[Rule Tuning] High-Severity Noisy Rules Conversion to new_terms (#5091)

* [Rule Tuning] High-Severity Noisy Rules Conversion to new_terms * ++ * ++ * Update credential_access_dcsync_replication_rights.toml * Update persistence_webshell_detection.toml * ++ * Update persistence_webshell_detection.toml
2025-09-15 09:38:03 -07:00
parent 7bd9c52852
commit 4476ac52a8
5 changed files with 170 additions and 107 deletions
@@ -2,7 +2,7 @@
 creation_date = "2022/02/08"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/11"

 [rule]
 author = ["Elastic"]
@@ -11,9 +11,15 @@ This rule identifies when a User Account starts the Active Directory Replication
 technique to get credential information of individual accounts or the entire domain, thus compromising the entire
 domain.
 """
+false_positives = [
+  """
+  Service accounts that perform replication may trigger this alert on the first run per AD object, but they'll be
+  suppressed in subsequent runs since this rule uses the new_terms rule type.
+  """
+]
 from = "now-9m"
 index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
-language = "eql"
+language = "kuery"
 license = "Elastic License v2"
 name = "Potential Credential Access via DCSync"
 note = """## Triage and analysis
@@ -62,7 +68,7 @@ references = [
    "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync",
    "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry",
 ]
-risk_score = 73
+risk_score = 47
 rule_id = "9f962927-1a4f-45f3-a57b-287f2c7029c1"
 setup = """## Setup

@@ -80,7 +86,7 @@ DS Access >
 Audit Directory Service Access (Success,Failure)
 ```
 """
-severity = "high"
+severity = "medium"
 tags = [
    "Domain: Endpoint",
    "OS: Windows",
@@ -93,33 +99,16 @@ tags = [
    "Data Source: Windows Security Event Logs",
 ]
 timestamp_override = "event.ingested"
-type = "eql"
+type = "new_terms"

 query = '''
-any where event.code == "4662" and
-  winlog.event_data.Properties : (
-
-    /* Control Access Rights/Permissions Symbol */
-
-    "*DS-Replication-Get-Changes*",
-    "*DS-Replication-Get-Changes-All*",
-    "*DS-Replication-Get-Changes-In-Filtered-Set*",
-
-    /* Identifying GUID used in ACE */
-
-    "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*",
-    "*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*",
-    "*89e95b76-444d-4c62-991a-0facbeda640c*")
-
-    /* The right to perform an operation controlled by an extended access right. */
-
-    and winlog.event_data.AccessMask : "0x100" and
-    not winlog.event_data.SubjectUserName : (
-          "*$", "MSOL_*", "OpenDNS_Connector", "adconnect", "SyncADConnect",
-          "SyncADConnectCM", "aadsync", "svcAzureADSync", "-"
-        )
-
-    /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */
+host.os.type:"windows" and event.code:"4662" and
+  winlog.event_data.Properties:(
+    *DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or
+    *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or
+    *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*
+  ) and winlog.event_data.AccessMask : "0x100" and
+  not winlog.event_data.SubjectUserName:(*$ or MSOL_*)
 '''


@@ -158,3 +147,9 @@ id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"

+[rule.new_terms]
+field = "new_terms_fields"
+value = ["winlog.event_data.SubjectUserSid", "winlog.event_data.ObjectName"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-12h"
@@ -2,7 +2,7 @@
 creation_date = "2022/02/16"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/11"

 [transform]
 [[transform.osquery]]
@@ -40,7 +40,7 @@ Comsvcs etc. It detects this behavior at a low level and does not depend on a sp
 """
 from = "now-9m"
 index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
-language = "eql"
+language = "kuery"
 license = "Elastic License v2"
 name = "LSASS Memory Dump Handle Access"
 note = """## Triage and analysis
@@ -103,7 +103,7 @@ references = [
    "http://findingbad.blogspot.com/2017/",
    "https://www.elastic.co/security-labs/detect-credential-access",
 ]
-risk_score = 73
+risk_score = 47
 rule_id = "208dbe77-01ed-4954-8d44-1e5751cb20de"
 setup = """## Setup

@@ -122,9 +122,9 @@ Audit File System (Success,Failure)
 Audit Handle Manipulation (Success,Failure)
 ```

