[Rule Tuning] Windows BBR Rule Tuning - 2 (#3580)

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
This commit is contained in:
Jonhnathan
2024-04-08 09:34:26 -03:00
committed by GitHub
parent 109e8a85a5
commit 1bc59bdc04
10 changed files with 95 additions and 40 deletions
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/11"
updated_date = "2024/04/05"
bypass_bbr_timing = true
[rule]
@@ -15,7 +15,7 @@ indicate an attempt to conceal malicious activity, bypass security features such
executing malware.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Masquerading as Browser Process"
@@ -79,7 +79,7 @@ process where host.os.type == "windows" and event.type == "start" and
and not
(
process.name : "msedgewebview2.exe" and
process.code_signature.subject_name : ("Bromium, Inc.", "Amazon.com Services LLC") and process.code_signature.trusted == true
process.code_signature.subject_name : ("Bromium, Inc.", "Amazon.com Services LLC", "Code Systems Corporation") and process.code_signature.trusted == true
)
) or
@@ -144,7 +144,8 @@ process where host.os.type == "windows" and event.type == "start" and
"AVG Technologies USA, LLC",
"Avast Software s.r.o.",
"PIRIFORM SOFTWARE LIMITED",
"NortonLifeLock Inc."
"NortonLifeLock Inc.",
"Opera Norway AS"
) and process.code_signature.trusted == true
)
)
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/11"
updated_date = "2024/04/05"
bypass_bbr_timing = true
[rule]
@@ -14,7 +14,7 @@ Identifies suspicious instances of default system32 executables, either unsigned
This could indicate the attempt to masquerade as system executables or backdoored and resigned legitimate executables.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Masquerading as System32 Executable"
@@ -46,13 +46,30 @@ process where host.os.type == "windows" and event.type == "start" and
"?:\\Windows\\Temp\\{*}\\taskkill.exe",
"?:\\Users\\*\\AppData\\Local\\Temp\\{*}\\taskkill.exe",
"?:\\$WINDOWS.~BT\\NewOS\\Windows\\System32\\ie4ushowIE.exe",
"?:\\Program Files\\Git\\usr\\bin\\find.exe"
"?:\\Program Files\\Git\\usr\\bin\\find.exe",
"?:\\Program Files (x86)\\Axence\\nVision Agent 2\\nss\\certutil.exe"
)
) and
not
(
(process.name: "ucsvc.exe" and process.code_signature.subject_name == "Wellbia.com Co., Ltd." and process.code_signature.status: "trusted") or
(process.name: "pnputil.exe" and process.code_signature.subject_name: "Lenovo" and process.code_signature.status: "trusted")
(process.name: "pnputil.exe" and process.code_signature.subject_name: ("Lenovo", "HP Inc.", "Dell Inc") and process.code_signature.status: "trusted") or
(process.name: "convert.exe" and process.code_signature.subject_name: "ImageMagick Studio LLC" and process.code_signature.status: "trusted") or
(process.name: "systeminfo.exe" and process.code_signature.subject_name: "Arctic Wolf Networks, Inc." and process.code_signature.status: "trusted") or
(
process.name: "certutil.exe" and
process.code_signature.subject_name: (
"Intel(R) Online Connect Access",
"Fortinet Technologies (Canada) ULC"
) and process.code_signature.status: "trusted"
) or
(
process.name: "sfc.exe" and
process.code_signature.subject_name: (
"Cisco Systems, Inc.",
"CISCO SYSTEMS CANADA CO"
) and process.code_signature.status: "trusted"
)
)
'''
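Review bot: The new path-only entry `?:\\Program Files (x86)\\Axence\\nVision Agent 2\\nss\\certutil.exe` excludes any certutil.exe at that location regardless of who signed it, unlike the other certutil.exe carve-outs added further down, which require a specific `process.code_signature.subject_name` together with `process.code_signature.status: "trusted"`. Since this rule exists to catch unsigned or non-Microsoft-signed copies of system32 binaries, an unsigned drop-in at that path is now silent. If the Axence binary is signed, fold it into the certutil.exe signer block by adding its subject name to that list; if it is genuinely unsigned, record the accepted risk with a comment such as `/* Axence nVision ships an unsigned NSS certutil.exe; path-only exclusion */`. The enclosing query begins before this hunk.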
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/27"
updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -18,7 +18,7 @@ references = [
]
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.library-*"]
language = "eql"
license = "Elastic License v2"
name = "Unsigned BITS Service Client Process"
@@ -32,7 +32,8 @@ type = "eql"
query = '''
library where dll.name : "Bitsproxy.dll" and process.executable != null and
not process.code_signature.trusted == true
not process.code_signature.trusted == true and
not process.code_signature.status : ("errorExpired", "errorCode_endpoint*")
'''
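Review bot: The added `not process.code_signature.status : ("errorExpired", "errorCode_endpoint*")` clause silences every BITS client whose signature failed because the certificate had expired, with no regard to the signer, so a binary signed with a leaked-but-expired certificate (or one whose signature lacks a timestamp countersignature) will no longer alert. That may be an acceptable false-positive trade-off, but nothing in the hunk records it; scoping the `errorExpired` case to an explicit `process.code_signature.subject_name` allowlist, or at least adding the expired-certificate case to the rule's `false_positives` text, would make the exception reviewable. The `errorCode_endpoint*` pattern presumably covers endpoint-side verification errors rather than a verdict on the signature itself; confirm it cannot be produced for a tampered binary before treating it as benign.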
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/11"
updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies processes running with unusual extensions that are not typically vali
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Process Extension"
@@ -37,7 +37,13 @@ process where host.os.type == "windows" and event.type == "start" and
"vmmemWSL",
"?:\\Program Files\\Dell\\SupportAssistAgent\\*.p5x",
"?:\\Program Files\\Docker\\Docker\\com.docker.service",
"?:\\Users\\*\\AppData\\Local\\Intel\\AGS\\Libs\\AGSRunner.bin"
"?:\\Users\\*\\AppData\\Local\\Intel\\AGS\\Libs\\AGSRunner.bin",
"\\Device\\Mup\\*\\Software Management\\Select.Html.dep",
"?:\\DJJApplications\\MedicalRecords\\bin\\Select.Html.dep",
"?:\\ProgramData\\Software Management\\Select.Html.dep",
"?:\\Program Files (x86)\\EnCase Applications\\Examiner Service\\EnCase64\\enhkey.dll",
"?:\\Program Files (x86)\\Panda Security\\WAC\\PSNAEInj64.dll",
"?:\\Program Files (x86)\\Johnson Controls\\LicenseActivator\\crp32002.ngn"
) and
not (
(process.name : "C9632CF058AE4321B6B0B5EA39B710FE" and process.code_signature.subject_name == "Dell Inc") or
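Review bot: The new `\\Device\\Mup\\*\\Software Management\\Select.Html.dep` entry excludes that file name when launched from any UNC/remote host, and it carries no `process.code_signature` condition, so an unsigned binary with that name started from an attacker-controlled share is no longer flagged by this rule. The sibling `?:\\ProgramData\\Software Management\\Select.Html.dep` and `?:\\DJJApplications\\...` entries have the same path-only shape but are at least confined to local disk. If the file is signed, move these entries into the signer-keyed `not ( (process.name : ... and process.code_signature.subject_name ...) ...)` block that follows; if not, narrow the Mup pattern to the known server name(s). The two `.dll` entries are likewise excluded as launched executables without a signer check and deserve the same treatment. The enclosing query continues past this hunk.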
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/12/13"
updated_date = "2024/04/05"
bypass_bbr_timing = true
[rule]
@@ -47,6 +47,10 @@ host.os.type:windows and event.category:process and event.type:start and
"hklm" or "HKLM" or registry\:\:*)
)
)
) and
not process.command_line : (
"C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64" or
"reg query \"HKLM\\Software\\WOW6432Node\\Npcap\" /ve "
)
'''
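Review bot: The new `process.command_line` exclusions embed backslashes and escaped quotes while this rule's `min_stack_version` stays at 8.6.0, yet another rule in this same commit carries `min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."` with a floor of 8.12.0; the escaping of these two values should be verified under both behaviours, or this rule's floor raised accordingly. Separately, the Npcap value ends with a trailing space inside the quotes (`... /ve "`), so only a command line with that exact trailing space is suppressed; if that reflects the observed invocation, say so with a comment like `/* trailing space is present in the observed Npcap installer invocation */` so a later cleanup does not silently re-enable the false positive. These are also exact matches on the observed case (`hklm` in one, `HKLM` in the other), so differently cased variants of the same benign queries will still surface.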
@@ -4,7 +4,7 @@ integration = ["windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/13"
updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ precursor for collection and identify potential systems of interest for Lateral
"""
from = "now-119m"
interval = "60m"
index = ["winlogbeat-*", "logs-windows.*", "logs-system.*"]
index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Network Share Discovery"
@@ -28,10 +28,10 @@ building_block_type = "default"
query = '''
sequence by user.name, source.port, source.ip with maxspan=15s
[file where event.action == "network-share-object-access-checked" and
winlog.event_data.ShareName : ("\\*ADMIN$", "\\*C$") and
winlog.event_data.ShareName in ("\\\\*\\ADMIN$", "\\\\*\\C$") and
source.ip != null and source.ip != "0.0.0.0" and source.ip != "::1" and source.ip != "::" and source.ip != "127.0.0.1"]
[file where event.action == "network-share-object-access-checked" and
winlog.event_data.ShareName : ("\\*ADMIN$", "\\*C$") and
winlog.event_data.ShareName in ("\\\\*\\ADMIN$", "\\\\*\\C$") and
source.ip != null and source.ip != "0.0.0.0" and source.ip != "::1" and source.ip != "::" and source.ip != "127.0.0.1"]
'''
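Review bot: Switching from `:` to `in ("\\\\*\\ADMIN$", "\\\\*\\C$")` makes the `*` a literal (presumably matching the literal `\\*\ADMIN$` form the share-access event carries), but EQL `in` is an exact, case-sensitive comparison whereas the previous `:` match was case-insensitive, so a share name logged as `\\*\c$` would no longer match. If the stack floor permits, `in~` keeps the literal semantics while restoring case-insensitivity: `winlog.event_data.ShareName in~ ("\\\\*\\ADMIN$", "\\\\*\\C$")` in both sequence steps. Worth confirming against a sample of the source events whether the field is ever emitted in lower case before relying on the exact form.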
+4 -3
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/19"
updated_date = "2024/04/05"
bypass_bbr_timing = true
[rule]
@@ -12,7 +12,7 @@ author = ["Elastic"]
building_block_type = "default"
description = "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool."
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Windows Network Enumeration"
@@ -73,7 +73,8 @@ process where host.os.type == "windows" and event.type == "start" and
((process.name : "net.exe" or process.pe.original_file_name == "net.exe") or
((process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and
not process.parent.name : "net.exe")) and
(process.args : "view" or (process.args : "time" and process.args : "\\\\*"))
(process.args : "view" or (process.args : "time" and process.args : "\\\\*")) and
not process.command_line : "net view \\\\localhost "
/* expand when ancestry is available
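Review bot: The new `not process.command_line : "net view \\\\localhost "` exclusion ends with a trailing space inside the quoted string, so it matches only an invocation carrying that exact trailing space; the same command without it (`net view \\localhost`) still fires. If the trailing-space variant is the observed false positive, list both forms explicitly, `not process.command_line : ("net view \\\\localhost", "net view \\\\localhost ")`, rather than a trailing wildcard, which would also swallow `net view \\localhost-<anything>`. A one-line comment naming the benign source of this invocation would help future tuning. The query body continues past the end of this hunk.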
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
min_stack_version = "8.12.0"
updated_date = "2024/03/12"
updated_date = "2024/04/05"
[rule]
@@ -190,6 +190,13 @@ negate = true
"case_insensitive" = true
"value" = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\SDIAG*"
[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
"case_insensitive" = true
"value" = "?:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Monitoring Host Temporary Files*"
[[rule.threat]]
framework = "MITRE ATT&CK"
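Review bot: The added negated filter keys only on `file.path` under `Microsoft Monitoring Agent\\Agent\\Health Service State\\Monitoring Host Temporary Files*`, so any process writing under that directory is excluded, not just the monitoring host; the rule query and the remaining filters lie outside this hunk, so I cannot tell whether a process constraint is applied elsewhere. If it is not, pair the path with a term on the expected writer (`process.executable` or `process.name`) inside the same filter so the carve-out is tied to the agent rather than to a directory. The trailing `*` also covers every subdirectory below that path; confirm that breadth is intended rather than a single temp-file pattern.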
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/21"
updated_date = "2024/04/05"
bypass_bbr_timing = true
[rule]
@@ -22,7 +22,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "External IP Lookup from Non-Browser Process"
@@ -103,18 +103,31 @@ network where host.os.type == "windows" and network.protocol == "dns" and
"*ipstack.com"
) and
/* Insert noisy false positives here */
not process.executable :
not
(
"?:\\Program Files\\*.exe",
"?:\\Program Files (x86)\\*.exe",
"?:\\Windows\\System32\\WWAHost.exe",
"?:\\Windows\\System32\\smartscreen.exe",
"?:\\Windows\\System32\\MicrosoftEdgeCP.exe",
"?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
"?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe",
"?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
"?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
(
process.executable : (
"?:\\Program Files\\*.exe",
"?:\\Program Files (x86)\\*.exe",
"?:\\Windows\\Prey\\versions\\*\\bin\\node.exe",
"?:\\Windows\\System32\\WWAHost.exe",
"?:\\Windows\\System32\\smartscreen.exe",
"?:\\Windows\\System32\\MicrosoftEdgeCP.exe",
"?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
"?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe",
"?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
"?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
) and process.code_signature.trusted == true
) or
(
(process.name : "Evernote.exe" and process.code_signature.subject_name : "Evernote Corporation" and process.code_signature.trusted == true) or
(process.name : "firefox.exe" and process.code_signature.subject_name : "Mozilla Corporation" and process.code_signature.trusted == true) or
(process.name : "Loom.exe" and process.code_signature.subject_name : "Loom, Inc." and process.code_signature.trusted == true) or
(process.name : "opera.exe" and process.code_signature.subject_name : "Opera Norway AS" and process.code_signature.trusted == true) or
(process.name : "brave.exe" and process.code_signature.subject_name : "Brave Software, Inc." and process.code_signature.trusted == true) or
(process.name : "vivaldi.exe" and process.code_signature.subject_name : "Vivaldi Technologies AS" and process.code_signature.trusted == true)
)
)
'''
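Review bot: The new `?:\\Windows\\Prey\\versions\\*\\bin\\node.exe` entry is gated only by `process.code_signature.trusted == true`, and node.exe is a general-purpose script host; whatever signer that binary carries (presumably Node.js's own rather than Prey's) vouches for the interpreter, not for the script it runs, so any JavaScript launched through that copy of node.exe can perform external-IP lookups unseen. Consider moving it out of the path list into the name-plus-signer block with an argument constraint, e.g. `(process.executable : "?:\\Windows\\Prey\\versions\\*\\bin\\node.exe" and process.args : "?:\\Windows\\Prey\\*" and process.code_signature.trusted == true)`. Requiring `trusted == true` for the whole path list is a clear improvement over the previous path-only exclusions, though `?:\\Program Files\\*.exe` and `?:\\Program Files (x86)\\*.exe` remain very broad for any trusted-signed installer.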