security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8ca32f14237da3aef0f2fae5437c5b4e8335c977
sigma-rules/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
T
Derek Ditch 580db2c13e Add timeline_id to detection rules (#95) 
* Adds timeline_id to all network rules
- Uses the ID for the 'Generic Network Timeline' from Elastic
* Adds timeline_id to all endpoint rules
- Uses the ID for the 'Generic Endpoint Timeline' from Elastic
* Adds timeline_id to all process-oriented rules
    - Uses the ID for the 'Generic Process Timeline' from Elastic
* Ran tests and toml-lint
* Bumped 'updated_date'
2020-10-27 13:34:16 -05:00

63 lines
1.7 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/10/27"
[rule]
author = ["Elastic"]
description = """
Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a
remote URL.
"""
false_positives = [
"""
Administrators may use the command prompt for regular administrative tasks. It's important to baseline your
environment for network connections being made from the command prompt to determine any abnormal use of this tool.
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "Command Prompt Network Connection"
risk_score = 21
rule_id = "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
type = "query"
query = '''
event.category:network and event.type:connection and
process.name:cmd.exe and
not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
Reference in New Issue View Git Blame Copy Permalink