Prep main for 9.1 (#4555)

* Prep for Release 9.1

* Update Patch Version

* Update Patch version

* Update Patch version
shashank-elastic
2025-03-26 20:34:14 +05:30
committed by GitHub
parent 2d2c5b4d88
commit e8c54169a4
422 changed files with 11786 additions and 12086 deletions
@@ -2,9 +2,7 @@
creation_date = "2020/02/18"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
updated_date = "2025/03/20"
[transform]
[[transform.osquery]]
@@ -31,6 +29,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
"""
[rule]
author = ["Elastic"]
description = "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe"
@@ -128,43 +127,45 @@ process.name:("cmd.exe" or "Cmd.exe" or "CMD.EXE") and
not process.command_line : "\"cmd.exe\" /C sc control hptpsmarthealthservice 211"
'''
[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."process.args"]
"case_insensitive" = true
"value" = "?:\\\\Windows\\\\system32\\\\silcollector.cmd"
case_insensitive = true
value = "?:\\\\Windows\\\\system32\\\\silcollector.cmd"
[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."process.command_line"]
"case_insensitive" = true
"value" = "*?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat*"
case_insensitive = true
value = "*?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat*"
[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."process.command_line"]
"case_insensitive" = true
"value" = "*?:\\\\Program Files*\\\\Pulseway\\\\watchdog.bat*"
case_insensitive = true
value = "*?:\\\\Program Files*\\\\Pulseway\\\\watchdog.bat*"
[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."process.command_line"]
"case_insensitive" = true
"value" = "cmd /C \".\\\\inetsrv\\\\iissetup.exe /keygen \""
case_insensitive = true
value = """
cmd /C ".\\inetsrv\\iissetup.exe /keygen "
"""
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
@@ -173,7 +174,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.command_line", "user.id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"