From c89b722a34bf59f4a91edeef99fc3e83c8307b05 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Thu, 31 Aug 2023 07:33:16 -0300
Subject: [PATCH] [New Rule] Suspicious Communication App Child Process (#2998)

* [New Rule] Suspicious Communication App Child Process
* Update defense_evasion_communication_apps_suspicious_child_process.toml
* Update rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
---
 ...ication_apps_suspicious_child_process.toml | 231 ++++++++++++++++++
 1 file changed, 231 insertions(+)
 create mode 100644 rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml

diff --git a/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml b/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml
new file mode 100644
index 000000000..bc2845463
--- /dev/null
+++ b/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml
@@ -0,0 +1,231 @@
+[metadata]
+creation_date = "2023/08/04"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/04"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies suspicious child processes of communications apps, which can indicate a potential masquerading as the
+communication app or the exploitation of a vulnerability on the application causing it to execute code.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious Communication App Child Process"
+risk_score = 21
+rule_id = "adbfa3ee-777e-4747-b6b0-7bd645f30880"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ (
+ /* Slack */
+ (process.parent.name : "slack.exe" and not
+ (
+ (
+ process.executable : (
+ "?:\\Program Files\\*",
+ "?:\\Program Files (x86)\\*",
+ "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
+ "?:\\Users\\*\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe",
+ "?:\\Windows\\System32\\rundll32.exe",
+ "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
+ "?:\\Windows\\System32\\notepad.exe",
+ "?:\\Windows\\System32\\WerFault.exe"
+ ) and process.code_signature.trusted == true
+ ) or
+ (
+ process.code_signature.subject_name : (
+ "Slack Technologies, Inc.",
+ "Slack Technologies, LLC"
+ ) and process.code_signature.trusted == true
+ ) or
+ (
+ (process.name : "powershell.exe" and process.command_line : "powershell.exe -c Invoke-WebRequest -Uri https://slackb.com/*") or
+ (process.name : "cmd.exe" and process.command_line : "C:\\WINDOWS\\system32\\cmd.exe /d /s /c \"%windir%\\System32\\rundll32.exe User32.dll,SetFocus 0\"")
+ )
+ )
+ ) or
+
+ /* WebEx */
+ (process.parent.name : ("CiscoCollabHost.exe", "WebexHost.exe") and not
+ (
+ (
+ process.executable : (
+ "?:\\Program Files\\*",
+ "?:\\Program Files (x86)\\*",
+ "?:\\Windows\\System32\\WerFault.exe"
+ ) and process.code_signature.trusted == true
+ ) or
+ (
+ process.code_signature.subject_name : (
+ "Cisco Systems, Inc.",
+ "Cisco WebEx LLC",
+ "Cisco Systems Inc."
+ ) and process.code_signature.trusted == true
+ )
+ )
+ ) or
+
+ /* Teams */
+ (process.parent.name : "Teams.exe" and not
+ (
+ (
+ process.executable : (
+ "?:\\Program Files\\*",
+ "?:\\Program Files (x86)\\*",
+ "?:\\Windows\\System32\\WerFault.exe"
+ ) and process.code_signature.trusted == true
+ ) or
+ (
+ process.code_signature.subject_name : (
+ "Microsoft Corporation",
+ "Microsoft 3rd Party Application Component"
+ ) and process.code_signature.trusted == true
+ ) or
+ (
+ (process.name : "taskkill.exe" and process.args : "Teams.exe")
+ )
+ )
+ ) or
+
+ /* Discord */
+ (process.parent.name : "Discord.exe" and not
+ (
+ (
+ process.executable : (
+ "?:\\Program Files\\*",
+ "?:\\Program Files (x86)\\*",
+ "?:\\Windows\\System32\\reg.exe",
+ "?:\\Windows\\SysWOW64\\reg.exe",
+ "?:\\Windows\\System32\\WerFault.exe"
+ ) and process.code_signature.trusted == true
+ ) or
+ (
+ process.code_signature.subject_name : (
+ "Discord Inc."
+ ) and process.code_signature.trusted == true
+ ) or
+ (
+ process.name : "cmd.exe" and process.command_line : (
+ "C:\\WINDOWS\\system32\\cmd.exe /d /s /c \"chcp\"",
+ "C:\\WINDOWS\\system32\\cmd.exe /q /d /s /c \"C:\\Program^ Files\\NVIDIA^ Corporation\\NVSMI\\nvidia-smi.exe\""
+ )
+ )
+ )
+ ) or
+
+ /* WhatsApp */
+ (process.parent.name : "Whatsapp.exe" and not
+ (
+ (
+ process.executable : (
+ "?:\\Program Files\\*",
+ "?:\\Program Files (x86)\\*",
+ "?:\\Windows\\System32\\WerFault.exe",
+ "?:\\Windows\\System32\\reg.exe",
+ "?:\\Windows\\SysWOW64\\reg.exe"
+ ) and process.code_signature.trusted == true
+ ) or
+ (
+ process.code_signature.subject_name : (
+ "WhatsApp LLC",
+ "WhatsApp, Inc",
+ "24803D75-212C-471A-BC57-9EF86AB91435"
+ ) and process.code_signature.trusted == true
+ ) or
+ (
+ (process.name : "cmd.exe" and process.command_line : "C:\\Windows\\system32\\cmd.exe /d /s /c \"C:\\Windows\\system32\\wbem\\wmic.exe*")
+ )
+ )
+ ) or
+
+ /* Zoom */
+ (process.parent.name : "Zoom.exe" and not
+ (
+ (
+ process.executable : (
+ "?:\\Program Files\\*",
+ "?:\\Program Files (x86)\\*",
+ "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
+ "?:\\Windows\\System32\\WerFault.exe"
+ ) and process.code_signature.trusted == true
+ ) or
+ (
+ process.code_signature.subject_name : (
+ "Zoom Video Communications, Inc."
+ ) and process.code_signature.trusted == true
+ )
+ )
+ ) or
+
+ /* Outlook */
+ (process.parent.name : "outlook.exe" and not
+ (
+ (
+ process.executable : (
+ "?:\\Program Files\\*",
+ "?:\\Program Files (x86)\\*",
+ "?:\\Windows\\System32\\WerFault.exe",
+ "?:\\Users\\*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
+ "?:\\Users\\*\\AppData\\Local\\Temp\\NewOutlookInstall\\NewOutlookInstaller.exe",
+ "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
+ "?:\\Users\\*\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe",
+ "?:\\Windows\\System32\\IME\\SHARED\\IMEWDBLD.EXE",
+ "?:\\Windows\\System32\\spool\\drivers\\x64\\*",
+ "?:\\Windows\\System32\\prevhost.exe",
+ "?:\\Windows\\System32\\dwwin.exe",
+ "?:\\Windows\\System32\\notepad.exe",
+ "?:\\Windows\\explorer.exe"
+ ) and process.code_signature.trusted == true
+ )
+ )
+ ) or
+
+ /* Thunderbird */
+ (process.parent.name : "thunderbird.exe" and not
+ (
+ (
+ process.executable : (
+ "?:\\Program Files\\*",
+ "?:\\Program Files (x86)\\*",
+ "?:\\Windows\\System32\\WerFault.exe"
+ ) and process.code_signature.trusted == true
+ ) or
+ (
+ process.code_signature.subject_name : (
+ "Mozilla Corporation"
+ ) and process.code_signature.trusted == true
+ )
+ )
+ )
+ )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[[rule.threat.technique]]
+id = "T1055"
+name = "Process Injection"
+reference = "https://attack.mitre.org/techniques/T1055/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
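Review bot: The command-line exclusions in the Slack and WhatsApp branches end in a trailing wildcard and are not gated on a code signature, so a child whose command line merely starts with the expected prefix is excluded even if further commands are appended — `powershell.exe -c Invoke-WebRequest -Uri https://slackb.com/x; <payload>` still matches `https://slackb.com/*`, and `cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe ... & <payload>` still matches `wmic.exe*`. Since the rule exists to catch the case where the app was made to run attacker-chosen commands, these two clauses are the ones an attacker can most easily fit into. Consider appending a separator guard such as `and not process.command_line : ("*;*", "*&*", "*|*")` to each of those two clauses, or pinning the full legitimate command line if it is known. The `"?:\\Windows\\System32\\rundll32.exe"` executable exclusion in the Slack branch is similarly broad: it is signature-gated, but rundll32 is always Microsoft-signed, so any DLL export it is asked to run from slack.exe is excluded regardless of arguments; if the only legitimate case is the `User32.dll,SetFocus` call already seen in the cmd exclusion, constraining it on `process.args` would be tighter (presumed, not confirmed here).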