Suspicious Execution from a Mounted Device

calendar May 22, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Defense Evasion Tactic: Execution Data Source: Elastic Defend Data Source: Sysmon  ·
Share on: linkedin copy

Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may use this technique to evade defenses.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2021/05/28"
  3integration = ["endpoint", "windows"]
  4maturity = "production"
  5updated_date = "2024/05/21"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may
 11use this technique to evade defenses.
 12"""
 13from = "now-9m"
 14index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*"]
 15language = "eql"
 16license = "Elastic License v2"
 17name = "Suspicious Execution from a Mounted Device"
 18references = [
 19    "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
 20    "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/",
 21]
 22risk_score = 47
 23rule_id = "8a1d4831-3ce6-4859-9891-28931fa6101d"
 24setup = """## Setup
 25
 26If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
 27events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
 28Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
 29`event.ingested` to @timestamp.
 30For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 31"""
 32severity = "medium"
 33tags = [
 34    "Domain: Endpoint",
 35    "OS: Windows",
 36    "Use Case: Threat Detection",
 37    "Tactic: Defense Evasion",
 38    "Tactic: Execution",
 39    "Data Source: Elastic Defend",
 40    "Data Source: Sysmon",
 41]
 42timestamp_override = "event.ingested"
 43type = "eql"
 44
 45query = '''
 46process where host.os.type == "windows" and event.type == "start" and process.executable : "C:\\*" and
 47  (process.working_directory : "?:\\" and not process.working_directory: "C:\\") and
 48  process.parent.name : "explorer.exe" and
 49  process.name : ("rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "regsvr32.exe",
 50                  "cscript.exe", "wscript.exe")
 51'''
 52
 53
 54[[rule.threat]]
 55framework = "MITRE ATT&CK"
 56[[rule.threat.technique]]
 57id = "T1218"
 58name = "System Binary Proxy Execution"
 59reference = "https://attack.mitre.org/techniques/T1218/"
 60[[rule.threat.technique.subtechnique]]
 61id = "T1218.005"
 62name = "Mshta"
 63reference = "https://attack.mitre.org/techniques/T1218/005/"
 64
 65[[rule.threat.technique.subtechnique]]
 66id = "T1218.010"
 67name = "Regsvr32"
 68reference = "https://attack.mitre.org/techniques/T1218/010/"
 69
 70[[rule.threat.technique.subtechnique]]
 71id = "T1218.011"
 72name = "Rundll32"
 73reference = "https://attack.mitre.org/techniques/T1218/011/"
 74
 75
 76
 77[rule.threat.tactic]
 78id = "TA0005"
 79name = "Defense Evasion"
 80reference = "https://attack.mitre.org/tactics/TA0005/"
 81[[rule.threat]]
 82framework = "MITRE ATT&CK"
 83[[rule.threat.technique]]
 84id = "T1059"
 85name = "Command and Scripting Interpreter"
 86reference = "https://attack.mitre.org/techniques/T1059/"
 87[[rule.threat.technique.subtechnique]]
 88id = "T1059.001"
 89name = "PowerShell"
 90reference = "https://attack.mitre.org/techniques/T1059/001/"
 91
 92[[rule.threat.technique.subtechnique]]
 93id = "T1059.003"
 94name = "Windows Command Shell"
 95reference = "https://attack.mitre.org/techniques/T1059/003/"
 96
 97
 98
 99[rule.threat.tactic]
100id = "TA0002"
101name = "Execution"
102reference = "https://attack.mitre.org/tactics/TA0002/"

References

  • https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/


    Read More

  • Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns

    On May 25, 2021, Volexity identified a phishing campaign targeting multiple organizations based in the United States and Europe. The following industries have been observed being targeted thus far: NGOs Research Institutions Government Agencies International Agencies The campaign’s phishing e-mails purported to originate from the USAID government agency and contained a malicious link that resulted in an ISO file being delivered. This file contained a malicious LNK file, a malicious DLL file, and a legitimate lure referencing foreign threats to the 2020 US Federal Elections. This blog post provides details on the observed activity and outlines possible justification that this campaign could be related to APT29. Phishing Email Campaign The original e-mails looked like the following: Figure 1. Phishing e-mails sent to numerous organizations Volexity also observed a smaller campaign from the same sender with largely the same content several hours earlier, but with the subject line "USAID Special Alert!". [&hellip;]


    Read More

Related rules

to-top