Terrance DeJesus
f0b2cb7c87
* added 'Uncommon Process Execution from Suspicious Directory' hunt * adds all linux hunting files * moves linux hunting files to queries folder * adds generated docs * fixing windows hunts * fixing windows hunts * updated README * Removed 2, updated a few, changed some names/descriptions and added list of str * updated windows for language schema changes, regenerated docs; updated README and index * changed UUIDs to hex only with standard hyphen format * removing unecessary docs * Fixed queries based on Samir feedback * ++ * regenerating linux docs * Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/command_and_control_via_unusual_file_downloads_from_source_addresses.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_capitalized_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Updates * Update * Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Updates * regenerating linux docs --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
32 lines
1.4 KiB
TOML
32 lines
1.4 KiB
TOML
[hunt]
|
|
author = "Elastic"
|
|
description = """
|
|
This hunt identifies potential defense evasion techniques via capitalized process execution on Linux systems. It detects processes that have two or more consecutive capital letters within their names, which can indicate an attempt to evade detection. Such naming conventions are often used in malicious payloads to blend in with legitimate processes.
|
|
"""
|
|
integration = ["endpoint"]
|
|
uuid = "9d485892-1ca2-464b-9e4e-6b21ab379b9a"
|
|
name = "Defense Evasion via Capitalized Process Execution"
|
|
language = ["ES|QL"]
|
|
license = "Elastic License v2"
|
|
notes = [
|
|
"Detects processes that have two or more consecutive capital letters within their names, with optional digits.",
|
|
"This technique is often used in malicious payloads, such as Metasploit payloads, to evade detection.",
|
|
"Included a process count of <= 3 and a host count of <= 3 to eliminate common processes across different hosts."
|
|
]
|
|
mitre = ["T1036.004", "T1070"]
|
|
|
|
query = [
|
|
'''
|
|
from logs-endpoint.events.process-*
|
|
| where @timestamp > now() - 10 day
|
|
| where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
|
|
(process.name rlike """[A-Z]{2,}[a-z]{1,}[0-9]{0,}""") or
|
|
(process.name rlike """[A-Z]{1,}[0-9]{0,}""")
|
|
)
|
|
| stats cc = count(), host_count = count_distinct(host.name) by process.name
|
|
// Alter this threshold to make sense for your environment
|
|
| where cc <= 3 and host_count <= 3
|
|
| limit 100
|
|
'''
|
|
]
|