[New Rule] New BBR Rules - Part 4 (#3035)

* [New Rule] New BBR Rules - Part 4

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 0e337e2c36)

rules_building_block/collection_files_staged_in_recycle_bin_root.toml

@@ -0,0 +1,47 @@
+[metadata]
+creation_date = "2023/08/24"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/24"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies files written to the root of the Recycle Bin folder instead of subdirectories. Adversaries may place files in
+the root of the Recycle Bin in preparation for exfiltration or to evade defenses.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "File Staged in Root Folder of Recycle Bin"
+risk_score = 21
+rule_id = "57bccf1d-daf5-4e1a-9049-ff79b5254704"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+file where host.os.type == "windows" and event.type == "creation" and
+  file.path : "?:\\$RECYCLE.BIN\\*" and
+  not file.path : "?:\\$RECYCLE.BIN\\*\\*" and
+  not file.name : "desktop.ini"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1074"
+name = "Data Staged"
+reference = "https://attack.mitre.org/techniques/T1074/"
+
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"

rules_building_block/defense_evasion_cmstp_execution.toml

@@ -0,0 +1,55 @@
+[metadata]
+creation_date = "2023/08/24"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/24"
+
+[rule]
+author = ["Elastic"]
+description = """
+The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program to install Connection Manager
+service profiles, which accept installation information file (INF) files. Adversaries may abuse CMSTP to proxy the
+execution of malicious code by supplying INF files that contain malicious commands.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Defense Evasion via CMSTP.exe"
+references = [
+    "https://attack.mitre.org/techniques/T1218/003/",
+]
+risk_score = 21
+rule_id = "bd3d058d-5405-4cee-b890-337f09366ba2"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+  process.name : "cmstp.exe" and process.args == "/s"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+[[rule.threat.technique.subtechnique]]
+id = "T1218.003"
+name = "CMSTP"
+reference = "https://attack.mitre.org/techniques/T1218/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"

rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

@@ -0,0 +1,45 @@
+[metadata]
+creation_date = "2023/08/24"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/24"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies indirect command execution via Program Compatibility Assistant (pcalua.exe) or forfiles.exe.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Indirect Command Execution via Forfiles/Pcalua"
+risk_score = 21
+rule_id = "98843d35-645e-4e66-9d6a-5049acd96ce1"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+  process.parent.name : ("pcalua.exe", "forfiles.exe")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1202"
+name = "Indirect Command Execution"
+reference = "https://attack.mitre.org/techniques/T1202/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"

rules_building_block/defense_evasion_installutil_command_activity.toml

@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/08/24"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/24"
+
+[rule]
+author = ["Elastic"]
+description = """
+InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific
+installer components specified in .NET binaries. Adversaries may use InstallUtil to proxy the execution of code through
+a trusted Windows utility.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "InstallUtil Activity"
+risk_score = 21
+rule_id = "90babaa8-5216-4568-992d-d4a01a105d98"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+  process.name : "installutil.exe" and not user.id : "S-1-5-18"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+[[rule.threat.technique.subtechnique]]
+id = "T1218.004"
+name = "InstallUtil"
+reference = "https://attack.mitre.org/techniques/T1218/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"

rules_building_block/execution_settingcontent_ms_file_creation.toml

@@ -0,0 +1,73 @@
+[metadata]
+creation_date = "2023/08/24"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/24"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the suspicious creation of SettingContents-ms files, which have been used in attacks to achieve code
+execution while evading defenses.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Creation of SettingContent-ms Files"
+references = [
+    "https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39",
+]
+risk_score = 21
+rule_id = "1e6363a6-3af5-41d4-b7ea-d475389c0ceb"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+file where host.os.type == "windows" and event.type == "creation" and
+  file.extension : "settingcontent-ms"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+
+
+    [[rule.threat.technique.subtechnique]]
+    id = "T1204.002"
+    name = "Malicious File"
+    reference = "https://attack.mitre.org/techniques/T1204/002/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+
+    [[rule.threat.technique.subtechnique]]
+    id = "T1566.001"
+    name = "Spearphishing Attachment"
+    reference = "https://attack.mitre.org/techniques/T1566/001/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"