[Rule Tuning] Update rules using case sensitive wildcard function (#904)

* update rules using case sensitive wildcard function * add appropriate spacing * Apply suggestions from code review Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * update == * Apply suggestions from code review * remove info update index * Update defense_evasion_deletion_of_bash_command_line_history.toml * Update persistence_evasion_hidden_local_account_creation.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-02-04 10:23:32 -05:00
parent 37ccdad0ee
commit 236c630c90
15 changed files with 93 additions and 99 deletions
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/04"
 maturity = "production"
-updated_date = "2020/12/22"
+updated_date = "2021/02/04"

 [rule]
 author = ["Elastic"]
@@ -23,11 +23,11 @@ type = "eql"
 query = '''
 process where event.type in ("start", "process_started") and
 (
-  (process.name in ("rm", "echo") and wildcard(process.args, ".bash_history", "/root/.bash_history", "/home/*/.bash_history")) or
-  (process.name == "history" and process.args == "-c") or
-  (process.name == "export" and process.args in ("HISTFILE=/dev/null", "HISTFILESIZE=0")) or
-  (process.name == "unset" and process.args == "HISTFILE") or
-  (process.name == "set" and process.args == "history" and process.args == "+o")
+  (process.name : ("rm", "echo") and process.args : (".bash_history", "/root/.bash_history", "/home/*/.bash_history")) or
+  (process.name : "history" and process.args : "-c") or
+  (process.name : "export" and process.args : ("HISTFILE=/dev/null", "HISTFILESIZE=0")) or
+  (process.name : "unset" and process.args : "HISTFILE") or
+  (process.name : "set" and process.args : "history" and process.args : "+o")
 )
 '''

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2020/12/09"
+updated_date = "2021/01/21"

 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ type = "eql"

 query = '''
 process where event.type in ("start", "process_started") and
- process.name == "touch" and wildcard(process.args, "-r", "-t", "-a*","-m*")
+ process.name : "touch" and process.args : ("-r", "-t", "-a*","-m*")
 '''


@@ -43,4 +43,3 @@ reference = "https://attack.mitre.org/techniques/T1070/006/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
@@ -24,41 +24,46 @@ type = "eql"

 query = '''
 network where network.protocol == "dns" and
-             /* Add new WebSvc domains here */
-              wildcard(dns.question.name, "*.githubusercontent.*",
-                                          "*.pastebin.*",
-                                          "*drive.google.*",
-                                          "*docs.live.*",
-                                          "*api.dropboxapi.*",
-                                          "*dropboxusercontent.*",
-                                          "*onedrive.*",
-                                          "*4shared.*",
-                                          "*.file.io",
-                                          "*filebin.net",
-                                          "*slack-files.com",
-                                          "*ghostbin.*",
-                                          "*ngrok.*",
-                                          "*portmap.*",
-                                          "*serveo.net",
-                                          "*localtunnel.me",
-                                          "*pagekite.me",
-                                          "*localxpose.io",
-                                          "*notabug.org"
-                      ) and
-                          /* Insert noisy false positives here */
-              not process.name in ("MicrosoftEdgeCP.exe",
-                                    "MicrosoftEdge.exe",
-                                    "iexplore.exe",
-                                    "chrome.exe",
-                                    "msedge.exe",
-                                    "opera.exe",
-                                    "firefox.exe",
-                                    "Dropbox.exe",
-                                    "slack.exe",
-                                    "svchost.exe",
-                                    "thunderbird.exe",
-                                    "outlook.exe",
-                                    "OneDrive.exe")
+    /* Add new WebSvc domains here */
+    dns.question.name :
+    (
+        "*.githubusercontent.*",
+        "*.pastebin.*",
+        "*drive.google.*",
+        "*docs.live.*",
+        "*api.dropboxapi.*",
+        "*dropboxusercontent.*",
+        "*onedrive.*",
+        "*4shared.*",
+        "*.file.io",
+        "*filebin.net",
+        "*slack-files.com",
+        "*ghostbin.*",
+        "*ngrok.*",
+        "*portmap.*",
+        "*serveo.net",
+        "*localtunnel.me",
+        "*pagekite.me",
+        "*localxpose.io",
+        "*notabug.org"
+    ) and
+    /* Insert noisy false positives here */
+    not process.name :
+    (
+        "MicrosoftEdgeCP.exe",
+        "MicrosoftEdge.exe",
+        "iexplore.exe",
+        "chrome.exe",
+        "msedge.exe",
+        "opera.exe",
+        "firefox.exe",
+        "Dropbox.exe",
+        "slack.exe",
+        "svchost.exe",
+        "thunderbird.exe",
+        "outlook.exe",
+        "OneDrive.exe"
+    )
 '''


