shashank-elastic
153 lines
4.9 KiB
TOML
153 lines
4.9 KiB
TOML
[metadata]
|
|
creation_date = "2023/09/25"
|
|
integration = ["endpoint"]
|
|
maturity = "production"
|
|
updated_date = "2024/05/21"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Identifies the execution of commonly abused Windows utilities via a delayed Ping execution. This behavior is often
|
|
observed during malware installation and is consistent with an attacker attempting to evade detection.
|
|
"""
|
|
from = "now-9m"
|
|
index = ["logs-endpoint.events.process-*"]
|
|
language = "eql"
|
|
license = "Elastic License v2"
|
|
name = "Delayed Execution via Ping"
|
|
risk_score = 21
|
|
rule_id = "e00b8d49-632f-4dc6-94a5-76153a481915"
|
|
severity = "low"
|
|
tags = [
|
|
"Domain: Endpoint",
|
|
"OS: Windows",
|
|
"Use Case: Threat Detection",
|
|
"Tactic: Execution",
|
|
"Tactic: Defense Evasion",
|
|
"Data Source: Elastic Defend",
|
|
]
|
|
type = "eql"
|
|
|
|
query = '''
|
|
sequence by process.parent.entity_id with maxspan=1m
|
|
[process where host.os.type == "windows" and event.action == "start" and process.name : "ping.exe" and
|
|
process.args : "-n" and process.parent.name : "cmd.exe" and not user.id : "S-1-5-18"]
|
|
[process where host.os.type == "windows" and event.action == "start" and
|
|
process.parent.name : "cmd.exe" and
|
|
(
|
|
process.name : (
|
|
"rundll32.exe", "powershell.exe",
|
|
"mshta.exe", "msbuild.exe",
|
|
"certutil.exe", "regsvr32.exe",
|
|
"powershell.exe", "cscript.exe",
|
|
"wscript.exe", "wmic.exe",
|
|
"installutil.exe", "msxsl.exe",
|
|
"Microsoft.Workflow.Compiler.exe",
|
|
"ieexec.exe", "iexpress.exe",
|
|
"RegAsm.exe", "installutil.exe",
|
|
"RegSvcs.exe", "RegAsm.exe"
|
|
) or
|
|
(process.executable : "?:\\Users\\*\\AppData\\*.exe" and not process.code_signature.trusted == true)
|
|
) and
|
|
|
|
not process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*") and
|
|
not (process.name : ("openssl.exe", "httpcfg.exe", "certutil.exe") and process.parent.command_line : "*ScreenConnectConfigurator.cmd*") and
|
|
not (process.pe.original_file_name : "DPInst.exe" and process.command_line : "driver\\DPInst_x64 /f ") and
|
|
not (process.name : "powershell.exe" and process.args : "Write-Host ======*") and
|
|
not (process.name : "wscript.exe" and process.args : "launchquiet_args.vbs" and process.parent.args : "?:\\Windows\\TempInst\\7z*") and
|
|
not (process.name : "regsvr32.exe" and process.args : ("?:\\windows\\syswow64\\msxml?.dll", "msxml?.dll", "?:\\Windows\\SysWOW64\\mschrt20.ocx")) and
|
|
not (process.name : "wscript.exe" and
|
|
process.working_directory :
|
|
("?:\\Windows\\TempInst\\*",
|
|
"?:\\Users\\*\\AppData\\Local\\Temp\\BackupBootstrapper\\Logs\\",
|
|
"?:\\Users\\*\\AppData\\Local\\Temp\\QBTools\\"))
|
|
]
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1059"
|
|
name = "Command and Scripting Interpreter"
|
|
reference = "https://attack.mitre.org/techniques/T1059/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1059.001"
|
|
name = "PowerShell"
|
|
reference = "https://attack.mitre.org/techniques/T1059/001/"
|
|
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1059.005"
|
|
name = "Visual Basic"
|
|
reference = "https://attack.mitre.org/techniques/T1059/005/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0002"
|
|
name = "Execution"
|
|
reference = "https://attack.mitre.org/tactics/TA0002/"
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1216"
|
|
name = "System Script Proxy Execution"
|
|
reference = "https://attack.mitre.org/techniques/T1216/"
|
|
|
|
[[rule.threat.technique]]
|
|
id = "T1218"
|
|
name = "System Binary Proxy Execution"
|
|
reference = "https://attack.mitre.org/techniques/T1218/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1218.003"
|
|
name = "CMSTP"
|
|
reference = "https://attack.mitre.org/techniques/T1218/003/"
|
|
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1218.004"
|
|
name = "InstallUtil"
|
|
reference = "https://attack.mitre.org/techniques/T1218/004/"
|
|
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1218.005"
|
|
name = "Mshta"
|
|
reference = "https://attack.mitre.org/techniques/T1218/005/"
|
|
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1218.009"
|
|
name = "Regsvcs/Regasm"
|
|
reference = "https://attack.mitre.org/techniques/T1218/009/"
|
|
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1218.010"
|
|
name = "Regsvr32"
|
|
reference = "https://attack.mitre.org/techniques/T1218/010/"
|
|
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1218.011"
|
|
name = "Rundll32"
|
|
reference = "https://attack.mitre.org/techniques/T1218/011/"
|
|
|
|
|
|
[[rule.threat.technique]]
|
|
id = "T1220"
|
|
name = "XSL Script Processing"
|
|
reference = "https://attack.mitre.org/techniques/T1220/"
|
|
|
|
[[rule.threat.technique]]
|
|
id = "T1497"
|
|
name = "Virtualization/Sandbox Evasion"
|
|
reference = "https://attack.mitre.org/techniques/T1497/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1497.003"
|
|
name = "Time Based Evasion"
|
|
reference = "https://attack.mitre.org/techniques/T1497/003/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0005"
|
|
name = "Defense Evasion"
|
|
reference = "https://attack.mitre.org/tactics/TA0005/"
|
|
|