security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] 3rd Party EDR Compatibility - 12 (#4037)

Browse Source 
* [Rule Tuning] 3rd Party EDR Compatibility - 12

* min_stack for merge, bump updated_date
This commit is contained in:
Jonhnathan
2024-10-11 16:37:20 -03:00
committed by GitHub
parent 32d02ae7aa
commit 0cbbae4f83
10 changed files with 101 additions and 98 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/initial_access_suspicious_ms_exchange_process.toml
+11 -11
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2021/03/04"
integration = ["endpoint", "windows", "system"]
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic", "Austin Songer"]
@@ -20,9 +22,12 @@ from = "now-9m"
index = [
"logs-endpoint.events.process-*",
"winlogbeat-*",
"logs-windows.*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
@@ -33,14 +38,6 @@ references = [
]
risk_score = 47
rule_id = "483c4daf-b0c6-49e0-adf3-0bfa93231d6b"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
"Domain: Endpoint",
@@ -52,6 +49,9 @@ tags = [
"Use Case: Vulnerability",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
+7 -11
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2021/03/08"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -11,7 +13,7 @@ Identifies suspicious processes being spawned by the Microsoft Exchange Server w
indicate exploitation activity or access to an existing web shell backdoor.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Microsoft Exchange Worker Spawning Suspicious Processes"
@@ -22,14 +24,6 @@ references = [
]
risk_score = 73
rule_id = "f81ee52c-297e-46d9-9205-07e66931df26"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "high"
tags = [
"Domain: Endpoint",
@@ -40,6 +34,8 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/initial_access_suspicious_ms_office_child_process.toml
+11 -11
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/02/18"
integration = ["endpoint", "windows", "system"]
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -15,9 +17,12 @@ from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
@@ -72,14 +77,6 @@ This rule looks for suspicious processes spawned by MS Office programs. This is
references = ["https://www.elastic.co/blog/vulnerability-summary-follina"]
risk_score = 47
rule_id = "a624863f-a70d-417f-a7d2-7a404638d47f"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
"Domain: Endpoint",
@@ -92,6 +89,9 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
+8 -12
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/10/29"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -11,20 +13,12 @@ Identifies a suspicious Windows explorer child process. Explorer.exe can be abus
executables from a trusted parent process.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Explorer Child Process"
risk_score = 47
rule_id = "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
"Domain: Endpoint",
@@ -36,6 +30,8 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -44,7 +40,7 @@ query = '''
process where host.os.type == "windows" and event.type == "start" and
(
process.name : ("cscript.exe", "wscript.exe", "powershell.exe", "rundll32.exe", "cmd.exe", "mshta.exe", "regsvr32.exe") or
process.pe.original_file_name in ("cscript.exe", "wscript.exe", "PowerShell.EXE", "RUNDLL32.EXE", "Cmd.Exe", "MSHTA.EXE", "REGSVR32.EXE")
?process.pe.original_file_name in ("cscript.exe", "wscript.exe", "PowerShell.EXE", "RUNDLL32.EXE", "Cmd.Exe", "MSHTA.EXE", "REGSVR32.EXE")
) and
/* Explorer started via DCOM */
process.parent.name : "explorer.exe" and process.parent.args : "-Embedding" and
rules/windows/initial_access_webshell_screenconnect_server.toml
+10 -3
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2024/03/26"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -14,9 +16,12 @@ from = "now-9m"
index = [
"logs-endpoint.events.process-*",
"winlogbeat-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"logs-system.security*",
"endgame-*",
"logs-system.security*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
@@ -35,6 +40,8 @@ tags = [
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: System",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
+9 -4
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2021/03/22"
integration = ["endpoint"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -11,7 +13,7 @@ Identifies NullSessionPipe registry modifications that specify which pipes can b
indicative of adversary lateral movement preparation by making the added pipe available to everyone.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "NullSessionPipe Registry Modification"
@@ -31,6 +33,8 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -39,7 +43,8 @@ query = '''
registry where host.os.type == "windows" and event.type == "change" and
registry.path : (
"HKLM\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes",
"\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes"
"\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes",
"MACHINE\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes"
) and length(registry.data.strings) > 0 and
not registry.data.strings : "(empty)"
'''
rules/windows/lateral_movement_evasion_rdp_shadowing.toml
+11 -12
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2021/04/12"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -18,6 +20,8 @@ index = [
"winlogbeat-*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
@@ -28,14 +32,6 @@ references = [
]
risk_score = 73
rule_id = "c57f8579-e2a5-4804-847f-f2732edc5156"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "high"
tags = [
"Domain: Endpoint",
@@ -45,6 +41,8 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -58,12 +56,13 @@ any where host.os.type == "windows" and
(event.category == "registry" and
registry.path : (
"HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow",
"\\REGISTRY\\MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow"
"\\REGISTRY\\MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow",
"MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow"
)
) or
(event.category == "process" and event.type == "start" and
(process.name : ("RdpSaUacHelper.exe", "RdpSaProxy.exe") and process.parent.name : "svchost.exe") or
(process.pe.original_file_name : "mstsc.exe" and process.args : "/shadow:*")
(?process.pe.original_file_name : "mstsc.exe" and process.args : "/shadow:*")
)
)
'''
rules/windows/lateral_movement_execution_from_tsclient_mup.toml
+11 -11
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/11/11"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -14,9 +16,12 @@ from = "now-9m"
index = [
"logs-endpoint.events.process-*",
"winlogbeat-*",
"logs-windows.*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
@@ -27,14 +32,6 @@ references = [
]
risk_score = 73
rule_id = "4fe9d835-40e1-452d-8230-17c147cafad8"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "high"
tags = [
"Domain: Endpoint",
@@ -44,6 +41,9 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
+11 -11
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/11/02"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -14,23 +16,18 @@ from = "now-9m"
index = [
"logs-endpoint.events.process-*",
"winlogbeat-*",
"logs-windows.*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "Mounting Hidden or WebDav Remote Shares"
risk_score = 47
rule_id = "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
"Domain: Endpoint",
@@ -41,6 +38,9 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/lateral_movement_rdp_enabled_registry.toml
+12 -12
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/11/25"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/08/05"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -11,7 +13,7 @@ Identifies registry write modifications to enable Remote Desktop Protocol (RDP)
adversary lateral movement preparation.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
index = ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "RDP Enabled via Registry"
@@ -53,14 +55,6 @@ This rule detects modification of the fDenyTSConnections registry key to the val
"""
risk_score = 47
rule_id = "58aa72ca-d968-4f34-b9f7-bea51d75eb50"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
"Domain: Endpoint",
@@ -72,13 +66,19 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
registry where host.os.type == "windows" and event.type == "change" and
registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\fDenyTSConnections" and
registry.path : (
"HKLM\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\fDenyTSConnections",
"\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\fDenyTSConnections",
"MACHINE\\*ControlSet*\\Control\\Terminal Server\\fDenyTSConnections"
) and
registry.data.strings : ("0", "0x00000000") and
not process.executable : ("?:\\Windows\\System32\\SystemPropertiesRemote.exe",
"?:\\Windows\\System32\\SystemPropertiesComputerName.exe",