Suspicious Managed Code Hosting Process

Identifies a suspicious managed code hosting process, which could indicate code injection or another form of suspicious code execution.


# Rule housekeeping. The dates are kept as "YYYY/MM/DD" strings rather than
# TOML date values (the rule repository's convention, so do not convert them).
# `integration` presumably names the Fleet integrations whose data streams are
# listed under `index` in [rule] — confirm against the repository tooling.
[metadata]
creation_date = "2020/08/21"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"

# Detection logic: alerts on a Windows file event (anything except a deletion)
# whose file name is `<native tool>.exe.log`. Per the reference below, the
# .NET CLR leaves a per-process usage log named after the executable that
# loaded managed code; the executables enumerated in `query` are native
# Windows utilities not expected to host managed code, so such a log is an
# indicator that managed code was injected into, or otherwise loaded by, them.
[rule]
author = ["Elastic"]
description = """
Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious
code execution.
"""
# Lookback window, evaluated against `event.ingested` (see `timestamp_override`
# below) — presumably so that late-arriving events are still evaluated.
from = "now-9m"
# Data streams searched: Winlogbeat, Elastic Defend file events, and Sysmon.
index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Managed Code Hosting Process"
# Background on the .NET CLR usage-log artefact this rule keys on.
references = [
    "http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
]
risk_score = 73
rule_id = "acf738b5-b5b2-4acc-bad9-1e18ee234f40"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "eql"

# Any non-deletion file event whose name is one of the listed `<tool>.exe.log`
# names; EQL's `:` operator is a case-insensitive string match.
# NOTE(review): there is no `file.path` condition, so a same-named file in any
# directory matches (e.g. an unrelated application writing its own
# `svchost.exe.log`). If the CLR usage-log directory is confirmed from the
# reference, a path constraint would cut such false positives — weigh that
# against the recall lost if the log location differs across CLR versions.
query = '''
file where host.os.type == "windows" and event.type != "deletion" and
  file.name : ("wscript.exe.log",
               "cscript.exe.log",
               "mshta.exe.log",
               "wmic.exe.log",
               "svchost.exe.log",
               "dllhost.exe.log",
               "cmstp.exe.log",
               "regsvr32.exe.log")
'''


# MITRE ATT&CK mapping: a CLR usage log for a native host process is treated
# as evidence of Process Injection (T1055) in service of Defense Evasion
# (TA0005). `[rule.threat.tactic]` is a sub-table of this same [[rule.threat]]
# element, so it must stay before any further [[rule.threat]] entry.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
