forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdefense_evasion_injection_from_msoffice.toml
94 lines (82 loc) · 2.59 KB
/
defense_evasion_injection_from_msoffice.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
[metadata]
creation_date = "2023/09/25"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Identifies child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel) with unusual
process arguments and path. This behavior is often observed during exploitation of Office applications or from documents
with malicious macros.
"""
from = "now-119m"
index = ["logs-endpoint.events.process-*"]
interval = "60m"
language = "eql"
license = "Elastic License v2"
name = "Potential Process Injection from Malicious Document"
risk_score = 21
rule_id = "1c5a04ae-d034-41bf-b0d8-96439b5cc774"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Tactic: Privilege Escalation",
"Tactic: Initial Access",
"Rule Type: BBR",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "windows" and event.action == "start" and
process.parent.name : ("excel.exe", "powerpnt.exe", "winword.exe") and
process.args_count == 1 and
process.executable : (
"?:\\Windows\\SysWOW64\\*.exe", "?:\\Windows\\system32\\*.exe"
) and
not (process.executable : "?:\\Windows\\System32\\spool\\drivers\\x64\\*" and
process.code_signature.trusted == true and not process.code_signature.subject_name : "Microsoft *") and
not process.executable : (
"?:\\Windows\\Sys*\\Taskmgr.exe",
"?:\\Windows\\Sys*\\ctfmon.exe",
"?:\\Windows\\System32\\notepad.exe")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[[rule.threat.technique.subtechnique]]
id = "T1566.001"
name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"