security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Potential Command and Control via Internet Explorer (#1771)

Browse Source 
* Use user.name on the sequence instead of user.id

* Update command_and_control_iexplore_via_com.toml

* Remove min_stack and comment "with runs"

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
This commit is contained in:
Jonhnathan
2022-02-15 22:58:01 -03:00
committed by GitHub
parent 42436d3364
commit 03f60cc11c
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/command_and_control_iexplore_via_com.toml
+3 -3
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/28"
maturity = "production"
updated_date = "2021/09/23"
updated_date = "2022/02/14"
[rule]
author = ["Elastic"]
@@ -23,7 +23,7 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
type = "eql"
query = '''
sequence by host.id, user.id with maxspan = 5s
sequence by host.id, user.name with maxspan = 5s
[library where dll.name : "IEProxy.dll" and process.name : ("rundll32.exe", "regsvr32.exe")]
[process where event.type == "start" and process.parent.name : "iexplore.exe" and process.parent.args : "-Embedding"]
/* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */
@@ -40,7 +40,7 @@ sequence by host.id, user.id with maxspan = 5s
"*.office365.com",
"*.office.com"
)
]
] /* with runs=5 */
'''