-Also, this event generates only if the object’s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.
+Also, this event generates only if the object's [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.
 """
-severity = "high"
+severity = "medium"
 tags = [
    "Domain: Endpoint",
    "OS: Windows",
@@ -134,35 +134,45 @@ tags = [
    "Data Source: Windows Security Event Logs",
 ]
 timestamp_override = "event.ingested"
-type = "eql"
+type = "new_terms"

 query = '''
-any where event.code == "4656" and
-
-    winlog.event_data.ObjectName : (
-        "?:\\Windows\\System32\\lsass.exe",
-        "\\Device\\HarddiskVolume?\\Windows\\System32\\lsass.exe",
-        "\\Device\\HarddiskVolume??\\Windows\\System32\\lsass.exe") and
-
-    /* The right to perform an operation controlled by an extended access right. */
-
-    (winlog.event_data.AccessMask : ("0x1fffff" , "0x1010", "0x120089", "0x1F3FFF") or
-     winlog.event_data.AccessMaskDescription : ("READ_CONTROL", "Read from process memory"))
-
-     /* Common Noisy False Positives */
-
-    and not winlog.event_data.ProcessName : (
-        "?:\\Program Files\\*.exe",
-        "?:\\Program Files (x86)\\*.exe",
-        "?:\\Windows\\system32\\wbem\\WmiPrvSE.exe",
-        "?:\\Windows\\System32\\dllhost.exe",
-        "?:\\Windows\\System32\\svchost.exe",
-        "?:\\Windows\\System32\\msiexec.exe",
-        "?:\\ProgramData\\Microsoft\\Windows Defender\\*.exe",
-        "?:\\Windows\\explorer.exe",
-        "?:\\Windows\\System32\\poqexec.exe")
+host.os.type:"windows" and event.code:"4656" and
+  (
+    winlog.event_data.AccessMask : ("0x1fffff" or "0x1010" or "0x120089" or "0x1F3FFF") or
+    winlog.event_data.AccessMaskDescription : ("READ_CONTROL" or "Read from process memory")
+  ) and
+  winlog.event_data.ObjectName : *\\Windows\\System32\\lsass.exe and
+  not winlog.event_data.ProcessName : (
+      "C:\Windows\System32\wbem\WmiPrvSE.exe" or
+      "C:\Windows\SysWOW64\wbem\WmiPrvSE.exe" or
+      "C:\Windows\System32\dllhost.exe" or
+      "C:\Windows\System32\svchost.exe" or
+      "C:\Windows\System32\msiexec.exe" or
+      "C:\Windows\explorer.exe"
+  )
 '''

+[[rule.filters]]
+[rule.filters.meta]
+negate = true
+[rule.filters.query.wildcard."winlog.event_data.ProcessName"]
+case_insensitive = true
+value = "C:\\\\Program Files (x86)\\\\*.exe"
+
+[[rule.filters]]
+[rule.filters.meta]
+negate = true
+[rule.filters.query.wildcard."winlog.event_data.ProcessName"]
+case_insensitive = true
+value = "C:\\\\Program Files\\\\*.exe"
+
+[[rule.filters]]
+[rule.filters.meta]
+negate = true
+[rule.filters.query.wildcard."winlog.event_data.ProcessName"]
+case_insensitive = true
+value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe"

 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -182,3 +192,10 @@ id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"

+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["winlog.event_data.ProcessName", "winlog.event_data.SubjectUserName"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-1d"
@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/11"

