From 9d884b6452f042bce0da96e7be2e0fb6289ceff5 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Tue, 22 Sep 2020 22:39:35 +0200
Subject: [PATCH] [New Rule] Potential DLL SideLoading via Trusted Microsoft Programs (#253)
* [New Rule] Potential DLL SideLoading via Trusted Microsoft Programs
* Update rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
Co-authored-by: Justin Ibarra
* Update defense_evasion_execution_suspicious_explorer_winword.toml
* Update defense_evasion_execution_suspicious_explorer_winword.toml
* Added 2 more known vulnerable programs Dism.exe and w3wp.exe
* Update defense_evasion_execution_suspicious_explorer_winword.toml
* linted
* Update rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
---
 ...execution_suspicious_explorer_winword.toml | 47 +++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
new file mode 100644
index 000000000..9c4178b3b
--- /dev/null
+++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
@@ -0,0 +1,47 @@
+[metadata]
+creation_date = "2020/09/03"
+ecs_version = ["1.6.0"]
+maturity = "production"
+updated_date = "2020/09/03"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting
+after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses
+via side loading a malicious DLL within the memory space of one of those processes.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
+language = "kuery"
+license = "Elastic License"
+name = "Potential DLL SideLoading via Trusted Microsoft Programs"
+risk_score = 73
+rule_id = "1160dcdb-0a0a-4a79-91d8-9b84616edebd"
+severity = "high"
+tags = ["Elastic", "Windows"]
+type = "query"
+
+query = '''
+event.category:process and event.type:(start or process_started) and
+ process.pe.original_file_name:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE) and
+ not (process.name:(winword.exe or WINWORD.EXE or explorer.exe or w3wp.exe or Dism.exe) or
+ process.executable:("C:\Windows\explorer.exe" or C\:\\Program?Files\\Microsoft?Office\\root\\Office*\\WINWORD.EXE or
+ C\:\\Program?Files?\(x86\)\\Microsoft?Office\\root\\Office*\\WINWORD.EXE or
+ "C:\Windows\System32\Dism.exe" or "C:\Windows\SysWOW64\Dism.exe" or
+ "C:\Windows\System32\inetsrv\w3wp.exe"))
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
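Review bot: The exclusion on the `not (process.name:(...) or process.executable:(...))` line suppresses any event whose process name is unchanged regardless of where it runs from, so a copy of winword.exe or Dism.exe dropped into a user-writable folder next to a planted DLL — the usual side-loading setup — never fires, while the description promises detection "from a non-standard path". If that coverage is intended, the name clause should go and the path allow-list alone should decide, `not process.executable:("C:\Windows\explorer.exe" or ...)`, with the allow-list first extended to the other legitimate locations (for example `C:\Windows\SysWOW64\explorer.exe` and Office installs without the `root\` segment) that would otherwise become false positives; if only renamed binaries are meant, the description should say so instead. Separately, process.name and process.executable are presumably keyword fields here and so matched case-sensitively, and the lowercase-only `explorer.exe` and `w3wp.exe` entries will not cover sources that report `Explorer.EXE`; the query already lists both `winword.exe` and `WINWORD.EXE`, so the other names need the same treatment or a case-normalised field.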