From 25493a90c9280b56bf74f76902fe4ee432dbebd9 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Fri, 22 Jul 2022 16:21:53 +0200
Subject: [PATCH] [New Rule] Suspicious HTML File Creation (#2068)

* [New Rule] Suspicious HTML File Creation
* Update initial_access_evasion_suspicious_htm_file_creation.toml
* Update non-ecs-schema.json
* Update initial_access_evasion_suspicious_htm_file_creation.toml
* Update rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
Co-authored-by: Jonhnathan
(cherry picked from commit d312f49117d01f94e57e5b750805c2525159f09c)
---
 detection_rules/etc/non-ecs-schema.json | 4 +-
 ..._evasion_suspicious_htm_file_creation.toml | 91 +++++++++++++++++++
 2 files changed, 94 insertions(+), 1 deletion(-)
 create mode 100644 rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index d6f47d23b..8ff48b7fd 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -52,7 +52,9 @@
 "logs-endpoint.events.*": {
 "process.Ext.token.integrity_level_name": "keyword",
 "process.parent.Ext.real.pid": "long",
- "file.Ext.header_bytes": "keyword"
+ "file.Ext.header_bytes": "keyword",
+ "file.Ext.entropy": "long",
+ "file.size": "long"
 },
 "logs-windows.*": {
 "powershell.file.script_block_text": "text"
diff --git a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
new file mode 100644
index 000000000..89d55f8ae
--- /dev/null
+++ b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
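Review bot: In the non-ecs-schema.json hunk, `file.Ext.entropy` is registered as `long`, while file entropy is conventionally a fractional Shannon value; if the endpoint emits it as a floating-point field, the validator will accept integer-only assumptions that the live mapping does not share. Confirm the type against the endpoint's field mapping and, if it is fractional, use `"file.Ext.entropy": "double"` so rule validation matches the data. `file.size` is an ECS-defined field; if the ECS version the repository pins already includes it, the second added line duplicates it and can be dropped.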
@@ -0,0 +1,91 @@
+[metadata]
+creation_date = "2022/07/03"
+maturity = "production"
+updated_date = "2022/07/03"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of a browser process to open an HTML file with high entropy and size. Adversaries may smuggle
+data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious HTML File Creation"
+note = """## Setup
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
+risk_score = 47
+rule_id = "f0493cb4-9b15-43a9-9359-68c23a7f2cf3"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access"]
+type = "eql"
+
+query = '''
+sequence by user.id with maxspan=5m
+ [file where event.action in ("creation", "rename") and
+ file.extension : ("htm", "html") and
+ file.path : ("?:\\Users\\*\\Downloads\\*",
+ "?:\\Users\\*\\Content.Outlook\\*",
+ "?:\\Users\\*\\AppData\\Local\\Temp\\Temp?_*",
+ "?:\\Users\\*\\AppData\\Local\\Temp\\7z*",
+ "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*") and
+ ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000)]
+ [process where event.action == "start" and
+ (
+ (process.name in ("chrome.exe", "msedge.exe", "brave.exe", "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "opera.exe")
+ and process.args == "--single-argument") or
+ (process.name == "iexplore.exe" and process.args_count == 2) or
+ (process.name in ("firefox.exe", "waterfox.exe") and process.args == "-url")
+ )
+ and process.args : ("?:\\Users\\*\\Downloads\\*.htm*",
+ "?:\\Users\\*\\Content.Outlook\\*.htm*",
+ "?:\\Users\\*\\AppData\\Local\\Temp\\Temp?_*.htm*",
+ "?:\\Users\\*\\AppData\\Local\\Temp\\7z*.htm*",
+ "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*.htm*")]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.001"
+name = "Spearphishing Attachment"
+reference = "https://attack.mitre.org/techniques/T1566/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1566.002"
+name = "Spearphishing Link"
+reference = "https://attack.mitre.org/techniques/T1566/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
+[[rule.threat.technique.subtechnique]]
+id = "T1027.006"
+name = "HTML Smuggling"
+reference = "https://attack.mitre.org/techniques/T1027/006/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"