From ae13adf0a9a72385d4cf4282a548f61aeb0045a7 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Tue, 22 Sep 2020 14:27:03 +0200 Subject: [PATCH] [New Rule] Suspicious managed code hosting process (#204) * [New Rule] Suspicious managed code hosting process * Update defense_evasion_suspicious_managedcode_host_process.toml * Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml Co-authored-by: Justin Ibarra * Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml Co-authored-by: Justin Ibarra * Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml Co-authored-by: Justin Ibarra * Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml Co-authored-by: Justin Ibarra * Update defense_evasion_suspicious_managedcode_host_process.toml * Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> --- ...n_suspicious_managedcode_host_process.toml | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 rules/windows/defense_evasion_suspicious_managedcode_host_process.toml diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml new file mode 100644 index 000000000..b9481fb1a --- /dev/null +++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml @@ -0,0 +1,41 @@ +[metadata] +creation_date = "2020/08/21" +ecs_version = ["1.6.0"] +maturity = "production" +updated_date = "2020/08/21" + +[rule] +author = ["Elastic"] +description = """ +Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code +execution. +""" +index = ["winlogbeat-*", "logs-endpoint.events.*"] +language = "kuery" +license = "Elastic License" +name = "Suspicious Managed Code Hosting Process" +references = ["https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html"] +risk_score = 73 +rule_id = "acf738b5-b5b2-4acc-bad9-1e18ee234f40" +severity = "high" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.category:file and not event.type:deletion and + file.name:(wscript.exe.log or mshta.exe.log or wscript.exe.log or wmic.exe.log or svchost.exe.log or dllhost.exe.log or cmstp.exe.log or regsvr32.exe.log) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1093" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/"