Delayed Execution via Ping

Identifies the execution of commonly abused Windows utilities (living-off-the-land binaries, or unsigned executables under a user's AppData) shortly after a `ping -n` command from the same cmd.exe parent. `ping -n <count>` is a common stand-in for a sleep, so this behavior is often observed during malware installation and is consistent with an attacker delaying execution to evade sandbox or time-based detection.


[metadata]
creation_date = "2023/09/25"
# The "endpoint" integration supplies the logs-endpoint.events.process-* indices the [rule] table reads.
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"

  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies the execution of commonly abused Windows utilities via a delayed Ping execution. This behavior is often
 11observed during malware installation and is consistent with an attacker attempting to evade detection.
 12"""
 13from = "now-9m"
 14index = ["logs-endpoint.events.process-*"]
 15language = "eql"
 16license = "Elastic License v2"
 17name = "Delayed Execution via Ping"
 18risk_score = 21
 19rule_id = "e00b8d49-632f-4dc6-94a5-76153a481915"
 20severity = "low"
 21tags = [
 22    "Domain: Endpoint",
 23    "OS: Windows",
 24    "Use Case: Threat Detection",
 25    "Tactic: Execution",
 26    "Tactic: Defense Evasion",
 27    "Data Source: Elastic Defend",
 28]
 29type = "eql"
 30
 31query = '''
 32sequence by process.parent.entity_id with maxspan=1m
 33  [process where host.os.type == "windows" and event.action == "start" and process.name : "ping.exe" and
 34   process.args : "-n" and process.parent.name : "cmd.exe" and not user.id : "S-1-5-18"]
 35  [process where host.os.type == "windows" and event.action == "start" and
 36   process.parent.name : "cmd.exe" and
 37   (
 38        process.name : (
 39            "rundll32.exe", "powershell.exe",
 40            "mshta.exe", "msbuild.exe",
 41            "certutil.exe", "regsvr32.exe",
 42            "powershell.exe", "cscript.exe",
 43            "wscript.exe", "wmic.exe",
 44            "installutil.exe", "msxsl.exe",
 45            "Microsoft.Workflow.Compiler.exe",
 46            "ieexec.exe", "iexpress.exe",
 47            "RegAsm.exe", "installutil.exe",
 48            "RegSvcs.exe", "RegAsm.exe"
 49        ) or
 50        (process.executable : "?:\\Users\\*\\AppData\\*.exe" and not process.code_signature.trusted == true)
 51    ) and
 52
 53    not process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*") and
 54    not (process.name : ("openssl.exe", "httpcfg.exe", "certutil.exe") and process.parent.command_line : "*ScreenConnectConfigurator.cmd*") and
 55    not (process.pe.original_file_name : "DPInst.exe" and process.command_line : "driver\\DPInst_x64  /f ") and
 56    not (process.name : "powershell.exe" and process.args : "Write-Host ======*") and
 57    not (process.name : "wscript.exe" and process.args : "launchquiet_args.vbs" and process.parent.args : "?:\\Windows\\TempInst\\7z*") and
 58    not (process.name : "regsvr32.exe" and process.args : ("?:\\windows\\syswow64\\msxml?.dll", "msxml?.dll", "?:\\Windows\\SysWOW64\\mschrt20.ocx")) and 
 59    not (process.name : "wscript.exe" and
 60         process.working_directory :
 61                    ("?:\\Windows\\TempInst\\*",
 62                     "?:\\Users\\*\\AppData\\Local\\Temp\\BackupBootstrapper\\Logs\\",
 63                     "?:\\Users\\*\\AppData\\Local\\Temp\\QBTools\\"))
 64    ]
 65'''
 66
 67
# Execution mapping: the second sequence step matches script interpreters by process.name.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
# Covered by powershell.exe in the query's process.name list.
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

# Covered by cscript.exe / wscript.exe in the query's process.name list.
[[rule.threat.technique.subtechnique]]
id = "T1059.005"
name = "Visual Basic"
reference = "https://attack.mitre.org/techniques/T1059/005/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
# Defense Evasion mapping: proxy-execution binaries from the query plus the ping-based delay.
[[rule.threat]]
framework = "MITRE ATT&CK"
# No dedicated binary in the query for this one; presumably covers signed scripts launched
# through cscript.exe / wscript.exe -- confirm before relying on it for coverage reporting.
[[rule.threat.technique]]
id = "T1216"
name = "System Script Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1216/"

[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
# NOTE(review): cmstp.exe is not in the query's process.name list (and lives under System32,
# so the AppData branch will not catch it either); this sub-technique cannot currently fire.
# Either add cmstp.exe to the query or drop this mapping.
[[rule.threat.technique.subtechnique]]
id = "T1218.003"
name = "CMSTP"
reference = "https://attack.mitre.org/techniques/T1218/003/"

# installutil.exe in the query.
[[rule.threat.technique.subtechnique]]
id = "T1218.004"
name = "InstallUtil"
reference = "https://attack.mitre.org/techniques/T1218/004/"

# mshta.exe in the query.
[[rule.threat.technique.subtechnique]]
id = "T1218.005"
name = "Mshta"
reference = "https://attack.mitre.org/techniques/T1218/005/"

# RegSvcs.exe / RegAsm.exe in the query.
[[rule.threat.technique.subtechnique]]
id = "T1218.009"
name = "Regsvcs/Regasm"
reference = "https://attack.mitre.org/techniques/T1218/009/"

# regsvr32.exe in the query.
[[rule.threat.technique.subtechnique]]
id = "T1218.010"
name = "Regsvr32"
reference = "https://attack.mitre.org/techniques/T1218/010/"

# rundll32.exe in the query.
[[rule.threat.technique.subtechnique]]
id = "T1218.011"
name = "Rundll32"
reference = "https://attack.mitre.org/techniques/T1218/011/"


# msxsl.exe (and wmic.exe) in the query.
[[rule.threat.technique]]
id = "T1220"
name = "XSL Script Processing"
reference = "https://attack.mitre.org/techniques/T1220/"

# The `ping -n` step of the sequence is the time-based delay this mapping refers to.
[[rule.threat.technique]]
id = "T1497"
name = "Virtualization/Sandbox Evasion"
reference = "https://attack.mitre.org/techniques/T1497/"
[[rule.threat.technique.subtechnique]]
id = "T1497.003"
name = "Time Based Evasion"
reference = "https://attack.mitre.org/techniques/T1497/003/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
