From 74222f86ebed1ad6efae97b50fdff568c2c09295 Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Tue, 17 Oct 2023 14:16:28 -0300 Subject: [PATCH] [New Rules] [BBR] Windows Deprecated ERs Conversion - 3 (#3143) * [New Rules] [BBR] Windows Deprecated ERs Conversion - 3 * Update defense_evasion_invalid_codesign_imageload.toml * Update defense_evasion_invalid_codesign_imageload.toml * Update rules_building_block/initial_access_execution_remote_via_msiexec.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update rules_building_block/initial_access_xsl_script_execution_via_com.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules_building_block/initial_access_execution_remote_via_msiexec.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> --- ...se_evasion_invalid_codesign_imageload.toml | 55 +++++++++++ ...access_execution_from_removable_media.toml | 51 ++++++++++ ...l_access_execution_remote_via_msiexec.toml | 94 +++++++++++++++++++ ...l_access_xsl_script_execution_via_com.toml | 72 ++++++++++++++ 4 files changed, 272 insertions(+) create mode 100644 rules_building_block/defense_evasion_invalid_codesign_imageload.toml create mode 100644 rules_building_block/initial_access_execution_from_removable_media.toml create mode 100644 rules_building_block/initial_access_execution_remote_via_msiexec.toml create mode 100644 rules_building_block/initial_access_xsl_script_execution_via_com.toml diff --git a/rules_building_block/defense_evasion_invalid_codesign_imageload.toml b/rules_building_block/defense_evasion_invalid_codesign_imageload.toml new file mode 100644 index 000000000..b80aa386a --- /dev/null +++ b/rules_building_block/defense_evasion_invalid_codesign_imageload.toml 
@@ -0,0 +1,55 @@
+[metadata]
+creation_date = "2023/09/27"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/27"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies binaries that are loaded and with an invalid code signature. This may indicate an attempt to masquerade as a
+signed binary.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Image Loaded with Invalid Signature"
+risk_score = 21
+rule_id = "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+library where host.os.type == "windows" and event.action == "load" and
+  dll.code_signature.status : ("errorUntrustedRoot", "errorBadDigest", "errorUntrustedRoot") and
+  (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and
+  not startswith~(dll.name, process.name) and
+  not dll.path : (
+    "?:\\Windows\\System32\\DriverStore\\FileRepository\\*"
+  )
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1036.001"
+name = "Invalid Code Signature"
+reference = "https://attack.mitre.org/techniques/T1036/001/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
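Review bot: The `dll.code_signature.status` list in the query names `"errorUntrustedRoot"` twice, so the rule effectively matches only two statuses; the duplicate reads as a placeholder for a third status that was meant to be covered. Confirm the intended value against the status values the endpoint integration emits and replace the second entry, or if only two were intended drop it: `dll.code_signature.status : ("errorUntrustedRoot", "errorBadDigest") and`. The `500` threshold on `dll.Ext.relative_file_creation_time` and `dll.Ext.relative_file_name_modify_time` carries no unit in the field name; a trailing `/* unit: … */` comment naming the unit those fields use would spare the next reader a lookup.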
diff --git a/rules_building_block/initial_access_execution_from_removable_media.toml b/rules_building_block/initial_access_execution_from_removable_media.toml
new file mode 100644
index 000000000..c24c3e353
--- /dev/null
+++ b/rules_building_block/initial_access_execution_from_removable_media.toml
@@ -0,0 +1,51 @@
+[metadata]
+creation_date = "2023/09/27"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/27"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies process execution from a removable media and by an unusual process. Adversaries may move onto systems,
+possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of
+Autorun features when the media is inserted into a system and executes.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Execution from a Removable Media with Network Connection"
+risk_score = 21
+rule_id = "1542fa53-955e-4330-8e4d-b2d812adeb5f"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Rule Type: BBR", "Data Source: Elastic Defend"]
+building_block_type = "default"
+type = "eql"
+
+query = '''
+sequence by process.entity_id with maxspan=5m
+ [process where host.os.type == "windows" and event.action == "start" and
+
+  /* Direct Exec from USB */
+  (process.Ext.device.bus_type : "usb" or process.Ext.device.product_id : "USB *") and
+  (process.code_signature.trusted == false or process.code_signature.exists == false) and
+
+  not process.code_signature.status : ("errorExpired", "errorCode_endpoint*")]
+ [network where host.os.type == "windows" and event.action == "connection_attempted"]
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1091"
+name = "Replication Through Removable Media"
+reference = "https://attack.mitre.org/techniques/T1091/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
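Review bot: The `description` does not mention the network-connection condition that the rule name and the second sequence stage (`[network where ... event.action == "connection_attempted"]`, joined on `process.entity_id` within `maxspan=5m`) impose, so an analyst reading the alert text would expect a plain execution-from-USB rule and not understand why quiet executions are absent. Suggest appending to the description: `The rule also requires a network connection attempt from the same process within five minutes of its start.` The description could likewise say that only untrusted or unsigned binaries are considered, which is what the `process.code_signature` clause enforces.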
diff --git a/rules_building_block/initial_access_execution_remote_via_msiexec.toml b/rules_building_block/initial_access_execution_remote_via_msiexec.toml
new file mode 100644
index 000000000..b923ea62e
--- /dev/null
+++ b/rules_building_block/initial_access_execution_remote_via_msiexec.toml
@@ -0,0 +1,94 @@
+[metadata]
+creation_date = "2023/09/28"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/28"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of the built-in Windows Installer, msiexec.exe, to install a remote package. Adversaries may abuse
+msiexec.exe to launch local or network accessible MSI files.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Remote File Execution via MSIEXEC"
+risk_score = 21
+rule_id = "3e441bdb-596c-44fd-8628-2cfdf4516ada"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
+building_block_type = "default"
+type = "eql"
+
+query = '''
+sequence with maxspan=1m
+ [process where host.os.type == "windows" and event.action == "start" and
+    process.name : "msiexec.exe" and process.args : "/V"] by process.entity_id
+ [network where host.os.type == "windows" and process.name : "msiexec.exe" and
+    event.action == "connection_attempted"] by process.entity_id
+ [process where host.os.type == "windows" and event.action == "start" and
+   process.parent.name : "msiexec.exe" and user.id : ("S-1-5-21-*", "S-1-5-12-1-*") and
+   not process.executable : ("?:\\Windows\\SysWOW64\\msiexec.exe",
+                          "?:\\Windows\\System32\\msiexec.exe",
+                          "?:\\Windows\\System32\\srtasks.exe",
+                          "?:\\Windows\\SysWOW64\\srtasks.exe",
+                          "?:\\Windows\\System32\\taskkill.exe",
+                          "?:\\Windows\\Installer\\MSI*.tmp",
+                          "?:\\Program Files\\*.exe",
+                          "?:\\Program Files (x86)\\*.exe",
+                          "?:\\Windows\\System32\\ie4uinit.exe",
+                          "?:\\Windows\\SysWOW64\\ie4uinit.exe",
+                          "?:\\Windows\\System32\\sc.exe",
+                          "?:\\Windows\\system32\\Wbem\\mofcomp.exe",
+                          "?:\\Windows\\twain_32\\fjscan32\\SOP\\crtdmprc.exe",
+                          "?:\\Windows\\SysWOW64\\taskkill.exe",
+                          "?:\\Windows\\SysWOW64\\schtasks.exe",
+                          "?:\\Windows\\system32\\schtasks.exe",
+                          "?:\\Windows\\System32\\sdbinst.exe") and
+   not (process.code_signature.subject_name == "Citrix Systems, Inc." and process.code_signature.trusted == true) and
+   not (process.name : ("regsvr32.exe", "powershell.exe", "rundll32.exe", "wscript.exe") and
+        process.Ext.token.integrity_level_name == "high" and
+        process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")) and
+   not (process.executable : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe") and process.code_signature.trusted == true) and
+   not (process.name : "rundll32.exe" and process.args : "printui.dll,PrintUIEntry")
+ ] by process.parent.entity_id
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.002"
+name = "Spearphishing Link"
+reference = "https://attack.mitre.org/techniques/T1566/002/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+[[rule.threat.technique.subtechnique]]
+id = "T1218.007"
+name = "Msiexec"
+reference = "https://attack.mitre.org/techniques/T1218/007/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules_building_block/initial_access_xsl_script_execution_via_com.toml b/rules_building_block/initial_access_xsl_script_execution_via_com.toml
new file mode 100644
index 000000000..f0892a1b1
--- /dev/null
+++ b/rules_building_block/initial_access_xsl_script_execution_via_com.toml
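Review bot: In the third sequence stage the unconditional `not process.executable : (...)` list already contains `"?:\\Program Files\\*.exe"` and `"?:\\Program Files (x86)\\*.exe"`, so the later clause `not (process.executable : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe") and process.code_signature.trusted == true)` can never change the outcome and is dead. The two clauses express different intents: the first silently drops every child spawned from Program Files, signed or not, while the second only drops trusted-signed ones, which is the narrower and more defensible exclusion for a rule whose premise is an installer-dropped payload. If the narrower behaviour is what was meant, remove the two `Program Files` entries from the executable list and keep the signature-conditioned clause; if the broad exclusion is deliberate, delete the dead clause and note the trade-off in a `/* ... */` comment so it is not re-added later. Either way, a short comment above the exclusion list explaining why `user.id : ("S-1-5-21-*", "S-1-5-12-1-*")` is required would help maintainers, since the prefixes are not self-explanatory.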
@@ -0,0 +1,72 @@
+[metadata]
+creation_date = "2023/09/27"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/27"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes.
+This behavior may indicate adversarial activity to execute malicious JScript or VBScript on the system.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Remote XSL Script Execution via COM"
+risk_score = 21
+rule_id = "48f657ee-de4f-477c-aa99-ed88ee7af97a"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
+building_block_type = "default"
+type = "eql"
+
+query = '''
+sequence with maxspan=1m
+ [library where host.os.type == "windows" and dll.name : "msxml3.dll" and
+    process.name : ("winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe")] by process.entity_id
+ [process where host.os.type == "windows" and event.action == "start" and
+   process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe") and
+   not process.executable :
+      ("?:\\Windows\\System32\\WerFault.exe",
+       "?:\\Windows\\SysWoW64\\WerFault.exe",
+       "?:\\windows\\splwow64.exe",
+       "?:\\Windows\\System32\\conhost.exe",
+       "?:\\Program Files\\*.exe",
+       "?:\\Program Files (x86)\\*exe")] by process.parent.entity_id
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.002"
+name = "Spearphishing Link"
+reference = "https://attack.mitre.org/techniques/T1566/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1220"
+name = "XSL Script Processing"
+reference = "https://attack.mitre.org/techniques/T1220/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
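Review bot: The last entry of the `not process.executable` list, `"?:\\Program Files (x86)\\*exe"`, is missing the dot that its sibling `"?:\\Program Files\\*.exe"` has; as written the wildcard also matches any path under Program Files (x86) that merely ends in `exe`, and the asymmetry reads as a typo rather than intent. Suggest `"?:\\Program Files (x86)\\*.exe")] by process.parent.entity_id`. Separately, the first stage filters `library` events with no `event.action` predicate, whereas the invalid-codesign rule in this same commit constrains them with `event.action == "load"`; if the endpoint integration emits only load actions on library events this is harmless, but aligning the two keeps the rules consistent and guards against other library actions being added later.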