security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New] Windows Sandbox with Sensitive Configuration (#4606)

Browse Source 
https://blog-en.itochuci.co.jp/entry/2025/03/12/140000
This commit is contained in:
Samirbous
2025-05-06 11:28:39 +01:00
committed by GitHub
parent 04f15aa08c
commit 91acb4e9ce
1 changed files with 73 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/defense_evasion_run_virt_windowssandbox.toml
+73
View File
@@ -0,0 +1,73 @@
[metadata]
creation_date = "2025/04/14"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/04/14"
[rule]
author = ["Elastic"]
description = """
Identifies Windows sanfbox processes indicating the start of a new container with sensitive configurations like write
access to the host file system, network connection and automatic execution via logon command. Malware may abuse the
sandbox feature to evade detection.
"""
from = "now-9m"
index = [
"logs-endpoint.events.process-*",
"winlogbeat-*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "Windows Sandbox with Sensitive Configuration"
references = ["https://blog-en.itochuci.co.jp/entry/2025/03/12/140000"]
risk_score = 47
rule_id = "56d9cf6c-46ea-4019-9c7f-b1fdb855fee3"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
"Data Source: Crowdstrike"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
process.name : ("wsb.exe", "WindowsSandboxClient.exe") and
process.command_line : ("*<Networking>Enable</Networking>*",
"*<HostFolder>C:\\*<ReadOnly>false*",
"*<LogonCommand>*",
"*<NetworkingEnabled>true*")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"
[[rule.threat.technique.subtechnique]]
id = "T1564.006"
name = "Run Virtual Instance"
reference = "https://attack.mitre.org/techniques/T1564/006/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"