nldcsc-elastic-rules 0.0.8__py3-none-any.whl

nldcsc_elastic_rules/rules/windows/initial_access_execution_from_inetcache.toml

@@ -0,0 +1,143 @@
+[metadata]
+creation_date = "2024/02/14"
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
+maturity = "production"
+updated_date = "2025/09/11"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of a process with arguments pointing to the INetCache Folder. Adversaries may deliver malicious
+content via WININET during initial access.
+"""
+from = "now-9m"
+index = [
+    "endgame-*",
+    "logs-crowdstrike.fdr*",
+    "logs-endpoint.events.process-*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+    "logs-system.security*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
+    "winlogbeat-*",
+]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious Execution from INET Cache"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious Execution from INET Cache
+
+The INetCache folder stores temporary internet files, which can be exploited by adversaries to execute malicious payloads delivered via WININET. Attackers may disguise malware as legitimate files cached during browsing. The detection rule identifies suspicious processes initiated from this cache, especially when launched by common file explorers, signaling potential initial access or command and control activities.
+
+### Possible investigation steps
+
+- Review the process details to confirm the executable path and arguments match the INetCache folder pattern specified in the query.
+- Identify the parent process, such as explorer.exe, winrar.exe, 7zFM.exe, or Bandizip.exe, to determine if the process launch is consistent with typical user behavior or potentially malicious activity.
+- Check the user account associated with the process to assess if the activity aligns with the user's normal behavior or if the account may be compromised.
+- Investigate the file in the INetCache directory for known malware signatures or anomalies using antivirus or endpoint detection tools.
+- Analyze network activity from the host to identify any suspicious connections that may indicate command and control communication.
+- Correlate the event with other security alerts or logs to identify patterns or additional indicators of compromise related to the initial access or command and control tactics.
+
+### False positive analysis
+
+- Legitimate software updates or installations may temporarily use the INetCache folder for storing executable files. Users can create exceptions for known update processes by identifying their specific executable paths and excluding them from the rule.
+- Some browser extensions or plugins might cache executable files in the INetCache folder during normal operations. Users should monitor and whitelist these extensions if they are verified as safe and frequently trigger alerts.
+- Automated scripts or tools that interact with web content might inadvertently store executables in the INetCache folder. Users can adjust the rule to exclude these scripts by specifying their parent process names or paths.
+- Certain enterprise applications may use the INetCache folder for legitimate purposes. Users should collaborate with IT departments to identify these applications and configure exceptions based on their unique process signatures.
+- Regularly review and update the list of excluded processes to ensure that only verified and non-threatening activities are exempt from triggering alerts.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further communication with potential command and control servers.
+- Terminate any suspicious processes identified as originating from the INetCache folder to halt any ongoing malicious activity.
+- Delete any malicious files found within the INetCache directory to remove the immediate threat.
+- Conduct a full antivirus and antimalware scan on the affected system to identify and remove any additional threats.
+- Review and analyze recent email logs and web browsing history to identify potential phishing attempts or malicious downloads that may have led to the initial compromise.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+- Implement enhanced monitoring and logging for the INetCache directory and related processes to detect similar threats in the future."""
