From 7138b0100137cd3631441824935ea9a066bbaba6 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 30 Nov 2020 21:13:30 +0100
Subject: [PATCH] [New Rule] Potential Command and Control via IEXPLORE (#645)

* [New Rule] Potential Command and Control via IEXPLORE

* Update command_and_control_iexplore_via_com.toml

* Update command_and_control_iexplore_via_com.toml

* Update rules/windows/command_and_control_iexplore_via_com.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/command_and_control_iexplore_via_com.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_iexplore_via_com.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_iexplore_via_com.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
---
 .../command_and_control_iexplore_via_com.toml | 52 +++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 rules/windows/command_and_control_iexplore_via_com.toml

diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml
new file mode 100644
index 000000000..84799483b
--- /dev/null
+++ b/rules/windows/command_and_control_iexplore_via_com.toml
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2020/11/28"
+ecs_version = ["1.6.0"]
+maturity = "production"
+updated_date = "2020/11/28"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making
+unusual network connections. Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making
+network connections and bypass host-based firewall restrictions.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License"
+name = "Potential Command and Control via Internet Explorer"
+risk_score = 43
+rule_id = "acd611f3-2b93-47b3-a0a3-7723bcc46f6d"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
+type = "eql"
+
+query = '''
+sequence by host.id, process.entity_id with maxspan = 1s
+  [process where event.type:"start" and process.parent.name:"iexplore.exe" and process.parent.args:"-Embedding"]
+  /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */
+  [network where network.protocol : "dns" and process.name:"iexplore.exe" and
+   not wildcard(dns.question.name, "*.microsoft.com", 
+                                   "*.digicert.com", 
+                                   "*.msocsp.com", 
+                                   "*.windowsupdate.com", 
+                                   "*.bing.com",
+                                   "*.identrust.com")
+  ]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+