diff --git a/rules/windows/defense_evasion_wsl_bash_exec.toml b/rules/windows/defense_evasion_wsl_bash_exec.toml
index 61f2a435f..06ddbf82b 100644
--- a/rules/windows/defense_evasion_wsl_bash_exec.toml
+++ b/rules/windows/defense_evasion_wsl_bash_exec.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/13"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/06/22"
+updated_date = "2023/12/21"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -22,23 +22,31 @@ references = [
   "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/",
   "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1"
 ]
-risk_score = 47
+risk_score = 21
 rule_id = "3e0eeb75-16e8-4f2f-9826-62461ca128b7"
-severity = "medium"
+severity = "low"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type : "start" and
-  (
-    ((process.executable : "?:\\Windows\\System32\\bash.exe" or process.pe.original_file_name == "Bash.exe") and
-    not process.command_line : ("bash", "bash.exe")) or
-    process.executable : "?:\\Users\\*\\AppData\\Local\\Packages\\*\\rootfs\\usr\\bin\\bash" or
-    (process.parent.name : "wsl.exe" and process.parent.command_line : "bash*" and not process.name : "wslhost.exe") or
-    (process.name : "wsl.exe" and process.args : ("curl", "/etc/shadow", "/etc/passwd", "cat","--system", "root", "-e", "--exec", "bash", "/mnt/c/*"))
+  (
+    (
+      (process.executable : "?:\\Windows\\System32\\bash.exe" or process.pe.original_file_name == "Bash.exe") and
+      not process.command_line : ("bash", "bash.exe")
+    ) or
+    process.executable : "?:\\Users\\*\\AppData\\Local\\Packages\\*\\rootfs\\usr\\bin\\bash" or
+    (
+      process.parent.name : "wsl.exe" and process.parent.command_line : "bash*" and not process.name : "wslhost.exe"
+    ) or
+    (
+      process.name : "wsl.exe" and process.args : (
+        "curl", "/etc/shadow", "/etc/passwd", "cat", "--system", "root", "-e", "--exec", "bash", "/mnt/c/*"
+      ) and not process.args : ("wsl-bootstrap", "docker-desktop-data", "*.vscode-server*")
+    )
   ) and
-  not process.parent.executable : ("?:\\Program Files\\Docker\\*.exe", "?:\\Program Files (x86)\\Docker\\*.exe")
+  not process.parent.executable : ("?:\\Program Files\\Docker\\*.exe", "?:\\Program Files (x86)\\Docker\\*.exe")
 '''
diff --git a/rules/windows/defense_evasion_wsl_child_process.toml b/rules/windows/defense_evasion_wsl_child_process.toml
index dd8781f18..cf82698d6 100644
--- a/rules/windows/defense_evasion_wsl_child_process.toml
+++ b/rules/windows/defense_evasion_wsl_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/06/22"
+updated_date = "2023/12/21"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -27,19 +27,16 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type : "start" and
-  process.parent.executable :
-    ("?:\\Windows\\System32\\wsl.exe",
-     "?:\\Program Files*\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\wsl.exe",
-     "?:\\Windows\\System32\\wslhost.exe",
-     "?:\\Program Files*\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\wslhost.exe") and
-  not process.executable :
-    ("?:\\Windows\\System32\\conhost.exe",
-     "?:\\Windows\\System32\\lxss\\wslhost.exe",
-     "?:\\Windows\\Sys*\\wslconfig.exe",
-     "?:\\Program Files*\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\wsl*.exe",
-     "?:\\Windows\\System32\\WerFault.exe",
-     "?:\\Program Files\\*",
-     "?:\\Program Files (x86)\\*")
+  process.parent.name : ("wsl.exe", "wslhost.exe") and
+  not process.executable : (
+    "?:\\Program Files (x86)\\*",
+    "?:\\Program Files\\*",
+    "?:\\Program Files*\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\wsl*.exe",
+    "?:\\Windows\\System32\\conhost.exe",
+    "?:\\Windows\\System32\\lxss\\wslhost.exe",
+    "?:\\Windows\\System32\\WerFault.exe",
+    "?:\\Windows\\Sys*\\wslconfig.exe"
+  )
 '''
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
index 885890710..63e1b81b4 100644
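Review bot: The added `and not process.args : ("wsl-bootstrap", "docker-desktop-data", "*.vscode-server*")` exclusion keys the allowlist on the arguments of the very process being judged, so any wsl.exe start carrying one of those tokens anywhere in its argument list drops out of that branch regardless of who launched it, and the `*.vscode-server*` wildcard widens that further. The Docker carve-out at the end of the same query is anchored on `process.parent.executable`, which is the more robust shape for a tuning exclusion; if the goal is to quiet VS Code and Docker bootstrap launches, anchoring on the parent process in the same way keeps the exclusion out of a field the launched command line itself populates. The risk_score and severity downgrade in this hunk is not explained by any visible line; the description and false_positives fields lie outside the hunk, so I cannot tell whether they record the rationale, but a sentence there would help the next reviewer.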
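Review bot: The switch to `process.parent.name : ("wsl.exe", "wslhost.exe")` removes the path requirement the old `process.parent.executable` list imposed, so a child of any binary that merely carries those names now qualifies; that is broader coverage, and it is worth stating in the rule description that matching on the name is intended rather than a simplification (the description is outside this hunk, so I cannot check). With the parent match broadened, the retained `"?:\\Program Files\\*"` and `"?:\\Program Files (x86)\\*"` exclusions on process.executable carry more weight than before, since they suppress every child under those trees for every parent named wsl.exe; if those two entries were added for specific products, narrowing them to the products' own directories would limit what the wider parent match gives back. On style, the new alphabetically sorted exclusion list is easier to maintain than the old grouping and could be adopted for the sibling wsl_bash_exec rule in this commit as well.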
--- a/rules/windows/discovery_admin_recon.toml
+++ b/rules/windows/discovery_admin_recon.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2023/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -75,18 +75,20 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and (
-  (((process.name : "net.exe" or process.pe.original_file_name == "net.exe") or
-  ((process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and
-  not process.parent.name : "net.exe")) and
-  process.args : ("group", "user", "localgroup") and
-  process.args : ("*admin*", "Domain Admins", "Remote Desktop Users", "Enterprise Admins", "Organization Management") and
-  not process.args : "/add")
-
-  or
-
-  ((process.name : "wmic.exe" or process.pe.original_file_name == "wmic.exe") and
-  process.args : ("group", "useraccount"))
-) and not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20")
+  (
+    (
+      (process.name : "net.exe" or process.pe.original_file_name == "net.exe") or
+      ((process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and not process.parent.name : "net.exe")
+    ) and
+    process.args : ("group", "user", "localgroup") and
+    process.args : ("*admin*", "Domain Admins", "Remote Desktop Users", "Enterprise Admins", "Organization Management")
+    and not process.args : ("/add", "/delete")
+  ) or
+  (
+    (process.name : "wmic.exe" or process.pe.original_file_name == "wmic.exe") and
+    process.args : ("group", "useraccount")
+  )
+) and not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20")
 '''
 
 [[rule.threat]]
diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml
index 0b1d7512b..248c6ad92 100644
--- a/rules/windows/discovery_command_system_account.toml
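Review bot: The continuation `and not process.args : ("/add", "/delete")` opens with the operator while every other continuation in this query closes its line with `and` / `or`; moving it to `process.args : ("*admin*", "Domain Admins", "Remote Desktop Users", "Enterprise Admins", "Organization Management") and` followed by `not process.args : ("/add", "/delete")` keeps the query consistent with itself and with the sibling rules touched in this commit. Adding `/delete` to the exclusion means membership removals from the listed admin groups no longer count as recon here; the hunk does not say whether another rule covers that, so a line in the false_positives or description field (outside this hunk) would record the reasoning. The `in` to `:` change on `user.id` makes the comparison case-insensitive and wildcard-aware, which is harmless for fixed SIDs and matches the style used elsewhere in the query.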
+++ b/rules/windows/discovery_command_system_account.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2023/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -66,8 +66,12 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and
   (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") and
-  (process.name : "whoami.exe" or
-   (process.name : "net1.exe" and not process.parent.name : "net.exe"))
+  (
+    process.name : "whoami.exe" or
+    (
+      process.name : "net1.exe" and not process.parent.name : "net.exe" and not process.args : ("start", "stop", "/active:*")
+    )
+  )
 '''
diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml
index 0bc58e347..42bd18ef4 100644
--- a/rules/windows/discovery_posh_suspicious_api_functions.toml
+++ b/rules/windows/discovery_posh_suspicious_api_functions.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2023/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -111,7 +111,7 @@ event.category:process and host.os.type:windows and
     NetScheduleJobEnum or NetUserModalsGet
   )
-  and not user.id : ("S-1-5-18" or "S-1-5-19")
+  and not file.path : ?\:\\\\ProgramData\\\\Microsoft\\\\Windows?Defender?Advanced?Threat?Protection\\\\DataCollection\\\\*
 '''
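Review bot: The restructured `process.name : "whoami.exe" or` branch still matches on the process name alone, whereas the net.exe/net1.exe branch in discovery_admin_recon.toml in this same commit pairs the name with `process.pe.original_file_name`; for consistency, and so the rule does not depend solely on the on-disk file name, consider `(process.name : "whoami.exe" or process.pe.original_file_name == "whoami.exe") or` (confirm the PE original name value for the binary before relying on it). The new `not process.args : ("start", "stop", "/active:*")` exclusion drops SYSTEM-context `net1` service start/stop and account enable/disable invocations from this discovery rule without any visible rationale; if those are covered elsewhere, a line in the rule's false_positives or description field (outside this hunk) stating that would save the next reader from re-deriving it.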
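Review bot: The replacement `and not file.path : ?\:\\\\ProgramData\\\\Microsoft\\\\Windows?Defender?Advanced?Threat?Protection\\\\DataCollection\\\\*` is a path-based allowlist rather than an identity-based one, so it is not a like-for-like swap for the removed `user.id` exclusion: SYSTEM and LocalService PowerShell activity now alerts unless the script lives under that one directory, while anything under that directory is excluded for every user, which makes the exclusion only as strong as the ACL on that ProgramData subtree. If the intent is to quiet the data-collection scripts under that path specifically, pairing the path with the user id that runs them would keep both conditions, and the change in scope is worth recording in the rule's false_positives field (outside the hunk). The `?` characters standing in for the spaces in the folder name make the value hard to read; confirm that the query language treats `?` as a single-character wildcard in this position, because if it does not, this exclusion never matches and the rule is left with no exclusion at all.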