diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/i18n/i18n_en.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/i18n/i18n_en.yaml
new file mode 100644
index 00000000..ba47f847
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/i18n/i18n_en.yaml
@@ -0,0 +1,4 @@
+Description: 'Suspicious Microsoft Office child process has been detected'
+EventDescriptions:
+ - LocalizationId: 'corrname_Suspicious_Microsoft_Office_Child_Process'
+ EventDescription: 'Suspicious child process {object.process.name} has been created by {object.process.parent.name} at host {event_src.host}'
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/i18n/i18n_ru.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/i18n/i18n_ru.yaml
new file mode 100644
index 00000000..7e94e761
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/i18n/i18n_ru.yaml
@@ -0,0 +1,4 @@
+Description: 'Обнаружен подозрительный процесс, созданный приложением MS Office'
+EventDescriptions:
+ - LocalizationId: 'corrname_Suspicious_Microsoft_Office_Child_Process'
+ EventDescription: 'Обнаружен подозрительный процесс {object.process.name}, созданный приложением MS Office {object.process.parent.name}, на узле {event_src.host}'
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/metainfo.yaml
new file mode 100644
index 00000000..ff789528
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/metainfo.yaml
@@ -0,0 +1,30 @@
+ContentAutoName: Suspicious_Microsoft_Office_Child_Process
+ExpertContext:
+ Created: 16.07.2024
+ Updated: 29.07.2024
+ KnowledgeHolders:
+ - driverenok
+ Usecases:
+ - Атакующие могут использовать инструментарий MS Office чтобы создавать дочерние процессы
+ Falsepositives: []
+ References:
+ - https://github.com/SigmaHQ/sigma/blob/568f1aef336e62a0c52bc28e6b635950ca900f97/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml
+ - https://t.me/ptescalator/24
+ - https://docs.logpoint.com/docs/alert-rules/en/latest/MITRE%20ATT&CK%20Analytics.html
+ Improvements: []
+ DataSources:
+ - Provider: Microsoft-Windows-Security-Auditing
+ EventID:
+ - 4688
+ - Provider: Microsoft-Windows-Sysmon
+ EventID:
+ - 1
+ObjectId: SEC-CR-189386588
+ContentRelations:
+ Implements:
+ ATTACK:
+ execution:
+ - T1204.002
+EventDescriptions:
+ - Criteria: correlation_name = "Suspicious_Microsoft_Office_Child_Process"
+ LocalizationId: corrname_Suspicious_Microsoft_Office_Child_Process
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/rule.co b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/rule.co
new file mode 100644
index 00000000..0e9c3b84
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/rule.co
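Review bot: `Falsepositives: []` is declared although the rule this metadata describes (rule.co in the same commit) fires on every process whose parent is one of the listed Office binaries and whose fullpath differs from the parent's, with no exclusion for known-benign children. The referenced Sigma rule, as far as I recall, narrows on the child image rather than matching any child, so an empty false-positive list does not reflect what this rule will actually produce. Either list the benign child processes an operator should expect under `Falsepositives`, or tighten the filter so the empty list is true. A short comment under `Usecases` explaining why the parent list goes beyond the core Office suite (e.g. `wordpad.exe`, `msosync.exe`) would also help future maintainers.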
@@ -0,0 +1,88 @@
+event CreateProcess_via_MSOffice:
+ key:
+ event_src.host
+ filter {
+ filter::NotFromCorrelator()
+ and filter::ProcessStart_Windows_any()
+ and in_list(["winword.exe", "excel.exe", "powerpnt.exe", "visio.exe", "mspub.exe", "eqnedt32.exe", "outlook.exe", "eqnedt32.exe", "msosync.exe", "msaccess.exe", "onenote.exe", "winproj.exe", "wordpad.exe", "wordview.exe"], lower(object.process.parent.name))
+ and object.process.parent.fullpath != object.process.fullpath
+ }
+
+rule Suspicious_Microsoft_Office_Child_Process: CreateProcess_via_MSOffice
+
+ on CreateProcess_via_MSOffice {
+ # subject
+ $subject = subject
+
+ $subject.account.name = subject.account.name
+ $subject.account.domain = subject.account.domain
+ $subject.account.session_id = subject.account.session_id
+ $subject.account.id = subject.account.id
+ $subject.account.privileges = subject.account.privileges
+
+ # action
+ $action = action
+
+ # object
+ $object = object
+
+ $object.account.session_id = object.account.session_id
+ $object.account.name = object.account.name
+ $object.account.domain = object.account.domain
+ $object.account.id = object.account.id
+
+ $object.process.id = object.process.id
+ $object.process.name = object.process.name
+ $object.process.path = object.process.path
+ $object.process.fullpath = object.process.fullpath
+ $object.process.hash = object.process.hash
+ $object.process.hash.md5 = object.process.hash.md5
+ $object.process.hash.sha1 = object.process.hash.sha1
+ $object.process.hash.sha256 = object.process.hash.sha256
+ $object.process.version = object.process.version
+ $object.process.cmdline = object.process.cmdline
+ $object.process.guid = object.process.guid
+ $object.process.meta = object.process.meta
+ $object.process.original_name = object.process.original_name
+ $object.process.cwd = object.process.cwd
+ $object.process.chain = object.process.chain
+
+ $object.process.parent.id = object.process.parent.id
+ $object.process.parent.name = 
object.process.parent.name
+ $object.process.parent.path = object.process.parent.path
+ $object.process.parent.fullpath = object.process.parent.fullpath
+ $object.process.parent.guid = object.process.parent.guid
+ $object.process.parent.cmdline = object.process.parent.cmdline
+
+ # status
+ $status = status
+
+ # event src host
+ $event_src.host = event_src.host
+ $event_src.fqdn = event_src.fqdn
+ $event_src.hostname = event_src.hostname
+ $event_src.ip = event_src.ip
+ $event_src.asset = event_src.asset
+ $event_src.vendor = event_src.vendor
+ $event_src.title = event_src.title
+ $event_src.subsys = event_src.subsys
+ $event_src.category = event_src.category
+ }
+
+emit {
+ $correlation_type = "incident"
+
+ $importance = "medium"
+
+ $category.generic = "Attack"
+ $category.high = "Execution"
+ $category.low = "User Execution: Malicious File"
+
+ $incident.aggregation.key = join([$correlation_name, lower($event_src.host), lower($object.name)], "|")
+ $incident.aggregation.timeout = 2h
+
+ $incident.severity = $importance
+
+ $incident.category = "SoftwareSuspiciousActivity"
+ $incident.type = "Undefined"
+}
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/tests/raw_events_1.json b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/tests/raw_events_1.json
new file mode 100644
index 00000000..b724a912
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/tests/raw_events_1.json
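Review bot: In the `emit` block the aggregation key uses `lower($object.name)`, but `$object.name` is never assigned in the `on` block (only `$object`, `$object.account.*` and `$object.process.*` are), so the third key component is empty — the expected output in tests/test_1.sc and tests/test_2.sc shows exactly that (`...|win10-work.stand2008.local|`). Every Office child process on a host therefore collapses into one incident for the 2h timeout regardless of which child was spawned; use the field that is actually populated, `$incident.aggregation.key = join([$correlation_name, lower($event_src.host), lower($object.process.name)], "|")`, and update the expected key in both .sc tests accordingly. Separately, `"eqnedt32.exe"` appears twice in the `in_list` parent list of the event filter; dropping the duplicate is harmless but tidier. The filter also has no exclusion for benign Office child processes, so expect a high base rate of `medium` incidents on document-heavy hosts until an allowlist or a child-image selection is added.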
@@ -0,0 +1 @@ +{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"2\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2024-07-16T19:13:09.4505298Z\"},\"EventRecordID\":\"237268195\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"9516\"},\"Channel\":\"Security\",\"Computer\":\"win10-work.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3800063338-4262557262-2801230003-500\"},{\"Name\":\"SubjectUserName\",\"text\":\"Администратор\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x9974bf\"},{\"Name\":\"NewProcessId\",\"text\":\"0x14b4\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\SysWOW64\\\\cmd.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x3180\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe /c whoami & pause\"},{\"Name\":\"TargetUserSid\",\"text\":\"S-1-0-0\"},{\"Name\":\"TargetUserName\",\"text\":\"-\"},{\"Name\":\"TargetDomainName\",\"text\":\"-\"},{\"Name\":\"TargetLogonId\",\"text\":\"0x0\"},{\"Name\":\"ParentProcessName\",\"text\":\"C:\\\\Program Files (x86)\\\\Microsoft Office\\\\Office15\\\\WINWORD.EXE\"},{\"Name\":\"MandatoryLabel\",\"text\":\"S-1-16-8192\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2024-07-16T19:40:14.900Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"23cb42a0-c1ed-4080-93d9-208b5953e909"} \ No newline at end of file 
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/tests/raw_events_2.json b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/tests/raw_events_2.json
new file mode 100644
index 00000000..9812fab8
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/tests/raw_events_2.json
@@ -0,0 +1 @@ +{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2024-07-16T19:13:09.4782189Z\"},\"EventRecordID\":\"96854957\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"3880\",\"ThreadID\":\"4944\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"win10-work.stand2008.local\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"-\"},{\"Name\":\"UtcTime\",\"text\":\"2024-07-16 19:13:09.450\"},{\"Name\":\"ProcessGuid\",\"text\":\"{2b856446-c645-6696-fa0a-000000002f02}\"},{\"Name\":\"ProcessId\",\"text\":\"5300\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\SysWOW64\\\\cmd.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.19041.3636 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Command Processor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"Cmd.Exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe /c whoami & 
pause\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Users\\\\Администратор.STAND2008\\\\Desktop\\\\\"},{\"Name\":\"User\",\"text\":\"STAND2008\\\\Администратор\"},{\"Name\":\"LogonGuid\",\"text\":\"{2b856446-29ef-6696-bf74-990000000000}\"},{\"Name\":\"LogonId\",\"text\":\"0x9974bf\"},{\"Name\":\"TerminalSessionId\",\"text\":\"2\"},{\"Name\":\"IntegrityLevel\",\"text\":\"Medium\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=C2DBE672C77E7C3C1A8B2FA858CCD251C88BF116,MD5=D3348AC2130C7E754754A6E9CB053B09,SHA256=E9EF013238495BFFCE7459E059BFFE340A0F08B439EC94E7D4436F4E13714ECD,IMPHASH=392B4D61B1D1DADC1F06444DF258188A\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{2b856446-c640-6696-f80a-000000002f02}\"},{\"Name\":\"ParentProcessId\",\"text\":\"12672\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Program Files (x86)\\\\Microsoft Office\\\\Office15\\\\WINWORD.EXE\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Program Files (x86)\\\\Microsoft Office\\\\Office15\\\\WINWORD.EXE\\\" /n \\\"C:\\\\Users\\\\Администратор.STAND2008\\\\Desktop\\\\macros.docm\\\" /o \\\"\\\"\"},{\"Name\":\"ParentUser\",\"text\":\"STAND2008\\\\Администратор\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2024-07-16T19:40:58.891Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"80a0c7e6-8c21-4284-9ab3-8c964278933a"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/tests/test_1.sc new file mode 100644 index 00000000..50864717 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/tests/test_1.sc 
@@ -0,0 +1,4 @@ +{"action":"start","category.generic":"Process","category.high":"Availability Management","category.low":"Control","event_src.category":"Operating system","event_src.fqdn":"win10-work.stand2008.local","event_src.host":"win10-work.stand2008.local","event_src.hostname":"win10-work","event_src.subsys":"Security","event_src.title":"windows","event_src.vendor":"microsoft","generator.type":"logcollector","generator.version":"N26.0.2936","id":"PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created","importance":"info","input_id":"00000000-0000-0000-0000-000000000000","mime":"application/x-pt-eventlog","msgid":"4688","normalized":true,"object":"process","object.account.domain":"stand2008","object.account.id":"S-1-5-21-3800063338-4262557262-2801230003-500","object.account.name":"администратор","object.account.session_id":"10056895","object.process.cmdline":"C:\\Windows\\System32\\cmd.exe /c whoami & pause","object.process.fullpath":"c:\\windows\\syswow64\\cmd.exe","object.process.id":"5300","object.process.name":"cmd.exe","object.process.parent.fullpath":"c:\\program files (x86)\\microsoft office\\office15\\winword.exe","object.process.parent.id":"12672","object.process.parent.name":"winword.exe","object.process.parent.path":"c:\\program files (x86)\\microsoft office\\office15\\","object.process.path":"c:\\windows\\syswow64\\","recv_ipv4":"127.0.0.1","recv_time":"2024-07-16T19:40:14.900Z","status":"success","subject":"account","subject.account.domain":"stand2008","subject.account.id":"S-1-5-21-3800063338-4262557262-2801230003-500","subject.account.name":"администратор","subject.account.privileges":"TokenElevationTypeLimited","subject.account.session_id":"10056895","subject.state":"on behalf of oneself","tag":"some_tag","task_id":"00000000-0000-0000-0000-000000000000","taxonomy_version":"26.0.215-release-26.0","time":"2024-07-16T19:13:09.450Z","type":"raw","uuid":"23cb42a0-c1ed-4080-93d9-208b5953e909"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action":"start","category.generic":"Attack","category.high":"Execution","category.low":"User Execution: Malicious File","correlation_name":"Suspicious_Microsoft_Office_Child_Process","correlation_type":"incident","count":1,"event_src.category":"Operating system","event_src.fqdn":"win10-work.stand2008.local","event_src.host":"win10-work.stand2008.local","event_src.hostname":"win10-work","event_src.subsys":"Security","event_src.title":"windows","event_src.vendor":"microsoft","generator.type":"correlationengine","importance":"medium","incident.aggregation.key":"Suspicious_Microsoft_Office_Child_Process|win10-work.stand2008.local|","incident.aggregation.timeout":7200,"incident.category":"SoftwareSuspiciousActivity","incident.severity":"medium","msgid":"4688","normalized":true,"object":"process","object.account.domain":"stand2008","object.account.id":"S-1-5-21-3800063338-4262557262-2801230003-500","object.account.name":"администратор","object.account.session_id":"10056895","object.process.cmdline":"C:\\Windows\\System32\\cmd.exe /c whoami & pause","object.process.fullpath":"c:\\windows\\syswow64\\cmd.exe","object.process.id":"5300","object.process.name":"cmd.exe","object.process.parent.fullpath":"c:\\program files (x86)\\microsoft office\\office15\\winword.exe","object.process.parent.id":"12672","object.process.parent.name":"winword.exe","object.process.parent.path":"c:\\program files (x86)\\microsoft 
office\\office15\\","object.process.path":"c:\\windows\\syswow64\\","origin_app_id":"00000000-0000-0000-0000-000000000005","primary_siem_app_id":"00000000-0000-0000-0000-000000000005","status":"success","subject":"account","subject.account.domain":"stand2008","subject.account.id":"S-1-5-21-3800063338-4262557262-2801230003-500","subject.account.name":"администратор","subject.account.privileges":"TokenElevationTypeLimited","subject.account.session_id":"10056895","time":"2024-07-16T19:13:09.000Z"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/tests/test_2.sc new file mode 100644 index 00000000..43fd1288 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/tests/test_2.sc 
@@ -0,0 +1,4 @@ +{"action":"start","category.generic":"Process","category.high":"Availability Management","category.low":"Control","datafield6":"2b856446-29ef-6696-bf74-990000000000","event_src.category":"Other","event_src.fqdn":"win10-work.stand2008.local","event_src.host":"win10-work.stand2008.local","event_src.hostname":"win10-work","event_src.subsys":"Microsoft-Windows-Sysmon/Operational","event_src.title":"sysmon","event_src.vendor":"microsoft","generator.type":"logcollector","generator.version":"N26.0.2936","id":"PT_Microsoft_Windows_eventlog_Sysmon_1_Process_creation","importance":"info","input_id":"00000000-0000-0000-0000-000000000000","mime":"application/x-pt-eventlog","msgid":"1","normalized":true,"object":"process","object.account.domain":"stand2008","object.account.id":"synthetic:администратор@stand2008","object.account.name":"администратор","object.account.privileges":"Medium","object.account.session_id":"10056895","object.process.cmdline":"C:\\Windows\\System32\\cmd.exe /c whoami & pause","object.process.cwd":"C:\\Users\\Администратор.STAND2008\\Desktop\\","object.process.fullpath":"c:\\windows\\syswow64\\cmd.exe","object.process.guid":"2b856446-c645-6696-fa0a-000000002f02","object.process.hash.imphash":"392B4D61B1D1DADC1F06444DF258188A","object.process.hash.md5":"D3348AC2130C7E754754A6E9CB053B09","object.process.hash.sha1":"C2DBE672C77E7C3C1A8B2FA858CCD251C88BF116","object.process.hash.sha256":"E9EF013238495BFFCE7459E059BFFE340A0F08B439EC94E7D4436F4E13714ECD","object.process.id":"5300","object.process.meta":"Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation","object.process.name":"cmd.exe","object.process.original_name":"Cmd.Exe","object.process.parent.cmdline":"\"C:\\Program Files (x86)\\Microsoft Office\\Office15\\WINWORD.EXE\" /n \"C:\\Users\\Администратор.STAND2008\\Desktop\\macros.docm\" /o \"\"","object.process.parent.fullpath":"c:\\program files (x86)\\microsoft 
office\\office15\\winword.exe","object.process.parent.guid":"2b856446-c640-6696-f80a-000000002f02","object.process.parent.id":"12672","object.process.parent.name":"winword.exe","object.process.parent.path":"c:\\program files (x86)\\microsoft office\\office15\\","object.process.path":"c:\\windows\\syswow64\\","object.process.version":"10.0.19041.3636 (WinBuild.160101.0800)","recv_ipv4":"127.0.0.1","recv_time":"2024-07-16T19:40:58.891Z","status":"success","subject":"account","subject.account.domain":"stand2008","subject.account.id":"synthetic:администратор@stand2008","subject.account.name":"администратор","subject.account.privileges":"Medium","subject.account.session_id":"10056895","tag":"some_tag","task_id":"00000000-0000-0000-0000-000000000000","taxonomy_version":"26.0.215-release-26.0","time":"2024-07-16T19:13:09.450Z","type":"raw","uuid":"80a0c7e6-8c21-4284-9ab3-8c964278933a"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"action":"start","category.generic":"Attack","category.high":"Execution","category.low":"User Execution: Malicious 
File","correlation_name":"Suspicious_Microsoft_Office_Child_Process","correlation_type":"incident","count":1,"event_src.category":"Other","event_src.fqdn":"win10-work.stand2008.local","event_src.host":"win10-work.stand2008.local","event_src.hostname":"win10-work","event_src.subsys":"Microsoft-Windows-Sysmon/Operational","event_src.title":"sysmon","event_src.vendor":"microsoft","generator.type":"correlationengine","importance":"medium","incident.aggregation.key":"Suspicious_Microsoft_Office_Child_Process|win10-work.stand2008.local|","incident.aggregation.timeout":7200,"incident.category":"SoftwareSuspiciousActivity","incident.severity":"medium","msgid":"1","normalized":true,"object":"process","object.account.domain":"stand2008","object.account.id":"synthetic:администратор@stand2008","object.account.name":"администратор","object.account.session_id":"10056895","object.process.cmdline":"C:\\Windows\\System32\\cmd.exe /c whoami & pause","object.process.cwd":"C:\\Users\\Администратор.STAND2008\\Desktop\\","object.process.fullpath":"c:\\windows\\syswow64\\cmd.exe","object.process.guid":"2b856446-c645-6696-fa0a-000000002f02","object.process.hash.md5":"D3348AC2130C7E754754A6E9CB053B09","object.process.hash.sha1":"C2DBE672C77E7C3C1A8B2FA858CCD251C88BF116","object.process.hash.sha256":"E9EF013238495BFFCE7459E059BFFE340A0F08B439EC94E7D4436F4E13714ECD","object.process.id":"5300","object.process.meta":"Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation","object.process.name":"cmd.exe","object.process.original_name":"Cmd.Exe","object.process.parent.cmdline":"\"C:\\Program Files (x86)\\Microsoft Office\\Office15\\WINWORD.EXE\" /n \"C:\\Users\\Администратор.STAND2008\\Desktop\\macros.docm\" /o \"\"","object.process.parent.fullpath":"c:\\program files (x86)\\microsoft 
office\\office15\\winword.exe","object.process.parent.guid":"2b856446-c640-6696-f80a-000000002f02","object.process.parent.id":"12672","object.process.parent.name":"winword.exe","object.process.parent.path":"c:\\program files (x86)\\microsoft office\\office15\\","object.process.path":"c:\\windows\\syswow64\\","object.process.version":"10.0.19041.3636 (WinBuild.160101.0800)","origin_app_id":"00000000-0000-0000-0000-000000000005","primary_siem_app_id":"00000000-0000-0000-0000-000000000005","status":"success","subject":"account","subject.account.domain":"stand2008","subject.account.id":"synthetic:администратор@stand2008","subject.account.name":"администратор","subject.account.privileges":"Medium","subject.account.session_id":"10056895","time":"2024-07-16T19:13:09.000Z"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/tests/test_conds_1.tc b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/tests/test_conds_1.tc new file mode 100644 index 00000000..4ae0fc09 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/tests/test_conds_1.tc 
@@ -0,0 +1 @@ +expect 1 {"action":"start","category.generic":"Attack","category.high":"Execution","category.low":"User Execution: Malicious File","correlation_name":"Suspicious_Microsoft_Office_Child_Process","correlation_type":"incident","event_src.category":"Operating system","event_src.fqdn":"win10-work.stand2008.local","event_src.host":"win10-work.stand2008.local","event_src.hostname":"win10-work","event_src.subsys":"Security","event_src.title":"windows","event_src.vendor":"microsoft","importance":"medium","incident.aggregation.key":"Suspicious_Microsoft_Office_Child_Process|win10-work.stand2008.local|","incident.aggregation.timeout":7200,"incident.category":"SoftwareSuspiciousActivity","incident.severity":"medium","object":"process","object.account.domain":"stand2008","object.account.id":"S-1-5-21-3800063338-4262557262-2801230003-500","object.account.name":"администратор","object.account.session_id":"10056895","object.process.cmdline":"C:\\Windows\\System32\\cmd.exe /c whoami & pause","object.process.fullpath":"c:\\windows\\syswow64\\cmd.exe","object.process.id":"5300","object.process.name":"cmd.exe","object.process.parent.fullpath":"c:\\program files (x86)\\microsoft office\\office15\\winword.exe","object.process.parent.id":"12672","object.process.parent.name":"winword.exe","object.process.parent.path":"c:\\program files (x86)\\microsoft office\\office15\\","object.process.path":"c:\\windows\\syswow64\\","status":"success","subject":"account","subject.account.domain":"stand2008","subject.account.id":"S-1-5-21-3800063338-4262557262-2801230003-500","subject.account.name":"администратор","subject.account.privileges":"TokenElevationTypeLimited","subject.account.session_id":"10056895"} \ No newline at end of file 
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/tests/test_conds_2.tc b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/tests/test_conds_2.tc
new file mode 100644
index 00000000..dd6edfd7
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Suspicious_Microsoft_Office_Child_Process/tests/test_conds_2.tc
@@ -0,0 +1 @@
+expect 1 {"correlation_name":"Suspicious_Microsoft_Office_Child_Process"}
\ No newline at end of file