[metadata]
creation_date = "2023/09/25"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/25"
bypass_bbr_timing = true

[rule]
author = ["Elastic"]
description = """
Identifies the execution of commonly abused Windows utilities via a delayed Ping execution. This behavior is often
observed during malware installation and is consistent with an attacker attempting to evade detection.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Delayed Execution via Ping"
risk_score = 21
rule_id = "e00b8d49-632f-4dc6-94a5-76153a481915"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
type = "eql"
building_block_type = "default"

query = '''
sequence by process.parent.entity_id with maxspan=1m
  [process where host.os.type == "windows" and event.action == "start" and process.name : "ping.exe" and
   process.args : "-n" and process.parent.name : "cmd.exe" and not user.id : "S-1-5-18"]
  [process where host.os.type == "windows" and event.action == "start" and
   process.parent.name : "cmd.exe" and
   (
        process.name : (
            "rundll32.exe", "powershell.exe",
            "mshta.exe", "msbuild.exe",
            "certutil.exe", "regsvr32.exe",
            "powershell.exe", "cscript.exe",
            "wscript.exe", "wmic.exe",
            "installutil.exe", "msxsl.exe",
            "Microsoft.Workflow.Compiler.exe",
            "ieexec.exe", "iexpress.exe",
            "RegAsm.exe", "installutil.exe",
            "RegSvcs.exe", "RegAsm.exe"
        ) or
        (process.executable : "?:\\Users\\*\\AppData\\*.exe" and not process.code_signature.trusted == true)
    ) and

    not process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*") and
    not (process.name : ("openssl.exe", "httpcfg.exe", "certutil.exe") and process.parent.command_line : "*ScreenConnectConfigurator.cmd*") and
    not (process.pe.original_file_name : "DPInst.exe" and process.command_line : "driver\\DPInst_x64  /f ") and
    not (process.name : "powershell.exe" and process.args : "Write-Host ======*") and
    not (process.name : "wscript.exe" and process.args : "launchquiet_args.vbs" and process.parent.args : "?:\\Windows\\TempInst\\7z*") and
    not (process.name : "regsvr32.exe" and process.args : ("?:\\windows\\syswow64\\msxml?.dll", "msxml?.dll", "?:\\Windows\\SysWOW64\\mschrt20.ocx")) and 
    not (process.name : "wscript.exe" and
         process.working_directory :
                    ("?:\\Windows\\TempInst\\*",
                     "?:\\Users\\*\\AppData\\Local\\Temp\\BackupBootstrapper\\Logs\\",
                     "?:\\Users\\*\\AppData\\Local\\Temp\\QBTools\\"))
    ]
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
name = "Command and Scripting Interpreter"
id = "T1059"
reference = "https://attack.mitre.org/techniques/T1059/"

  [[rule.threat.technique.subtechnique]]
  name = "Visual Basic"
  id = "T1059.005"
  reference = "https://attack.mitre.org/techniques/T1059/005/"

  [[rule.threat.technique.subtechnique]]
  name = "PowerShell"
  id = "T1059.001"
  reference = "https://attack.mitre.org/techniques/T1059/001/"

  [rule.threat.tactic]
  name = "Execution"
  id = "TA0002"
  reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1497"
name = "Virtualization/Sandbox Evasion"
reference = "https://attack.mitre.org/techniques/T1497/"

  [[rule.threat.technique.subtechnique]]
  name = "Time Based Evasion"
  id = "T1497.003"
  reference = "https://attack.mitre.org/techniques/T1497/003/"

[[rule.threat.technique]]
name = "System Binary Proxy Execution"
id = "T1218"
reference = "https://attack.mitre.org/techniques/T1218/"

  [[rule.threat.technique.subtechnique]]
  name = "CMSTP"
  id = "T1218.003"
  reference = "https://attack.mitre.org/techniques/T1218/003/"

  [[rule.threat.technique.subtechnique]]
  name = "InstallUtil"
  id = "T1218.004"
  reference = "https://attack.mitre.org/techniques/T1218/004/"

  [[rule.threat.technique.subtechnique]]
  name = "Mshta"
  id = "T1218.005"
  reference = "https://attack.mitre.org/techniques/T1218/005/"

  [[rule.threat.technique.subtechnique]]
  name = "Regsvcs/Regasm"
  id = "T1218.009"
  reference = "https://attack.mitre.org/techniques/T1218/009/"

  [[rule.threat.technique.subtechnique]]
  name = "Regsvr32"
  id = "T1218.010"
  reference = "https://attack.mitre.org/techniques/T1218/010/"

  [[rule.threat.technique.subtechnique]]
  name = "Rundll32"
  id = "T1218.011"
  reference = "https://attack.mitre.org/techniques/T1218/011/"

  [[rule.threat.technique]]
  name = "System Script Proxy Execution"
  id = "T1216"
  reference = "https://attack.mitre.org/techniques/T1216/"

  [[rule.threat.technique]]
  name = "XSL Script Processing"
  id = "T1220"
  reference = "https://attack.mitre.org/techniques/T1220/"


[rule.threat.tactic]
name = "Defense Evasion"
id = "TA0005"
reference = "https://attack.mitre.org/tactics/TA0005/"