[New Rule] Lolbas ImageLoad via Windows Update Client (#366)

* [New Rule] Lolbas ImageLoad via Windows Update Client * Update defense_evasion_execution_lolbas_wuauclt.toml * Update defense_evasion_execution_lolbas_wuauclt.toml * Update defense_evasion_execution_lolbas_wuauclt.toml * Update defense_evasion_execution_lolbas_wuauclt.toml * Update defense_evasion_execution_lolbas_wuauclt.toml * Update defense_evasion_execution_lolbas_wuauclt.toml * Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update defense_evasion_execution_lolbas_wuauclt.toml * removed timeline_id * new eql synthax * Update defense_evasion_execution_lolbas_wuauclt.toml * ecs_version * Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * removed new lines * Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com> * Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com> * Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * deleted ecs_version Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
2020-12-08 18:54:09 +01:00
parent 1c2166b23f
commit 5483712805
1 changed files with 46 additions and 0 deletions
@@ -0,0 +1,46 @@
+[metadata]
+creation_date = "2020/10/13"
+maturity = "production"
+updated_date = "2020/10/13"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used
+as a defense evasion technique to blend-in malicious activity with legitimate Windows software.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*", "winlogbeat-*"]
+language = "eql"
+license = "Elastic License"
+name = "ImageLoad via Windows Update Auto Update Client"
+references = ["https://dtm.uk/wuauclt/"]
+risk_score = 47
+rule_id = "edf8ee23-5ea7-4123-ba19-56b41e424ae3"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+type = "eql"
+
+query = '''
+process where event.type in ("start", "process_started") and
+  (process.pe.original_file_name == "wuauclt.exe" or process.name : "wuauclt.exe") and
+   /* necessary windows update client args to load a dll */
+   process.args : "/RunHandlerComServer" and process.args : "/UpdateDeploymentProvider" and
+   /* common paths writeable by a standard user where the target DLL can be placed */
+   process.args : ("C:\\Users\\*.dll", "C:\\ProgramData\\*.dll", "C:\\Windows\\Temp\\*.dll", "C:\\Windows\\Tasks\\*.dll")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1218"
+name = "Signed Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+