[Rules Tuning] diverse tuning (#2506)

* Update credential_access_saved_creds_vault_winlog.toml

* Update lateral_movement_powershell_remoting_target.toml

* Update credential_access_saved_creds_vault_winlog.toml

* Update lateral_movement_remote_services.toml

* Update lateral_movement_incoming_winrm_shell_execution.toml

* Update lateral_movement_rdp_enabled_registry.toml

* Update persistence_scheduled_task_updated.toml

* Update persistence_scheduled_task_updated.toml

* Update privilege_escalation_persistence_phantom_dll.toml

* Update privilege_escalation_persistence_phantom_dll.toml

* Update rules/windows/persistence_scheduled_task_updated.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

rules/windows/credential_access_saved_creds_vault_winlog.toml

@@ -38,12 +38,14 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s
  /* 2 consecutive vault reads from same pid for web creds */
 
  [any where event.code : "5382" and
-  (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" or winlog.event_data.Resource : "http*") and
-  not winlog.event_data.SubjectLogonId : "0x3e7"]
+  (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
+  not winlog.event_data.SubjectLogonId : "0x3e7" and 
+  not winlog.event_data.Resource : "http://localhost/"]
 
  [any where event.code : "5382" and
-  (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" or winlog.event_data.Resource : "http*") and
-  not winlog.event_data.SubjectLogonId : "0x3e7"]
+  (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
+  not winlog.event_data.SubjectLogonId : "0x3e7" and 
+  not winlog.event_data.Resource : "http://localhost/"]
 '''
 
 

rules/windows/lateral_movement_incoming_winrm_shell_execution.toml

@@ -32,9 +32,9 @@ type = "eql"
 query = '''
 sequence by host.id with maxspan=30s
    [network where host.os.type == "windows" and process.pid == 4 and network.direction : ("incoming", "ingress") and
-    destination.port in (5985, 5986) and network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"
-   ]
-   [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "winrshost.exe" and not process.name : "conhost.exe"]
+    destination.port in (5985, 5986) and network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"]
+   [process where host.os.type == "windows" and 
+    event.type == "start" and process.parent.name : "winrshost.exe" and not process.executable : "?:\\Windows\\System32\\conhost.exe"]
 '''
 
 

rules/windows/lateral_movement_powershell_remoting_target.toml

@@ -36,7 +36,8 @@ query = '''
 sequence by host.id with maxspan = 30s
    [network where host.os.type == "windows" and network.direction : ("incoming", "ingress") and destination.port in (5985, 5986) and
     network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"]
-   [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "wsmprovhost.exe" and not process.name : "conhost.exe"]
+   [process where host.os.type == "windows" and 
+    event.type == "start" and process.parent.name : "wsmprovhost.exe" and not process.executable : "?:\\Windows\\System32\\conhost.exe"]
 '''
 
 

rules/windows/lateral_movement_rdp_enabled_registry.toml

@@ -65,14 +65,16 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-registry where host.os.type == "windows" and event.type in ("creation", "change") and
-  registry.path : (
-    "HKLM\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\fDenyTSConnections",
-    "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\fDenyTSConnections"
-  ) and
+registry where host.os.type == "windows" and 
+ event.type in ("creation", "change") and
+  registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\fDenyTSConnections" and
   registry.data.strings : ("0", "0x00000000") and
-  not (process.name : "svchost.exe" and user.domain == "NT AUTHORITY") and
-  not process.executable : "C:\\Windows\\System32\\SystemPropertiesRemote.exe"
+  not process.executable : ("?:\\Windows\\System32\\SystemPropertiesRemote.exe", 
+                            "?:\\Windows\\System32\\SystemPropertiesComputerName.exe", 
+                            "?:\\Windows\\System32\\SystemPropertiesAdvanced.exe", 
+                            "?:\\Windows\\System32\\SystemSettingsAdminFlows.exe", 
+                            "?:\\Windows\\WinSxS\\*\\TiWorker.exe", 
+                            "?:\\Windows\\system32\\svchost.exe")
 '''
 
