rules/windows/execution_command_shell_started_by_svchost.toml

[metadata]
creation_date = "2020/02/18"
ecs_version = ["1.4.0"]
maturity = "production"
updated_date = "2020/02/18"

[rule]
author = ["Elastic"]
description = "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe"
index = ["winlogbeat-*"]
language = "kuery"
license = "Elastic License"
name = "Svchost spawning Cmd"
risk_score = 21
rule_id = "fd7a6052-58fa-4397-93c3-4795249ccfa2"
severity = "low"
tags = ["Elastic", "Windows"]
type = "query"

query = '''
process.parent.name:svchost.exe and process.name:cmd.exe
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command-Line Interface"
reference = "https://attack.mitre.org/techniques/T1059/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
Populate rules/ directory. 2020-06-29 22:57:00 -06:00			`[metadata]`
			`creation_date = "2020/02/18"`
			`ecs_version = ["1.4.0"]`
			`maturity = "production"`
			`updated_date = "2020/02/18"`

			`[rule]`
			`author = ["Elastic"]`
			`description = "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe"`
			`index = ["winlogbeat-*"]`
			`language = "kuery"`
			`license = "Elastic License"`
			`name = "Svchost spawning Cmd"`
			`risk_score = 21`
			`rule_id = "fd7a6052-58fa-4397-93c3-4795249ccfa2"`
			`severity = "low"`
			`tags = ["Elastic", "Windows"]`
			`type = "query"`

			`query = '''`
			`process.parent.name:svchost.exe and process.name:cmd.exe`
			`'''`


			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`
			`[[rule.threat.technique]]`
			`id = "T1059"`
			`name = "Command-Line Interface"`
			`reference = "https://attack.mitre.org/techniques/T1059/"`


			`[rule.threat.tactic]`
			`id = "TA0002"`
			`name = "Execution"`
			`reference = "https://attack.mitre.org/tactics/TA0002/"`