Closed Aegrah closed 6 months ago
```bash
#!/bin/bash
# Find all rule files ending with .toml
# (-print0 plus `read -d ''` keeps paths containing spaces intact)
find /Users/ruben/Documents/GitHub/detection-rules/ -type f -name "*.toml" -print0 |
while IFS= read -r -d '' file; do
  # Keep rules whose "tags = " line contains both "OS: Windows" and "Tactic: Execution",
  # and skip ML rules (-R is not needed when grepping a single file)
  if grep -q -E '^tags =.*OS: Windows' "$file" 2>/dev/null \
     && grep -q -E '^tags =.*Tactic: Execution' "$file" 2>/dev/null \
     && ! grep -q -E '^tags =.*Rule Type: ML' "$file" 2>/dev/null; then
    name=$(grep -m 1 -E '^name =' "$file" | awk -F'= ' '{print $2}')
    rule_id=$(grep -m 1 -E '^rule_id =' "$file" | awk -F'= ' '{print $2}')
    # Extract the filename without the path
    filename=$(basename "$file")
    echo "File: $filename"
    echo "Name: $name"
    echo "Rule ID: $rule_id"
    # Add a new line after each hit
    echo
  fi
done
```
Rule Name | Rule ID | File Name |
---|---|---|
Creation of SettingContent-ms Files | 1e6363a6-3af5-41d4-b7ea-d475389c0ceb | execution_settingcontent_ms_file_creation.toml |
Execution of an Unsigned Service | 56fdfcf1-ca7c-4fd9-951d-e215ee26e404 | execution_unsigned_service_executable.toml |
Mofcomp Activity | 210d4430-b371-470e-b879-80b7182aa75e | execution_mofcomp.toml |
Downloaded Shortcut Files | 39157d52-4035-44a8-9d1a-6f8c5f580a07 | execution_downloaded_shortcut_files.toml |
Downloaded URL Files | cd82e3d6-1346-4afd-8f22-38388bbf34cb | execution_downloaded_url_file.toml |
WMI WBEMTEST Utility Execution | d3551433-782f-4e22-bbea-c816af2d41c6 | execution_wmi_wbemtest.toml |
Python Script Execution via Command Line | ee9f08dc-cf80-4124-94ae-08c405f059ae | execution_python_script_in_cmdline.toml |
Suspicious SolarWinds Child Process | 93b22c0a-06a0-4131-b830-b10d5e166ff4 | execution_apt_solarwinds_backdoor_unusual_child_processes.toml |
Process Activity via Compiled HTML File | e3343ab9-4245-4715-b344-e11c56b0a47f | execution_via_compiled_html_file.toml |
Execution of File Written or Modified by PDF Reader | 1defdd62-cd8d-426e-a246-81a37751bb2b | execution_pdf_written_file.toml |
Command Shell Activity Started via RunDLL32 | 9ccf3ce0-0057-440a-91f5-870c6ad39093 | execution_command_shell_via_rundll32.toml |
Network Connection via Registration Utility | fb02b8d3-71ee-4af1-bacd-215d23f17efa | execution_register_server_program_connecting_to_the_internet.toml |
Suspicious PowerShell Engine ImageLoad | 852c1f19-68e8-43a6-9dce-340771fe1be3 | execution_suspicious_powershell_imgload.toml |
Enumeration Command Spawned via WMIPrvSE | 770e0c4d-b998-41e5-a62e-c7901fd7f470 | execution_enumeration_via_wmiprvse.toml |
Execution via local SxS Shared Module | a3ea12f3-0d4e-4667-8b44-4230c63f3c75 | execution_shared_modules_local_sxs_dll.toml |
Outbound Scheduled Task Activity via PowerShell | 5cd55388-a19c-47c7-8ec4-f41656c2fded | execution_scheduled_task_powershell_source.toml |
Unusual Parent Process for cmd.exe | 3b47900d-e793-49e8-968f-c90dc3526aa1 | execution_command_shell_started_by_unusual_process.toml |
Suspicious Process Execution via Renamed PsExec Executable | e2f9fdf5-8076-45ad-9427-41e0e03dc9c2 | execution_suspicious_psexesvc.toml |
