How rules can help
Rules are only applicable to endpoint telemetry data sources. Rules when formulated in context to your Infrastructure environments help in the following:
- Trigger alerts and increase security awareness related to critical events on hosts.
- Help in forecasting and mitigating future attacks on network systems.
- Establish a forensic trail.
- Help investigators and incident responders arrive at meaningful conclusions by distinguishing noise from ongoing events and the real malicious activity on hosts.
In Seqrite HawkkHunt, you can create rules based on exclusive activity by some process, host or network host, or a combination of multiple events across hosts. After you create and save a rule, it is automatically pushed to the HawkkHunt portal and the data received from multiple endpoints is analyzed as per the conditions in the rules. If the conditions specified in that rule are met, then an alert is generated and sent across to the HawkkHunt console. The administrator can then assign these alerts to the IR, or the IR can assign the cases to self or other IR to find out the root cause, and range of infection, and carry out any mitigation activity as required.
The following table lists the indicators that you can use to build rules with appropriate operators and values.
|Process Name||Process Path||Process Command Line||Parent Name||Host Name|
|Command Line Length||Is Browser Process||File Download Option||Is Process Signed||user_name|
|proc_sha2||proc_md5||Parent Path||Parent Command Line||Parent_Bin_Is_Signed|
|Grand Parent Name||Grand Parent Path||Grand Parent Command Line||Grand_Parent_Bin_Is_Signed||cp_event_type|
|cp_given_access||cp_desired_access||cp_target_proc_name||File Name||File Path|
|nw_domain_name||nw_dns_ips||nw_conn_type||Registry Key||Registry Value|
|Registry Value Data||Windows Event Id||Field of Interest|
You can use mathematical logical operators such as as AND, and OR for the rules.
Practices to be followed while writing/adding rules
- Select the indicators and operators from the dropdown list suggestions, avoid writing rules on your own to avoid formatting errors.
- Provide a space after every action like, selection of indicator, operator, providing values, brackets and at the end of the rule.
IP = 220.127.116.11 and And Port = 80
Let us write a rule to detect if the IP address is 18.104.22.168 and Port is 80.
- Click Create a rule.
- Enter a name for the rule.
- Select the severity for the rule.
- Enter the rule description.
- Click in the Type Rule here textbox to start building the rule. The Indicators are displayed.
- Select the required indicator from the list, in our example IP. You may need to scroll down to view the whole list of available indicators.
- Tap the spacebar once to view the available options. In this example the mathematical operator “=” & the condition “contains” are displayed.
- Select the “=” operator.
Tap the spacebar once to view the available options. The logical operators “And” & “Or” are displayed. Select as required.
- Tap the spacebar once to view the available options. The Indicator list is displayed. Start typing or select Port from displayed list.
- Tap the spacebar once to view the available options. Select “=” from the available options.
- Type 80 and tap the spacebar once to insert a space. The value is then added to the preview. Further options are displayed in the drop-down if you want to enter more conditions.
- If you do not want to set further conditions, click Save on the upper right corner. The rule is saved and added to the rules list.
Example Rule 2
Process Name = teams.exe AND Port = 80
When you want to find all such instances where hosts are running Teams.exe and utilizing port 80 for communication to remote host, you can build and apply above rule.
Example Rule 3
( Parent Name = svchost.exe AND Process Name = powershell.exe ) AND ( Process Command Line contains .start. OR Process Command Line contains .add.)
Remote attackers frequently use the valid Windows system processes on a compromised host to spread to lateral hosts so that they are not detected. The compromised host could also be running some program or file that would start some rogue process or add an instruction/command to the configuration files so that the malicious file is executed on next startup.
When you want to lookup all instances where Windows System Process called Service Host (SVCHOST.exe) is running along with Powershell and process command contains some string starting with “start” or “add” then you can build and apply the above rule.
Example Rule 4
( Grand Parent Name = msiexec.exe AND Parent Name = cmd.exe AND ) AND ( Process Name = iexplorer.exe OR Process Name = reg.exe ) AND ( Registry Value contains REGISTRYSOFTWAREMicrosoftWindowsCurrentVersionRun OR Registry Value contains REGISTRYSOFTWAREWow6432NodeMicrosoftWindowsCurrentVersionRun )
Check if “cmd.exe” process has launched child processes i.e “iexplorer.exe” OR “reg.exe” and has used .start. OR .add. in process command line and has done registry activity which contains value as “REGISTRYSOFTWAREMicrosoftWindowsCurrentVersionRun” OR “REGISTRYSOFTWAREWow6432NodeMicrosoftWindowsCurrentVersionRun”. Also, the cmd.exe process must have been launched by “msiexec.exe” (Parent process of cmd.exe).
Types of Rules
The following two types of Rules are present.
The system rules are predefined by Seqrite Labs team. You can activate, deactivate, or delete the system rules.
Custom rules are rules created by the user. You can edit, copy, activate, deactivate, or delete the custom rules.