elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[New Rule] Abnormal File Extension in User AppData Roaming path #1489

Closed DefSecSentinel closed 2 years ago

DefSecSentinel commented 3 years ago

Description

This detection looks in the AppData\Roaming path specifically for any files with a file extension of ten or more characters. This behavior was observed being used by malware for dropping and retrieving data. This activity has been run against a group of Windows systems dating back 90 days and was found to only detect the malicious activity.

Required Info

Target indexes

logs-*, winlogbeat-*

Additional requirements

This detection will match on both Elastic Endpoint file events and Sysmon file creation events.

Target Operating Systems

Windows

Platforms

Tested ECS Version

7.14.0

Optional Info

Query

file where file.path : "*\\appdata\\roaming\\*" and 
length(file.extension) >= 10 and 
process.name : ("cmd.exe", "powershell.exe", "wmic.exe", "mshta.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "regsvr32.exe", "RegAsm.exe", "rundll32.exe", "EQNEDT32.EXE", "WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE", "iexplore.exe", "InstallUtil.exe")

New fields required in ECS/data sources for this rule?

Related issues or PRs

References

bm11100 commented 3 years ago

Could include numbers in the regex as well [a-zA-Z0-9]{10,}

brokensound77 commented 3 years ago

Instead of regex, you can just use the length command

length(file.extension) >= 10
bm11100 commented 3 years ago

Instead of regex, you can just use the length command

length(file.extension) >= 10

Possible, but that could lead to some noise like customdestinations-ms as the length function doesn't discriminate against dashes and other characters.

brokensound77 commented 3 years ago

That's true, but cases like that should be explicitly excluded in other ways, because a dash could just as easily be used from a malicious case.

Do you have any examples, resources, or data for this @DefSecSentinel

DefSecSentinel commented 3 years ago

{
  "event": {
    "action": "creation",
    "agent_id_status": "verified",
    "category": "file",
    "created": "2021-09-10T15:59:20.546Z",
    "dataset": "endpoint.events.file",
    "id": "MHhyUJ+hUkq/D12D+++++20y",
    "ingested": "2021-09-10T15:59:37.866Z",
    "kind": "event",
    "module": "endpoint",
    "sequence": "11756",
    "type": "creation"
  },
  "file": {
    "Ext": {
      "entropy": "7.80275525446388",
      "header_bytes": "28da12006db6992685a40b0ad96b64dd",
      "header_data": "",
      "monotonic_id": "1804",
      "windows": {
        "zone_identifier": "-1"
      }
    },
    "extension": "abxpgtjzgpmbr",
    "name": "YyfgEhLNtnVrIiPv.ABXpGtJZgPMbr",
    "path": "C:\\Users\\variable\\AppData\\Roaming\\MIcroSOFT\\zEbiFUhuloaP\\YyfgEhLNtnVrIiPv.ABXpGtJZgPMbr",
    "size": "62188"
  },
  "message": "Endpoint file event",
  "process": {
    "entity_id": "NTc1MDBmZWMtOGVjNi00ODZjLTk2ZWMtOTkzNTc5NTQwZmE3LTI5NDQtMTMyNzU3NjMxNDEuMjk5NTc3NDAw",
    "executable": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
    "Ext": {
      "ancestry": "NTc1MDBmZWMtOGVjNi00ODZjLTk2ZWMtOTkzNTc5NTQwZmE3LTQyMzYtMTMyNzU3NjMxMzkuNDgxMDczMDA=,NTc1MDBmZWMtOGVjNi00ODZjLTk2ZWMtOTkzNTc5NTQwZmE3LTcwMTYtMTMyNzU3NjMxMzguNDcyMjg4NDAw,NTc1MDBmZWMtOGVjNi00ODZjLTk2ZWMtOTkzNTc5NTQwZmE3LTM4OTItMTMyNzU3NjI1NjEuNjQxNDQ2NTAw,NTc1MDBmZWMtOGVjNi00ODZjLTk2ZWMtOTkzNTc5NTQwZmE3LTM2NDgtMTMyNzU3NjI1NjEuNDc3MzgwMzAw,NTc1MDBmZWMtOGVjNi00ODZjLTk2ZWMtOTkzNTc5NTQwZmE3LTU4OC0xMzI3NTc2MjU1OC41NTk5MjAyMDA="
    },
    "name": "powershell.exe",
    "parent": {
      "pid": "4236"
    },
    "pid": "2944"
  }
}
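The three variants of the check discussed in this thread (the issue's length() query, the same query with explicit exclusions as brokensound77 suggests, and bm11100's alphanumeric-only regex), re-implemented in Python and run over a handful of sample file events. This is an added example and not the issue author's query, Elastic's rule code, or anything from the detection-rules repository. It mirrors the EQL semantics by lower-casing names and paths before comparing (EQL's ':' operator is case-insensitive). The first sample event is trimmed from the Endpoint event posted above; the remaining events, the exclusion list, the jump-list and dropper file names, and the _file_event builder are constructed assumptions for illustration.

```python
from __future__ import annotations

import re

# Process allow-list copied from the issue's EQL query. EQL's ':' operator is
# case-insensitive, so every comparison below is done on lower-cased strings.
SUSPICIOUS_PROCESSES = {
    "cmd.exe", "powershell.exe", "wmic.exe", "mshta.exe", "pwsh.exe",
    "cscript.exe", "wscript.exe", "regsvr32.exe", "regasm.exe", "rundll32.exe",
    "eqnedt32.exe", "winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe",
    "msaccess.exe", "iexplore.exe", "installutil.exe",
}
MIN_EXTENSION_LENGTH = 10

# Assumed exclusion list for the explicit-exclusion variant. The thread only
# names customdestinations-ms; the automaticdestinations-ms sibling is an assumption.
BENIGN_EXTENSIONS = frozenset({"customdestinations-ms", "automaticdestinations-ms"})

# bm11100's variant: ten or more alphanumeric characters, nothing else.
ALNUM_EXTENSION = re.compile(r"^[a-zA-Z0-9]{10,}$")


def _common_prefilter(event: dict) -> tuple[bool, str]:
    """Checks shared by all variants: file event, Roaming path, process allow-list.
    Returns (passed, file.extension)."""
    file = event.get("file", {})
    proc = event.get("process", {})
    path = file.get("path", "").lower()
    ext = file.get("extension", "")
    passed = (
        event.get("event", {}).get("category") == "file"
        and "\\appdata\\roaming\\" in path
        and proc.get("name", "").lower() in SUSPICIOUS_PROCESSES
    )
    return passed, ext


def matches_length_rule(event: dict, excluded: frozenset = frozenset()) -> bool:
    """The issue's query: length(file.extension) >= 10, plus an optional
    explicit exclusion list for known-benign long extensions."""
    passed, ext = _common_prefilter(event)
    return passed and len(ext) >= MIN_EXTENSION_LENGTH and ext.lower() not in excluded


def matches_regex_rule(event: dict) -> bool:
    """bm11100's variant: the extension must be ten or more alphanumerics only."""
    passed, ext = _common_prefilter(event)
    return passed and ALNUM_EXTENSION.fullmatch(ext) is not None


def _file_event(path: str, process_name: str) -> dict:
    """Build a minimal ECS-shaped file creation event (constructed sample data).
    file.extension is lower-cased, as in the Endpoint event posted in the issue."""
    name = path.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return {
        "event": {"category": "file", "type": "creation"},
        "file": {"name": name, "extension": ext, "path": path},
        "process": {"name": process_name},
    }


ROAMING = "C:\\Users\\variable\\AppData\\Roaming\\"
JUMPLIST = ROAMING + "Microsoft\\Windows\\Recent\\CustomDestinations\\5f7b5f1e01b83767.customDestinations-ms"

# Constructed sample events. The first mirrors the event posted in the issue;
# the rest are made up to probe the edge cases raised in the thread.
SAMPLE_EVENTS = [
    _file_event(ROAMING + "MIcroSOFT\\zEbiFUhuloaP\\YyfgEhLNtnVrIiPv.ABXpGtJZgPMbr", "powershell.exe"),
    # Jump list written by Explorer: process not in the allow-list, so nothing fires.
    _file_event(JUMPLIST, "explorer.exe"),
    # Same jump list touched by PowerShell: length rule fires, regex rule does not.
    _file_event(JUMPLIST, "powershell.exe"),
    # Long extension containing a dash, dropped by a listed process: only the length rule sees it.
    _file_event(ROAMING + "Dropper\\payload.stage-two-blob", "rundll32.exe"),
    # Ordinary DLL from rundll32: extension too short for either variant.
    _file_event(ROAMING + "Vendor\\helper.dll", "rundll32.exe"),
    # Same odd extension, but under LocalLow rather than Roaming: path filter rejects it.
    _file_event("C:\\Users\\variable\\AppData\\LocalLow\\x\\YyfgEhLNtnVrIiPv.abxpgtjzgpmbr", "powershell.exe"),
]


def run_rule(events: list[dict], rule, **kwargs) -> list[str]:
    """Return file.name for every event the rule matches, in input order."""
    return [e["file"]["name"] for e in events if rule(e, **kwargs)]


if __name__ == "__main__":
    print("length rule:        ", run_rule(SAMPLE_EVENTS, matches_length_rule))
    print("length + exclusions:", run_rule(SAMPLE_EVENTS, matches_length_rule, excluded=BENIGN_EXTENSIONS))
    print("alphanumeric regex: ", run_rule(SAMPLE_EVENTS, matches_regex_rule))
```

Running it shows the trade-off the thread is about: the plain length rule catches both the posted dropper file and the dashed stage-two-blob but also the jump list once a listed process writes it; the regex variant silences the jump list by construction but also misses the dashed dropper extension; the length rule with an explicit exclusion list keeps both malicious samples and drops only the named benign extension.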
botelastic[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] commented 2 years ago

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.