security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e897a6760429ea46da15ebbca1609b62fd37fee9
sigma-rules/rules/windows/initial_access_suspicious_ms_office_child_process.toml
T

56 lines
2.3 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
description = """
Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel).
These child processes are often launched during exploitation of Office applications or from documents with malicious
macros.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious MS Office Child Process"
risk_score = 47
rule_id = "a624863f-a70d-417f-a7d2-7a404638d47f"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type in ("start", "process_started") and
process.parent.name : ("eqnedt32.exe", "excel.exe", "fltldr.exe", "msaccess.exe", "mspub.exe", "powerpnt.exe", "winword.exe") and
process.name : ("Microsoft.Workflow.Compiler.exe", "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", "cdb.exe", "certutil.exe",
"cmd.exe", "cmstp.exe", "cscript.exe", "csi.exe", "dnx.exe", "dsget.exe", "dsquery.exe", "forfiles.exe", "fsi.exe",
"ftp.exe", "gpresult.exe", "hostname.exe", "ieexec.exe", "iexpress.exe", "installutil.exe", "ipconfig.exe", "mshta.exe",
"msxsl.exe", "nbtstat.exe", "net.exe", "net1.exe", "netsh.exe", "netstat.exe", "nltest.exe", "odbcconf.exe", "ping.exe",
"powershell.exe", "pwsh.exe", "qprocess.exe", "quser.exe", "qwinsta.exe", "rcsi.exe", "reg.exe", "regasm.exe", "regsvcs.exe",
"regsvr32.exe", "sc.exe", "schtasks.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe", "whoami.exe",
"wmic.exe", "wscript.exe", "xwizard.exe", "explorer.exe", "rundll32.exe", "hh.exe")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[[rule.threat.technique.subtechnique]]
id = "T1566.001"
name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
Reference in New Issue View Git Blame Copy Permalink