From 35589e47a7ba9a391b692faaa99eee4947fb84b5 Mon Sep 17 00:00:00 2001
From: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Date: Thu, 14 Dec 2023 09:21:46 -0900
Subject: [PATCH] [Rule Tuning] Optimize query for Direct Outbound SMB Connection (#3329)

* [Rule Tuning] Optimize query for Direct Outbound SMB Connection

---------

Co-authored-by: brokensound77
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit a7b9a61942ecca9d955e9d3cc497e585e4b27523)
---
 ...vement_direct_outbound_smb_connection.toml | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
index 776590723..3e9263f4f 100644
--- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
+++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/12/13"
 
 [transform]
 [[transform.osquery]]
@@ -101,13 +101,17 @@ tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic
 type = "eql"
 query = '''
-sequence by process.entity_id
- [process where host.os.type == "windows" and event.type == "start" and process.pid != 4 and
- not (process.executable : "D:\\EnterpriseCare\\tools\\jre.1\\bin\\java.exe" and process.args : "com.emeraldcube.prism.launcher.Invoker") and
- not (process.executable : "C:\\Docusnap 11\\Tools\\nmap\\nmap.exe" and process.args : "smb-os-discovery.nse") and
+sequence by process.entity_id with maxspan=2m
+ [process where host.os.type == "windows" and event.type == "start" and process.pid != 4 and
+ not user.id : ("S-1-5-19", "S-1-5-20") and
+ not (process.code_signature.trusted == true and not process.code_signature.subject_name : ("Microsoft*", "Famatech Corp.", "Insecure.Com LLC")) and
+ not (process.name : "powershell.exe" and process.args : "?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_*.ps1") and
+ not (process.executable : "?:\\EnterpriseCare\\tools\\*\\bin\\java.exe" and process.args : "com.*.launcher.Invoker") and
+ not (process.executable : "?:\\Docusnap*\\Tools\\*\\nmap.exe" and process.args : "smb-os-discovery.nse") and
 not process.executable :
- ("?:\\Program Files\\SentinelOne\\Sentinel Agent *\\Ranger\\SentinelRanger.exe",
- "?:\\Program Files\\Ivanti\\Security Controls\\ST.EngineHost.exe",
+ ("?:\\Program Files\\*.exe",
+ "?:\\Program Files (x86)\\*.exe",
+ "?:\\Windows\\ProPatches\\Installation\\InstallationSandbox*\\stdeploy.exe",
 "?:\\Program Files (x86)\\Fortinet\\FSAE\\collectoragent.exe",
 "?:\\Program Files (x86)\\Nmap\\nmap.exe",
 "?:\\Program Files\\Azure Advanced Threat Protection Sensor\\*\\Microsoft.Tri.Sensor.exe",
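Review bot: The two new wildcard exclusions `"?:\\Program Files\\*.exe"` and `"?:\\Program Files (x86)\\*.exe"` appear to subsume the path-specific entries kept below them (Fortinet, Nmap, Azure ATP Sensor and, in the next hunk, Rumble), since `*` in an EQL `:` pattern spans directory separators; those entries look dead now, so the tuple should either be trimmed to the non-Program Files paths or the wildcards narrowed to the directories that actually produced noise. Excluding every executable under Program Files, together with the new carve-out for any `process.code_signature.trusted == true` binary whose subject is not Microsoft, Famatech or Insecure.Com, moves the rule from an allow-list of named agents to broad trust in install location and signer; that is a defensible tuning trade-off, but it should be recorded in the rule's `note` or description so analysts know which process populations are no longer in scope. The hunk header's line count also suggests one context line is not visible in this rendering, and the `sequence` body continues in the next hunk.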
@@ -117,6 +121,7 @@ sequence by process.entity_id
 "?:\\Program Files\\Rumble\\rumble-agent-*.exe")]
 [network where host.os.type == "windows" and destination.port == 445 and process.pid != 4 and
 not cidrmatch(destination.ip, "127.0.0.1", "::1")]
+until [process where host.os.type == "windows" and event.type == "end"]
 '''