From f2bc0c685d83db7db395fc3dc4b9729759cd4329 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Wed, 14 Apr 2021 00:10:29 +0200 Subject: [PATCH] [Rule Tuning] Suspicious Explorer Child Process (#1035) * [Rule Tuning] Suspicious Explorer Child Process * Update rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml Co-authored-by: Justin Ibarra * Update rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml Co-authored-by: Justin Ibarra Co-authored-by: Justin Ibarra
---
 ...ia_explorer_suspicious_child_parent_args.toml | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
index 72c6028bb..a7a5f5681 100644
--- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
+++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/29"
 maturity = "production"
-updated_date = "2021/03/08"
+updated_date = "2021/03/11"
 [rule]
 author = ["Elastic"]
@@ -23,9 +23,18 @@ type = "eql"
 query = '''
 process where event.type in ("start", "process_started") and
- process.name : ("cscript.exe", "wscript.exe", "powershell.exe", "rundll32.exe", "cmd.exe", "mshta.exe", "regsvr32.exe") and
+ (
+ process.name : ("cscript.exe", "wscript.exe", "powershell.exe", "rundll32.exe", "cmd.exe", "mshta.exe", "regsvr32.exe") or
+ process.pe.original_file_name in ("cscript.exe", "wscript.exe", "PowerShell.EXE", "RUNDLL32.EXE", "Cmd.Exe", "MSHTA.EXE", "REGSVR32.EXE")
+ ) and
 /* Explorer started via DCOM */
- process.parent.name : "explorer.exe" and process.parent.args : "-Embedding"
+ process.parent.name : "explorer.exe" and process.parent.args : "-Embedding" and
+ not process.parent.args:
+ (
+ /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */
+ "/factory,{5BD95610-9434-43C2-886C-57852CC8A120}",
+ "/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}"
+ )
 '''
@@ -51,4 +60,3 @@ reference = "https://attack.mitre.org/techniques/T1566/002/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
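Review bot: The new `process.pe.original_file_name in (...)` alternative inside the added `(` ... `) and` group uses `in`, which is case-sensitive in EQL (unlike the `:` operator used on `process.name` one line above), so the mixed-case entries must reproduce the PE OriginalFilename strings verbatim and a later tidy-up that lowercases them would silently drop matches; a comment such as `/* 'in' is case-sensitive: keep the PE OriginalFilename casing */` above that line would record the intent. The added `not process.parent.args:` omits the space before `:` that the rest of the query uses (`process.parent.name : "explorer.exe"`), so `not process.parent.args :` would keep the style consistent. That exclusion is keyed only on the two `/factory,{...}` class IDs in the parent's command line, so it suppresses every child of an explorer.exe host started with those CLSIDs rather than only the known-noisy activity; it may be worth recording that coverage trade-off in the rule's `false_positives` entry. The `query` string and the rule continue past the hunk, and some trailing context lines of this hunk appear to have been lost in the paste.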