diff --git a/rules/windows/execution_windows_cmd_shell_susp_args.toml b/rules/windows/execution_windows_cmd_shell_susp_args.toml new file mode 100644 index 000000000..ab81b7fd3 --- /dev/null +++ b/rules/windows/execution_windows_cmd_shell_susp_args.toml @@ -0,0 +1,123 @@ +[metadata] +creation_date = "2024/09/06" +integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"] +maturity = "production" +updated_date = "2024/09/06" + +[rule] +author = ["Elastic"] +description = """ +Identifies the execution of the Windows Command Shell process (cmd.exe) with suspicious argument values. This behavior is +often observed during malware installation. +""" +from = "now-9m" +index = [ + "winlogbeat-*", + "logs-windows.*", + "logs-system.security*", + "logs-windows.sysmon_operational-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-m365_defender.event-*" +] +language = "eql" +license = "Elastic License v2" +name = "Suspicious Windows Command Shell Arguments" +risk_score = 73 +rule_id = "d9ffc3d6-9de9-4b29-9395-5757d0695ecf" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: System", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint" +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + process.name : "cmd.exe" and + ( + + process.command_line : ("*).Run(*", "*GetObject*", "* curl*regsvr32*", "*echo*wscript*", "*echo*ZONE.identifier*", + "*ActiveXObject*", "*dir /s /b *echo*", "*unescape(*", "*findstr*TVNDRgAAAA*", "*findstr*passw*", "*start*\\\\*\\DavWWWRoot\\*", + "* explorer*%CD%*", "*%cd%\\*.js*", "*attrib*%CD%*", "*/?cMD<*", "*/AutoIt3ExecuteScript*..*", "*&cls&cls&cls&cls&cls&*", + "*&#*;&#*;&#*;&#*;*", "* &&s^eT*", "*& ChrW(*", "*&explorer /root*", "*start __ & __\\*", "*findstr /V /L *forfiles*", + "*=wscri& set *", "*http*!COmpUternaME!*", "*start *.pdf * start /min cmd.exe /c *\\\\*", "*pip install*System.Net.WebClient*", + "*Invoke-WebReques*Start-Process*", "*-command (Invoke-webrequest*", "*copy /b *\\\\* ping *-n*", "*echo*.ToCharArray*") or + + (process.args : "echo" and process.parent.name : ("wscript.exe", "mshta.exe")) or + + process.args : ("1>?:\\*.vbs", "1>?:\\*.js") or + + (process.args : "explorer.exe" and process.args : "type" and process.args : ">" and process.args : "start") or + + (process.parent.name : "explorer.exe" and + process.command_line : + ("*&&S^eT *", + "*&& set *&& set *&& set *&& set *&& set *&& call*", + "**\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??*")) or + + (process.parent.name : "explorer.exe" and process.args : "copy" and process.args : "&&" and process.args : "\\\\*@*\\*") + ) and + + /* false positives */ + not (process.args : "%TEMP%\\Spiceworks\\*" and process.parent.name : "wmiprvse.exe") and + not process.parent.executable : + ("?:\\Perl64\\bin\\perl.exe", + "?:\\Program Files\\nodejs\\node.exe", + "?:\\Program Files\\HP\\RS\\pgsql\\bin\\pg_dumpall.exe", + "?:\\Program Files (x86)\\PRTG Network Monitor\\64 bit\\PRTG Server.exe", + "?:\\Program Files (x86)\\Spiceworks\\bin\\spiceworks-finder.exe", + "?:\\Program Files (x86)\\Zuercher Suite\\production\\leds\\leds.exe", + "?:\\Program Files\\Tripwire\\Agent\\Plugins\\twexec\\twexec.exe", + "D:\\Agents\\?\\_work\\_tasks\\*\\SonarScanner.MSBuild.exe", + "?:\\Program Files\\Microsoft VS Code\\Code.exe", + "?:\\programmiweb\\NetBeans-*\\netbeans\\bin\\netbeans64.exe", + "?:\\Program Files (x86)\\Public Safety Suite Professional\\production\\leds\\leds.exe", + "?:\\Program Files (x86)\\Tier2Tickets\\button_gui.exe", + "?:\\Program Files\\NetBeans-*\\netbeans\\bin\\netbeans*.exe", + "?:\\Program Files (x86)\\Public Safety Suite Professional\\production\\leds\\leds.exe", + "?:\\Program Files (x86)\\Tier2Tickets\\button_gui.exe", + "?:\\Program Files (x86)\\Helpdesk Button\\button_gui.exe", + "?:\\VTSPortable\\VTS\\jre\\bin\\javaw.exe", + "?:\\Program