Jonhnathan
7c78e4081f
* [Rule Tuning] min_stack New Rules that use the S1 Integration * Update execution_windows_powershell_susp_args.toml * Update execution_initial_access_foxmail_exploit.toml
126 lines
5.8 KiB
TOML
126 lines
5.8 KiB
TOML
[metadata]
|
|
creation_date = "2024/09/06"
|
|
integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
|
|
maturity = "production"
|
|
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
|
|
min_stack_version = "8.13.0"
|
|
updated_date = "2024/09/16"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Identifies the execution of the Windows Command Shell process (cmd.exe) with suspicious argument values. This behavior is
|
|
often observed during malware installation.
|
|
"""
|
|
from = "now-9m"
|
|
index = [
|
|
"winlogbeat-*",
|
|
"logs-windows.*",
|
|
"logs-system.security*",
|
|
"logs-windows.sysmon_operational-*",
|
|
"logs-sentinel_one_cloud_funnel.*",
|
|
"logs-m365_defender.event-*"
|
|
]
|
|
language = "eql"
|
|
license = "Elastic License v2"
|
|
name = "Suspicious Windows Command Shell Arguments"
|
|
risk_score = 73
|
|
rule_id = "d9ffc3d6-9de9-4b29-9395-5757d0695ecf"
|
|
severity = "high"
|
|
tags = [
|
|
"Domain: Endpoint",
|
|
"OS: Windows",
|
|
"Use Case: Threat Detection",
|
|
"Tactic: Execution",
|
|
"Data Source: System",
|
|
"Data Source: Sysmon",
|
|
"Data Source: SentinelOne",
|
|
"Data Source: Microsoft Defender for Endpoint"
|
|
]
|
|
timestamp_override = "event.ingested"
|
|
type = "eql"
|
|
|
|
query = '''
|
|
process where host.os.type == "windows" and event.type == "start" and
|
|
process.name : "cmd.exe" and
|
|
(
|
|
|
|
process.command_line : ("*).Run(*", "*GetObject*", "* curl*regsvr32*", "*echo*wscript*", "*echo*ZONE.identifier*",
|
|
"*ActiveXObject*", "*dir /s /b *echo*", "*unescape(*", "*findstr*TVNDRgAAAA*", "*findstr*passw*", "*start*\\\\*\\DavWWWRoot\\*",
|
|
"* explorer*%CD%*", "*%cd%\\*.js*", "*attrib*%CD%*", "*/?cMD<*", "*/AutoIt3ExecuteScript*..*", "*&cls&cls&cls&cls&cls&*",
|
|
"*&#*;&#*;&#*;&#*;*", "* &&s^eT*", "*& ChrW(*", "*&explorer /root*", "*start __ & __\\*", "*findstr /V /L *forfiles*",
|
|
"*=wscri& set *", "*http*!COmpUternaME!*", "*start *.pdf * start /min cmd.exe /c *\\\\*", "*pip install*System.Net.WebClient*",
|
|
"*Invoke-WebReques*Start-Process*", "*-command (Invoke-webrequest*", "*copy /b *\\\\* ping *-n*", "*echo*.ToCharArray*") or
|
|
|
|
(process.args : "echo" and process.parent.name : ("wscript.exe", "mshta.exe")) or
|
|
|
|
process.args : ("1>?:\\*.vbs", "1>?:\\*.js") or
|
|
|
|
(process.args : "explorer.exe" and process.args : "type" and process.args : ">" and process.args : "start") or
|
|
|
|
(process.parent.name : "explorer.exe" and
|
|
process.command_line :
|
|
("*&&S^eT *",
|
|
"*&& set *&& set *&& set *&& set *&& set *&& call*",
|
|
"**\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??*")) or
|
|
|
|
(process.parent.name : "explorer.exe" and process.args : "copy" and process.args : "&&" and process.args : "\\\\*@*\\*")
