From 5ab967b894a996a4cbcaf13f95e9e6d5916fbd59 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 14 Feb 2024 17:50:27 +0000
Subject: [PATCH 1/2] Create initial_access_execution_from_inetcache.toml
---
 ...itial_access_execution_from_inetcache.toml | 54 +++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 rules/windows/initial_access_execution_from_inetcache.toml
diff --git a/rules/windows/initial_access_execution_from_inetcache.toml b/rules/windows/initial_access_execution_from_inetcache.toml
new file mode 100644
index 00000000000..bedcbb5d499
--- /dev/null
+++ b/rules/windows/initial_access_execution_from_inetcache.toml
@@ -0,0 +1,54 @@
+[metadata]
+creation_date = "2024/02/14"
+integration = ["endpoint", "windows", "system"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/02/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of a process with arguments pointing to the INetCache Folder. Adversaries may deliver malicious
+content via WININET during initial access.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious Execution from INET Cache"
+references = [
+"https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html"
+]
+risk_score = 73
+rule_id = "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78"
+severity = "high"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.parent.name : ("explorer.exe", "winrar.exe", "7zFM.exe", "Bandizip.exe") and
+ (process.args : "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*" or
+ process.executable : "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.001"
+name = "Spearphishing Attachment"
+reference = "https://attack.mitre.org/techniques/T1566/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
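Review bot: Both path patterns in `query` are anchored at the drive letter (`?:\\Users\\*\\...`), so the `process.args` clause only fires when an argument *is* the cached file path; an argument that carries the path after a switch or URI-style prefix, and cache folders under profile roots outside `\Users` (service or system profiles), will not match. Since the `process.executable` clause already pins the binary itself to the cache, loosening only the args clause to `process.args : "*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*"` would widen coverage at little false-positive cost — worth confirming against how each source in `index` tokenizes arguments before relying on it. The rule also ships with no `note` investigation guide and no `false_positives` entry, which a severity-high rule should carry; a short triage note explaining what lands in `INetCache\IE`, why the four parents in `process.parent.name` were chosen, and what to pivot on (parent command line, the referenced file's origin) would help analysts. The parent allow-list presumably omits Office and mail clients on purpose; if so, saying why in the `note` would spare the next reviewer re-deriving the rationale.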
From aef081c85fdd7246293c6e370ce76072e255890e Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Wed, 14 Feb 2024 17:53:04 +0000 Subject: [PATCH 2/2] Update initial_access_execution_from_inetcache.toml --- ...initial_access_execution_from_inetcache.toml | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/rules/windows/initial_access_execution_from_inetcache.toml b/rules/windows/initial_access_execution_from_inetcache.toml index bedcbb5d499..ffbe2992403 100644 --- a/rules/windows/initial_access_execution_from_inetcache.toml +++ b/rules/windows/initial_access_execution_from_inetcache.toml @@ -23,7 +23,7 @@ references = [ risk_score = 73 rule_id = "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -47,8 +47,21 @@ name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/"
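Review bot: The new `[[rule.threat]]` block maps the rule to T1105 Ingress Tool Transfer, but nothing in `description` or in `query` speaks to a transfer — the query keys on a process starting from, or referencing, `INetCache\IE`, and the existing T1566.001 mapping already covers delivered content being executed. If the second mapping is meant to capture the WININET download that populates the cache (as the referenced Water Hydra write-up describes), state that rationale in `description`, e.g. `Content fetched through WININET is cached under INetCache before it is opened, so execution from that folder also evidences ingress of the payload.`; otherwise the extra tactic overstates the ATT&CK coverage the rule actually provides. Minor style: the hunk removes one of the three blank lines before the first `[rule.threat.tactic]` but adds two blank lines before each new table, so the file still mixes one and two blank lines between tables — one blank line between top-level tables throughout would be consistent. The second `[[rule.threat]]` entry is otherwise complete and well-formed; the file has no further content after this hunk.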