security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e2c860693c8d59d04e7bbfcda546347187c5a357
sigma-rules/rules/windows/execution_suspicious_pdf_reader.toml
T

50 lines
2.0 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/03/30"
maturity = "production"
updated_date = "2020/01/28"
[rule]
author = ["Elastic"]
description = """
Identifies suspicious child processes of PDF reader applications. These child processes are often launched via
exploitation of PDF applications or social engineering.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "kuery"
license = "Elastic License"
name = "Suspicious PDF Reader Child Process"
risk_score = 21
rule_id = "53a26770-9cbd-40c5-8b57-61d01a325e14"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
process.parent.name:(AcroRd32.exe or Acrobat.exe or FoxitPhantomPDF.exe or FoxitReader.exe) and
process.name:(arp.exe or dsquery.exe or dsget.exe or gpresult.exe or hostname.exe or ipconfig.exe or nbtstat.exe or
net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or ping.exe or qprocess.exe or
quser.exe or qwinsta.exe or reg.exe or sc.exe or systeminfo.exe or tasklist.exe or tracert.exe or
whoami.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or
iexpress.exe or installutil.exe or Microsoft.Workflow.Compiler.exe or msbuild.exe or mshta.exe or
msxsl.exe or odbcconf.exe or rcsi.exe or regsvr32.exe or xwizard.exe or atbroker.exe or forfiles.exe or
schtasks.exe or regasm.exe or regsvcs.exe or cmd.exe or cscript.exe or powershell.exe or pwsh.exe or
wmic.exe or wscript.exe or bitsadmin.exe or certutil.exe or ftp.exe)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
Reference in New Issue View Git Blame Copy Permalink