+references = [
+    "https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html",
+]
+risk_score = 73
+rule_id = "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78"
+severity = "high"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Initial Access",
+    "Tactic: Command and Control",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+    "Data Source: Windows Security Event Logs",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+  process.parent.name : ("explorer.exe", "winrar.exe", "7zFM.exe", "Bandizip.exe") and
+  (
+    process.args : "*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*" or
+    process.executable : (
+      "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*",
+
+      /* Crowdstrike specific condition as it uses NT Object paths */
+      "\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*"
+    )
+  ) and
+  not process.executable : (
+        "?:\\Program Files\\*.exe",
+        "?:\\Program Files (x86)\\*.exe",
+        "?:\\Windows\\System32\\mspaint.exe",
+        "?:\\Windows\\System32\\notepad.exe",
+
+        /* Crowdstrike specific exclusion as it uses NT Object paths */
+        "\\Device\\HarddiskVolume*\\Program Files\\*.exe",
+        "\\Device\\HarddiskVolume*\\Program Files (x86)\\*.exe",
+        "\\Device\\HarddiskVolume*\\Windows\\System32\\mspaint.exe",
+        "\\Device\\HarddiskVolume*\\Windows\\System32\\notepad.exe"
+  )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.001"
+name = "Spearphishing Attachment"
+reference = "https://attack.mitre.org/techniques/T1566/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+

nldcsc_elastic_rules/rules/windows/initial_access_execution_from_removable_media.toml

@@ -0,0 +1,93 @@
+[metadata]
+creation_date = "2023/09/27"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/01/15"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies process execution from a removable media and by an unusual process. Adversaries may move onto systems,
+possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of
+Autorun features when the media is inserted into a system and executes.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Execution from a Removable Media with Network Connection"
+risk_score = 21
+rule_id = "1542fa53-955e-4330-8e4d-b2d812adeb5f"
+severity = "low"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Initial Access",
+    "Data Source: Elastic Defend",
+    "Resources: Investigation Guide",
+]
+type = "eql"
+
+query = '''
+sequence by process.entity_id with maxspan=5m
+ [process where host.os.type == "windows" and event.action == "start" and
+
+  /* Direct Exec from USB */
+  (process.Ext.device.bus_type : "usb" or process.Ext.device.product_id : "USB *") and
+  (process.code_signature.trusted == false or process.code_signature.exists == false) and
+
+  not process.code_signature.status : ("errorExpired", "errorCode_endpoint*")]
+ [network where host.os.type == "windows" and event.action == "connection_attempted"]
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Execution from a Removable Media with Network Connection
+
+Removable media, like USB drives, are often used for data transfer but can be exploited by adversaries to introduce malware into isolated systems. Attackers may leverage autorun features to execute malicious code upon insertion. The detection rule identifies suspicious process executions from USB devices, especially those lacking valid code signatures, and correlates them with network connection attempts, signaling potential unauthorized access efforts.
+
+### Possible investigation steps
+
+- Review the process execution details, focusing on the process.entity_id to identify the specific process that was executed from the USB device.
+- Check the process.Ext.device.bus_type and process.Ext.device.product_id fields to confirm the involvement of a USB device and gather information about the specific device used.
+- Investigate the process.code_signature fields to determine if the process lacks a valid code signature, which could indicate malicious intent.
+- Correlate the process execution with network connection attempts by examining the network event logs, particularly looking for any unusual or unauthorized connection attempts.
+- Assess the context of the network connection attempt, including the destination IP address and port, to evaluate the potential risk and intent of the connection.
+- Gather additional context by reviewing recent activity on the host, such as other process executions or file modifications, to identify any further signs of compromise.
+- If necessary, isolate the affected system to prevent further unauthorized access or data exfiltration while continuing the investigation.
+
+### False positive analysis
+
+- Legitimate software installations from USB drives may trigger the rule. To manage this, create exceptions for known software installers by verifying their code signatures and adding them to an allowlist.
+- IT administrators often use USB devices for system updates or maintenance. Identify and exclude these activities by correlating them with known administrator accounts or devices.
+- Some organizations use USB devices for regular data transfers. Establish a baseline of normal USB activity and exclude these patterns from triggering alerts.
+- Devices with expired but previously trusted code signatures might be flagged. Regularly update the list of trusted certificates and exclude processes with known expired signatures that are still considered safe.
+- Network connection attempts by legitimate applications running from USB drives can be mistaken for threats. Monitor and document these applications, then configure exceptions based on their process names and network behavior.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
+- Disable autorun features on all systems to prevent automatic execution of potentially malicious code from removable media.
+- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malware.
+- Review and block any suspicious network connections originating from the affected system to prevent communication with potential command and control servers.
+- Collect and preserve relevant logs and forensic evidence from the affected system and removable media for further analysis and potential legal action.
+- Escalate the incident to the security operations center (SOC) or incident response team for a comprehensive investigation and to determine if other systems may be affected.
+- Implement enhanced monitoring and alerting for similar activities, focusing on process executions from removable media and unauthorized network connection attempts."""
