-
Notifications
You must be signed in to change notification settings - Fork 516
/
Copy pathdetect_masquerading_attempts_as_native_windows_binaries.toml
28 lines (27 loc) · 2.49 KB
/
detect_masquerading_attempts_as_native_windows_binaries.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
[hunt]
author = "Elastic"
description = "This hunt detects processes named as legit Microsoft native binaries located in the system32 folder. Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. "
integration = ["endpoint"]
uuid = "a2006c66-d6ab-43ee-871e-d650e38f7972"
mitre = ["T1036"]
name = "Masquerading Attempts as Native Windows Binaries"
language = ["ES|QL"]
license = "Elastic License v2"
query = ['''
from logs-endpoint.events.process-*
| where @timestamp > NOW() - 7 day
| where event.type == "start" and event.action == "start" and host.os.name == "Windows" and not starts_with(process.executable, "C:\\Program Files\\WindowsApps\\") and not starts_with(process.executable, "C:\\Windows\\System32\\DriverStore\\") and process.name != "setup.exe"
| keep process.name.caseless, process.executable.caseless, process.code_signature.subject_name, process.code_signature.trusted, process.code_signature.exists, host.id
/* system_bin contain Microsoft signed and located in system32 folder process names */
/* non_system_bin contain non Microsoft signed process names */
| eval system_bin = case(starts_with(process.executable.caseless, "c:\\windows\\system32") and starts_with(process.code_signature.subject_name, "Microsoft") and process.code_signature.trusted == true, process.name.caseless, null), non_system_bin = case(process.code_signature.exists == false or process.code_signature.trusted != true or not starts_with(process.code_signature.subject_name, "Microsoft"), process.name.caseless, null)
/* aggregate unique process name counts by process.name and host.id */
| stats count_system_bin = count(system_bin), count_non_system_bin = count(non_system_bin) by process.name.caseless, host.id
/* filter where the same process.name is present in both system_bin and non_system_bin */
| where count_system_bin >= 1 and count_non_system_bin >= 1
''']
notes = [
"Output of the query is the `process.name` and `host.id` where you can pivot by `host.id` and `process.name` (non Microsoft signed) to find the specific suspicious instances.",
"Potential false-positives include processes with missing code signature details due to enrichment bugs.",
"The queried index must capture process start events with code signature information (e.g. Windows event 4688 is not supported).",
]