diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index 629766b6b..a3c1f9120 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -75,7 +75,8 @@
 "process.Ext.relative_file_name_modify_time": "double",
 "process.Ext.relative_file_creation_time": "double",
 "Target.process.name": "keyword",
- "process.Ext.api.name": "keyword"
+ "process.Ext.api.name": "keyword",
+ "process.name.caseless": "keyword"
 },
 "logs-windows.*": {
 "powershell.file.script_block_text": "text"
diff --git a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
new file mode 100644
index 000000000..8d6693544
--- /dev/null
+++ b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
@@ -0,0 +1,79 @@
+[metadata]
+creation_date = "2023/04/03"
+integration = ["windows", "endpoint"]
+maturity = "production"
+min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
+min_stack_version = "8.4.0"
+updated_date = "2023/05/02"
+
+[rule]
+author = ["Elastic"]
+description = """
+Adversaries may install legitimate remote access tools (RAT) to compromised endpoints for further command-and-control
+(C2). Adversaries can rely on installed RATs for persistence, execution of native commands and more. This rule detects
+when a process is started whose name or code signature resembles commonly abused RATs. This is a New Terms rule type
+indicating the host has not seen this RAT process started before within the last 30 days.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Time Seen Commonly Abused Remote Access Tool Execution"
+references = [
+ "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/",
+ "https://attack.mitre.org/techniques/T1219/",
+]
+risk_score = 47
+rule_id = "6e1a2cc4-d260-11ed-8829-f661ea17fbcc"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+host.os.type: "windows" and
+
+ event.category: "process" and event.type : "start" and
+
+ (
+ process.code_signature.subject_name : (
+ TeamViewer* or "NetSupport Ltd" or "GlavSoft" or "LogMeIn, Inc." or "Ammyy LLC" or
+ "Nanosystems S.r.l." or "Remote Utilities LLC" or "ShowMyPC" or "Splashtop Inc." or
+ "Yakhnovets Denis Aleksandrovich IP" or "Pro Softnet Corporation" or "BeamYourScreen GmbH" or
+ "RealVNC" or "uvnc" or "SAFIB") or
+
+ process.name.caseless : (
+ "teamviewer.exe" or "apc_Admin.exe" or "apc_host.exe" or "SupremoHelper.exe" or "rfusclient.exe" or
+ "spclink.exe" or "smpcview.exe" or "ROMServer.exe" or "strwinclt.exe" or "RPCSuite.exe" or "RemotePCDesktop.exe" or
+ "RemotePCService.exe" or "tvn.exe" or "LMIIgnition.exe" or "B4-Service.exe" or "Mikogo-Service.exe" or "AnyDesk.exe" or
+ "Splashtop-streamer.exe" or AA_v*.exe, or "rutserv.exe" or "rutview.exe" or "vncserver.exe" or "vncviewer.exe" or
+ "tvnserver.exe" or "tvnviewer.exe" or "winvnc.exe" or "RemoteDesktopManager.exe" or "LogMeIn.exe" or ScreenConnect*.exe or
+ "RemotePC.exe" or "r_server.exe" or "radmin.exe" or "ROMServer.exe" or "ROMViewer.exe" or "DWRCC.exe" or "AeroAdmin.exe" or
+ "ISLLightClient.exe" or "ISLLight.exe" or "AteraAgent.exe" or "SRService.exe")
+ ) and
+
+ not (process.pe.original_file_name : ("G2M.exe" or "Updater.exe" or "powershell.exe") and process.code_signature.subject_name : "LogMeIn, Inc.")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1219"
+name = "Remote Access Software"
+reference = "https://attack.mitre.org/techniques/T1219/"
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-15d"
+
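Review bot: The `process.name.caseless` list in `query` has a stray comma after `AA_v*.exe` (`... or AA_v*.exe, or "rutserv.exe" ...`); depending on how the KQL parser treats it, the rule either fails to load or that term becomes the literal `AA_v*.exe,` which no process name will ever equal, so the Ammyy Admin pattern is silently dead. The line should read `"Splashtop-streamer.exe" or AA_v*.exe or "rutserv.exe" or "rutview.exe" or "vncserver.exe" or "vncviewer.exe" or`. The description says the host has not seen the process "within the last 30 days", but `[[rule.new_terms.history_window_start]]` sets `value = "now-15d"`; one of the two should be corrected so the documented lookback matches what the rule evaluates. The schema hunk above adds `process.name.caseless` only next to the `process.Ext.*` keys, which appear to belong to the endpoint index pattern, so on `winlogbeat-*` and `logs-windows.*` data the name branch presumably never matches and only the code-signature branch applies — if that is intended, a comment above `index` saying so would save the next reader a round trip, and `"ROMServer.exe"` can be dropped from one of the two places it appears.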