From 236c630c9032056487c8b9d8d7ddc09dfd3521cb Mon Sep 17 00:00:00 2001
From: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Date: Thu, 4 Feb 2021 10:23:32 -0500
Subject: [PATCH] [Rule Tuning] Update rules using case sensitive wildcard function (#904)
* update rules using case sensitive wildcard function
* add appropriate spacing
* Apply suggestions from code review
Co-authored-by: Justin Ibarra
* update ==
* Apply suggestions from code review
* remove info update index
* Update defense_evasion_deletion_of_bash_command_line_history.toml
* Update persistence_evasion_hidden_local_account_creation.toml
Co-authored-by: Justin Ibarra
---
 ...deletion_of_bash_command_line_history.toml | 12 +--
 .../defense_evasion_timestomp_touch.toml | 5 +-
 ...ommand_and_control_common_webservices.toml | 76 ++++++++++---------
 .../command_and_control_iexplore_via_com.toml | 20 ++---
 ..._evasion_sdelete_like_filename_rename.toml | 3 +-
 ...defense_evasion_suspicious_wmi_script.toml | 7 +-
 .../windows/execution_suspicious_cmd_wmi.toml | 5 +-
 .../windows/lateral_movement_cmd_service.toml | 14 +---
 .../lateral_movement_rdp_tunnel_plink.toml | 8 +-
 .../windows/persistence_app_compat_shim.toml | 7 +-
 ...evasion_hidden_local_account_creation.toml | 4 +-
 .../persistence_ms_office_addins_file.toml | 12 +--
 .../persistence_ms_outlook_vba_template.toml | 3 +-
 ...lege_escalation_uac_bypass_com_clipup.toml | 9 +--
 ...ge_escalation_uac_bypass_com_ieinstal.toml | 7 +-
 15 files changed, 93 insertions(+), 99 deletions(-)
diff --git a/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
index 7f7854151..d5b7e5222 100644
--- a/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
+++ b/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/04"
 maturity = "production"
-updated_date = "2020/12/22"
+updated_date = "2021/02/04"
 [rule]
 author = ["Elastic"]
@@ -23,11 +23,11 @@ type = "eql"
 query = '''
 process where event.type in ("start", "process_started") and
 (
- (process.name in ("rm", "echo") and wildcard(process.args, ".bash_history", "/root/.bash_history", "/home/*/.bash_history")) or
- (process.name == "history" and process.args == "-c") or
- (process.name == "export" and process.args in ("HISTFILE=/dev/null", "HISTFILESIZE=0")) or
- (process.name == "unset" and process.args == "HISTFILE") or
- (process.name == "set" and process.args == "history" and process.args == "+o")
+ (process.name : ("rm", "echo") and process.args : (".bash_history", "/root/.bash_history", "/home/*/.bash_history")) or
+ (process.name : "history" and process.args : "-c") or
+ (process.name : "export" and process.args : ("HISTFILE=/dev/null", "HISTFILESIZE=0")) or
+ (process.name : "unset" and process.args : "HISTFILE") or
+ (process.name : "set" and process.args : "history" and process.args : "+o")
 )
 '''
diff --git a/rules/linux/defense_evasion_timestomp_touch.toml b/rules/linux/defense_evasion_timestomp_touch.toml
index 18e67aa37..538e83340 100644
--- a/rules/linux/defense_evasion_timestomp_touch.toml
+++ b/rules/linux/defense_evasion_timestomp_touch.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2020/12/09"
+updated_date = "2021/01/21"
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ type = "eql"
 query = '''
 process where event.type in ("start", "process_started") and
- process.name == "touch" and wildcard(process.args, "-r", "-t", "-a*","-m*")
+ process.name : "touch" and process.args : ("-r", "-t", "-a*","-m*")
 '''
@@ -43,4 +43,3 @@ reference = "https://attack.mitre.org/techniques/T1070/006/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
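Review bot: The rewrite to `process.name : ("rm", "echo")` and `process.args : (".bash_history", ...)` replaces the case-sensitive wildcard() call (as the commit title says) with the case-insensitive `:` operator, which on Linux, where names and paths are case-sensitive, slightly widens what the rule matches; the same applies to the `touch` hunk in defense_evasion_timestomp_touch.toml. That is probably acceptable noise, but a short comment in the query would stop the next tuner from assuming `:` is exact, e.g. `/* ':' is case-insensitive; exact-case matching is not required here */`. Separately, the `export`, `unset` and `set` branches match on process.name, which only fires if the data source reports those shell builtins as separate process starts; whether it does is not visible from this hunk, so it is worth confirming before relying on those branches.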
diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml
index 7e1d68135..efe91f0ab 100644
--- a/rules/windows/command_and_control_common_webservices.toml
+++ b/rules/windows/command_and_control_common_webservices.toml
@@ -24,41 +24,46 @@ type = "eql"
 query = '''
 network where network.protocol == "dns" and
- /* Add new WebSvc domains here */
- wildcard(dns.question.name, "*.githubusercontent.*",
- "*.pastebin.*",
- "*drive.google.*",
- "*docs.live.*",
- "*api.dropboxapi.*",
- "*dropboxusercontent.*",
- "*onedrive.*",
- "*4shared.*",
- "*.file.io",
- "*filebin.net",
- "*slack-files.com",
- "*ghostbin.*",
- "*ngrok.*",
- "*portmap.*",
- "*serveo.net",
- "*localtunnel.me",
- "*pagekite.me",
- "*localxpose.io",
- "*notabug.org"
- ) and
- /* Insert noisy false positives here */
- not process.name in ("MicrosoftEdgeCP.exe",
- "MicrosoftEdge.exe",
- "iexplore.exe",
- "chrome.exe",
- "msedge.exe",
- "opera.exe",
- "firefox.exe",
- "Dropbox.exe",
- "slack.exe",
- "svchost.exe",
- "thunderbird.exe",
- "outlook.exe",
- "OneDrive.exe")
+ /* Add new WebSvc domains here */
+ dns.question.name :
+ (
+ "*.githubusercontent.*",
+ "*.pastebin.*",
+ "*drive.google.*",
+ "*docs.live.*",
+ "*api.dropboxapi.*",
+ "*dropboxusercontent.*",
+ "*onedrive.*",
+ "*4shared.*",
+ "*.file.io",
+ "*filebin.net",
+ "*slack-files.com",
+ "*ghostbin.*",
+ "*ngrok.*",
+ "*portmap.*",
+ "*serveo.net",
+ "*localtunnel.me",
+ "*pagekite.me",
+ "*localxpose.io",
+ "*notabug.org"
+ ) and
+ /* Insert noisy false positives here */
+ not process.name :
+ (
+ "MicrosoftEdgeCP.exe",
+ "MicrosoftEdge.exe",
+ "iexplore.exe",
+ "chrome.exe",
+ "msedge.exe",
+ "opera.exe",
+ "firefox.exe",
+ "Dropbox.exe",
+ "slack.exe",
+ "svchost.exe",
+ "thunderbird.exe",
+ "outlook.exe",
+ "OneDrive.exe"
+ )
 '''
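Review bot: The new `not process.name : (...)` exclusion still keys only on the process name, so any process running under one of the excluded names is dropped before the DNS pattern is evaluated, and `svchost.exe` in particular is a very broad exclusion for a rule about command and control over web services. Consider tying the exclusion to a signature or path rather than the bare name, e.g. `not (process.name : "chrome.exe" and process.code_signature.trusted == true)`, using the same `process.code_signature.*` fields the ieinstal rule in this commit already references in its commented-out clause. Whether those fields are populated for every index this rule reads is not visible in the hunk, so check that before tightening. The `:` operator is case-insensitive, so the mixed-case entries such as `Dropbox.exe` and `OneDrive.exe` are fine as written.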
@@ -74,4 +79,3 @@ reference = "https://attack.mitre.org/techniques/T1102/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml
index 506a063e1..aae58f98a 100644
--- a/rules/windows/command_and_control_iexplore_via_com.toml
+++ b/rules/windows/command_and_control_iexplore_via_com.toml
@@ -23,15 +23,18 @@ type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan = 1s
- [process where event.type:"start" and process.parent.name:"iexplore.exe" and process.parent.args:"-Embedding"]
+ [process where event.type == "start" and process.parent.name : "iexplore.exe" and process.parent.args : "-Embedding"]
 /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */
- [network where network.protocol : "dns" and process.name:"iexplore.exe" and
- not wildcard(dns.question.name, "*.microsoft.com",
- "*.digicert.com",
- "*.msocsp.com",
- "*.windowsupdate.com",
- "*.bing.com",
- "*.identrust.com")
+ [network where network.protocol == "dns" and process.name : "iexplore.exe" and
+ not dns.question.name :
+ (
+ "*.microsoft.com",
+ "*.digicert.com",
+ "*.msocsp.com",
+ "*.windowsupdate.com",
+ "*.bing.com",
+ "*.identrust.com"
+ )
 ]
 '''
@@ -48,4 +51,3 @@ reference = "https://attack.mitre.org/techniques/T1071/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
index f0910331f..2bc41c086 100644
--- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
+++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
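Review bot: `event.type == "start"` on the first step of the sequence is an exact, case-sensitive match for `start` only, while every other process rule touched in this commit uses `event.type in ("start", "process_started")`; events that carry `process_started` would fail the first step, which silently suppresses the whole sequence rather than just one clause. Unless this rule is deliberately scoped to a single data source, `[process where event.type in ("start", "process_started") and process.parent.name : "iexplore.exe" and process.parent.args : "-Embedding"]` would keep it consistent with its siblings. The rule's index list is outside this hunk, so check it against that before changing the condition.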
@@ -22,7 +22,7 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "eql"
 query = '''
-file where event.type == "change" and wildcard(file.name,"*AAA.AAA")
+file where event.type == "change" and file.name : "*AAA.AAA"
 '''
@@ -43,4 +43,3 @@ reference = "https://attack.mitre.org/techniques/T1070/004/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml
index e8da57355..82e258ba7 100644
--- a/rules/windows/defense_evasion_suspicious_wmi_script.toml
+++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/01/20"
+updated_date = "2021/01/21"
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies WMIC whitelisting bypass techniques by alerting on suspicious executi
 libraries it may be indicative of a whitelist bypass.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
 name = "Suspicious WMIC XSL Script Execution"
@@ -21,7 +21,7 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "eql"
 query = '''
-sequence by process.entity_id with maxspan=2m
+sequence by process.entity_id with maxspan = 2m
 [process where event.type in ("start", "process_started") and
 (process.name : "WMIC.exe" or process.pe.original_file_name : "wmic.exe") and
 process.args : ("format*:*", "/format*:*", "*-format*:*") and
@@ -42,4 +42,3 @@ reference = "https://attack.mitre.org/techniques/T1220/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml
index dc4cf8e1f..5e6af2304 100644
--- a/rules/windows/execution_suspicious_cmd_wmi.toml
+++ b/rules/windows/execution_suspicious_cmd_wmi.toml
@@ -22,8 +22,8 @@ type = "eql"
 query = '''
 process where event.type in ("start", "process_started") and
- process.parent.name == "WmiPrvSE.exe" and process.name == "cmd.exe" and
- wildcard(process.args, "\\\\127.0.0.1\\*") and process.args in ("2>&1", "1>")
+ process.parent.name : "WmiPrvSE.exe" and process.name : "cmd.exe" and
+ process.args : "\\\\127.0.0.1\\*" and process.args : ("2>&1", "1>")
 '''
@@ -39,4 +39,3 @@ reference = "https://attack.mitre.org/techniques/T1047/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml
index 699681a6e..39308c844 100644
--- a/rules/windows/lateral_movement_cmd_service.toml
+++ b/rules/windows/lateral_movement_cmd_service.toml
@@ -21,16 +21,11 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
 type = "eql"
 query = '''
-sequence by process.entity_id with maxspan=1m
+sequence by process.entity_id with maxspan = 1m
 [process where event.type in ("start", "process_started") and
- /* uncomment once in winlogbeat */
- (process.name == "sc.exe" /* or process.pe.original_file_name == "sc.exe" */ ) and
- /* case insensitive */
- wildcard(process.args, "\\\\*") and wildcard(process.args, "binPath=*", "binpath=*") and
- (process.args : "create" or
- process.args : "config" or
- process.args : "failure" or
- process.args : "start")]
+ (process.name : "sc.exe" or process.pe.original_file_name : "sc.exe") and
+ process.args : "\\\\*" and process.args : ("binPath=*", "binpath=*") and
+ process.args : ("create", "config", "failure", "start")]
 [network where process.name : "sc.exe" and destination.ip != "127.0.0.1"]
 '''
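Review bot: Now that the `:` operator is used, `process.args : ("binPath=*", "binpath=*")` lists the same case-insensitive pattern twice; the second entry only made sense against the case-sensitive wildcard() it replaces, and with the `/* case insensitive */` comment gone the duplicate reads as if the two spellings still mattered. `process.args : "binpath=*"` covers both and makes the intent clear. The hunk also switches on `process.pe.original_file_name : "sc.exe"`, which the removed comment had gated on Winlogbeat availability; the rule's index list is outside this hunk, so confirm it now includes a source that populates that field, otherwise the clause is harmless but dead.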
@@ -81,4 +76,3 @@ reference = "https://attack.mitre.org/techniques/T1569/002/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/windows/lateral_movement_rdp_tunnel_plink.toml b/rules/windows/lateral_movement_rdp_tunnel_plink.toml
index dea64cab9..d013e33af 100644
--- a/rules/windows/lateral_movement_rdp_tunnel_plink.toml
+++ b/rules/windows/lateral_movement_rdp_tunnel_plink.toml
@@ -22,9 +22,10 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
 type = "eql"
 query = '''
-process where event.type in ("start", "process_started", "info") and
-/* RDP port and usual SSH tunneling related switches in commandline */
-wildcard(process.args, "*:3389") and wildcard(process.args,"-L", "-P", "-R", "-pw", "-ssh")
+process where event.type in ("start", "process_started") and
+ /* RDP port and usual SSH tunneling related switches in command line */
+ process.args : "*:3389" and
+ process.args : ("-L", "-P", "-R", "-pw", "-ssh")
 '''
@@ -40,4 +41,3 @@ reference = "https://attack.mitre.org/techniques/T1021/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml
index 58a9ce856..1f154763c 100644
--- a/rules/windows/persistence_app_compat_shim.toml
+++ b/rules/windows/persistence_app_compat_shim.toml
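Review bot: Moving the switch list to `process.args : ("-L", "-P", "-R", "-pw", "-ssh")` makes it case-insensitive, so `-L` now also matches `-l` (the login-name switch in plink and ssh) and `-P` also matches `-p`; the old wildcard() call was case-sensitive and only matched the tunneling switches, so this step loses some precision and may add noise from ordinary `-l user host:3389` style invocations. If exact switches are wanted, `process.args in ("-L", "-P", "-R", "-pw", "-ssh")` keeps case-sensitive matching (this commit's bash-history hunk shows `in` being used on process.args), while the `*:3389` port pattern still needs `:`. If the loosening is intended, a note in the comment line, e.g. `/* switch match is case-insensitive */`, would document it.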
@@ -21,11 +21,11 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
 type = "eql"
 query = '''
-sequence by process.entity_id with maxspan=5m
+sequence by process.entity_id with maxspan = 5m
 [process where event.type in ("start", "process_started") and
- not (process.name : "sdbinst.exe" and process.parent.name : "msiexec.exe")]
+ not (process.name : "sdbinst.exe" and process.parent.name : "msiexec.exe")]
 [registry where event.type in ("creation", "change") and
- wildcard(registry.path, "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb")]
+ registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb"]
 '''
@@ -46,4 +46,3 @@ reference = "https://attack.mitre.org/techniques/T1546/011/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
index f10112484..7aa8dd579 100644
--- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml
+++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/18"
 maturity = "production"
-updated_date = "2020/01/28"
+updated_date = "2021/02/04"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Pe
 type = "eql"
 query = '''
-registry where wildcard(registry.path, "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\")
+registry where registry.path : "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\"
 '''
diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml
index c77ac9224..1cce7da22 100644
--- a/rules/windows/persistence_ms_office_addins_file.toml
+++ b/rules/windows/persistence_ms_office_addins_file.toml
@@ -20,10 +20,13 @@ type = "eql"
 query = '''
 file where event.type != "deletion" and
- wildcard(file.extension,"wll","xll","ppa","ppam","xla","xlam") and
- wildcard(file.path, "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*",
- "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*",
- "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*")
+ file.extension : ("wll","xll","ppa","ppam","xla","xlam") and
+ file.path :
+ (
+ "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*",
+ "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*",
+ "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*"
+ )
 '''
@@ -39,4 +42,3 @@ reference = "https://attack.mitre.org/techniques/T1137/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml
index da98ec8e0..2a57b1903 100644
--- a/rules/windows/persistence_ms_outlook_vba_template.toml
+++ b/rules/windows/persistence_ms_outlook_vba_template.toml
@@ -24,7 +24,7 @@ type = "eql"
 query = '''
 file where event.type != "deletion" and
- wildcard(file.path, "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM")
+ file.path : "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM"
 '''
@@ -40,4 +40,3 @@ reference = "https://attack.mitre.org/techniques/T1137/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
index 66ae4c810..1cd851228 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
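Review bot: The new list `file.extension : ("wll","xll","ppa","ppam","xla","xlam")` has no space after the commas, unlike the other value lists this commit reformats, such as `("create", "config", "failure", "start")` in lateral_movement_cmd_service.toml; the `("-r", "-t", "-a*","-m*")` list in defense_evasion_timestomp_touch.toml mixes both. Since the commit message calls out "add appropriate spacing", `file.extension : ("wll", "xll", "ppa", "ppam", "xla", "xlam")` would keep the style uniform across the touched rules. Behaviour is unaffected either way.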
@@ -22,10 +22,10 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"
 type = "eql"
 query = '''
-process where event.type in ("start", "process_started", "info") and process.name == "Clipup.exe" and
-process.executable != "C:\\Windows\\System32\\ClipUp.exe" and process.parent.name == "dllhost.exe" and
- /* CLSID of the Elevated COM Interface IEditionUpgradeManager */
- wildcard(process.parent.args,"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}")
+process where event.type in ("start", "process_started") and process.name : "Clipup.exe" and
+ not process.executable : "C:\\Windows\\System32\\ClipUp.exe" and process.parent.name : "dllhost.exe" and
+ /* CLSID of the Elevated COM Interface IEditionUpgradeManager */
+ process.parent.args : "/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}"
 '''
@@ -46,4 +46,3 @@ reference = "https://attack.mitre.org/techniques/T1548/002/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
index 48f7816be..d956d12ff 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
@@ -22,9 +22,9 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"
 type = "eql"
 query = '''
-process where event.type in ("start", "process_started", "info") and
- wildcard(process.executable, "C:\\*\\AppData\\*\\Temp\\IDC*.tmp\\*.exe") and
- process.parent.name == "ieinstal.exe" and process.parent.args == "-Embedding"
+process where event.type in ("start", "process_started") and
+ process.executable : "C:\\*\\AppData\\*\\Temp\\IDC*.tmp\\*.exe" and
+ process.parent.name : "ieinstal.exe" and process.parent.args : "-Embedding"
 /* uncomment once in winlogbeat */
 /* and not (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) */
@@ -48,4 +48,3 @@ reference = "https://attack.mitre.org/techniques/T1548/002/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
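Review bot: The new side leaves the `/* uncomment once in winlogbeat */` code-signature exclusion commented out, while lateral_movement_cmd_service.toml in this same commit drops its matching "uncomment once in winlogbeat" note and enables `process.pe.original_file_name`; the two rules now disagree on whether Winlogbeat-backed fields are considered available. If they are, the `not (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)` clause here could be enabled in the same pass; if not, the comment should say what is still blocking it so it is not mistaken for dead text. The query block continues past the last changed line, so the closing `'''` is outside this hunk.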