Network Connection via Signed Binary
editNetwork Connection via Signed Binary
editBinaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to live off the land and execute malicious files that could bypass application allowlists and signature validation.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Defense Evasion
Version: 9
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editsequence by process.entity_id [process where (process.name : "expand.exe" or process.name : "extrac32.exe" or process.name : "ieexec.exe" or process.name : "makecab.exe") and event.type == "start"] [network where (process.name : "expand.exe" or process.name : "extrac32.exe" or process.name : "ieexec.exe" or process.name : "makecab.exe") and not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8")]
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: Signed Binary Proxy Execution
- ID: T1218
- Reference URL: https://attack.mitre.org/techniques/T1218/
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/