From 0dfae46dccb4bba83a78fd4f389cafe9cc246d17 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Fri, 29 Jul 2022 22:27:59 +0200
Subject: [PATCH] [Rule Tuning] Kerberos Traffic from Unusual Process (#2202)

Excluding couple of FPs by process.executables to reduce FPs rate.

(cherry picked from commit 527507835febd636e15e9378c6e81310af500ed5)
---
 ...ential_access_kerberoasting_unusual_process.toml | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml
index 6343b0bbe..335896d91 100644
--- a/rules/windows/credential_access_kerberoasting_unusual_process.toml
+++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/02"
 maturity = "production"
-updated_date = "2022/05/09"
+updated_date = "2022/07/29"
 
 [rule]
 author = ["Elastic"]
@@ -88,7 +88,16 @@ type = "eql"
 query = '''
 network where event.type == "start" and network.direction : ("outgoing", "egress") and
 destination.port == 88 and source.port >= 49152 and
- process.executable != "C:\\Windows\\System32\\lsass.exe" and destination.address !="127.0.0.1" and destination.address !="::1" and
+ not process.executable :
+ ("?:\\Windows\\System32\\lsass.exe",
+ "System",
+ "\\device\\harddiskvolume?\\windows\\system32\\lsass.exe",
+ "?:\\Program Files\\rapid7\\nexpose\\nse\\.DLLCACHE\\nseserv.exe",
+ "?:\\Program Files (x86)\\GFI\\LanGuard 12 Agent\\lnsscomm.exe",
+ "?:\\Program Files (x86)\\SuperScan\\scanner.exe",
+ "?:\\Program Files (x86)\\Nmap\\nmap.exe",
+ "\\device\\harddiskvolume?\\program files (x86)\\nmap\\nmap.exe") and
+ destination.address !="127.0.0.1" and destination.address !="::1" and
 /* insert false positives here */
 not process.name in ("swi_fc.exe", "fsIPcam.exe", "IPCamera.exe", "MicrosoftEdgeCP.exe", "MicrosoftEdge.exe", "iexplore.exe", "chrome.exe", "msedge.exe", "opera.exe", "firefox.exe")
 '''
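Review bot: The four third-party scanner entries in the new `not process.executable :` list (Nexpose, LanGuard, SuperScan, Nmap) exempt traffic purely on executable path, which is weaker than the lsass.exe/System entries because any binary placed at one of those Program Files paths is exempted too. If the network event source populates `process.code_signature.*`, consider scoping those entries with a signer check, e.g. `not (process.executable : ("?:\\Program Files (x86)\\Nmap\\nmap.exe", ...) and process.code_signature.trusted == true)`; if it does not, a comment noting that these are path-only exclusions would help the next tuner judge the trade-off. Separately, `\\device\\harddiskvolume?\\` matches a single-digit volume number only, so lsass.exe or nmap.exe on harddiskvolume10 and above still alerts; `\\device\\harddiskvolume*\\` covers both. As a style point, the scanner paths now sit above the `/* insert false positives here */` marker while the existing browser/camera list sits below it, so moving the scanner entries under that marker (leaving lsass.exe and System above) would keep the distinction between legitimate Kerberos clients and tolerated false positives readable. The `query` string opens at the hunk's first context line and the enclosing `[rule]` table begins outside the hunk.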