Delayed Execution via Ping
Identifies the execution of commonly abused Windows utilities via a delayed Ping execution. This behavior is often observed during malware installation and is consistent with an attacker attempting to evade detection.
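[metadata]
creation_date = "2023/09/25"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/04/05"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of commonly abused Windows utilities via a delayed Ping execution. This behavior is often
observed during malware installation and is consistent with an attacker attempting to evade detection.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Delayed Execution via Ping"
risk_score = 21
rule_id = "e00b8d49-632f-4dc6-94a5-76153a481915"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
type = "eql"

# Two-stage sequence keyed on the parent cmd.exe: a `ping -n` started by a
# non-SYSTEM user (S-1-5-18 is the Local System SID) followed within one
# minute by one of the listed utilities, or by an unsigned executable under a
# user's AppData tree. The trailing `not (...)` clauses exclude known
# installer and support-tool patterns that otherwise match the second stage.
# EQL `:` is a case-insensitive match, so each binary is listed once; the
# earlier duplicate entries (powershell.exe, installutil.exe, RegAsm.exe)
# added nothing to coverage and have been removed.
query = '''
sequence by process.parent.entity_id with maxspan=1m
  [process where host.os.type == "windows" and event.action == "start" and process.name : "ping.exe" and
   process.args : "-n" and process.parent.name : "cmd.exe" and not user.id : "S-1-5-18"]
  [process where host.os.type == "windows" and event.action == "start" and
   process.parent.name : "cmd.exe" and
   (
     process.name : (
       "rundll32.exe", "powershell.exe",
       "mshta.exe", "msbuild.exe",
       "certutil.exe", "regsvr32.exe",
       "cscript.exe", "wscript.exe",
       "wmic.exe", "installutil.exe",
       "msxsl.exe", "Microsoft.Workflow.Compiler.exe",
       "ieexec.exe", "iexpress.exe",
       "RegAsm.exe", "RegSvcs.exe"
     ) or
     (process.executable : "?:\\Users\\*\\AppData\\*.exe" and not process.code_signature.trusted == true)
   ) and
   not process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*") and
   not (process.name : ("openssl.exe", "httpcfg.exe", "certutil.exe") and process.parent.command_line : "*ScreenConnectConfigurator.cmd*") and
   not (process.pe.original_file_name : "DPInst.exe" and process.command_line : "driver\\DPInst_x64 /f ") and
   not (process.name : "powershell.exe" and process.args : "Write-Host ======*") and
   not (process.name : "wscript.exe" and process.args : "launchquiet_args.vbs" and process.parent.args : "?:\\Windows\\TempInst\\7z*") and
   not (process.name : "regsvr32.exe" and process.args : ("?:\\windows\\syswow64\\msxml?.dll", "msxml?.dll", "?:\\Windows\\SysWOW64\\mschrt20.ocx")) and
   not (process.name : "wscript.exe" and
        process.working_directory :
            ("?:\\Windows\\TempInst\\*",
             "?:\\Users\\*\\AppData\\Local\\Temp\\BackupBootstrapper\\Logs\\",
             "?:\\Users\\*\\AppData\\Local\\Temp\\QBTools\\"))
  ]
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
name = "Command and Scripting Interpreter"
id = "T1059"
reference = "https://attack.mitre.org/techniques/T1059/"

  [[rule.threat.technique.subtechnique]]
  name = "Visual Basic"
  id = "T1059.005"
  reference = "https://attack.mitre.org/techniques/T1059/005/"

  [[rule.threat.technique.subtechnique]]
  name = "PowerShell"
  id = "T1059.001"
  reference = "https://attack.mitre.org/techniques/T1059/001/"

  [rule.threat.tactic]
  name = "Execution"
  id = "TA0002"
  reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1497"
name = "Virtualization/Sandbox Evasion"
reference = "https://attack.mitre.org/techniques/T1497/"

  [[rule.threat.technique.subtechnique]]
  name = "Time Based Evasion"
  id = "T1497.003"
  reference = "https://attack.mitre.org/techniques/T1497/003/"

[[rule.threat.technique]]
name = "System Binary Proxy Execution"
id = "T1218"
reference = "https://attack.mitre.org/techniques/T1218/"

  [[rule.threat.technique.subtechnique]]
  name = "CMSTP"
  id = "T1218.003"
  reference = "https://attack.mitre.org/techniques/T1218/003/"

  [[rule.threat.technique.subtechnique]]
  name = "InstallUtil"
  id = "T1218.004"
  reference = "https://attack.mitre.org/techniques/T1218/004/"

  [[rule.threat.technique.subtechnique]]
  name = "Mshta"
  id = "T1218.005"
  reference = "https://attack.mitre.org/techniques/T1218/005/"

  [[rule.threat.technique.subtechnique]]
  name = "Regsvcs/Regasm"
  id = "T1218.009"
  reference = "https://attack.mitre.org/techniques/T1218/009/"

  [[rule.threat.technique.subtechnique]]
  name = "Regsvr32"
  id = "T1218.010"
  reference = "https://attack.mitre.org/techniques/T1218/010/"

  [[rule.threat.technique.subtechnique]]
  name = "Rundll32"
  id = "T1218.011"
  reference = "https://attack.mitre.org/techniques/T1218/011/"

# Top-level techniques of this threat entry, not sub-techniques of T1218;
# kept at the same header level as the other [[rule.threat.technique]] entries.
[[rule.threat.technique]]
name = "System Script Proxy Execution"
id = "T1216"
reference = "https://attack.mitre.org/techniques/T1216/"

[[rule.threat.technique]]
name = "XSL Script Processing"
id = "T1220"
reference = "https://attack.mitre.org/techniques/T1220/"

[rule.threat.tactic]
name = "Defense Evasion"
id = "TA0005"
reference = "https://attack.mitre.org/tactics/TA0005/"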