@@ -74,4 +79,3 @@ reference = "https://attack.mitre.org/techniques/T1102/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
@@ -23,15 +23,18 @@ type = "eql"

 query = '''
 sequence by host.id, process.entity_id with maxspan = 1s
-  [process where event.type:"start" and process.parent.name:"iexplore.exe" and process.parent.args:"-Embedding"]
+  [process where event.type == "start" and process.parent.name : "iexplore.exe" and process.parent.args : "-Embedding"]
  /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */
-  [network where network.protocol : "dns" and process.name:"iexplore.exe" and
-   not wildcard(dns.question.name, "*.microsoft.com", 
-                                   "*.digicert.com", 
-                                   "*.msocsp.com", 
-                                   "*.windowsupdate.com", 
-                                   "*.bing.com",
-                                   "*.identrust.com")
+  [network where network.protocol == "dns" and process.name : "iexplore.exe" and
+   not dns.question.name :
+   (
+    "*.microsoft.com",
+    "*.digicert.com",
+    "*.msocsp.com",
+    "*.windowsupdate.com",
+    "*.bing.com",
+    "*.identrust.com"
+    )
  ]
 '''

@@ -48,4 +51,3 @@ reference = "https://attack.mitre.org/techniques/T1071/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
@@ -22,7 +22,7 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "eql"

 query = '''
-file where event.type == "change" and wildcard(file.name,"*AAA.AAA")
+file where event.type == "change" and file.name : "*AAA.AAA"
 '''


@@ -43,4 +43,3 @@ reference = "https://attack.mitre.org/techniques/T1070/004/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/01/20"
+updated_date = "2021/01/21"

 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies WMIC whitelisting bypass techniques by alerting on suspicious executi
 libraries it may be indicative of a whitelist bypass.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Suspicious WMIC XSL Script Execution"
@@ -21,7 +21,7 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "eql"

 query = '''
-sequence by process.entity_id with maxspan=2m
+sequence by process.entity_id with maxspan = 2m
 [process where event.type in ("start", "process_started") and
   (process.name : "WMIC.exe" or process.pe.original_file_name : "wmic.exe") and
   process.args : ("format*:*", "/format*:*", "*-format*:*") and
@@ -42,4 +42,3 @@ reference = "https://attack.mitre.org/techniques/T1220/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
@@ -22,8 +22,8 @@ type = "eql"

 query = '''
 process where event.type in ("start", "process_started") and
- process.parent.name == "WmiPrvSE.exe" and process.name == "cmd.exe" and
- wildcard(process.args, "\\\\127.0.0.1\\*") and process.args in ("2>&1", "1>")
+ process.parent.name : "WmiPrvSE.exe" and process.name : "cmd.exe" and
+ process.args : "\\\\127.0.0.1\\*" and process.args : ("2>&1", "1>")
 '''


@@ -39,4 +39,3 @@ reference = "https://attack.mitre.org/techniques/T1047/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
@@ -21,16 +21,11 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
 type = "eql"

 query = '''
-sequence by process.entity_id with maxspan=1m
+sequence by process.entity_id with maxspan = 1m
  [process where event.type in ("start", "process_started") and
-                               /* uncomment once in winlogbeat */
-     (process.name == "sc.exe" /* or process.pe.original_file_name == "sc.exe" */ ) and
-                                                   /* case insensitive */
-      wildcard(process.args, "\\\\*") and wildcard(process.args, "binPath=*", "binpath=*") and
-      (process.args : "create" or
-       process.args : "config" or
-       process.args : "failure" or
-       process.args : "start")]
+     (process.name : "sc.exe" or process.pe.original_file_name : "sc.exe") and
+      process.args : "\\\\*" and process.args : ("binPath=*", "binpath=*") and
+      process.args : ("create", "config", "failure", "start")]
  [network where process.name : "sc.exe" and destination.ip != "127.0.0.1"]
 '''

