diff --git a/rules/windows/defense_evasion_rundll32_sequence.toml b/rules/windows/defense_evasion_rundll32_sequence.toml
deleted file mode 100644
index faa014b5a..000000000
--- a/rules/windows/defense_evasion_rundll32_sequence.toml
+++ /dev/null
@@ -1,49 +0,0 @@
-[metadata]
-creation_date = "2020/09/02"
-maturity = "development"
-updated_date = "2020/11/03"
-
-[rule]
-author = ["Elastic"]
-description = """
-Identifies unusual instances of Rundll32.exe making outbound network connections. This may indicate adversarial activity
-and may identify malicious DLLs.
-"""
-from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
-language = "eql"
-license = "Elastic License"
-name = "Unusual Network Connection Sequence via RunDLL32"
-risk_score = 21
-rule_id = "2b347f66-6739-4ae3-bd94-195036dde8b3"
-severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
-type = "eql"
-
-query = '''
-/* duplicate of Unusual Network Connection via RunDLL32 - 52aaab7b-b51c-441a-89ce-4387b3aea886 */
-
-sequence by process.entity_id with maxspan=2h
- [process where event.type in ("start", "process_started") and
- /* uncomment once in winlogbeat */
- (process.name : "rundll32.exe" /* or process.pe.original_file_name == "RUNDLL32.EXE" */ ) and
- process.args_count < 2]
- [network where
- /* uncomment once in winlogbeat */
- (process.name : "rundll32.exe" /* or process.pe.original_file_name == "RUNDLL32.EXE" */ )]
-'''
-
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1085"
-name = "Rundll32"
-reference = "https://attack.mitre.org/techniques/T1085/"
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/execution_unusual_network_connection_via_rundll32.toml b/rules/windows/execution_unusual_network_connection_via_rundll32.toml
index f5bc2f253..4180a568f 100644
--- a/rules/windows/execution_unusual_network_connection_via_rundll32.toml
+++ b/rules/windows/execution_unusual_network_connection_via_rundll32.toml
@@ -1,30 +1,30 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/12/07"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial activity
-and may identify malicious DLLs.
+Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial Command
+and Control activity.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License"
 name = "Unusual Network Connection via RunDLL32"
-risk_score = 21
+risk_score = 47
 rule_id = "52aaab7b-b51c-441a-89ce-4387b3aea886"
-severity = "low"
+severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "eql"
 
 query = '''
-sequence by process.entity_id
- [process where process.name : "rundll32.exe" and event.type == "start"]
- [network where process.name : "rundll32.exe" and
- not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
+sequence by host.id, process.entity_id with maxspan=1m
+ [process where event.type in ("start", "process_started", "info") and process.name : "rundll32.exe" and process.args_count == 1]
+ [network where process.name : "rundll32.exe" and network.protocol != "dns" and network.direction == "outgoing" and
+ not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
 '''
 
 
@@ -40,4 +40,3 @@ reference = "https://attack.mitre.org/techniques/T1085/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
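Review bot: The new second stage of the sequence filters on `network.direction == "outgoing"`, an exact match on the value Elastic Endpoint emits, while the rule's `index` (context line just above) still includes `winlogbeat-*`; Winlogbeat's Sysmon network events carry an ECS-style direction value (`egress` in recent versions) rather than `outgoing`, so on that data source the second stage would presumably never match and the rule would go quiet without any error. Accepting both spellings keeps the filter tight while restoring coverage: `[network where process.name : "rundll32.exe" and network.protocol != "dns" and network.direction : ("outgoing", "egress") and`. The first stage's `event.type in ("start", "process_started", "info")` deserves a comment inside `query` too, since `info` appears to be the type Endpoint assigns to its enumeration of already-running processes, which means a sequence can be seeded by a snapshot rather than an observed start, and `process.args_count == 1` (an argument-less rundll32.exe, a common injection host) is the actual signal a maintainer needs explained. The `[rule.threat]` block below this hunk still maps to T1085 (visible in the second hunk's header), which ATT&CK deprecated in favor of T1218.011; worth refreshing alongside the severity bump.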