forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdefense_evasion_execution_msbuild_started_by_office_app.toml
executable file
·73 lines (63 loc) · 2.4 KB
/
defense_evasion_execution_msbuild_started_by_office_app.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
[metadata]
creation_date = "2020/03/25"
maturity = "production"
updated_date = "2022/03/31"
[rule]
author = ["Elastic"]
description = """
An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build
Engine and could have been caused by an Excel or Word document executing a malicious script payload.
"""
false_positives = [
"""
The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for
this program to be started by an Office application like Word or Excel.
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Microsoft Build Engine Started by an Office Application"
note = """## Config
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"]
risk_score = 73
rule_id = "c5dc3223-13a2-44a2-946c-e9dc0aa0449c"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type in ("start", "process_started") and
process.name : "MSBuild.exe" and
process.parent.name : ("eqnedt32.exe",
"excel.exe",
"fltldr.exe",
"msaccess.exe",
"mspub.exe",
"outlook.exe",
"powerpnt.exe",
"winword.exe" )
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1127"
name = "Trusted Developer Utilities Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1127/"
[[rule.threat.technique.subtechnique]]
id = "T1127.001"
name = "MSBuild"
reference = "https://attack.mitre.org/techniques/T1127/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"