[Rule Tuning] Suspicious Explorer Child Process (#1035)

* [Rule Tuning] Suspicious Explorer Child Process * Update rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-04-14 00:10:29 +02:00
parent 0cc0e3d31f
commit f2bc0c685d
1 changed files with 12 additions and 4 deletions
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/29"
 maturity = "production"
-updated_date = "2021/03/08"
+updated_date = "2021/03/11"

 [rule]
 author = ["Elastic"]
@@ -23,9 +23,18 @@ type = "eql"

 query = '''
 process where event.type in ("start", "process_started") and
-  process.name : ("cscript.exe", "wscript.exe", "powershell.exe", "rundll32.exe", "cmd.exe", "mshta.exe", "regsvr32.exe") and
+  (
+   process.name : ("cscript.exe", "wscript.exe", "powershell.exe", "rundll32.exe", "cmd.exe", "mshta.exe", "regsvr32.exe") or
+   process.pe.original_file_name in ("cscript.exe", "wscript.exe", "PowerShell.EXE", "RUNDLL32.EXE", "Cmd.Exe", "MSHTA.EXE", "REGSVR32.EXE")
+  ) and
  /* Explorer started via DCOM */
-  process.parent.name : "explorer.exe" and process.parent.args : "-Embedding"
+  process.parent.name : "explorer.exe" and process.parent.args : "-Embedding" and
+  not process.parent.args:
+          (
+            /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs   */
+            "/factory,{5BD95610-9434-43C2-886C-57852CC8A120}",
+            "/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}"
+          )
 '''


@@ -51,4 +60,3 @@ reference = "https://attack.mitre.org/techniques/T1566/002/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-