forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[New] Potential Foxmail Exploitation (elastic#4044)
* Create execution_initial_access_foxmail_exploit.toml * Update execution_initial_access_foxmail_exploit.toml --------- Co-authored-by: Colson Wilhoit <[email protected]>
- Loading branch information
1 parent
41a7a5f
commit 31ca246
Showing
1 changed file
with
78 additions
and
0 deletions.
There are no files selected for viewing
78 changes: 78 additions & 0 deletions
78
rules/windows/execution_initial_access_foxmail_exploit.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| [metadata] | ||
| creation_date = "2024/08/29" | ||
| integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"] | ||
| maturity = "production" | ||
| updated_date = "2024/09/16" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| description = """ | ||
| Identifies the Foxmail client spawning a child process with argument pointing to the Foxmail temp directory. | ||
| This may indicate the successful exploitation of a Foxmail vulnerability for initial access and execution via | ||
| a malicious email. | ||
| """ | ||
| from = "now-9m" | ||
| index = [ | ||
| "winlogbeat-*", | ||
| "logs-windows.*", | ||
| "endgame-*", | ||
| "logs-system.security*", | ||
| "logs-windows.sysmon_operational-*", | ||
| "logs-sentinel_one_cloud_funnel.*", | ||
| "logs-m365_defender.event-*", | ||
| "logs-endpoint.events.process-*" | ||
| ] | ||
| language = "eql" | ||
| license = "Elastic License v2" | ||
| name = "Potential Foxmail Exploitation" | ||
| references = ["https://mp.weixin.qq.com/s/F8hNyESBdKhwXkQPgtGpew"] | ||
| risk_score = 73 | ||
| rule_id = "2c6a6acf-0dcb-404d-89fb-6b0327294cfa" | ||
| severity = "high" | ||
| tags = [ | ||
| "Domain: Endpoint", | ||
| "OS: Windows", | ||
| "Use Case: Threat Detection", | ||
| "Tactic: Initial Access", | ||
| "Tactic: Execution", | ||
| "Data Source: Elastic Defend", | ||
| "Data Source: Sysmon", | ||
| "Data Source: System", | ||
| "Data Source: Elastic Endgame", | ||
| "Data Source: SentinelOne", | ||
| "Data Source: Microsoft Defender for Endpoint" | ||
| ] | ||
| timestamp_override = "event.ingested" | ||
| type = "eql" | ||
|
|
||
| query = ''' | ||
| process where host.os.type == "windows" and event.type == "start" and | ||
| process.parent.name : "Foxmail.exe" and process.args : ("?:\\Users\\*\\AppData\\*", "\\\\*") | ||
| ''' | ||
|
|
||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1203" | ||
| name = "Exploitation for Client Execution" | ||
| reference = "https://attack.mitre.org/techniques/T1203/" | ||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0002" | ||
| name = "Execution" | ||
| reference = "https://attack.mitre.org/tactics/TA0002/" | ||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1189" | ||
| name = "Drive-by Compromise" | ||
| reference = "https://attack.mitre.org/techniques/T1189/" | ||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0001" | ||
| name = "Initial Access" | ||
| reference = "https://attack.mitre.org/tactics/TA0001/" |