diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml new file mode 100644 index 000000000..84799483b --- /dev/null +++ b/rules/windows/command_and_control_iexplore_via_com.toml @@ -0,0 +1,52 @@ +[metadata] +creation_date = "2020/11/28" +ecs_version = ["1.6.0"] +maturity = "production" +updated_date = "2020/11/28" + +[rule] +author = ["Elastic"] +description = """ +Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making +unusual network connections. Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making +network connections and bypass host-based firewall restrictions. +""" +from = "now-9m" +index = ["winlogbeat-*", "logs-endpoint.events.*"] +language = "eql" +license = "Elastic License" +name = "Potential Command and Control via Internet Explorer" +risk_score = 43 +rule_id = "acd611f3-2b93-47b3-a0a3-7723bcc46f6d" +severity = "medium" +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"] +type = "eql" + +query = ''' +sequence by host.id, process.entity_id with maxspan = 1s + [process where event.type:"start" and process.parent.name:"iexplore.exe" and process.parent.args:"-Embedding"] + /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */ + [network where network.protocol : "dns" and process.name:"iexplore.exe" and + not wildcard(dns.question.name, "*.microsoft.com", + "*.digicert.com", + "*.msocsp.com", + "*.windowsupdate.com", + "*.bing.com", + "*.identrust.com") + ] +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" +