From 49074ddeaa25a1bedb130fd7a3aff3de561d6330 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Tue, 5 Apr 2022 16:32:37 -0300
Subject: [PATCH] [Rule Tuning] Add EQL optional field syntax (#1910)

* Add optional EQL syntax

* Add min_stack_version
---
 rules/windows/discovery_net_command_system_account.toml | 8 +++++---
 ...egister_server_program_connecting_to_the_internet.toml | 6 ++++--
 .../persistence_local_scheduled_task_creation.toml | 6 ++++--
 rules/windows/privilege_escalation_installertakeover.toml | 8 +++++---
 ...lege_escalation_unusual_printspooler_childprocess.toml | 8 +++++---
 5 files changed, 23 insertions(+), 13 deletions(-)

diff --git a/rules/windows/discovery_net_command_system_account.toml b/rules/windows/discovery_net_command_system_account.toml
index 49979348d..f962e79ee 100644
--- a/rules/windows/discovery_net_command_system_account.toml
+++ b/rules/windows/discovery_net_command_system_account.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/18"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
+min_stack_version = "7.16.0"
+updated_date = "2022/04/04"
 
 [rule]
 author = ["Elastic"]
@@ -27,8 +29,8 @@ type = "eql"
 
 query = '''
 process where event.type in ("start", "process_started") and
- (process.Ext.token.integrity_level_name : "System" or
- winlog.event_data.IntegrityLevel : "System") and
+ (?process.Ext.token.integrity_level_name : "System" or
+ ?winlog.event_data.IntegrityLevel : "System") and
 process.name : "whoami.exe" or
 (process.name : "net1.exe" and not process.parent.name : "net.exe")
 '''
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index d46a6b8d4..7e477ba1a 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
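Review bot: The trailing `or` on the last two query lines of this hunk still binds outside the integrity-level conjunction, so with EQL's `and`-before-`or` precedence the `net1.exe` branch matches whether or not the optional-field check this hunk rewrites is true; only the `whoami.exe` branch is actually gated on SYSTEM. If the rule is meant to fire only for SYSTEM-level activity, as the file name suggests, wrap the alternatives: `(process.name : "whoami.exe" or` / `(process.name : "net1.exe" and not process.parent.name : "net.exe"))`. The precedence issue predates this commit, but the hunk already rewrites the lines just above it and the closing `'''` is in view, so the whole query can be corrected here.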
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/02/14"
+min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
+min_stack_version = "7.16.0"
+updated_date = "2022/04/04"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +34,7 @@ sequence by process.entity_id
 [process where event.type == "start" and
 process.name : ("regsvr32.exe", "RegAsm.exe", "RegSvcs.exe") and
 not (
- (process.Ext.token.integrity_level_name : "System" or winlog.event_data.IntegrityLevel : "System") and
+ (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") and
 (process.parent.name : "msiexec.exe" or process.parent.executable : ("C:\\Program Files (x86)\\*.exe", "C:\\Program Files\\*.exe"))
 )
 ]
diff --git a/rules/windows/persistence_local_scheduled_task_creation.toml b/rules/windows/persistence_local_scheduled_task_creation.toml
index 3e991198a..3abb7cd7c 100644
--- a/rules/windows/persistence_local_scheduled_task_creation.toml
+++ b/rules/windows/persistence_local_scheduled_task_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
+min_stack_version = "7.16.0"
+updated_date = "2022/04/04"
 
 [rule]
 author = ["Elastic"]
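Review bot: Making both integrity-level fields optional changes what the `not (...)` exclusion does on events that carry neither field: if I read EQL's null handling right, the inner disjunction evaluates to null rather than false, `not null` stays null, and the enclosing clause cannot match. In this file that only affects events with an installer parent, but the same rewrite on the `and not (...)` line in persistence_local_scheduled_task_creation.toml (next file in this patch) becomes an unconditional non-match for any source that ships neither `process.Ext.token.integrity_level_name` nor `winlog.event_data.IntegrityLevel` — the rule now loads on such a stack but never fires, which is quieter than the verification error an unmapped field presumably produced before the `?` syntax. That silent gap is worth recording where deployers will see it, e.g. `min_stack_comments = "EQL optional fields syntax was not introduced until 7.16; events lacking both integrity-level fields are not matched"`. The `sequence` that encloses this step starts outside the hunk.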
@@ -34,7 +36,7 @@ sequence with maxspan=1m
 (process.name : "schtasks.exe" or process.pe.original_file_name == "schtasks.exe") and
 process.args : ("/create", "-create") and process.args : ("/RU", "/SC", "/TN", "/TR", "/F", "/XML") and
 /* exclude SYSTEM Integrity Level - look for task creations by non-SYSTEM user */
- not (process.Ext.token.integrity_level_name : "System" or winlog.event_data.IntegrityLevel : "System")
+ not (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System")
 ] by process.parent.entity_id
 '''
 
diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml
index 3553524eb..5948f5065 100644
--- a/rules/windows/privilege_escalation_installertakeover.toml
+++ b/rules/windows/privilege_escalation_installertakeover.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/11/25"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
+min_stack_version = "7.16.0"
+updated_date = "2022/04/04"
 
 [rule]
 author = ["Elastic"]
@@ -60,8 +62,8 @@ query = '''
 /* This rule is compatible with both Sysmon and Elastic Endpoint */
 
 process where event.type == "start" and
- (process.Ext.token.integrity_level_name : "System" or
- winlog.event_data.IntegrityLevel : "System") and
+ (?process.Ext.token.integrity_level_name : "System" or
+ ?winlog.event_data.IntegrityLevel : "System") and
 (
 (process.name : "elevation_service.exe" and
 not process.pe.original_file_name == "elevation_service.exe") or
diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
index 8c6d5b010..de4993705 100644
--- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
+++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
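Review bot: The comment `/* This rule is compatible with both Sysmon and Elastic Endpoint */` at the top of the installertakeover hunk now undersells what the `?` prefixes on the two integrity-level fields are doing: as far as I understand the optional-field syntax, the query loads even when only one of the two sources is mapped, which is exactly the compatibility the comment promises and the reason for the new 7.16 floor in `min_stack_version`. Suggest extending it: `/* This rule is compatible with both Sysmon and Elastic Endpoint; the ?-prefixed integrity fields are optional so the query loads when only one source is mapped (EQL 7.16+) */`. The same `?` rewrite in discovery_net_command_system_account.toml and privilege_escalation_unusual_printspooler_childprocess.toml carries no in-query comment at all, so a one-liner there would help the next person tuning these. The `process where` expression continues past the end of the hunk.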
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/07/06"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
+min_stack_version = "7.16.0"
+updated_date = "2022/04/04"
 
 [rule]
 author = ["Elastic"]
@@ -38,8 +40,8 @@ type = "eql"
 query = '''
 process where event.type == "start" and process.parent.name : "spoolsv.exe" and
- (process.Ext.token.integrity_level_name : "System" or
- winlog.event_data.IntegrityLevel : "System") and
+ (?process.Ext.token.integrity_level_name : "System" or
+ ?winlog.event_data.IntegrityLevel : "System") and
 /* exclusions for FP control below */
 not process.name : ("splwow64.exe", "PDFCreator.exe", "acrodist.exe", "spoolsv.exe", "msiexec.exe", "route.exe", "WerFault.exe") and