
Rule Builder

Enterprise systems carry out millions of operations on hosts every day, and the threat data generated on them is correspondingly massive. Enterprise security depends on how administrators carry out threat analysis on the vast amount of information present in host logs and event viewer logs.
In most attack scenarios, attackers first gain initial access to a single host in a network, run malicious code at an opportune time, and then move laterally to other hosts, mostly using built-in system commands. The attacker may modify system startup files and registry entries and try to gain higher access permissions.
Rules help administrators sift through critical events on hosts, malicious activity, account security permission violations, and other suspicious activity. Rules based on aggregation of suspicious behavior across multiple hosts help administrators generate alerts. When investigated by incident responders or analysts, these alerts help arrive at meaningful conclusions about the patterns followed by attackers and can be useful in mitigating further attacks on the enterprise network.

How rules can help

Rules formulated in the context of your network environment help in the following ways:

  • Trigger alerts and increase security awareness related to critical events on hosts.
  • Help in forecasting and mitigating future attacks on network systems.
  • Establish a forensic trail.
  • Help investigators and incident responders arrive at meaningful conclusions by distinguishing the noise of ongoing events from real malicious activity on hosts.

In Seqrite HawkkHunt, you can create rules based on activity by a specific process, host, or network host, or on a combination of multiple events across hosts. After you create and save a rule, it is automatically pushed to the HawkkHunt portal, and the data received from multiple endpoints is analyzed as per the conditions in the rule. If the conditions specified in that rule are met, an alert is generated and sent to the HawkkHunt console. The administrator can then assign these alerts to an IR, or an IR can assign cases to themselves or to another IR, to find out the root cause and the range of infection and to carry out any mitigation activity as required.

The following table lists the system indicators that you can use to build rules with appropriate operators and values.

Process                   File              Network     Registry              Windows Event
Process Name              File Name         Protocol    Registry Key          Event Id
Process Path              File Path         Port        Registry Value
Process Command Line      SHA2              IP          Registry Value Data
Parent Path               MD5               URL
Parent Command Line       Is File Signed    Host Name
Grand Parent Name         File Drive Type
Grand Parent Path
Is the process signed?

You can combine conditions in a rule with the logical operators AND and OR.

Practices to be followed while writing/adding rules

  • Select the indicators and operators from the drop-down list suggestions; avoid typing rules on your own, to prevent formatting errors.
  • Provide a space after every action: selecting an indicator or operator, providing a value, opening or closing brackets, and at the end of the rule.

Example 1

IP = 4.4.4.4 AND Port = 80

Explanation

Let us write a rule to detect if the IP address is 4.4.4.4 and Port is 80.

  1. Click Create a rule.
  2. Enter a name for the rule.
  3. Select the severity for the rule.
  4. Enter the rule description.
  5. Click in the Type Rule here textbox to start building the rule. The Indicators are displayed.
  6. Select the required indicator from the list, in our example IP. You may need to scroll down to view the whole list of available indicators.
  7. Tap the spacebar once to view the available options. In this example the mathematical operator “=” and the condition “contains” are displayed.
  8. Select the “=” operator. Type 4.4.4.4 and tap the spacebar once.
    Tap the spacebar once to view the available options. The logical operators “And” and “Or” are displayed. Select as required.
  9. Tap the spacebar once to view the available options. The Indicator list is displayed. Start typing or select Port from displayed list.
  10. Tap the spacebar once to view the available options. Select “=” from the available options.
  11. Type 80 and tap the spacebar once to insert a space. The value is then added to the preview. Further options are displayed in the drop-down if you want to enter more conditions.
  12. If you do not want to set further conditions, click Save on the upper right corner. The rule is saved and added to the rules list.

Example Rule 2

Process Name = teams.exe AND Port = 80

Explanation
When you want to find all instances where hosts are running Teams.exe and using port 80 to communicate with a remote host, you can build and apply the above rule.

Example Rule 3

( Parent Name = svchost.exe AND Process Name = powershell.exe ) AND ( Process Command Line contains .start. OR Process Command Line contains .add. )

Explanation
Remote attackers frequently use valid Windows system processes on a compromised host to spread to other hosts without being detected. The compromised host could also be running a program or file that starts a rogue process or adds an instruction or command to configuration files so that the malicious file is executed on the next startup.
When you want to look up all instances where the Windows system process Service Host (SVCHOST.exe) is running along with PowerShell and the process command line contains a string starting with “start” or “add”, you can build and apply the above rule.

Example Rule 4

( Grand Parent Name = msiexec.exe AND Parent Name = cmd.exe ) AND ( Process Name = iexplorer.exe OR Process Name = reg.exe ) AND ( Registry Value contains \REGISTRY\SOFTWARE\\Microsoft\Windows\CurrentVersion\Run OR Registry Value contains \REGISTRY\SOFTWARE\Wow6432Node\Microsoft\\Windows\CurrentVersion\Run )

Explanation
Check whether the “cmd.exe” process has launched child processes, i.e. “iexplorer.exe” or “reg.exe”, that have used .start. or .add. in the process command line and have performed registry activity whose value contains “\REGISTRY\SOFTWARE\\Microsoft\Windows\CurrentVersion\Run” or “\REGISTRY\SOFTWARE\Wow6432Node\Microsoft\\Windows\CurrentVersion\Run”. Also, the cmd.exe process must have been launched by “msiexec.exe” (the parent process of cmd.exe).
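To make the grammar of these rules concrete, here is an added example (not HawkkHunt's own code) that parses rules written in the syntax shown above (OR binds loosest, AND tighter, brackets tightest) and evaluates them against a constructed event; it assumes that "=" and "contains" compare case-insensitively and that the dots around ".start." only delimit the word. It also rejects malformed rules, such as a dangling AND before a closing bracket.

```python
import re

# Indicator names from the page's table (signed/drive-type ones omitted), longest first
# so "Process Command Line" matches before "Process Name"; lookahead guards value starts.
INDICATORS = sorted(["Process Name", "Process Path", "Process Command Line", "Parent Name",
    "Parent Path", "Parent Command Line", "Grand Parent Name", "Grand Parent Path",
    "File Name", "File Path", "SHA2", "MD5", "Protocol", "Port", "IP", "URL", "Host Name",
    "Registry Key", "Registry Value", "Registry Value Data", "Event Id"], key=len, reverse=True)
TOKEN_RE = re.compile(r"\(|\)|(?:%s)(?=\s|$)|\S+" % "|".join(map(re.escape, INDICATORS)))

def parse(rule):
    # Recursive descent: OR binds loosest, AND tighter, brackets tightest.
    toks = TOKEN_RE.findall(rule)[::-1]   # reversed so pop() yields tokens in order
    def peek(): return toks[-1].upper() if toks else None
    def take(): return toks.pop()          # IndexError here means the rule ended early
    def factor():                          # "(" expr ")" | INDICATOR (= | contains) VALUE
        if peek() == "(":
            take(); node = expr()
            if take() != ")": raise ValueError("missing ')'")
            return node
        ind, op, val = take(), take().lower(), take()
        if ind not in INDICATORS or op not in ("=", "contains"):
            raise ValueError(f"bad condition near {ind!r} {op!r}")
        return (op, ind, val)
    def term():
        node = factor()
        while peek() == "AND": take(); node = ("and", node, factor())
        return node
    def expr():
        node = term()
        while peek() == "OR": take(); node = ("or", node, term())
        return node
    tree = expr()
    if toks: raise ValueError(f"unexpected token {toks[-1]!r}")
    return tree

def evaluate(node, event):
    # Evaluate a parsed rule against one event: a dict keyed by indicator name.
    kind, left, right = node
    if kind == "and": return evaluate(left, event) and evaluate(right, event)
    if kind == "or": return evaluate(left, event) or evaluate(right, event)
    actual = str(event.get(left, "")).lower()   # assumption: comparisons are case-insensitive
    if kind == "=": return actual == right.lower()
    return right.strip(".").lower() in actual   # assumption: dots in .start. only delimit

# Example Rule 3 from the page, plus one constructed event that should trigger it.
RULE3 = ("( Parent Name = svchost.exe AND Process Name = powershell.exe ) AND "
         "( Process Command Line contains .start. OR Process Command Line contains .add. )")
SUSPICIOUS = {"Parent Name": "svchost.exe", "Process Name": "powershell.exe",
              "Process Command Line": "powershell.exe -nop -c Start-Process evil.exe"}
```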

Creating a rule

    1. Go to Dashboard > Rule Builder. Existing rules if any are listed.
    2. Click Create Rule.
    3. In the Rule Name section, enter a name for the rule.
    4. Select the severity of the alert that would be generated by this rule: High, Medium, Low, or Informative.
    5. Enter the description for the rule in the designated text box.
    6. In the Create Detection Rule section, click View All Indicators to view the available indicators that you can use to build the detection rule. You can build a rule using the options available for process, file, network, registry, and Windows Event Id indicators.
    7. In the text box below Enter Rule Conditions, enter the indicator that you want to use for building the rule. The options change dynamically as per the letters you enter. Browse the listed entries and select the appropriate indicator to build the rule.
    8. Enter the mathematical operator that you want to use. For example, to search for the process name Teams.exe, use the = sign and type teams.exe.
    9. Use the logical operator AND if you want to pass another argument to the rule query.
    10. Click Save on the upper right corner.
    Note: The rule is saved and applied immediately. Whenever the conditions specified in the rule are met on any host, a corresponding alert is generated on the HawkkHunt console.


Deleting a rule

    1. Go to Dashboard > Detection Rules/Rule Builder. Existing rules if any are listed.
    2. Click on the rule that you want to delete. The corresponding icons for Edit, Copy, and Delete (Trash) are displayed.
    3. Click the Trash icon.
    4. Click Delete on the confirmation dialog box. The rule is deleted.

Copying a rule

    1. Go to Dashboard > Detection Rules/Rule Builder. Existing rules if any are listed.
    2. Click on the rule that you want to copy. The corresponding icons for Edit, Copy, and Delete (Trash) are displayed on the extreme right side.
    3. Click the Copy icon.
    4. The description for the rule is displayed. Change the name of the rule as required.
    5. Make any changes required to the severity, description, and conditions.
    6. Click Save on the upper right corner. The rule is saved and added to the list of rules.

Editing a rule

    1. Go to Dashboard > Rule Builder. Existing rules if any are listed.
    2. Click on the rule that you want to edit. The corresponding icons for Edit, Copy, and Delete (Trash) are displayed.
    3. Click the Edit icon. The rule description fields are displayed.
    4. Make the changes required to the severity, description, and conditions.
    5. Click Save on the upper right corner. The rule is saved.

Viewing rules

You can view the rules created earlier by the administrator or the IRs. You can sort these rules by severity or timestamp. You can also use the filter to view the rules as per a criterion, and you can choose to view the rules created by you or by others as required.

  1. Go to Dashboard > Rule Builder. Existing rules if any are listed.
  2. To filter rules as per your requirements, enter the criterion in the filter box, add more conditions as required. The displayed rule list is automatically updated as per the set criteria.
  3. To sort the rules by severity, click the corresponding icon at the top of the severity column. The displayed list is sorted accordingly.
  4. To sort the rules by Timestamp, click the corresponding icon at the top of the Timestamp column. The displayed list is sorted accordingly as per the most recent or the oldest.
  5. To view rules created exclusively by you, in the Created by drop-down list, select Only Mine. The displayed list is filtered accordingly. By default, the list displays rules created by all users.
  6. To view rules created by others, in the Created by drop-down list, select Only Others. The displayed list is filtered accordingly.