 

rules/windows/lateral_movement_remote_services.toml

@@ -112,10 +112,10 @@ sequence with maxspan=1s
       network.direction : ("incoming", "ingress") and network.transport == "tcp" and
       source.port >= 49152 and destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1"
    ] by host.id, process.entity_id
-
-   [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "services.exe" and
-       not (process.name : "svchost.exe" and process.args : "tiledatamodelsvc") and
-       not (process.name : "msiexec.exe" and process.args : "/V") and
+   [process where host.os.type == "windows" and 
+       event.type == "start" and process.parent.name : "services.exe" and
+       not (process.executable : "?:\\Windows\\System32\\svchost.exe" and process.args : "tiledatamodelsvc") and
+       not (process.executable : "?:\\Windows\\System32\\msiexec.exe" and process.args : "/V") and
        not process.executable :
                ("?:\\Windows\\ADCR_Agent\\adcrsvc.exe",
                 "?:\\Windows\\System32\\VSSVC.exe",

rules/windows/persistence_scheduled_task_updated.toml

@@ -6,6 +6,7 @@ min_stack_comments = "New fields added: required_fields, related_integrations, s
 min_stack_version = "8.3.0"
 updated_date = "2023/06/22"
 
+
 [rule]
 author = ["Elastic"]
 description = """
@@ -20,9 +21,9 @@ language = "eql"
 license = "Elastic License v2"
 name = "A scheduled task was updated"
 references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"]
-risk_score = 21
+risk_score = 47
 rule_id = "a02cb68e-7c93-48d1-93b2-2c39023308eb"
-severity = "low"
+severity = "medium"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -31,13 +32,22 @@ query = '''
 iam where event.action == "scheduled-task-updated" and
 
  /* excluding tasks created by the computer account */
- not user.name : "*$" and
+ not user.name : "*$" and 
+ not winlog.event_data.TaskName : "*Microsoft*" and 
  not winlog.event_data.TaskName :
           ("\\User_Feed_Synchronization-*",
            "\\OneDrive Reporting Task-S-1-5-21*",
            "\\OneDrive Reporting Task-S-1-12-1-*",
            "\\Hewlett-Packard\\HP Web Products Detection",
-           "\\Hewlett-Packard\\HPDeviceCheck")
+           "\\Hewlett-Packard\\HPDeviceCheck", 
+           "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant", 
+           "\\IpamDnsProvisioning",  
+           "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantAllUsersRun", 
+           "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun", 
+           "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun", 
+           "\\Microsoft\\Windows\\.NET Framework\\.NET Framework NGEN v*", 
+           "\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload") and 
+  not winlog.event_data.SubjectUserSid :  ("S-1-5-18", "S-1-5-19", "S-1-5-20")
 '''
 
 

rules/windows/privilege_escalation_persistence_phantom_dll.toml

@@ -100,8 +100,13 @@ any where host.os.type == "windows" and
   (file.name : ("wlbsctrl.dll", "wbemcomn.dll", "WptsExtensions.dll", "Tsmsisrv.dll", "TSVIPSrv.dll", "Msfte.dll",
                "wow64log.dll", "WindowsCoreDeviceInfo.dll", "Ualapi.dll", "wlanhlp.dll", "phoneinfo.dll", "EdgeGdi.dll",
                "cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll", "oci.dll", "TPPCOIPW32.dll", 
-               "tpgenlic.dll", "thinmon.dll", "fxsst.dll", "msTracer.dll")
-   and not file.code_signature.status == "Valid")
+               "tpgenlic.dll", "thinmon.dll", "fxsst.dll", "msTracer.dll") and 
+   not file.path : ("?:\\Windows\\System32\\wbemcomn.dll", "?:\\Windows\\SysWOW64\\wbemcomn.dll") and 
+   not file.hash.sha256 : 
+            ("6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f", 
+             "b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4", 
+             "c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662") and 
+   not file.code_signature.status == "Valid")
   )
 '''