Hex Encoding/Decoding Activity

Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/04/17"
 3deprecation_date = "2021/04/15"
 4maturity = "deprecated"
 5updated_date = "2021/04/15"
 6
 7[rule]
 8author = ["Elastic"]
 9description = "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls."
10false_positives = [
11    """
12    Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be
13    filtered by the process executable or username values.
14    """,
15]
16from = "now-9m"
17index = ["auditbeat-*", "logs-endpoint.events.*"]
18language = "kuery"
19license = "Elastic License v2"
20name = "Hex Encoding/Decoding Activity"
21risk_score = 21
22rule_id = "a9198571-b135-4a76-b055-e3e5a476fd83"
23severity = "low"
24tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
25timestamp_override = "event.ingested"
26type = "query"
27
28query = '''
29event.category:process and event.type:(start or process_started) and process.name:(hexdump or od or xxd)
30'''
31
32
# MITRE ATT&CK mapping: two techniques, both under the Defense Evasion tactic.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1140"
name = "Deobfuscate/Decode Files or Information"
reference = "https://attack.mitre.org/techniques/T1140/"

[[rule.threat.technique]]
id = "T1027"
name = "Obfuscated Files or Information"
reference = "https://attack.mitre.org/techniques/T1027/"

# Sub-table of the [[rule.threat]] element above.
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
