From 74d8186aeb106ced02513ef2d1deaac0dee6c9bb Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Tue, 13 Aug 2024 12:55:08 -0400
Subject: [PATCH] [Rule Tuning] Tuning `MsBuild Making Network Connections` (#3482)

* tuning 'MsBuild Making Network Connections'
* added performance note; added comments in query
* adjusted array search
* linting
* updated query logic;updated date
* updated query logic
* fixed query error
* changed query logic
* removing min-stack
* reverting change
* updated network sequence event
---
 ...on_msbuild_making_network_connections.toml | 38 ++++++++++++++++---
 1 file changed, 32 insertions(+), 6 deletions(-)

diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
index ac7a2d074..f2a978729 100644
--- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml
+++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/08/08"
 
 [transform]
 [[transform.osquery]]
@@ -48,6 +48,10 @@ license = "Elastic License v2"
 name = "MsBuild Making Network Connections"
 note = """## Triage and analysis
 
+### Performance
+
+The performance impact of this rule is expected to be low to medium because of the first sequence, which looks for MsBuild.exe process execution. The events for this first sequence may be noisy, consider adding exceptions.
+
 ### Investigating MsBuild Making Network Connections
 
 By examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.
@@ -101,6 +105,7 @@ This rule looks for the `Msbuild.exe` utility execution, followed by a network c
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
+references = ["https://riccardoancarani.github.io/2019-10-19-hunting-covenant-msbuild/"]
 risk_score = 47
 rule_id = "0e79980b-4250-4a50-a509-69294c14e84b"
 severity = "medium"
@@ -116,11 +121,32 @@ tags = [
 type = "eql"
 
 query = '''
-sequence by process.entity_id
-  [process where host.os.type == "windows" and process.name : "MSBuild.exe" and event.type == "start"]
-  [network where host.os.type == "windows" and process.name : "MSBuild.exe" and
-   not cidrmatch(destination.ip, "127.0.0.1", "::1") and
-   not dns.question.name : "localhost"]
+sequence by process.entity_id with maxspan=30s
+  /* Look for MSBuild.exe process execution */
+  /* The events for this first sequence may be noisy, consider adding exceptions */
+  [process where host.os.type == "windows"
+    and (
+      process.pe.original_file_name: "MSBuild.exe" or
+      process.name: "MSBuild.exe"
+    )
+    and event.type == "start" and user.id != "S-1-5-18"]
+
+  /* Followed by a network connection to an external address */
+  /* Exclude domains that are known to be benign */
+  [network where host.os.type == "windows"
+    and event.action: ("connection_attempted", "lookup_requested")
+    and (
+      process.pe.original_file_name: "MSBuild.exe" or
+      process.name: "MSBuild.exe"
+    )
+    and not user.id != "S-1-5-18" and
+    not cidrmatch(destination.ip, "127.0.0.1", "::1") and
+    not dns.question.name : (
+      "localhost",
+      "dc.services.visualstudio.com",
+      "vortex.data.microsoft.com",
+      "api.nuget.org")]
 '''
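Review bot: The network stage's `and not user.id != "S-1-5-18" and` is a double negative that reduces to `user.id == "S-1-5-18"`, so the second event is accepted only when it comes from SYSTEM, while the process stage above it rejects SYSTEM with `user.id != "S-1-5-18"`; because both stages are joined on process.entity_id, the same process cannot satisfy both and the sequence should never complete, which would silently leave the rule producing no alerts. Dropping the stray `not` — `and user.id != "S-1-5-18" and` — restores the intended filter, or the clause can be removed from the network stage altogether since the join already scopes the second event to the process that passed the first stage. It would be worth adding a rule test that feeds one MSBuild start plus one external connection from a non-SYSTEM account and asserts a match, so a filter that cannot fire is caught before it is merged. The hunk's trailing context continues past the end of this excerpt.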