@@ -0,0 +1,4 @@
Description: 'Suspicious Microsoft Office child process has been detected'
EventDescriptions:
- LocalizationId: 'corrname_Suspicious_Microsoft_Office_Child_Process'
EventDescription: 'Suspicious child process {object.process.name} has been created by {object.process.parent.name} at host {event_src.host}'
@@ -0,0 +1,4 @@
Description: 'Обнаружен подозрительный процесс, созданный приложением MS Office'
EventDescriptions:
- LocalizationId: 'corrname_Suspicious_Microsoft_Office_Child_Process'
EventDescription: 'Обнаружен подозрительный процесс {object.process.name}, созданный приложением MS Office {object.process.parent.name}, на узле {event_src.host}'
@@ -0,0 +1,30 @@
ContentAutoName: Suspicious_Microsoft_Office_Child_Process
ExpertContext:
Created: 16.07.2024
Updated: 29.07.2024
KnowledgeHolders:
- driverenok
Usecases:
- Атакующие могут использовать инструментарий MS Office чтобы создавать дочерние процессы
Falsepositives: []
References:
- https://github.com/SigmaHQ/sigma/blob/568f1aef336e62a0c52bc28e6b635950ca900f97/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml
- https://t.me/ptescalator/24
- https://docs.logpoint.com/docs/alert-rules/en/latest/MITRE%20ATT&CK%20Analytics.html
Improvements: []
DataSources:
- Provider: Microsoft-Windows-Security-Auditing
EventID:
- 4688
- Provider: Microsoft-Windows-Sysmon
EventID:
- 1
ObjectId: SEC-CR-189386588
ContentRelations:
Implements:
ATTACK:
execution:
- T1204.002
EventDescriptions:
- Criteria: correlation_name = "Suspicious_Microsoft_Office_Child_Process"
LocalizationId: corrname_Suspicious_Microsoft_Office_Child_Process
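Review bot: `Falsepositives: []` is left empty although the rule this metadata describes fires on any process whose parent is one of the listed Office binaries, with only an exact self-spawn excluded; Office applications typically launch helper processes of their own (printing, crash reporting, opening links in a browser), so an empty list under-states the noise an analyst should expect. Suggest listing the benign child processes observed in the test environment, or adding a line such as `- Legitimate Office helper processes; tune with an allowlist of expected children` so the tuning requirement is explicit. The `Usecases` text `Атакующие могут использовать инструментарий MS Office чтобы создавать дочерние процессы` could also state what makes a child suspicious, since the rule currently does not distinguish.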
@@ -0,0 +1,88 @@
event CreateProcess_via_MSOffice:
key:
event_src.host
filter {
filter::NotFromCorrelator()
and filter::ProcessStart_Windows_any()
and in_list(["winword.exe", "excel.exe", "powerpnt.exe", "visio.exe", "mspub.exe", "eqnedt32.exe", "outlook.exe", "eqnedt32.exe", "msosync.exe", "msaccess.exe", "onenote.exe", "winproj.exe", "wordpad.exe", "wordview.exe"], lower(object.process.parent.name))
and object.process.parent.fullpath != object.process.fullpath
}

rule Suspicious_Microsoft_Office_Child_Process: CreateProcess_via_MSOffice

on CreateProcess_via_MSOffice {
# subject
$subject = subject

$subject.account.name = subject.account.name
$subject.account.domain = subject.account.domain
$subject.account.session_id = subject.account.session_id
$subject.account.id = subject.account.id
$subject.account.privileges = subject.account.privileges

# action
$action = action

# object
$object = object

$object.account.session_id = object.account.session_id
$object.account.name = object.account.name
$object.account.domain = object.account.domain
$object.account.id = object.account.id

$object.process.id = object.process.id
$object.process.name = object.process.name
$object.process.path = object.process.path
$object.process.fullpath = object.process.fullpath
$object.process.hash = object.process.hash
$object.process.hash.md5 = object.process.hash.md5
$object.process.hash.sha1 = object.process.hash.sha1
$object.process.hash.sha256 = object.process.hash.sha256
$object.process.version = object.process.version
$object.process.cmdline = object.process.cmdline
$object.process.guid = object.process.guid
$object.process.meta = object.process.meta
$object.process.original_name = object.process.original_name
$object.process.cwd = object.process.cwd
$object.process.chain = object.process.chain

$object.process.parent.id = object.process.parent.id
$object.process.parent.name = object.process.parent.name
$object.process.parent.path = object.process.parent.path
$object.process.parent.fullpath = object.process.parent.fullpath
$object.process.parent.guid = object.process.parent.guid
$object.process.parent.cmdline = object.process.parent.cmdline

# status
$status = status

# event src host
$event_src.host = event_src.host
$event_src.fqdn = event_src.fqdn
$event_src.hostname = event_src.hostname
$event_src.ip = event_src.ip
$event_src.asset = event_src.asset
$event_src.vendor = event_src.vendor
$event_src.title = event_src.title
$event_src.subsys = event_src.subsys
$event_src.category = event_src.category
}

emit {
$correlation_type = "incident"

$importance = "medium"

$category.generic = "Attack"
$category.high = "Execution"
$category.low = "User Execution: Malicious File"

$incident.aggregation.key = join([$correlation_name, lower($event_src.host), lower($object.name)], "|")
$incident.aggregation.timeout = 2h

$incident.severity = $importance

$incident.category = "SoftwareSuspiciousActivity"
$incident.type = "Undefined"
}
@@ -0,0 +1 @@
{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"2\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2024-07-16T19:13:09.4505298Z\"},\"EventRecordID\":\"237268195\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"9516\"},\"Channel\":\"Security\",\"Computer\":\"win10-work.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3800063338-4262557262-2801230003-500\"},{\"Name\":\"SubjectUserName\",\"text\":\"Администратор\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x9974bf\"},{\"Name\":\"NewProcessId\",\"text\":\"0x14b4\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\SysWOW64\\\\cmd.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x3180\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe /c whoami & pause\"},{\"Name\":\"TargetUserSid\",\"text\":\"S-1-0-0\"},{\"Name\":\"TargetUserName\",\"text\":\"-\"},{\"Name\":\"TargetDomainName\",\"text\":\"-\"},{\"Name\":\"TargetLogonId\",\"text\":\"0x0\"},{\"Name\":\"ParentProcessName\",\"text\":\"C:\\\\Program Files (x86)\\\\Microsoft Office\\\\Office15\\\\WINWORD.EXE\"},{\"Name\":\"MandatoryLabel\",\"text\":\"S-1-16-8192\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2024-07-16T19:40:14.900Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"23cb42a0-c1ed-4080-93d9-208b5953e909"}
@@ -0,0 +1 @@
{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2024-07-16T19:13:09.4782189Z\"},\"EventRecordID\":\"96854957\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"3880\",\"ThreadID\":\"4944\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"win10-work.stand2008.local\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"-\"},{\"Name\":\"UtcTime\",\"text\":\"2024-07-16 19:13:09.450\"},{\"Name\":\"ProcessGuid\",\"text\":\"{2b856446-c645-6696-fa0a-000000002f02}\"},{\"Name\":\"ProcessId\",\"text\":\"5300\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\SysWOW64\\\\cmd.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.19041.3636 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Command Processor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"Cmd.Exe\"},{\"Name\":\"CommandLine\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe /c whoami & 
pause\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Users\\\\Администратор.STAND2008\\\\Desktop\\\\\"},{\"Name\":\"User\",\"text\":\"STAND2008\\\\Администратор\"},{\"Name\":\"LogonGuid\",\"text\":\"{2b856446-29ef-6696-bf74-990000000000}\"},{\"Name\":\"LogonId\",\"text\":\"0x9974bf\"},{\"Name\":\"TerminalSessionId\",\"text\":\"2\"},{\"Name\":\"IntegrityLevel\",\"text\":\"Medium\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=C2DBE672C77E7C3C1A8B2FA858CCD251C88BF116,MD5=D3348AC2130C7E754754A6E9CB053B09,SHA256=E9EF013238495BFFCE7459E059BFFE340A0F08B439EC94E7D4436F4E13714ECD,IMPHASH=392B4D61B1D1DADC1F06444DF258188A\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{2b856446-c640-6696-f80a-000000002f02}\"},{\"Name\":\"ParentProcessId\",\"text\":\"12672\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Program Files (x86)\\\\Microsoft Office\\\\Office15\\\\WINWORD.EXE\"},{\"Name\":\"ParentCommandLine\",\"text\":\"\\\"C:\\\\Program Files (x86)\\\\Microsoft Office\\\\Office15\\\\WINWORD.EXE\\\" /n \\\"C:\\\\Users\\\\Администратор.STAND2008\\\\Desktop\\\\macros.docm\\\" /o \\\"\\\"\"},{\"Name\":\"ParentUser\",\"text\":\"STAND2008\\\\Администратор\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2024-07-16T19:40:58.891Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"80a0c7e6-8c21-4284-9ab3-8c964278933a"}
@@ -0,0 +1,4 @@
{"action":"start","category.generic":"Process","category.high":"Availability Management","category.low":"Control","event_src.category":"Operating system","event_src.fqdn":"win10-work.stand2008.local","event_src.host":"win10-work.stand2008.local","event_src.hostname":"win10-work","event_src.subsys":"Security","event_src.title":"windows","event_src.vendor":"microsoft","generator.type":"logcollector","generator.version":"N26.0.2936","id":"PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created","importance":"info","input_id":"00000000-0000-0000-0000-000000000000","mime":"application/x-pt-eventlog","msgid":"4688","normalized":true,"object":"process","object.account.domain":"stand2008","object.account.id":"S-1-5-21-3800063338-4262557262-2801230003-500","object.account.name":"администратор","object.account.session_id":"10056895","object.process.cmdline":"C:\\Windows\\System32\\cmd.exe /c whoami & pause","object.process.fullpath":"c:\\windows\\syswow64\\cmd.exe","object.process.id":"5300","object.process.name":"cmd.exe","object.process.parent.fullpath":"c:\\program files (x86)\\microsoft office\\office15\\winword.exe","object.process.parent.id":"12672","object.process.parent.name":"winword.exe","object.process.parent.path":"c:\\program files (x86)\\microsoft office\\office15\\","object.process.path":"c:\\windows\\syswow64\\","recv_ipv4":"127.0.0.1","recv_time":"2024-07-16T19:40:14.900Z","status":"success","subject":"account","subject.account.domain":"stand2008","subject.account.id":"S-1-5-21-3800063338-4262557262-2801230003-500","subject.account.name":"администратор","subject.account.privileges":"TokenElevationTypeLimited","subject.account.session_id":"10056895","subject.state":"on behalf of oneself","tag":"some_tag","task_id":"00000000-0000-0000-0000-000000000000","taxonomy_version":"26.0.215-release-26.0","time":"2024-07-16T19:13:09.450Z","type":"raw","uuid":"23cb42a0-c1ed-4080-93d9-208b5953e909"}

# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь
expect 1 {"action":"start","category.generic":"Attack","category.high":"Execution","category.low":"User Execution: Malicious File","correlation_name":"Suspicious_Microsoft_Office_Child_Process","correlation_type":"incident","count":1,"event_src.category":"Operating system","event_src.fqdn":"win10-work.stand2008.local","event_src.host":"win10-work.stand2008.local","event_src.hostname":"win10-work","event_src.subsys":"Security","event_src.title":"windows","event_src.vendor":"microsoft","generator.type":"correlationengine","importance":"medium","incident.aggregation.key":"Suspicious_Microsoft_Office_Child_Process|win10-work.stand2008.local|","incident.aggregation.timeout":7200,"incident.category":"SoftwareSuspiciousActivity","incident.severity":"medium","msgid":"4688","normalized":true,"object":"process","object.account.domain":"stand2008","object.account.id":"S-1-5-21-3800063338-4262557262-2801230003-500","object.account.name":"администратор","object.account.session_id":"10056895","object.process.cmdline":"C:\\Windows\\System32\\cmd.exe /c whoami & pause","object.process.fullpath":"c:\\windows\\syswow64\\cmd.exe","object.process.id":"5300","object.process.name":"cmd.exe","object.process.parent.fullpath":"c:\\program files (x86)\\microsoft office\\office15\\winword.exe","object.process.parent.id":"12672","object.process.parent.name":"winword.exe","object.process.parent.path":"c:\\program files (x86)\\microsoft office\\office15\\","object.process.path":"c:\\windows\\syswow64\\","origin_app_id":"00000000-0000-0000-0000-000000000005","primary_siem_app_id":"00000000-0000-0000-0000-000000000005","status":"success","subject":"account","subject.account.domain":"stand2008","subject.account.id":"S-1-5-21-3800063338-4262557262-2801230003-500","subject.account.name":"администратор","subject.account.privileges":"TokenElevationTypeLimited","subject.account.session_id":"10056895","time":"2024-07-16T19:13:09.000Z"}
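Review bot: The test exercises only the Security 4688 path (the normalized event carries `"msgid":"4688"`), while the metadata declares Sysmon EventID 1 as a second data source and a raw Sysmon event is added in this PR; a second normalized Sysmon-1 event with its own `expect` would show that `ProcessStart_Windows_any()` and the parent-name check also match that normalization. There is no negative case either (a parent outside the list, or an Office binary spawning its own fullpath), so the filter's exclusion is not demonstrated. The placeholder comment `# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь` is template text and should be replaced with a description of the scenario, e.g. `# winword.exe opened macros.docm and spawned cmd.exe — expect one incident`.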