security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Behavior Rule for CVE-2021-40444 Exploitation (#1479)

Browse Source 
* [New Rule] Behavior Rule for CVE-2021-40444 Exploitation

* added a ref

* replaced \ with /

* removed unecessary wildcard
This commit is contained in:
Samirbous
2021-09-08 21:26:14 +02:00
committed by GitHub
parent cb27c686e0
commit 0875c1e4c4
1 changed files with 62 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
+62
View File
@@ -0,0 +1,62 @@
[metadata]
creation_date = "2021/09/08"
maturity = "production"
updated_date = "2021/09/08"
[rule]
author = ["Elastic"]
description = """
Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value.
Adversaries may abuse Control.exe to proxy execution of malicious code.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Control Panel Process with Unusual Arguments"
references = ["https://www.joesandbox.com/analysis/476188/1/html"]
risk_score = 73
rule_id = "416697ae-e468-4093-a93d-59661fa619ec"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type in ("start", "process_started") and
process.executable : ("?:\\Windows\\SysWOW64\\control.exe", "?:\\Windows\\System32\\control.exe") and
process.command_line :
("*.jpg*",
"*.png*",
"*.gif*",
"*.bmp*",
"*.jpeg*",
"*.TIFF*",
"*.inf*",
"*.dat*",
"*.cpl:*/*",
"*../../..*",
"*/AppData/Local/*",
"*:\\Users\\Public\\*",
"*\\AppData\\Local\\*")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
reference = "https://attack.mitre.org/techniques/T1218/"
name = "Signed Binary Proxy Execution"
id = "T1218"
[[rule.threat.technique.subtechnique]]
reference = "https://attack.mitre.org/techniques/T1218/002/"
name = "Control Panel"
id = "T1218.002"
[rule.threat.tactic]
reference = "https://attack.mitre.org/tactics/TA0005/"
name = "Defense Evasion"
id = "TA0005"