security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4f55e9b05f044131f6c19f553f2e06fcc7486bf5
sigma-rules/rules/windows/execution_command_shell_started_by_unusual_process.toml
T

68 lines
2.3 KiB
TOML
Raw Normal View History

[New Rule] Unusual CommandShell Parent Process (#202)
2020-09-28 23:15:26 +02:00
[metadata]
creation_date = "2020/08/21"
maturity = "production"
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
updated_date = "2022/03/31"
[New Rule] Unusual CommandShell Parent Process (#202)
2020-09-28 23:15:26 +02:00
[rule]
author = ["Elastic"]
description = "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process."
[Rule Tuning] Add extended lookback for all endpoint rules to account for ingest delays (#351)
2020-09-30 19:16:04 -05:00
from = "now-9m"
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
language = "eql"
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
license = "Elastic License v2"
[New Rule] Unusual CommandShell Parent Process (#202)
2020-09-28 23:15:26 +02:00
name = "Unusual Parent Process for cmd.exe"
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
note = """## Setup
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
[New Rule] Unusual CommandShell Parent Process (#202)
2020-09-28 23:15:26 +02:00
risk_score = 47
rule_id = "3b47900d-e793-49e8-968f-c90dc3526aa1"
severity = "medium"
[Rule Tuning] Tag Categorization Updates (#380)
2020-10-26 13:50:45 -05:00
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
[Rule Tuning] 7.11.2: Add timestamp_override to all query and non-sequence EQL rules (#948)
2021-02-16 10:52:48 -09:00
timestamp_override = "event.ingested"
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
type = "eql"
[New Rule] Unusual CommandShell Parent Process (#202)
2020-09-28 23:15:26 +02:00
query = '''
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
process where event.type in ("start", "process_started") and
process.name : "cmd.exe" and
process.parent.name : ("lsass.exe",
"csrss.exe",
"epad.exe",
"regsvr32.exe",
"dllhost.exe",
"LogonUI.exe",
"wermgr.exe",
"spoolsv.exe",
"jucheck.exe",
"jusched.exe",
"ctfmon.exe",
"taskhostw.exe",
"GoogleUpdate.exe",
"sppsvc.exe",
"sihost.exe",
"slui.exe",
"SIHClient.exe",
"SearchIndexer.exe",
"SearchProtocolHost.exe",
"FlashPlayerUpdateService.exe",
"WerFault.exe",
"WUDFHost.exe",
"unsecapp.exe",
"wlanext.exe" )
[New Rule] Unusual CommandShell Parent Process (#202)
2020-09-28 23:15:26 +02:00
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
name = "Command and Scripting Interpreter"
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
reference = "https://attack.mitre.org/techniques/T1059/"
[New Rule] Unusual CommandShell Parent Process (#202)
2020-09-28 23:15:26 +02:00
[rule.threat.tactic]
id = "TA0002"
Convert windows rules from KQL to EQL (#1114)
2021-04-30 11:21:12 -08:00
name = "Execution"
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
reference = "https://attack.mitre.org/tactics/TA0002/"
[Rule Tuning] Add extended lookback for all endpoint rules to account for ingest delays (#351)
2020-09-30 19:16:04 -05:00
Reference in New Issue Copy Permalink