Delayed Execution via Ping
Identifies the execution of commonly abused Windows utilities via a delayed Ping execution. This behavior is often observed during malware installation and is consistent with an attacker attempting to evade detection.
# Housekeeping fields for the rule itself; the detection logic lives under [rule].
[metadata]
# Dates are kept as "YYYY/MM/DD" strings rather than TOML dates; presumably the
# rule tooling expects this form, so do not convert them without checking the consumer.
creation_date = "2023/09/25"
# Events come from the Elastic Defend endpoint integration (see the `index`
# pattern and the "Data Source: Elastic Defend" tag under [rule]).
integration = ["endpoint"]
maturity = "production"
# Bump whenever the query or its exclusion clauses change.
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of commonly abused Windows utilities via a delayed Ping execution. This behavior is often
observed during malware installation and is consistent with an attacker attempting to evade detection.
"""
# Lookback applied on each run; presumably chosen to overlap the schedule
# interval, which is not set in this file — confirm against the deployed interval.
from = "now-9m"
# Process events from the Elastic Defend endpoint integration only.
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Delayed Execution via Ping"
# Low risk/severity: judging by the exclusion list at the end of the query, several of
# the matched utilities are also launched by legitimate installers, so this is a
# lead to triage rather than a high-confidence alert.
risk_score = 21
rule_id = "e00b8d49-632f-4dc6-94a5-76153a481915"
severity = "low"
tags = [
 "Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Execution",
 "Tactic: Defense Evasion",
 "Data Source: Elastic Defend",
]
type = "eql"

# Two-step EQL sequence joined on process.parent.entity_id: both events must be
# children of the same cmd.exe instance (each step also requires
# process.parent.name "cmd.exe"). With maxspan=1m, a ping delay longer than about a
# minute is not joined to the follow-on process and produces no alert — a known
# coverage limit of this rule, not a bug.
#
# Step 1: ping.exe started with a "-n" (count) argument; SYSTEM (S-1-5-18) is excluded.
# Step 2: a process from the same cmd.exe that is either one of the listed commonly
#   abused utility / script-host names, or an .exe under a user's AppData whose code
#   signature is not marked trusted.
#   NOTE(review): `not process.code_signature.trusted == true` looks intended to also
#   match when the signature fields are absent — confirm the EQL null semantics on
#   the target stack version before relying on that.
#
# The trailing `not (...)` clauses are exclusions for specific installers and tools
# (ScreenConnect configurator, DPInst, 7-Zip TempInst, BackupBootstrapper, QBTools).
# They key on args, command lines and working directories, so keep them as narrow
# as they are; note certutil.exe is excluded only in the ScreenConnect case.
#
# Housekeeping: "powershell.exe", "installutil.exe" and "RegAsm.exe" each appear
# twice in the process.name list. Harmless, but drop the duplicates on the next edit.
query = '''
sequence by process.parent.entity_id with maxspan=1m
 [process where host.os.type == "windows" and event.action == "start" and process.name : "ping.exe" and
 process.args : "-n" and process.parent.name : "cmd.exe" and not user.id : "S-1-5-18"]
 [process where host.os.type == "windows" and event.action == "start" and
 process.parent.name : "cmd.exe" and
 (
 process.name : (
 "rundll32.exe", "powershell.exe",
 "mshta.exe", "msbuild.exe",
 "certutil.exe", "regsvr32.exe",
 "powershell.exe", "cscript.exe",
 "wscript.exe", "wmic.exe",
 "installutil.exe", "msxsl.exe",
 "Microsoft.Workflow.Compiler.exe",
 "ieexec.exe", "iexpress.exe",
 "RegAsm.exe", "installutil.exe",
 "RegSvcs.exe", "RegAsm.exe"
 ) or
 (process.executable : "?:\\Users\\*\\AppData\\*.exe" and not process.code_signature.trusted == true)
 ) and

 not process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*") and
 not (process.name : ("openssl.exe", "httpcfg.exe", "certutil.exe") and process.parent.command_line : "*ScreenConnectConfigurator.cmd*") and
 not (process.pe.original_file_name : "DPInst.exe" and process.command_line : "driver\\DPInst_x64 /f ") and
 not (process.name : "powershell.exe" and process.args : "Write-Host ======*") and
 not (process.name : "wscript.exe" and process.args : "launchquiet_args.vbs" and process.parent.args : "?:\\Windows\\TempInst\\7z*") and
 not (process.name : "regsvr32.exe" and process.args : ("?:\\windows\\syswow64\\msxml?.dll", "msxml?.dll", "?:\\Windows\\SysWOW64\\mschrt20.ocx")) and
 not (process.name : "wscript.exe" and
 process.working_directory :
 ("?:\\Windows\\TempInst\\*",
 "?:\\Users\\*\\AppData\\Local\\Temp\\BackupBootstrapper\\Logs\\",
 "?:\\Users\\*\\AppData\\Local\\Temp\\QBTools\\"))
 ]
'''


