security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e272800a5d54803c48d83027424ca5e28825ab4f
sigma-rules/rules/windows/execution_via_net_com_assemblies.toml
T
Justin Ibarra 97ee8cc9ac Refresh beats and ecs schemas and default to use latest to validate (#570) 
* Refresh beats and ecs schemas and default to use latest to validate
* remove incorrect ecs_version from zoom rule
* remove stale ecs_version from rules
2020-12-01 13:24:20 -09:00

54 lines
1.4 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/03/25"
maturity = "production"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
description = """
RegSvcs.exe and RegAsm.exe are Windows command line utilities that are used to register .NET Component Object Model
(COM) assemblies. Adversaries can use RegSvcs.exe and RegAsm.exe to proxy execution of code through a trusted Windows
utility.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "Execution via Regsvcs/Regasm"
risk_score = 21
rule_id = "47f09343-8d1f-4bb5-8bb0-00c9d18f5010"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and process.name:(RegAsm.exe or RegSvcs.exe)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1121"
name = "Regsvcs/Regasm"
reference = "https://attack.mitre.org/techniques/T1121/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1121"
name = "Regsvcs/Regasm"
reference = "https://attack.mitre.org/techniques/T1121/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
Reference in New Issue View Git Blame Copy Permalink