Aegrah
commented
11 months ago Initial analysis of our currently available Windows Execution related ruleset.
#!/bin/bash
# Find all files ending with .toml
file_list=$(find /Users/ruben/Documents/GitHub/detection-rules/ -type f -name "*.toml")
# Loop through the list of files
for file in $file_list; do
# Search for lines starting with "tags = " containing both "OS: Windows" and "Tactic: Execution" recursively
if grep -q -R -E '^tags =.*OS: Windows' "$file" 2>/dev/null && grep -q -R -E '^tags =.*Tactic: Execution' "$file" 2>/dev/null && ! grep -q -R -E '^tags =.*Rule Type: ML' "$file" 2>/dev/null; then
name=$(grep -m 1 -E '^name =' "$file" | awk -F'= ' '{print $2}')
rule_id=$(grep -E '^rule_id =' "$file" | awk -F'= ' '{print $2}')
# Extract the filename without the path
filename=$(basename "$file")
echo "File: $filename"
echo "Name: $name"
echo "Rule ID: $rule_id"
# Add a new line after each hit
echo
fi
done| Rule Name | Rule ID | File Name |
|---|---|---|
| Creation of SettingContent-ms Files | 1e6363a6-3af5-41d4-b7ea-d475389c0ceb | execution_settingcontent_ms_file_creation.toml |
| Execution of an Unsigned Service | 56fdfcf1-ca7c-4fd9-951d-e215ee26e404 | execution_unsigned_service_executable.toml |
| Mofcomp Activity | 210d4430-b371-470e-b879-80b7182aa75e | execution_mofcomp.toml |
| Downloaded Shortcut Files | 39157d52-4035-44a8-9d1a-6f8c5f580a07 | execution_downloaded_shortcut_files.toml |
| Downloaded URL Files | cd82e3d6-1346-4afd-8f22-38388bbf34cb | execution_downloaded_url_file.toml |
| WMI WBEMTEST Utility Execution | d3551433-782f-4e22-bbea-c816af2d41c6 | execution_wmi_wbemtest.toml |
| Python Script Execution via Command Line | ee9f08dc-cf80-4124-94ae-08c405f059ae | execution_python_script_in_cmdline.toml |
| Suspicious SolarWinds Child Process | 93b22c0a-06a0-4131-b830-b10d5e166ff4 | execution_apt_solarwinds_backdoor_unusual_child_processes.toml |
| Process Activity via Compiled HTML File | e3343ab9-4245-4715-b344-e11c56b0a47f | execution_via_compiled_html_file.toml |
| Execution of File Written or Modified by PDF Reader | 1defdd62-cd8d-426e-a246-81a37751bb2b | execution_pdf_written_file.toml |
| Command Shell Activity Started via RunDLL32 | 9ccf3ce0-0057-440a-91f5-870c6ad39093 | execution_command_shell_via_rundll32.toml |
| Network Connection via Registration Utility | fb02b8d3-71ee-4af1-bacd-215d23f17efa | execution_register_server_program_connecting_to_the_internet.toml |
| Suspicious PowerShell Engine ImageLoad | 852c1f19-68e8-43a6-9dce-340771fe1be3 | execution_suspicious_powershell_imgload.toml |
| Enumeration Command Spawned via WMIPrvSE | 770e0c4d-b998-41e5-a62e-c7901fd7f470 | execution_enumeration_via_wmiprvse.toml |
| Execution via local SxS Shared Module | a3ea12f3-0d4e-4667-8b44-4230c63f3c75 | execution_shared_modules_local_sxs_dll.toml |
| Outbound Scheduled Task Activity via PowerShell | 5cd55388-a19c-47c7-8ec4-f41656c2fded | execution_scheduled_task_powershell_source.toml |
| Unusual Parent Process for cmd.exe | 3b47900d-e793-49e8-968f-c90dc3526aa1 | execution_command_shell_started_by_unusual_process.toml |
| Suspicious Process Execution via Renamed PsExec Executable | e2f9fdf5-8076-45ad-9427-41e0e03dc9c2 | execution_suspicious_psexesvc.toml |
| Suspicious MS Office Child Process | a624863f-a70d-417f-a7d2-7a404638d47f | initial_access_suspicious_ms_office_child_process.toml |
| Suspicious PDF Reader Child Process | 53a26770-9cbd-40c5-8b57-61d01a325e14 | execution_suspicious_pdf_reader.toml |
| Potential PowerShell HackTool Script by Function Names | cde1bafa-9f01-4f43-a872-605b678968b0 | execution_posh_hacktool_functions.toml |
| Suspicious Portable Executable Encoded in Powershell Script | ad84d445-b1ce-4377-82d9-7c633f28bf9a | execution_posh_portable_executable.toml |
| PsExec Network Connection | 55d551c6-333b-4665-ab7e-5d14a59715ce | execution_psexec_lateral_movement_command.toml |
| Network Connection via Compiled HTML File | b29ee2be-bf99-446c-ab1a-2dc0183394b8 | execution_html_help_executable_program_connecting_to_the_internet.toml |
| Suspicious Cmd Execution via WMI | 12f07955-1674-44f7-86b5-c35da0a6f41a | execution_suspicious_cmd_wmi.toml |
| Command Prompt Network Connection | 89f9a4b0-9f8f-4ee0-8823-c4751a6d6696 | execution_command_prompt_connecting_to_the_internet.toml |
| Command Execution via SolarWinds Process | d72e33fc-6e91-42ff-ac8b-e573268c5a87 | execution_apt_solarwinds_backdoor_child_cmd_powershell.toml |
| Execution of COM object via Xwizard | 1a6075b0-7479-450e-8fe7-b8b8438ac570 | execution_com_object_xwizard.toml |
| Suspicious Execution via Windows Subsystem for Linux | 3e0eeb75-16e8-4f2f-9826-62461ca128b7 | defense_evasion_wsl_bash_exec.toml |
| PowerShell PSReflect Script | 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe | execution_posh_psreflect.toml |
| Conhost Spawned By Suspicious Parent Process | 05b358de-aa6d-4f6c-89e6-78f74018b43b | execution_via_hidden_shell_conhost.toml |
| Svchost spawning Cmd | fd7a6052-58fa-4397-93c3-4795249ccfa2 | execution_command_shell_started_by_svchost.toml |
| Suspicious WMI Image Load from MS Office | 891cb88e-441a-4c3e-be2d-120d99fe7b0d | execution_suspicious_image_load_wmi_ms_office.toml |
| Execution of File Written or Modified by Microsoft Office | 0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5 | execution_ms_office_written_file.toml |
| System Information Discovery via Windows Command Shell | d68e95ad-1c82-4074-a12a-125fe10ac8ba | discovery_files_dir_systeminfo_via_cmd.toml |
| Windows Script Interpreter Executing Process via WMI | b64b183e-1a76-422d-9179-7b389513e74d | initial_access_scripts_process_started_via_wmi.toml |
botelastic[bot]
Summary
This Meta will focus on building out an initial UEBA detection rule pack for execution-related Windows rules.
Most progress is being tracked in Approach to UEBA- V0.1
Tuning & analysis
The tuning for the Execution related rules is now available as PR at #3107. Additionally, several new rules have been created in #3112.