From 32002fd89bdb792258a3a5a3a8c3e8afa5ab1f3f Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Tue, 17 Oct 2023 11:36:53 -0300
Subject: [PATCH] [New Rules] [BBR] Windows Deprecated ERs Conversion - 1 (#3131)

* [New Rules] [BBR] Windows Deprecated ERs Conversion - 1
* .
* .
* Update defense_evasion_dotnet_clickonce_dfsvc_netcon.toml
* .
---
 ...rading_unusual_archive_file_extension.toml | 67 ++++++++
 ...evasion_dotnet_clickonce_dfsvc_netcon.toml | 57 +++++++
 ...fense_evasion_injection_from_msoffice.toml | 85 ++++++++++
 ...squerading_unusual_exe_file_extension.toml | 65 ++++++++
 ...tion_delayed_via_ping_lolbas_unsigned.toml | 151 ++++++++++++++++++
 5 files changed, 425 insertions(+)
 create mode 100644 rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml
 create mode 100644 rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml
 create mode 100644 rules_building_block/defense_evasion_injection_from_msoffice.toml
 create mode 100644 rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml
 create mode 100644 rules_building_block/execution_delayed_via_ping_lolbas_unsigned.toml

diff --git a/rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml b/rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml
new file mode 100644
index 000000000..23ab605f3
--- /dev/null
+++ b/rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml
@@ -0,0 +1,67 @@
+[metadata]
+creation_date = "2023/09/25"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/25"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the creation of an archive file with an unusual extension. Attackers may attempt to evade detection by
+masquerading files using the file extension values used by image, audio, or document file types.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Archive File with Unusual Extension"
+risk_score = 21
+rule_id = "cffbaf47-9391-4e09-a83c-1f27d7474826"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+file where host.os.type == "windows" and event.action != "deletion" and
+
+  /* common archive file headers - Rar, 7z, GZIP, MSCF, XZ, ZIP */
+  file.Ext.header_bytes : ("52617221*", "377ABCAF271C*", "1F8B*", "4d534346*", "FD377A585A00*", "504B0304*", "504B0708*") and
+
+  (
+    /* common image file extensions */
+    file.extension : ("jpg", "jpeg", "emf", "tiff", "gif", "png", "bmp", "ico", "fpx", "eps", "inf") or
+
+    /* common audio and video file extensions */
+    file.extension : ("mp3", "wav", "avi", "mpeg", "flv", "wma", "wmv", "mov", "mp4", "3gp") or
+
+    /* common document file extensions */
+    (file.extension : ("doc", "docx", "rtf", "ppt", "pptx", "xls", "xlsx") and
+
+    /* exclude ZIP file header values for OPENXML documents */
+    not file.Ext.header_bytes : ("504B0304*", "504B0708*"))
+  ) and
+
+  not (process.executable : "?:\\Windows\\System32\\inetsrv\\w3wp.exe" and file.path : "?:\\inetpub\\temp\\IIS Temporary Compressed Files\\*")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.008"
+name = "Masquerade File Type"
+reference = "https://attack.mitre.org/techniques/T1036/008/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml b/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml
new file mode 100644
index 000000000..11d2c4033
--- /dev/null
+++ b/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml
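Review bot: The OOXML exclusion in the document branch is broader than its comment says: `not file.Ext.header_bytes : ("504B0304*", "504B0708*")` is applied to all seven document extensions, so a ZIP archive renamed to `.doc`, `.xls`, `.ppt` or `.rtf` (legacy OLE/RTF formats, not ZIP containers) never fires even though that is exactly the masquerade this rule is for. Scoping the exclusion to the ZIP-based extensions keeps the false-positive suppression and closes the gap: `(file.extension : ("doc", "rtf", "ppt", "xls") or (file.extension : ("docx", "pptx", "xlsx") and not file.Ext.header_bytes : ("504B0304*", "504B0708*")))`. Separately, `inf` sits in the "common image file extensions" list; if that is intentional, a short comment saying why would stop a future tuner from removing it.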
@@ -0,0 +1,57 @@
+[metadata]
+creation_date = "2023/09/25"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/25"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of DotNet ClickOnce installer via Dfsvc.exe trampoline. Adversaries may take advantage of
+ClickOnce to proxy execution of malicious payloads via trusted Microsoft processes.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Execution via Microsoft DotNet ClickOnce Host"
+risk_score = 21
+rule_id = "5297b7f1-bccd-4611-93fa-ea342a01ff84"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
+building_block_type = "default"
+type = "eql"
+
+query = '''
+sequence by user.id with maxspan=5s
+ [process where host.os.type == "windows" and event.action == "start" and
+  process.name : "rundll32.exe" and process.command_line : ("*dfshim*ShOpenVerbApplication*", "*dfshim*#*")]
+ [network where host.os.type == "windows" and process.name : "dfsvc.exe"]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1127"
+name = "Trusted Developer Utilities Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1127/"
+
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+ [[rule.threat.technique.subtechnique]]
+ id = "T1218.011"
+ name = "Rundll32"
+ reference = "https://attack.mitre.org/techniques/T1218/011/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
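Review bot: The first sequence step matches on `process.name : "rundll32.exe"` alone, so a copied or renamed rundll32 still loads dfshim but never enters the sequence; matching on the PE name as well, `(process.name : "rundll32.exe" or process.pe.original_file_name == "RUNDLL32.EXE")`, is a cheap hardening since the original file name survives a rename. The two steps are joined only by `user.id` inside 5s, presumably because dfsvc.exe is not a child of rundll32 and lineage cannot be used, but on shared hosts that will pair unrelated rundll32 and dfsvc events from the same user; a comment such as `/* joined by user.id: dfsvc.exe is launched via COM, not as a child of rundll32 */` would record that design choice so it is not "fixed" later. Unlike the other rules in this patch, this one sets no `timestamp_override = "event.ingested"`, so with `from = "now-119m"` and `interval = "60m"` an event whose ingestion lags beyond the 59-minute overlap is missed.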
diff --git a/rules_building_block/defense_evasion_injection_from_msoffice.toml b/rules_building_block/defense_evasion_injection_from_msoffice.toml
new file mode 100644
index 000000000..75c4d039f
--- /dev/null
+++ b/rules_building_block/defense_evasion_injection_from_msoffice.toml
@@ -0,0 +1,85 @@
+[metadata]
+creation_date = "2023/09/25"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/25"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel) with unusual
+process arguments and path. This behavior is often observed during exploitation of Office applications or from documents
+with malicious macros.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Process Injection from Malicious Document"
+risk_score = 21
+rule_id = "1c5a04ae-d034-41bf-b0d8-96439b5cc774"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Tactic: Initial Access", "Rule Type: BBR", "Data Source: Elastic Defend"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.action == "start" and
+  process.parent.name : ("excel.exe", "powerpnt.exe", "winword.exe") and
+  process.args_count == 1 and
+  process.executable : (
+    "?:\\Windows\\SysWOW64\\*.exe", "?:\\Windows\\system32\\*.exe"
+  ) and
+  not (process.executable : "?:\\Windows\\System32\\spool\\drivers\\x64\\*" and
+       process.code_signature.trusted == true and not process.code_signature.subject_name : "Microsoft *") and
+  not process.executable : (
+    "?:\\Windows\\Sys*\\Taskmgr.exe",
+    "?:\\Windows\\Sys*\\ctfmon.exe",
+    "?:\\Windows\\System32\\notepad.exe")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1055"
+name = "Process Injection"
+reference = "https://attack.mitre.org/techniques/T1055/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1055"
+name = "Process Injection"
+reference = "https://attack.mitre.org/techniques/T1055/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.001"
+name = "Spearphishing Attachment"
+reference = "https://attack.mitre.org/techniques/T1566/001/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml b/rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml
new file mode 100644
index 000000000..34c52ba7c
--- /dev/null
+++ b/rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml
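Review bot: The three path exclusions at the end of the query are unexplained, and `"?:\\Windows\\System32\\notepad.exe"` in particular is exactly the argument-less System32 child this rule exists to catch, so allowlisting it outright removes a plausible hollowing host from coverage. At minimum record the false-positive source inline, e.g. `/* FP tuning: Taskmgr/ctfmon/notepad presumably spawned by Office UI actions; notepad is also a plausible injection host, revisit */`, and if the exclusion came from one benign workflow, narrow it to that workflow (for example a `process.parent.args` constraint) instead of the bare path. The spool-driver clause reads as "keep Microsoft-signed binaries in scope, drop other trusted signers"; that double negation is easy to misread, so a one-line comment stating the intent would help the next tuner.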
@@ -0,0 +1,65 @@
+[metadata]
+creation_date = "2023/09/25"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/25"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the creation or modification of an executable file with an unexpected file extension. Attackers may attempt
+to evade detection by masquerading files using the file extension values used by image, audio, or document file types.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Executable File with Unusual Extension"
+risk_score = 21
+rule_id = "ecd4857b-5bac-455e-a7c9-a88b66e56a9e"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+file where host.os.type == "windows" and event.action != "deletion" and
+
+  /* MZ header or its common base64 equivalent TVqQ */
+  file.Ext.header_bytes : ("4d5a*", "54567151*") and
+
+  (
+    /* common image file extensions */
+    file.extension : ("jpg", "jpeg", "emf", "tiff", "gif", "png", "bmp", "fpx", "eps", "svg", "inf") or
+
+    /* common audio and video file extensions */
+    file.extension : ("mp3", "wav", "avi", "mpeg", "flv", "wma", "wmv", "mov", "mp4", "3gp") or
+
+    /* common document file extensions */
+    file.extension : ("txt", "pdf", "doc", "docx", "rtf", "ppt", "pptx", "xls", "xlsx", "hwp", "html")
+  ) and
+  not process.pid == 4 and
+  not process.executable : "?:\\Program Files (x86)\\Trend Micro\\Client Server Security Agent\\Ntrtscan.exe"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.008"
+name = "Masquerade File Type"
+reference = "https://attack.mitre.org/techniques/T1036/008/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules_building_block/execution_delayed_via_ping_lolbas_unsigned.toml b/rules_building_block/execution_delayed_via_ping_lolbas_unsigned.toml
new file mode 100644
index 000000000..f07cff9f8
--- /dev/null
+++ b/rules_building_block/execution_delayed_via_ping_lolbas_unsigned.toml
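Review bot: `not process.pid == 4` excludes the System process without saying why, and on Windows a file written to the host over SMB is attributed to System (PID 4), so an executable dropped through an admin share as `payload.jpg` during lateral movement is precisely the write this exclusion silences. If the aim is to suppress kernel-mode or driver file activity, record the trade-off inline, e.g. `/* PID 4 (System): suppresses kernel/driver writes, but also hides files written remotely over SMB */`, or scope the exclusion to the specific noisy `file.path` values rather than the whole process. The `Ntrtscan.exe` exclusion is path-only; pairing it with `process.code_signature.trusted == true` keeps an attacker-placed binary at that path from inheriting the allowlist.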
@@ -0,0 +1,151 @@
+[metadata]
+creation_date = "2023/09/25"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/25"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of commonly abused Windows utilities via a delayed Ping execution. This behavior is often
+observed during malware installation and is consistent with an attacker attempting to evade detection.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Delayed Execution via Ping"
+risk_score = 21
+rule_id = "e00b8d49-632f-4dc6-94a5-76153a481915"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
+type = "eql"
+building_block_type = "default"
+
+query = '''
+sequence by process.parent.entity_id with maxspan=1m
+ [process where host.os.type == "windows" and event.action == "start" and process.name : "ping.exe" and
+  process.args : "-n" and process.parent.name : "cmd.exe" and not user.id : "S-1-5-18"]
+ [process where host.os.type == "windows" and event.action == "start" and
+  process.parent.name : "cmd.exe" and
+  (
+   process.name : (
+     "rundll32.exe", "powershell.exe",
+     "mshta.exe", "msbuild.exe",
+     "certutil.exe", "regsvr32.exe",
+     "powershell.exe", "cscript.exe",
+     "wscript.exe", "wmic.exe",
+     "installutil.exe", "msxsl.exe",
+     "Microsoft.Workflow.Compiler.exe",
+     "ieexec.exe", "iexpress.exe",
+     "RegAsm.exe", "installutil.exe",
+     "RegSvcs.exe", "RegAsm.exe"
+   ) or
+   (process.executable : "?:\\Users\\*\\AppData\\*.exe" and not process.code_signature.trusted == true)
+  ) and
+
+  not process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*") and
+  not (process.name : ("openssl.exe", "httpcfg.exe", "certutil.exe") and process.parent.command_line : "*ScreenConnectConfigurator.cmd*") and
+  not (process.pe.original_file_name : "DPInst.exe" and process.command_line : "driver\\DPInst_x64 /f ") and
+  not (process.name : "powershell.exe" and process.args : "Write-Host ======*") and
+  not (process.name : "wscript.exe" and process.args : "launchquiet_args.vbs" and process.parent.args : "?:\\Windows\\TempInst\\7z*") and
+  not (process.name : "regsvr32.exe" and process.args : ("?:\\windows\\syswow64\\msxml?.dll", "msxml?.dll", "?:\\Windows\\SysWOW64\\mschrt20.ocx")) and
+  not (process.name : "wscript.exe" and
+       process.working_directory :
+         ("?:\\Windows\\TempInst\\*",
+          "?:\\Users\\*\\AppData\\Local\\Temp\\BackupBootstrapper\\Logs\\",
+          "?:\\Users\\*\\AppData\\Local\\Temp\\QBTools\\"))
+ ]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+name = "Command and Scripting Interpreter"
+id = "T1059"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+ [[rule.threat.technique.subtechnique]]
+ name = "Visual Basic"
+ id = "T1059.005"
+ reference = "https://attack.mitre.org/techniques/T1059/005/"
+
+ [[rule.threat.technique.subtechnique]]
+ name = "PowerShell"
+ id = "T1059.001"
+ reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+ [rule.threat.tactic]
+ name = "Execution"
+ id = "TA0002"
+ reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1497"
+name = "Virtualization/Sandbox Evasion"
+reference = "https://attack.mitre.org/techniques/T1497/"
+
+ [[rule.threat.technique.subtechnique]]
+ name = "Time Based Evasion"
+ id = "T1497.003"
+ reference = "https://attack.mitre.org/techniques/T1497/003/"
+
+[[rule.threat.technique]]
+name = "System Binary Proxy Execution"
+id = "T1218"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+ [[rule.threat.technique.subtechnique]]
+ name = "CMSTP"
+ id = "T1218.003"
+ reference = "https://attack.mitre.org/techniques/T1218/003/"
+
+ [[rule.threat.technique.subtechnique]]
+ name = "InstallUtil"
+ id = "T1218.004"
+ reference = "https://attack.mitre.org/techniques/T1218/004/"
+
+ [[rule.threat.technique.subtechnique]]
+ name = "Mshta"
+ id = "T1218.005"
+ reference = "https://attack.mitre.org/techniques/T1218/005/"
+
+ [[rule.threat.technique.subtechnique]]
+ name = "Regsvcs/Regasm"
+ id = "T1218.009"
+ reference = "https://attack.mitre.org/techniques/T1218/009/"
+
+ [[rule.threat.technique.subtechnique]]
+ name = "Regsvr32"
+ id = "T1218.010"
+ reference = "https://attack.mitre.org/techniques/T1218/010/"
+
+ [[rule.threat.technique.subtechnique]]
+ name = "Rundll32"
+ id = "T1218.011"
+ reference = "https://attack.mitre.org/techniques/T1218/011/"
+
+ [[rule.threat.technique]]
+ name = "System Script Proxy Execution"
+ id = "T1216"
+ reference = "https://attack.mitre.org/techniques/T1216/"
+
+ [[rule.threat.technique]]
+ name = "XSL Script Processing"
+ id = "T1220"
+ reference = "https://attack.mitre.org/techniques/T1220/"
+
+
+[rule.threat.tactic]
+name = "Defense Evasion"
+id = "TA0005"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
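Review bot: `maxspan=1m` caps the delay this rule can observe at about a minute, yet `ping -n N` sleeps roughly N-1 seconds, so `ping -n 90 127.0.0.1 && regsvr32 ...` from the same cmd.exe lands outside the window and the sequence never completes; since the join is on `process.parent.entity_id`, a wider window such as `maxspan=5m` costs little and covers the longer waits the technique is actually used for. The `process.name` list repeats `"powershell.exe"`, `"installutil.exe"` and `"RegAsm.exe"`, which is harmless to EQL but suggests the list was pasted rather than reviewed. The threat mapping claims T1218.003 (CMSTP), but `cmstp.exe` does not appear in the list; either add `"cmstp.exe"` in place of one of the duplicates or drop the sub-technique so the mapping matches what the query can fire on.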