security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Potential Command and Control via IEXPLORE (#645)

Browse Source 
* [New Rule] Potential Command and Control via IEXPLORE

* Update command_and_control_iexplore_via_com.toml

* Update command_and_control_iexplore_via_com.toml

* Update rules/windows/command_and_control_iexplore_via_com.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/command_and_control_iexplore_via_com.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_iexplore_via_com.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_iexplore_via_com.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
This commit is contained in:
Samirbous
2020-11-30 21:13:30 +01:00
committed by GitHub
parent 14ef24e9dd
commit 7138b01001
1 changed files with 52 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/command_and_control_iexplore_via_com.toml
+52
View File
@@ -0,0 +1,52 @@
[metadata]
creation_date = "2020/11/28"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/28"
[rule]
author = ["Elastic"]
description = """
Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making
unusual network connections. Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making
network connections and bypass host-based firewall restrictions.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License"
name = "Potential Command and Control via Internet Explorer"
risk_score = 43
rule_id = "acd611f3-2b93-47b3-a0a3-7723bcc46f6d"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan = 1s
[process where event.type:"start" and process.parent.name:"iexplore.exe" and process.parent.args:"-Embedding"]
/* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */
[network where network.protocol : "dns" and process.name:"iexplore.exe" and
not wildcard(dns.question.name, "*.microsoft.com",
"*.digicert.com",
"*.msocsp.com",
"*.windowsupdate.com",
"*.bing.com",
"*.identrust.com")
]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"