@@ -81,4 +76,3 @@ reference = "https://attack.mitre.org/techniques/T1569/002/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
@@ -22,9 +22,10 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started", "info") and 
-/* RDP port and usual SSH tunneling related switches in commandline */
-wildcard(process.args, "*:3389") and wildcard(process.args,"-L", "-P", "-R", "-pw", "-ssh")
+process where event.type in ("start", "process_started") and
+  /* RDP port and usual SSH tunneling related switches in command line */
+  process.args : "*:3389" and
+  process.args : ("-L", "-P", "-R", "-pw", "-ssh")
 '''


@@ -40,4 +41,3 @@ reference = "https://attack.mitre.org/techniques/T1021/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
@@ -21,11 +21,11 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
 type = "eql"

 query = '''
-sequence by process.entity_id with maxspan=5m
+sequence by process.entity_id with maxspan = 5m
  [process where event.type in ("start", "process_started") and
-     not (process.name : "sdbinst.exe" and process.parent.name : "msiexec.exe")]
+    not (process.name : "sdbinst.exe" and process.parent.name : "msiexec.exe")]
  [registry where event.type in ("creation", "change") and
-     wildcard(registry.path, "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb")]
+    registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb"]
 '''


@@ -46,4 +46,3 @@ reference = "https://attack.mitre.org/techniques/T1546/011/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/18"
 maturity = "production"
-updated_date = "2020/01/28"
+updated_date = "2021/02/04"

 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Pe
 type = "eql"

 query = '''
-registry where wildcard(registry.path, "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\")
+registry where registry.path : "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\"
 '''


@@ -20,10 +20,13 @@ type = "eql"

 query = '''
 file where event.type != "deletion" and
- wildcard(file.extension,"wll","xll","ppa","ppam","xla","xlam") and
- wildcard(file.path, "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*",
-                     "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*",
-                     "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*")
+ file.extension : ("wll","xll","ppa","ppam","xla","xlam") and
+ file.path :
+    (
+    "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*",
+    "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*",
+    "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*"
+    )
 '''


@@ -39,4 +42,3 @@ reference = "https://attack.mitre.org/techniques/T1137/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
@@ -24,7 +24,7 @@ type = "eql"

 query = '''
 file where event.type != "deletion" and
- wildcard(file.path, "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM")
+ file.path : "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM"
 '''


@@ -40,4 +40,3 @@ reference = "https://attack.mitre.org/techniques/T1137/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
@@ -22,10 +22,10 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started", "info") and process.name == "Clipup.exe" and 
-process.executable != "C:\\Windows\\System32\\ClipUp.exe" and process.parent.name == "dllhost.exe" and
- /* CLSID of the Elevated COM Interface IEditionUpgradeManager */
- wildcard(process.parent.args,"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}")
+process where event.type in ("start", "process_started") and process.name : "Clipup.exe" and
+  not process.executable : "C:\\Windows\\System32\\ClipUp.exe" and process.parent.name : "dllhost.exe" and
+  /* CLSID of the Elevated COM Interface IEditionUpgradeManager */
+  process.parent.args : "/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}"
 '''


@@ -46,4 +46,3 @@ reference = "https://attack.mitre.org/techniques/T1548/002/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
@@ -22,9 +22,9 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started", "info") and
- wildcard(process.executable, "C:\\*\\AppData\\*\\Temp\\IDC*.tmp\\*.exe") and
- process.parent.name == "ieinstal.exe" and process.parent.args == "-Embedding"
+process where event.type in ("start", "process_started") and
+ process.executable : "C:\\*\\AppData\\*\\Temp\\IDC*.tmp\\*.exe" and
+ process.parent.name : "ieinstal.exe" and process.parent.args : "-Embedding"

 /* uncomment once in winlogbeat */
 /* and not (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) */
@@ -48,4 +48,3 @@ reference = "https://attack.mitre.org/techniques/T1548/002/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-