From 42247efc3bb5c786e31aae6c88ac4a9cf458ea11 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Tue, 22 Sep 2020 14:32:04 +0200
Subject: [PATCH] [New Rule] Suspicious WerFault Child Process (#212)

* [New Rule] Suspicious WerFault Child Process
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
Co-authored-by: Justin Ibarra
* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
Co-authored-by: Justin Ibarra
* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
Co-authored-by: Justin Ibarra
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
* linted
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
Co-authored-by: Justin Ibarra
* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
Co-authored-by: Justin Ibarra
Co-authored-by: Justin Ibarra
---
 ...erading_suspicious_werfault_childproc.toml | 46 +++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
new file mode 100644
index 000000000..e4772d4bd
--- /dev/null
+++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
@@ -0,0 +1,46 @@
+[metadata]
+creation_date = "2020/08/24"
+ecs_version = ["1.6.0"]
+maturity = "production"
+updated_date = "2020/08/24"
+
+[rule]
+author = ["Elastic"]
+description = """
+A suspicious WerFault child process was detected, which may indicate an attempt to run unnoticed. Verify process details
+such as command line, network connections, file writes and parent process details as well.
+"""
+false_positives = ["Custom Windows Error Reporting Debugger"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
+language = "kuery"
+license = "Elastic License"
+name = "Suspicious WerFault Child Process"
+references = [
+ "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
+ "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx",
+]
+risk_score = 47
+rule_id = "ac5012b8-8da8-440b-aaaf-aedafdea2dff"
+severity = "medium"
+tags = ["Elastic", "Windows"]
+type = "query"
+
+query = '''
+event.category:process and event.type:(start or process_started) and
+ process.parent.name:WerFault.exe and
+ not process.name:(cofire.exe or psr.exe or VsJITDebugger.exe or TTTracer.exe or rundll32.exe)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
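Review bot: The exclusion `not process.name:(cofire.exe or psr.exe or VsJITDebugger.exe or TTTracer.exe or rundll32.exe)` in the `query` block keys the allow-list on the file name alone, so any WerFault.exe child that merely carries one of those names is suppressed, which is an odd gap for a rule filed under T1036 Masquerading. Scoping the broadest entry to its expected location, e.g. `not (process.name:rundll32.exe and process.executable:("C:\\Windows\\System32\\rundll32.exe" or "C:\\Windows\\SysWOW64\\rundll32.exe"))`, keeps the legitimate WER helper launch quiet while still alerting on a same-named binary started from a user-writable path; this presumes process.executable is populated in the listed indices, which the hunk does not show. A short comment above the exclusion recording why each binary is expected under WerFault.exe (debugger hand-offs and the WER helper) would also make later tuning safer, since the false_positives entry only accounts for a custom debugger.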