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1091"
+name = "Replication Through Removable Media"
+reference = "https://attack.mitre.org/techniques/T1091/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+

nldcsc_elastic_rules/rules/windows/initial_access_execution_remote_via_msiexec.toml

@@ -0,0 +1,136 @@
+[metadata]
+creation_date = "2023/09/28"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/01/15"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of the built-in Windows Installer, msiexec.exe, to install a remote package. Adversaries may
+abuse msiexec.exe to launch local or network accessible MSI files.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Remote File Execution via MSIEXEC"
+risk_score = 21
+rule_id = "3e441bdb-596c-44fd-8628-2cfdf4516ada"
+severity = "low"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Initial Access",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Defend",
+    "Resources: Investigation Guide",
+]
+type = "eql"
+
+query = '''
+sequence with maxspan=1m
+ [process where host.os.type == "windows" and event.action == "start" and
+    process.name : "msiexec.exe" and process.args : "/V"] by process.entity_id
+ [network where host.os.type == "windows" and process.name : "msiexec.exe" and
+    event.action == "connection_attempted"] by process.entity_id
+ [process where host.os.type == "windows" and event.action == "start" and
+  process.parent.name : "msiexec.exe" and user.id : ("S-1-5-21-*", "S-1-5-12-1-*") and
+  not process.executable : ("?:\\Windows\\SysWOW64\\msiexec.exe",
+                            "?:\\Windows\\System32\\msiexec.exe",
+                            "?:\\Windows\\System32\\srtasks.exe",
+                            "?:\\Windows\\SysWOW64\\srtasks.exe",
+                            "?:\\Windows\\System32\\taskkill.exe",
+                            "?:\\Windows\\Installer\\MSI*.tmp",
+                            "?:\\Program Files\\*.exe",
+                            "?:\\Program Files (x86)\\*.exe",
+                            "?:\\Windows\\System32\\ie4uinit.exe",
+                            "?:\\Windows\\SysWOW64\\ie4uinit.exe",
+                            "?:\\Windows\\System32\\sc.exe",
+                            "?:\\Windows\\system32\\Wbem\\mofcomp.exe",
+                            "?:\\Windows\\twain_32\\fjscan32\\SOP\\crtdmprc.exe",
+                            "?:\\Windows\\SysWOW64\\taskkill.exe",
+                            "?:\\Windows\\SysWOW64\\schtasks.exe",
+                            "?:\\Windows\\system32\\schtasks.exe",
+                            "?:\\Windows\\System32\\sdbinst.exe") and
+  not (process.code_signature.subject_name == "Citrix Systems, Inc." and process.code_signature.trusted == true) and
+  not (process.name : ("regsvr32.exe", "powershell.exe", "rundll32.exe", "wscript.exe") and
+       process.Ext.token.integrity_level_name == "high" and
+       process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")) and
+  not (process.executable : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe") and process.code_signature.trusted == true) and
+  not (process.name : "rundll32.exe" and process.args : "printui.dll,PrintUIEntry")
+  ] by process.parent.entity_id
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential Remote File Execution via MSIEXEC
+
+MSIEXEC, the Windows Installer, facilitates software installation, modification, and removal. Adversaries exploit it to execute remote MSI files, bypassing security controls. The detection rule identifies suspicious MSIEXEC activity by monitoring process starts, network connections, and child processes, filtering out known benign signatures and paths, thus highlighting potential misuse for initial access or defense evasion.
+
+### Possible investigation steps
+
+- Review the process start event for msiexec.exe to identify the command-line arguments used, focusing on the presence of the "/V" flag, which indicates a remote installation attempt.
+- Examine the network connection attempts associated with msiexec.exe to determine the remote IP addresses or domains being contacted, and assess their reputation or any known associations with malicious activity.
+- Investigate the child processes spawned by msiexec.exe, especially those not matching known benign executables or paths, to identify any suspicious or unexpected activity.
+- Check the user ID associated with the msiexec.exe process to verify if it aligns with expected user behavior or if it indicates potential compromise, especially focusing on user IDs like "S-1-5-21-*" or "S-1-5-12-1-*".
