forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 1
/
defense_evasion_execution_via_visualstudio_prebuildevent.toml
103 lines (94 loc) · 3.51 KB
/
defense_evasion_execution_via_visualstudio_prebuildevent.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
[metadata]
creation_date = "2023/09/26"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Identifies the execution of a command via Microsoft Visual Studio Pre or Post build events. Adversaries may backdoor a
trusted visual studio project to execute a malicious command during the project build process.
"""
from = "now-119m"
index = ["logs-endpoint.events.process-*"]
interval = "60m"
language = "eql"
license = "Elastic License v2"
name = "Execution via MS VisualStudio Pre/Post Build Events"
references = [
"https://docs.microsoft.com/en-us/visualstudio/ide/reference/pre-build-event-post-build-event-command-line-dialog-box?view=vs-2022",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html",
"https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/",
"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Execution/execution_evasion_visual_studio_prebuild_event.evtx",
]
risk_score = 21
rule_id = "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Tactic: Execution",
"Rule Type: BBR",
"Data Source: Elastic Defend",
]
type = "eql"
query = '''
sequence with maxspan=1m
[process where host.os.type == "windows" and event.action == "start" and
process.name : "cmd.exe" and process.parent.name : "MSBuild.exe" and
process.args : "?:\\Users\\*\\AppData\\Local\\Temp\\tmp*.exec.cmd"] by process.entity_id
[process where host.os.type == "windows" and event.action == "start" and
process.name : (
"cmd.exe", "powershell.exe",
"MSHTA.EXE", "CertUtil.exe",
"CertReq.exe", "rundll32.exe",
"regsvr32.exe", "MSbuild.exe",
"cscript.exe", "wscript.exe",
"installutil.exe"
) and
not
(
process.name : ("cmd.exe", "powershell.exe") and
process.args : (
"*\\vcpkg\\scripts\\buildsystems\\msbuild\\applocal.ps1",
"HKLM\\SOFTWARE\\Microsoft\\VisualStudio\\SxS\\VS?",
"process.versions.node*",
"?:\\Program Files\\nodejs\\node.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MSBuild\\ToolsVersions\\*",
"*Get-ChildItem*Tipasplus.css*",
"Build\\GenerateResourceScripts.ps1",
"Shared\\Common\\..\\..\\BuildTools\\ConfigBuilder.ps1\"",
"?:\\Projets\\*\\PostBuild\\MediaCache.ps1"
)
) and
not process.executable : "?:\\Program Files*\\Microsoft Visual Studio\\*\\MSBuild.exe" and
not (process.name : "cmd.exe" and
process.command_line :
("*vswhere.exe -property catalog_productSemanticVersion*",
"*git log --pretty=format*", "*\\.nuget\\packages\\vswhere\\*",
"*Common\\..\\..\\BuildTools\\*"))
] by process.parent.entity_id
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1127"
name = "Trusted Developer Utilities Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1127/"
[[rule.threat.technique.subtechnique]]
id = "T1127.001"
name = "MSBuild"
reference = "https://attack.mitre.org/techniques/T1127/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"