[Rule Tuning] Suspicious Execution from a Mounted Device #4603

kenza-ab opened this issue Apr 10, 2025 · 1 comment
community Rule: Tuning tweaking or tuning an existing rule Team: TRADE

Comments

@kenza-ab

kenza-ab commented Apr 10, 2025

Link to Rule

name = "Suspicious Execution from a Mounted Device"

Rule Tuning Type

Behavioral Tuning - Refining rules to better detect deviations from typical behavior.

Description

Title: Detection Rule Fails When process.working_directory Has Subdirectory in Non-Standard Drive

Description:

Hello Elastic team,

We're currently testing the following detection rule, intended to catch suspicious script executions launched from non-standard drives (i.e., other than C:\):

process where host.os.type == "windows" and event.type == "start" and process.executable : "C:\\*" and
(process.working_directory : "?:\\" and not process.working_directory: "C:\\") and
process.parent.name : "explorer.exe" and
process.name : ("rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "regsvr32.exe", "cscript.exe", "wscript.exe")

Problem:

We noticed that this rule does not trigger alerts in cases where a suspicious script (e.g., wscript.exe) is launched from a subdirectory on a non-C drive.

Example Data

Example:

  • process.name: wscript.exe
  • process.parent.name: explorer.exe
  • process.working_directory: F:\rootdir\

No alert was triggered, despite the working directory clearly not being on the C:\ drive.

Concern:

It seems that the use of the following part might not be matching as intended when the working directory includes additional path depth like F:\rootdir\:

(process.working_directory : "?:\\" and not process.working_directory: "C:\\")

Solution:

The following query resolves the issue:

process where host.os.type == "windows" and event.type == "start" and process.executable : "C:\\*" and
(process.working_directory : "?:\\*" and not process.working_directory: "C:\\*") and
process.parent.name : "Explorer.EXE" and
process.name : ("rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "regsvr32.exe", "cscript.exe", "wscript.exe")

Example of Emerging Threats

Example of emerging threats: Tangerine Turkey
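To make the wildcard behaviour concrete, here is an added example (not part of the issue or of Elastic's rule set) that models the EQL `:` operator as a case-insensitive glob where `*` matches any run of characters and `?` exactly one character, then evaluates the original and the tuned working-directory clauses against constructed sample process-start events. The `eql_like` helper is an assumed approximation of the operator, not Elastic's implementation, and the events are constructed for illustration.

```python
import re

# Constructed sample events (not from the reporter's environment). The first one
# mirrors the issue's example: wscript.exe launched from F:\rootdir\ via Explorer.
SAMPLE_EVENTS = [
    {"host.os.type": "windows", "event.type": "start",
     "process.name": "wscript.exe", "process.parent.name": "Explorer.EXE",
     "process.executable": "C:\\Windows\\System32\\wscript.exe",
     "process.working_directory": "F:\\rootdir\\"},
    {"host.os.type": "windows", "event.type": "start",
     "process.name": "cmd.exe", "process.parent.name": "explorer.exe",
     "process.executable": "C:\\Windows\\System32\\cmd.exe",
     "process.working_directory": "E:\\"},
    {"host.os.type": "windows", "event.type": "start",
     "process.name": "powershell.exe", "process.parent.name": "explorer.exe",
     "process.executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "process.working_directory": "C:\\Users\\alice\\Documents\\"},
    {"host.os.type": "windows", "event.type": "start",
     "process.name": "notepad.exe", "process.parent.name": "explorer.exe",
     "process.executable": "C:\\Windows\\System32\\notepad.exe",
     "process.working_directory": "D:\\"},
]

WATCHED_PROCESSES = ("rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe",
                     "cmd.exe", "regsvr32.exe", "cscript.exe", "wscript.exe")

# Working-directory clauses as written in the issue (Python "\\" is one backslash,
# just as the EQL literal "\\" is).
ORIGINAL_CLAUSE = {"any_drive": "?:\\", "c_drive": "C:\\"}
TUNED_CLAUSE = {"any_drive": "?:\\*", "c_drive": "C:\\*"}


def eql_like(pattern: str, value: str) -> bool:
    """Assumed model of EQL ':' matching: whole-string, case-insensitive,
    '*' = any run of characters, '?' = exactly one character."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def rule_matches(event: dict, clause: dict) -> bool:
    """Evaluate the issue's rule with the given working-directory clause."""
    wd = event["process.working_directory"]
    return (
        event.get("host.os.type") == "windows"
        and event.get("event.type") == "start"
        and eql_like("C:\\*", event["process.executable"])
        and eql_like(clause["any_drive"], wd)
        and not eql_like(clause["c_drive"], wd)
        and eql_like("explorer.exe", event["process.parent.name"])
        and any(eql_like(p, event["process.name"]) for p in WATCHED_PROCESSES)
    )


def alerting_directories(events: list, clause: dict) -> list:
    """Return the working directories of events that would raise an alert."""
    return [e["process.working_directory"] for e in events if rule_matches(e, clause)]


if __name__ == "__main__":
    # "?:\" has no trailing "*", so it only matches a bare drive root like "E:\".
    print("original matches F:\\rootdir\\ ?", eql_like("?:\\", "F:\\rootdir\\"))
    print("original:", alerting_directories(SAMPLE_EVENTS, ORIGINAL_CLAUSE))
    print("tuned:   ", alerting_directories(SAMPLE_EVENTS, TUNED_CLAUSE))
```

Running it shows the original clause alerting only on the bare `E:\` root, while the tuned clause also catches `F:\rootdir\` and still excludes the `C:\Users\...` event; the `Explorer.EXE` parent matches in both variants because the modelled operator, like EQL `:`, is case-insensitive.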

@kenza-ab kenza-ab added Rule: Tuning tweaking or tuning an existing rule Team: TRADE labels Apr 10, 2025
@kenza-ab kenza-ab changed the title [Rule Tuning] Name of rule [Rule Tuning] Suspicious Execution from a Mounted Device Apr 10, 2025
@w0rk3r w0rk3r self-assigned this Apr 16, 2025
@mgarzon

mgarzon commented Apr 22, 2025

Since we are updating the rule to include root and all folders on drives other than C:\, we should also include other widely abused process names: certutil.exe, bitsadmin.exe, msiexec.exe, wmic.exe, schtasks.exe, msbuild.exe and rundll32.exe.
