Potential Masquerading as Communication Apps
Identifies suspicious instances of communication apps — unsigned or renamed ones — that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware.
# Elastic prebuilt detection rule. Fires on Windows process starts whose executable
# name matches a well-known communication/collaboration app but whose code signature
# is not the expected vendor's trusted signature (see the query below).
[metadata]
creation_date = "2023/05/05"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/31"

[rule]
author = ["Elastic"]
description = """
Identifies suspicious instances of communications apps, both unsigned and renamed ones, that can indicate an attempt to
conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware.
"""
# Lookback window for each rule execution.
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Masquerading as Communication Apps"
risk_score = 47
rule_id = "c9482bfa-a553-4226-8ea2-4959bd4f7923"
severity = "medium"
tags = [
 "Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Defense Evasion",
 "Data Source: Elastic Defend",
]
# Evaluate the lookback window against ingest time rather than @timestamp so
# late-arriving events are not missed.
timestamp_override = "event.ingested"
type = "eql"

# Query structure: every branch has the shape
#   process.name : "<app>.exe" and not (<vendor subject_name> and process.code_signature.trusted == true)
# so a hit means the binary carried one of these names but did not have the vendor's
# trusted signature (unsigned, untrusted chain, or signed by a different subject).
# `:` is EQL's case-insensitive string match. Only process.name is compared; the PE
# original file name is not consulted.
# NOTE(review): EQL comparisons against absent fields evaluate to null, and `not null`
# is not true. Confirm the data source populates process.code_signature.* (e.g.
# trusted = false) for unsigned executables, otherwise the "unsigned" case would
# not match this rule.
# NOTE(review): one WhatsApp subject_name entry is a GUID-like string — presumably a
# store/package identity; verify against current signer data when tuning.
query = '''
process where host.os.type == "windows" and
 event.type == "start" and
 (
 /* Slack */
 (process.name : "slack.exe" and not
 (process.code_signature.subject_name in (
 "Slack Technologies, Inc.",
 "Slack Technologies, LLC"
 ) and process.code_signature.trusted == true)
 ) or

 /* WebEx */
 (process.name : "WebexHost.exe" and not
 (process.code_signature.subject_name in ("Cisco WebEx LLC", "Cisco Systems, Inc.") and process.code_signature.trusted == true)
 ) or

 /* Teams */
 (process.name : "Teams.exe" and not
 (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
 ) or

 /* Discord */
 (process.name : "Discord.exe" and not
 (process.code_signature.subject_name == "Discord Inc." and process.code_signature.trusted == true)
 ) or

 /* RocketChat */
 (process.name : "Rocket.Chat.exe" and not
 (process.code_signature.subject_name == "Rocket.Chat Technologies Corp." and process.code_signature.trusted == true)
 ) or

 /* Mattermost */
 (process.name : "Mattermost.exe" and not
 (process.code_signature.subject_name == "Mattermost, Inc." and process.code_signature.trusted == true)
 ) or

 /* WhatsApp */
 (process.name : "WhatsApp.exe" and not
 (process.code_signature.subject_name in (
 "WhatsApp LLC",
 "WhatsApp, Inc",
 "24803D75-212C-471A-BC57-9EF86AB91435"
 ) and process.code_signature.trusted == true)
 ) or

 /* Zoom */
 (process.name : "Zoom.exe" and not
 (process.code_signature.subject_name == "Zoom Video Communications, Inc." and process.code_signature.trusted == true)
 ) or

 /* Outlook */
 (process.name : "outlook.exe" and not
 (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
 ) or

 /* Thunderbird */
 (process.name : "thunderbird.exe" and not
 (process.code_signature.subject_name == "Mozilla Corporation" and process.code_signature.trusted == true)
 )
 )
'''


# ATT&CK mapping 1: Defense Evasion via Masquerading, with the two sub-techniques
# this query covers (invalid code signature, legitimate-looking name).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.001"
name = "Invalid Code Signature"
reference = "https://attack.mitre.org/techniques/T1036/001/"

[[rule.threat.technique.subtechnique]]
id = "T1036.005"
name = "Match Legitimate Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/"



# A [rule.threat.tactic] table attaches to the most recent [[rule.threat]] element.
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
# ATT&CK mapping 2: Persistence via a compromised host software binary.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1554"
name = "Compromise Host Software Binary"
reference = "https://attack.mitre.org/techniques/T1554/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"