[Rule Tuning] Add EQL optional field syntax (#1910)

* Add optional EQL syntax

* Add min_stack_version
Jonhnathan
2022-04-05 16:32:37 -03:00
committed by GitHub
parent 6bdfddac8e
commit 49074ddeaa
5 changed files with 23 additions and 13 deletions
@@ -1,7 +1,9 @@
[metadata]
creation_date = "2020/03/18"
maturity = "production"
updated_date = "2022/03/31"
min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
min_stack_version = "7.16.0"
updated_date = "2022/04/04"
[rule]
author = ["Elastic"]
@@ -27,8 +29,8 @@ type = "eql"
query = '''
process where event.type in ("start", "process_started") and
(process.Ext.token.integrity_level_name : "System" or
winlog.event_data.IntegrityLevel : "System") and
(?process.Ext.token.integrity_level_name : "System" or
?winlog.event_data.IntegrityLevel : "System") and
process.name : "whoami.exe" or
(process.name : "net1.exe" and not process.parent.name : "net.exe")
'''
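Review bot: The trailing `or` on the line `process.name : "whoami.exe" or` binds more loosely than the `and`s before it, so the `(process.name : "net1.exe" and not process.parent.name : "net.exe")` branch is evaluated on its own, without the `event.type` check or the integrity-level condition the commit just rewrote with `?`. As written, any net1.exe start whose parent is not net.exe matches regardless of integrity level. If SYSTEM integrity is meant to gate both branches, group the name alternatives: `(process.name : "whoami.exe" or (process.name : "net1.exe" and not process.parent.name : "net.exe"))`. This predates the commit, but since the hunk touches the surrounding condition it is a good moment to confirm the intended precedence.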
@@ -1,7 +1,9 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2022/02/14"
min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
min_stack_version = "7.16.0"
updated_date = "2022/04/04"
[rule]
author = ["Elastic"]
@@ -32,7 +34,7 @@ sequence by process.entity_id
[process where event.type == "start" and
process.name : ("regsvr32.exe", "RegAsm.exe", "RegSvcs.exe") and
not (
(process.Ext.token.integrity_level_name : "System" or winlog.event_data.IntegrityLevel : "System") and
(?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") and
(process.parent.name : "msiexec.exe" or process.parent.executable : ("C:\\Program Files (x86)\\*.exe", "C:\\Program Files\\*.exe"))
)
]
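Review bot: Making the integrity-level fields optional inside a `not (...)` exclusion changes what happens to events that carry neither field: `?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System"` then evaluates to null rather than true or false, and if EQL follows SQL-style three-valued logic, `not null` is also null, so the event is dropped from this sequence stage when the msiexec/Program Files parent condition holds, instead of being kept. The same construct appears in the schtasks rule two hunks below, `not (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System")`, where the exclusion is not combined with another condition, so every event lacking both fields would be dropped even though the comment above it says the intent is to keep non-SYSTEM task creations. Worth confirming against events that populate neither field and, whichever way it resolves, documenting it next to the query, e.g. `/* events without either integrity-level field evaluate to null here and are not matched */`. The `sequence by process.entity_id` this stage belongs to starts before the hunk and its closing `'''` is not shown.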
@@ -1,7 +1,9 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2022/03/31"
min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
min_stack_version = "7.16.0"
updated_date = "2022/04/04"
[rule]
author = ["Elastic"]
@@ -34,7 +36,7 @@ sequence with maxspan=1m
(process.name : "schtasks.exe" or process.pe.original_file_name == "schtasks.exe") and
process.args : ("/create", "-create") and process.args : ("/RU", "/SC", "/TN", "/TR", "/F", "/XML") and
/* exclude SYSTEM Integrity Level - look for task creations by non-SYSTEM user */
not (process.Ext.token.integrity_level_name : "System" or winlog.event_data.IntegrityLevel : "System")
not (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System")
] by process.parent.entity_id
'''
@@ -1,7 +1,9 @@
[metadata]
creation_date = "2021/11/25"
maturity = "production"
updated_date = "2022/03/31"
min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
min_stack_version = "7.16.0"
updated_date = "2022/04/04"
[rule]
author = ["Elastic"]
@@ -60,8 +62,8 @@ query = '''
/* This rule is compatible with both Sysmon and Elastic Endpoint */
process where event.type == "start" and
(process.Ext.token.integrity_level_name : "System" or
winlog.event_data.IntegrityLevel : "System") and
(?process.Ext.token.integrity_level_name : "System" or
?winlog.event_data.IntegrityLevel : "System") and
(
(process.name : "elevation_service.exe" and
not process.pe.original_file_name == "elevation_service.exe") or
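Review bot: With `?` on both integrity-level fields, an index where neither `process.Ext.token.integrity_level_name` nor `winlog.event_data.IntegrityLevel` is mapped presumably no longer fails at query time but simply never produces a match, and the header comment `/* This rule is compatible with both Sysmon and Elastic Endpoint */` does not say that. A more precise comment would state the requirement, e.g. `/* Sysmon (winlog.*) and Elastic Endpoint (process.Ext.*) integrity fields are both optional; an event must populate one of them with "System" to match */`. The query continues past the hunk and its closing `'''` is not shown.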
@@ -1,7 +1,9 @@
[metadata]
creation_date = "2021/07/06"
maturity = "production"
updated_date = "2022/03/31"
min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
min_stack_version = "7.16.0"
updated_date = "2022/04/04"
[rule]
author = ["Elastic"]
@@ -38,8 +40,8 @@ type = "eql"
query = '''
process where event.type == "start" and
process.parent.name : "spoolsv.exe" and
(process.Ext.token.integrity_level_name : "System" or
winlog.event_data.IntegrityLevel : "System") and
(?process.Ext.token.integrity_level_name : "System" or
?winlog.event_data.IntegrityLevel : "System") and
/* exclusions for FP control below */
not process.name : ("splwow64.exe", "PDFCreator.exe", "acrodist.exe", "spoolsv.exe", "msiexec.exe", "route.exe", "WerFault.exe") and