6c37d5c6b4
* [New Rule] Suspicious Execution via File Overwrite * Update defense_evasion_overwrite_followed_by_execution.toml * Update defense_evasion_overwrite_followed_by_execution.toml * removed timeline_id * fixed logic and also added references URL * tuned logic to exclude potential FPs not an actual FP, but only observed executable file overwrite by default on Windows is related to SoftwareDistribution, this does not match the sequence (Process Execution followed by Same Process File Overwrite) but added it to exclusion just in case. * adjusted a bit desc and name * changed rule file name * adjusted executable.path for performance avoiding leading wildcard, users can customize rule if they have different drive letters * Update rules/windows/defense_evasion_potential_processherpaderping.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_potential_processherpaderping.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * relinted * lint * ecs_version * Update rules/windows/defense_evasion_potential_processherpaderping.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/defense_evasion_potential_processherpaderping.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * deleted ecs_version * Update rules/windows/defense_evasion_potential_processherpaderping.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * changed rule name as per ross sugges Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
[metadata]
|
|
creation_date = "2020/10/27"
|
|
maturity = "production"
|
|
updated_date = "2020/10/27"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Identifies process execution followed by a file overwrite of an executable by the same parent process. This may indicate an
|
|
evasion attempt to execute malicious code in a stealthy way.
|
|
"""
|
|
from = "now-9m"
|
|
index = ["logs-endpoint.events.*", "winlogbeat-*"]
|
|
language = "eql"
|
|
license = "Elastic License"
|
|
name = "Potential Process Herpaderping Attempt"
|
|
references = ["https://github.com/jxy-s/herpaderping"]
|
|
risk_score = 73
|
|
rule_id = "ccc55af4-9882-4c67-87b4-449a7ae8079c"
|
|
severity = "high"
|
|
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
|
|
type = "eql"
|
|
|
|
query = '''
|
|
sequence with maxspan=5s
|
|
[process where event.type == "start" and not process.parent.executable : "C:\\Windows\\SoftwareDistribution\\*.exe"] by host.id, process.executable, process.parent.entity_id
|
|
[file where event.type == "change" and event.action == "overwrite" and file.extension == "exe"] by host.id, file.path, process.entity_id
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1036"
|
|
name = "Masquerading"
|
|
reference = "https://attack.mitre.org/techniques/T1036/"
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0005"
|
|
name = "Defense Evasion"
|
|
reference = "https://attack.mitre.org/tactics/TA0005/"
|
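Review bot: The second sequence step filters with `file.extension == "exe"`, which in Elastic EQL is a case-sensitive comparison, so an overwrite logged with the extension `EXE` or `Exe` would not complete the sequence, while the first step already uses the case-insensitive `:` operator for the parent-path exclusion; the two steps should use the same matching semantics. Changing that step to `[file where event.type == "change" and event.action == "overwrite" and file.extension : "exe"] by host.id, file.path, process.entity_id` closes the gap without widening the match to other extensions. Separately, the reasoning behind the `C:\\Windows\\SoftwareDistribution\\*.exe` exclusion and the fixed drive letter lives only in the commit message; a TOML comment above `query = '''` such as `# Exclude the only benign executable overwrite observed by default (Windows Update staging); drive letter is fixed to avoid a leading wildcard and may need adjusting per environment` would let a rule maintainer judge the blind spot that any parent-path exclusion introduces without digging through history.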