From dc9c63d0432fe8d52017b769a49ef85a3d69b4bf Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Tue, 1 Dec 2020 20:30:03 +0100
Subject: [PATCH] [New Rule] Unusual Svchost ChildProc - ChildLess Services (#370)

* [New Rule] Unusual Svchost ChildProc - ChildLess Services
* changed tags
* changed rule filename
* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
Co-authored-by: Justin Ibarra
* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
Co-authored-by: Justin Ibarra
* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
---
 ...n_unusual_svchost_childproc_childless.toml | 67 +++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100644 rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml

diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
new file mode 100644
index 000000000..dd83c45f3
--- /dev/null
+++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
@@ -0,0 +1,67 @@
+[metadata]
+creation_date = "2020/10/13"
+ecs_version = ["1.6.0"]
+maturity = "production"
+updated_date = "2020/10/13"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate
+a code injection or an equivalent form of exploitation.
+"""
+false_positives = ["Changes to Windows services or a rarely executed child process."]
+from = "now-9m"
+index = ["logs-endpoint.events.*", "winlogbeat-*"]
+language = "eql"
+license = "Elastic License"
+name = "Unusual Service Host Child Process - Childless Service"
+risk_score = 47
+rule_id = "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+type = "eql"
+
+query = '''
+process where event.type in ("start", "process_started") and
+ process.parent.name : "svchost.exe" and
+
+ /* based on svchost service arguments -s svcname where the service is known to be childless */
+
+ process.parent.args : ("WdiSystemHost","LicenseManager",
+ "StorSvc","CDPSvc","cdbhsvc","BthAvctpSvc","SstpSvc","WdiServiceHost",
+ "imgsvc","TrkWks","WpnService","IKEEXT","PolicyAgent","CryptSvc",
+ "netprofm","ProfSvc","StateRepository","camsvc","LanmanWorkstation",
+ "NlaSvc","EventLog","hidserv","DisplayEnhancementService","ShellHWDetection",
+ "AppHostSvc","fhsvc","CscService","PushToInstall") and
+
+ /* unknown FPs can be added here */
+
+ not process.name : ("WerFault.exe","WerFaultSecure.exe","wermgr.exe")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1093"
+name = "Process Hollowing"
+reference = "https://attack.mitre.org/techniques/T1093/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1055"
+name = "Process Injection"
+reference = "https://attack.mitre.org/techniques/T1055/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
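Review bot: The `tags` array lists only "Defense Evasion" while the `[[rule.threat]]` entries (and the file name) also claim Privilege Escalation via TA0004, so the rule's tactic metadata disagrees with itself; `tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Privilege Escalation"]` would make the two agree. The first threat entry maps T1093 "Process Hollowing" under TA0004; if I recall correctly T1093 was retired in favour of the process-hollowing sub-technique of T1055, so that mapping is worth re-checking against the current ATT&CK release before merging. The `not process.name : (...)` exclusion at the end of the query keys on file name alone; pinning it to `process.executable` as well would keep the allow-list limited to the Windows Error Reporting binaries in their expected location. The comment above `process.parent.args` says the match is "based on svchost service arguments -s svcname", but the `:` operator over the args array matches any argument element equal to one of the listed names, not only the one following `-s`; a short comment stating that would save the next maintainer from assuming a positional check.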