From 8f78afb8e5fe2dca26af06ec894eb49cf2a1429b Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 14 Apr 2021 23:54:39 +0200
Subject: [PATCH] [Rule Tuning] Windows Suspicious Script Object Execution (#1081)

* [Rule Tuning] Windows Suspicious Script Object Execution
* renamed rule in version.lock.json
* adjusted codesig check
* added 1 exclusion
* update date
* added cmd to exclusion as per EG telem
* removed changes to version.lock.json
* restored comment for code sig to support winlogbeat
* Revert "removed changes to version.lock.json"
This reverts commit 62794be02486b668ae5f25e5613f18b292342377.
* restored rule name in version.lock
* fixed typo
* removed winlogbeat index
* Update rules/windows/defense_evasion_suspicious_scrobj_load.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/defense_evasion_suspicious_scrobj_load.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
---
 ...efense_evasion_suspicious_scrobj_load.toml | 50 +++++++++++--------
 1 file changed, 30 insertions(+), 20 deletions(-)

diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
index 7cd238793..03793dd86 100644
--- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml
+++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/04/06"
 
 [rule]
 author = ["Elastic"]
@@ -10,41 +10,51 @@ Identifies scrobj.dll loaded into unusual Microsoft processes. This usually mean
 executed in the target process.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Windows Suspicious Script Object Execution"
-risk_score = 21
+name = "Suspicious Script Object Execution"
+risk_score = 47
 rule_id = "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "eql"
 
 query = '''
-/* add winlogbeat-* when process.code_signature.* fields are populated */
-
-sequence by process.entity_id with maxspan = 2m
-  [process where event.type in ("start", "process_started") and
-   /* uncomment once in winlogbeat */
-   /* process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted : true and */
-   not process.name : (
-     "cscript.exe",
-     "iexplore.exe",
-     "MicrosoftEdge.exe",
-     "msiexec.exe",
-     "smartscreen.exe",
-     "taskhostw.exe",
-     "w3wp.exe",
-     "wscript.exe")]
+sequence by process.entity_id with maxspan=2m
+  [process where event.type == "start"
+   and (process.code_signature.subject_name in ("Microsoft Corporation", "Microsoft Windows") and
+        process.code_signature.trusted == true) and
+   not process.executable : (
+     "?:\\Windows\\System32\\cscript.exe",
+     "?:\\Windows\\SysWOW64\\cscript.exe",
+     "?:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
+     "?:\\Program Files\\Internet Explorer\\iexplore.exe",
+     "?:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_*\\MicrosoftEdge.exe",
+     "?:\\Windows\\system32\\msiexec.exe",
+     "?:\\Windows\\SysWOW64\\msiexec.exe",
+     "?:\\Windows\\System32\\smartscreen.exe",
+     "?:\\Windows\\system32\\taskhostw.exe",
+     "?:\\windows\\system32\\inetsrv\\w3wp.exe",
+     "?:\\windows\\SysWOW64\\inetsrv\\w3wp.exe",
+     "?:\\Windows\\system32\\wscript.exe",
+     "?:\\Windows\\SysWOW64\\wscript.exe",
+     "?:\\Windows\\system32\\mobsync.exe",
+     "?:\\Windows\\SysWOW64\\mobsync.exe",
+     "?:\\Windows\\System32\\cmd.exe",
+     "?:\\Windows\\SysWOW64\\cmd.exe")]
   [library where event.type == "start" and dll.name : "scrobj.dll"]
 '''
 
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1218"
+name = "Signed Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
 
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-