|
|
) and
|
|
|
|
/* false positives */
|
|
not (process.args : "%TEMP%\\Spiceworks\\*" and process.parent.name : "wmiprvse.exe") and
|
|
not process.parent.executable :
|
|
("?:\\Perl64\\bin\\perl.exe",
|
|
"?:\\Program Files\\nodejs\\node.exe",
|
|
"?:\\Program Files\\HP\\RS\\pgsql\\bin\\pg_dumpall.exe",
|
|
"?:\\Program Files (x86)\\PRTG Network Monitor\\64 bit\\PRTG Server.exe",
|
|
"?:\\Program Files (x86)\\Spiceworks\\bin\\spiceworks-finder.exe",
|
|
"?:\\Program Files (x86)\\Zuercher Suite\\production\\leds\\leds.exe",
|
|
"?:\\Program Files\\Tripwire\\Agent\\Plugins\\twexec\\twexec.exe",
|
|
"D:\\Agents\\?\\_work\\_tasks\\*\\SonarScanner.MSBuild.exe",
|
|
"?:\\Program Files\\Microsoft VS Code\\Code.exe",
|
|
"?:\\programmiweb\\NetBeans-*\\netbeans\\bin\\netbeans64.exe",
|
|
"?:\\Program Files (x86)\\Public Safety Suite Professional\\production\\leds\\leds.exe",
|
|
"?:\\Program Files (x86)\\Tier2Tickets\\button_gui.exe",
|
|
"?:\\Program Files\\NetBeans-*\\netbeans\\bin\\netbeans*.exe",
|
|
"?:\\Program Files (x86)\\Public Safety Suite Professional\\production\\leds\\leds.exe",
|
|
"?:\\Program Files (x86)\\Tier2Tickets\\button_gui.exe",
|
|
"?:\\Program Files (x86)\\Helpdesk Button\\button_gui.exe",
|
|
"?:\\VTSPortable\\VTS\\jre\\bin\\javaw.exe",
|
|
"?:\\Program Files\\Bot Framework Composer\\Bot Framework Composer.exe",
|
|
"?:\\Program Files\\KMSYS Worldwide\\eQuate\\*\\SessionMgr.exe",
|
|
"?:\\Program Files (x86)\\Craneware\\Pricing Analyzer\\Craneware.Pricing.Shell.exe",
|
|
"?:\\Program Files (x86)\\jumpcloud-agent-app\\jumpcloud-agent-app.exe",
|
|
"?:\\Program Files\\PostgreSQL\\*\\bin\\pg_dumpall.exe",
|
|
"?:\\Program Files (x86)\\Vim\\vim*\\vimrun.exe") and
|
|
not (process.args : "?:\\Program Files\\Citrix\\Secure Access Client\\nsauto.exe" and process.parent.name : "userinit.exe") and
|
|
not process.args :
|
|
("?:\\Program Files (x86)\\PCMatic\\PCPitstopScheduleService.exe",
|
|
"?:\\Program Files (x86)\\AllesTechnologyAgent\\*",
|
|
"https://auth.axis.com/oauth2/oauth-authorize*") and
|
|
not process.command_line :
|
|
("\"cmd\" /c %NETBEANS_MAVEN_COMMAND_LINE%",
|
|
"?:\\Windows\\system32\\cmd.exe /q /d /s /c \"npm.cmd ^\"install^\" ^\"--no-bin-links^\" ^\"--production^\"\"") and
|
|
not (process.name : "cmd.exe" and process.args : "%TEMP%\\Spiceworks\\*" and process.args : "http*/dataloader/persist_netstat_data") and
|
|
not (process.args == "echo" and process.args == "GEQ" and process.args == "1073741824")
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1059"
|
|
name = "Command and Scripting Interpreter"
|
|
reference = "https://attack.mitre.org/techniques/T1059/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1059.003"
|
|
name = "Windows Command Shell"
|
|
reference = "https://attack.mitre.org/techniques/T1059/003/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0002"
|
|
name = "Execution"
|
|
reference = "https://attack.mitre.org/tactics/TA0002/"
|