diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml index 3beaffd08..4e8aadde9 100644 --- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml +++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/09/18" [rule] author = ["Elastic"] @@ -25,7 +25,14 @@ references = ["https://www.joesandbox.com/analysis/476188/1/html"] risk_score = 73 rule_id = "416697ae-e468-4093-a93d-59661fa619ec" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml index d2d7937ff..b5acccf53 100644 --- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml +++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/09/18" [rule] author = ["Elastic"] 
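Review bot: The reflowed `tags` array puts the first element on the `tags = [` line and closes with an indented `]` on a continuation line of its own, which does not match the multi-line style these rule files already use elsewhere in this diff (the msbuild_started_by_office_app and msbuild_started_renamed hunks show `tags = [` on its own line, one element per line, and `]` at column 0). The same shape is repeated in every other reflowed `tags` hunk here (wuauclt, msbuild_started_by_system_process, suspicious_explorer_winword, windefend_unusual_path, enumeration_via_wmiprvse, ms_office_written_file, suspicious_psexesvc, unsigned_service_executable and the new-terms conversions), so the fix applies to all of them. Suggest `tags = [` alone on the first line, each element indented by four spaces, and an unindented `]`, or keep the original single-line form. In windefend_unusual_path the new `"Tactic: Execution"` entry is additionally placed between the two `Data Source:` tags instead of after `"Tactic: Defense Evasion"` as in the other files; keeping the order consistent makes the tag lists diffable across rules.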
@@ -25,7 +25,14 @@ references = ["https://dtm.uk/wuauclt/"] risk_score = 47 rule_id = "edf8ee23-5ea7-4123-ba19-56b41e424ae3" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" timeline_title = "Comprehensive Process Timeline" timestamp_override = "event.ingested" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml index 68ece95a1..369ec7f7e 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/09/18" [rule] author = ["Elastic"] @@ -86,6 +86,7 @@ tags = [ "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", + "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml index 7de464722..a07905101 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml 
@@ -2,9 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/19" [rule] author = ["Elastic"] 
@@ -14,41 +14,43 @@ behavior is unusual and is sometimes used by malicious payloads. """ false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] -language = "eql" +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +language = "kuery" license = "Elastic License v2" name = "Microsoft Build Engine Started by a Script Process" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 21 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -process where host.os.type == "windows" and event.type == "start" and - (process.name : "MSBuild.exe" or process.pe.original_file_name == "MSBuild.exe") and - process.parent.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "cscript.exe", "wscript.exe", "mshta.exe") +host.os.type:windows and event.category:process and event.type:start and ( + process.name.caseless:"msbuild.exe" or process.pe.original_file_name:"MSBuild.exe") and + process.parent.name:("cmd.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "cscript.exe" or + "wscript.exe" or "mshta.exe") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id 
= "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" @@ -61,3 +63,10 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "user.name", "process.command_line"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml index 0c6c03912..93dff83ab 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/09/18" [rule] author = ["Elastic"] @@ -25,7 +25,14 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" 
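Review bot: In the converted query `process.parent.name:("cmd.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "cscript.exe" or "wscript.exe" or "mshta.exe")` compares the plain keyword field and is therefore case-sensitive in KQL, whereas the EQL `:` it replaces was case-insensitive; the child side of the same clause does use `process.name.caseless`, so a parent recorded as `CMD.EXE` or `Powershell.exe` now falls out of scope. The same regression appears in the other conversions in this diff: `process.parent.name:"MSBuild.exe"` in msbuild_started_unusal_process, `process.parent.name:"svchost.exe"` in execution_command_shell_started_by_svchost, and `process.parent.executable:"C:\\Windows\\System32\\services.exe"` in execution_unsigned_service_executable. Suggest `process.parent.name.caseless:("cmd.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "cscript.exe" or "wscript.exe" or "mshta.exe")` here and the corresponding `.caseless` multi-field in the others. Note that this diff only shows `.caseless` in use with Elastic Defend data, while the rule still queries `winlogbeat-*` and `logs-windows.*`; an index whose mapping lacks the multi-field silently never matches that clause, so confirm the mapping for those sources before relying on it.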
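Review bot: The `new_terms_fields` value here keys on `user.name`, while the svchost, powershell_imgload and unsigned_service conversions in this diff key on `user.id` (the unusal_process conversion also uses `user.name`). The two fields behave differently as a new-terms dimension: `user.name` collides across hosts and domains and changes on account rename, whereas `user.id` on Windows endpoints is typically the account SID, so the same script run by two like-named accounts is one term under `user.name` and two under `user.id`. Pick one for the whole set so the five rules suppress repeats the same way, and if `user.name` is the deliberate choice a one-line comment above `value` saying why would help the next maintainer.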
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml index 3e512129e..16df4b7d7 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/09/18" [transform] [[transform.osquery]] @@ -106,6 +106,7 @@ tags = [ "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", + "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml index 86fcdc731..ddaafe8f9 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml @@ -2,9 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/19" [rule] author = ["Elastic"] 
@@ -19,8 +19,8 @@ false_positives = [ """, ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] -language = "eql" +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +language = "kuery" license = "Elastic License v2" name = "Microsoft Build Engine Started an Unusual Process" note = """## Setup @@ -31,32 +31,44 @@ references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-m risk_score = 21 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] + timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -process where host.os.type == "windows" and event.type == "start" and - process.parent.name : "MSBuild.exe" and - process.name : ("csc.exe", "iexplore.exe", "powershell.exe") +host.os.type:windows and event.category:process and event.type:start and process.parent.name:"MSBuild.exe" and +process.name.caseless:("csc.exe" or "iexplore.exe" or "powershell.exe") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" + [[rule.threat.technique.subtechnique]] id = "T1027.004" name = "Compile After Delivery" reference = "https://attack.mitre.org/techniques/T1027/004/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "user.name", "process.parent.command_line"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" 
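Review bot: The `note = """## Setup` line kept as the last context line of this hunk is, judging by the sibling rules in this diff, the EQL-specific paragraph about the `event.ingested` fallback on non-agent indices for versions below 8.2, and the by_script conversion in the same commit deletes exactly that note. With `language = "kuery"` and `type = "new_terms"` that guidance no longer applies here, so the note should be removed or reworded to match the by_script change. The note body itself lies outside this hunk, so confirm its content before editing.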
diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml index 414fc58c5..4b52077cc 100644 --- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml +++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml @@ -25,7 +25,14 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 73 rule_id = "1160dcdb-0a0a-4a79-91d8-9b84616edebd" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml index dce462621..cbf4864f4 100644 --- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml +++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml @@ -29,7 +29,14 @@ references = [ risk_score = 73 rule_id = "053a0387-f3b5-4ba5-8245-8002cca2bd08" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml index de9784d6e..707b1a6aa 100644 
--- a/rules/windows/execution_command_shell_started_by_svchost.toml +++ b/rules/windows/execution_command_shell_started_by_svchost.toml @@ -2,9 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/19" [transform] [[transform.osquery]] @@ -31,13 +31,12 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe" from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] -language = "eql" +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +language = "kuery" license = "Elastic License v2" name = "Svchost spawning Cmd" note = """## Triage and analysis 
@@ -100,47 +99,40 @@ references = [ risk_score = 21 rule_id = "fd7a6052-58fa-4397-93c3-4795249ccfa2" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" timeline_title = "Comprehensive Process Timeline" timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -process where host.os.type == "windows" and event.type == "start" and - - process.parent.name : "svchost.exe" and process.name : "cmd.exe" and - - not process.args : - ("??:\\Program Files\\Npcap\\CheckStatus.bat?", - "?:\\Program Files\\Npcap\\CheckStatus.bat", - "\\system32\\cleanmgr.exe", - "?:\\Windows\\system32\\silcollector.cmd", - "\\system32\\AppHostRegistrationVerifier.exe", - "\\system32\\ServerManagerLauncher.exe", - "dir", - "?:\\Program Files\\*", - "?:\\Program Files (x86)\\*", - "?:\\Windows\\LSDeployment\\Lspush.exe", - "(x86)\\FMAuditOnsite\\watchdog.bat", - "?:\\ProgramData\\chocolatey\\bin\\choco-upgrade-all.bat", - "Files\\Npcap\\CheckStatus.bat") and - - /* very noisy pattern - bat or cmd script executed via scheduled tasks */ - not (process.parent.args : "netsvcs" and process.args : ("?:\\*.bat", "?:\\*.cmd")) +host.os.type:windows and event.category:process and event.type:start and process.parent.name:"svchost.exe" and +process.name.caseless:"cmd.exe" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[rule.new_terms] +field = 
"new_terms_fields" +value = ["host.id", "process.command_line", "user.id"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml index ef6f9c1b7..007c5850f 100644 --- a/rules/windows/execution_enumeration_via_wmiprvse.toml +++ b/rules/windows/execution_enumeration_via_wmiprvse.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/09/19" [rule] author = ["Elastic"] @@ -24,7 +24,13 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "770e0c4d-b998-41e5-a62e-c7901fd7f470" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" 
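Review bot: Nothing in the new query or in the new-terms key replaces the `netsvcs` guard that the removed EQL comment described as a very noisy pattern (`.bat`/`.cmd` scripts launched through scheduled tasks): with `["host.id", "process.command_line", "user.id"]` every distinct scheduled script command line still alerts once per host and user within the 14-day window, and a command line that embeds a changing value (a date, a counter) would likely escape the suppression altogether. If that trade-off is intended it should be stated in the rule's `description` or `note`; otherwise keep the narrow guard, e.g. `and not (process.parent.args:netsvcs and process.args:(*.bat or *.cmd))`. The `note` section begins before this hunk, so I cannot tell whether it already documents the change.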
@@ -55,24 +61,30 @@ process where host.os.type == "windows" and event.type == "start" and "tracert.exe", "whoami.exe" ) and - process.parent.name:"wmiprvse.exe" + process.parent.name:"wmiprvse.exe" and + not ( + process.name : "sc.exe" and process.args : "RemoteRegistry" and process.args : "start=" and + process.args : ("demand", "disabled") + ) and + not process.args : "tenable_mw_scan" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" @@ -92,6 +104,7 @@ reference = "https://attack.mitre.org/techniques/T1518/" id = "T1016" name = "System Network Configuration Discovery" reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique.subtechnique]] id = "T1016.001" name = "Internet Connection Discovery" @@ -106,4 +119,3 @@ reference = "https://attack.mitre.org/techniques/T1057/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml index 581098701..48aa8a50a 100644 --- a/rules/windows/execution_ms_office_written_file.toml +++ b/rules/windows/execution_ms_office_written_file.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/09/19" [rule] author = ["Elastic"] 
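Review bot: The new exclusion `not process.args : "tenable_mw_scan"` is keyed on a single free-form argument token with no constraint on which executable or signer carries it, so any process under `wmiprvse.exe` whose command line contains that token is dropped from the rule, not only the scanner it was added for. Scoping it to the scanner's binary, e.g. `not (process.name : "<SCANNER_BINARY_NAME>" and process.args : "tenable_mw_scan")` (placeholder: the expected `process.name` is not in this diff), keeps the allowlist specific. The `sc.exe` / `RemoteRegistry` exclusion above it is already scoped that way; a one-line EQL comment naming the product each exclusion accounts for would help whoever revisits it. The query itself starts before this hunk.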
@@ -68,7 +68,14 @@ This rule searches for executable files written by MS Office applications execut risk_score = 73 rule_id = "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] type = "eql" query = ''' @@ -83,10 +90,11 @@ sequence with maxspan=2h process.name : "MSPUB.EXE" or process.name : "MSACCESS.EXE") ] by host.id, file.path - [process where host.os.type == "windows" and event.type == "start"] by host.id, process.executable + [process where host.os.type == "windows" and event.type == "start" and + not (process.name : "NewOutlookInstaller.exe" and process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true) + ] by host.id, process.executable ''' - [[rule.threat]] framework = "MITRE ATT&CK" @@ -94,12 +102,15 @@ framework = "MITRE ATT&CK" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" @@ -110,10 +121,7 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml index 31d26f7e6..d838855cc 100644 
--- a/rules/windows/execution_suspicious_powershell_imgload.toml +++ b/rules/windows/execution_suspicious_powershell_imgload.toml @@ -2,9 +2,9 @@ creation_date = "2020/11/17" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/29" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/20" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ with powershell.exe, some attackers do this to operate more stealthily. """ from = "now-9m" index = ["logs-endpoint.events.*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "Suspicious PowerShell Engine ImageLoad" note = """## Triage and analysis 
@@ -63,56 +63,47 @@ Attackers can use PowerShell without having to execute `PowerShell.exe` directly risk_score = 47 rule_id = "852c1f19-68e8-43a6-9dce-340771fe1be3" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -library where host.os.type == "windows" and - dll.name : ("System.Management.Automation.ni.dll", "System.Management.Automation.dll") and - not - ( - /* MS Signed Binaries */ - ( - process.code_signature.subject_name : ( - "Microsoft Windows", - "Microsoft Dynamic Code Publisher", - "Microsoft Corporation" - ) and process.code_signature.trusted == true and not process.name : ("rundll32.exe", "regsvr32.exe") - ) or - - /* Signed Executables from the Program Files folder */ - ( - process.executable : ( - "?:\\Program Files (x86)\\*.exe", - "?:\\Program Files\\*.exe" - ) and process.code_signature.trusted == true - ) or - - /* Lenovo */ - ( - process.executable : ( - "?:\\Windows\\Lenovo\\*.exe" - ) and (process.code_signature.subject_name : "Lenovo" and process.code_signature.trusted == true) - ) - ) +host.os.type:windows and event.category:library and + dll.name:("System.Management.Automation.dll" or "System.Management.Automation.ni.dll") and + not (process.code_signature.subject_name:("Microsoft Corporation" or "Microsoft Dynamic Code Publisher" or "Microsoft Windows") and process.code_signature.trusted:true and not process.name.caseless:("regsvr32.exe" or "rundll32.exe")) and + not (process.executable.caseless:(?\:\\\\Program?Files?\(x86\)\\\\*.exe or ?\:\\\\Program?Files\\\\*.exe) and process.code_signature.trusted:true) and + not 
(process.executable.caseless:?\:\\\\Windows\\\\Lenovo\\\\*.exe and process.code_signature.subject_name:"Lenovo" and + process.code_signature.trusted:true) and not process.executable.caseless : "C:\\Windows\\System32\\powershell.exe" ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "process.executable", "user.id"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml index 9d558f377..6af5bd359 100644 --- a/rules/windows/execution_suspicious_psexesvc.toml +++ b/rules/windows/execution_suspicious_psexesvc.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/09/19" [rule] author = ["Elastic"] 
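Review bot: The final clause `not process.executable.caseless : "C:\\Windows\\System32\\powershell.exe"` is new in the KQL version (the EQL it replaces carries no such exclusion) and the path looks wrong: on a default Windows install powershell.exe lives under `System32\WindowsPowerShell\v1.0\`, so as written the term presumably never matches. It is also the only pattern in the query that hard-codes the `C:` drive where the others use `?\:`, and the only one written with spaces around `:`. Either drop the clause, since a signed PowerShell host is already covered by the Microsoft signer exclusion above as far as this hunk shows, or correct it to the real path with the same `?\:\\\\` escaping as the neighbouring patterns and a comment saying why it is needed. The removed EQL comments (`/* MS Signed Binaries */`, `/* Signed Executables from the Program Files folder */`, `/* Lenovo */`) were not carried over and KQL has no comment syntax, so consider preserving that rationale in the rule's `note`.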
@@ -19,7 +19,7 @@ license = "Elastic License v2" name = "Suspicious Process Execution via Renamed PsExec Executable" note = """## Triage and analysis -### Investigating PsExec Network Connection +### Investigating Suspicious Process Execution via Renamed PsExec Executable PsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. It operates by executing a service component `Psexecsvc` on a remote system, which then runs a specified process and returns the results to the local system. Microsoft develops PsExec as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections. @@ -55,7 +55,14 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" 
@@ -64,22 +71,20 @@ process where host.os.type == "windows" and event.type == "start" and process.pe.original_file_name : "psexesvc.exe" and not process.name : "PSEXESVC.exe" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1569" name = "System Services" reference = "https://attack.mitre.org/techniques/T1569/" + [[rule.threat.technique.subtechnique]] id = "T1569.002" name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/execution_unsigned_service_executable.toml b/rules_building_block/execution_unsigned_service_executable.toml index 6c29b7ca4..e82422e85 100644 --- a/rules_building_block/execution_unsigned_service_executable.toml +++ b/rules_building_block/execution_unsigned_service_executable.toml 
@@ -2,55 +2,64 @@ creation_date = "2023/07/14" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/07/14" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/19" +bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ This rule identifies the execution of unsigned executables via service control manager (SCM). Adversaries may abuse SCM to execute malware or escalate privileges. """ -from = "now-119m" -interval = "60m" +from = "now-9m" index = ["logs-endpoint.events.*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "Execution of an Unsigned Service" risk_score = 21 rule_id = "56fdfcf1-ca7c-4fd9-951d-e215ee26e404" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -building_block_type = "default" -type = "eql" +type = "new_terms" query = ''' -process where host.os.type == "windows" and event.type == "start" and -( - ( - process.parent.executable : "C:\\Windows\\System32\\services.exe" and - (process.code_signature.exists == false or process.code_signature.trusted == false) - ) -) +host.os.type:windows and event.category:process and event.type:start and +process.parent.executable:"C:\\Windows\\System32\\services.exe" and +(process.code_signature.exists:false or process.code_signature.trusted:false) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1569" name = "System Services" reference = 
"https://attack.mitre.org/techniques/T1569/" + [[rule.threat.technique.subtechnique]] id = "T1569.002" name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "process.executable", "user.id"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d"