security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
724e34ba95ffb48d13e18a91c547800986164572
sigma-rules/rules/windows/defense_evasion_masquerading_trusted_directory.toml
T
Jonhnathan 6f4c323929 [Rule Tuning] Windows DR Tuning - 6 (#3246) 
* [Rule Tuning] Windows DR Tuning - 6

* Update defense_evasion_masquerading_as_elastic_endpoint_process.toml

* Update defense_evasion_network_connection_from_windows_binary.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-12-12 11:37:54 -03:00

69 lines
2.5 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/11/18"
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/12/11"
[rule]
author = ["Elastic"]
description = """
Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and
usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass
detections allowlisting those folders.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Program Files Directory Masquerading"
risk_score = 47
rule_id = "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14"
setup = """
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
process.executable : "C:\\*Program*Files*\\*.exe" and
not process.executable : (
"?:\\Program Files\\*.exe",
"?:\\Program Files (x86)\\*.exe",
"?:\\Users\\*.exe",
"?:\\ProgramData\\*.exe",
"?:\\Windows\\Downloaded Program Files\\*.exe",
"?:\\Windows\\Temp\\.opera\\????????????\\CProgram?FilesOpera*\\*.exe",
"?:\\Windows\\Temp\\.opera\\????????????\\CProgram?Files?(x86)Opera*\\*.exe"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.005"
name = "Match Legitimate Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
Reference in New Issue View Git Blame Copy Permalink