From 16a49b3278a444f5ae234eb528320655ee4e2f40 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Tue, 8 Dec 2020 19:23:48 +0100 Subject: [PATCH] [New Rule] Windows Script Executing a Process via WMI (#643) * [New Rule] Windows Script Executing a Process via WMI * Update execution_scripts_process_started_via_wmi.toml * Update execution_scripts_process_started_via_wmi.toml * Update rules/windows/execution_scripts_process_started_via_wmi.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/execution_scripts_process_started_via_wmi.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/execution_scripts_process_started_via_wmi.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * increased maxspan * eql syntax * deleted ecs_version * Update rules/windows/execution_scripts_process_started_via_wmi.toml Co-authored-by: Justin Ibarra * Update rules/windows/execution_scripts_process_started_via_wmi.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/execution_scripts_process_started_via_wmi.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> --- ...ution_scripts_process_started_via_wmi.toml | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 rules/windows/execution_scripts_process_started_via_wmi.toml diff --git a/rules/windows/execution_scripts_process_started_via_wmi.toml b/rules/windows/execution_scripts_process_started_via_wmi.toml new file mode 100644 index 000000000..504f6715a --- /dev/null +++ b/rules/windows/execution_scripts_process_started_via_wmi.toml @@ -0,0 +1,77 @@ +[metadata] +creation_date = "2020/11/27" +maturity = "production" +updated_date = "2020/11/27" + +[rule] +author = ["Elastic"] +description = """ +Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management +Instrumentation (WMI). This may be indicative of malicious activity. +""" +from = "now-9m" +index = ["winlogbeat-*", "logs-endpoint.events.*"] +language = "eql" +license = "Elastic License" +name = "Windows Script Interpreter Executing Process via WMI" +risk_score = 47 +rule_id = "b64b183e-1a76-422d-9179-7b389513e74d" +severity = "medium" +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"] +type = "eql" + +query = ''' +sequence by host.id with maxspan=5s + [library where file.name : "wmiutils.dll" and process.name : ("wscript.exe", "cscript.exe")] + [process where event.type in ("start", "process_started") and + process.parent.name : "wmiprvse.exe" and + user.domain != "NT AUTHORITY" and + (process.pe.original_file_name in + ( + "cscript.exe", + "wscript.exe", + "PowerShell.EXE", + "Cmd.Exe", + "MSHTA.EXE", + "RUNDLL32.EXE", + "REGSVR32.EXE", + "MSBuild.exe", + "InstallUtil.exe", + "RegAsm.exe", + "RegSvcs.exe", + "msxsl.exe", + "CONTROL.EXE", + "EXPLORER.EXE", + "Microsoft.Workflow.Compiler.exe", + "msiexec.exe" + ) or + process.executable : ("C:\\Users\\*.exe", "C:\\ProgramData\\*.exe") + ) + ] +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1193" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1193/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/"