From e6f237f2df36b2fbedf2caa2c68d7230a003700b Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 24 Aug 2020 11:40:41 +0200
Subject: [PATCH 01/10] [New Rule] Suspicious Elastic Endpoint Parent Process
---
 ...querading_as_elastic_endpoint_process.toml | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
new file mode 100644
index 00000000000..0f4c3610db4
--- /dev/null
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -0,0 +1,42 @@
+[metadata]
+creation_date = "2020/08/24"
+ecs_version = ["1.5.0"]
+maturity = "production"
+updated_date = "2020/08/24"
+
+[rule]
+author = ["Elastic"]
+description = """
+A suspicious Elastic Endpoint Parent Process was detected. Verify process details such as hash, commandline, network
+connections, file writes and parent and child process details as well.
+"""
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
+language = "kuery"
+license = "Elastic License"
+name = "Suspicious Elastic Endpoint Parent Process"
+risk_score = 47
+rule_id = "b41a13c6-ba45-4bab-a534-df53d0cfed6a"
+severity = "medium"
+tags = ["Elastic", "Windows"]
+type = "query"
+
+query = '''
+event.category :"process" and not event.type:"end" and
+ process.name :("esensor.exe" or "elastic-endpoint.exe" or "elastic-agent.exe") and
+ not process.parent.name:"services.exe"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
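Review bot: The query accepts `services.exe` as the only legitimate parent, so routine starts of `elastic-agent.exe` from an administrator's shell (for example during `elastic-agent install` or an upgrade) and, most likely, of `elastic-endpoint.exe` launched by `elastic-agent.exe` itself will alert, and nothing in the rule tells an analyst that this is expected. Either extend the exclusion to cover the agent's own parent executables or add a `false_positives` entry describing agent installation and upgrade activity so those alerts can be triaged quickly. Whichever is chosen, it is worth recording the reasoning next to the query, since the exclusion list is the part of this rule that will be tuned most often.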
From 55d8db76f5d2f18b189c5ed684544432df503140 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 24 Aug 2020 11:45:13 +0200
Subject: [PATCH 02/10] Update defense_evasion_masquerading_as_elastic_endpoint_process.toml
---
 ...efense_evasion_masquerading_as_elastic_endpoint_process.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index 0f4c3610db4..15611cb295c 100644
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -8,7 +8,7 @@ updated_date = "2020/08/24"
 author = ["Elastic"]
 description = """
 A suspicious Elastic Endpoint Parent Process was detected. Verify process details such as hash, commandline, network
-connections, file writes and parent and child process details as well.
+connections, file writes, parent and child process details as well.
 """
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
From 9cd344bb90b222cf112e13f4d9acfe5c18faced5 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 24 Aug 2020 12:46:19 +0200
Subject: [PATCH 03/10] Update defense_evasion_masquerading_as_elastic_endpoint_process.toml
---
 ...efense_evasion_masquerading_as_elastic_endpoint_process.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index 15611cb295c..c461f3c6e53 100644
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -23,7 +23,7 @@ type = "query"
 query = '''
 event.category :"process" and not event.type:"end" and
 process.name :("esensor.exe" or "elastic-endpoint.exe" or "elastic-agent.exe") and
- not process.parent.name:"services.exe"
+ not process.parent.executable :"C:\Windows\System32\services.exe"
 '''
 
 
From 05d37d317d527dfadbae83cb9c0f7866680112b1 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 27 Aug 2020 09:14:38 +0200
Subject: [PATCH 04/10] Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
Co-authored-by: Justin Ibarra
---
 ...fense_evasion_masquerading_as_elastic_endpoint_process.toml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index c461f3c6e53..a703382c358 100644
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2020/08/24"
-ecs_version = ["1.5.0"]
+ecs_version = ["1.6.0"]
 maturity = "production"
 updated_date = "2020/08/24"
 
@@ -39,4 +39,3 @@ reference = "https://attack.mitre.org/techniques/T1036/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
From 72dcd074a594d66242b91bbf03c2c8658a8dc88a Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 27 Aug 2020 09:15:07 +0200
Subject: [PATCH 05/10] Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
Co-authored-by: Justin Ibarra
---
 ...se_evasion_masquerading_as_elastic_endpoint_process.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
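Review bot: The new exclusion `not process.parent.executable :"C:\Windows\System32\services.exe"` places single backslashes inside a KQL quoted value; KQL treats backslash as an escape character inside quotes, and if I recall correctly the other KQL rules in this repository that match Windows paths write them as `"C:\\Windows\\System32\\services.exe"`, so as written the exclusion may never match and every legitimate service start would alert — please confirm against the repository's KQL parser tests. The TOML side is fine: the query is a `'''` literal string, so TOML itself does not interpret the backslashes. Independently of escaping, this is an exact keyword comparison on a hard-coded drive letter, so hosts whose system drive is not `C:` (or whose logs report the path with different casing) fall outside the exclusion; either a wildcard on the drive or a `false_positives` entry documenting that limitation would help whoever tunes the rule later.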
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index a703382c358..c0621612af7 100644
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -21,9 +21,9 @@ tags = ["Elastic", "Windows"]
 type = "query"
 
 query = '''
-event.category :"process" and not event.type:"end" and
- process.name :("esensor.exe" or "elastic-endpoint.exe" or "elastic-agent.exe") and
- not process.parent.executable :"C:\Windows\System32\services.exe"
+event.category:process and not event.type:end and
+ process.name:(esensor.exe or "elastic-endpoint.exe" or "elastic-agent.exe") and
+ not process.parent.executable:"C:\Windows\System32\services.exe"
 '''
 
 
From e9810fa35224b98c151aad02283e21a8ae31a510 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 27 Aug 2020 09:15:28 +0200
Subject: [PATCH 06/10] Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
Co-authored-by: Justin Ibarra
---
 ...efense_evasion_masquerading_as_elastic_endpoint_process.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index c0621612af7..2c63e201a33 100644
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
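Review bot: The rewritten value list quotes two of the three names but not the first: `process.name:(esensor.exe or "elastic-endpoint.exe" or "elastic-agent.exe")`. Quoting all three — `process.name:("esensor.exe" or "elastic-endpoint.exe" or "elastic-agent.exe")` — keeps the list uniform and spares the next editor from having to remember which characters KQL requires quoted; the bare `process` and `end` values on the first line are fine as they are. A one-line comment above the query noting that `process.name` is the only field matched (the rule is deliberately about binaries carrying these names, wherever they run from) would make the intent clearer to anyone tuning it.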
@@ -7,7 +7,7 @@ updated_date = "2020/08/24"
 [rule]
 author = ["Elastic"]
 description = """
-A suspicious Elastic Endpoint Parent Process was detected. Verify process details such as hash, commandline, network
+A suspicious Elastic endpoint agent parent process was detected. Verify process details such as hash, command line, network
 connections, file writes, parent and child process details as well.
 """
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
From f5b35c368d63819abbd5b4bcdb2c8c963000d39c Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 27 Aug 2020 09:17:17 +0200
Subject: [PATCH 07/10] Update defense_evasion_masquerading_as_elastic_endpoint_process.toml
---
 ...efense_evasion_masquerading_as_elastic_endpoint_process.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index 2c63e201a33..38fdb4d29d6 100644
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -7,7 +7,7 @@ updated_date = "2020/08/24"
 [rule]
 author = ["Elastic"]
 description = """
-A suspicious Elastic endpoint agent parent process was detected. Verify process details such as hash, command line, network
+A suspicious Elastic endpoint agent parent process was detected. This may indicate a process hollowing or other form of code injection. Verify process details such as hash, command line, network
 connections, file writes, parent and child process details as well.
 """
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
From ccd4069877e89e566e0334ace86846b94fea7175 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Fri, 4 Sep 2020 21:29:49 +0200
Subject: [PATCH 08/10] Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
Co-authored-by: Justin Ibarra
---
 ...efense_evasion_masquerading_as_elastic_endpoint_process.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index 38fdb4d29d6..4deef06da0d 100644
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -21,7 +21,7 @@ tags = ["Elastic", "Windows"]
 type = "query"
 
 query = '''
-event.category:process and not event.type:end and
+event.category:process and event.type:(start or process_started) and
 process.name:(esensor.exe or "elastic-endpoint.exe" or "elastic-agent.exe") and
 not process.parent.executable:"C:\Windows\System32\services.exe"
 '''
From cf30b475e06ae382fe4b765bdc2f792cc8ef7e73 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 17 Sep 2020 23:04:35 +0200
Subject: [PATCH 09/10] Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
---
 ...fense_evasion_masquerading_as_elastic_endpoint_process.toml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index 4deef06da0d..eed8c5f2892 100644
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -7,8 +7,7 @@ updated_date = "2020/08/24"
 [rule]
 author = ["Elastic"]
 description = """
-A suspicious Elastic endpoint agent parent process was detected. This may indicate a process hollowing or other form of code injection. Verify process details such as hash, command line, network
-connections, file writes, parent and child process details as well.
+A suspicious Elastic endpoint agent parent process was detected. This may indicate a process hollowing or other form of code injection.
 """
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
From a88f0cdcffa4f57d2aa41dedb21105f16c099ddb Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 17 Sep 2020 23:04:44 +0200
Subject: [PATCH 10/10] Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
---
 ...efense_evasion_masquerading_as_elastic_endpoint_process.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index eed8c5f2892..bf3f0145ee3 100644
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -21,7 +21,7 @@ type = "query"
 
 query = '''
 event.category:process and event.type:(start or process_started) and
- process.name:(esensor.exe or "elastic-endpoint.exe" or "elastic-agent.exe") and
+ process.name:(esensor.exe or "elastic-endpoint.exe" or "elastic-agent.exe") and
 not process.parent.executable:"C:\Windows\System32\services.exe"
 '''
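Review bot: Deleting the "Verify process details such as hash, command line, network connections, file writes, parent and child process details" sentence leaves the rule with no triage guidance at all, because it has no `note` field. The shortened description reads well as a description, so rather than losing the guidance, move it into a `note = """ ... """` investigation guide that tells the analyst which fields to pivot on (hash, command line, parent and child processes, network and file activity) and that a legitimate agent install or upgrade launched from an administrator's shell is the most likely benign explanation. The second sentence of the description makes a fairly strong claim ("process hollowing or other form of code injection"); the query only establishes an unexpected parent for an Elastic-named process, so "may indicate" is the right hedge and should be kept.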