rules/windows/execution_command_shell_started_by_unusual_process.toml

[metadata]
creation_date = "2020/08/21"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/10/26"

[rule]
author = ["Elastic"]
description = "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process."
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "Unusual Parent Process for cmd.exe"
risk_score = 47
rule_id = "3b47900d-e793-49e8-968f-c90dc3526aa1"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
type = "query"

query = '''
event.category:process and event.type:(start or process_started) and
  process.name:cmd.exe and
  process.parent.name:(lsass.exe or csrss.exe or notepad.exe or regsvr32.exe or dllhost.exe or LogonUI.exe or wermgr.exe or spoolsv.exe or
   jucheck.exe or jusched.exe or ctfmon.exe or taskhostw.exe or GoogleUpdate.exe or sppsvc.exe or sihost.exe or slui.exe or
   SIHClient.exe or SearchIndexer.exe or SearchProtocolHost.exe or FlashPlayerUpdateService.exe or WerFault.exe or WUDFHost.exe or unsecapp.exe or wlanext.exe)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[New Rule] Unusual CommandShell Parent Process (#202 ) 2020-09-28 23:15:26 +02:00			`[metadata]`
			`creation_date = "2020/08/21"`
			`ecs_version = ["1.6.0"]`
			`maturity = "production"`
[Rule Tuning] Tag Categorization Updates (#380 ) 2020-10-26 13:50:45 -05:00			`updated_date = "2020/10/26"`
[New Rule] Unusual CommandShell Parent Process (#202 ) 2020-09-28 23:15:26 +02:00
			`[rule]`
			`author = ["Elastic"]`
			`description = "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process."`
[Rule Tuning] Add extended lookback for all endpoint rules to account for ingest delays (#351 ) 2020-09-30 19:16:04 -05:00			`from = "now-9m"`
[New Rule] Unusual CommandShell Parent Process (#202 ) 2020-09-28 23:15:26 +02:00			`index = ["winlogbeat-", "logs-endpoint.events."]`
			`language = "kuery"`
			`license = "Elastic License"`
			`name = "Unusual Parent Process for cmd.exe"`
			`risk_score = 47`
			`rule_id = "3b47900d-e793-49e8-968f-c90dc3526aa1"`
			`severity = "medium"`
[Rule Tuning] Tag Categorization Updates (#380 ) 2020-10-26 13:50:45 -05:00			`tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]`
[New Rule] Unusual CommandShell Parent Process (#202 ) 2020-09-28 23:15:26 +02:00			`type = "query"`

			`query = '''`
			`event.category:process and event.type:(start or process_started) and`
			`process.name:cmd.exe and`
			`process.parent.name:(lsass.exe or csrss.exe or notepad.exe or regsvr32.exe or dllhost.exe or LogonUI.exe or wermgr.exe or spoolsv.exe or`
			`jucheck.exe or jusched.exe or ctfmon.exe or taskhostw.exe or GoogleUpdate.exe or sppsvc.exe or sihost.exe or slui.exe or`
			`SIHClient.exe or SearchIndexer.exe or SearchProtocolHost.exe or FlashPlayerUpdateService.exe or WerFault.exe or WUDFHost.exe or unsecapp.exe or wlanext.exe)`
			`'''`


			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`
			`[[rule.threat.technique]]`
			`id = "T1059"`
			`name = "Command and Scripting Interpreter"`
			`reference = "https://attack.mitre.org/techniques/T1059/"`


			`[rule.threat.tactic]`
			`id = "TA0002"`
			`name = "Execution"`
			`reference = "https://attack.mitre.org/tactics/TA0002/"`
[Rule Tuning] Add extended lookback for all endpoint rules to account for ingest delays (#351 ) 2020-09-30 19:16:04 -05:00