Files\\Bot Framework Composer\\Bot Framework Composer.exe", + "?:\\Program Files\\KMSYS Worldwide\\eQuate\\*\\SessionMgr.exe", + "?:\\Program Files (x86)\\Craneware\\Pricing Analyzer\\Craneware.Pricing.Shell.exe", + "?:\\Program Files (x86)\\jumpcloud-agent-app\\jumpcloud-agent-app.exe", + "?:\\Program Files\\PostgreSQL\\*\\bin\\pg_dumpall.exe", + "?:\\Program Files (x86)\\Vim\\vim*\\vimrun.exe") and + not (process.args : "?:\\Program Files\\Citrix\\Secure Access Client\\nsauto.exe" and process.parent.name : "userinit.exe") and + not process.args : + ("?:\\Program Files (x86)\\PCMatic\\PCPitstopScheduleService.exe", + "?:\\Program Files (x86)\\AllesTechnologyAgent\\*", + "https://auth.axis.com/oauth2/oauth-authorize*") and + not process.command_line : + ("\"cmd\" /c %NETBEANS_MAVEN_COMMAND_LINE%", + "?:\\Windows\\system32\\cmd.exe /q /d /s /c \"npm.cmd ^\"install^\" ^\"--no-bin-links^\" ^\"--production^\"\"") and + not (process.name : "cmd.exe" and process.args : "%TEMP%\\Spiceworks\\*" and process.args : "http*/dataloader/persist_netstat_data") and + not (process.args == "echo" and process.args == "GEQ" and process.args == "1073741824") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/execution_windows_powershell_susp_args.toml b/rules/windows/execution_windows_powershell_susp_args.toml new file mode 100644 index 000000000..1c7bc8f80 --- /dev/null +++ b/rules/windows/execution_windows_powershell_susp_args.toml @@ -0,0 +1,123 @@ +[metadata] +creation_date = "2024/09/06" +integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"] +maturity = "production" +updated_date = "2024/09/06" + +[rule] +author = ["Elastic"] +description = """ +Identifies the execution of PowerShell with suspicious argument values. This behavior is often observed during malware +installation leveraging PowerShell. +""" +from = "now-9m" +index = [ + "winlogbeat-*", + "logs-windows.*", + "logs-system.security*", + "logs-windows.sysmon_operational-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-m365_defender.event-*" +] +language = "eql" +license = "Elastic License v2" +name = "Suspicious Windows Powershell Arguments" +risk_score = 73 +rule_id = "83bf249e-4348-47ba-9741-1202a09556ad" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: System", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint" +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + process.name : "powershell.exe" and + ( + process.command_line : + ( + "*^*^*^*^*^*^*^*^*^*", + "*`*`*`*`*", + "*+*+*+*+*+*+*", + "*[char[]](*)*-join*", + "*Base64String*", + "*[*Convert]*", + "*.Compression.*", + "*-join($*", + "*.replace*", + "*MemoryStream*", + "*WriteAllBytes*", + "* -enc *", + "* -ec *", + "* /e *", + "* /enc *", + "* /ec *", + "*WebClient*", + "*DownloadFile*", + "*DownloadString*", + "* iex*", + "* iwr*", + "*Reflection.Assembly*", + "*Assembly.GetType*", + "*$env:temp\\*start*", + "*powercat*", + "*nslookup -q=txt*", + "*$host.UI.PromptForCredential*", + "*Net.Sockets.TCPClient*", + "*curl *;Start*", + "powershell.exe \"<#*", + "*ssh -p *", + "*http*|iex*", + "*@SSL\\DavWWWRoot\\*.ps1*", + "*.lnk*.Seek(0x*", + "*[string]::join(*", + "*[Array]::Reverse($*", + "* hidden $(gc *", + "*=wscri& set*", + "*http'+'s://*", + "*.content|i''Ex*", + "*//:sptth*", + "*//:ptth*", + "*$*=Get-Content*AppData*.SubString(*$*", + "*=cat *AppData*.substring(*);*$*" + ) or + + (process.args : "-c" and process.args : "&{'*") or + + (process.args : "-Outfile" and process.args : "Start*") or + + (process.args : "-bxor" and process.args : "0x*") or + + process.args : "$*$*;set-alias" or + + (process.parent.name : ("explorer.exe", "cmd.exe") and + process.command_line : ("*-encodedCommand*", "*Invoke-webrequest*", "*WebClient*", "*Reflection.Assembly*")) + ) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/"