Potential Masquerading as Communication Apps

Identifies suspicious instances of communications apps, both unsigned and renamed ones, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware.

Elastic rule

# Elastic prebuilt detection rule. Flags well-known communication-app
# executables whose code signature is not (expected publisher AND trusted),
# i.e. unsigned, untrusted, or signed by an unexpected subject.
[metadata]
creation_date = "2023/05/05"
# Data comes from the Elastic Defend ("endpoint") integration; the data
# stream the query reads is the `index` key under [rule] below.
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/31"

[rule]
author = ["Elastic"]
description = """
Identifies suspicious instances of communications apps, both unsigned and renamed ones, that can indicate an attempt to
conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware.
"""
# Look-back window per execution. No `interval` key is set in this file, so
# the 9 minute window is presumably sized to overlap the default schedule and
# avoid gaps for late-arriving events — TODO confirm.
from = "now-9m"
# Process events from Elastic Defend (pairs with `integration` above).
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Masquerading as Communication Apps"
# risk_score and severity are kept in step with each other (47 / medium).
risk_score = 47
rule_id = "c9482bfa-a553-4226-8ea2-4959bd4f7923"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
]
# NOTE(review): presumably evaluates events on ingestion time rather than
# @timestamp so late-arriving events are still seen by the look-back — confirm.
timestamp_override = "event.ingested"
type = "eql"

# Every branch of the query has the same shape: the process name equals a
# well-known app executable (`:` rather than `==`, which in EQL is a
# case-insensitive string match) AND the signature is NOT (expected
# publisher AND trusted). An event therefore matches when the subject name is
# outside the expected set or `trusted` is not true.
# Scope: keyed on process.name only. A copy of one of these apps executed
# under a different file name is not covered — nothing here inspects
# process.pe.original_file_name — so "renamed" in the description should be
# read as "carries a legitimate app name", not "legitimate app under a new
# name".
# NOTE(review): how events that carry no process.code_signature.* fields at
# all evaluate under `not (...)` depends on EQL null semantics — confirm that
# a fully unsigned binary (no subject_name) still produces a match.
# NOTE(review): the GUID-shaped WhatsApp subject_name looks like a packaged
# (Store) publisher identifier rather than an organisation name — confirm it
# is intentional and still current.
query = '''
process where host.os.type == "windows" and
  event.type == "start" and
  (
    /* Slack */
    (process.name : "slack.exe" and not
      (process.code_signature.subject_name in (
        "Slack Technologies, Inc.",
        "Slack Technologies, LLC"
       ) and process.code_signature.trusted == true)
    ) or

    /* WebEx */
    (process.name : "WebexHost.exe" and not
      (process.code_signature.subject_name in ("Cisco WebEx LLC", "Cisco Systems, Inc.") and process.code_signature.trusted == true)
    ) or

    /* Teams */
    (process.name : "Teams.exe" and not
      (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
    ) or

    /* Discord */
    (process.name : "Discord.exe" and not
      (process.code_signature.subject_name == "Discord Inc." and process.code_signature.trusted == true)
    ) or

    /* RocketChat */
    (process.name : "Rocket.Chat.exe" and not
      (process.code_signature.subject_name == "Rocket.Chat Technologies Corp." and process.code_signature.trusted == true)
    ) or

    /* Mattermost */
    (process.name : "Mattermost.exe" and not
      (process.code_signature.subject_name == "Mattermost, Inc." and process.code_signature.trusted == true)
    ) or

    /* WhatsApp */
    (process.name : "WhatsApp.exe" and not
      (process.code_signature.subject_name in (
        "WhatsApp LLC",
        "WhatsApp, Inc",
        "24803D75-212C-471A-BC57-9EF86AB91435"
       ) and process.code_signature.trusted == true)
    ) or

    /* Zoom */
    (process.name : "Zoom.exe" and not
      (process.code_signature.subject_name == "Zoom Video Communications, Inc." and process.code_signature.trusted == true)
    ) or

    /* Outlook */
    (process.name : "outlook.exe" and not
      (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
    ) or

    /* Thunderbird */
    (process.name : "thunderbird.exe" and not
      (process.code_signature.subject_name == "Mozilla Corporation" and process.code_signature.trusted == true)
    )
  )
'''


# ATT&CK mapping 1: Masquerading. Covers both facets the query checks — an
# invalid/untrusted signature (T1036.001) on a process that carries a
# legitimate app file name (T1036.005).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.001"
name = "Invalid Code Signature"
reference = "https://attack.mitre.org/techniques/T1036/001/"

[[rule.threat.technique.subtechnique]]
id = "T1036.005"
name = "Match Legitimate Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
# ATT&CK mapping 2: a legitimate app binary that has been replaced or
# modified in place (T1554) also shows up as a name match with a broken
# signature, hence the second mapping under Persistence.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1554"
name = "Compromise Host Software Binary"
reference = "https://attack.mitre.org/techniques/T1554/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

Related rules
