forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathexecution_via_net_com_assemblies.toml
More file actions
55 lines (46 loc) · 1.48 KB
/
execution_via_net_com_assemblies.toml
File metadata and controls
55 lines (46 loc) · 1.48 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
[metadata]
creation_date = "2020/03/25"
deprecation_date = "2021/03/17"
maturity = "deprecated"
updated_date = "2021/03/17"
[rule]
author = ["Elastic"]
description = """
RegSvcs.exe and RegAsm.exe are Windows command line utilities that are used to register .NET Component Object Model
(COM) assemblies. Adversaries can use RegSvcs.exe and RegAsm.exe to proxy execution of code through a trusted Windows
utility.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "Execution via Regsvcs/Regasm"
risk_score = 21
rule_id = "47f09343-8d1f-4bb5-8bb0-00c9d18f5010"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and process.name:(RegAsm.exe or RegSvcs.exe)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "Signed Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.009"
name = "Regsvcs/Regasm"
reference = "https://attack.mitre.org/techniques/T1218/009/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"