+- Analyze the code signature of any child processes to ensure they are trusted and expected, paying particular attention to any unsigned or untrusted executables.
+- Correlate the alert with any recent phishing attempts or suspicious emails received by the user, as the MITRE ATT&CK technique T1566 (Phishing) is associated with this rule.
+
+### False positive analysis
+
+- Legitimate software installations using msiexec.exe may trigger the rule. To manage this, create exceptions for known software update processes that use msiexec.exe with trusted code signatures.
+- System maintenance tasks that involve msiexec.exe, such as Windows updates or system repairs, can be excluded by identifying and allowing specific system paths and executables involved in these processes.
+- Enterprise software deployment tools that utilize msiexec.exe for remote installations might cause false positives. Exclude these by verifying the code signature and adding exceptions for trusted deployment tools.
+- Administrative scripts or automation tools that invoke msiexec.exe for legitimate purposes should be reviewed and, if verified as safe, excluded based on their execution context and code signature.
+- Network monitoring tools or security software that simulate msiexec.exe activity for testing or monitoring purposes can be excluded by identifying their specific signatures and paths.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration. This can be done by disabling network interfaces or moving the system to a quarantine VLAN.
+- Terminate the msiexec.exe process if it is still running to stop any ongoing malicious activity. Use task management tools or scripts to ensure the process is completely stopped.
+- Conduct a thorough review of the system for any unauthorized changes or installations. Check for newly installed software or modifications to system files that could indicate further compromise.
+- Restore the system from a known good backup if unauthorized changes are detected and cannot be easily reversed. Ensure the backup is clean and free from any malicious alterations.
+- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. This includes applying all relevant Windows updates and security patches.
+- Enhance monitoring and logging on the affected system and network to detect any similar future attempts. Ensure that all relevant security events are being captured and analyzed.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. Provide them with all relevant logs and findings for a comprehensive analysis."""
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.002"
+name = "Spearphishing Link"
+reference = "https://attack.mitre.org/techniques/T1566/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+[[rule.threat.technique.subtechnique]]
+id = "T1218.007"
+name = "Msiexec"
+reference = "https://attack.mitre.org/techniques/T1218/007/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

nldcsc_elastic_rules/rules/windows/initial_access_execution_via_office_addins.toml

@@ -0,0 +1,160 @@
+[metadata]
+creation_date = "2023/03/20"
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+maturity = "production"
+updated_date = "2025/03/20"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with
+an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.
+"""
+from = "now-9m"
+index = [
+    "winlogbeat-*",
+    "logs-endpoint.events.process-*",
+    "logs-windows.sysmon_operational-*",
+    "endgame-*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious Execution via Microsoft Office Add-Ins"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Suspicious Execution via Microsoft Office Add-Ins
+
+Microsoft Office Add-Ins enhance productivity by integrating additional features into Office applications. However, adversaries can exploit this by embedding malicious code within add-ins, often delivered through phishing. The detection rule identifies unusual execution patterns, such as Office apps launching add-ins from suspicious paths or with atypical parent processes, signaling potential threats. It filters out known benign activities to minimize false positives, focusing on genuine anomalies indicative of malicious intent.
+
+### Possible investigation steps
+
+- Review the process name and arguments to confirm if the execution involves a Microsoft Office application launching an add-in from a suspicious path, as indicated by the process.name and process.args fields.
+- Check the parent process name to determine if the Office application was launched by an unusual or potentially malicious parent process, such as cmd.exe or powershell.exe, using the process.parent.name field.
+- Investigate the file path from which the add-in was executed to assess if it matches any of the suspicious paths listed in the query, such as the Temp or Downloads directories, using the process.args field.
+- Examine the host's recent activity logs to identify any related events or patterns that might indicate a broader attack or compromise, focusing on the host.os.type and event.type fields.
+- Correlate the alert with any recent phishing attempts or suspicious emails received by the user to determine if the execution is part of a phishing campaign, leveraging the MITRE ATT&CK tactic and technique information provided.
