From 5b183e66fa7c81ef6925b3028e1ce1e7970210e1 Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Fri, 29 Jul 2022 16:11:16 -0400
Subject: [PATCH] [Rule Tuning] Persistence via Update Orchestrator Service Hijack (#2195)

* [Rule Tuning] Persistence via Update Orchestrator Service Hijack

I changed the query to exclude FPs for safe executables found in telemetry: MoUsoCoreWorker.exe and OfficeC2RClient.exe. Changed the query type to KQL to account for the wildcard needed to capture 2 of the executable paths found in telemetry. I'm open to changing back to eql with suggestions.

* Update persistence_via_update_orchestrator_service_hijack.toml

revert back to eql

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit 386a8202c0d98b87bc5dc25721b818d88c8ab784)
---
 ...ia_update_orchestrator_service_hijack.toml | 24 +++++++++++--------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
index f73f22305..829f3f98a 100644
--- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
+++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/07/29"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = ["https://github.com/irsl/CVE-2020-1313"]
 risk_score = 73
 rule_id = "265db8f5-fc73-4d0d-b434-6483b56372e2"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "CVE-2020-1313"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -31,14 +31,18 @@ process where event.type == "start" and
 process.parent.executable : "C:\\Windows\\System32\\svchost.exe" and
 process.parent.args : "UsoSvc" and
 not process.executable :
- (
- "C:\\Windows\\System32\\UsoClient.exe",
- "C:\\Windows\\System32\\MusNotification.exe",
- "C:\\Windows\\System32\\MusNotificationUx.exe",
- "C:\\Windows\\System32\\MusNotifyIcon.exe",
- "C:\\Windows\\System32\\WerFault.exe",
- "C:\\Windows\\System32\\WerMgr.exe"
- )
+ ("?:\\ProgramData\\Microsoft\\Windows\\UUS\\Packages\\*\\amd64\\MoUsoCoreWorker.exe",
+ "?:\\Windows\\System32\\UsoClient.exe",
+ "?:\\Windows\\System32\\MusNotification.exe",
+ "?:\\Windows\\System32\\MusNotificationUx.exe",
+ "?:\\Windows\\System32\\MusNotifyIcon.exe",
+ "?:\\Windows\\System32\\WerFault.exe",
+ "?:\\Windows\\System32\\WerMgr.exe",
+ "?:\\Windows\\UUS\\amd64\\MoUsoCoreWorker.exe",
+ "?:\\Windows\\System32\\MoUsoCoreWorker.exe",
+ "?:\\Windows\\UUS\\amd64\\UsoCoreWorker.exe",
+ "?:\\Windows\\System32\\UsoCoreWorker.exe",
+ "?:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe")
 '''
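Review bot: The rebuilt exclusion list on the new side keys only on process.executable, and its first entry carries a `*` directory segment under ProgramData plus a `?:` drive wildcard, so a file bearing one of these names at a matching path is dropped from the rule regardless of its signer; the commit message records the false positives but not that the exclusion is path-only. Where the rule's indices populate process.code_signature (not visible from this hunk), wrapping the list as `not (process.executable : (...same twelve paths...) and process.code_signature.trusted == true and process.code_signature.subject_name : ("Microsoft Windows", "Microsoft Corporation"))` keeps the telemetry-driven exclusions while still alerting on an unsigned or foreign-signed binary at one of those paths. Adding an entry to the rule's `false_positives` array (outside this hunk) naming MoUsoCoreWorker.exe and OfficeC2RClient.exe as the telemetry-observed benign UsoSvc children would record why the wildcard entry exists. The `query = '''` opening line and the hunk's trailing context lines are outside what is shown here.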