 [rule]
 author = ["Elastic"]
@@ -12,24 +12,17 @@ may indicate activity related to remote code execution or other forms of exploit
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
-language = "eql"
+language = "kuery"
 license = "Elastic License v2"
-name = "Unusual File Modification by dns.exe"
-note = """## Triage and analysis
-
-### Investigating Unusual File Modification by dns.exe
-Detection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:
- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.
- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.
-"""
+name = "Unusual File Operation by dns.exe"
 references = [
    "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
    "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
    "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability",
 ]
-risk_score = 73
+risk_score = 47
 rule_id = "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9"
-severity = "high"
+severity = "medium"
 tags = [
    "Domain: Endpoint",
    "OS: Windows",
@@ -39,18 +32,14 @@ tags = [
    "Use Case: Vulnerability",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
-    "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
-type = "eql"
+type = "new_terms"

 query = '''
-file where host.os.type == "windows" and process.name : "dns.exe" and event.type in ("creation", "deletion", "change") and
-  not file.name : "dns.log" and not
-  (file.extension : ("old", "temp", "bak", "dns", "arpa") and file.path : "C:\\Windows\\System32\\dns\\*") and
-
-  /* DNS logs with custom names, header converts to "DNS Server log" */
-  not ?file.Ext.header_bytes : "444e5320536572766572206c6f67*"
+event.category : "file" and host.os.type : "windows" and
+  event.type : ("creation" or "deletion" or "change") and process.name : "dns.exe" and
+  not file.extension : ("old" or "temp" or "bak" or "dns" or "arpa" or "log")
 '''


@@ -67,3 +56,10 @@ id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"

+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["file.path", "host.id"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/11"

 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ index = [
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
 ]
-language = "eql"
+language = "kuery"
 license = "Elastic License v2"
 name = "Execution via MSSQL xp_cmdshell Stored Procedure"
 note = """## Triage and analysis
@@ -59,9 +59,9 @@ The xp_cmdshell procedure is disabled by default, but when used, it has the same
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
 references = ["https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"]
-risk_score = 73
+risk_score = 47
 rule_id = "4ed493fc-d637-4a36-80ff-ac84937e5461"
-severity = "high"
+severity = "medium"
 tags = [
    "Domain: Endpoint",
    "OS: Windows",
@@ -77,21 +77,32 @@ tags = [
    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
-type = "eql"
+type = "new_terms"

 query = '''
-process where host.os.type == "windows" and event.type == "start" and process.parent.name : "sqlservr.exe" and 
+host.os.type:windows and event.category:process and event.type:start and
+process.parent.name:"sqlservr.exe" and process.command_line : * and
+(
  (
-   (process.name : "cmd.exe" and 
-    not process.args : ("\\\\*", "diskfree", "rmdir", "mkdir", "dir", "del", "rename", "bcp", "*XMLNAMESPACES*", 
-                        "?:\\MSSQL\\Backup\\Jobs\\sql_agent_backup_job.ps1", "K:\\MSSQL\\Backup\\msdb", "K:\\MSSQL\\Backup\\Logins")) or 
-                        
-   (process.name : "vpnbridge.exe" or ?process.pe.original_file_name : "vpnbridge.exe") or 
-
-   (process.name : "certutil.exe" or ?process.pe.original_file_name == "CertUtil.exe") or 
-
-   (process.name : "bitsadmin.exe" or ?process.pe.original_file_name == "bitsadmin.exe")
-  )
+    (process.name.caseless : "cmd.exe" or process.pe.original_file_name : "Cmd.Exe") and
+    not process.args : (
+          \\\\* or diskfree or rmdir or mkdir or dir or DIR or del or rename or bcp or md or ren or REN or send or echo or
+          ECHO or TYPE or type or EXIST or forfiles or sqlcmd or SQLCMD or dtexec or Sort-Object or cat or copy or COPY or
+          move or MOVE or CD\\ or show or rd or powercfg or "C:\SPAN4\DATA\RISKPARAM.SPN" or ("@ECHO" and "@FOR") or
+          ("@echo" and "@for") or (SET and PATH=*) or ("-ExecutionPolicy" and "-File") or MSSQLFDLauncher$DATEV_DBENGINE or
+          (wmic and (cpu or computersystem or logicaldisk or os or ComputerSystem or volume)) or -s\:C\:\\WINDOWS\\SERVIC* or
+          D\:\\* or E\:\\* or F\:\\* or Z\:\\* or "C:\Program Files\Amazon\AWSCLIV2\aws.exe" or C\:\\7-Zip\\7z.exe* or
+          C\:\\FTP* or *\(Get-Item* or C\:\\ProgramData\\Daktronics*
+    ) and
+    not process.command_line : (
+          "\"C:\\Windows\\system32\\cmd.exe\" /c " or
+          "\"C:\\Windows\\System32\\cmd.exe\""
+    )
+  ) or
+  process.name.caseless:("bitsadmin.exe" or "certutil.exe" or "vpnbridge.exe") or
+  process.name:("bitsadmin.exe" or "certutil.exe" or "vpnbridge.exe") or
+  process.pe.original_file_name:("CertUtil.exe" or "bitsadmin.exe" or "vpnbridge.exe")
+)
 '''


