diff --git a/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml b/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml similarity index 83% rename from rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml rename to rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml index 60798ca9d..ea1ef34c0 100644 --- a/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml +++ b/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml @@ -1,5 +1,4 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/08/04" integration = ["endpoint"] maturity = "production" @@ -7,7 +6,6 @@ updated_date = "2024/05/31" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies suspicious child processes of communications apps, which can indicate a potential masquerading as the communication app or the exploitation of a vulnerability on the application causing it to execute code. @@ -17,16 +15,15 @@ index = ["logs-endpoint.events.process-*"] language = "eql" license = "Elastic License v2" name = "Suspicious Communication App Child Process" -risk_score = 21 +risk_score = 47 rule_id = "adbfa3ee-777e-4747-b6b0-7bd645f30880" -severity = "low" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", - "Rule Type: BBR", "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" @@ -74,6 +71,7 @@ process where host.os.type == "windows" and event.type == "start" and "?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\Windows\\System32\\WerFault.exe", + "?:\\Windows\\SysWOW64\\WerFault.exe", "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe", "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe", "?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\opera.exe" 
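Review bot: `updated_date` in the moved rule still reads `2024/05/31` — it only appears as the function context of the `@@ -7,7 +6,6 @@` hunk and is not touched anywhere in this diff — even though this commit changes the rule's `risk_score`, `severity`, `tags` and query. The new sibling rule in this same commit carries `updated_date = "2025/01/10"`, so the promoted rule should be bumped to match, e.g. `updated_date = "2025/01/10"`. The repository's rule-versioning checks are likely to expect the date to move whenever rule content changes, so leaving it stale may fail CI or under-report the change to consumers.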
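Review bot: The `"?:\\Windows\\SysWOW64\\WerFault.exe"` entry added in the `@@ -74,6 +71,7 @@` hunk is repeated verbatim in the hunks at old lines 159, 186 and 241, and the `Program Files` / `System32\\WerFault.exe` entries already recur in every per-application block. Since each block has the shape `parent and not ((process.executable : (common, specific) and process.code_signature.trusted == true) or ...)`, the shared allowlist could be hoisted once ahead of the per-parent disjunction as `not (process.executable : (<common paths>) and process.code_signature.trusted == true)` without changing which events match, so future additions like this one land in one place instead of four. The enclosing query starts and ends outside these hunks, so confirm every block pairs its common paths with the same `trusted == true` condition before factoring.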
@@ -159,6 +157,7 @@ process where host.os.type == "windows" and event.type == "start" and
 "?:\\Program Files\\*",
 "?:\\Program Files (x86)\\*",
 "?:\\Windows\\System32\\WerFault.exe",
+ "?:\\Windows\\SysWOW64\\WerFault.exe",
 "?:\\Windows\\System32\\reg.exe",
 "?:\\Windows\\SysWOW64\\reg.exe"
 ) and process.code_signature.trusted == true
@@ -186,7 +185,8 @@ process where host.os.type == "windows" and event.type == "start" and
 "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
 "?:\\Users\\*\\AppData\\Local\\Island\\Island\\Application\\Island.exe",
 "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
- "?:\\Windows\\System32\\WerFault.exe"
+ "?:\\Windows\\System32\\WerFault.exe",
+ "?:\\Windows\\SysWOW64\\WerFault.exe"
 ) and process.code_signature.trusted == true
 ) or
 (
@@ -197,42 +197,6 @@ process where host.os.type == "windows" and event.type == "start" and ) ) or - /* Outlook */ - (process.parent.name : "outlook.exe" and not - ( - ( - process.executable : ( - "?:\\Program Files\\*", - "?:\\Program Files (x86)\\*", - "?:\\Windows\\System32\\WerFault.exe", - "?:\\Windows\\SysWOW64\\WerFault.exe", - "?:\\Windows\\system32\\wermgr.exe", - "?:\\Users\\*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe", - "?:\\Users\\*\\AppData\\Local\\Temp\\NewOutlookInstall\\NewOutlookInstaller.exe", - "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe", - "?:\\Users\\*\\AppData\\Local\\Island\\Island\\Application\\Island.exe", - "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe", - "?:\\Users\\*\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe", - "?:\\Windows\\System32\\IME\\SHARED\\IMEWDBLD.EXE", - "?:\\Windows\\System32\\spool\\drivers\\x64\\*", - "?:\\Windows\\System32\\prevhost.exe", - "?:\\Windows\\System32\\dwwin.exe", - "?:\\Windows\\System32\\mspaint.exe", - "?:\\Windows\\SysWOW64\\mspaint.exe", - "?:\\Windows\\System32\\notepad.exe", - "?:\\Windows\\SysWOW64\\notepad.exe", - "?:\\Windows\\System32\\smartscreen.exe", - "?:\\Windows\\explorer.exe", - "?:\\Windows\\splwow64.exe" - ) and process.code_signature.trusted == true - ) or - ( - process.name : "rundll32.exe" and - process.args : "*hpmsn???.dll,MonitorPrintJobStatus*" - ) - ) - ) or - /* Thunderbird */ (process.parent.name : "thunderbird.exe" and not ( @@ -241,6 +205,7 @@ process where host.os.type == "windows" and event.type == "start" and "?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\Windows\\System32\\WerFault.exe", + "?:\\Windows\\SysWOW64\\WerFault.exe", "?:\\Windows\\splwow64.exe" ) and process.code_signature.trusted == true ) or diff --git a/rules_building_block/defense_evasion_outlook_suspicious_child.toml b/rules_building_block/defense_evasion_outlook_suspicious_child.toml new file mode 100644 index 000000000..90c03a8a6 --- /dev/null 
+++ b/rules_building_block/defense_evasion_outlook_suspicious_child.toml 
@@ -0,0 +1,112 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2025/01/10"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/01/10"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Identifies suspicious child processes spawned by MS Outlook, which can indicate a potential masquerading or the
+exploitation of a vulnerability on the application causing it to execute code.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.process-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious Outlook Child Process"
+risk_score = 21
+rule_id = "6cf17149-a8e3-44ec-9ec9-fdc8535547a1"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Persistence",
+ "Rule Type: BBR",
+ "Data Source: Elastic Defend",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.parent.name : "outlook.exe" and
+ not (
+ (
+ process.executable : (
+ "?:\\Program Files\\*",
+ "?:\\Program Files (x86)\\*",
+ "?:\\Windows\\System32\\WerFault.exe",
+ "?:\\Windows\\SysWOW64\\WerFault.exe",
+ "?:\\Windows\\system32\\wermgr.exe",
+ "?:\\Users\\*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
+ "?:\\Users\\*\\AppData\\Local\\Temp\\NewOutlookInstall\\NewOutlookInstaller.exe",
+ "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
+ "?:\\Users\\*\\AppData\\Local\\Island\\Island\\Application\\Island.exe",
+ "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
+ "?:\\Users\\*\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe",
+ "?:\\Windows\\System32\\IME\\SHARED\\IMEWDBLD.EXE",
+ "?:\\Windows\\System32\\spool\\drivers\\x64\\*",
+ "?:\\Windows\\System32\\prevhost.exe",
+ "?:\\Windows\\System32\\dwwin.exe",
+ "?:\\Windows\\System32\\mspaint.exe",
+ "?:\\Windows\\SysWOW64\\mspaint.exe",
+ "?:\\Windows\\System32\\notepad.exe",
+ "?:\\Windows\\SysWOW64\\notepad.exe",
+ "?:\\Windows\\System32\\smartscreen.exe",
+ "?:\\Windows\\explorer.exe",
+ "?:\\Windows\\splwow64.exe"
+ ) and process.code_signature.trusted == true
+ ) or
+ (
+ process.name : "rundll32.exe" and
+ process.args : "*hpmsn???.dll,MonitorPrintJobStatus*"
+ )
+ )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.001"
+name = "Invalid Code Signature"
+reference = "https://attack.mitre.org/techniques/T1036/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1036.005"
+name = "Match Legitimate Name or Location"
+reference = "https://attack.mitre.org/techniques/T1036/005/"
+
+
+[[rule.threat.technique]]
+id = "T1055"
+name = "Process Injection"
+reference = "https://attack.mitre.org/techniques/T1055/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1554"
+name = "Compromise Host Software Binary"
+reference = "https://attack.mitre.org/techniques/T1554/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
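Review bot: The `rundll32.exe` carve-out in the new rule's query keys only on `process.name` and `process.args`, so unlike the exclusion list directly above it, it is not tied to a system path or to `process.code_signature.trusted == true`; a child named `rundll32.exe` carrying the `hpmsn` argument pattern is excluded wherever it was launched from. Pin it the same way as its neighbour: `process.executable : ("?:\\Windows\\System32\\rundll32.exe", "?:\\Windows\\SysWOW64\\rundll32.exe") and` / `process.code_signature.trusted == true and` / `process.args : "*hpmsn???.dll,MonitorPrintJobStatus*"`. Separately, `"?:\\Windows\\system32\\wermgr.exe"` spells `system32` in lowercase while every other entry writes `System32`; EQL's `:` comparison is case-insensitive so this does not affect matching, but normalizing the casing keeps the allowlist easy to audit.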