From 207dc55edede4de34837fbc7746ca1337cb5b439 Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Fri, 9 Aug 2024 12:26:58 -0300 Subject: [PATCH] [Rule Tuning] Windows File-based Rules Tuning (#3963) * [Rule Tuning] Windows File-based Rules Tuning * Update credential_access_lsass_memdump_file_created.toml * . --- ...and_and_control_ingress_transfer_bits.toml | 4 ++-- ...d_control_teamviewer_remote_file_copy.toml | 14 ++++------- .../windows/credential_access_kirbi_file.toml | 6 ++--- ...ial_access_lsass_memdump_file_created.toml | 12 +++------- ...l_access_moving_registry_hive_via_smb.toml | 3 ++- ...defense_evasion_amsi_bypass_dllhijack.toml | 23 +++++++++++++++++-- .../execution_downloaded_shortcut_files.toml | 6 ++--- .../execution_downloaded_url_file.toml | 9 ++++---- .../execution_ms_office_written_file.toml | 5 ++-- ...nt_execution_via_file_shares_sequence.toml | 12 ++++++++-- ...ement_unusual_dns_service_file_writes.toml | 15 ++++-------- ...tion_printspooler_suspicious_spl_file.toml | 14 +++-------- 12 files changed, 63 insertions(+), 60 deletions(-) diff --git a/rules/windows/command_and_control_ingress_transfer_bits.toml b/rules/windows/command_and_control_ingress_transfer_bits.toml index d0be4efa7..cfd445b29 100644 --- a/rules/windows/command_and_control_ingress_transfer_bits.toml +++ b/rules/windows/command_and_control_ingress_transfer_bits.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/13" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/08/06" [transform] [[transform.osquery]] 
@@ -139,7 +139,7 @@ file where host.os.type == "windows" and event.action == "rename" and not file.path : ( "?:\\Users\\*\\AppData\\Local\\Temp*\\wct*.tmp", "?:\\Users\\*\\AppData\\Local\\Adobe\\ARM\\*\\RdrServicesUpdater*.exe", - "?:\\Users\\*\\AppData\\Local\\Adobe\\ARM\\*\\AcroServicesUpdater2_x64.exe", + "?:\\Users\\*\\AppData\\Local\\Adobe\\ARM\\*\\AcroServicesUpdater*.exe", "?:\\Users\\*\\AppData\\Local\\Docker Desktop Installer\\update-*.exe" ) ''' diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml index d7526688a..fee6b2117 100644 --- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml +++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/08/06" [transform] [[transform.osquery]] @@ -93,14 +93,6 @@ references = [ ] risk_score = 47 rule_id = "b25a7df2-120a-4db2-bd3f-3e4b86b24bee" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "medium" tags = [ "Domain: Endpoint", 
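Review bot: The widened entry `"?:\\Users\\*\\AppData\\Local\\Adobe\\ARM\\*\\AcroServicesUpdater*.exe"` is a path-only exclusion under a user-writable directory, and the visible clause binds it to nothing beyond `event.action == "rename"`, so renaming a BITS-delivered file to `%LOCALAPPDATA%\Adobe\ARM\<any>\AcroServicesUpdater<anything>.exe` now suppresses the alert for any suffix instead of the one fixed name it replaced. If the false positives are only architecture or version variants of the updater, a narrower glob such as `"?:\\Users\\*\\AppData\\Local\\Adobe\\ARM\\*\\AcroServicesUpdater?_x??.exe"` keeps the tuning without accepting an arbitrary name; confirm against the observed names before choosing. A comment above the list noting that these AppData entries are user-writable, so every added wildcard is a rename-based bypass, would help the next tuner weigh additions. The `file where ...` line is visible only truncated in the hunk header, so any job-owner or signer condition elsewhere in the query is outside what I can see.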
@@ -122,7 +114,9 @@ file where host.os.type == "windows" and event.type == "creation" and process.na file.path : ( "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\*.js", "?:\\Users\\*\\AppData\\Local\\Temp\\TeamViewer\\update.exe", - "?:\\Users\\*\\AppData\\Local\\Temp\\?\\TeamViewer\\update.exe" + "?:\\Users\\*\\AppData\\Local\\Temp\\?\\TeamViewer\\update.exe", + "?:\\Users\\*\\AppData\\Local\\TeamViewer\\CustomConfigs\\???????\\TeamViewer_Resource_??.dll", + "?:\\Users\\*\\AppData\\Local\\TeamViewer\\CustomConfigs\\???????\\TeamViewer*.exe" ) and process.code_signature.trusted == true ) ''' diff --git a/rules/windows/credential_access_kirbi_file.toml b/rules/windows/credential_access_kirbi_file.toml index 7c001c891..69d9d63c9 100644 --- a/rules/windows/credential_access_kirbi_file.toml +++ b/rules/windows/credential_access_kirbi_file.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2024/08/07" +updated_date = "2024/08/09" [rule] author = ["Elastic"] @@ -18,9 +18,9 @@ index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "lo language = "eql" license = "Elastic License v2" name = "Kirbi File Creation" -risk_score = 47 +risk_score = 73 rule_id = "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a" -severity = "medium" +severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml index 062926c20..a1654d9da 100644 
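Review bot: `"?:\\Users\\*\\AppData\\Local\\TeamViewer\\CustomConfigs\\???????\\TeamViewer*.exe"` is broad for a rule about file transfer through TeamViewer: the process that legitimately populates CustomConfigs is TeamViewer itself, so whoever drives a session can drop any executable under a `TeamViewer…exe` name into a seven-character subfolder and stay below this rule, and `process.code_signature.trusted == true` does not help because the signed TeamViewer binary satisfies it. If the false positives are specific custom-module executables, listing their observed names rather than `TeamViewer*.exe` keeps the tuning targeted; confirm against the FP data. The trusted-only check also accepts any publisher, so pairing it with `process.code_signature.subject_name : "TeamViewer*"` (verify the exact subject string on a clean install) would stop a differently signed, renamed binary from riding the same exception. The `process.name` condition is truncated in the hunk header, so how tightly the writing process is constrained is not visible here.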
--- a/rules/windows/credential_access_lsass_memdump_file_created.toml +++ b/rules/windows/credential_access_lsass_memdump_file_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/07/04" +updated_date = "2024/08/06" [transform] [[transform.osquery]] @@ -96,14 +96,6 @@ This rule looks for the creation of memory dump files with file names compatible references = ["https://github.com/outflanknl/Dumpert", "https://github.com/hoangprod/AndrewSpecial"] risk_score = 73 rule_id = "f2f46686-6f3c-4724-bd7d-24e31c70f98f" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "high" tags = [ "Domain: Endpoint", @@ -127,10 +119,12 @@ file where host.os.type == "windows" and event.action != "deletion" and not ( process.executable : ( "?:\\Program Files\\Microsoft SQL Server\\*\\Shared\\SqlDumper.exe", + "?:\\Program Files\\Microsoft SQL Server Reporting Services\\SSRS\\ReportServer\\bin\\SqlDumper.exe", "?:\\Windows\\System32\\dllhost.exe" ) and file.path : ( "?:\\*\\Reporting Services\\Logfiles\\SQLDmpr*.mdmp", + "?:\\Program Files\\Microsoft SQL Server Reporting Services\\SSRS\\Logfiles\\SQLDmpr*.mdmp", "?:\\Program Files\\Microsoft SQL Server\\*\\Shared\\ErrorDumps\\SQLDmpr*.mdmp", "?:\\Program Files\\Microsoft SQL Server\\*\\MSSQL\\LOG\\SQLDmpr*.mdmp" ) diff --git a/rules/windows/credential_access_moving_registry_hive_via_smb.toml b/rules/windows/credential_access_moving_registry_hive_via_smb.toml index 7c1240d4b..8f794a534 100644 
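Review bot: The new SSRS entry `"?:\\Program Files\\Microsoft SQL Server Reporting Services\\SSRS\\ReportServer\\bin\\SqlDumper.exe"` trusts `process.executable` by path alone, and the adversary this rule targets already holds the admin rights needed to dump LSASS, so creating that directory, planting a renamed dumper there and writing the output as `...\SSRS\Logfiles\SQLDmpr1.mdmp` sits entirely inside the exception. The hunk does not show whether the enclosing `not (...)` carries a signature condition; if it does not, adding `process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true` to that group (the idiom this same commit uses in execution_ms_office_written_file.toml) makes the bypass cost a Microsoft-signed binary rather than a folder. A short comment noting that the new `Logfiles` path is a sibling of, not a duplicate of, the existing `"?:\\*\\Reporting Services\\Logfiles\\SQLDmpr*.mdmp"` (the extra `SSRS` segment defeats that wildcard) would save the next reader from "simplifying" it away.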
--- a/rules/windows/credential_access_moving_registry_hive_via_smb.toml +++ b/rules/windows/credential_access_moving_registry_hive_via_smb.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/16" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/08/06" [rule] author = ["Elastic"] @@ -74,6 +74,7 @@ file where host.os.type == "windows" and event.type == "creation" and not file.path : ( "?:\\*\\UPM_Profile\\NTUSER.DAT", "?:\\*\\UPM_Profile\\NTUSER.DAT.LASTGOOD.LOAD", + "?:\\*\\UPM_Profile\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat*", "?:\\Windows\\Netwrix\\Temp\\????????.???.offreg", "?:\\*\\AppData\\Local\\Packages\\Microsoft.*\\Settings\\settings.dat*" ) diff --git a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml index 9572cd024..c190bad82 100644 --- a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml +++ b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml @@ -4,7 +4,7 @@ integration = ["windows", "endpoint", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2024/06/25" +updated_date = "2024/08/06" [transform] [[transform.osquery]] 
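Review bot: `"?:\\*\\UPM_Profile\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat*"` anchors on a `UPM_Profile` segment anywhere below the drive root and ends in an open `*`, so the exception is satisfied by any hive copy whose destination contains `\UPM_Profile\AppData\Local\Microsoft\Windows\` — a directory an attacker can create on a share they control — and it also covers `UsrClass.dat.LOG1`-style siblings, which may or may not be intended. If the profile store (presumably Citrix Profile Management, judging by the name) lives under a fixed root in this environment, anchoring the pattern there instead of `?:\\*\\` limits the exclusion to that deployment; if the open suffix exists only for the transaction logs, `UsrClass.dat` plus `UsrClass.dat.LOG?` says so explicitly. Only the `not file.path : (...)` tail of the query is in the hunk, so the process-side constraints that would make this acceptable are not visible. A comment above the three UPM entries naming what `UPM_Profile` is would document the grouping.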
@@ -112,7 +112,26 @@ type = "eql" query = ''' file where host.os.type == "windows" and event.type != "deletion" and file.path != null and - file.name : ("amsi.dll", "amsi") and not file.path : ("?:\\Windows\\system32\\amsi.dll", "?:\\Windows\\Syswow64\\amsi.dll", "?:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSXS\\*", "?:\\$WINDOWS.~BT\\NewOS\\Windows\\servicing\\LCU\\*", "?:\\$WINDOWS.~BT\\Work\\*\\*", "?:\\Windows\\SoftwareDistribution\\Download\\*") + file.name : ("amsi.dll", "amsi") and + not file.path : ( + "?:\\Windows\\system32\\amsi.dll", + "?:\\Windows\\Syswow64\\amsi.dll", + "?:\\$WINDOWS.~BT\\DUImageSandbox\\*", + "?:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSXS\\*", + "?:\\$WINDOWS.~BT\\NewOS\\Windows\\servicing\\LCU\\*", + "?:\\$WINDOWS.~BT\\Work\\*\\*", + "?:\\Windows\\SoftwareDistribution\\Download\\*", + "?:\\Windows\\WinSxS\\amd64_microsoft-antimalware-scan-interface_*\\amsi.dll" + ) and + not + ( + process.executable : "C:\\Windows\\System32\\wbengine.exe" and + file.path : ( + "\\Device\\HarddiskVolume??\\Windows\\system32\\amsi.dll", + "\\Device\\HarddiskVolume??\\Windows\\syswow64\\amsi.dll", + "\\Device\\HarddiskVolume??\\Windows\\WinSxS\\*\\amsi.dll" + ) + ) ''' diff --git a/rules/windows/execution_downloaded_shortcut_files.toml b/rules/windows/execution_downloaded_shortcut_files.toml index 4475a3d53..43fbff23e 100644 --- a/rules/windows/execution_downloaded_shortcut_files.toml +++ b/rules/windows/execution_downloaded_shortcut_files.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/08/06" [rule] author = ["Elastic"] @@ -15,9 +15,9 @@ index = ["logs-endpoint.events.file-*"] language = "eql" license = "Elastic License v2" name = "Downloaded Shortcut Files" -risk_score = 21 +risk_score = 47 rule_id = "39157d52-4035-44a8-9d1a-6f8c5f580a07" -severity = "low" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Windows", 
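Review bot: The three `\\Device\\HarddiskVolume??\\...` entries in the new wbengine exception match only two-character volume numbers, because `?` in EQL matches exactly one character, so `\Device\HarddiskVolume3\Windows\system32\amsi.dll` still alerts while `HarddiskVolume12` does not, and the exception will behave differently across hosts purely by volume numbering. Either add the single-digit forms or use `"\\Device\\HarddiskVolume*\\Windows\\system32\\amsi.dll"` (noting that `*` also matches `HarddiskVolumeShadowCopyN`, which for a backup engine is probably what you want). The same block hard-codes `process.executable : "C:\\Windows\\System32\\wbengine.exe"` while every other path in this rule uses the `?:` placeholder; `"?:\\Windows\\System32\\wbengine.exe"` keeps it consistent and working on non-C system drives. A comment such as `/* wbengine.exe (presumably the Windows Backup engine) writes image copies under device paths */` would explain why device-form paths appear only in this clause.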
diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml index 14bb98b6e..8b72e8d4a 100644 --- a/rules/windows/execution_downloaded_url_file.toml +++ b/rules/windows/execution_downloaded_url_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/08/06" [rule] author = ["Elastic"] @@ -15,16 +15,15 @@ index = ["logs-endpoint.events.file-*"] language = "eql" license = "Elastic License v2" name = "Downloaded URL Files" -risk_score = 21 +risk_score = 47 rule_id = "cd82e3d6-1346-4afd-8f22-38388bbf34cb" -severity = "low" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", - "Data Source: Elastic Defend", - "Rule Type: BBR", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml index d441f9758..979a2d927 100644 --- a/rules/windows/execution_ms_office_written_file.toml +++ b/rules/windows/execution_ms_office_written_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/08/06" [rule] author = ["Elastic"] 
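Review bot: The tag edit drops `"Rule Type: BBR"` from execution_downloaded_url_file.toml, but the diffstat shows only nine changed lines for this file (date, score, severity, tags), so nothing above line 15 is touched; if the rule still declares `building_block_type = "default"` in its `[rule]` header, it remains a building-block rule regardless of the tag and the promotion to medium/47 will not surface the way the score suggests. Confirm whether that key exists and remove it in the same change, or keep the tag if the rule is meant to stay a BBR. The sibling hunk for execution_downloaded_shortcut_files.toml makes the same score change without a tag edit, so the two rules should end up in the same category either way.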
@@ -90,7 +90,8 @@ sequence with maxspan=2h process.name : "MSACCESS.EXE") ] by host.id, file.path [process where host.os.type == "windows" and event.type == "start" and - not (process.name : "NewOutlookInstaller.exe" and process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true) + not (process.name : "NewOutlookInstaller.exe" and process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true) and + not (process.name : "ShareFileForOutlook-v*.exe" and process.code_signature.subject_name : "Citrix Systems, Inc." and process.code_signature.trusted == true) ] by host.id, process.executable ''' diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml index 78ee33364..db76d0b7f 100644 --- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml +++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/08/06" [transform] [[transform.osquery]] 
@@ -121,8 +121,16 @@ sequence with maxspan=1m /* PDQ related processes */ ( process.name : ( - "PDQInventoryScanner.exe", "PDQInventoryMonitor.exe", "PDQInventory-Scanner-?.exe", "PDQInventoryWakeCommand-?.exe" + "PDQInventoryScanner.exe", "PDQInventoryMonitor.exe", "PDQInventory-Scanner-?.exe", + "PDQInventoryWakeCommand-?.exe", "PDQDeployRunner-?.exe" ) and process.code_signature.trusted == true and process.code_signature.subject_name : "PDQ.com Corporation" + ) or + /* CrowdStrike related processes */ + ( + (process.executable : "?:\\Windows\\System32\\drivers\\CrowdStrike\\*-WindowsSensor.*.exe" and + process.code_signature.trusted == true and process.code_signature.subject_name : "CrowdStrike, Inc.") or + (process.executable : "?:\\Windows\\System32\\drivers\\CrowdStrike\\*-CsInstallerService.exe" and + process.code_signature.trusted == true and process.code_signature.subject_name : "Microsoft Windows Hardware Compatibility Publisher") ) ) ] by host.id, process.executable diff --git a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml index dea6f0ce6..26920cfa1 100644 --- a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml +++ b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/16" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/08/06" [rule] author = ["Elastic"] 
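Review bot: The second CrowdStrike clause accepts `process.code_signature.subject_name : "Microsoft Windows Hardware Compatibility Publisher"` for `*-CsInstallerService.exe`, and that subject is Microsoft's attestation signer shared by driver packages from many vendors, so nothing in the clause identifies CrowdStrike except the folder `?:\\Windows\\System32\\drivers\\CrowdStrike\\` and the file name, neither of which a signature protects (a renamed WHQL-signed binary keeps a valid signature, and the leading `*` also spans subfolders). An admin staging a payload over a share can therefore drop any such binary as `x-CsInstallerService.exe` into that folder and sit inside the exception. Consider tightening with `process.pe.original_file_name : "CsInstallerService.exe"` if the sensor populates that field (verify the value), or at least comment that the WHQL subject, not a vendor name, is the trust anchor for this entry. The PDQ clause beside it is bound to `PDQ.com Corporation`, so the two halves of the new block do not offer the same assurance.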
@@ -29,14 +29,6 @@ references = [ ] risk_score = 73 rule_id = "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "high" tags = [ "Domain: Endpoint", @@ -54,7 +46,10 @@ type = "eql" query = ''' file where host.os.type == "windows" and process.name : "dns.exe" and event.type in ("creation", "deletion", "change") and not file.name : "dns.log" and not - (file.extension : ("old", "temp", "bak", "dns", "arpa") and file.path : "C:\\Windows\\System32\\dns\\*") + (file.extension : ("old", "temp", "bak", "dns", "arpa") and file.path : "C:\\Windows\\System32\\dns\\*") and + + /* DNS logs with custom names, header converts to "DNS Server log" */ + not ?file.Ext.header_bytes : "444e5320536572766572206c6f67*" ''' diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml index f6e2619c9..1d3dde578 100644 --- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml +++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/08/06" [transform] [[transform.osquery]] 
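Review bot: `not ?file.Ext.header_bytes : "444e5320536572766572206c6f67*"` excludes files on the strength of their first 14 bytes, and those bytes are written by dns.exe itself — the process this rule assumes may be compromised — so anything that is not a PE (a script, a staged config, an exfil blob) can be prefixed with the literal `DNS Server log` and dropped from detection. That is a reasonable trade for custom-named debug logs if it is bounded, for example by also requiring `file.extension : ("log", "txt")` or a path under the configured log directory; confirm the environment's custom-log convention before narrowing. The comment would be more useful spelled out as `/* custom-named DNS debug logs: header bytes decode to "DNS Server log" */`, since the hex is not self-evident. The `?` prefix should keep events with no header bytes (deletions) matching the rule, which is the intended behavior.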
@@ -95,17 +95,9 @@ The Print Spooler service has some known vulnerabilities that attackers can abus - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = ["https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337"] -risk_score = 47 +risk_score = 21 rule_id = "a7ccae7b-9d2c-44b2-a061-98e5946971fa" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" -severity = "medium" +severity = "low" tags = [ "Domain: Endpoint", "OS: Windows",