Suspicious Execution from a Mounted Device

  1[metadata]
  2creation_date = "2021/05/28"
  3integration = ["endpoint", "windows"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may
 11use this technique to evade defenses.
 12"""
 13from = "now-9m"
 14index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*"]
 15language = "eql"
 16license = "Elastic License v2"
 17name = "Suspicious Execution from a Mounted Device"
 18note = """## Triage and analysis
 19
 20> **Disclaimer**:
 21> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 22
 23### Investigating Suspicious Execution from a Mounted Device
 24
 25In Windows environments, script interpreters and signed binaries are essential for executing legitimate tasks. However, adversaries can exploit these by launching them from non-standard directories, such as mounted devices, to bypass security measures. The detection rule identifies such anomalies by monitoring processes initiated from unexpected directories, especially when triggered by common parent processes like explorer.exe, thus flagging potential defense evasion attempts.
 26
 27### Possible investigation steps
 28
 29- Review the process details to confirm the executable path and working directory, ensuring they match the criteria of being launched from a non-standard directory (e.g., not from "C:\\\\").
 30- Investigate the parent process, explorer.exe, to determine if there are any unusual activities or user actions that might have triggered the suspicious execution.
 31- Check the user account associated with the process to verify if the activity aligns with their typical behavior or if the account might be compromised.
 32- Analyze the command line arguments used by the suspicious process to identify any potentially malicious scripts or commands being executed.
 33- Correlate the event with other security alerts or logs from the same host to identify any patterns or additional indicators of compromise.
 34- Examine the mounted device from which the process was executed to determine its origin, legitimacy, and any associated files that might be malicious.
 35
 36### False positive analysis
 37
 38- Legitimate software installations or updates may trigger the rule if they are executed from a mounted device. Users can create exceptions for known software update processes that are verified as safe.
 39- Portable applications running from USB drives or external storage can be flagged. To mitigate this, users should whitelist specific applications that are frequently used and deemed non-threatening.
 40- IT administrative scripts executed from network shares or mounted drives for maintenance tasks might be detected. Users can exclude these scripts by specifying trusted network paths or script names.
 41- Development environments where scripts are tested from non-standard directories can cause alerts. Developers should ensure their working directories are recognized as safe or use designated development machines with adjusted monitoring rules.
 42- Backup or recovery operations that utilize mounted devices for script execution may be misidentified. Users should identify and exclude these operations by defining exceptions for known backup tools and processes.
 43
 44### Response and remediation
 45
 46- Isolate the affected system from the network to prevent further malicious activity and lateral movement.
 47- Terminate any suspicious processes identified by the detection rule, such as those initiated by script interpreters or signed binaries from non-standard directories.
 48- Conduct a forensic analysis of the mounted device and the affected system to identify any malicious payloads or scripts and remove them.
 49- Review and restore any altered system configurations or registry settings to their original state to ensure system integrity.
 50- Update and patch the system to close any vulnerabilities that may have been exploited by the attacker.
 51- Monitor for any recurrence of similar activities by enhancing logging and alerting mechanisms, focusing on process execution from non-standard directories.
 52- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 53references = [
 54    "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
 55    "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/",
 56]
 57risk_score = 47
 58rule_id = "8a1d4831-3ce6-4859-9891-28931fa6101d"
 59setup = """## Setup
 60
 61If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
 62events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
 63Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
 64`event.ingested` to @timestamp.
 65For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 66"""
 67severity = "medium"
 68tags = [
 69    "Domain: Endpoint",
 70    "OS: Windows",
 71    "Use Case: Threat Detection",
 72    "Tactic: Defense Evasion",
 73    "Tactic: Execution",
 74    "Data Source: Elastic Defend",
 75    "Data Source: Sysmon",
 76    "Resources: Investigation Guide",
 77]
 78timestamp_override = "event.ingested"
 79type = "eql"
 80
 81query = '''
 82process where host.os.type == "windows" and event.type == "start" and process.executable : "C:\\*" and
 83  (process.working_directory : "?:\\" and not process.working_directory: "C:\\") and
 84  process.parent.name : "explorer.exe" and
 85  process.name : ("rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "regsvr32.exe",
 86                  "cscript.exe", "wscript.exe")
 87'''
 88
 89
 90[[rule.threat]]
 91framework = "MITRE ATT&CK"
 92[[rule.threat.technique]]
 93id = "T1218"
 94name = "System Binary Proxy Execution"
 95reference = "https://attack.mitre.org/techniques/T1218/"
 96[[rule.threat.technique.subtechnique]]
 97id = "T1218.005"
 98name = "Mshta"
 99reference = "https://attack.mitre.org/techniques/T1218/005/"
100
101[[rule.threat.technique.subtechnique]]
102id = "T1218.010"
103name = "Regsvr32"
104reference = "https://attack.mitre.org/techniques/T1218/010/"
105
106[[rule.threat.technique.subtechnique]]
107id = "T1218.011"
108name = "Rundll32"
109reference = "https://attack.mitre.org/techniques/T1218/011/"
110
111
112
113[rule.threat.tactic]
114id = "TA0005"
115name = "Defense Evasion"
116reference = "https://attack.mitre.org/tactics/TA0005/"
117[[rule.threat]]
118framework = "MITRE ATT&CK"
119[[rule.threat.technique]]
120id = "T1059"
121name = "Command and Scripting Interpreter"
122reference = "https://attack.mitre.org/techniques/T1059/"
123[[rule.threat.technique.subtechnique]]
124id = "T1059.001"
125name = "PowerShell"
126reference = "https://attack.mitre.org/techniques/T1059/001/"
127
128[[rule.threat.technique.subtechnique]]
129id = "T1059.003"
130name = "Windows Command Shell"
131reference = "https://attack.mitre.org/techniques/T1059/003/"
132
133
134
135[rule.threat.tactic]
136id = "TA0002"
137name = "Execution"
138reference = "https://attack.mitre.org/tactics/TA0002/"