From b3f97c676d646c8b8f29f230ad3f0ff3b8d90cab Mon Sep 17 00:00:00 2001
From: swachchhanda
Date: Thu, 20 Apr 2023 17:12:04 +0545
Subject: [PATCH 1/4] Added new rule that identifies the creation of a scheduled job by using an XML file without the extension of '.xml'.
---
 ...asks_schedule_via_masqueraded_xml_file.yml | 52 +++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
new file mode 100644
index 000000000..e5fa4468c
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
@@ -0,0 +1,52 @@
+title: Suspicious Scheduled Task Creation via Masqueraded XML File
+id: dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c
+status: experimental
+description: Identifies the creation of a scheduled job by using an XML file without the extension of '.xml'. This behavior is typical of an attacker attempting to develop persistence while remaining undetected.
+references:
+ - https://docs.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-
+ - https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml
+author: Elastic (author), Swachchhanda Shrawan Poudel
+date: 2023/04/20
+modified: 2023/04/20
+tags:
+ - attack.Defense Evasion
+ - attack.T1036.005
+ - attack.T1053.005
+ - attack.Persistence
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_1:
+ - OriginalFileName: 'schtasks.exe'
+ - Image|endswith: '\schtasks.exe'
+ selection_2:
+ CommandLine|contains:
+ - '/create'
+ - '-create'
+ selection_3:
+ CommandLine|contains:
+ - '/xml'
+ - '-xml'
+ filter_1:
+ CommandLine|contains:
+ - '.xml'
+ filter_2:
+ system_integrity:
+ IntegrityLevel: 'System'
+ filter_3:
+ ParentImage|contains:
+ - ':\ProgramData\OEM\UpgradeTool\CareCenter_*\BUnzip\Setup_msi.exe'
+ - ':\Program Files\Axis Communications\AXIS Camera Station\SetupActions.exe'
+ - ':\Program Files\Axis Communications\AXIS Device Manager\AdmSetupActions.exe'
+ - ':\Program Files (x86)\Zemana\AntiMalware\AntiMalware.exe'
+ - ':\Program Files\Dell\SupportAssist\pcdrcui.exe'
+ filter_4:
+ ParentImage|endswith:
+ - '\rundll32.exe'
+ ParentCommandLine|contains:
+ - ':\WINDOWS\Installer\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc'
+ condition: (all of selection_*) and not (all of filter_*)
+falsepositives:
+ - Unknown
+level: low
\ No newline at end of file
From 9504a5a7a70259d94b4ec4c19fafcccf76632d04 Mon Sep 17 00:00:00 2001
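Review bot: `condition: (all of selection_*) and not (all of filter_*)` only suppresses an event when every filter matches at once, so no single filter — including `filter_1`, the '.xml' exclusion the description depends on — ever excludes anything on its own, and the rule fires on every ordinary `schtasks /create /xml task.xml` invocation. The intended form is `condition: all of selection_* and not 1 of filter_*`. The same line is carried as unchanged context in the third patch (hunk @@ -41,10 +41,8 @@) and is only corrected in the fourth. The tags `attack.Defense Evasion` / `attack.Persistence` (spaces, capitals) and the extra `system_integrity` level under `filter_2` are likewise not valid Sigma and are fixed by the later patches rather than here.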
From: swachchhanda
Date: Thu, 20 Apr 2023 17:31:26 +0545
Subject: [PATCH 2/4] mend removed system_integrity
---
 ...creation_win_schtasks_schedule_via_masqueraded_xml_file.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
index e5fa4468c..9cfc16707 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
@@ -32,8 +32,7 @@ detection:
 CommandLine|contains:
 - '.xml'
 filter_2:
- system_integrity:
- IntegrityLevel: 'System'
+ IntegrityLevel: 'System'
 filter_3:
 ParentImage|contains:
 - ':\ProgramData\OEM\UpgradeTool\CareCenter_*\BUnzip\Setup_msi.exe'
From 39e39187f224afd8d5f5e7a56ccbeb91ccf08ad5 Mon Sep 17 00:00:00 2001
From: swachchhanda
Date: Thu, 20 Apr 2023 19:05:19 +0545
Subject: [PATCH 3/4] mend Corrected the syntax
---
 ...tasks_schedule_via_masqueraded_xml_file.yml | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
index 9cfc16707..7e1bdc41c 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
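Review bot: `IntegrityLevel: 'System'` in `filter_2` now suppresses every schtasks invocation that runs at SYSTEM integrity, not only the installer cases the neighbouring filters target, so task creation performed from a SYSTEM-level context (a service, an existing task, a process that has already elevated) is never alerted on; it is the broadest exclusion in the rule and carries no explanation. Worth a comment above it, e.g. `# Excludes all SYSTEM-integrity callers (installers, services); this also hides SYSTEM-level task creation`. The same exclusion survives unchanged as `filter_main_system_process` in the fourth patch, so the comment applies there too.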
@@ -9,10 +9,11 @@ author: Elastic (author), Swachchhanda Shrawan Poudel
 date: 2023/04/20
 modified: 2023/04/20
 tags:
- - attack.Defense Evasion
- - attack.T1036.005
- - attack.T1053.005
- - attack.Persistence
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1036.005
+ - attack.t1053.005
+
 logsource:
 product: windows
 category: process_creation
@@ -29,8 +30,7 @@ detection:
 - '/xml'
 - '-xml'
 filter_1:
- CommandLine|contains:
- - '.xml'
+ CommandLine|contains: '.xml'
 filter_2:
 IntegrityLevel: 'System'
 filter_3:
@@ -41,10 +41,8 @@ detection:
 - ':\Program Files (x86)\Zemana\AntiMalware\AntiMalware.exe'
 - ':\Program Files\Dell\SupportAssist\pcdrcui.exe'
 filter_4:
- ParentImage|endswith:
- - '\rundll32.exe'
- ParentCommandLine|contains:
- - ':\WINDOWS\Installer\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc'
+ ParentImage|endswith: '\rundll32.exe'
+ ParentCommandLine|contains: ':\WINDOWS\Installer\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc'
 condition: (all of selection_*) and not (all of filter_*)
 falsepositives:
 - Unknown
From add0ac0d9f52a4eb2c67137f6c97bf798426324d Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 21 Apr 2023 11:38:13 +0200
Subject: [PATCH 4/4] fix: update structure and metadata
---
 ...asks_schedule_via_masqueraded_xml_file.yml | 37 ++++++++++---------
 1 file changed, 19 insertions(+), 18 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
index 7e1bdc41c..c99b4e9a9 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
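Review bot: In hunk @@ -29,8 +30,7 @@ the new scalar `CommandLine|contains: '.xml'` is a substring test over the whole command line, whereas the rule's description speaks of the extension of the file passed to `/xml`; the collapse to a scalar keeps that gap, and the two should agree — either document the filter as a substring match (`# substring match over the full command line, not an extension check`) or reword the description. In hunk @@ -9,10 +9,11 @@ the added empty `+` line after the tag list introduces a blank line between top-level keys that the rest of the file does not use; it is dropped again in the fourth patch. The `condition` line in hunk @@ -41,10 +41,8 @@ is unchanged context and still has the `all of filter_*` defect noted on the first patch.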
@@ -1,49 +1,50 @@
 title: Suspicious Scheduled Task Creation via Masqueraded XML File
 id: dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c
 status: experimental
-description: Identifies the creation of a scheduled job by using an XML file without the extension of '.xml'. This behavior is typical of an attacker attempting to develop persistence while remaining undetected.
+description: Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence
 references:
 - https://docs.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-
- - https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml
-author: Elastic (author), Swachchhanda Shrawan Poudel
+ - https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml
+author: Swachchhanda Shrawan Poudel, Elastic (idea)
 date: 2023/04/20
-modified: 2023/04/20
 tags:
 - attack.defense_evasion
 - attack.persistence
 - attack.t1036.005
 - attack.t1053.005
-
 logsource:
 product: windows
 category: process_creation
 detection:
- selection_1:
- - OriginalFileName: 'schtasks.exe'
+ selection_img:
 - Image|endswith: '\schtasks.exe'
- selection_2:
+ - OriginalFileName: 'schtasks.exe'
+ selection_cli_create:
 CommandLine|contains:
 - '/create'
 - '-create'
- selection_3:
+ selection_cli_xml:
 CommandLine|contains:
 - '/xml'
 - '-xml'
- filter_1:
+ filter_main_extension_xml:
 CommandLine|contains: '.xml'
- filter_2:
+ filter_main_system_process:
 IntegrityLevel: 'System'
- filter_3:
- ParentImage|contains:
+ filter_main_rundll32:
+ ParentImage|endswith: '\rundll32.exe'
+ ParentCommandLine|contains|all:
+ - ':\WINDOWS\Installer\MSI'
+ - '.tmp,zzzzInvokeManagedCustomActionOutOfProc'
+ filter_optional_third_party:
+ ParentImage|endswith:
+ # Consider removing any tools that you don't use to avoid blind spots
 - ':\ProgramData\OEM\UpgradeTool\CareCenter_*\BUnzip\Setup_msi.exe'
 - ':\Program Files\Axis Communications\AXIS Camera Station\SetupActions.exe'
 - ':\Program Files\Axis Communications\AXIS Device Manager\AdmSetupActions.exe'
 - ':\Program Files (x86)\Zemana\AntiMalware\AntiMalware.exe'
 - ':\Program Files\Dell\SupportAssist\pcdrcui.exe'
- filter_4:
- ParentImage|endswith: '\rundll32.exe'
- ParentCommandLine|contains: ':\WINDOWS\Installer\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc'
- condition: (all of selection_*) and not (all of filter_*)
+ condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
 - Unknown
-level: low
\ No newline at end of file
+level: medium
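Review bot: `falsepositives:` still lists only `Unknown`, yet the new `filter_main_rundll32` and `filter_optional_third_party` blocks encode concrete benign sources (MSI custom actions executed through rundll32, and the listed vendor setup tools) and the added comment asks operators to prune that list; record them, e.g. `- Legitimate installers and vendor tools that import task definitions from files without a .xml extension`, so readers know what the filters are for before editing them. The new `description` also ends with `indicative of potential defense evasion attempt during persistence`, which is missing an article and a terminal period — `… indicative of a potential defense evasion attempt during persistence.`. With `1 of filter_main_*` the exclusions now apply individually, so `filter_main_system_process` silently removes every SYSTEM-integrity caller; a one-line comment there stating that trade-off would match the care taken on the third-party list.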