From 4b6ad77338ada69042c941abc544f3e3dc53728e Mon Sep 17 00:00:00 2001
From: Justin Ibarra
Date: Thu, 3 Dec 2020 11:00:24 +0100
Subject: [PATCH] [Rule Tuning] Remove usage of winlog.event_data.OriginalFileName (#667)

---
 ...command_and_control_remote_file_copy_desktopimgdownldr.toml | 3 +--
 .../windows/command_and_control_remote_file_copy_mpcmdrun.toml | 3 +--
 .../windows/credential_access_credential_dumping_msbuild.toml | 2 +-
 rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml | 3 +--
 .../credential_access_iis_connectionstrings_dumping.toml | 3 +--
 .../defense_evasion_execution_msbuild_started_renamed.toml | 2 +-
 .../defense_evasion_execution_suspicious_explorer_winword.toml | 3 +--
 rules/windows/defense_evasion_iis_httplogging_disabled.toml | 3 +--
 rules/windows/defense_evasion_masquerading_renamed_autoit.toml | 3 +--
 rules/windows/execution_suspicious_psexesvc.toml | 3 +--
 10 files changed, 10 insertions(+), 18 deletions(-)

diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
index 9a41ab03e..41014df39 100644
--- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
+++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
@@ -23,8 +23,7 @@ type = "query"
 
 query = '''
 event.category:process and event.type:(start or process_started) and
- (process.name:desktopimgdownldr.exe or process.pe.original_file_name:desktopimgdownldr.exe or
- winlog.event_data.OriginalFileName:desktopimgdownldr.exe) and
+ (process.name:desktopimgdownldr.exe or process.pe.original_file_name:desktopimgdownldr.exe) and
 process.args:/lockscreenurl\:http*
 '''
 
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
index 956ee44c2..d5e47c50f 100644
--- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
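Review bot: The surviving PE-metadata match on the added line, `process.pe.original_file_name:desktopimgdownldr.exe`, is only populated when the shipper maps Sysmon's OriginalFileName into ECS; a source that still emits the raw `winlog.event_data.OriginalFileName` field (older Beats Sysmon module versions, I believe) will now match on `process.name` alone, so a renamed copy of the binary goes unseen there. That is a coverage regression for the masquerading case this clause exists to catch, and it applies to every hunk in this patch. Since a TOML multi-line string cannot carry a comment, I would record the requirement in the rule's `note` field (outside this hunk): `Requires a source that populates process.pe.original_file_name (Elastic Endpoint, or winlogbeat's Sysmon module at a version that maps OriginalFileName); winlog.event_data.OriginalFileName is no longer consulted.` If field validation against ECS is what motivated the removal, saying so in the commit message would help the next reader understand why the fallback was dropped rather than kept.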
+++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@@ -25,8 +25,7 @@ type = "query"
 
 query = '''
 event.category:process and event.type:(start or process_started) and
- (process.name:MpCmdRun.exe or process.pe.original_file_name:MpCmdRun.exe or
- winlog.event_data.OriginalFileName:MpCmdRun.exe) and
+ (process.name:MpCmdRun.exe or process.pe.original_file_name:MpCmdRun.exe) and
 process.args:(("-DownloadFile" or "-downloadfile") and "-url" and "-path")
 '''
 
diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml
index e0849f013..c800a91a3 100755
--- a/rules/windows/credential_access_credential_dumping_msbuild.toml
+++ b/rules/windows/credential_access_credential_dumping_msbuild.toml
@@ -23,7 +23,7 @@ type = "query"
 
 query = '''
 event.category:process and event.type:change and
- (winlog.event_data.OriginalFileName:(vaultcli.dll or SAMLib.DLL) or
+ (process.pe.original_file_name:(vaultcli.dll or SAMLib.DLL) or
 dll.name:(vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe
 '''
 
diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
index 226ec61f9..20f239bd3 100644
--- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
+++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
@@ -24,8 +24,7 @@ type = "query"
 
 query = '''
 event.category:process AND event.type:(start OR process_started) AND
- (process.name:appcmd.exe OR process.pe.original_file_name:appcmd.exe or
- winlog.event_data.OriginalFileName:appcmd.exe) AND
+ (process.name:appcmd.exe OR process.pe.original_file_name:appcmd.exe) AND
 process.args:(/[lL][iI][sS][tT]/ AND /\/[tT][eE][xX][tT]\:[pP][aA][sS][sS][wW][oO][rR][dD]/)
 '''
 
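Review bot: The args predicate on the kept context line, `process.args:(("-DownloadFile" or "-downloadfile") and "-url" and "-path")`, covers two casings of the verb but only one of `-url` and `-path`, and `process.args` is an exact-case keyword match in KQL — so `MpCmdRun.exe -DownloadFile -Url ... -Path ...` is missed if MpCmdRun parses switches case-insensitively, which the `-downloadfile` variant suggests the author already expects. Now that the binary match has one fewer fallback, the args clause carries more of the detection. I would use the character-class style the appcmd rule in this same patch uses: `process.args:(/-[dD][oO][wW][nN][lL][oO][aA][dD][fF][iI][lL][eE]/ and /-[uU][rR][lL]/ and /-[pP][aA][tT][hH]/)`; confirm the case-insensitivity against the tool before relying on it.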
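Review bot: The substituted clause `process.pe.original_file_name:(vaultcli.dll or SAMLib.DLL)` on the added line refers to the PE of the process, which this query pins to MSBuild.exe, not to the module being loaded — on an image-load event (`event.type:change`, `dll.name`) it cannot match, so the rule now rests on `dll.name` alone and a copied or renamed vaultcli.dll/samlib.dll evades it. The removed `winlog.event_data.OriginalFileName` was, for Sysmon event 7, the loaded image's version-info name, so this is not a one-to-one field swap. The ECS field for that is `dll.pe.original_file_name`; I would write `(dll.pe.original_file_name:(vaultcli.dll or SAMLib.DLL) or`, after confirming the shipper populates the `dll.pe.*` group for image-load events rather than assuming it does.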
diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
index b9706edf1..16b3cb0ea 100644
--- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml
+++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
@@ -28,8 +28,7 @@ type = "query"
 
 query = '''
 event.category:process and event.type:(start or process_started) and
- (process.name:aspnet_regiis.exe or process.pe.original_file_name:aspnet_regiis.exe or
- winlog.event_data.OriginalFileName:aspnet_regiis.exe) and
+ (process.name:aspnet_regiis.exe or process.pe.original_file_name:aspnet_regiis.exe) and
 process.args:(connectionStrings and "-pdf")
 '''
 
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
index 5f9b0a4fb..8a28677cb 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
@@ -23,7 +23,7 @@ type = "query"
 
 query = '''
 event.category:process and event.type:(start or process_started) and
- (process.pe.original_file_name:MSBuild.exe or winlog.event_data.OriginalFileName:MSBuild.exe) and
+ process.pe.original_file_name:MSBuild.exe and
 not process.name: MSBuild.exe
 '''
 
diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
index 5213647ae..3982806f5 100644
--- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
+++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
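Review bot: The retained predicate `process.args:(connectionStrings and "-pdf")` catches only the physical-directory form; aspnet_regiis also decrypts a section by application path (`-pd connectionStrings -app /site`), which this rule would not see, and because `process.args` is matched exact-case a `-PDF` or `ConnectionStrings` spelling is also missed if the tool accepts it (I believe the switches are case-insensitive; less sure about the section name). With the binary-name fallback removed, the args predicate is doing more of the work. At minimum I would use `process.args:(connectionStrings and ("-pdf" or "-pd"))`, and consider the character-class regex style the appcmd rule in this patch uses for the section name.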
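Review bot: The exclusion on the context line, `not process.name: MSBuild.exe`, is an exact-case keyword match, while the other renamed-binary rules in this same patch list both casings (`winword.exe or WINWORD.EXE`, `psexesvc.exe or PSEXESVC.exe`); a shipper that reports the image as `msbuild.exe` would now make this rule fire on every legitimate build, and there is no longer a second positive clause to reason about. Suggest `not process.name:(MSBuild.exe or msbuild.exe)`, or the case-insensitive regex form the AutoIt rule uses, so the exclusion is at least as broad as the match. Whether `process.name` preserves on-disk casing is shipper-dependent; a sample event from each supported source would settle it.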
@@ -23,8 +23,7 @@ type = "query"
 
 query = '''
 event.category:process and event.type:(start or process_started) and
- (process.pe.original_file_name:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE) or
- winlog.event_data.OriginalFileName:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE)) and
+ process.pe.original_file_name:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE) and
 not (process.name:(winword.exe or WINWORD.EXE or explorer.exe or w3wp.exe or Dism.exe) or
 process.executable:("C:\Windows\explorer.exe" or C\:\\Program?Files\\Microsoft?Office\\root\\Office*\\WINWORD.EXE or
diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
index 2dfbd2e2a..5847bb728 100644
--- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml
+++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
@@ -23,8 +23,7 @@ type = "query"
 
 query = '''
 event.category:process and event.type:(start or process_started) and
- (process.name:appcmd.exe or process.pe.original_file_name:appcmd.exe or
- winlog.event_data.OriginalFileName:appcmd.exe) and
+ (process.name:appcmd.exe or process.pe.original_file_name:appcmd.exe) and
 process.args:/dontLog\:\"True\" and not process.parent.name:iissetup.exe
 '''
 
diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
index 1e523bb8d..b3f7248c6 100644
--- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
+++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
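Review bot: The retained predicate `process.args:/dontLog\:\"True\"` is a case-sensitive regex that also demands literal quotes, whereas appcmd accepts `/dontLog:true`, `/dontLog:TRUE` and the unquoted form (IIS boolean attribute values are case-insensitive, as far as I know), so an operator disabling logging with any of those spellings is not caught, and with the winlog fallback gone there is no other route to an alert. The appcmd password rule in this same patch already uses character classes for exactly this reason; aligning gives `process.args:/[dD][oO][nN][tT][lL][oO][gG]\:\"?[tT][rR][uU][eE]\"?/`. Also worth checking how the shipper tokenizes CommandLine into `process.args` — whether the quotes survive at all — before keeping the `\"` anchors.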
@@ -22,8 +22,7 @@ type = "query"
 
 query = '''
 event.category:process AND event.type:(start OR process_started) AND
- (process.pe.original_file_name:/[aA][uU][tT][oO][iI][tT]\d\.[eE][xX][eE]/ OR
- winlog.event_data.OriginalFileName:/[aA][uU][tT][oO][iI][tT]\d\.[eE][xX][eE]/) AND
+ process.pe.original_file_name:/[aA][uU][tT][oO][iI][tT]\d\.[eE][xX][eE]/ AND
 NOT process.name:/[aA][uU][tT][oO][iI][tT]\d{1,3}\.[eE][xX][eE]/
 '''
 
diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml
index 2ec1c33e6..96200f2b8 100644
--- a/rules/windows/execution_suspicious_psexesvc.toml
+++ b/rules/windows/execution_suspicious_psexesvc.toml
@@ -22,8 +22,7 @@ type = "query"
 
 query = '''
 event.category:process and event.type:(start or process_started) and
- (process.pe.original_file_name:(psexesvc.exe or PSEXESVC.exe) or
- winlog.event_data.OriginalFileName:(psexesvc.exe or PSEXESVC.exe)) and
+ process.pe.original_file_name:(psexesvc.exe or PSEXESVC.exe) and
 process.parent.name:services.exe and not process.name:(psexesvc.exe or PSEXESVC.exe)
 '''
 
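Review bot: The positive match `process.pe.original_file_name:/[aA][uU][tT][oO][iI][tT]\d\.[eE][xX][eE]/` on the added line accepts exactly one digit, but the exclusion on the context line accepts `\d{1,3}`, so a binary whose OriginalFileName is `AutoIt3.exe` but runs as `autoit33.exe` or `AutoIt300.exe` is excluded as though it were not renamed — an exclusion broader than the match can only create misses. I would give both regexes the same quantifier: `NOT process.name:/[aA][uU][tT][oO][iI][tT]\d\.[eE][xX][eE]/`. Separately, the single `\d` presumes every AutoIt interpreter build carries a one-digit OriginalFileName; if a build with an `AutoIt3_x64.exe`-style value exists it would fall outside the match entirely, so a check across a few builds is worthwhile before tightening further.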