[metadata]
creation_date = "2023/09/25"
integration = ["endpoint"]
maturity = "production"
# Rationale for the min_stack_version pin below; keep the two in step when bumping.
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/25"
# NOTE(review): presumably tells the repo's rule validation to skip the building-block
# timing check so the short `from = "now-9m"` window in [rule] is accepted — confirm
# against the metadata schema.
bypass_bbr_timing = true
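[rule]
author = ["Elastic"]
description = """
Identifies the execution of commonly abused Windows utilities via a delayed Ping execution. This behavior is often
observed during malware installation and is consistent with an attacker attempting to evade detection.
"""
# Short look-back window; metadata.bypass_bbr_timing = true presumably exempts this
# building-block rule from the usual BBR timing validation — confirm in the schema.
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Delayed Execution via Ping"
# Building-block rule: low score by design, meant to be correlated by higher-order rules
# rather than alerted on directly.
risk_score = 21
rule_id = "e00b8d49-632f-4dc6-94a5-76153a481915"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
type = "eql"
building_block_type = "default"
# Two-stage sequence keyed on the parent cmd.exe, both stages within 1 minute:
#   1. ping.exe with -n (used as a sleep) spawned by cmd.exe, excluding SYSTEM (S-1-5-18);
#   2. one of the listed LOLBAS binaries, or an .exe under a user's AppData whose code
#      signature is not trusted, also spawned by cmd.exe.
# The trailing `not` clauses are known-benign exclusions (Program Files arguments, the
# ScreenConnect configurator, DPInst, TempInst/BackupBootstrapper/QBTools temp directories,
# msxml/mschrt registration).
# NOTE(review): the Program Files exclusion suppresses the match on *any* argument under
# those paths — review its breadth periodically. The unsigned-AppData branch relies on
# process.code_signature.trusted being populated; if the field is absent the negated
# comparison evaluates to null and that branch does not match — confirm with the data source.
query = '''
sequence by process.parent.entity_id with maxspan=1m
[process where host.os.type == "windows" and event.action == "start" and process.name : "ping.exe" and
process.args : "-n" and process.parent.name : "cmd.exe" and not user.id : "S-1-5-18"]
[process where host.os.type == "windows" and event.action == "start" and
process.parent.name : "cmd.exe" and
(
process.name : (
"rundll32.exe", "powershell.exe",
"mshta.exe", "msbuild.exe",
"certutil.exe", "regsvr32.exe",
"cscript.exe", "wscript.exe",
"wmic.exe", "installutil.exe",
"msxsl.exe", "Microsoft.Workflow.Compiler.exe",
"ieexec.exe", "iexpress.exe",
"RegAsm.exe", "RegSvcs.exe"
) or
(process.executable : "?:\\Users\\*\\AppData\\*.exe" and not process.code_signature.trusted == true)
) and
not process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*") and
not (process.name : ("openssl.exe", "httpcfg.exe", "certutil.exe") and process.parent.command_line : "*ScreenConnectConfigurator.cmd*") and
not (process.pe.original_file_name : "DPInst.exe" and process.command_line : "driver\\DPInst_x64 /f ") and
not (process.name : "powershell.exe" and process.args : "Write-Host ======*") and
not (process.name : "wscript.exe" and process.args : "launchquiet_args.vbs" and process.parent.args : "?:\\Windows\\TempInst\\7z*") and
not (process.name : "regsvr32.exe" and process.args : ("?:\\windows\\syswow64\\msxml?.dll", "msxml?.dll", "?:\\Windows\\SysWOW64\\mschrt20.ocx")) and
not (process.name : "wscript.exe" and
process.working_directory :
("?:\\Windows\\TempInst\\*",
"?:\\Users\\*\\AppData\\Local\\Temp\\BackupBootstrapper\\Logs\\",
"?:\\Users\\*\\AppData\\Local\\Temp\\QBTools\\"))
]
'''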
# Execution tactic: stage two of the query matches script hosts (cscript/wscript, mapped
# here to Visual Basic) and powershell.exe (mapped to PowerShell) under T1059.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
name = "Command and Scripting Interpreter"
id = "T1059"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
name = "Visual Basic"
id = "T1059.005"
reference = "https://attack.mitre.org/techniques/T1059/005/"
[[rule.threat.technique.subtechnique]]
name = "PowerShell"
id = "T1059.001"
reference = "https://attack.mitre.org/techniques/T1059/001/"
[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
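# Defense Evasion tactic. T1497.003 covers the `ping -n` delay in stage one of the query;
# the T1218 sub-techniques map to the LOLBAS list in stage two (installutil, mshta,
# RegAsm/RegSvcs, regsvr32, rundll32); T1220 covers msxsl.exe / wmic.exe.
# NOTE(review): T1218.003 (CMSTP) is mapped but cmstp.exe is not in the query's
# process.name list, and T1216 is mapped without any specific signed script named in the
# query — confirm these mappings are intended, or extend the query so they are exercised.
# Keys are ordered name / id / reference to match the other technique tables in this file.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
name = "Virtualization/Sandbox Evasion"
id = "T1497"
reference = "https://attack.mitre.org/techniques/T1497/"
[[rule.threat.technique.subtechnique]]
name = "Time Based Evasion"
id = "T1497.003"
reference = "https://attack.mitre.org/techniques/T1497/003/"
[[rule.threat.technique]]
name = "System Binary Proxy Execution"
id = "T1218"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
name = "CMSTP"
id = "T1218.003"
reference = "https://attack.mitre.org/techniques/T1218/003/"
[[rule.threat.technique.subtechnique]]
name = "InstallUtil"
id = "T1218.004"
reference = "https://attack.mitre.org/techniques/T1218/004/"
[[rule.threat.technique.subtechnique]]
name = "Mshta"
id = "T1218.005"
reference = "https://attack.mitre.org/techniques/T1218/005/"
[[rule.threat.technique.subtechnique]]
name = "Regsvcs/Regasm"
id = "T1218.009"
reference = "https://attack.mitre.org/techniques/T1218/009/"
[[rule.threat.technique.subtechnique]]
name = "Regsvr32"
id = "T1218.010"
reference = "https://attack.mitre.org/techniques/T1218/010/"
[[rule.threat.technique.subtechnique]]
name = "Rundll32"
id = "T1218.011"
reference = "https://attack.mitre.org/techniques/T1218/011/"
[[rule.threat.technique]]
name = "System Script Proxy Execution"
id = "T1216"
reference = "https://attack.mitre.org/techniques/T1216/"
[[rule.threat.technique]]
name = "XSL Script Processing"
id = "T1220"
reference = "https://attack.mitre.org/techniques/T1220/"
[rule.threat.tactic]
name = "Defense Evasion"
id = "TA0005"
reference = "https://attack.mitre.org/tactics/TA0005/"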