rules/windows/command_and_control_remote_file_copy_powershell.toml

[metadata]
creation_date = "2020/11/30"
maturity = "production"
updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
description = "Identifies powershell.exe being used to download an executable file from an untrusted remote destination."
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Remote File Download via PowerShell"
risk_score = 47
rule_id = "33f306e8-417c-411b-965c-c2812d6d3f4d"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
type = "eql"

query = '''
sequence by host.id, process.entity_id with maxspan=30s
  [network where process.name : "powershell.exe" and network.protocol == "dns" and
   not dns.question.name : ("localhost", "*.microsoft.com", "*.azureedge.net", "*.powershellgallery.com", "*.windowsupdate.com", "metadata.google.internal") and 
   not user.domain : "NT AUTHORITY"]
    [file where process.name : "powershell.exe" and event.type == "creation" and file.extension : ("exe", "dll", "ps1", "bat") and 
   not file.name : "__PSScriptPolicy*.ps1"]
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"


[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[New Rule] Remote File Download via Powershell (#660 ) 2020-12-08 21:28:28 +01:00			`[metadata]`
			`creation_date = "2020/11/30"`
			`maturity = "production"`
Update License to Elastic v2 (#944 ) 2021-03-03 22:12:11 -09:00			`updated_date = "2021/03/03"`
[New Rule] Remote File Download via Powershell (#660 ) 2020-12-08 21:28:28 +01:00
			`[rule]`
			`author = ["Elastic"]`
			`description = "Identifies powershell.exe being used to download an executable file from an untrusted remote destination."`
			`from = "now-9m"`
[Rule Tuning] Add windows integration index to rules (#923 ) 2021-01-28 20:53:57 -09:00			`index = ["winlogbeat-", "logs-endpoint.events.", "logs-windows.*"]`
[New Rule] Remote File Download via Powershell (#660 ) 2020-12-08 21:28:28 +01:00			`language = "eql"`
Update License to Elastic v2 (#944 ) 2021-03-03 22:12:11 -09:00			`license = "Elastic License v2"`
[New Rule] Remote File Download via Powershell (#660 ) 2020-12-08 21:28:28 +01:00			`name = "Remote File Download via PowerShell"`
			`risk_score = 47`
			`rule_id = "33f306e8-417c-411b-965c-c2812d6d3f4d"`
			`severity = "medium"`
			`tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]`
			`type = "eql"`

			`query = '''`
			`sequence by host.id, process.entity_id with maxspan=30s`
			`[network where process.name : "powershell.exe" and network.protocol == "dns" and`
			`not dns.question.name : ("localhost", ".microsoft.com", ".azureedge.net", ".powershellgallery.com", ".windowsupdate.com", "metadata.google.internal") and`
			`not user.domain : "NT AUTHORITY"]`
			`[file where process.name : "powershell.exe" and event.type == "creation" and file.extension : ("exe", "dll", "ps1", "bat") and`
			`not file.name : "__PSScriptPolicy*.ps1"]`
			`'''`


			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`
			`[[rule.threat.technique]]`
			`id = "T1105"`
			`name = "Ingress Tool Transfer"`
			`reference = "https://attack.mitre.org/techniques/T1105/"`

[Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules (#945 ) 2021-02-17 19:49:58 -09:00
[New Rule] Remote File Download via Powershell (#660 ) 2020-12-08 21:28:28 +01:00			`[rule.threat.tactic]`
			`id = "TA0011"`
			`name = "Command and Control"`
			`reference = "https://attack.mitre.org/tactics/TA0011/"`
			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`
			`[[rule.threat.technique]]`
[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706 ) 2020-12-18 12:46:16 -09:00			`id = "T1059"`
			`name = "Command and Scripting Interpreter"`
			`reference = "https://attack.mitre.org/techniques/T1059/"`
			`[[rule.threat.technique.subtechnique]]`
			`id = "T1059.001"`
[New Rule] Remote File Download via Powershell (#660 ) 2020-12-08 21:28:28 +01:00			`name = "PowerShell"`
[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706 ) 2020-12-18 12:46:16 -09:00			`reference = "https://attack.mitre.org/techniques/T1059/001/"`
[New Rule] Remote File Download via Powershell (#660 ) 2020-12-08 21:28:28 +01:00

[Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules (#945 ) 2021-02-17 19:49:58 -09:00
[New Rule] Remote File Download via Powershell (#660 ) 2020-12-08 21:28:28 +01:00			`[rule.threat.tactic]`
			`id = "TA0002"`
			`name = "Execution"`
			`reference = "https://attack.mitre.org/tactics/TA0002/"`