From 6b71ad7ab9db4ea2cd50e47a957b00bafad37578 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Fri, 11 Oct 2024 15:01:45 -0300
Subject: [PATCH] [Rule Tuning] 3rd Party EDR Compatibility - 7 (#4031)

* [Rule Tuning] 3rd Party EDR Compatibility - 7
* min_stack for merge, bump updated_date
---
 ..._powershell_windows_firewall_disabled.toml | 33 +++++++++++--------
 ...ense_evasion_proxy_execution_via_msdt.toml | 16 +++------
 ...eg_disable_enableglobalqueryblocklist.toml | 20 ++++++++---
 ...defense_evasion_root_dir_ads_creation.toml | 12 +++++--
 ...ion_scheduledjobs_at_protocol_enabled.toml | 21 +++++------
 ..._evasion_sdelete_like_filename_rename.toml | 10 ++++--
 .../defense_evasion_sip_provider_mod.toml | 10 ++++--
 ...ackdoor_service_disabled_via_registry.toml | 32 +++++++++---------
 ..._evasion_suspicious_certutil_commands.toml | 14 ++++++--
 ...n_suspicious_managedcode_host_process.toml | 11 +++++--
 10 files changed, 108 insertions(+), 71 deletions(-)

diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
index abd9a87b4..66267ee25 100644
--- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
+++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2021/10/15"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
 [rule]
 author = ["Austin Songer"]
@@ -18,7 +20,16 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-system.security*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Windows Firewall Disabled via PowerShell"
@@ -63,14 +74,6 @@ references = [
 ]
 risk_score = 47
 rule_id = "f63c8e3c-d396-404f-b2ea-0379d3942d73"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
 tags = [
 "Domain: Endpoint",
@@ -81,6 +84,10 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
+ "Data Source: System",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -89,8 +96,8 @@ query = '''
 process where host.os.type == "windows" and event.action == "start" and
 (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or ?process.pe.original_file_name == "PowerShell.EXE") and
 process.args : "*Set-NetFirewallProfile*" and
- (process.args : "*-Enabled*" and process.args : "*False*") and
- (process.args : "*-All*" or process.args : ("*Public*", "*Domain*", "*Private*"))
+ process.args : "*-Enabled*" and process.args : "*False*" and
+ process.args : ("*-All*", "*Public*", "*Domain*", "*Private*")
 '''
diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
index debc6c67d..553b57711 100644
--- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
+++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2022/05/31"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/10"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (
 binary execution via malicious process arguments.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Microsoft Diagnostics Wizard Execution"
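Review bot: On the new `process.args : ("*-All*", "*Public*", "*Domain*", "*Private*")` line the `*-All*` wildcard also matches other `-All…` parameters of Set-NetFirewallProfile such as `-AllowInboundRules`, and because each `process.args` test may be satisfied by a different argument, a hardening command such as `Set-NetFirewallProfile -Enabled True -AllowInboundRules False` would satisfy all three tests. The rewrite is logically equivalent to the removed parenthesised form, so the gap is pre-existing rather than introduced here, but this tuning pass is the natural place to close it, e.g. `process.args : ("-All", "*Public*", "*Domain*", "*Private*")` (the `-All:$true` switch form would then need its own pattern if it is seen in telemetry). The simplification itself is a readability improvement and reads correctly.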
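Review bot: The new `index` line of the MSDT rule narrows `logs-windows.*` to `logs-windows.sysmon_operational-*`, so any `logs-windows.forwarded*` events that matched before this patch no longer reach the rule; the firewall and certutil rules in the same patch kept `"logs-windows.forwarded*"` next to the Sysmon stream when they made the same replacement. If the drop is deliberate because this rule is not meant to run on forwarded Security events, a sentence in the PR description would stop it being read as an oversight; otherwise add `"logs-windows.forwarded*"` to the array.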
@@ -21,14 +21,6 @@ references = [
 ]
 risk_score = 73
 rule_id = "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "high"
 tags = [
 "Domain: Endpoint",
@@ -37,6 +29,8 @@ tags = [
 "Tactic: Defense Evasion",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
index 41f26de34..d997fd0d1 100644
--- a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
+++ b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2024/05/31"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +15,14 @@ modify or disable the GQBL, allowing exploitation of hosts running WPAD with def
 and lateral movement.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
+index = [
+ "logs-endpoint.events.registry-*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "endgame-*"
+]
 language = "eql"
 license = "Elastic License v2"
 name = "DNS Global Query Block List Modified or Disabled"
@@ -31,7 +40,10 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Defense Evasion",
 "Data Source: Elastic Defend",
- "Data Source: Sysmon"
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_root_dir_ads_creation.toml b/rules/windows/defense_evasion_root_dir_ads_creation.toml
index f3e782745..df0cd93bf 100644
--- a/rules/windows/defense_evasion_root_dir_ads_creation.toml
+++ b/rules/windows/defense_evasion_root_dir_ads_creation.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2024/03/14"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
 [rule]
 author = ["Elastic"]
@@ -16,6 +18,9 @@ index = [
 "logs-endpoint.events.process-*",
 "logs-endpoint.events.file-*",
 "logs-windows.sysmon_operational-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "endgame-*",
 ]
 language = "eql"
 license = "Elastic License v2"
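Review bot: The rebuilt `index` array of the GQBL rule closes with `"endgame-*"` and no trailing comma, while the firewall rule's `index` and every multi-line `tags` array in this patch end each element with one; TOML accepts both, but `"endgame-*",` keeps the style uniform and makes the next addition a one-line diff. The patch also writes the same kind of array in two shapes — multi-line here and in the firewall, root-directory and certutil rules, a single long line in the scheduled-jobs, SDelete, SIP and SolarWinds rules — so choosing the multi-line form for arrays of more than four or five patterns would make those hunks easier to review.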
@@ -31,6 +36,9 @@ tags = [
 "Tactic: Defense Evasion",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
index c1fad3056..6305d62ad 100644
--- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
+++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/11/23"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/08/05"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
 [rule]
 author = ["Elastic"]
@@ -12,21 +14,13 @@ move laterally or persist locally. The AT command has been deprecated since Wind
 exists for backwards compatibility.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Scheduled Tasks AT Command Enabled"
 references = ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"]
 risk_score = 47
 rule_id = "9aa0e1f6-52ce-42e1-abb3-09657cee2698"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
 tags = [
 "Domain: Endpoint",
@@ -37,6 +31,8 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -45,7 +41,8 @@ query = '''
 registry where host.os.type == "windows" and event.type == "change" and
 registry.path : (
 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt",
- "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt"
+ "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt",
+ "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt"
 ) and registry.data.strings : ("1", "0x00000001")
 '''
diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
index de7148408..407c0a738 100644
--- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
+++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/08/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +13,7 @@ Detects file name patterns generated by the use of Sysinternals SDelete utility
 file overwrite and rename operations.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Secure File Deletion via SDelete Utility"
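Review bot: The added `"MACHINE\\SOFTWARE\\...\\EnableAt"` path form is what lets events from the newly listed `logs-m365_defender.event-*` and `logs-sentinel_one_cloud_funnel.*` indices match this registry rule, and the SolarWinds rule in this patch receives the same third form. The GQBL and SIP provider rules also gain those two indices and read `logs-endpoint.events.registry-*`, but their `query` blocks are not part of this patch; if they still list only the `HKLM\\` and `\\REGISTRY\\MACHINE\\` forms, the new sources would be indexed without ever matching — worth confirming against those files before merge. The unchanged `) and registry.data.strings : ("1", "0x00000001")` context line means the value check still applies to all three path forms, which is the intended behaviour.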
@@ -60,6 +62,8 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_sip_provider_mod.toml b/rules/windows/defense_evasion_sip_provider_mod.toml
index 7c33e64c8..76f6288a2 100644
--- a/rules/windows/defense_evasion_sip_provider_mod.toml
+++ b/rules/windows/defense_evasion_sip_provider_mod.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2021/01/20"
-integration = ["endpoint"]
+integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +14,7 @@ Windows cryptographic system to validate file signatures on the system. This may
 validation checks or inject code into critical processes.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
+index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "SIP Provider Modification"
@@ -28,6 +30,8 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
index e79c1ad61..25244f5d4 100644
--- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
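Review bot: The new `integration` line of the SIP provider rule still omits `windows` — `integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel"]` — although the rule's `index` includes `logs-windows.sysmon_operational-*` and its tags carry `Data Source: Sysmon`; every other rule in this patch that reads the Sysmon stream lists `windows` in `integration`. Unless the field is intentionally narrower here, it should read `integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]` so the metadata matches the data sources the rule actually consumes.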
+++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/12/14"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/08/05"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +13,7 @@ Identifies a SolarWinds binary modifying the start type of a service to be disab
 technique to manipulate relevant security services.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "SolarWinds Process Disabling Services via Registry"
@@ -20,14 +22,6 @@ references = [
 ]
 risk_score = 47
 rule_id = "b9960fef-82c6-4816-befa-44745030e917"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
 tags = [
 "Domain: Endpoint",
@@ -38,17 +32,14 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
 registry where host.os.type == "windows" and event.type == "change" and registry.value : "Start" and
- registry.path : (
- "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start",
- "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\Start"
- ) and
- registry.data.strings : ("4", "0x00000004") and
 process.name : (
 "SolarWinds.BusinessLayerHost*.exe",
 "ConfigurationWizard*.exe",
@@ -56,7 +47,14 @@ registry where host.os.type == "windows" and event.type == "change" and registry
 "NetFlowService*.exe",
 "SolarWinds.Administration*.exe",
 "SolarWinds.Collector.Service*.exe",
- "SolarwindsDiagnostics*.exe")
+ "SolarwindsDiagnostics*.exe"
+ ) and
+ registry.path : (
+ "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start",
+ "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\Start",
+ "MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\Start"
+ ) and
+ registry.data.strings : ("4", "0x00000004")
 '''
diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
index c2e3ee568..3f4b39bda 100644
--- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml
+++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows", "system"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
 [transform]
 [[transform.osquery]]
@@ -41,9 +43,12 @@ from = "now-9m"
 index = [
 "winlogbeat-*",
 "logs-endpoint.events.process-*",
- "logs-windows.*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
 "endgame-*",
 "logs-system.security*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -117,6 +122,9 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
 "Data Source: System",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
 ]
 timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
 timeline_title = "Comprehensive Process Timeline"
diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
index 3ed7d721f..95bbb77f5 100644
--- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
+++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/08/21"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +13,7 @@ Identifies a suspicious managed code hosting process which could indicate code i
 code execution.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Managed Code Hosting Process"
@@ -28,6 +30,9 @@ tags = [
 "Tactic: Defense Evasion",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"