+- Verify if the execution is a false positive by checking against the known benign activities excluded in the query, such as specific VSTOInstaller.exe paths or arguments, to rule out legitimate software installations or updates.
+
+### False positive analysis
+
+- Logitech software installations can trigger false positives when VSTO files are executed by Logitech's PlugInInstallerUtility. To mitigate this, exclude processes with paths related to Logitech installations from the detection rule.
+- The VSTOInstaller.exe process may be flagged when uninstalling applications. Exclude processes with the /Uninstall argument to prevent these false positives.
+- Rundll32.exe executing with specific arguments related to MSI temporary files can be benign. Exclude these specific rundll32.exe executions to avoid false alerts.
+- Sidekick.vsto installations from the specified URL can be legitimate. Exclude this specific VSTOInstaller.exe process with the Sidekick.vsto argument to reduce false positives.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any ongoing malicious activity.
+- Terminate any suspicious processes identified by the detection rule, such as those involving unusual parent processes or originating from suspicious paths.
+- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious add-ins or related malware.
+- Review and clean up any unauthorized or suspicious Office add-ins from the affected applications to ensure no malicious code remains.
+- Restore the system from a known good backup if the integrity of the system is compromised and cannot be assured through cleaning alone.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+- Implement additional monitoring and alerting for similar suspicious activities to enhance detection and response capabilities for future incidents."""
+references = [
+    "https://github.com/Octoberfest7/XLL_Phishing",
+    "https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/",
+]
+risk_score = 47
+rule_id = "ae8a142c-6a1d-4918-bea7-0b617e99ecfa"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Initial Access",
+    "Tactic: Persistence",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: SentinelOne",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where
+
+    host.os.type == "windows" and event.type == "start" and
+
+    process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSACCESS.EXE", "VSTOInstaller.exe") and
+
+    process.args regex~ """.+\.(wll|xll|ppa|ppam|xla|xlam|vsto)""" and
+
+    /* Office Add-In from suspicious paths */
+    (process.args :
+             ("?:\\Users\\*\\Temp\\7z*",
+              "?:\\Users\\*\\Temp\\Rar$*",
+              "?:\\Users\\*\\Temp\\Temp?_*",
+              "?:\\Users\\*\\Temp\\BNZ.*",
+              "?:\\Users\\*\\Downloads\\*",
+              "?:\\Users\\*\\AppData\\Roaming\\*",
+              "?:\\Users\\Public\\*",
+              "?:\\ProgramData\\*",
+              "?:\\Windows\\Temp\\*",
+              "\\Device\\*",
+              "http*") or
+
+    process.parent.name : ("explorer.exe", "OpenWith.exe") or
+
+    /* Office Add-In from suspicious parent */
+    process.parent.name : ("cmd.exe", "powershell.exe")) and
+
+    /* False Positives */
+    not (process.args : "*.vsto" and
+         process.parent.executable :
+                   ("?:\\Program Files\\Logitech\\LogiOptions\\PlugInInstallerUtility*.exe",
+                    "?:\\ProgramData\\Logishrd\\LogiOptions\\Plugins\\VSTO\\*\\VSTOInstaller.exe",
+                    "?:\\Program Files\\Logitech\\LogiOptions\\PlugInInstallerUtility.exe",
+                    "?:\\Program Files\\LogiOptionsPlus\\PlugInInstallerUtility*.exe",
+                    "?:\\ProgramData\\Logishrd\\LogiOptionsPlus\\Plugins\\VSTO\\*\\VSTOInstaller.exe",
+                    "?:\\Program Files\\Common Files\\microsoft shared\\VSTO\\*\\VSTOInstaller.exe")) and
+    not (process.args : "/Uninstall" and process.name : "VSTOInstaller.exe") and
+    not (process.parent.name : "rundll32.exe" and
+         process.parent.args : "?:\\WINDOWS\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc") and
+    not (process.name : "VSTOInstaller.exe" and process.args : "https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.001"
+name = "Spearphishing Attachment"
+reference = "https://attack.mitre.org/techniques/T1566/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1137"
+name = "Office Application Startup"
+reference = "https://attack.mitre.org/techniques/T1137/"
+[[rule.threat.technique.subtechnique]]
+id = "T1137.006"
+name = "Add-ins"
+reference = "https://attack.mitre.org/techniques/T1137/006/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+

nldcsc_elastic_rules/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml

@@ -0,0 +1,124 @@
+[metadata]
+creation_date = "2023/03/16"
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+maturity = "production"
+updated_date = "2025/03/20"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies newly seen removable devices by device friendly name using registry modification events. While this activity
+is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.
