security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
main
sigma-rules/rules_building_block/defense_evasion_injection_from_msoffice.toml
T
shashank-elastic 63e91c2f12 Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30

95 lines
2.6 KiB
TOML
Raw Permalink Blame History

[metadata]
creation_date = "2023/09/25"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Identifies child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel) with unusual
process arguments and path. This behavior is often observed during exploitation of Office applications or from documents
with malicious macros.
"""
from = "now-119m"
index = ["logs-endpoint.events.process-*"]
interval = "60m"
language = "eql"
license = "Elastic License v2"
name = "Potential Process Injection from Malicious Document"
risk_score = 21
rule_id = "1c5a04ae-d034-41bf-b0d8-96439b5cc774"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Tactic: Privilege Escalation",
"Tactic: Initial Access",
"Rule Type: BBR",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "windows" and event.action == "start" and
process.parent.name : ("excel.exe", "powerpnt.exe", "winword.exe") and
process.args_count == 1 and
process.executable : (
"?:\\Windows\\SysWOW64\\*.exe", "?:\\Windows\\system32\\*.exe"
) and
not (process.executable : "?:\\Windows\\System32\\spool\\drivers\\x64\\*" and
process.code_signature.trusted == true and not process.code_signature.subject_name : "Microsoft *") and
not process.executable : (
"?:\\Windows\\Sys*\\Taskmgr.exe",
"?:\\Windows\\Sys*\\ctfmon.exe",
"?:\\Windows\\System32\\notepad.exe")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[[rule.threat.technique.subtechnique]]
id = "T1566.001"
name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
Reference in New Issue View Git Blame Copy Permalink