From 14fe63bb1eadcdf8576284079901288f2d005478 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 9 Dec 2020 08:55:58 +0100
Subject: [PATCH] [Rule Tuning] Unusual Parent-Child Relationship and Suspicious MS Office Child Process (#676)

* [Rule Tuning] Unusual Parent-Child Relationship and Suspicious MS Office Child Process
* replaced path with name for faster comparaison
* added few more cases and refurl also organized items per anomaly category
* added extra refurl plus few excep
* Update execution_suspicious_ms_office_child_process.toml
* added parenthesis
* excluded an FP
---
 ...on_suspicious_ms_office_child_process.toml | 30 +++++----
 ...tion_unusual_parentchild_relationship.toml | 63 +++++++++++--------
 2 files changed, 51 insertions(+), 42 deletions(-)

diff --git a/rules/windows/execution_suspicious_ms_office_child_process.toml b/rules/windows/execution_suspicious_ms_office_child_process.toml
index 24137a88f..a2f5d7156 100644
--- a/rules/windows/execution_suspicious_ms_office_child_process.toml
+++ b/rules/windows/execution_suspicious_ms_office_child_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/12/03"
 [rule]
 author = ["Elastic"]
@@ -12,27 +12,25 @@ macros.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License"
 name = "Suspicious MS Office Child Process"
-risk_score = 21
+risk_score = 47
 rule_id = "a624863f-a70d-417f-a7d2-7a404638d47f"
-severity = "low"
+severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
-type = "query"
+type = "eql"
 query = '''
-event.category:process and event.type:(start or process_started) and
- process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or
- mspub.exe or powerpnt.exe or winword.exe) and
- process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or
- certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or
- forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or
- installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or
- netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or
- qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or
- regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or
- wmic.exe or wscript.exe or xwizard.exe)
+process where event.type in ("start", "process_started") and
+ process.parent.name : ("eqnedt32.exe", "excel.exe", "fltldr.exe", "msaccess.exe", "mspub.exe", "powerpnt.exe", "winword.exe") and
+ process.name : ("Microsoft.Workflow.Compiler.exe", "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", "cdb.exe", "certutil.exe",
+ "cmd.exe", "cmstp.exe", "cscript.exe", "csi.exe", "dnx.exe", "dsget.exe", "dsquery.exe", "forfiles.exe", "fsi.exe",
+ "ftp.exe", "gpresult.exe", "hostname.exe", "ieexec.exe", "iexpress.exe", "installutil.exe", "ipconfig.exe", "mshta.exe",
+ "msxsl.exe", "nbtstat.exe", "net.exe", "net1.exe", "netsh.exe", "netstat.exe", "nltest.exe", "odbcconf.exe", "ping.exe",
+ "powershell.exe", "pwsh.exe", "qprocess.exe", "quser.exe", "qwinsta.exe", "rcsi.exe", "reg.exe", "regasm.exe", "regsvcs.exe",
+ "regsvr32.exe", "sc.exe", "schtasks.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe", "whoami.exe",
+ "wmic.exe", "wscript.exe", "xwizard.exe", "explorer.exe", "rundll32.exe", "hh.exe")
 '''
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index 573e67a0a..7b24606f3 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/12/03"
 [rule]
 author = ["Elastic"]
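Review bot: The three children appended at the end of the list — `"explorer.exe"`, `"rundll32.exe"`, `"hh.exe"` — are the only semantic change in an otherwise one-to-one KQL→EQL port, yet nothing in the query records why, and `explorer.exe` in particular is likely to be a legitimate child of Office for routine shell actions such as opening a document's folder, so it may dominate alert volume now that the rule runs at medium severity. Suggest an EQL comment on that line, e.g. `/* explorer.exe, rundll32.exe and hh.exe added 2020/12 — watch FP volume, scope with process.args if noisy */`, so the next tuner knows these were deliberate rather than a porting slip. The `:` operator is a case-insensitive match in EQL, so `"Microsoft.Workflow.Compiler.exe"` could be lower-cased to match the rest of the list without changing behaviour. The closing `'''` ends the query but the rule file continues past this hunk.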
@@ -11,39 +11,50 @@ activity on a system.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License"
 name = "Unusual Parent-Child Relationship"
+references = [
+ "https://github.com/sbousseaden/Slides/blob/master/Hunting MindMaps/PNG/Windows Processes TH.map.png",
+ "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/",
+]
 risk_score = 47
 rule_id = "35df0dd8-092d-4a83-88c1-5151a804f31b"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
-type = "query"
+type = "eql"
 query = '''
-event.category:process and event.type:(start or process_started) and
- process.parent.executable:* and
-(process.parent.name:autochk.exe and not process.name:(chkdsk.exe or doskey.exe or WerFault.exe) or
- process.parent.name:smss.exe and not process.name:(autochk.exe or smss.exe or csrss.exe or wininit.exe or winlogon.exe or WerFault.exe) or
- process.name:autochk.exe and not process.parent.name:smss.exe or
- process.name:(fontdrvhost.exe or dwm.exe) and not process.parent.name:(wininit.exe or winlogon.exe) or
- process.name:(consent.exe or RuntimeBroker.exe or TiWorker.exe) and not process.parent.name:svchost.exe or
- process.name:wermgr.exe and not process.parent.name:(svchost.exe or TiWorker.exe) or
- process.name:SearchIndexer.exe and not process.parent.name:services.exe or
- process.name:SearchProtocolHost.exe and not process.parent.name:(SearchIndexer.exe or dllhost.exe) or
- process.name:dllhost.exe and not process.parent.name:(services.exe or svchost.exe) or
- process.name:smss.exe and not process.parent.name:(System or smss.exe) or
- process.name:csrss.exe and not process.parent.name:(smss.exe or svchost.exe) or
- process.name:wininit.exe and not process.parent.name:smss.exe or
- process.name:winlogon.exe and not process.parent.name:smss.exe or
- process.name:(lsass.exe or LsaIso.exe) and not process.parent.name:wininit.exe or
- process.name:LogonUI.exe and not process.parent.name:(wininit.exe or winlogon.exe) or
- process.name:services.exe and not process.parent.name:wininit.exe or
- process.name:svchost.exe and not process.parent.name:(MsMpEng.exe or services.exe) or
- process.name:spoolsv.exe and not process.parent.name:services.exe or
- process.name:taskhost.exe and not process.parent.name:(services.exe or svchost.exe) or
- process.name:taskhostw.exe and not process.parent.name:(services.exe or svchost.exe) or
- process.name:userinit.exe and not process.parent.name:(dwm.exe or winlogon.exe))
+process where event.type in ("start", "process_started") and
+process.parent.name != null and
+ (
+ /* suspicious parent processes */
+ (process.name:"autochk.exe" and not process.parent.name:"smss.exe") or
+ (process.name:("fontdrvhost.exe", "dwm.exe") and not process.parent.name:("wininit.exe", "winlogon.exe")) or
+ (process.name:("consent.exe", "RuntimeBroker.exe", "TiWorker.exe") and not process.parent.name:"svchost.exe") or
+ (process.name:"SearchIndexer.exe" and not process.parent.name:"services.exe") or
+ (process.name:"SearchProtocolHost.exe" and not process.parent.name:("SearchIndexer.exe", "dllhost.exe")) or
+ (process.name:"dllhost.exe" and not process.parent.name:("services.exe", "svchost.exe")) or
+ (process.name:"smss.exe" and not process.parent.name:("System", "smss.exe")) or
+ (process.name:"csrss.exe" and not process.parent.name:("smss.exe", "svchost.exe")) or
+ (process.name:"wininit.exe" and not process.parent.name:"smss.exe") or
+ (process.name:"winlogon.exe" and not process.parent.name:"smss.exe") or
+ (process.name:("lsass.exe", "LsaIso.exe") and not process.parent.name:"wininit.exe") or
+ (process.name:"LogonUI.exe" and not process.parent.name:("wininit.exe", "winlogon.exe")) or
+ (process.name:"services.exe" and not process.parent.name:"wininit.exe") or
+ (process.name:"svchost.exe" and not process.parent.name:("MsMpEng.exe", "services.exe")) or
+ (process.name:"spoolsv.exe" and not process.parent.name:"services.exe") or
+ (process.name:"taskhost.exe" and not process.parent.name:("services.exe", "svchost.exe")) or
+ (process.name:"taskhostw.exe" and not process.parent.name:("services.exe", "svchost.exe")) or
+ (process.name:"userinit.exe" and not process.parent.name:("dwm.exe", "winlogon.exe")) or
+ (process.name:("wmiprvse.exe", "wsmprovhost.exe", "winrshost.exe") and not process.parent.name:"svchost.exe") or
+ /* suspicious child processes */
+ (process.parent.name:("SearchProtocolHost.exe", "taskhost.exe", "csrss.exe") and not process.name:("werfault.exe", "wermgr.exe", "WerFaultSecure.exe")) or
+ (process.parent.name:"autochk.exe" and not process.name:("chkdsk.exe", "doskey.exe", "WerFault.exe")) or
+ (process.parent.name:"smss.exe" and not process.name:("autochk.exe", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "setupcl.exe", "WerFault.exe")) or
+ (process.parent.name:"wermgr.exe" and not process.name:("WerFaultSecure.exe", "wermgr.exe", "WerFault.exe")) or
+ (process.parent.name:"conhost.exe" and not process.name:("mscorsvw.exe", "wermgr.exe", "WerFault.exe", "WerFaultSecure.exe"))
+ )
 '''
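Review bot: The removed clause `process.name:wermgr.exe and not process.parent.name:(svchost.exe or TiWorker.exe)` has no counterpart on the new side — the new `wermgr.exe` clause only constrains its children — so detection of wermgr.exe launched by an unexpected parent is dropped without the commit message saying so; if this is the "excluded an FP" from the description, a one-line EQL comment in the query, e.g. `/* wermgr.exe-as-child clause removed in #676: noisy */`, would keep the rationale with the rule. The two section comments would also read more precisely as `/* known system process with an unexpected parent */` and `/* known parent with an unexpected child */`, since the first group keys on process.name and the second on process.parent.name. Quoting mixes `"werfault.exe"` and `"WerFault.exe"`; `:` is a case-insensitive match so this is harmless, but one spelling per name is easier to audit. The closing `'''` ends the query but the rule file continues past this hunk.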