[Rule Tuning] Unusual Parent-Child Relationship and Suspicious MS Office Child Process (#676)

* [Rule Tuning] Unusual Parent-Child Relationship and Suspicious MS Office Child Process

* replaced path with name for faster comparison

* added few more cases and refurl

also organized items per anomaly category

* added extra refurl plus few excep

* Update execution_suspicious_ms_office_child_process.toml

* added parenthesis

* excluded an FP
Samirbous
2020-12-09 08:55:58 +01:00
committed by GitHub
parent e272800a5d
commit 14fe63bb1e
2 changed files with 51 additions and 42 deletions
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2020/11/03"
updated_date = "2020/12/03"
[rule]
author = ["Elastic"]
@@ -12,27 +12,25 @@ macros.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
language = "eql"
license = "Elastic License"
name = "Suspicious MS Office Child Process"
risk_score = 21
risk_score = 47
rule_id = "a624863f-a70d-417f-a7d2-7a404638d47f"
severity = "low"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
type = "query"
type = "eql"
query = '''
event.category:process and event.type:(start or process_started) and
process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or
mspub.exe or powerpnt.exe or winword.exe) and
process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or
certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or
forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or
installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or
netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or
qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or
regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or
wmic.exe or wscript.exe or xwizard.exe)
process where event.type in ("start", "process_started") and
process.parent.name : ("eqnedt32.exe", "excel.exe", "fltldr.exe", "msaccess.exe", "mspub.exe", "powerpnt.exe", "winword.exe") and
process.name : ("Microsoft.Workflow.Compiler.exe", "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", "cdb.exe", "certutil.exe",
"cmd.exe", "cmstp.exe", "cscript.exe", "csi.exe", "dnx.exe", "dsget.exe", "dsquery.exe", "forfiles.exe", "fsi.exe",
"ftp.exe", "gpresult.exe", "hostname.exe", "ieexec.exe", "iexpress.exe", "installutil.exe", "ipconfig.exe", "mshta.exe",
"msxsl.exe", "nbtstat.exe", "net.exe", "net1.exe", "netsh.exe", "netstat.exe", "nltest.exe", "odbcconf.exe", "ping.exe",
"powershell.exe", "pwsh.exe", "qprocess.exe", "quser.exe", "qwinsta.exe", "rcsi.exe", "reg.exe", "regasm.exe", "regsvcs.exe",
"regsvr32.exe", "sc.exe", "schtasks.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe", "whoami.exe",
"wmic.exe", "wscript.exe", "xwizard.exe", "explorer.exe", "rundll32.exe", "hh.exe")
'''
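Review bot: The new child list at the end of the query adds `explorer.exe`, which Word and Excel legitimately spawn when a user follows a folder hyperlink or uses "open file location", so together with the raised `risk_score = 47` / `severity = "medium"` this entry is likely to become the rule's main false-positive source; either drop it or qualify it on `process.args` so that only explorer.exe launched with an executable path (rather than a folder) matches. Independently, every match in this rule keys on `process.name`, which an attacker controls simply by copying a LOLBin such as `certutil.exe` or `mshta.exe` under another file name; where the endpoint data populates it, also matching `process.pe.original_file_name` against the same list hardens the rule without changing its shape. The query block is complete within the hunk, but the rule's description and any `false_positives` section lie outside it, so the explorer.exe caveat should also be recorded there if the entry is kept.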
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2020/11/03"
updated_date = "2020/12/03"
[rule]
author = ["Elastic"]
@@ -11,39 +11,50 @@ activity on a system.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
language = "eql"
license = "Elastic License"
name = "Unusual Parent-Child Relationship"
references = [
"https://github.com/sbousseaden/Slides/blob/master/Hunting MindMaps/PNG/Windows Processes TH.map.png",
"https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/",
]
risk_score = 47
rule_id = "35df0dd8-092d-4a83-88c1-5151a804f31b"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
type = "query"
type = "eql"
query = '''
event.category:process and event.type:(start or process_started) and
process.parent.executable:* and
(process.parent.name:autochk.exe and not process.name:(chkdsk.exe or doskey.exe or WerFault.exe) or
process.parent.name:smss.exe and not process.name:(autochk.exe or smss.exe or csrss.exe or wininit.exe or winlogon.exe or WerFault.exe) or
process.name:autochk.exe and not process.parent.name:smss.exe or
process.name:(fontdrvhost.exe or dwm.exe) and not process.parent.name:(wininit.exe or winlogon.exe) or
process.name:(consent.exe or RuntimeBroker.exe or TiWorker.exe) and not process.parent.name:svchost.exe or
process.name:wermgr.exe and not process.parent.name:(svchost.exe or TiWorker.exe) or
process.name:SearchIndexer.exe and not process.parent.name:services.exe or
process.name:SearchProtocolHost.exe and not process.parent.name:(SearchIndexer.exe or dllhost.exe) or
process.name:dllhost.exe and not process.parent.name:(services.exe or svchost.exe) or
process.name:smss.exe and not process.parent.name:(System or smss.exe) or
process.name:csrss.exe and not process.parent.name:(smss.exe or svchost.exe) or
process.name:wininit.exe and not process.parent.name:smss.exe or
process.name:winlogon.exe and not process.parent.name:smss.exe or
process.name:(lsass.exe or LsaIso.exe) and not process.parent.name:wininit.exe or
process.name:LogonUI.exe and not process.parent.name:(wininit.exe or winlogon.exe) or
process.name:services.exe and not process.parent.name:wininit.exe or
process.name:svchost.exe and not process.parent.name:(MsMpEng.exe or services.exe) or
process.name:spoolsv.exe and not process.parent.name:services.exe or
process.name:taskhost.exe and not process.parent.name:(services.exe or svchost.exe) or
process.name:taskhostw.exe and not process.parent.name:(services.exe or svchost.exe) or
process.name:userinit.exe and not process.parent.name:(dwm.exe or winlogon.exe))
process where event.type in ("start", "process_started") and
process.parent.name != null and
(
/* suspicious parent processes */
(process.name:"autochk.exe" and not process.parent.name:"smss.exe") or
(process.name:("fontdrvhost.exe", "dwm.exe") and not process.parent.name:("wininit.exe", "winlogon.exe")) or
(process.name:("consent.exe", "RuntimeBroker.exe", "TiWorker.exe") and not process.parent.name:"svchost.exe") or
(process.name:"SearchIndexer.exe" and not process.parent.name:"services.exe") or
(process.name:"SearchProtocolHost.exe" and not process.parent.name:("SearchIndexer.exe", "dllhost.exe")) or
(process.name:"dllhost.exe" and not process.parent.name:("services.exe", "svchost.exe")) or
(process.name:"smss.exe" and not process.parent.name:("System", "smss.exe")) or
(process.name:"csrss.exe" and not process.parent.name:("smss.exe", "svchost.exe")) or
(process.name:"wininit.exe" and not process.parent.name:"smss.exe") or
(process.name:"winlogon.exe" and not process.parent.name:"smss.exe") or
(process.name:("lsass.exe", "LsaIso.exe") and not process.parent.name:"wininit.exe") or
(process.name:"LogonUI.exe" and not process.parent.name:("wininit.exe", "winlogon.exe")) or
(process.name:"services.exe" and not process.parent.name:"wininit.exe") or
(process.name:"svchost.exe" and not process.parent.name:("MsMpEng.exe", "services.exe")) or
(process.name:"spoolsv.exe" and not process.parent.name:"services.exe") or
(process.name:"taskhost.exe" and not process.parent.name:("services.exe", "svchost.exe")) or
(process.name:"taskhostw.exe" and not process.parent.name:("services.exe", "svchost.exe")) or
(process.name:"userinit.exe" and not process.parent.name:("dwm.exe", "winlogon.exe")) or
(process.name:("wmiprvse.exe", "wsmprovhost.exe", "winrshost.exe") and not process.parent.name:"svchost.exe") or
/* suspicious child processes */
(process.parent.name:("SearchProtocolHost.exe", "taskhost.exe", "csrss.exe") and not process.name:("werfault.exe", "wermgr.exe", "WerFaultSecure.exe")) or
(process.parent.name:"autochk.exe" and not process.name:("chkdsk.exe", "doskey.exe", "WerFault.exe")) or
(process.parent.name:"smss.exe" and not process.name:("autochk.exe", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "setupcl.exe", "WerFault.exe")) or
(process.parent.name:"wermgr.exe" and not process.name:("WerFaultSecure.exe", "wermgr.exe", "WerFault.exe")) or
(process.parent.name:"conhost.exe" and not process.name:("mscorsvw.exe", "wermgr.exe", "WerFault.exe", "WerFaultSecure.exe"))
)
'''
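Review bot: The rewrite drops the old standalone clause `process.name:wermgr.exe and not process.parent.name:(svchost.exe or TiWorker.exe)`; the new query only constrains wermgr.exe as a parent, so a wermgr.exe started by an arbitrary process no longer matches. If that is the "excluded an FP" from the commit message, a one-line `/* wermgr.exe-as-child check removed: noisy */` next to the wermgr.exe parent clause would keep the reason discoverable; otherwise restore it as `(process.name:"wermgr.exe" and not process.parent.name:("svchost.exe", "TiWorker.exe")) or`. Separately, the new clause that allows `csrss.exe` only WER children will fire on Windows 7-era hosts, where csrss.exe legitimately starts `conhost.exe`, so `conhost.exe` probably belongs in that exclusion list if such hosts are still in scope. The mixed casing (`werfault.exe` in one list, `WerFault.exe` in the others) is harmless under EQL's case-insensitive `:` operator but is worth normalising so the lists read consistently.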