[metadata] creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ Identifies the execution of commonly abused Windows utilities via a delayed Ping execution. This behavior is often observed during malware installation and is consistent with an attacker attempting to evade detection. """ from = "now-9m" index = ["logs-endpoint.events.process-*"] language = "eql" license = "Elastic License v2" name = "Delayed Execution via Ping" risk_score = 21 rule_id = "e00b8d49-632f-4dc6-94a5-76153a481915" severity = "low" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend", ] type = "eql" query = ''' sequence by process.parent.entity_id with maxspan=1m [process where host.os.type == "windows" and event.action == "start" and process.name : "ping.exe" and process.args : "-n" and process.parent.name : "cmd.exe" and not user.id : "S-1-5-18"] [process where host.os.type == "windows" and event.action == "start" and process.parent.name : "cmd.exe" and ( process.name : ( "rundll32.exe", "powershell.exe", "mshta.exe", "msbuild.exe", "certutil.exe", "regsvr32.exe", "powershell.exe", "cscript.exe", "wscript.exe", "wmic.exe", "installutil.exe", "msxsl.exe", "Microsoft.Workflow.Compiler.exe", "ieexec.exe", "iexpress.exe", "RegAsm.exe", "installutil.exe", "RegSvcs.exe", "RegAsm.exe" ) or (process.executable : "?:\\Users\\*\\AppData\\*.exe" and not process.code_signature.trusted == true) ) and not process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*") and not (process.name : ("openssl.exe", "httpcfg.exe", "certutil.exe") and process.parent.command_line : "*ScreenConnectConfigurator.cmd*") and not (process.pe.original_file_name : "DPInst.exe" and process.command_line : "driver\\DPInst_x64 /f ") and not (process.name : "powershell.exe" and process.args : "Write-Host ======*") and not (process.name : "wscript.exe" and process.args : "launchquiet_args.vbs" and process.parent.args : "?:\\Windows\\TempInst\\7z*") and not (process.name : "regsvr32.exe" and process.args : ("?:\\windows\\syswow64\\msxml?.dll", "msxml?.dll", "?:\\Windows\\SysWOW64\\mschrt20.ocx")) and not (process.name : "wscript.exe" and process.working_directory : ("?:\\Windows\\TempInst\\*", "?:\\Users\\*\\AppData\\Local\\Temp\\BackupBootstrapper\\Logs\\", "?:\\Users\\*\\AppData\\Local\\Temp\\QBTools\\")) ] ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1216" name = "System Script Proxy Execution" reference = "https://attack.mitre.org/techniques/T1216/" [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" [[rule.threat.technique.subtechnique]] id = "T1218.003" name = "CMSTP" reference = "https://attack.mitre.org/techniques/T1218/003/" [[rule.threat.technique.subtechnique]] id = "T1218.004" name = "InstallUtil" reference = "https://attack.mitre.org/techniques/T1218/004/" [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" [[rule.threat.technique.subtechnique]] id = "T1218.009" name = "Regsvcs/Regasm" reference = "https://attack.mitre.org/techniques/T1218/009/" [[rule.threat.technique.subtechnique]] id = "T1218.010" name = "Regsvr32" reference = "https://attack.mitre.org/techniques/T1218/010/" [[rule.threat.technique.subtechnique]] id = "T1218.011" name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" [[rule.threat.technique]] id = "T1220" name = "XSL Script Processing" reference = "https://attack.mitre.org/techniques/T1220/" [[rule.threat.technique]] id = "T1497" name = "Virtualization/Sandbox Evasion" reference = "https://attack.mitre.org/techniques/T1497/" [[rule.threat.technique.subtechnique]] id = "T1497.003" name = "Time Based Evasion" reference = "https://attack.mitre.org/techniques/T1497/003/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/"