[New Rule] Windows Defender Exclusions Added via PowerShell (#1370)

* Added new rule * Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> * Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> * Added pwsh.exe to original name * Added PowerShell MITRE reference * Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-07-21 11:54:11 -05:00
parent 163d9e3864
commit fbd4cf2117
1 changed files with 71 additions and 0 deletions
@@ -0,0 +1,71 @@
+[metadata]
+creation_date = "2021/07/20"
+maturity = "production"
+updated_date = "2021/07/20"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Windows Defender Exclusions Added via PowerShell"
+note = """## Triage and analysis
+
+Detections should be investigated to identify if the activity corresponds to legitimate activity used to put in exceptions for Windows Defender. As this rule detects post-exploitation process activity, investigations into this should be prioritized"""
+references = ["https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf"]
+risk_score = 47
+rule_id = "2c17e5d7-08b9-43b2-b58a-0270d65ac85b"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type == "start" and
+ (process.name : ("powershell.exe", "pwsh.exe") or process.pe.original_file_name : ("powershell.exe", "pwsh.exe")) and
+  process.args : ("*Add-MpPreference*-Exclusion*", "*Set-MpPreference*-Exclusion*")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.006"
+name = "Indicator Blocking"
+reference = "https://attack.mitre.org/techniques/T1562/006/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"