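[metadata]
creation_date = "2020/11/18"
ecs_version = ["1.6.0"]
maturity = "production"
# Bump this whenever the query or its exclusions are changed so the rule revision stays traceable.
updated_date = "2020/11/18"

[rule]
author = ["Elastic"]
description = """
Identifies execution from a directory masquerading as Windows Program Files directories. Those folders are trusted and
usually host trusted third party programs, an Adversary may leverage that with low privileges to bypass detections
whitelisting those folders.
"""
# Lookback window each run queries (presumably sized to overlap the schedule interval so no events are missed).
from = "now-9m"
# Winlogbeat and Elastic Endpoint process event streams.
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License"
name = "Program Files Directory Masquerading"
risk_score = 43
rule_id = "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
type = "eql"
# How the detection works: the positive patterns tolerate anything between "Program" and "Files" and anything
# after "Files", so look-alike directories such as "C:\Program Files \", "C:\ProgramFiles\" or
# "C:\Program Files(x86)\" match, while the exclusions accept only the two exact canonical names.
#
# The process.args exclusion deliberately has no ".exe" suffix. Its positive match has none either, so
# requiring ".exe" in the exclusion let ordinary non-executable paths under the real Program Files
# (e.g. notepad.exe "C:\Program Files\Foo\readme.txt") raise alerts whenever the executable itself was
# not under Program Files.
#
# Caveats for tuning:
# - The positive pattern is broad: any C: path containing "Program" followed later by "Files" matches, so
#   legitimate trees such as "C:\ProgramData\...\Files\" or "...\AppData\Local\Programs\...\Files\" will
#   alert until added to the exclusions. Baseline against real data before deploying widely.
# - Only the C: drive is considered, for both detection and exclusions; Windows installed elsewhere is not covered.
# - Windows on ARM ships "C:\Program Files (Arm)\"; if such hosts are in scope, confirm and add
#   "C:\\Program Files (Arm)\\*.exe" / "C:\\Program Files (Arm)\\*" to the two exclusion lists.
# - Whether wildcard() is case-sensitive depends on the EQL engine version. If it is, NTFS being
#   case-insensitive means "c:\program files \evil.exe" would neither match the positive pattern nor be
#   excluded, i.e. trivial evasion — verify and prefer case-insensitive matching where the engine offers it.
# - Both exclusions are ANDed across both branches: if wildcard() matches any element of process.args, one
#   legitimate Program Files path on the command line suppresses the event even when the executable itself is
#   masquerading. Splitting the executable and args branches with their own exclusions would tighten this.
query = '''
process where event.type in ("start", "process_started", "info") and
(wildcard(process.executable, "C:\\*Program*Files*\\*.exe") or wildcard(process.args, "C:\\*Program*Files*\\*")) and
not wildcard(process.executable, "C:\\Program Files\\*.exe", "C:\\Program Files (x86)\\*.exe") and
not wildcard(process.args, "C:\\Program Files\\*", "C:\\Program Files (x86)\\*")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"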