From 3f2a709370391390c8f53fcc8302fedfc89ca091 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Wed, 11 Oct 2023 17:57:32 -0300
Subject: [PATCH] [Rule Tuning] PowerShell Rules Tuning (#3169)

---
 .../collection_mailbox_export_winlog.toml | 9 ++++--
 .../collection_posh_clipboard_capture.toml | 22 ++++++++-----
 rules/windows/collection_posh_mailbox.toml | 4 +--
 ...credential_access_posh_request_ticket.toml | 6 ++--
 .../defense_evasion_posh_compressed.toml | 9 +++---
 .../execution_posh_hacktool_functions.toml | 9 +++---
 rules/windows/execution_posh_psreflect.toml | 6 ++--
 ...e_escalation_posh_token_impersonation.toml | 12 ++++---
 .../collection_posh_compression.toml | 10 ++++--
 ..._evasion_powershell_clear_logs_script.toml | 5 ++-
 .../discovery_posh_generic.toml | 31 ++++++++++++-------
 .../lateral_movement_posh_winrm_activity.toml | 10 +++++-
 12 files changed, 86 insertions(+), 47 deletions(-)

diff --git a/rules/windows/collection_mailbox_export_winlog.toml b/rules/windows/collection_mailbox_export_winlog.toml
index 2cf82c64e..7c12a1ffc 100644
--- a/rules/windows/collection_mailbox_export_winlog.toml
+++ b/rules/windows/collection_mailbox_export_winlog.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/05"
+updated_date = "2023/10/11"
 [rule]
 author = ["Elastic"]
@@ -70,8 +70,11 @@ type = "query"
 query = '''
 event.category:process and host.os.type:windows and
 powershell.file.script_block_text : "New-MailboxExportRequest" and
- not (file.path : (*Microsoft* and *Exchange* and *RemotePowerShell* or *AppData* and *Local*) and
- file.name:(*.psd1 or *.psm1))
+ not (
+ file.path : (
+ ?\:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*
+ ) and file.name:(*.psd1 or *.psm1)
+ )
 '''
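Review bot: The rebuilt exclusion suppresses any `*.psd1`/`*.psm1` under `?\:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*`, so the carve-out rests entirely on a per-user profile path rather than on any property of the module itself; that is tighter than the removed `*AppData* and *Local*` clause, but it is still a path-only trust decision. The rule's `false_positives`/`note` text is not touched by the commit, so a reader of the rule has no record of why Exchange Remote PowerShell module imports land in that directory; a one-line entry such as `Exchange Remote PowerShell module files (.psd1/.psm1) loaded from the user's roaming profile` would keep the exclusion explainable. The `query` string starts on `query = '''` inside the hunk; the rest of the rule body is outside it.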
diff --git a/rules/windows/collection_posh_clipboard_capture.toml b/rules/windows/collection_posh_clipboard_capture.toml
index f7e9a2d0e..8c2019cbd 100644
--- a/rules/windows/collection_posh_clipboard_capture.toml
+++ b/rules/windows/collection_posh_clipboard_capture.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/05"
+updated_date = "2023/10/11"
 [rule]
 author = ["Elastic"]
@@ -94,14 +94,20 @@ event.category:process and host.os.type:windows and
 powershell.file.script_block_text : (
 "]::GetText" or ".Paste()"
- )) or powershell.file.script_block_text : "Get-Clipboard"
- and not powershell.file.script_block_text : (
+ )) or powershell.file.script_block_text : "Get-Clipboard" and
+ not powershell.file.script_block_text : (
 "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
- )
- and not user.id : "S-1-5-18"
- and not file.path : (*WindowsPowerShell*Modules*.psd1 or *WindowsPowerShell*Modules*.psm1)
- and not (
- file.path : *WindowsPowerShell*Modules*.ps1 and
+ ) and
+ not user.id : "S-1-5-18" and
+ not file.path : (
+ ?\:\\\\program?files\\\\powershell\\\\?\\\\Modules\\\\*.psd1 or
+ ?\:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\*.psd1 or
+ ?\:\\\\WINDOWS\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\*.psd1 or
+ ?\:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\*.psd1 or
+ ?\:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\*.psm1
+ ) and
+ not (
+ file.path : ?\:\\\\Program?Files\\\\WindowsPowerShell\\\\*Modules*.ps1 and
 file.name : ("Convert-ExcelRangeToImage.ps1" or "Read-Clipboard.ps1")
 )
 '''
diff --git a/rules/windows/collection_posh_mailbox.toml b/rules/windows/collection_posh_mailbox.toml
index cc89a83a2..edc8573fd 100644
--- a/rules/windows/collection_posh_mailbox.toml
+++ b/rules/windows/collection_posh_mailbox.toml
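Review bot: The exclusions placed after `"Get-Clipboard" and` (the `user.id`, module-path and `Read-Clipboard.ps1` clauses) bind only to the `Get-Clipboard` branch, because KQL gives `and` precedence over `or`: the hunk reads `... "]::GetText" or ".Paste()" )) or powershell.file.script_block_text : "Get-Clipboard" and not ...`, so the `]::GetText`/`.Paste()` branch keeps none of the new exclusions unless the group closed by the second `)` already wraps both branches, which cannot be confirmed here because that group opens before the hunk. If it does not, close the two branches before applying the negations, e.g. `)) or powershell.file.script_block_text : "Get-Clipboard") and`, with the matching `(` placed before the first branch above the hunk. The path list also spells the same location twice as `Windows\\\\system32` and `WINDOWS\\\\system32`, which indicates the `file.path` match is case-sensitive, and the `.psm1` entry covers only `Program?Files\\\\WindowsPowerShell\\\\Modules` while `.psd1` covers four roots, so confirm that asymmetry is intended.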
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/28"
+updated_date = "2023/10/11"
 [rule]
 author = ["Elastic"]
@@ -97,7 +97,7 @@ event.category:process and host.os.type:windows and
 "Microsoft.Exchange.WebServices.Data.Folder" or
 "Microsoft.Exchange.WebServices.Data.FileAttachment"
 )
- )
+ ) and not user.id : "S-1-5-18"
 '''
diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml
index 6e562f4ff..60304a4f6 100644
--- a/rules/windows/credential_access_posh_request_ticket.toml
+++ b/rules/windows/credential_access_posh_request_ticket.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/05"
+updated_date = "2023/10/11"
 [rule]
 author = ["Elastic"]
@@ -84,8 +84,8 @@ query = '''
 event.category:process and host.os.type:windows and
 powershell.file.script_block_text : (
 KerberosRequestorSecurityToken
- ) and not user.id : "S-1-5-18"
- and not powershell.file.script_block_text : (
+ ) and not user.id : ("S-1-5-18" or "S-1-5-20") and
+ not powershell.file.script_block_text : (
 "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
 )
 '''
diff --git a/rules/windows/defense_evasion_posh_compressed.toml b/rules/windows/defense_evasion_posh_compressed.toml
index 89c00a98a..97ac8536d 100644
--- a/rules/windows/defense_evasion_posh_compressed.toml
+++ b/rules/windows/defense_evasion_posh_compressed.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/05"
+updated_date = "2023/10/11"
 [transform]
 [[transform.osquery]]
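Review bot: The new `) and not user.id : "S-1-5-18"` suppresses every matching script block logged under SYSTEM with no path or script condition attached, which is a wide blind spot for a rule about Exchange mailbox access; the same unscoped pattern is introduced in credential_access_posh_request_ticket (adds `S-1-5-20`), execution_posh_hacktool_functions (adds `S-1-5-18` and `S-1-5-19` to a rule that matches offensive tool function names) and lateral_movement_posh_winrm_activity (adds `S-1-5-18`). privilege_escalation_posh_token_impersonation in the same PR shows the tighter form, tying the account to a `file.directory`; if a specific agent or scheduled script motivated these, pairing the SID with that script's path, e.g. `not (user.id : "S-1-5-18" and file.path : <PATH_OF_BENIGN_SCRIPT>)`, keeps SYSTEM-context activity elsewhere visible. None of the touched rules update their `false_positives` text to say what the SYSTEM exclusion is for. The group that the changed `)` closes opens before the hunk.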
@@ -138,10 +138,9 @@ event.category:process and host.os.type:windows and
 "IO.Compression.GzipStream"
 ) and FromBase64String
- ) and not
- (user.id:("S-1-5-18" or "S-1-5-19") and
- file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads")
- and not user.id : "S-1-5-18"
+ ) and
+ not file.path: ?\:\\\\ProgramData\\\\Microsoft\\\\Windows?Defender?Advanced?Threat?Protection\\\\Downloads\\\\* and
+ not user.id : "S-1-5-18"
 '''
diff --git a/rules/windows/execution_posh_hacktool_functions.toml b/rules/windows/execution_posh_hacktool_functions.toml
index c80403035..9f8ece14a 100644
--- a/rules/windows/execution_posh_hacktool_functions.toml
+++ b/rules/windows/execution_posh_hacktool_functions.toml
@@ -2,7 +2,7 @@ creation_date = "2023/01/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2023/07/17"
+updated_date = "2023/10/11"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -224,10 +224,11 @@ event.category:process and host.os.type:windows and
 "Invoke-FileTransferOverWMI" or "Invoke-WMImplant" or "Invoke-WMIObfuscatedPSCommand" or "Invoke-WMIDuplicateClass" or "Invoke-WMIUpload" or "Invoke-WMIRemoteExtract" or "Invoke-winPEAS"
- )
- and not powershell.file.script_block_text : (
+ ) and
+ not powershell.file.script_block_text : (
 "sentinelbreakpoints" and "Set-PSBreakpoint"
- )
+ ) and
+ not user.id : ("S-1-5-18" or "S-1-5-19")
 '''
diff --git a/rules/windows/execution_posh_psreflect.toml b/rules/windows/execution_posh_psreflect.toml
index 947263e11..096063ec4 100644
--- a/rules/windows/execution_posh_psreflect.toml
+++ b/rules/windows/execution_posh_psreflect.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/11"
 [transform]
 [[transform.osquery]]
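Review bot: `not file.path: ?\:\\\\ProgramData\\\\Microsoft\\\\Windows?Defender?Advanced?Threat?Protection\\\\Downloads\\\\*` drops the `user.id:("S-1-5-18" or "S-1-5-19")` condition that the removed clause carried, so the Downloads directory is now excluded for every account, while privilege_escalation_posh_token_impersonation in this same PR keeps the account-and-directory pairing. If the intent is still to cover only the Defender for Endpoint service accounts, keep the pair: `not (user.id : ("S-1-5-18" or "S-1-5-19") and file.path : ?\:\\\\ProgramData\\\\Microsoft\\\\Windows?Defender?Advanced?Threat?Protection\\\\Downloads\\\\*) and`. As written, `S-1-5-19` also loses its exclusion entirely, because the trailing `not user.id : "S-1-5-18"` covers only SYSTEM; that may be intended but is not mentioned in the commit message. The `FromBase64String` group this hunk closes opens before the hunk.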
@@ -152,7 +152,9 @@ event.category:process and host.os.type:windows and
 "Reflection.Emit.OpCodes" or "Reflection.Emit.CustomAttributeBuilder" or "Runtime.InteropServices.DllImportAttribute"
- ) and not user.id : "S-1-5-18"
+ ) and
+ not user.id : "S-1-5-18" and
+ not file.path : ?\:\\\\ProgramData\\\\MaaS360\\\\Cloud?Extender\\\\AR\\\\Scripts\\\\ASModuleCommon.ps1*
 '''
diff --git a/rules/windows/privilege_escalation_posh_token_impersonation.toml b/rules/windows/privilege_escalation_posh_token_impersonation.toml
index e86397efb..9212e2a50 100644
--- a/rules/windows/privilege_escalation_posh_token_impersonation.toml
+++ b/rules/windows/privilege_escalation_posh_token_impersonation.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/05"
+updated_date = "2023/10/11"
 [rule]
 author = ["Elastic"]
@@ -73,10 +73,12 @@ event.category:process and host.os.type:windows and
 "CreatePRocessAsUserW" or "CreateProcessAsUserA")
 )
- ) and not
- (user.id:("S-1-5-18" or "S-1-5-19") and
- file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads")
- and not powershell.file.script_block_text : (
+ ) and
+ not (
+ user.id:("S-1-5-18" or "S-1-5-19" or "S-1-5-20") and
+ file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads"
+ ) and
+ not powershell.file.script_block_text : (
 "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
 )
 '''
diff --git a/rules_building_block/collection_posh_compression.toml b/rules_building_block/collection_posh_compression.toml
index 1982b9c30..1d1b3d612 100644
--- a/rules_building_block/collection_posh_compression.toml
+++ b/rules_building_block/collection_posh_compression.toml
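Review bot: `ASModuleCommon.ps1*` matches any name that merely starts with `ASModuleCommon.ps1`, so the trailing `*` widens the exclusion past the single file it appears meant for; `ASModuleCommon.ps1` alone is exact, and discovery_posh_generic's `AADConnector.psm1*` has the same shape. If the `*` is there to absorb a known suffix, the suffix itself would be the better literal. The rule's `note`/`false_positives` text does not mention MaaS360 Cloud Extender, so a reader has to reverse-engineer the path to learn what is being excluded. The group closed by `) and` opens above the hunk.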
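Review bot: The retained `file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads"` is an exact, drive- and case-bound literal, whereas defense_evasion_posh_compressed and collection_posh_compression in this same PR express the same location as `?\:\\\\ProgramData\\\\Microsoft\\\\Windows?Defender?Advanced?Threat?Protection\\\\Downloads...`; presumably the literal form was not matching everything it should, or the two other rules would not have been changed. Aligning it, `file.directory : ?\:\\\\ProgramData\\\\Microsoft\\\\Windows?Defender?Advanced?Threat?Protection\\\\Downloads`, keeps the three rules' exclusion behaviour consistent for the same product. The group closed by the first `) and` opens before the hunk.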
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/18"
+updated_date = "2023/10/11"
 [rule]
@@ -63,7 +63,13 @@ event.category:process and host.os.type:windows and
 "ZipArchiveMode"
 ) or powershell.file.script_block_text : "Compress-Archive"
-) and not file.path : *ProgramData*Microsoft*Windows*Defender*Advanced*Threat*Protection*DataCollection*
+) and
+ not file.path : (
+ ?\:\\\\ProgramData\\\\Microsoft\\\\Windows?Defender?Advanced?Threat?Protection\\\\Downloads\\\\* or
+ ?\:\\\\ProgramData\\\\Microsoft\\\\Windows?Defender?Advanced?Threat?Protection\\\\DataCollection\\\\* or
+ ?\:\\\\Program?Files\\\\Microsoft?Dependency?Agent\\\\plugins\\\\* or
+ ?\:\\\\Program?Files\\\\Azure\\\\StorageSyncAgent\\\\AFSDiag.ps1
+ )
 '''
diff --git a/rules_building_block/defense_evasion_powershell_clear_logs_script.toml b/rules_building_block/defense_evasion_powershell_clear_logs_script.toml
index a14ffedf1..1360e9a62 100644
--- a/rules_building_block/defense_evasion_powershell_clear_logs_script.toml
+++ b/rules_building_block/defense_evasion_powershell_clear_logs_script.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/06"
+updated_date = "2023/10/11"
 [rule]
 author = ["Elastic"]
@@ -55,6 +55,9 @@ event.category:process and host.os.type:windows and
 "Remove-EventLog" or
 ("Eventing.Reader.EventLogSession" and ".ClearLog") or
 ("Diagnostics.EventLog" and ".Clear")
+ ) and
+ not file.path : (
+ ?\:\\\\*\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Management\\\\*.psd1
 )
 '''
diff --git a/rules_building_block/discovery_posh_generic.toml b/rules_building_block/discovery_posh_generic.toml
index 26cda1b53..29a7a9cdd 100644
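Review bot: `?\:\\\\Program?Files\\\\Microsoft?Dependency?Agent\\\\plugins\\\\*` and the two Defender ATP `\\\\*` entries exclude whole directories rather than the specific scripts that produced the false positives, and none of the products now named in the query (Defender for Endpoint, Dependency Agent, Azure File Sync's `AFSDiag.ps1`) appears in the rule's `false_positives` text, which the commit leaves unchanged. A short entry there per product keeps the list reviewable when the next path is added. If the Dependency Agent plugin script names are known, combining the directory with a `file.name` list, as collection_posh_clipboard_capture does for `Read-Clipboard.ps1`, would narrow the `plugins\\\\*` entry. The `Compress-Archive` group this hunk closes opens above the hunk.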
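Review bot: `?\:\\\\*\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Management\\\\*.psd1` is not anchored to the Windows directory: the `*` directly after the drive lets any intermediate path precede `system32`, so a matching suffix anywhere on the volume is excluded. collection_posh_clipboard_capture in this same PR spells the same location as `?\:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\...` and `?\:\\\\WINDOWS\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\...`; using those two forms here would pin the exclusion to the real module path while preserving the case variants. The `powershell.file.script_block_text : (` group this hunk closes opens before the hunk.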
--- a/rules_building_block/discovery_posh_generic.toml
+++ b/rules_building_block/discovery_posh_generic.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/16"
+updated_date = "2023/10/11"
 [rule]
@@ -132,16 +132,25 @@ event.category:process and host.os.type:windows and
 "CSFalcon" or "TmPfw" or "kvoop"
 )
 )
- ) and not user.id : ("S-1-5-18" or "S-1-5-19" or "S-1-5-20")
- and not file.path : (
- *WindowsPowerShell*Modules*.psd1 or
- *WindowsPowerShell*Modules*.psm1 or
- "C:\\Program Files\\Microsoft Azure AD Sync\\Extensions\\AADConnector.psm1"
- )
- and not (file.path : (
- *Windows*TEMP*SDIAG* or
- *WINDOWS*TEMP*SDIAG* or
- *windows*TEMP*SDIAG*) and file.name : "CL_Utility.ps1")
+ ) and
+ not user.id : ("S-1-5-18" or "S-1-5-19" or "S-1-5-20") and
+ not file.path : (
+ ?\:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\*.psd1 or
+ ?\:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\*.psm1 or
+ ?\:\\\\Program?Files\\\\Microsoft?Azure?AD?Sync\\\\Extensions\\\\AADConnector.psm1* or
+ *ServiceNow?MID?Server*agent\\\\scripts\\\\PowerShell\\\\*.psm1 or
+ ?\:\\\\*\\\\IMECache\\\\HealthScripts\\\\*\\\\detect.ps1
+ ) and
+ not (
+ file.path : (
+ ?\:\\\\*\\\\TEMP\\\\SDIAG* or
+ ?\:\\\\TEMP\\\\SDIAG* or
+ ?\:\\\\Temp\\\\SDIAG* or
+ ?\:\\\\temp\\\\SDIAG* or
+ ?\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\SDIAG* or
+ ?\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\\\\SDIAG*
+ ) and file.name : "CL_Utility.ps1"
+ )
 '''
diff --git a/rules_building_block/lateral_movement_posh_winrm_activity.toml b/rules_building_block/lateral_movement_posh_winrm_activity.toml
index 3aff00994..8c7359e9f 100644
--- a/rules_building_block/lateral_movement_posh_winrm_activity.toml
+++ b/rules_building_block/lateral_movement_posh_winrm_activity.toml
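Review bot: `*ServiceNow?MID?Server*agent\\\\scripts\\\\PowerShell\\\\*.psm1` is the one entry in the new `file.path` list with no drive anchor and wildcards at both ends, so it matches that suffix under any root on any volume while the neighbouring entries are pinned to `?\:\\\\...`; `?\:\\\\*\\\\IMECache\\\\HealthScripts\\\\*\\\\detect.ps1` is similarly loose before `IMECache`. If the install roots are known, anchoring them (drive plus top-level folder) would bring these in line with the rest of the list; if they genuinely vary per deployment, a `false_positives` entry naming ServiceNow MID Server and the Intune Management Extension would explain the looser pattern. The six `SDIAG` variants enumerate case spellings of `TEMP`, which signals a case-sensitive match on `file.path`; a spelling not listed still alerts, so that is fail-safe, but it is worth a sentence in the rule `note`. The group closed by the first `) and` opens above the hunk.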
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/12"
+updated_date = "2023/10/11"
 [rule]
 author = ["Elastic"]
@@ -53,6 +53,14 @@ query = '''
 event.category:process and host.os.type:windows and
 powershell.file.script_block_text : (
 ("Invoke-WmiMethod" or "Invoke-Command" or "Enter-PSSession") and "ComputerName"
+ ) and
+ not user.id : "S-1-5-18" and
+ not file.directory : (
+ "C:\\Program Files\\LogicMonitor\\Agent\\tmp" or
+ ?\:\\\\Program?Files\\\\Microsoft\\\\Exchange?Server\\\\*\\\\bin or
+ ?\:\\\\Logicmonitor\\\\tmp* or
+ ?\:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\* or
+ ?\:\\\\ExchangeServer\\\\bin*
 )
 '''
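Review bot: `?\:\\\\Logicmonitor\\\\tmp*` and `?\:\\\\ExchangeServer\\\\bin*` end in a bare `*` on a `file.directory` value, so they also match sibling directories whose names merely begin with `tmp` or `bin`; if only those directories (or their subdirectories) are meant, `?\:\\\\Logicmonitor\\\\tmp` / `?\:\\\\ExchangeServer\\\\bin` (or a `\\\\*` suffix for subdirectories) are tighter. The list also mixes an exact quoted literal, `"C:\\Program Files\\LogicMonitor\\Agent\\tmp"`, with the wildcard `?\:\\\\...` form used for the other entries, so the first entry will not match other drive letters or casings while the rest will; `?\:\\\\Program?Files\\\\LogicMonitor\\\\Agent\\\\tmp` would make the list uniform. The rule's `false_positives` text is unchanged, so naming LogicMonitor, Exchange Server and dbatools there would record why these paths are trusted.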