security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Suspicious Endpoint Security Parent Process (#509)

Browse Source 
* [Rule Tuning] added FPs and converted to EQL for more flexibilty

* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* adjusted process names in scope to security agents

* eql syntax

* ecs_version

* adjusted format

* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
This commit is contained in:
Samirbous
2020-12-08 22:34:28 +01:00
committed by GitHub
parent 538aa80bba
commit 94e8fa80bb
1 changed files with 11 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+11 -7
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/24"
maturity = "production"
updated_date = "2020/11/03"
updated_date = "2020/11/09"
[rule]
author = ["Elastic"]
@@ -11,19 +11,24 @@ injection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
language = "eql"
license = "Elastic License"
name = "Suspicious Endpoint Security Parent Process"
risk_score = 47
rule_id = "b41a13c6-ba45-4bab-a534-df53d0cfed6a"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
type = "query"
type = "eql"
query = '''
event.category:process and event.type:(start or process_started) and
process.name:(esensor.exe or "elastic-endpoint.exe" or "elastic-agent.exe") and
not process.parent.executable:"C:\Windows\System32\services.exe"
process where event.type in ("start", "process_started", "info") and
process.name : ("esensor.exe", "elastic-endpoint.exe") and
process.parent.executable != null and
/* add FPs here */
not process.parent.executable : ("C:\\Program Files\\Elastic\\*",
"C:\\Windows\\System32\\services.exe",
"C:\\Windows\\System32\\WerFault*.exe",
"C:\\Windows\\System32\\wermgr.exe")
'''
@@ -39,4 +44,3 @@ reference = "https://attack.mitre.org/techniques/T1036/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"