diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml new file mode 100644 index 000000000..55c93389a --- /dev/null +++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml @@ -0,0 +1,72 @@ +[metadata] +creation_date = "2021/01/19" +maturity = "production" +updated_date = "2021/01/19" + +[rule] +author = ["Elastic"] +description = """ +Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is +when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a +benign file type but is actually executable code. +""" +from = "now-9m" +index = ["winlogbeat-*", "logs-endpoint.events.*"] +language = "eql" +license = "Elastic License" +name = "Executable File Creation with Multiple Extensions" +risk_score = 47 +rule_id = "8b2b3a62-a598-4293-bc14-3d5fa22bb98f" +severity = "medium" +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"] +type = "eql" + +query = ''' +file where event.type == "creation" and file.extension:"exe" and + file.name: + ( + "*.vbs.exe", + "*.vbe.exe", + "*.bat.exe", + "*.js.exe", + "*.cmd.exe", + "*.wsh.exe", + "*.ps1.exe", + "*.pdf.exe", + "*.docx.exe", + "*.doc.exe", + "*.xlsx.exe", + "*.xls.exe", + "*.pptx.exe", + "*.ppt.exe", + "*.txt.exe", + "*.rtf.exe", + "*.gif.exe", + "*.jpg.exe", + "*.png.exe", + "*.bmp.exe", + "*.hta.exe", + "*.txt.exe", + "*.img.exe", + "*.iso.exe" + ) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.004" +name = "Masquerade Task or Service" +reference = "https://attack.mitre.org/techniques/T1036/004/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/"