[Tuning] Lateral Movement Rules (#4736)

* Update lateral_movement_incoming_winrm_shell_execution.toml

* Update execution_suspicious_cmd_wmi.toml

* Update lateral_movement_incoming_wmi.toml

* Update lateral_movement_powershell_remoting_target.toml

* Update lateral_movement_incoming_wmi.toml

* Update execution_suspicious_cmd_wmi.toml

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Samirbous
2025-05-21 15:59:45 +01:00
committed by GitHub
parent 22cf1f0ced
commit 2c2b3e7d12
4 changed files with 13 additions and 13 deletions
@@ -2,7 +2,7 @@
creation_date = "2020/10/19"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/05/20"
[rule]
author = ["Elastic"]
@@ -64,9 +64,9 @@ references = [
"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
"https://www.elastic.co/security-labs/operation-bleeding-bear",
]
risk_score = 47
risk_score = 73
rule_id = "12f07955-1674-44f7-86b5-c35da0a6f41a"
severity = "medium"
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Windows",
@@ -86,8 +86,9 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
process.parent.name : "WmiPrvSE.exe" and process.name : "cmd.exe" and
process.args : "\\\\127.0.0.1\\*" and process.args : ("2>&1", "1>")
process.parent.name : "WmiPrvSE.exe" and process.name : "cmd.exe" and process.args : "/c" and process.args:"/Q" and
process.args : "2>&1" and process.args: "1>" and
process.args : ("C:\\windows\\temp\\*.txt", "\\Windows\\Temp\\*", "-encodehex", "\\\\127.0.0.1\\C$\\Windows\\Temp\\*", "\\\\127.0.0.1\\ADMIN$\\__*.*")
'''
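Review bot: The rewritten query at L50–L52 ANDs five separate `process.args` conditions (`/c`, `/Q`, `2>&1`, `1>`, plus one of the listed output paths), which pins the rule to one tool's default command line, so a single changed argument drops the match silently while the earlier hunk in this file raises `risk_score` to 73 and `severity` to "high" on the strength of that precision. That tradeoff belongs in the rule itself rather than only in the commit: EQL accepts block comments inside the query (the third file section uses `/* ... */`), so a line such as `/* tuned to the default remote-shell redirection pattern; a custom output path is out of scope */` above `process where` would record it, or the same sentence can go in the rule's `note` field outside this hunk. The spacing around `:` is also inconsistent within the new lines, `process.args:"/Q"` and `process.args: "1>"` next to `process.args : "/c"`; normalizing to `process.args : "/Q"` and `process.args : "1>"` matches the rest of the query.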
@@ -2,7 +2,7 @@
creation_date = "2020/11/24"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/05/20"
[rule]
author = ["Elastic"]
@@ -78,7 +78,7 @@ type = "eql"
query = '''
sequence by host.id with maxspan=30s
[network where host.os.type == "windows" and process.pid == 4 and network.direction : ("incoming", "ingress") and
destination.port in (5985, 5986) and network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"]
destination.port in (5985, 5986) and source.ip != "127.0.0.1" and source.ip != "::1"]
[process where host.os.type == "windows" and
event.type == "start" and process.parent.name : "winrshost.exe" and not process.executable : "?:\\Windows\\System32\\conhost.exe"]
'''
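Review bot: Dropping `network.protocol == "http"` from the network step at L67 is not explained in the hunk, and the same edit appears in the last file section (L103); the likely reason is that connections on 5986 are TLS and would never be decoded as `http`, so the old clause quietly excluded HTTPS WinRM, and that should be written down so a later tuning pass does not reintroduce it. EQL allows block comments inside the query (the third section uses `/* ... */`), so one line above the `[network where` step would suffice: `/* no network.protocol filter: 5986 is TLS and is not decoded as http */`. The rule's `description` and `false_positives` fields are outside this hunk, so check that they do not still describe the rule as matching HTTP only.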
@@ -2,7 +2,7 @@
creation_date = "2020/11/15"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/05/20"
[rule]
author = ["Elastic"]
@@ -69,13 +69,12 @@ tags = [
type = "eql"
query = '''
sequence by host.id with maxspan = 2s
sequence by host.id with maxspan = 20s
/* Accepted Incoming RPC connection by Winmgmt service */
[network where host.os.type == "windows" and process.name : "svchost.exe" and network.direction : ("incoming", "ingress") and
source.ip != "127.0.0.1" and source.ip != "::1" and source.port >= 49152 and destination.port >= 49152
]
source.ip != "127.0.0.1" and source.ip != "::1" and destination.port == 135]
/* Excluding Common FPs Nessus and SCCM */
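Review bot: The unchanged comment `/* Accepted Incoming RPC connection by Winmgmt service */` at L84 no longer describes the step beneath it: with `destination.port == 135` at L88 the accepted connection is to the RPC endpoint mapper hosted in `svchost.exe`, which any DCOM/RPC client contacts first, not something specific to the Winmgmt service. Suggest `/* Incoming connection to the RPC endpoint mapper (135) in svchost.exe; WMI-specific filtering is done by the later steps */`. Widening `maxspan` from 2s to 20s and replacing the `>= 49152` port pair with a single port also makes this first step match far more ordinary RPC traffic, so the precision now rests on the FP exclusions and process step that follow, which lie outside this hunk and are not visible here.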
@@ -2,7 +2,7 @@
creation_date = "2020/11/24"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/05/20"
[rule]
author = ["Elastic"]
@@ -82,7 +82,7 @@ type = "eql"
query = '''
sequence by host.id with maxspan = 30s
[network where host.os.type == "windows" and network.direction : ("incoming", "ingress") and destination.port in (5985, 5986) and
network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"]
source.ip != "127.0.0.1" and source.ip != "::1"]
[process where host.os.type == "windows" and
event.type == "start" and process.parent.name : "wsmprovhost.exe" and not process.executable : "?:\\Windows\\System32\\conhost.exe"]
'''
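Review bot: The network step at L101–L103 carries no `process.pid == 4` constraint, whereas the sibling WinRM rule in the second file section (L65) pins the same 5985/5986 listener to the System process; with `network.protocol == "http"` now removed from both, this rule's first step matches any inbound connection to those ports regardless of which process accepted it. If the listener is the kernel HTTP driver here as well, adding `process.pid == 4 and` before `network.direction` aligns the two rules; if it was left out deliberately, a `/* ... */` comment in the query saying why would keep the next tuning pass from "fixing" it. The `wsmprovhost.exe` process step and the rest of the rule are unchanged by this hunk.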