security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Suspicious Process Creation CallTrace (#1588)

Browse Source 
* [New Rule] Suspicious Process Creation CallTrace

* Update non-ecs-schema.json

* added min stack vers

* min_stack_vers not needed

* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
This commit is contained in:
Samirbous
2021-11-30 21:35:43 +01:00
committed by GitHub
parent d061bf8e7c
commit d43e3d8e4e
2 changed files with 52 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
etc/non-ecs-schema.json
+2
View File
@@ -11,6 +11,8 @@
"winlog.event_data.OriginalFileName": "keyword",
"winlog.event_data.GrantedAccess": "keyword",
"winlog.event_data.CallTrace": "keyword",
"powershell.file.script_block_text": "text",
"winlog.event_data.TargetProcessGUID": "keyword",
"powershell.file.script_block_text": "text",
"winlog.event_data.CallerProcessName": "keyword",
"winlog.event_data.TargetSid": "keyword",
rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
+50
View File
@@ -0,0 +1,50 @@
[metadata]
creation_date = "2021/10/24"
maturity = "production"
updated_date = "2021/10/24"
[rule]
author = ["Elastic"]
description = """
Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent
process. This may indicate a code injection or hollowing attempt.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Process Creation CallTrace"
risk_score = 43
rule_id = "3ed032b2-45d8-4406-bc79-7ad1eabb2c72"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
sequence by host.id with maxspan=1m
[process where event.code == "1" and
/* sysmon process creation */
process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "eqnedt32.exe",
"fltldr.exe", "mspub.exe", "msaccess.exe", "powershell.exe", "pwsh.exe",
"cscript.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
"wmic.exe", "cmstp.exe", "msxsl.exe")] by process.parent.entity_id, process.entity_id
[process where event.code == "10" and
/* Sysmon process access event from unknown module */
winlog.event_data.CallTrace : "*UNKNOWN*"] by process.entity_id, winlog.event_data.TargetProcessGUID
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
name = "Process Injection"
id = "T1055"
reference = "https://attack.mitre.org/techniques/T1055/"
[rule.threat.tactic]
name = "Defense Evasion"
id = "TA0005"
reference = "https://attack.mitre.org/tactics/TA0005/"