forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdefense_evasion_masquerading_trusted_directory.toml
49 lines (41 loc) · 1.48 KB
/
defense_evasion_masquerading_trusted_directory.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
[metadata]
creation_date = "2020/11/18"
maturity = "production"
updated_date = "2021/09/23"
[rule]
author = ["Elastic"]
description = """
Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and
usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass
detections whitelisting those folders.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Program Files Directory Masquerading"
risk_score = 47
rule_id = "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type == "start" and
process.executable : "C:\\*Program*Files*\\*.exe" and
not process.executable : ("C:\\Program Files\\*.exe", "C:\\Program Files (x86)\\*.exe", "C:\\Users\\*.exe", "C:\\ProgramData\\*.exe")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.005"
name = "Match Legitimate Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"