Suspicious .NET Code Compilation

 1[metadata]
 2creation_date = "2020/08/21"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = "Identifies suspicious .NET code execution. connections."
12from = "now-9m"
13index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
14language = "eql"
15license = "Elastic License v2"
16name = "Suspicious .NET Code Compilation"
17note = """## Setup
18
19If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
20"""
21risk_score = 47
22rule_id = "201200f1-a99b-43fb-88ed-f65a45c4972c"
23severity = "medium"
24tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
25timestamp_override = "event.ingested"
26type = "eql"
27
28query = '''
29process where host.os.type == "windows" and event.type == "start" and
30  process.name : ("csc.exe", "vbc.exe") and
31  process.parent.name : ("wscript.exe", "mshta.exe", "cscript.exe", "wmic.exe", "svchost.exe", "rundll32.exe", "cmstp.exe", "regsvr32.exe")
32'''
33
34
35[[rule.threat]]
36framework = "MITRE ATT&CK"
37[[rule.threat.technique]]
38id = "T1027"
39name = "Obfuscated Files or Information"
40reference = "https://attack.mitre.org/techniques/T1027/"
41[[rule.threat.technique.subtechnique]]
42id = "T1027.004"
43name = "Compile After Delivery"
44reference = "https://attack.mitre.org/techniques/T1027/004/"
45
46
47
48[rule.threat.tactic]
49id = "TA0005"
50name = "Defense Evasion"
51reference = "https://attack.mitre.org/tactics/TA0005/"