+"""
+from = "now-9m"
+index = [
+    "logs-endpoint.events.registry-*",
+    "winlogbeat-*",
+    "logs-windows.sysmon_operational-*",
+    "endgame-*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Time Seen Removable Device"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating First Time Seen Removable Device
+
+Removable devices, like USB drives, are common in Windows environments for data transfer. Adversaries exploit these to introduce malware or exfiltrate data, leveraging their plug-and-play nature. The detection rule monitors registry changes for new device names, signaling potential unauthorized access. By focusing on first-time-seen devices, it helps identify suspicious activities linked to data exfiltration or initial access attempts.
+
+### Possible investigation steps
+
+- Review the registry event details to confirm the presence of a new device by checking the registry.value for "FriendlyName" and registry.path for USBSTOR.
+- Correlate the timestamp of the registry event with user activity logs to identify which user was logged in at the time of the device connection.
+- Check for any subsequent file access or transfer events involving the new device to assess potential data exfiltration.
+- Investigate the device's history by searching for any previous connections to other systems within the network to determine if it has been used elsewhere.
+- Analyze any related alerts or logs from data sources like Elastic Endgame, Sysmon, or Microsoft Defender for Endpoint for additional context or suspicious activities linked to the device.
+
+### False positive analysis
+
+- Frequent use of company-issued USB drives for legitimate data transfer can trigger alerts. Maintain a list of approved devices and create exceptions for these in the monitoring system.
+- Software updates or installations via USB drives may be flagged. Identify and whitelist known update devices or processes to prevent unnecessary alerts.
+- IT department activities involving USB devices for maintenance or troubleshooting can appear suspicious. Coordinate with IT to log and exclude these routine operations from triggering alerts.
+- Devices used for regular backups might be detected as new. Ensure backup devices are registered and excluded from the rule to avoid false positives.
+- Personal USB devices used by employees for non-work-related purposes can cause alerts. Implement a policy for registering personal devices and exclude them if deemed non-threatening.
+
+### Response and remediation
+
+- Immediately isolate the affected host from the network to prevent potential data exfiltration or further spread of malware.
+- Conduct a thorough scan of the isolated host using updated antivirus and anti-malware tools to identify and remove any malicious software introduced via the removable device.
+- Review and analyze the registry changes logged by the detection rule to confirm the legitimacy of the device and assess any unauthorized access attempts.
+- If malicious activity is confirmed, collect and preserve relevant logs and evidence for further forensic analysis and potential legal action.
+- Notify the security team and relevant stakeholders about the incident, providing details of the device and any identified threats.
+- Implement a temporary block on the use of removable devices across the network until the threat is fully contained and remediated.
+- Enhance monitoring and detection capabilities by updating security tools and rules to better identify similar threats in the future, focusing on registry changes and device connections."""
+references = [
+    "https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html",
+    "https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings",
+]
+risk_score = 21
+rule_id = "0859355c-0f08-4b43-8ff5-7d2a4789fc08"
+severity = "low"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Initial Access",
+    "Tactic: Exfiltration",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: SentinelOne",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.category:"registry" and host.os.type:"windows" and registry.value:"FriendlyName" and registry.path:*USBSTOR*
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1091"
+name = "Replication Through Removable Media"
+reference = "https://attack.mitre.org/techniques/T1091/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1052"
+name = "Exfiltration Over Physical Medium"
+reference = "https://attack.mitre.org/techniques/T1052/"
+[[rule.threat.technique.subtechnique]]
+id = "T1052.001"
+name = "Exfiltration over USB"
+reference = "https://attack.mitre.org/techniques/T1052/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["registry.path"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
+
+