[New Rule] Windows Script Executing a Process via WMI (#643)
* [New Rule] Windows Script Executing a Process via WMI * Update execution_scripts_process_started_via_wmi.toml * Update execution_scripts_process_started_via_wmi.toml * Update rules/windows/execution_scripts_process_started_via_wmi.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/execution_scripts_process_started_via_wmi.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/execution_scripts_process_started_via_wmi.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * increased maxspan * eql syntax * deleted ecs_version * Update rules/windows/execution_scripts_process_started_via_wmi.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_scripts_process_started_via_wmi.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/execution_scripts_process_started_via_wmi.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
This commit is contained in:
Samirbous
@@ -0,0 +1,77 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/27"
|
||||
maturity = "production"
|
||||
updated_date = "2020/11/27"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management
|
||||
Instrumentation (WMI). This may be indicative of malicious activity.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["winlogbeat-*", "logs-endpoint.events.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License"
|
||||
name = "Windows Script Interpreter Executing Process via WMI"
|
||||
risk_score = 47
|
||||
rule_id = "b64b183e-1a76-422d-9179-7b389513e74d"
|
||||
severity = "medium"
|
||||
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
sequence by host.id with maxspan=5s
|
||||
[library where file.name : "wmiutils.dll" and process.name : ("wscript.exe", "cscript.exe")]
|
||||
[process where event.type in ("start", "process_started") and
|
||||
process.parent.name : "wmiprvse.exe" and
|
||||
user.domain != "NT AUTHORITY" and
|
||||
(process.pe.original_file_name in
|
||||
(
|
||||
"cscript.exe",
|
||||
"wscript.exe",
|
||||
"PowerShell.EXE",
|
||||
"Cmd.Exe",
|
||||
"MSHTA.EXE",
|
||||
"RUNDLL32.EXE",
|
||||
"REGSVR32.EXE",
|
||||
"MSBuild.exe",
|
||||
"InstallUtil.exe",
|
||||
"RegAsm.exe",
|
||||
"RegSvcs.exe",
|
||||
"msxsl.exe",
|
||||
"CONTROL.EXE",
|
||||
"EXPLORER.EXE",
|
||||
"Microsoft.Workflow.Compiler.exe",
|
||||
"msiexec.exe"
|
||||
) or
|
||||
process.executable : ("C:\\Users\\*.exe", "C:\\ProgramData\\*.exe")
|
||||
)
|
||||
]
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1193"
|
||||
name = "Spearphishing Attachment"
|
||||
reference = "https://attack.mitre.org/techniques/T1193/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0002"
|
||||
name = "Execution"
|
||||
reference = "https://attack.mitre.org/tactics/TA0002/"
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1047"
|
||||
name = "Windows Management Instrumentation"
|
||||
reference = "https://attack.mitre.org/techniques/T1047/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0002"
|
||||
name = "Execution"
|
||||
reference = "https://attack.mitre.org/tactics/TA0002/"
|
||||
Reference in New Issue
Block a user