security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8afded11e751d0eaf5d2e4697bdb0f7b5764e8cb
sigma-rules/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
T
Mika Ayenson a52751494e 2058 add setup field to metadata (#2061) 
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
2022-07-18 15:41:32 -04:00

53 lines
1.8 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/11/17"
maturity = "production"
updated_date = "2022/03/31"
[rule]
author = ["Elastic"]
description = """
Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate
adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can
be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious WMI Image Load from MS Office"
note = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = [
"https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
]
risk_score = 21
rule_id = "891cb88e-441a-4c3e-be2d-120d99fe7b0d"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
library where process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and
event.action : "load" and
event.category : "library" and
dll.name : "wmiutils.dll"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1047"
name = "Windows Management Instrumentation"
reference = "https://attack.mitre.org/techniques/T1047/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
Reference in New Issue View Git Blame Copy Permalink