security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4a2e2764cd34a4f85f4074ca3889e64f8cb42594
sigma-rules/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
T
Jonhnathan c2d1586270 [Rule Tuning] Windows BBR Promotion (#3577) 
* [Rule Tuning] Windows BBR Promotion

* Update non-ecs-schema.json

* Update persistence_netsh_helper_dll.toml

* Update persistence_werfault_reflectdebugger.toml

* Update privilege_escalation_unquoted_service_path.toml

* Update defense_evasion_msdt_suspicious_diagcab.toml

* Update defense_evasion_suspicious_msiexec_execution.toml

* Update discovery_security_software_wmic.toml

* Revert "Update defense_evasion_msdt_suspicious_diagcab.toml"

This reverts commit 0e1f3ea3e18a146c421a5bda784633cca4a2b0c0.

* Revert "Update defense_evasion_suspicious_msiexec_execution.toml"

This reverts commit 4e26a167774ad712d19334a4c2c712cc1d550e7f.

* Revert "Update discovery_security_software_wmic.toml"

This reverts commit d638cec354a46cacab1e62596f4ad939a1d9c32a.

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-04-16 09:28:17 -03:00

150 lines
5.1 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2023/09/25"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
description = """
Identifies the execution of commonly abused Windows utilities via a delayed Ping execution. This behavior is often
observed during malware installation and is consistent with an attacker attempting to evade detection.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Delayed Execution via Ping"
risk_score = 21
rule_id = "e00b8d49-632f-4dc6-94a5-76153a481915"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
type = "eql"
query = '''
sequence by process.parent.entity_id with maxspan=1m
[process where host.os.type == "windows" and event.action == "start" and process.name : "ping.exe" and
process.args : "-n" and process.parent.name : "cmd.exe" and not user.id : "S-1-5-18"]
[process where host.os.type == "windows" and event.action == "start" and
process.parent.name : "cmd.exe" and
(
process.name : (
"rundll32.exe", "powershell.exe",
"mshta.exe", "msbuild.exe",
"certutil.exe", "regsvr32.exe",
"powershell.exe", "cscript.exe",
"wscript.exe", "wmic.exe",
"installutil.exe", "msxsl.exe",
"Microsoft.Workflow.Compiler.exe",
"ieexec.exe", "iexpress.exe",
"RegAsm.exe", "installutil.exe",
"RegSvcs.exe", "RegAsm.exe"
) or
(process.executable : "?:\\Users\\*\\AppData\\*.exe" and not process.code_signature.trusted == true)
) and
not process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*") and
not (process.name : ("openssl.exe", "httpcfg.exe", "certutil.exe") and process.parent.command_line : "*ScreenConnectConfigurator.cmd*") and
not (process.pe.original_file_name : "DPInst.exe" and process.command_line : "driver\\DPInst_x64 /f ") and
not (process.name : "powershell.exe" and process.args : "Write-Host ======*") and
not (process.name : "wscript.exe" and process.args : "launchquiet_args.vbs" and process.parent.args : "?:\\Windows\\TempInst\\7z*") and
not (process.name : "regsvr32.exe" and process.args : ("?:\\windows\\syswow64\\msxml?.dll", "msxml?.dll", "?:\\Windows\\SysWOW64\\mschrt20.ocx")) and
not (process.name : "wscript.exe" and
process.working_directory :
("?:\\Windows\\TempInst\\*",
"?:\\Users\\*\\AppData\\Local\\Temp\\BackupBootstrapper\\Logs\\",
"?:\\Users\\*\\AppData\\Local\\Temp\\QBTools\\"))
]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
name = "Command and Scripting Interpreter"
id = "T1059"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
name = "Visual Basic"
id = "T1059.005"
reference = "https://attack.mitre.org/techniques/T1059/005/"
[[rule.threat.technique.subtechnique]]
name = "PowerShell"
id = "T1059.001"
reference = "https://attack.mitre.org/techniques/T1059/001/"
[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1497"
name = "Virtualization/Sandbox Evasion"
reference = "https://attack.mitre.org/techniques/T1497/"
[[rule.threat.technique.subtechnique]]
name = "Time Based Evasion"
id = "T1497.003"
reference = "https://attack.mitre.org/techniques/T1497/003/"
[[rule.threat.technique]]
name = "System Binary Proxy Execution"
id = "T1218"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
name = "CMSTP"
id = "T1218.003"
reference = "https://attack.mitre.org/techniques/T1218/003/"
[[rule.threat.technique.subtechnique]]
name = "InstallUtil"
id = "T1218.004"
reference = "https://attack.mitre.org/techniques/T1218/004/"
[[rule.threat.technique.subtechnique]]
name = "Mshta"
id = "T1218.005"
reference = "https://attack.mitre.org/techniques/T1218/005/"
[[rule.threat.technique.subtechnique]]
name = "Regsvcs/Regasm"
id = "T1218.009"
reference = "https://attack.mitre.org/techniques/T1218/009/"
[[rule.threat.technique.subtechnique]]
name = "Regsvr32"
id = "T1218.010"
reference = "https://attack.mitre.org/techniques/T1218/010/"
[[rule.threat.technique.subtechnique]]
name = "Rundll32"
id = "T1218.011"
reference = "https://attack.mitre.org/techniques/T1218/011/"
[[rule.threat.technique]]
name = "System Script Proxy Execution"
id = "T1216"
reference = "https://attack.mitre.org/techniques/T1216/"
[[rule.threat.technique]]
name = "XSL Script Processing"
id = "T1220"
reference = "https://attack.mitre.org/techniques/T1220/"
[rule.threat.tactic]
name = "Defense Evasion"
id = "TA0005"
reference = "https://attack.mitre.org/tactics/TA0005/"
Reference in New Issue View Git Blame Copy Permalink