# ATT&CK mapping: one [[rule.threat]] element per tactic. The [[...technique]],
# [[...subtechnique]] and [rule.threat.tactic] sub-tables attach to the nearest
# preceding [[rule.threat]], so keep each tactic's entries contiguous.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
# PowerShell: covered by powershell.exe in the step-2 process.name list.
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

# Visual Basic: covered by cscript.exe / wscript.exe in the step-2 process.name list.
[[rule.threat.technique.subtechnique]]
id = "T1059.005"
name = "Visual Basic"
reference = "https://attack.mitre.org/techniques/T1059/005/"



# Tactic for this [[rule.threat]] element; it must follow the technique entries above.
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
# Second tactic block: Defense Evasion. Same layout rule as above — everything up to
# [rule.threat.tactic] belongs to this [[rule.threat]] element.
[[rule.threat]]
framework = "MITRE ATT&CK"
# NOTE(review): no single process in the query maps directly to T1216; presumably
# it is meant to cover scripts run through the cscript.exe / wscript.exe hosts — confirm.
[[rule.threat.technique]]
id = "T1216"
name = "System Script Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1216/"

[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
# NOTE(review): CMSTP is mapped here, but cmstp.exe is not in the query's
# process.name list — either extend the query or drop this sub-technique so the
# mapping reflects what the rule actually detects.
[[rule.threat.technique.subtechnique]]
id = "T1218.003"
name = "CMSTP"
reference = "https://attack.mitre.org/techniques/T1218/003/"

# InstallUtil: installutil.exe in the step-2 list.
[[rule.threat.technique.subtechnique]]
id = "T1218.004"
name = "InstallUtil"
reference = "https://attack.mitre.org/techniques/T1218/004/"

# Mshta: mshta.exe in the step-2 list.
[[rule.threat.technique.subtechnique]]
id = "T1218.005"
name = "Mshta"
reference = "https://attack.mitre.org/techniques/T1218/005/"

# Regsvcs/Regasm: RegSvcs.exe and RegAsm.exe in the step-2 list.
[[rule.threat.technique.subtechnique]]
id = "T1218.009"
name = "Regsvcs/Regasm"
reference = "https://attack.mitre.org/techniques/T1218/009/"

# Regsvr32: regsvr32.exe in the step-2 list (with the msxml/mschrt20 exclusion).
[[rule.threat.technique.subtechnique]]
id = "T1218.010"
name = "Regsvr32"
reference = "https://attack.mitre.org/techniques/T1218/010/"

# Rundll32: rundll32.exe in the step-2 list.
[[rule.threat.technique.subtechnique]]
id = "T1218.011"
name = "Rundll32"
reference = "https://attack.mitre.org/techniques/T1218/011/"


# XSL Script Processing: msxsl.exe and wmic.exe in the step-2 list.
[[rule.threat.technique]]
id = "T1220"
name = "XSL Script Processing"
reference = "https://attack.mitre.org/techniques/T1220/"

# Time Based Evasion: the step-1 `ping.exe -n` delay is the behavior this rule keys on.
[[rule.threat.technique]]
id = "T1497"
name = "Virtualization/Sandbox Evasion"
reference = "https://attack.mitre.org/techniques/T1497/"
[[rule.threat.technique.subtechnique]]
id = "T1497.003"
name = "Time Based Evasion"
reference = "https://attack.mitre.org/techniques/T1497/003/"



# Tactic for this [[rule.threat]] element; it must follow the technique entries above.
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
Related rules
- Potential Masquerading as Business App Installer
- Execution via Electron Child Process Node.js Module
- Expired or Revoked Driver Loaded
- Potential Remote File Execution via MSIEXEC
- Potential Windows Session Hijacking via CcmExec