Delayed Execution via Ping
Identifies the execution of commonly abused Windows utilities via a delayed Ping execution. This behavior is often observed during malware installation and is consistent with an attacker attempting to evade detection.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2023/09/25"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/11/11"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of commonly abused Windows utilities via a delayed Ping execution. This behavior is often
observed during malware installation and is consistent with an attacker attempting to evade detection.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Delayed Execution via Ping"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Delayed Execution via Ping

ping.exe is a network diagnostic, but because it blocks for roughly one second per echo request it is routinely abused as a sleep primitive in batch files: a command such as `ping -n 30 127.0.0.1 >nul` chained in front of the real payload delays execution long enough to outlast automated sandbox analysis and to separate the dropper from the stage it launches. This rule looks for ping.exe started with `-n` by cmd.exe under a non-SYSTEM account, followed within one minute under the same cmd.exe parent by a commonly abused proxy-execution utility (rundll32, mshta, regsvr32, PowerShell and similar) or by an unsigned executable launched from a user's AppData directory, while excluding a set of known benign installers and administrative scripts.

### Possible investigation steps

- Review the process tree to understand the sequence of events, focusing on the parent-child relationship between cmd.exe, ping.exe, and any subsequent suspicious processes like rundll32.exe or powershell.exe.
- Examine the ping.exe command line (the `-n` count, any `-w` timeout, and the target) to work out how long the pause was; a loopback target with a large count, or an unroutable target with a long timeout, is a sleep rather than a connectivity check. Recover the batch file or parent command line that issued it where possible, since it usually contains the rest of the payload.
- The rule already excludes the SYSTEM account (S-1-5-18), so every alert runs under an interactive or service account; investigate that account to determine whether it has been compromised or is being misused.
- Check the file path and code signature of any executables launched from the user's AppData directory to verify if they are trusted or potentially malicious.
- Analyze the command line arguments and working directory of the follow-on process to identify known malicious patterns (encoded PowerShell, remote script URLs, DLL export names passed to rundll32, and similar).
- Correlate the alert with any other recent alerts or logs from the same host or user to identify potential patterns or ongoing malicious activity.

### False positive analysis

- Legitimate administrative scripts or maintenance tasks may use ping to introduce delays, especially in batch files executed by system administrators. To handle this, identify and exclude specific scripts or command lines that are known to be safe.
- Software installations or updates might use ping for timing purposes. Review the command lines and parent processes involved, and create exceptions for trusted software paths or signatures.
- Automated testing environments may use ping to simulate network latency or wait for services to start. Exclude these processes by identifying the testing framework or environment and adding it to the exception list.
- Some legitimate applications might use ping as part of their normal operation. Monitor these applications and, if verified as safe, exclude their specific command patterns or executable paths.
- Regularly review and update the exception list to ensure it reflects the current environment and any new legitimate use cases that arise. Prefer exceptions keyed on the parent command line, working directory, or code signature, as the rule itself does, over exceptions on the utility name alone, which would blind the rule to the very binaries it watches.

### Response and remediation

- Isolate the affected system from the network immediately to prevent further malicious activity and lateral movement.
- Terminate the follow-on process identified in the alert together with its cmd.exe parent and any children; by the time the alert fires, ping.exe itself has usually already exited.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malware or unauthorized software.
- Review and analyze the command history and logs of the affected system to understand the scope of the attack and identify any additional compromised systems.
- Restore the system from a known good backup if malware removal is not feasible or if the system's integrity is in question.
- Implement application control (allowlisting) to prevent unauthorized execution of scripts and binaries, focusing on the utilities identified in the alert.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
risk_score = 21
rule_id = "e00b8d49-632f-4dc6-94a5-76153a481915"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by process.parent.entity_id with maxspan=1m
  [process where host.os.type == "windows" and event.action == "start" and process.name : "ping.exe" and
   process.args : "-n" and process.parent.name : "cmd.exe" and not user.id : "S-1-5-18"]
  [process where host.os.type == "windows" and event.action == "start" and
   process.parent.name : "cmd.exe" and
   (
    process.name : (
          "rundll32.exe", "powershell.exe",
          "mshta.exe", "msbuild.exe",
          "certutil.exe", "regsvr32.exe",
          "cscript.exe", "wscript.exe",
          "wmic.exe", "installutil.exe",
          "msxsl.exe", "Microsoft.Workflow.Compiler.exe",
          "ieexec.exe", "iexpress.exe",
          "RegAsm.exe", "RegSvcs.exe"
    ) or
    (process.executable : "?:\\Users\\*\\AppData\\*.exe" and not process.code_signature.trusted == true)
   ) and

   not process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*") and
   not (process.name : ("openssl.exe", "httpcfg.exe", "certutil.exe") and process.parent.command_line : "*ScreenConnectConfigurator.cmd*") and
   not (process.pe.original_file_name : "DPInst.exe" and process.command_line : "driver\\DPInst_x64 /f ") and
   not (process.name : "powershell.exe" and process.args : "Write-Host ======*") and
   not (process.name : "wscript.exe" and process.args : "launchquiet_args.vbs" and process.parent.args : "?:\\Windows\\TempInst\\7z*") and
   not (process.name : "regsvr32.exe" and process.args : ("?:\\windows\\syswow64\\msxml?.dll", "msxml?.dll", "?:\\Windows\\SysWOW64\\mschrt20.ocx")) and
   not (process.name : "wscript.exe" and
        process.working_directory :
            ("?:\\Windows\\TempInst\\*",
             "?:\\Users\\*\\AppData\\Local\\Temp\\BackupBootstrapper\\Logs\\",
             "?:\\Users\\*\\AppData\\Local\\Temp\\QBTools\\"))
  ]
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[[rule.threat.technique.subtechnique]]
id = "T1059.005"
name = "Visual Basic"
reference = "https://attack.mitre.org/techniques/T1059/005/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1216"
name = "System Script Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1216/"

[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.003"
name = "CMSTP"
reference = "https://attack.mitre.org/techniques/T1218/003/"

[[rule.threat.technique.subtechnique]]
id = "T1218.004"
name = "InstallUtil"
reference = "https://attack.mitre.org/techniques/T1218/004/"

[[rule.threat.technique.subtechnique]]
id = "T1218.005"
name = "Mshta"
reference = "https://attack.mitre.org/techniques/T1218/005/"

[[rule.threat.technique.subtechnique]]
id = "T1218.009"
name = "Regsvcs/Regasm"
reference = "https://attack.mitre.org/techniques/T1218/009/"

[[rule.threat.technique.subtechnique]]
id = "T1218.010"
name = "Regsvr32"
reference = "https://attack.mitre.org/techniques/T1218/010/"

[[rule.threat.technique.subtechnique]]
id = "T1218.011"
name = "Rundll32"
reference = "https://attack.mitre.org/techniques/T1218/011/"


[[rule.threat.technique]]
id = "T1220"
name = "XSL Script Processing"
reference = "https://attack.mitre.org/techniques/T1220/"

[[rule.threat.technique]]
id = "T1497"
name = "Virtualization/Sandbox Evasion"
reference = "https://attack.mitre.org/techniques/T1497/"
[[rule.threat.technique.subtechnique]]
id = "T1497.003"
name = "Time Based Checks"
reference = "https://attack.mitre.org/techniques/T1497/003/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
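The EQL sequence above, replayed in Python over a handful of constructed process events, as an added example that is not Elastic's code. It models the join key (process.parent.entity_id), the one-minute maxspan, the non-SYSTEM filter, the proxy-binary list and the unsigned-AppData branch, plus two of the rule's exclusions. The flattened event layout, the `mk` helper and the sample events are this example's own assumptions, not the Elastic Defend document schema, and the runs-once-per-window behaviour is a simplification of EQL's sequence semantics.

```python
"""Replay of the 'Delayed Execution via Ping' EQL sequence over constructed process events.

Added example, not Elastic's code. Events are grouped by parent entity id, a qualifying
ping.exe start opens a window, and the first qualifying follow-on start inside 60 s closes it.
"""
from datetime import datetime, timedelta
from fnmatch import fnmatch

SYSTEM_SID = "S-1-5-18"
MAXSPAN = timedelta(minutes=1)

# process.name list from the rule, deduplicated and lower-cased
PROXY_BINARIES = {
    "rundll32.exe", "powershell.exe", "mshta.exe", "msbuild.exe", "certutil.exe",
    "regsvr32.exe", "cscript.exe", "wscript.exe", "wmic.exe", "installutil.exe",
    "msxsl.exe", "microsoft.workflow.compiler.exe", "ieexec.exe", "iexpress.exe",
    "regasm.exe", "regsvcs.exe",
}


def _glob(value, pattern):
    """EQL ':' is a case-insensitive wildcard match; fnmatch over lower-cased strings approximates it."""
    return value is not None and fnmatch(value.lower(), pattern.lower())


def is_delay_ping(ev):
    """First sequence stage: ping.exe -n started by cmd.exe, not running as SYSTEM."""
    return (ev["os"] == "windows" and ev["action"] == "start"
            and _glob(ev["name"], "ping.exe") and "-n" in ev["args"]
            and _glob(ev["parent_name"], "cmd.exe") and ev["user_id"] != SYSTEM_SID)


def is_proxy_execution(ev):
    """Second stage: abused utility or unsigned AppData binary, minus two of the rule's exclusions."""
    if ev["os"] != "windows" or ev["action"] != "start" or not _glob(ev["parent_name"], "cmd.exe"):
        return False
    name_hit = ev["name"].lower() in PROXY_BINARIES
    appdata_hit = _glob(ev["executable"], "?:\\Users\\*\\AppData\\*.exe") and not ev["signature_trusted"]
    if not (name_hit or appdata_hit):
        return False
    if any(_glob(a, "?:\\Program Files\\*") or _glob(a, "?:\\Program Files (x86)\\*") for a in ev["args"]):
        return False
    if _glob(ev["name"], "powershell.exe") and any(_glob(a, "Write-Host ======*") for a in ev["args"]):
        return False
    return True


def find_delayed_execution(events):
    """Return (ping_event, follow_on_event) pairs that satisfy the sequence."""
    pending = {}  # parent entity id -> open first-stage match
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = ev["parent_entity_id"]
        if is_delay_ping(ev):
            pending[key] = ev  # a newer ping restarts the window for that parent
            continue
        first = pending.get(key)
        if first and is_proxy_execution(ev) and ev["ts"] - first["ts"] <= MAXSPAN:
            hits.append((first, ev))
            del pending[key]
    return hits


BASE = datetime(2025, 1, 1, 12, 0, 0)


def mk(offset_s, parent, name, args, user="S-1-5-21-1111-2222-3333-1001",
       executable=None, signed=True, parent_name="cmd.exe"):
    """Build one constructed process-start event (flattened stand-in for the ECS document)."""
    return {"ts": BASE + timedelta(seconds=offset_s), "os": "windows", "action": "start",
            "parent_entity_id": parent, "parent_name": parent_name, "name": name, "args": args,
            "user_id": user, "executable": executable or "C:\\Windows\\System32\\" + name,
            "signature_trusted": signed}


SAMPLE_EVENTS = [  # constructed, not captured telemetry
    # cmd-1: 9 s sleep, then rundll32 loads a DLL from Temp -> alert
    mk(0, "cmd-1", "ping.exe", ["ping", "-n", "10", "127.0.0.1"]),
    mk(12, "cmd-1", "rundll32.exe", ["rundll32.exe", "C:\\Users\\bob\\AppData\\Local\\Temp\\up.dll,Run"]),
    # cmd-2: same shape but as SYSTEM -> dropped by the user.id clause
    mk(0, "cmd-2", "ping.exe", ["ping", "-n", "5", "127.0.0.1"], user=SYSTEM_SID),
    mk(6, "cmd-2", "powershell.exe", ["powershell.exe", "-enc", "AAAA"]),
    # cmd-3: installer banner, covered by the Write-Host exclusion
    mk(0, "cmd-3", "ping.exe", ["ping", "-n", "3", "127.0.0.1"]),
    mk(3, "cmd-3", "powershell.exe", ["powershell.exe", "Write-Host ====== Installing ======"]),
    # cmd-4: unsigned AppData binary, but 95 s after the ping -> outside maxspan
    mk(0, "cmd-4", "ping.exe", ["ping", "-n", "90", "127.0.0.1"]),
    mk(95, "cmd-4", "update.exe", ["update.exe"],
       executable="C:\\Users\\alice\\AppData\\Roaming\\update.exe", signed=False),
    # cmd-5: unsigned AppData binary 5 s after the ping -> alert
    mk(0, "cmd-5", "ping.exe", ["ping", "-n", "6", "127.0.0.1"]),
    mk(5, "cmd-5", "svc.exe", ["svc.exe", "/quiet"],
       executable="C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe", signed=False),
]


def alerting_parents(events=SAMPLE_EVENTS):
    """Parent entity ids that would raise this alert; for the sample above: cmd-1 and cmd-5."""
    return sorted(ping["parent_entity_id"] for ping, _ in find_delayed_execution(events))


if __name__ == "__main__":
    for ping, follow in find_delayed_execution(SAMPLE_EVENTS):
        gap = (follow["ts"] - ping["ts"]).total_seconds()
        print(f"{ping['parent_entity_id']}: {' '.join(ping['args'])} -> {follow['name']} after {gap:.0f}s")
```

The cmd-4 case is worth keeping in mind when tuning: an attacker who sleeps longer than the rule's maxspan (`ping -n 90`) falls outside the window, so raising maxspan buys coverage at the cost of more benign installer pairings.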
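The investigation step on working out the delay from ping.exe's arguments, as an added Python triage helper that is not part of the Elastic rule or its guide. The timing model is an assumption stated in the code and matching the common `ping -n 6 127.0.0.1 >nul` idiom (about 5 seconds): a target that answers costs roughly one second between echo requests, so `-n N` against loopback sleeps about N-1 seconds, while a target that never answers costs the full `-w` timeout (default 4000 ms) per request. The command lines it is exercised with are constructed.

```python
"""Estimate the pause a Windows ping.exe command line buys an attacker.

Added triage helper, not part of the Elastic rule. Timing model (an assumption): ping
waits about one second between requests that get a reply, and the full -w timeout
(default 4000 ms) for each request that gets none.
"""
import math

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
FLAGS_WITH_VALUE = {"n", "w", "l", "i", "v", "s", "r", "j", "k"}  # ping.exe switches that take an argument


def parse_ping_command(command_line):
    """Extract count (-n), per-request timeout (-w), -t and the target from a ping.exe command line."""
    opts = {"count": 4, "timeout_ms": 4000, "forever": False, "target": None}
    tokens = command_line.split()
    if tokens and "ping" in tokens[0].lower():
        tokens = tokens[1:]  # drop the program name, quoted path or not
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        low = tok.lower()
        if low.startswith((">", "<", "1>", "2>")):      # redirection such as >nul or 2>&1
            i += 2 if low in (">", ">>", "<") else 1     # a bare operator also consumes the file name
            continue
        if low.startswith(("&", "|")):                   # the next chained command starts here
            break
        if low[:1] in ("-", "/") and low[1:] in FLAGS_WITH_VALUE:
            value = tokens[i + 1] if i + 1 < len(tokens) else ""
            if low[1] == "n" and value.isdigit():
                opts["count"] = int(value)
            elif low[1] == "w" and value.isdigit():
                opts["timeout_ms"] = int(value)
            i += 2
            continue
        if low in ("-t", "/t"):
            opts["forever"] = True
        elif low[:1] not in ("-", "/"):
            opts["target"] = tok
        i += 1
    return opts


def estimate_delay_seconds(opts, target_replies=None):
    """Seconds the batch file is blocked.

    target_replies=None means unknown: loopback is assumed to answer, anything else is
    assumed silent, which is the worst case for a deliberate sleep.
    """
    if opts["forever"]:
        return math.inf
    if target_replies is None:
        target_replies = (opts["target"] or "").lower() in LOOPBACK
    if target_replies:
        return float(max(opts["count"] - 1, 0))         # immediate reply, ~1 s pause before each further request
    return opts["count"] * opts["timeout_ms"] / 1000.0  # every request waits out the full timeout


def describe(command_line):
    """One-line triage summary for an alert's ping.exe command line."""
    opts = parse_ping_command(command_line)
    secs = estimate_delay_seconds(opts)
    return f"target={opts['target']} count={opts['count']} timeout_ms={opts['timeout_ms']} est_delay_s={secs}"


if __name__ == "__main__":
    for cmd in ("ping -n 10 127.0.0.1 >nul", "ping 1.1.1.1 -n 1 -w 30000 > nul 2>&1", "ping -t localhost"):
        print(cmd, "=>", describe(cmd))
```

The unroutable-target form (`ping <addr> -n 1 -w 30000`) is the one to watch for in triage: it produces a single echo request, so a `-n` value alone understates the pause, and the estimate is only an upper bound if the target happens to answer.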
Related rules
- Clearing Windows Console History
- Disabling Windows Defender Security Settings via PowerShell
- Windows Firewall Disabled via PowerShell
- Suspicious Microsoft Antimalware Service Execution
- Potential DLL Side-Loading via Trusted Microsoft Programs