security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Suspicious Communication App Child Process (#4369)

Browse Source
This commit is contained in:
Jonhnathan
2025-01-15 12:13:10 -03:00
committed by GitHub
parent cc00963fc3
commit 447fce3b08
2 changed files with 119 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml → rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
+7 -42
View File
@@ -1,5 +1,4 @@
[metadata]
bypass_bbr_timing = true
creation_date = "2023/08/04"
integration = ["endpoint"]
maturity = "production"
@@ -7,7 +6,6 @@ updated_date = "2024/05/31"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Identifies suspicious child processes of communications apps, which can indicate a potential masquerading as the
communication app or the exploitation of a vulnerability on the application causing it to execute code.
@@ -17,16 +15,15 @@ index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Communication App Child Process"
risk_score = 21
risk_score = 47
rule_id = "adbfa3ee-777e-4747-b6b0-7bd645f30880"
severity = "low"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Tactic: Persistence",
"Rule Type: BBR",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
@@ -74,6 +71,7 @@ process where host.os.type == "windows" and event.type == "start" and
"?:\\Program Files\\*",
"?:\\Program Files (x86)\\*",
"?:\\Windows\\System32\\WerFault.exe",
"?:\\Windows\\SysWOW64\\WerFault.exe",
"?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
"?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\opera.exe"
@@ -159,6 +157,7 @@ process where host.os.type == "windows" and event.type == "start" and
"?:\\Program Files\\*",
"?:\\Program Files (x86)\\*",
"?:\\Windows\\System32\\WerFault.exe",
"?:\\Windows\\SysWOW64\\WerFault.exe",
"?:\\Windows\\System32\\reg.exe",
"?:\\Windows\\SysWOW64\\reg.exe"
) and process.code_signature.trusted == true
@@ -186,7 +185,8 @@ process where host.os.type == "windows" and event.type == "start" and
"?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Users\\*\\AppData\\Local\\Island\\Island\\Application\\Island.exe",
"?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
"?:\\Windows\\System32\\WerFault.exe"
"?:\\Windows\\System32\\WerFault.exe",
"?:\\Windows\\SysWOW64\\WerFault.exe"
) and process.code_signature.trusted == true
) or
(
@@ -197,42 +197,6 @@ process where host.os.type == "windows" and event.type == "start" and
)
) or
/* Outlook */
(process.parent.name : "outlook.exe" and not
(
(
process.executable : (
"?:\\Program Files\\*",
"?:\\Program Files (x86)\\*",
"?:\\Windows\\System32\\WerFault.exe",
"?:\\Windows\\SysWOW64\\WerFault.exe",
"?:\\Windows\\system32\\wermgr.exe",
"?:\\Users\\*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
"?:\\Users\\*\\AppData\\Local\\Temp\\NewOutlookInstall\\NewOutlookInstaller.exe",
"?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Users\\*\\AppData\\Local\\Island\\Island\\Application\\Island.exe",
"?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
"?:\\Users\\*\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe",
"?:\\Windows\\System32\\IME\\SHARED\\IMEWDBLD.EXE",
"?:\\Windows\\System32\\spool\\drivers\\x64\\*",
"?:\\Windows\\System32\\prevhost.exe",
"?:\\Windows\\System32\\dwwin.exe",
"?:\\Windows\\System32\\mspaint.exe",
"?:\\Windows\\SysWOW64\\mspaint.exe",
"?:\\Windows\\System32\\notepad.exe",
"?:\\Windows\\SysWOW64\\notepad.exe",
"?:\\Windows\\System32\\smartscreen.exe",
"?:\\Windows\\explorer.exe",
"?:\\Windows\\splwow64.exe"
) and process.code_signature.trusted == true
) or
(
process.name : "rundll32.exe" and
process.args : "*hpmsn???.dll,MonitorPrintJobStatus*"
)
)
) or
/* Thunderbird */
(process.parent.name : "thunderbird.exe" and not
(
@@ -241,6 +205,7 @@ process where host.os.type == "windows" and event.type == "start" and
"?:\\Program Files\\*",
"?:\\Program Files (x86)\\*",
"?:\\Windows\\System32\\WerFault.exe",
"?:\\Windows\\SysWOW64\\WerFault.exe",
"?:\\Windows\\splwow64.exe"
) and process.code_signature.trusted == true
) or
rules_building_block/defense_evasion_outlook_suspicious_child.toml
+112
View File
@@ -0,0 +1,112 @@
[metadata]
bypass_bbr_timing = true
creation_date = "2025/01/10"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/10"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Identifies suspicious child processes spawned by MS Outlook, which can indicate a potential masquerading or the
exploitation of a vulnerability on the application causing it to execute code.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Outlook Child Process"
risk_score = 21
rule_id = "6cf17149-a8e3-44ec-9ec9-fdc8535547a1"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Tactic: Persistence",
"Rule Type: BBR",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
process.parent.name : "outlook.exe" and
not (
(
process.executable : (
"?:\\Program Files\\*",
"?:\\Program Files (x86)\\*",
"?:\\Windows\\System32\\WerFault.exe",
"?:\\Windows\\SysWOW64\\WerFault.exe",
"?:\\Windows\\system32\\wermgr.exe",
"?:\\Users\\*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
"?:\\Users\\*\\AppData\\Local\\Temp\\NewOutlookInstall\\NewOutlookInstaller.exe",
"?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Users\\*\\AppData\\Local\\Island\\Island\\Application\\Island.exe",
"?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
"?:\\Users\\*\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe",
"?:\\Windows\\System32\\IME\\SHARED\\IMEWDBLD.EXE",
"?:\\Windows\\System32\\spool\\drivers\\x64\\*",
"?:\\Windows\\System32\\prevhost.exe",
"?:\\Windows\\System32\\dwwin.exe",
"?:\\Windows\\System32\\mspaint.exe",
"?:\\Windows\\SysWOW64\\mspaint.exe",
"?:\\Windows\\System32\\notepad.exe",
"?:\\Windows\\SysWOW64\\notepad.exe",
"?:\\Windows\\System32\\smartscreen.exe",
"?:\\Windows\\explorer.exe",
"?:\\Windows\\splwow64.exe"
) and process.code_signature.trusted == true
) or
(
process.name : "rundll32.exe" and
process.args : "*hpmsn???.dll,MonitorPrintJobStatus*"
)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.001"
name = "Invalid Code Signature"
reference = "https://attack.mitre.org/techniques/T1036/001/"
[[rule.threat.technique.subtechnique]]
id = "T1036.005"
name = "Match Legitimate Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/"
[[rule.threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1554"
name = "Compromise Host Software Binary"
reference = "https://attack.mitre.org/techniques/T1554/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"