2020-09-28 23:15:26 +02:00
|
|
|
[metadata]
|
|
|
|
|
creation_date = "2020/08/21"
|
2023-01-04 09:30:07 -05:00
|
|
|
integration = ["endpoint", "windows"]
|
2020-09-28 23:15:26 +02:00
|
|
|
maturity = "production"
|
2022-08-24 10:38:49 -06:00
|
|
|
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
|
|
|
|
min_stack_version = "8.3.0"
|
2024-04-01 20:45:12 -03:00
|
|
|
updated_date = "2024/03/28"
|
2020-09-28 23:15:26 +02:00
|
|
|
|
|
|
|
|
[rule]
|
|
|
|
|
author = ["Elastic"]
|
|
|
|
|
description = "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process."
|
2020-09-30 19:16:04 -05:00
|
|
|
from = "now-9m"
|
2024-04-01 20:45:12 -03:00
|
|
|
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"]
|
2021-04-30 11:21:12 -08:00
|
|
|
language = "eql"
|
2021-03-03 22:12:11 -09:00
|
|
|
license = "Elastic License v2"
|
2020-09-28 23:15:26 +02:00
|
|
|
name = "Unusual Parent Process for cmd.exe"
|
|
|
|
|
risk_score = 47
|
|
|
|
|
rule_id = "3b47900d-e793-49e8-968f-c90dc3526aa1"
|
2024-03-11 09:09:40 -03:00
|
|
|
setup = """## Setup
|
2023-10-30 16:53:04 +05:30
|
|
|
|
|
|
|
|
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
|
|
|
|
|
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
|
|
|
|
|
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
|
|
|
|
|
`event.ingested` to @timestamp.
|
|
|
|
|
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
|
|
|
|
|
"""
|
2020-09-28 23:15:26 +02:00
|
|
|
severity = "medium"
|
2024-03-13 10:27:44 -03:00
|
|
|
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
|
2021-02-16 10:52:48 -09:00
|
|
|
timestamp_override = "event.ingested"
|
2021-04-30 11:21:12 -08:00
|
|
|
type = "eql"
|
2020-09-28 23:15:26 +02:00
|
|
|
|
|
|
|
|
query = '''
|
2023-03-05 09:41:19 -09:00
|
|
|
process where host.os.type == "windows" and event.type == "start" and
|
2021-04-30 11:21:12 -08:00
|
|
|
process.name : "cmd.exe" and
|
|
|
|
|
process.parent.name : ("lsass.exe",
|
|
|
|
|
"csrss.exe",
|
|
|
|
|
"epad.exe",
|
|
|
|
|
"regsvr32.exe",
|
|
|
|
|
"dllhost.exe",
|
|
|
|
|
"LogonUI.exe",
|
|
|
|
|
"wermgr.exe",
|
|
|
|
|
"spoolsv.exe",
|
|
|
|
|
"jucheck.exe",
|
|
|
|
|
"jusched.exe",
|
|
|
|
|
"ctfmon.exe",
|
|
|
|
|
"taskhostw.exe",
|
|
|
|
|
"GoogleUpdate.exe",
|
|
|
|
|
"sppsvc.exe",
|
|
|
|
|
"sihost.exe",
|
|
|
|
|
"slui.exe",
|
|
|
|
|
"SIHClient.exe",
|
|
|
|
|
"SearchIndexer.exe",
|
|
|
|
|
"SearchProtocolHost.exe",
|
|
|
|
|
"FlashPlayerUpdateService.exe",
|
|
|
|
|
"WerFault.exe",
|
|
|
|
|
"WUDFHost.exe",
|
|
|
|
|
"unsecapp.exe",
|
2023-09-14 02:51:07 +10:00
|
|
|
"wlanext.exe" ) and
|
|
|
|
|
not (process.parent.name : "dllhost.exe" and process.parent.args : "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}")
|
2020-09-28 23:15:26 +02:00
|
|
|
'''
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[[rule.threat]]
|
|
|
|
|
framework = "MITRE ATT&CK"
|
|
|
|
|
[[rule.threat.technique]]
|
|
|
|
|
id = "T1059"
|
2021-04-30 11:21:12 -08:00
|
|
|
name = "Command and Scripting Interpreter"
|
2022-04-01 15:27:08 -08:00
|
|
|
reference = "https://attack.mitre.org/techniques/T1059/"
|
2020-09-28 23:15:26 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
|
|
|
id = "TA0002"
|
2021-04-30 11:21:12 -08:00
|
|
|
name = "Execution"
|
2022-04-01 15:27:08 -08:00
|
|
|
reference = "https://attack.mitre.org/tactics/TA0002/"
|
2020-09-30 19:16:04 -05:00
|
|
|
|
