Execution of Persistent Suspicious Program

  1[metadata]
  2creation_date = "2020/11/19"
  3integration = ["endpoint", "windows"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies execution of suspicious persistent programs (scripts, rundll32, etc.) by looking at process lineage and
 11command line usage.
 12"""
 13from = "now-9m"
 14index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"]
 15language = "eql"
 16license = "Elastic License v2"
 17name = "Execution of Persistent Suspicious Program"
 18note = """## Triage and analysis
 19
 20> **Disclaimer**:
 21> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 22
 23### Investigating Execution of Persistent Suspicious Program
 24
 25Persistent programs, like scripts or rundll32, are often used by adversaries to maintain access to a system. These programs can be executed at startup, leveraging process lineage and command line arguments to evade detection. The detection rule identifies suspicious executions by monitoring the sequence of processes initiated after user logon, focusing on known malicious executables and unusual file paths, thus highlighting potential abuse of persistence mechanisms.
 26
 27### Possible investigation steps
 28
 29- Review the process lineage to confirm the sequence of userinit.exe, explorer.exe, and the suspicious child process. Verify if the child process was indeed launched shortly after user logon.
 30- Examine the command line arguments of the suspicious process to identify any unusual or malicious patterns, especially those involving known suspicious paths like C:\\Users\\*, C:\\ProgramData\\*, or C:\\Windows\\Temp\\*.
 31- Check the original file name of the suspicious process against known malicious executables such as cscript.exe, wscript.exe, or PowerShell.EXE to determine if it matches any of these.
 32- Investigate the parent process explorer.exe to ensure it was not compromised or manipulated to launch the suspicious child process.
 33- Analyze the user account associated with the suspicious process to determine if it has been involved in any other suspicious activities or if it has elevated privileges that could be exploited.
 34- Review recent system changes or installations that might have introduced the suspicious executable or altered startup configurations.
 35
 36### False positive analysis
 37
 38- Legitimate administrative scripts or tools may trigger alerts if they are executed from common directories like C:\\Users or C:\\ProgramData. To manage this, create exceptions for known administrative scripts that are regularly used in your environment.
 39- Software updates or installations might use processes like PowerShell or RUNDLL32, leading to false positives. Identify and exclude these processes when they are part of a verified update or installation routine.
 40- Custom scripts or automation tasks that run at startup could be flagged. Document these tasks and exclude them from the rule if they are part of normal operations.
 41- Security or monitoring tools that use similar execution patterns may be mistakenly identified. Verify these tools and add them to an exclusion list to prevent unnecessary alerts.
 42- User-initiated actions that mimic suspicious behavior, such as running scripts from the command line, can cause false positives. Educate users on safe practices and adjust the rule to exclude known benign user actions.
 43
 44### Response and remediation
 45
 46- Isolate the affected host from the network to prevent further spread or communication with potential command and control servers.
 47- Terminate any suspicious processes identified in the alert, such as those executed by cscript.exe, wscript.exe, PowerShell.EXE, MSHTA.EXE, RUNDLL32.EXE, REGSVR32.EXE, RegAsm.exe, MSBuild.exe, or InstallUtil.exe.
 48- Remove any unauthorized or suspicious startup entries or scheduled tasks that may have been created to ensure persistence.
 49- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or remnants.
 50- Review and restore any modified system configurations or registry settings to their default or secure state.
 51- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
 52- Implement enhanced monitoring and logging for the affected host and similar systems to detect any recurrence or related suspicious activities."""
 53risk_score = 47
 54rule_id = "e7125cea-9fe1-42a5-9a05-b0792cf86f5a"
 55severity = "medium"
 56tags = [
 57    "Domain: Endpoint",
 58    "OS: Windows",
 59    "Use Case: Threat Detection",
 60    "Tactic: Persistence",
 61    "Data Source: Elastic Endgame",
 62    "Data Source: Elastic Defend",
 63    "Data Source: Sysmon",
 64    "Resources: Investigation Guide",
 65]
 66type = "eql"
 67
 68query = '''
 69/* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */
 70sequence by host.id, user.name with maxspan=1m
 71  [process where host.os.type == "windows" and event.type == "start" and process.name : "userinit.exe" and process.parent.name : "winlogon.exe"]
 72  [process where host.os.type == "windows" and event.type == "start" and process.name : "explorer.exe"]
 73  [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "explorer.exe" and
 74   /* add suspicious programs here */
 75   process.pe.original_file_name in ("cscript.exe",
 76                                     "wscript.exe",
 77                                     "PowerShell.EXE",
 78                                     "MSHTA.EXE",
 79                                     "RUNDLL32.EXE",
 80                                     "REGSVR32.EXE",
 81                                     "RegAsm.exe",
 82                                     "MSBuild.exe",
 83                                     "InstallUtil.exe") and
 84    /* add potential suspicious paths here */
 85    process.args : ("C:\\Users\\*", "C:\\ProgramData\\*", "C:\\Windows\\Temp\\*", "C:\\Windows\\Tasks\\*", "C:\\PerfLogs\\*", "C:\\Intel\\*")
 86   ]
 87'''
 88
 89
 90[[rule.threat]]
 91framework = "MITRE ATT&CK"
 92[[rule.threat.technique]]
 93id = "T1547"
 94name = "Boot or Logon Autostart Execution"
 95reference = "https://attack.mitre.org/techniques/T1547/"
 96[[rule.threat.technique.subtechnique]]
 97id = "T1547.001"
 98name = "Registry Run Keys / Startup Folder"
 99reference = "https://attack.mitre.org/techniques/T1547/001/"
100
101
102
103[rule.threat.tactic]
104id = "TA0003"
105name = "Persistence"
106reference = "https://attack.mitre.org/tactics/TA0003/"