From 6dc78c4703798620bcb51e7e1f78e046aa4c3d32 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Tue, 8 Dec 2020 12:37:51 +0100 Subject: [PATCH] [New Rule] Remote File Download via Scripting (#647) * [New Rule] Remote File Download via Scripting * Update rules/windows/command_and_control_remote_file_copy_scripts.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/command_and_control_remote_file_copy_scripts.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * eql syntax * ecs_version * Update rules/windows/command_and_control_remote_file_copy_scripts.toml Co-authored-by: Justin Ibarra * relinted * deleted ecs_version Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra --- ..._and_control_remote_file_copy_scripts.toml | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 rules/windows/command_and_control_remote_file_copy_scripts.toml diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml new file mode 100644 index 000000000..69aa34be0 --- /dev/null +++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml @@ -0,0 +1,44 @@ +[metadata] +creation_date = "2020/11/29" +maturity = "production" +updated_date = "2020/11/29" + +[rule] +author = ["Elastic"] +description = """ +Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file +from a remote destination. +""" +from = "now-9m" +index = ["winlogbeat-*", "logs-endpoint.events.*"] +language = "eql" +license = "Elastic License" +name = "Remote File Download via Script Interpreter" +risk_score = 43 +rule_id = "1d276579-3380-4095-ad38-e596a01bc64f" +severity = "medium" +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"] +type = "eql" + +query = ''' +sequence by host.id, process.entity_id + [network where process.name : ("wscript.exe", "cscript.exe") and network.protocol != "dns" and + network.direction == "outgoing" and network.type == "ipv4" and destination.ip != "127.0.0.1" + ] + [file where event.type == "creation" and file.extension : ("exe", "dll")] +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" +