security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6bdfddac8edea5e327bf28aed7e6dc4a7f701dc6
sigma-rules/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
T
Brent Murphy 12577f7380 [Rule Tuning] Update network rule address blocks (#1227) 
* Update network rule address blocks
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2021-06-15 09:22:59 -04:00

68 lines
2.3 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2021/05/26"
[rule]
author = ["Elastic"]
description = """
Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a
remote URL.
"""
false_positives = [
"""
Administrators may use the command prompt for regular administrative tasks. It's important to baseline your
environment for network connections being made from the command prompt to determine any abnormal use of this tool.
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Command Prompt Network Connection"
references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
risk_score = 21
rule_id = "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
type = "eql"
query = '''
sequence by process.entity_id
[process where process.name : "cmd.exe" and event.type == "start"]
[network where process.name : "cmd.exe" and
not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
"192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32",
"192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
"192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24",
"198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1",
"FE80::/10", "FF00::/8")]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
Reference in New Issue View Git Blame Copy Permalink