security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Image File Execution Options Injection (#550)

Browse Source 
* [New Rule] Image File Execution Options Injection

* Update persistence_evasion_registry_ifeo_injection.toml

* Update persistence_evasion_registry_ifeo_injection.toml

* added FPs section

* eql syntax

* ecs_version

* Update rules/windows/persistence_evasion_registry_ifeo_injection.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
This commit is contained in:
Samirbous
2020-12-08 17:13:00 +01:00
committed by GitHub
parent 0e78638655
commit 0479a8f8a3
1 changed files with 48 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/persistence_evasion_registry_ifeo_injection.toml
+48
View File
@@ -0,0 +1,48 @@
[metadata]
creation_date = "2020/11/17"
maturity = "production"
updated_date = "2020/11/17"
[rule]
author = ["Elastic"]
description = """
The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a
different process to be executed. This functionality can be abused by an adversary to establish persistence.
"""
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License"
name = "Image File Execution Options Injection"
references = [
"https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
]
risk_score = 41
rule_id = "6839c821-011d-43bd-bd5b-acff00257226"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
type = "eql"
query = '''
registry where length(registry.data.strings) > 0 and
registry.path : ("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger",
"HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
"HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess") and
/* add FPs here */
not registry.data.strings : ("C:\\Program Files*\\ThinKiosk\\thinkiosk.exe", "*\\PSAppDeployToolkit\\*")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1183"
name = "Image File Execution Options Injection"
reference = "https://attack.mitre.org/techniques/T1183/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"