Suspicious Managed Code Hosting Process
Identifies a suspicious managed code hosting process, which could indicate code injection or another form of suspicious code execution.
# Elastic prebuilt detection rule. [metadata] holds repository bookkeeping;
# [rule] is the detection definition itself as loaded into the SIEM.
[metadata]
creation_date = "2020/08/21"
# Integrations expected to feed this rule; they correspond to the
# `index` patterns under [rule] below.
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious
code execution.
"""
# Look-back window applied on each rule execution. Presumably wider than the
# run interval so that events delayed in ingest (see timestamp_override) are
# still evaluated — confirm against the rule's schedule in the deployment.
from = "now-9m"
# Winlogbeat, Elastic Defend file events, and the Sysmon operational channel.
# NOTE(review): for the Sysmon source this rule only fires if the sensor
# configuration emits file events for the file names matched in the query —
# verify per deployment.
index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Managed Code Hosting Process"
# Background on the CLR artifacts this rule keys on (archived copy).
references = [
    "http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
]
# risk_score and severity are kept in step: 73 falls in the "high" band.
risk_score = 73
rule_id = "acf738b5-b5b2-4acc-bad9-1e18ee234f40"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
]
# Query on ingest time rather than the event's own timestamp, so late-arriving
# events are not missed by the fixed `from` window above.
timestamp_override = "event.ingested"
type = "eql"

# Detection logic. Alerts on any non-deletion file event for a file named
# "<process>.exe.log" where <process> is one of a fixed set of native Windows
# binaries. Per the referenced article, the .NET runtime writes a usage log
# named after its hosting process, so such a log for wscript/cscript/mshta/
# wmic/svchost/dllhost/cmstp/regsvr32 suggests managed code was loaded into a
# process that does not normally host it (consistent with the T1055 mapping
# below). The host.os.type guard keeps the rule from matching non-Windows data
# that lands in the shared index patterns.
# NOTE(review): file.path is not constrained, so a file carrying one of these
# names anywhere on disk matches. If this proves noisy, scope the query to the
# directory the runtime actually writes these logs to — verify that location
# in a lab before tightening, since a wrong path silently blinds the rule.
query = '''
file where host.os.type == "windows" and event.type != "deletion" and
  file.name : ("wscript.exe.log",
               "cscript.exe.log",
               "mshta.exe.log",
               "wmic.exe.log",
               "svchost.exe.log",
               "dllhost.exe.log",
               "cmstp.exe.log",
               "regsvr32.exe.log")
'''


# MITRE ATT&CK mapping: one threat entry, one technique, under Defense Evasion.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"