Suspicious Execution from a Mounted Device

  1[metadata]
  2creation_date = "2021/05/28"
  3integration = ["endpoint", "windows"]
  4maturity = "production"
  5updated_date = "2024/10/15"
  6min_stack_version = "8.14.0"
  7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may
 13use this technique to evade defenses.
 14"""
 15from = "now-9m"
 16index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*"]
 17language = "eql"
 18license = "Elastic License v2"
 19name = "Suspicious Execution from a Mounted Device"
 20references = [
 21    "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
 22    "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/",
 23]
 24risk_score = 47
 25rule_id = "8a1d4831-3ce6-4859-9891-28931fa6101d"
 26setup = """## Setup
 27
 28If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
 29events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
 30Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
 31`event.ingested` to @timestamp.
 32For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 33"""
 34severity = "medium"
 35tags = [
 36    "Domain: Endpoint",
 37    "OS: Windows",
 38    "Use Case: Threat Detection",
 39    "Tactic: Defense Evasion",
 40    "Tactic: Execution",
 41    "Data Source: Elastic Defend",
 42    "Data Source: Sysmon",
 43]
 44timestamp_override = "event.ingested"
 45type = "eql"
 46
 47query = '''
 48process where host.os.type == "windows" and event.type == "start" and process.executable : "C:\\*" and
 49  (process.working_directory : "?:\\" and not process.working_directory: "C:\\") and
 50  process.parent.name : "explorer.exe" and
 51  process.name : ("rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "regsvr32.exe",
 52                  "cscript.exe", "wscript.exe")
 53'''
 54
 55
 56[[rule.threat]]
 57framework = "MITRE ATT&CK"
 58[[rule.threat.technique]]
 59id = "T1218"
 60name = "System Binary Proxy Execution"
 61reference = "https://attack.mitre.org/techniques/T1218/"
 62[[rule.threat.technique.subtechnique]]
 63id = "T1218.005"
 64name = "Mshta"
 65reference = "https://attack.mitre.org/techniques/T1218/005/"
 66
 67[[rule.threat.technique.subtechnique]]
 68id = "T1218.010"
 69name = "Regsvr32"
 70reference = "https://attack.mitre.org/techniques/T1218/010/"
 71
 72[[rule.threat.technique.subtechnique]]
 73id = "T1218.011"
 74name = "Rundll32"
 75reference = "https://attack.mitre.org/techniques/T1218/011/"
 76
 77
 78
 79[rule.threat.tactic]
 80id = "TA0005"
 81name = "Defense Evasion"
 82reference = "https://attack.mitre.org/tactics/TA0005/"
 83[[rule.threat]]
 84framework = "MITRE ATT&CK"
 85[[rule.threat.technique]]
 86id = "T1059"
 87name = "Command and Scripting Interpreter"
 88reference = "https://attack.mitre.org/techniques/T1059/"
 89[[rule.threat.technique.subtechnique]]
 90id = "T1059.001"
 91name = "PowerShell"
 92reference = "https://attack.mitre.org/techniques/T1059/001/"
 93
 94[[rule.threat.technique.subtechnique]]
 95id = "T1059.003"
 96name = "Windows Command Shell"
 97reference = "https://attack.mitre.org/techniques/T1059/003/"
 98
 99
100
101[rule.threat.tactic]
102id = "TA0002"
103name = "Execution"
104reference = "https://attack.mitre.org/tactics/TA0002/"