From 4476ac52a8b40bea711d2d2ea29405d790698e99 Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Mon, 15 Sep 2025 09:38:03 -0700 Subject: [PATCH] [Rule Tuning] High-Severity Noisy Rules Conversion to new_terms (#5091) * [Rule Tuning] High-Severity Noisy Rules Conversion to new_terms * ++ * ++ * Update credential_access_dcsync_replication_rights.toml * Update persistence_webshell_detection.toml * ++ * Update persistence_webshell_detection.toml --- ...tial_access_dcsync_replication_rights.toml | 53 ++++++------- ...al_access_lsass_memdump_handle_access.toml | 77 +++++++++++-------- ...ement_unusual_dns_service_file_writes.toml | 36 ++++----- ...ia_xp_cmdshell_mssql_stored_procedure.toml | 49 ++++++++---- .../persistence_webshell_detection.toml | 62 ++++++++++++--- 5 files changed, 170 insertions(+), 107 deletions(-) diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml index 510eb4004..43c9f1c9b 100644 --- a/rules/windows/credential_access_dcsync_replication_rights.toml +++ b/rules/windows/credential_access_dcsync_replication_rights.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/08" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/09/11" [rule] author = ["Elastic"] 
@@ -11,9 +11,15 @@ This rule identifies when a User Account starts the Active Directory Replication technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain. """ +false_positives = [ + """ + Service accounts that perform replication may trigger this alert on the first run per AD object, but they'll be + suppressed in subsequent runs since this rule uses the new_terms rule type. + """ +] from = "now-9m" index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "Potential Credential Access via DCSync" note = """## Triage and analysis @@ -62,7 +68,7 @@ references = [ "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync", "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry", ] -risk_score = 73 +risk_score = 47 rule_id = "9f962927-1a4f-45f3-a57b-287f2c7029c1" setup = """## Setup @@ -80,7 +86,7 @@ DS Access > Audit Directory Service Access (Success,Failure) ``` """ -severity = "high" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Windows", 
@@ -93,33 +99,16 @@ tags = [ "Data Source: Windows Security Event Logs", ] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -any where event.code == "4662" and - winlog.event_data.Properties : ( - - /* Control Access Rights/Permissions Symbol */ - - "*DS-Replication-Get-Changes*", - "*DS-Replication-Get-Changes-All*", - "*DS-Replication-Get-Changes-In-Filtered-Set*", - - /* Identifying GUID used in ACE */ - - "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*", - "*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*", - "*89e95b76-444d-4c62-991a-0facbeda640c*") - - /* The right to perform an operation controlled by an extended access right. */ - - and winlog.event_data.AccessMask : "0x100" and - not winlog.event_data.SubjectUserName : ( - "*$", "MSOL_*", "OpenDNS_Connector", "adconnect", "SyncADConnect", - "SyncADConnectCM", "aadsync", "svcAzureADSync", "-" - ) - - /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */ +host.os.type:"windows" and event.code:"4662" and + winlog.event_data.Properties:( + *DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or + *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or + *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c* + ) and winlog.event_data.AccessMask : "0x100" and + not winlog.event_data.SubjectUserName:(*$ or MSOL_*) ''' @@ -158,3 +147,9 @@ id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[rule.new_terms] +field = "new_terms_fields" +value = ["winlog.event_data.SubjectUserSid", "winlog.event_data.ObjectName"] +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-12h" diff --git a/rules/windows/credential_access_lsass_memdump_handle_access.toml b/rules/windows/credential_access_lsass_memdump_handle_access.toml index eb631b3b3..efe069697 100644 
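Review bot: The new KQL keeps only `*$` and `MSOL_*` in the SubjectUserName exclusion and drops `OpenDNS_Connector`, `adconnect`, `SyncADConnect`, `SyncADConnectCM`, `aadsync`, `svcAzureADSync` and `-`, together with the comment explaining why the Umbrella connector was listed. The commit relies on new_terms suppression for those accounts, which only holds while their (SubjectUserSid, ObjectName) pair stays inside the history window; a connector that replicates less often than the window re-alerts on every run. If the intent is to keep them out entirely, carry the known connector names over: `not winlog.event_data.SubjectUserName:(*$ or MSOL_* or OpenDNS_Connector or adconnect or SyncADConnect or SyncADConnectCM or aadsync or svcAzureADSync)`; otherwise naming these accounts in `false_positives` would help whoever triages the first-run alerts.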
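Review bot: `history_window_start` is `now-12h` here while the other four rules in this commit use `now-1d` or `now-7d`, and the `false_positives` text added earlier in this file promises suppression "in subsequent runs". With a 12-hour window a service account whose replication job runs nightly falls outside the window each time and alerts on every run. Either widen the window (`value = "now-7d"` would match the rest of the commit) or qualify the false_positives sentence so it says suppression applies only to accounts that replicate more often than the window.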
--- a/rules/windows/credential_access_lsass_memdump_handle_access.toml +++ b/rules/windows/credential_access_lsass_memdump_handle_access.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/16" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/09/11" [transform] [[transform.osquery]] @@ -40,7 +40,7 @@ Comsvcs etc. It detects this behavior at a low level and does not depend on a sp """ from = "now-9m" index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "LSASS Memory Dump Handle Access" note = """## Triage and analysis @@ -103,7 +103,7 @@ references = [ "http://findingbad.blogspot.com/2017/", "https://www.elastic.co/security-labs/detect-credential-access", ] -risk_score = 73 +risk_score = 47 rule_id = "208dbe77-01ed-4954-8d44-1e5751cb20de" setup = """## Setup @@ -122,9 +122,9 @@ Audit File System (Success,Failure) Audit Handle Manipulation (Success,Failure) ``` -Also, this event generates only if the object’s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights. +Also, this event generates only if the object's [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights. """ -severity = "high" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Windows", 
@@ -134,35 +134,45 @@ tags = [ "Data Source: Windows Security Event Logs", ] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -any where event.code == "4656" and - - winlog.event_data.ObjectName : ( - "?:\\Windows\\System32\\lsass.exe", - "\\Device\\HarddiskVolume?\\Windows\\System32\\lsass.exe", - "\\Device\\HarddiskVolume??\\Windows\\System32\\lsass.exe") and - - /* The right to perform an operation controlled by an extended access right. */ - - (winlog.event_data.AccessMask : ("0x1fffff" , "0x1010", "0x120089", "0x1F3FFF") or - winlog.event_data.AccessMaskDescription : ("READ_CONTROL", "Read from process memory")) - - /* Common Noisy False Positives */ - - and not winlog.event_data.ProcessName : ( - "?:\\Program Files\\*.exe", - "?:\\Program Files (x86)\\*.exe", - "?:\\Windows\\system32\\wbem\\WmiPrvSE.exe", - "?:\\Windows\\System32\\dllhost.exe", - "?:\\Windows\\System32\\svchost.exe", - "?:\\Windows\\System32\\msiexec.exe", - "?:\\ProgramData\\Microsoft\\Windows Defender\\*.exe", - "?:\\Windows\\explorer.exe", - "?:\\Windows\\System32\\poqexec.exe") +host.os.type:"windows" and event.code:"4656" and + ( + winlog.event_data.AccessMask : ("0x1fffff" or "0x1010" or "0x120089" or "0x1F3FFF") or + winlog.event_data.AccessMaskDescription : ("READ_CONTROL" or "Read from process memory") + ) and + winlog.event_data.ObjectName : *\\Windows\\System32\\lsass.exe and + not winlog.event_data.ProcessName : ( + "C:\Windows\System32\wbem\WmiPrvSE.exe" or + "C:\Windows\SysWOW64\wbem\WmiPrvSE.exe" or + "C:\Windows\System32\dllhost.exe" or + "C:\Windows\System32\svchost.exe" or + "C:\Windows\System32\msiexec.exe" or + "C:\Windows\explorer.exe" + ) ''' +[[rule.filters]] +[rule.filters.meta] +negate = true +[rule.filters.query.wildcard."winlog.event_data.ProcessName"] +case_insensitive = true +value = "C:\\\\Program Files (x86)\\\\*.exe" + +[[rule.filters]] +[rule.filters.meta] +negate = true 
+[rule.filters.query.wildcard."winlog.event_data.ProcessName"] +case_insensitive = true +value = "C:\\\\Program Files\\\\*.exe" + +[[rule.filters]] +[rule.filters.meta] +negate = true +[rule.filters.query.wildcard."winlog.event_data.ProcessName"] +case_insensitive = true +value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe" [[rule.threat]] framework = "MITRE ATT&CK" @@ -182,3 +192,10 @@ id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[rule.new_terms] +field = "new_terms_fields" +value = ["winlog.event_data.ProcessName", "winlog.event_data.SubjectUserName"] +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-1d" diff --git a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml index d6fab3b87..53c9462d2 100644 --- a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml +++ b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/16" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/09/11" [rule] author = ["Elastic"] 
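Review bot: The ProcessName exclusions inside the query are quoted KQL strings with single backslashes (`"C:\Windows\System32\wbem\WmiPrvSE.exe"`), while the ObjectName pattern just above uses the escaped unquoted form `*\\Windows\\System32\\lsass.exe`. As far as I can tell from KQL's quoted-string escaping, a lone backslash is literal except before `t`, `r`, `n`, `\` or `"`, so the current paths happen to parse but a later entry under a `\temp` or `\n...` segment would silently turn into a control character; writing them all as `"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"` removes that trap. Separately, the removed EQL matched these exclusions on `?:` while the new query and the first two `[[rule.filters]]` values pin `C:` (only the Defender filter keeps `?:\\\\ProgramData...`), so on a host with a non-C system drive the WmiPrvSE/dllhost/svchost/msiexec/explorer exclusions stop applying and the rule gets noisier, not broader. The same single-backslash quoted form appears in the xp_cmdshell hunk (`"C:\SPAN4\DATA\RISKPARAM.SPN"`, `"C:\Program Files\Amazon\AWSCLIV2\aws.exe"`).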
@@ -12,24 +12,17 @@ may indicate activity related to remote code execution or other forms of exploit """ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"] -language = "eql" +language = "kuery" license = "Elastic License v2" -name = "Unusual File Modification by dns.exe" -note = """## Triage and analysis - -### Investigating Unusual File Modification by dns.exe -Detection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation: -- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms. -- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care. -""" +name = "Unusual File Operation by dns.exe" references = [ "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability", ] -risk_score = 73 +risk_score = 47 rule_id = "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9" -severity = "high" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Windows", 
@@ -39,18 +32,14 @@ tags = [ "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Resources: Investigation Guide", ] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -file where host.os.type == "windows" and process.name : "dns.exe" and event.type in ("creation", "deletion", "change") and - not file.name : "dns.log" and not - (file.extension : ("old", "temp", "bak", "dns", "arpa") and file.path : "C:\\Windows\\System32\\dns\\*") and - - /* DNS logs with custom names, header converts to "DNS Server log" */ - not ?file.Ext.header_bytes : "444e5320536572766572206c6f67*" +event.category : "file" and host.os.type : "windows" and + event.type : ("creation" or "deletion" or "change") and process.name : "dns.exe" and + not file.extension : ("old" or "temp" or "bak" or "dns" or "arpa" or "log") ''' @@ -67,3 +56,10 @@ id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + +[rule.new_terms] +field = "new_terms_fields" +value = ["file.path", "host.id"] +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-7d" diff --git a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml index 9eadb3b12..848ae070e 100644 --- a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml +++ b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/09/11" [rule] author = ["Elastic"] 
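Review bot: The extension exclusion lost its path scope: the removed EQL only ignored `old/temp/bak/dns/arpa` files when `file.path` was under `C:\Windows\System32\dns\`, whereas the new `not file.extension : ("old" or "temp" or "bak" or "dns" or "arpa" or "log")` suppresses those extensions anywhere on disk, so a file `dns.exe` writes outside the DNS directory with one of these extensions (now including `.log`) is never seen, not merely deferred by new_terms. Restoring the scope is one line: `not (file.extension : ("old" or "temp" or "bak" or "dns" or "arpa" or "log") and file.path : C\:\\Windows\\System32\\dns\\*)`. The `?file.Ext.header_bytes` check for custom-named DNS logs was also dropped without a replacement; since new_terms keys on `file.path`, a custom log that rotates to new names will alert on each new name, which may be acceptable but deserves a line in `false_positives`.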
@@ -22,7 +22,7 @@ index = [ "logs-windows.sysmon_operational-*", "winlogbeat-*", ] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "Execution via MSSQL xp_cmdshell Stored Procedure" note = """## Triage and analysis @@ -59,9 +59,9 @@ The xp_cmdshell procedure is disabled by default, but when used, it has the same - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = ["https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"] -risk_score = 73 +risk_score = 47 rule_id = "4ed493fc-d637-4a36-80ff-ac84937e5461" -severity = "high" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Windows", 
@@ -77,21 +77,32 @@ tags = [ "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -process where host.os.type == "windows" and event.type == "start" and process.parent.name : "sqlservr.exe" and +host.os.type:windows and event.category:process and event.type:start and +process.parent.name:"sqlservr.exe" and process.command_line : * and +( ( - (process.name : "cmd.exe" and - not process.args : ("\\\\*", "diskfree", "rmdir", "mkdir", "dir", "del", "rename", "bcp", "*XMLNAMESPACES*", - "?:\\MSSQL\\Backup\\Jobs\\sql_agent_backup_job.ps1", "K:\\MSSQL\\Backup\\msdb", "K:\\MSSQL\\Backup\\Logins")) or - - (process.name : "vpnbridge.exe" or ?process.pe.original_file_name : "vpnbridge.exe") or - - (process.name : "certutil.exe" or ?process.pe.original_file_name == "CertUtil.exe") or - - (process.name : "bitsadmin.exe" or ?process.pe.original_file_name == "bitsadmin.exe") - ) + (process.name.caseless : "cmd.exe" or process.pe.original_file_name : "Cmd.Exe") and + not process.args : ( + \\\\* or diskfree or rmdir or mkdir or dir or DIR or del or rename or bcp or md or ren or REN or send or echo or + ECHO or TYPE or type or EXIST or forfiles or sqlcmd or SQLCMD or dtexec or Sort-Object or cat or copy or COPY or + move or MOVE or CD\\ or show or rd or powercfg or "C:\SPAN4\DATA\RISKPARAM.SPN" or ("@ECHO" and "@FOR") or + ("@echo" and "@for") or (SET and PATH=*) or ("-ExecutionPolicy" and "-File") or MSSQLFDLauncher$DATEV_DBENGINE or + (wmic and (cpu or computersystem or logicaldisk or os or ComputerSystem or volume)) or -s\:C\:\\WINDOWS\\SERVIC* or + D\:\\* or E\:\\* or F\:\\* or Z\:\\* or "C:\Program Files\Amazon\AWSCLIV2\aws.exe" or C\:\\7-Zip\\7z.exe* or + C\:\\FTP* or *\(Get-Item* or C\:\\ProgramData\\Daktronics* + ) and + not process.command_line : ( + "\"C:\\Windows\\system32\\cmd.exe\" /c " or + "\"C:\\Windows\\System32\\cmd.exe\"" + ) + ) or + process.name.caseless:("bitsadmin.exe" or "certutil.exe" or 
"vpnbridge.exe") or + process.name:("bitsadmin.exe" or "certutil.exe" or "vpnbridge.exe") or + process.pe.original_file_name:("CertUtil.exe" or "bitsadmin.exe" or "vpnbridge.exe") +) ''' @@ -130,3 +141,9 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "process.command_line"] +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-7d" diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml index 90a360e35..d89d4b377 100644 --- a/rules/windows/persistence_webshell_detection.toml +++ b/rules/windows/persistence_webshell_detection.toml @@ -2,7 +2,7 @@ creation_date = "2021/08/24" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/09/11" [rule] author = ["Elastic"] @@ -24,7 +24,7 @@ index = [ "logs-windows.sysmon_operational-*", "winlogbeat-*", ] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "Web Shell Detection: Script Process Child of Common Web Processes" note = """## Triage and analysis 
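Review bot: Several of the new `not process.args : (...)` exclusions in the cmd.exe branch are bare tokens (`echo`, `ECHO`, `type`, `TYPE`, `copy`, `move`, `dir`, `del`, `send`, `show`, `cat`) plus the pair `("-ExecutionPolicy" and "-File")`; because `process.args` is matched element-wise, one such token anywhere in the argument list, for example inside a chained command, suppresses the whole event, and the `-ExecutionPolicy`/`-File` pair excludes every script launch through cmd.exe regardless of which script is run. Tying these to full `process.command_line` values, as the two `"\"C:\\Windows\\system32\\cmd.exe\" /c "` entries already do, or moving them into case-insensitive `[[rule.filters]]` wildcard entries as the other rules in this commit do, would keep the suppression but bound it. Values such as `"C:\SPAN4\DATA\RISKPARAM.SPN"`, `MSSQLFDLauncher$DATEV_DBENGINE` and `C\:\\ProgramData\\Daktronics*` read as single-environment tuning rather than general exclusions and may belong in rule exceptions instead. The added `process.command_line : *` also drops events from any source that ships no command line, a silent coverage change relative to the removed EQL that is worth a comment.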
@@ -95,25 +95,56 @@ tags = [ "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -process where host.os.type == "windows" and event.type == "start" and - process.parent.name : ("w3wp.exe", "httpd.exe", "nginx.exe", "php.exe", "php-cgi.exe", "tomcat.exe") and - process.name : ("cmd.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "wmic.exe", "wscript.exe") and +host.os.type:windows and event.category:process and event.type:start and process.args : * and + process.parent.name:("w3wp.exe" or "httpd.exe" or "nginx.exe" or "php.exe" or "php-cgi.exe" or "tomcat.exe") and + ( + process.name : ("cmd.exe" or "cscript.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "wmic.exe" or "wscript.exe") or + process.name.caseless : ("cmd.exe" or "cscript.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "wmic.exe" or "wscript.exe") + ) and not ( - process.parent.name : ("php.exe", "httpd.exe") and process.name : "cmd.exe" and process.command_line : ( - "cmd.exe /c mode CON", - "cmd.exe /s /c \"mode CON\"", - "cmd.exe /c \"mode\"", - "cmd.exe /s /c \"tput colors 2>&1\"" - ) + "cmd.exe /c mode CON" or + "cmd.exe /s /c \"mode CON\"" or + "cmd.exe /c \"mode\"" or + "cmd.exe /s /c \"tput colors 2>&1\"" or + "cmd.exe /s /c \"stty 2> NUL\"" or + "cmd.exe /s /c \"stty 2>&1\"" or + "cmd.exe /c \"stty 2>&1\"" or + "cmd.exe /s /c \"ipconfig /all 2>&1\"" or + "cmd.exe /s /c \"echo '%os%'\"" or + *.\\install\\awk.exe* + ) or + process.args : (\(git or (*artisan* and *queue\:work*) or *rmdir* or "mode CON" or ver or ls or mode or dir) ) ''' +[[rule.filters]] +[rule.filters.meta] +negate = true +[rule.filters.query.wildcard."process.command_line"] +case_insensitive = true +value = "*?:\\\\Program Files\\\\*" + + +[[rule.filters]] +[rule.filters.meta] +negate = true +[rule.filters.query.wildcard."process.command_line"] +case_insensitive = true +value = "*?:\\\\Program Files 
(x86)\\\\*" + +[[rule.filters]] +[rule.filters.meta] +negate = true +[rule.filters.query.wildcard."process.command_line"] +case_insensitive = true +value = "*?:\\\\Program Files (x86)\\\\*" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -176,3 +207,10 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "process.command_line"] +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-7d"
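Review bot: The second and third `[[rule.filters]]` blocks are identical — both negate a case-insensitive wildcard on `process.command_line` with `value = "*?:\\\\Program Files (x86)\\\\*"` — so one is a copy-paste leftover and should be deleted (there is also a double blank line before the second block). The `process.args : (... or ver or ls or mode or dir)` exclusion matches those tokens at any argument position, and a directory listing or version query is typically the first thing an interactive web shell session does, so excluding them trades the rule's headline coverage for noise reduction; scoping them to exact `process.command_line` values, as the `mode CON` entries do, would be safer. `process.args : *` now also excludes events without arguments, which differs from the removed EQL. The unquoted `*.\\install\\awk.exe*` entry sits among quoted neighbours; both forms parse, but a short comment on why awk is excluded would help the next maintainer.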