security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Process Termination Followed by Deletion (#482)

Browse Source 
* [New Rule] Process Termination Followed by Deletion

* excluded SoftwareDistrib and WinSxS Folders

* added drive letter for better performance

* excluded signed PE

* eql syntax

* ecs_version

* Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* added few more extension as suggested by DanStep

* dropped winlogbeat due to pe.codesign

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
This commit is contained in:
Samirbous
2020-12-08 22:26:11 +01:00
committed by GitHub
parent 97fa6c62cd
commit 538aa80bba
1 changed files with 45 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
+45
View File
@@ -0,0 +1,45 @@
[metadata]
creation_date = "2020/11/04"
maturity = "production"
updated_date = "2020/11/04"
[rule]
author = ["Elastic"]
description = """
Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native
files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the
adversary's footprint.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License"
name = "Process Termination followed by Deletion"
risk_score = 47
rule_id = "09443c92-46b3-45a4-8f25-383b028b258d"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
type = "eql"
query = '''
sequence by host.id with maxspan=5s
[process where event.type == "end" and
process.code_signature.trusted == false and
not process.executable : ("C:\\Windows\\SoftwareDistribution\\*.exe", "C:\\Windows\\WinSxS\\*.exe")
] by process.executable
[file where event.type == "deletion" and file.extension : ("exe", "scr", "com")] by file.path
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal on Host"
reference = "https://attack.mitre.org/techniques/T1070/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"