[metadata] creation_date = "2020/10/30" maturity = "production" updated_date = "2022/08/02" [rule] author = ["Elastic"] description = """ Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths. """ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Execution from Unusual Directory - Command Line" note = """## Triage and analysis This is related to the `Process Execution from an Unusual Directory rule`. ## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 47 rule_id = "cff92c41-2225-4763-b4ce-6f71e5bda5e6" severity = "medium" tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Defense Evasion"] timestamp_override = "event.ingested" type = "eql" query = ''' process where event.type in ("start", "process_started", "info") and process.name : ("wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe", "cmstp.exe", "RegAsm.exe", "installutil.exe", "mshta.exe", "RegSvcs.exe", "powershell.exe", "pwsh.exe", "cmd.exe") and /* add suspicious execution paths here */ process.args : ("C:\\PerfLogs\\*", "C:\\Users\\Public\\*", "C:\\Windows\\Tasks\\*", "C:\\Intel\\*", "C:\\AMD\\Temp\\*", "C:\\Windows\\AppReadiness\\*", "C:\\Windows\\ServiceState\\*", "C:\\Windows\\security\\*", "C:\\Windows\\IdentityCRL\\*", "C:\\Windows\\Branding\\*", "C:\\Windows\\csc\\*", "C:\\Windows\\DigitalLocker\\*", "C:\\Windows\\en-US\\*", "C:\\Windows\\wlansvc\\*", "C:\\Windows\\Prefetch\\*", "C:\\Windows\\Fonts\\*", "C:\\Windows\\diagnostics\\*", "C:\\Windows\\TAPI\\*", "C:\\Windows\\INF\\*", "C:\\Windows\\System32\\Speech\\*", "C:\\windows\\tracing\\*", "c:\\windows\\IME\\*", "c:\\Windows\\Performance\\*", "c:\\windows\\intel\\*", "c:\\windows\\ms\\*", "C:\\Windows\\dot3svc\\*", "C:\\Windows\\panther\\*", "C:\\Windows\\RemotePackages\\*", "C:\\Windows\\OCR\\*", "C:\\Windows\\appcompat\\*", "C:\\Windows\\apppatch\\*", "C:\\Windows\\addins\\*", "C:\\Windows\\Setup\\*", "C:\\Windows\\Help\\*", "C:\\Windows\\SKB\\*", "C:\\Windows\\Vss\\*", "C:\\Windows\\servicing\\*", "C:\\Windows\\CbsTemp\\*", "C:\\Windows\\Logs\\*", "C:\\Windows\\WaaS\\*", "C:\\Windows\\twain_32\\*", "C:\\Windows\\ShellExperiences\\*", "C:\\Windows\\ShellComponents\\*", "C:\\Windows\\PLA\\*", "C:\\Windows\\Migration\\*", "C:\\Windows\\debug\\*", "C:\\Windows\\Cursors\\*", "C:\\Windows\\Containers\\*", "C:\\Windows\\Boot\\*", "C:\\Windows\\bcastdvr\\*", "C:\\Windows\\TextInput\\*", "C:\\Windows\\security\\*", "C:\\Windows\\schemas\\*", "C:\\Windows\\SchCache\\*", "C:\\Windows\\Resources\\*", "C:\\Windows\\rescache\\*", "C:\\Windows\\Provisioning\\*", "C:\\Windows\\PrintDialog\\*", "C:\\Windows\\PolicyDefinitions\\*", "C:\\Windows\\media\\*", "C:\\Windows\\Globalization\\*", "C:\\Windows\\L2Schemas\\*", "C:\\Windows\\LiveKernelReports\\*", "C:\\Windows\\ModemLogs\\*", "C:\\Windows\\ImmersiveControlPanel\\*", "C:\\$Recycle.Bin\\*") and /* noisy FP patterns */ not process.parent.executable : ("C:\\WINDOWS\\System32\\DriverStore\\FileRepository\\*\\igfxCUIService*.exe", "C:\\Windows\\System32\\spacedeskService.exe", "C:\\Program Files\\Dell\\SupportAssistAgent\\SRE\\SRE.exe") and not (process.name : "rundll32.exe" and process.args : ("uxtheme.dll,#64", "PRINTUI.DLL,PrintUIEntry", "?:\\Windows\\System32\\FirewallControlPanel.dll,ShowNotificationDialog", "?:\\WINDOWS\\system32\\Speech\\SpeechUX\\sapi.cpl", "?:\\Windows\\system32\\shell32.dll,OpenAs_RunDLL")) and not (process.name : "cscript.exe" and process.args : "?:\\WINDOWS\\system32\\calluxxprovider.vbs") and not (process.name : "cmd.exe" and process.args : "?:\\WINDOWS\\system32\\powercfg.exe" and process.args : "?:\\WINDOWS\\inf\\PowerPlan.log") and not (process.name : "regsvr32.exe" and process.args : "?:\\Windows\\Help\\OEM\\scripts\\checkmui.dll") and not (process.name : "cmd.exe" and process.parent.executable : ("?:\\Windows\\System32\\oobe\\windeploy.exe", "?:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe", "?:\\Windows\\System32\\igfxCUIService.exe", "?:\\Windows\\Temp\\IE*.tmp\\IE*-support\\ienrcore.exe")) ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" [[rule.threat.technique.subtechnique]] id = "T1036.005" name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/"