rules/windows/execution_unusual_process_network_connection.toml

[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2020/11/03"

[rule]
author = ["Elastic"]
description = """
Identifies network activity from unexpected system applications. This may indicate adversarial activity as these
applications are often leveraged by adversaries to execute code and evade detection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License"
name = "Unusual Process Network Connection"
risk_score = 21
rule_id = "610949a1-312f-4e04-bb55-3a79b8c95267"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
type = "eql"

query = '''
sequence by process.entity_id
  [process where (process.name : "Microsoft.Workflow.Compiler.exe" or
                  process.name : "bginfo.exe" or
                  process.name : "cdb.exe" or
                  process.name : "cmstp.exe" or
                  process.name : "csi.exe" or
                  process.name : "dnx.exe" or
                  process.name : "fsi.exe" or
                  process.name : "ieexec.exe" or
                  process.name : "iexpress.exe" or
                  process.name : "odbcconf.exe" or
                  process.name : "rcsi.exe" or
                  process.name : "xwizard.exe") and
     event.type == "start"]
  [network where (process.name : "Microsoft.Workflow.Compiler.exe" or
                  process.name : "bginfo.exe" or
                  process.name : "cdb.exe" or
                  process.name : "cmstp.exe" or
                  process.name : "csi.exe" or
                  process.name : "dnx.exe" or
                  process.name : "fsi.exe" or
                  process.name : "ieexec.exe" or
                  process.name : "iexpress.exe" or
                  process.name : "odbcconf.exe" or
                  process.name : "rcsi.exe" or
                  process.name : "xwizard.exe")]
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1127"
name = "Trusted Developer Utilities Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1127/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
Populate rules/ directory. 2020-06-29 22:57:00 -06:00			`[metadata]`
			`creation_date = "2020/02/18"`
			`maturity = "production"`
[Rule Tuning] Remove all rule timelines (#466 ) 2020-11-03 19:51:53 +01:00			`updated_date = "2020/11/03"`
Populate rules/ directory. 2020-06-29 22:57:00 -06:00
			`[rule]`
			`author = ["Elastic"]`
			`description = """`
			`Identifies network activity from unexpected system applications. This may indicate adversarial activity as these`
			`applications are often leveraged by adversaries to execute code and evade detection.`
			`"""`
Increase lookback for endpoint rules (#200 ) 2020-08-21 12:23:43 -05:00			`from = "now-9m"`
[Rule Tuning] Update Index Pattern for Detection Engine Rules (#101 ) 2020-08-03 15:46:57 -04:00			`index = ["winlogbeat-", "logs-endpoint.events."]`
Remove connection type from endpoint network rules (#426 ) 2020-10-28 21:35:34 +01:00			`language = "eql"`
Populate rules/ directory. 2020-06-29 22:57:00 -06:00			`license = "Elastic License"`
			`name = "Unusual Process Network Connection"`
			`risk_score = 21`
			`rule_id = "610949a1-312f-4e04-bb55-3a79b8c95267"`
			`severity = "low"`
[Rule Tuning] Tag Categorization Updates (#380 ) 2020-10-26 13:50:45 -05:00			`tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]`
Remove connection type from endpoint network rules (#426 ) 2020-10-28 21:35:34 +01:00			`type = "eql"`
Populate rules/ directory. 2020-06-29 22:57:00 -06:00
			`query = '''`
Remove connection type from endpoint network rules (#426 ) 2020-10-28 21:35:34 +01:00			`sequence by process.entity_id`
			`[process where (process.name : "Microsoft.Workflow.Compiler.exe" or`
			`process.name : "bginfo.exe" or`
			`process.name : "cdb.exe" or`
			`process.name : "cmstp.exe" or`
			`process.name : "csi.exe" or`
			`process.name : "dnx.exe" or`
			`process.name : "fsi.exe" or`
			`process.name : "ieexec.exe" or`
			`process.name : "iexpress.exe" or`
			`process.name : "odbcconf.exe" or`
			`process.name : "rcsi.exe" or`
			`process.name : "xwizard.exe") and`
			`event.type == "start"]`
			`[network where (process.name : "Microsoft.Workflow.Compiler.exe" or`
			`process.name : "bginfo.exe" or`
			`process.name : "cdb.exe" or`
			`process.name : "cmstp.exe" or`
			`process.name : "csi.exe" or`
			`process.name : "dnx.exe" or`
			`process.name : "fsi.exe" or`
			`process.name : "ieexec.exe" or`
			`process.name : "iexpress.exe" or`
			`process.name : "odbcconf.exe" or`
			`process.name : "rcsi.exe" or`
			`process.name : "xwizard.exe")]`
Populate rules/ directory. 2020-06-29 22:57:00 -06:00			`'''`


			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`
			`[[rule.threat.technique]]`
			`id = "T1127"`
Refresh ATT&CK data to v7.2 and expand threat validation (#330 ) 2020-09-24 01:03:29 -05:00			`name = "Trusted Developer Utilities Proxy Execution"`
Populate rules/ directory. 2020-06-29 22:57:00 -06:00			`reference = "https://attack.mitre.org/techniques/T1127/"`


			`[rule.threat.tactic]`
			`id = "TA0002"`
			`name = "Execution"`
			`reference = "https://attack.mitre.org/tactics/TA0002/"`