@@ -130,3 +141,9 @@ id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"

+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "process.command_line"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
@@ -2,7 +2,7 @@
 creation_date = "2021/08/24"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/11"

 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ index = [
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
 ]
-language = "eql"
+language = "kuery"
 license = "Elastic License v2"
 name = "Web Shell Detection: Script Process Child of Common Web Processes"
 note = """## Triage and analysis
@@ -95,25 +95,56 @@ tags = [
    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
-type = "eql"
+type = "new_terms"

 query = '''
-process where host.os.type == "windows" and event.type == "start" and
-  process.parent.name : ("w3wp.exe", "httpd.exe", "nginx.exe", "php.exe", "php-cgi.exe", "tomcat.exe") and
-  process.name : ("cmd.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "wmic.exe", "wscript.exe") and
+host.os.type:windows and event.category:process and event.type:start and process.args : * and
+  process.parent.name:("w3wp.exe" or "httpd.exe" or "nginx.exe" or "php.exe" or "php-cgi.exe" or "tomcat.exe") and
+  (
+    process.name : ("cmd.exe" or "cscript.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "wmic.exe" or "wscript.exe") or
+    process.name.caseless : ("cmd.exe" or "cscript.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "wmic.exe" or "wscript.exe")
+  ) and
  not
  (
-    process.parent.name : ("php.exe", "httpd.exe") and process.name : "cmd.exe" and
    process.command_line : (
-      "cmd.exe /c mode CON",
-      "cmd.exe /s /c \"mode CON\"",
-      "cmd.exe /c \"mode\"",
-      "cmd.exe /s /c \"tput colors 2>&1\""
-    )
+      "cmd.exe /c mode CON" or
+      "cmd.exe /s /c \"mode CON\"" or
+      "cmd.exe /c \"mode\"" or
+      "cmd.exe /s /c \"tput colors 2>&1\"" or
+      "cmd.exe /s /c \"stty 2> NUL\"" or
+      "cmd.exe /s /c \"stty 2>&1\"" or
+      "cmd.exe /c \"stty 2>&1\"" or
+      "cmd.exe /s /c \"ipconfig /all 2>&1\"" or
+      "cmd.exe /s /c \"echo '%os%'\"" or
+      *.\\install\\awk.exe*
+    ) or
+    process.args : (\(git or (*artisan* and *queue\:work*) or *rmdir* or "mode CON" or ver or ls or mode or dir)
  )
 '''


+[[rule.filters]]
+[rule.filters.meta]
+negate = true
+[rule.filters.query.wildcard."process.command_line"]
+case_insensitive = true
+value = "*?:\\\\Program Files\\\\*"
+
+
+[[rule.filters]]
+[rule.filters.meta]
+negate = true
+[rule.filters.query.wildcard."process.command_line"]
+case_insensitive = true
+value = "*?:\\\\Program Files (x86)\\\\*"
+
+[[rule.filters]]
+[rule.filters.meta]
+negate = true
+[rule.filters.query.wildcard."process.command_line"]
+case_insensitive = true
+value = "*?:\\\\Program Files (x86)\\\\*"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -176,3 +207,10 @@ id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"

+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "process.command_line"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"