[metadata] creation_date = "2024/08/29" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" updated_date = "2024/09/17" [rule] author = ["Elastic"] description = """ Identifies the Foxmail client spawning a child process with argument pointing to the Foxmail temp directory. This may indicate the successful exploitation of a Foxmail vulnerability for initial access and execution via a malicious email. """ from = "now-9m" index = [ "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-endpoint.events.process-*" ] language = "eql" license = "Elastic License v2" name = "Potential Foxmail Exploitation" references = ["https://mp.weixin.qq.com/s/F8hNyESBdKhwXkQPgtGpew"] risk_score = 73 rule_id = "2c6a6acf-0dcb-404d-89fb-6b0327294cfa" severity = "high" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: System", "Data Source: Elastic Endgame", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint" ] timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and process.parent.name : "Foxmail.exe" and process.args : ("?:\\Users\\*\\AppData\\*", "\\\\*") ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1189" name = "Drive-by Compromise" reference = "https://attack.mitre.org/techniques/T1189/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/"