From 046978579304422e07a610fe0efb33a9df43f801 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Mon, 15 Jan 2024 11:16:04 -0300
Subject: [PATCH] [Rule Tuning] Windows DR Tuning - 14 (#3376)
* [Rule Tuning] Windows DR Tuning - 14
* Update persistence_suspicious_com_hijack_registry.toml
* Update rules/windows/persistence_webshell_detection.toml
---
 ...stence_suspicious_com_hijack_registry.toml | 119 ++++++++++++++----
 .../persistence_time_provider_mod.toml | 9 +-
 .../persistence_webshell_detection.toml | 14 ++-
 ...lege_escalation_expired_driver_loaded.toml | 6 +-
 ..._printspooler_service_suspicious_file.toml | 17 ++-
 5 files changed, 128 insertions(+), 37 deletions(-)
diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml
index 4a064c0a3..4a92037eb 100644
--- a/rules/windows/persistence_suspicious_com_hijack_registry.toml
+++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/09"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies Component Object Model (COM) hijacking via registry modification. Adv
 executing malicious content triggered by hijacked references to COM objects.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*"]
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Component Object Model Hijacking"
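Review bot: Removing `endgame-*` from `index` narrows this rule to Endpoint telemetry only, and nothing in the hunk or the commit description records that intent; if the rule's `tags` or `required_fields` still name the Endgame data source they are now stale, though those lines are outside this hunk. The `\\REGISTRY\\*` path forms dropped in the later hunk of this file are the Endgame-style paths, so the two edits depend on each other, and a one-line note in the rule (for example in its `note` field, `Endgame data source removed; registry paths are Endpoint format only`) would keep a later tuner from re-adding one without the other.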
@@ -84,39 +84,110 @@ registry where host.os.type == "windows" and user.domain != "NT AUTHORITY" and ( ( - registry.path : ("HK*\\InprocServer32\\", "\\REGISTRY\\*\\InprocServer32\\") and - registry.data.strings: ("scrobj.dll", "C:\\*\\scrobj.dll") and + registry.path : "HK*\\InprocServer32\\" and + registry.data.strings: ("scrobj.dll", "?:\\*\\scrobj.dll") and not registry.path : "*\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\*" ) or - /* in general COM Registry changes on Users Hive is less noisy and worth alerting */ - (registry.path : ( - "HKEY_USERS\\*\\InprocServer32\\", - "HKEY_USERS\\*\\LocalServer32\\", - "HKEY_USERS\\*\\DelegateExecute*", - "HKEY_USERS\\*\\TreatAs*", - "HKEY_USERS\\*\\ScriptletURL*", - "\\REGISTRY\\USER\\*\\InprocServer32\\", - "\\REGISTRY\\USER\\*\\LocalServer32\\", - "\\REGISTRY\\USER\\*\\DelegateExecute*", - "\\REGISTRY\\USER\\*\\TreatAs*", - "\\REGISTRY\\USER\\*\\ScriptletURL*" - ) and not ( - process.executable : "?:\\Program Files*\\Veeam\\Backup and Replication\\Console\\veeam.backup.shell.exe" and - registry.path : ( - "HKEY_USERS\\S-1-*_Classes\\CLSID\\*\\LocalServer32\\", - "\\REGISTRY\\USER\\S-1-*_Classes\\CLSID\\*\\LocalServer32\\")) + registry.path : "HKLM\\*\\InProcServer32\\*" and + registry.data.strings : ("*\\Users\\*", "*\\ProgramData\\*") ) or + /* in general COM Registry changes on Users Hive is less noisy and worth alerting */ ( - registry.path : ("HKLM\\*\\InProcServer32\\*", "\\REGISTRY\\MACHINE\\*\\InProcServer32\\*") and - registry.data.strings : ("*\\Users\\*", "*\\ProgramData\\*") + registry.path : ( + "HKEY_USERS\\*\\InprocServer32\\", + "HKEY_USERS\\*\\LocalServer32\\", + "HKEY_USERS\\*\\DelegateExecute", + "HKEY_USERS\\*\\TreatAs\\", + "HKEY_USERS\\*\\ScriptletURL*" + ) and + not + ( + ( + process.name : "svchost.exe" and + process.code_signature.trusted == true and process.code_signature.subject_name == "Microsoft Windows Publisher" and + registry.value : "DelegateExecute" and + registry.data.strings : ( + /* 
https://strontic.github.io/xcyclopedia/library/clsid_4ED3A719-CEA8-4BD9-910D-E252F997AFC2.html */ + "{4ED3A719-CEA8-4BD9-910D-E252F997AFC2}", + + /* https://strontic.github.io/xcyclopedia/library/clsid_A56A841F-E974-45C1-8001-7E3F8A085917.html */ + "{A56A841F-E974-45C1-8001-7E3F8A085917}", + + /* https://strontic.github.io/xcyclopedia/library/clsid_BFEC0C93-0B7D-4F2C-B09C-AFFFC4BDAE78.html */ + "{BFEC0C93-0B7D-4F2C-B09C-AFFFC4BDAE78}", + "%SystemRoot%\\system32\\shdocvw.dll" + ) + ) or + ( + process.name : "veeam.backup.shell.exe" and + registry.path : "HKEY_USERS\\S-1-*_Classes\\CLSID\\*\\LocalServer32\\" and + process.code_signature.trusted == true and process.code_signature.subject_name == "Veeam Software Group GmbH" + ) or + ( + process.name : ("ADNotificationManager.exe", "Creative Cloud.exe") and + process.code_signature.trusted == true and process.code_signature.subject_name == "Adobe Inc." and + registry.data.strings : ( + "\"?:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\ADNotificationManager.exe\" -ToastActivated", + "\"?:\\Program Files (x86)\\Adobe\\Acrobat DC\\Acrobat\\ADNotificationManager.exe\" -ToastActivated", + "\"?:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\ADNotificationManager.exe\" -ToastActivated", + "\"?:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\ADNotificationManager.exe\" -ToastActivated", + "\"?:\\Program Files\\Adobe\\Adobe Creative Cloud\\ACC\\Creative Cloud.exe\" -ToastActivated" + ) + ) or + ( + process.name : ("IslandUpdateComRegisterShell64.exe", "IslandUpdate.exe", "GoogleUpdateComRegisterShell64.exe") and + process.code_signature.trusted == true and + process.code_signature.subject_name in ("Island Technology Inc.", "Google LLC") and + registry.data.strings : ( + "*?:\\Users\\*\\AppData\\Local\\Island\\Update\\*", + "*?:\\Users\\*\\AppData\\Local\\Google\\Update\\*" + ) + ) or + ( + process.name : ("SelfService.exe", "WfShell.exe") and + process.code_signature.trusted == true and 
process.code_signature.subject_name == "Citrix Systems, Inc." and + registry.data.strings : ( + "\"?:\\Program Files (x86)\\Citrix\\ICA Client\\SelfServicePlugin\\SelfService.exe\" -ToastActivated", + "%SystemRoot%\\system32\\shdocvw.dll", + "%SystemRoot%\\sysWOW64\\shdocvw.dll" + ) + ) or + ( + process.name : ("msrdcw.exe") and + process.code_signature.trusted == true and process.code_signature.subject_name == "Microsoft Corporation" and + registry.data.strings : ( + "\"?:\\Program Files\\Remote Desktop\\msrdcw.exe\" -ToastActivated", + "\"?:\\Users\\*\\AppData\\Local\\Apps\\Remote Desktop\\msrdcw.exe\" -ToastActivated" + ) + ) or + ( + process.name : ("ssvagent.exe") and + process.code_signature.trusted == true and process.code_signature.subject_name == "Oracle America, Inc." and + registry.data.strings : ( + "?:\\Program Files\\Java\\jre*\\bin\\jp2iexp.dll", + "?:\\Program Files (x86)\\Java\\jre*\\bin\\jp2iexp.dll" + ) + ) or + ( + process.name : ("hpnotifications.exe") and + process.code_signature.trusted == true and process.code_signature.subject_name == "HP Inc." and + registry.data.strings : ( + "\"?:\\Windows\\System32\\DriverStore\\FileRepository\\hpsvcsscancomp.inf_amd64_*\\x64\\hpnotifications.exe\" -ToastActivated" + ) + ) + ) ) ) and /* removes false-positives generated by OneDrive and Teams */ - not process.name: ("OneDrive.exe", "OneDriveSetup.exe", "FileSyncConfig.exe", "Teams.exe") and + not + ( + process.name: ("OneDrive.exe", "OneDriveSetup.exe", "FileSyncConfig.exe", "Teams.exe") and + process.code_signature.trusted == true and process.code_signature.subject_name in ("Microsoft Windows", "Microsoft Corporation") + ) and /* Teams DLL loaded by regsvr */ not (process.name: "regsvr32.exe" and registry.data.strings : "*Microsoft.Teams.*.dll") diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml index 2929ff22a..50dd0ae13 100644 --- a/rules/windows/persistence_time_provider_mod.toml 
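Review bot: The OneDrive/Teams exclusion is now gated on a trusted Microsoft signature, but the `regsvr32.exe` exclusion on the context line just below it is still keyed only on a file-name wildcard, `registry.data.strings : "*Microsoft.Teams.*.dll"`, so a DLL carrying that name in any directory registered through regsvr32 is suppressed; anchoring the pattern to the expected install location instead of a leading `*` would close that gap without changing what it is meant to exclude. The new vendor exclusions consistently require `process.code_signature.trusted == true` plus a `subject_name`, which is the right shape; the one worth confirming against telemetry is the `svchost.exe` branch's `"Microsoft Windows Publisher"` subject, since a mismatch there fails safe (the exclusion never matches) but would leave the DelegateExecute noise it was added for. The `registry where` query this hunk belongs to starts before the hunk.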
+++ b/rules/windows/persistence_time_provider_mod.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/14"
+updated_date = "2024/01/09"
 
 [transform]
 [[transform.osquery]]
@@ -108,7 +108,12 @@ registry where host.os.type == "windows" and event.type:"change" and
 "HKLM\\SYSTEM\\*ControlSet*\\Services\\W32Time\\TimeProviders\\*",
 "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\W32Time\\TimeProviders\\*"
 ) and
- registry.data.strings:"*.dll"
+ registry.data.strings:"*.dll" and
+ not
+ (
+ process.executable : "?:\\Windows\\System32\\msiexec.exe" and
+ registry.data.strings : "?:\\Program Files\\VMware\\VMware Tools\\vmwTimeProvider\\vmwTimeProvider.dll"
+ )
 '''
diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml
index e854f5145..3643d6f4c 100644
--- a/rules/windows/persistence_webshell_detection.toml
+++ b/rules/windows/persistence_webshell_detection.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/09"
 
 [rule]
 author = ["Elastic"]
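Review bot: The new VMware Tools exclusion relies on the exact `registry.data.strings : "?:\\Program Files\\VMware\\VMware Tools\\vmwTimeProvider\\vmwTimeProvider.dll"` path rather than a code-signature check, which is reasonable because `msiexec.exe` is an OS binary whose signature would not discriminate, but that reasoning is not written down. A comment above the `not` such as `/* VMware Tools MSI registering vmwTimeProvider; matched on the exact Program Files path since msiexec.exe is an OS binary and its signature is not discriminating */` would stop a later tuning pass from loosening it to a `*vmwTimeProvider.dll` wildcard. The enclosing `registry where` query starts before this hunk.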
@@ -87,7 +87,17 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
 process.parent.name : ("w3wp.exe", "httpd.exe", "nginx.exe", "php.exe", "php-cgi.exe", "tomcat.exe") and
- process.name : ("cmd.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "wmic.exe", "wscript.exe")
+ process.name : ("cmd.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "wmic.exe", "wscript.exe") and
+ not
+ (
+ process.parent.name : ("php.exe", "httpd.exe") and process.name : "cmd.exe" and
+ process.command_line : (
+ "cmd.exe /c mode CON",
+ "cmd.exe /s /c \"mode CON\"",
+ "cmd.exe /c \"mode\"",
+ "cmd.exe /s /c \"tput colors 2>&1\""
+ )
+ )
 '''
diff --git a/rules/windows/privilege_escalation_expired_driver_loaded.toml b/rules/windows/privilege_escalation_expired_driver_loaded.toml
index 72245f0e4..444328cad 100644
--- a/rules/windows/privilege_escalation_expired_driver_loaded.toml
+++ b/rules/windows/privilege_escalation_expired_driver_loaded.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/09"
 
 [rule]
 author = ["Elastic"]
@@ -20,9 +20,9 @@ name = "Expired or Revoked Driver Loaded"
 references = [
 "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN"
 ]
-risk_score = 21
+risk_score = 47
 rule_id = "d12bac54-ab2a-4159-933f-d7bcefa7b61d"
-severity = "low"
+severity = "medium"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
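Review bot: The exclusion added after the `process.name : (...) and` line records nothing about why `php.exe`/`httpd.exe` legitimately spawn `cmd.exe /c mode CON` and `tput colors`; presumably these are terminal-size and colour-support probes from PHP console tooling, and a comment such as `/* terminal size/colour probes issued by PHP console libraries; exact command lines only, no wildcards */` above the `not` would make the intent auditable. Using full `process.command_line` values with no `*` is the right choice here, since any appended argument falls outside the exclusion and still alerts. The `process where` query is opened by the `query = '''` context line at the top of this hunk and closed by the `'''` at its end.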
diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
index 04916a7f4..ef09d3233 100644
--- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/09"
 
 [rule]
 author = ["Elastic"]
@@ -41,11 +41,16 @@ query = '''
 file where host.os.type == "windows" and event.type == "creation" and
 process.name : "spoolsv.exe" and file.extension : "dll" and
 file.path : ("?:\\Windows\\System32\\*", "?:\\Windows\\SysWOW64\\*") and
- not file.path :
- ("?:\\WINDOWS\\SysWOW64\\PrintConfig.dll",
- "?:\\WINDOWS\\system32\\x5lrs.dll",
- "?:\\WINDOWS\\sysWOW64\\x5lrs.dll",
- "?:\\WINDOWS\\system32\\PrintConfig.dll")
+ not file.path : (
+ "?:\\WINDOWS\\SysWOW64\\PrintConfig.dll",
+ "?:\\WINDOWS\\system32\\x5lrs.dll",
+ "?:\\WINDOWS\\sysWOW64\\x5lrs.dll",
+ "?:\\WINDOWS\\system32\\PrintConfig.dll",
+ "?:\\WINDOWS\\system32\\spool\\DRIVERS\\x64\\*.dll",
+ "?:\\WINDOWS\\system32\\spool\\DRIVERS\\W32X86\\*.dll",
+ "?:\\WINDOWS\\system32\\spool\\PRTPROCS\\x64\\*.dll",
+ "?:\\WINDOWS\\system32\\spool\\{????????-????-????-????-????????????}\\*.dll"
+ )
 '''
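Review bot: The new `"?:\\WINDOWS\\system32\\spool\\DRIVERS\\x64\\*.dll"` and `"...\\DRIVERS\\W32X86\\*.dll"` exclusions cover the trees where the spooler stages printer driver DLLs, and because an EQL `*` also matches path separators they cover every sub-directory beneath them; spoolsv.exe writing a DLL into that tree is the very behaviour this rule matches on, so this is a loss of coverage rather than only noise reduction and deserves a comment saying which benign driver installs prompted it. If driver-install noise is the problem, a narrower shape would bound the exclusion to the specific vendor package directories that produced the false positives, or pair it with a known-good condition, instead of a wildcard over the whole staging tree. The `{????????-????-????-????-????????????}` entry is fine since `?` matches a single character. The `file where` query is opened by the `query = '''` context line at the top of this hunk and closed by the `'''` at its end.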