[Rule Tuning] Windows DR Tuning - 7 (#3344)

* [Rule Tuning] Windows Rule Tuning -1 * Update command_and_control_ingress_transfer_bits.toml
2023-12-18 14:27:55 -03:00
parent 91a757a018
commit 2f468ddcba
5 changed files with 17 additions and 9 deletions
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/13"
+updated_date = "2023/12/12"

 [rule]
 author = ["Elastic"]
@@ -72,7 +72,9 @@ event.category:process and host.os.type:windows and
  powershell.file.script_block_text : "New-MailboxExportRequest" and
  not (
    file.path : (
-      ?\:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*
+      ?\:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\* or
+      ?\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1* or
+      ?\:\\\\Windows\\\\TEMP\\\\tmp_????????.???\\\\tmp_????????.???.ps?1*
    ) and file.name:(*.psd1 or *.psm1)
  )
 '''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/22"
+updated_date = "2023/12/13"

 [rule]
 author = ["Elastic"]
@@ -39,6 +39,7 @@ file where host.os.type == "windows" and event.action == "rename" and
  not file.path : (
        "?:\\Users\\*\\AppData\\Local\\Temp*\\wct*.tmp",
        "?:\\Users\\*\\AppData\\Local\\Adobe\\ARM\\*\\RdrServicesUpdater*.exe",
+        "?:\\Users\\*\\AppData\\Local\\Adobe\\ARM\\*\\AcroServicesUpdater2_x64.exe",
        "?:\\Users\\*\\AppData\\Local\\Docker Desktop Installer\\update-*.exe"
  )
 '''
@@ -4,7 +4,7 @@ maturity = "production"
 integration = ["endpoint"]
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2023/12/14"

 [rule]
 author = ["Elastic"]
@@ -90,7 +90,10 @@ library where host.os.type == "windows" and process.executable : "?:\\Windows\\S
                "Audinate Pty Ltd",
                "CyberArk Software Ltd.",
                "McAfeeSysPrep",
-                "NVIDIA Corporation PE Sign v2016") and
+                "NVIDIA Corporation PE Sign v2016",
+                "Trend Micro, Inc.",
+                "Fortinet Technologies (Canada) Inc.",
+                "Carbon Black, Inc.") and
       dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*", "errorChaining")) and

     not dll.hash.sha256 :
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2023/12/14"

 [rule]
 author = ["Elastic"]
@@ -87,7 +87,8 @@ event.category:process and host.os.type:windows and
    KerberosRequestorSecurityToken
  ) and not user.id : ("S-1-5-18" or "S-1-5-20") and
  not powershell.file.script_block_text : (
-    "sentinelbreakpoints" and ("Set-PSBreakpoint" or "Set-HookFunctionTabs")
+    ("sentinelbreakpoints" and ("Set-PSBreakpoint" or "Set-HookFunctionTabs")) or
+    ("function global" and "\\windows\\sentinel\\4")
  )
 '''

@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/12/14"

 [rule]
 author = ["Elastic", "Anabella Cristaldi"]
@@ -56,7 +56,8 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.action:("audit-log-cleared" or "Log clear") and winlog.api:"wineventlog"
+event.action:("audit-log-cleared" or "Log clear") and winlog.api:"wineventlog" and
+  not winlog.provider_name:"AD FS Auditing"
 '''