[Rule Tuning] Windows File-based Rules Tuning (#3963)

* [Rule Tuning] Windows File-based Rules Tuning

* Update credential_access_lsass_memdump_file_created.toml

* .
Jonhnathan
2024-08-09 12:26:58 -03:00
committed by GitHub
parent f5069763b6
commit 207dc55ede
12 changed files with 63 additions and 60 deletions
@@ -2,7 +2,7 @@
creation_date = "2023/01/13"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/06"
[transform]
[[transform.osquery]]
@@ -139,7 +139,7 @@ file where host.os.type == "windows" and event.action == "rename" and
not file.path : (
"?:\\Users\\*\\AppData\\Local\\Temp*\\wct*.tmp",
"?:\\Users\\*\\AppData\\Local\\Adobe\\ARM\\*\\RdrServicesUpdater*.exe",
"?:\\Users\\*\\AppData\\Local\\Adobe\\ARM\\*\\AcroServicesUpdater2_x64.exe",
"?:\\Users\\*\\AppData\\Local\\Adobe\\ARM\\*\\AcroServicesUpdater*.exe",
"?:\\Users\\*\\AppData\\Local\\Docker Desktop Installer\\update-*.exe"
)
'''
@@ -2,7 +2,7 @@
creation_date = "2020/09/02"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/06"
[transform]
[[transform.osquery]]
@@ -93,14 +93,6 @@ references = [
]
risk_score = 47
rule_id = "b25a7df2-120a-4db2-bd3f-3e4b86b24bee"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
"Domain: Endpoint",
@@ -122,7 +114,9 @@ file where host.os.type == "windows" and event.type == "creation" and process.na
file.path : (
"?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\*.js",
"?:\\Users\\*\\AppData\\Local\\Temp\\TeamViewer\\update.exe",
"?:\\Users\\*\\AppData\\Local\\Temp\\?\\TeamViewer\\update.exe"
"?:\\Users\\*\\AppData\\Local\\Temp\\?\\TeamViewer\\update.exe",
"?:\\Users\\*\\AppData\\Local\\TeamViewer\\CustomConfigs\\???????\\TeamViewer_Resource_??.dll",
"?:\\Users\\*\\AppData\\Local\\TeamViewer\\CustomConfigs\\???????\\TeamViewer*.exe"
) and process.code_signature.trusted == true
)
'''
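Review bot: The two new TeamViewer entries, in particular `"?:\\Users\\*\\AppData\\Local\\TeamViewer\\CustomConfigs\\???????\\TeamViewer*.exe"`, are under a user-writable tree and the only process constraint shown on the group is `process.code_signature.trusted == true`, which any validly signed process satisfies, not just TeamViewer. A signed dropper or any signed application writing a file named `TeamViewer_<anything>.exe` into that folder would now be suppressed. If the rest of the query (it starts before this hunk) does not already pin the writer, split these entries into their own clause with `process.code_signature.subject_name : "TeamViewer*"` so the signer matches the vendor whose update path is being excused, and add a short comment naming what the `???????` directory segment represents (it presumably matches a fixed-length config ID, worth confirming).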
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende
maturity = "production"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
min_stack_version = "8.13.0"
updated_date = "2024/08/07"
updated_date = "2024/08/09"
[rule]
author = ["Elastic"]
@@ -18,9 +18,9 @@ index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "lo
language = "eql"
license = "Elastic License v2"
name = "Kirbi File Creation"
risk_score = 47
risk_score = 73
rule_id = "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a"
severity = "medium"
severity = "high"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"]
timestamp_override = "event.ingested"
type = "eql"
@@ -2,7 +2,7 @@
creation_date = "2020/11/24"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/07/04"
updated_date = "2024/08/06"
[transform]
[[transform.osquery]]
@@ -96,14 +96,6 @@ This rule looks for the creation of memory dump files with file names compatible
references = ["https://github.com/outflanknl/Dumpert", "https://github.com/hoangprod/AndrewSpecial"]
risk_score = 73
rule_id = "f2f46686-6f3c-4724-bd7d-24e31c70f98f"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "high"
tags = [
"Domain: Endpoint",
@@ -127,10 +119,12 @@ file where host.os.type == "windows" and event.action != "deletion" and
not (
process.executable : (
"?:\\Program Files\\Microsoft SQL Server\\*\\Shared\\SqlDumper.exe",
"?:\\Program Files\\Microsoft SQL Server Reporting Services\\SSRS\\ReportServer\\bin\\SqlDumper.exe",
"?:\\Windows\\System32\\dllhost.exe"
) and
file.path : (
"?:\\*\\Reporting Services\\Logfiles\\SQLDmpr*.mdmp",
"?:\\Program Files\\Microsoft SQL Server Reporting Services\\SSRS\\Logfiles\\SQLDmpr*.mdmp",
"?:\\Program Files\\Microsoft SQL Server\\*\\Shared\\ErrorDumps\\SQLDmpr*.mdmp",
"?:\\Program Files\\Microsoft SQL Server\\*\\MSSQL\\LOG\\SQLDmpr*.mdmp"
)
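Review bot: `"?:\\Windows\\System32\\dllhost.exe"` is added to the excluded dumpers on a path-only basis, and dllhost.exe is a generic COM surrogate that hosts whatever COM server is registered to it, so the exclusion applies to every component that ever runs inside it rather than to SQL Server's dump handler specifically. Exposure is limited because the paired `file.path` list only covers `SQLDmpr*.mdmp` under SQL Server directories, but an adversary with write access there could name an LSASS dump to match and have it written through a surrogate. If the data carries a discriminator for the hosted component (for example `process.command_line` with the `/Processid:` CLSID), narrowing the dllhost entry on it would help; at minimum add a comment above the list such as `/* SqlDumper, directly or via the dllhost COM surrogate, writing SQL Server crash dumps */` because the dllhost entry is not self-explanatory. The enclosing query begins before this hunk.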
@@ -2,7 +2,7 @@
creation_date = "2022/02/16"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/06"
[rule]
author = ["Elastic"]
@@ -74,6 +74,7 @@ file where host.os.type == "windows" and event.type == "creation" and
not file.path : (
"?:\\*\\UPM_Profile\\NTUSER.DAT",
"?:\\*\\UPM_Profile\\NTUSER.DAT.LASTGOOD.LOAD",
"?:\\*\\UPM_Profile\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat*",
"?:\\Windows\\Netwrix\\Temp\\????????.???.offreg",
"?:\\*\\AppData\\Local\\Packages\\Microsoft.*\\Settings\\settings.dat*"
)
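Review bot: The new exclusion `"?:\\*\\AppData\\Local\\Packages\\Microsoft.*\\Settings\\settings.dat*"` is wide in three places: the leading `?:\\*` accepts any parent path, `Microsoft.*` accepts any package folder that merely starts with that prefix, and the trailing `*` after `settings.dat` accepts any suffix, all inside a user-writable tree. An unprivileged user can therefore create `...\\Packages\\Microsoft.anything\\Settings\\settings.dat.x` and have a hive-format file creation suppressed. If the target is UWP app settings hives and their transaction files, pin the suffixes actually observed, e.g. `"?:\\Users\\*\\AppData\\Local\\Packages\\Microsoft.*\\Settings\\settings.dat"` and `"?:\\Users\\*\\AppData\\Local\\Packages\\Microsoft.*\\Settings\\settings.dat.LOG?"` (confirm the full set of suffixes from telemetry before dropping the wildcard). The enclosing query starts before this hunk.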
@@ -4,7 +4,7 @@ integration = ["windows", "endpoint", "sentinel_one_cloud_funnel", "m365_defende
maturity = "production"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
min_stack_version = "8.13.0"
updated_date = "2024/06/25"
updated_date = "2024/08/06"
[transform]
[[transform.osquery]]
@@ -112,7 +112,26 @@ type = "eql"
query = '''
file where host.os.type == "windows" and event.type != "deletion" and file.path != null and
file.name : ("amsi.dll", "amsi") and not file.path : ("?:\\Windows\\system32\\amsi.dll", "?:\\Windows\\Syswow64\\amsi.dll", "?:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSXS\\*", "?:\\$WINDOWS.~BT\\NewOS\\Windows\\servicing\\LCU\\*", "?:\\$WINDOWS.~BT\\Work\\*\\*", "?:\\Windows\\SoftwareDistribution\\Download\\*")
file.name : ("amsi.dll", "amsi") and
not file.path : (
"?:\\Windows\\system32\\amsi.dll",
"?:\\Windows\\Syswow64\\amsi.dll",
"?:\\$WINDOWS.~BT\\DUImageSandbox\\*",
"?:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSXS\\*",
"?:\\$WINDOWS.~BT\\NewOS\\Windows\\servicing\\LCU\\*",
"?:\\$WINDOWS.~BT\\Work\\*\\*",
"?:\\Windows\\SoftwareDistribution\\Download\\*",
"?:\\Windows\\WinSxS\\amd64_microsoft-antimalware-scan-interface_*\\amsi.dll"
) and
not
(
process.executable : "C:\\Windows\\System32\\wbengine.exe" and
file.path : (
"\\Device\\HarddiskVolume??\\Windows\\system32\\amsi.dll",
"\\Device\\HarddiskVolume??\\Windows\\syswow64\\amsi.dll",
"\\Device\\HarddiskVolume??\\Windows\\WinSxS\\*\\amsi.dll"
)
)
'''
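Review bot: The new wbengine.exe carve-out mixes two wildcard conventions: `process.executable : "C:\\Windows\\System32\\wbengine.exe"` pins the drive letter to `C:` while every other path in this rule uses `?:`, and `\\Device\\HarddiskVolume??` requires exactly two digits, so volumes 1 through 9 (the usual case on a single-disk host) never match. Both mismatches only make the exclusion miss, so the effect is extra alerts rather than a bypass, but that defeats the purpose of the tuning. Suggest `process.executable : "?:\\Windows\\System32\\wbengine.exe"` and `"\\Device\\HarddiskVolume*\\Windows\\system32\\amsi.dll"` (likewise for the syswow64 and WinSxS entries), plus a comment above the clause such as `/* Windows Backup engine reads amsi.dll through raw volume device paths */` explaining why device-style paths appear here.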
@@ -2,7 +2,7 @@
creation_date = "2020/09/02"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/06"
[rule]
author = ["Elastic"]
@@ -15,9 +15,9 @@ index = ["logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Downloaded Shortcut Files"
risk_score = 21
risk_score = 47
rule_id = "39157d52-4035-44a8-9d1a-6f8c5f580a07"
severity = "low"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Windows",
@@ -2,7 +2,7 @@
creation_date = "2020/09/02"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/06"
[rule]
author = ["Elastic"]
@@ -15,16 +15,15 @@ index = ["logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Downloaded URL Files"
risk_score = 21
risk_score = 47
rule_id = "cd82e3d6-1346-4afd-8f22-38388bbf34cb"
severity = "low"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend",
"Rule Type: BBR",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
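Review bot: Dropping the `"Rule Type: BBR"` tag and raising the score to medium promotes this from a building-block rule to an alerting rule, but the tag is only a label: if the file still carries `building_block_type = "default"` (not visible in this hunk) the rule keeps being hidden from the alerts view, so that field needs to go in the same change. Promotion also means analysts will now triage these alerts, so confirm the rule has a `description`/`note` with investigation guidance and `false_positives` entries suitable for an alerting rule rather than a BBR.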
@@ -2,7 +2,7 @@
creation_date = "2020/09/02"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/06"
[rule]
author = ["Elastic"]
@@ -90,7 +90,8 @@ sequence with maxspan=2h
process.name : "MSACCESS.EXE")
] by host.id, file.path
[process where host.os.type == "windows" and event.type == "start" and
not (process.name : "NewOutlookInstaller.exe" and process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true)
not (process.name : "NewOutlookInstaller.exe" and process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true) and
not (process.name : "ShareFileForOutlook-v*.exe" and process.code_signature.subject_name : "Citrix Systems, Inc." and process.code_signature.trusted == true)
] by host.id, process.executable
'''
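Review bot: The added Citrix carve-out matches `process.name : "ShareFileForOutlook-v*.exe"` plus signer, but Authenticode does not cover the on-disk file name, so any validly Citrix-signed binary renamed to that pattern satisfies the exclusion (the pre-existing `NewOutlookInstaller.exe` entry has the same shape). If the data carries it, anchoring on `process.pe.original_file_name : "ShareFileForOutlook*"` instead of, or alongside, `process.name` resists renaming. The sequence's first stage begins before this hunk.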
@@ -2,7 +2,7 @@
creation_date = "2020/11/03"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/06"
[transform]
[[transform.osquery]]
@@ -121,8 +121,16 @@ sequence with maxspan=1m
/* PDQ related processes */
(
process.name : (
"PDQInventoryScanner.exe", "PDQInventoryMonitor.exe", "PDQInventory-Scanner-?.exe", "PDQInventoryWakeCommand-?.exe"
"PDQInventoryScanner.exe", "PDQInventoryMonitor.exe", "PDQInventory-Scanner-?.exe",
"PDQInventoryWakeCommand-?.exe", "PDQDeployRunner-?.exe"
) and process.code_signature.trusted == true and process.code_signature.subject_name : "PDQ.com Corporation"
) or
/* CrowdStrike related processes */
(
(process.executable : "?:\\Windows\\System32\\drivers\\CrowdStrike\\*-WindowsSensor.*.exe" and
process.code_signature.trusted == true and process.code_signature.subject_name : "CrowdStrike, Inc.") or
(process.executable : "?:\\Windows\\System32\\drivers\\CrowdStrike\\*-CsInstallerService.exe" and
process.code_signature.trusted == true and process.code_signature.subject_name : "Microsoft Windows Hardware Compatibility Publisher")
)
)
] by host.id, process.executable
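Review bot: The second CrowdStrike entry pairs `*-CsInstallerService.exe` with `process.code_signature.subject_name : "Microsoft Windows Hardware Compatibility Publisher"`; that subject is the WHQL signer shared by hardware-certified submissions from any vendor, so unlike the `"CrowdStrike, Inc."` entry above it, it does not bind the file to CrowdStrike at all. What remains is a name-and-path match under `System32\\drivers\\CrowdStrike\\`, which an administrator-level adversary can satisfy with any WHQL-signed executable. If that signer is genuinely what the installer service carries (worth confirming from telemetry), say so in the comment, e.g. `/* CsInstallerService is WHQL-signed rather than CrowdStrike-signed; path is the main control */`, and consider adding `process.pe.original_file_name : "CsInstallerService*"` to the condition. The enclosing sequence begins before this hunk.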
@@ -2,7 +2,7 @@
creation_date = "2020/07/16"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/06"
[rule]
author = ["Elastic"]
@@ -29,14 +29,6 @@ references = [
]
risk_score = 73
rule_id = "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "high"
tags = [
"Domain: Endpoint",
@@ -54,7 +46,10 @@ type = "eql"
query = '''
file where host.os.type == "windows" and process.name : "dns.exe" and event.type in ("creation", "deletion", "change") and
not file.name : "dns.log" and not
(file.extension : ("old", "temp", "bak", "dns", "arpa") and file.path : "C:\\Windows\\System32\\dns\\*")
(file.extension : ("old", "temp", "bak", "dns", "arpa") and file.path : "C:\\Windows\\System32\\dns\\*") and
/* DNS logs with custom names, header converts to "DNS Server log" */
not ?file.Ext.header_bytes : "444e5320536572766572206c6f67*"
'''
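Review bot: The new `not ?file.Ext.header_bytes : "444e5320536572766572206c6f67*"` clause suppresses on file content alone with no path or extension constraint, whereas the existing carve-out on the line above is limited to `C:\\Windows\\System32\\dns\\*`. A DNS debug log redirected to an adversary-chosen location (log poisoning toward a web root or a script directory) still begins with the `DNS Server log` header, so such a write by dns.exe would now be excluded. Consider scoping the header match, e.g. `not (?file.Ext.header_bytes : "444e5320536572766572206c6f67*" and file.extension : ("log", "txt"))`, and extend the comment to state that the hex decodes to `DNS Server log` so the next maintainer need not work it out.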
@@ -2,7 +2,7 @@
creation_date = "2020/08/14"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/06"
[transform]
[[transform.osquery]]
@@ -95,17 +95,9 @@ The Print Spooler service has some known vulnerabilities that attackers can abus
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
references = ["https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337"]
risk_score = 47
risk_score = 21
rule_id = "a7ccae7b-9d2c-44b2-a061-98e5946971fa"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Windows",