Suspicious MS Office Child Process | a624863f-a70d-417f-a7d2-7a404638d47f | initial_access_suspicious_ms_office_child_process.toml |
Suspicious PDF Reader Child Process | 53a26770-9cbd-40c5-8b57-61d01a325e14 | execution_suspicious_pdf_reader.toml |
Potential PowerShell HackTool Script by Function Names | cde1bafa-9f01-4f43-a872-605b678968b0 | execution_posh_hacktool_functions.toml |
Suspicious Portable Executable Encoded in Powershell Script | ad84d445-b1ce-4377-82d9-7c633f28bf9a | execution_posh_portable_executable.toml |
PsExec Network Connection | 55d551c6-333b-4665-ab7e-5d14a59715ce | execution_psexec_lateral_movement_command.toml |
Network Connection via Compiled HTML File | b29ee2be-bf99-446c-ab1a-2dc0183394b8 | execution_html_help_executable_program_connecting_to_the_internet.toml |
Suspicious Cmd Execution via WMI | 12f07955-1674-44f7-86b5-c35da0a6f41a | execution_suspicious_cmd_wmi.toml |
Command Prompt Network Connection | 89f9a4b0-9f8f-4ee0-8823-c4751a6d6696 | execution_command_prompt_connecting_to_the_internet.toml |
Command Execution via SolarWinds Process | d72e33fc-6e91-42ff-ac8b-e573268c5a87 | execution_apt_solarwinds_backdoor_child_cmd_powershell.toml |
Execution of COM object via Xwizard | 1a6075b0-7479-450e-8fe7-b8b8438ac570 | execution_com_object_xwizard.toml |
Suspicious Execution via Windows Subsystem for Linux | 3e0eeb75-16e8-4f2f-9826-62461ca128b7 | defense_evasion_wsl_bash_exec.toml |
PowerShell PSReflect Script | 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe | execution_posh_psreflect.toml |
Conhost Spawned By Suspicious Parent Process | 05b358de-aa6d-4f6c-89e6-78f74018b43b | execution_via_hidden_shell_conhost.toml |
Svchost spawning Cmd | fd7a6052-58fa-4397-93c3-4795249ccfa2 | execution_command_shell_started_by_svchost.toml |
Suspicious WMI Image Load from MS Office | 891cb88e-441a-4c3e-be2d-120d99fe7b0d | execution_suspicious_image_load_wmi_ms_office.toml |
Execution of File Written or Modified by Microsoft Office | 0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5 | execution_ms_office_written_file.toml |
System Information Discovery via Windows Command Shell | d68e95ad-1c82-4074-a12a-125fe10ac8ba | discovery_files_dir_systeminfo_via_cmd.toml |
Windows Script Interpreter Executing Process via WMI | b64b183e-1a76-422d-9179-7b389513e74d | initial_access_scripts_process_started_via_wmi.toml |
During the scripted approach of looping through our ruleset, I noticed quite a few multi-tactic rules only have one tag listed in the tags list. Additional manual analysis will be conducted to ensure all current Execution rules are mapped. These tags will be added as part of the soon incoming tuning PR.
The tuning for the Execution related rules is now available as PR at https://github.com/elastic/detection-rules/pull/3107. Additionally, several new rules have been created in https://github.com/elastic/detection-rules/pull/3112.
Moved to backlog until we gather additional telemetry from our UEBA changes.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.
Summary
This Meta will focus on building out an initial UEBA detection rule pack for execution-related Windows rules.
Most progress is being tracked in Approach to UEBA- V0.1
Tuning & analysis
The tuning for the Execution related rules is now available as PR at #3107. Additionally, several new rules have been created in #3112.