[Rule Tuning] Convert unusual extension rule to regex (#1368)

* Convert unusual extension rule to regex * Update defense_evasion_file_creation_mult_extension.toml * Fix date * Fix extension
2021-07-21 11:49:32 -06:00
parent 9b559d0cd9
commit 9f3d5328f4
1 changed files with 4 additions and 30 deletions
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/07/20"
+min_stack_version = "7.12.0"

 [rule]
 author = ["Elastic"]
@@ -23,34 +24,8 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-file where event.type == "creation" and file.extension:"exe" and
-  file.name:
-  (
-    "*.vbs.exe",
-    "*.vbe.exe",
-    "*.bat.exe",
-    "*.js.exe",
-    "*.cmd.exe",
-    "*.wsh.exe",
-    "*.ps1.exe",
-    "*.pdf.exe",
-    "*.docx.exe",
-    "*.doc.exe",
-    "*.xlsx.exe",
-    "*.xls.exe",
-    "*.pptx.exe",
-    "*.ppt.exe",
-    "*.txt.exe",
-    "*.rtf.exe",
-    "*.gif.exe",
-    "*.jpg.exe",
-    "*.png.exe",
-    "*.bmp.exe",
-    "*.hta.exe",
-    "*.txt.exe",
-    "*.img.exe",
-    "*.iso.exe"
-  )
+file where event.type == "creation" and file.extension : "exe" and
+  file.name regex~ """.*\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\.exe"""
 '''


@@ -71,4 +46,3 @@ reference = "https://attack.mitre.org/techniques/T1036/004/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-