security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] 3rd Party EDR Compatibility - 10 (#4035)

Browse Source 
* [Rule Tuning] 3rd Party EDR Compatibility - 10

* min_stack for merge, bump updated_date
This commit is contained in:
Jonhnathan
2024-10-11 15:58:37 -03:00
committed by GitHub
parent 8938f09668
commit 7b655759ab
10 changed files with 89 additions and 116 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/execution_enumeration_via_wmiprvse.toml
+14 -33
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2021/01/19"
integration = ["endpoint", "windows", "system"]
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -14,23 +16,18 @@ from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "Enumeration Command Spawned via WMIPrvSE"
risk_score = 21
rule_id = "770e0c4d-b998-41e5-a62e-c7901fd7f470"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "low"
tags = [
"Domain: Endpoint",
@@ -40,6 +37,9 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -48,28 +48,9 @@ query = '''
process where host.os.type == "windows" and event.type == "start" and process.command_line != null and
process.name:
(
"arp.exe",
"dsquery.exe",
"dsget.exe",
"gpresult.exe",
"hostname.exe",
"ipconfig.exe",
"nbtstat.exe",
"net.exe",
"net1.exe",
"netsh.exe",
"netstat.exe",
"nltest.exe",
"ping.exe",
"qprocess.exe",
"quser.exe",
"qwinsta.exe",
"reg.exe",
"sc.exe",
"systeminfo.exe",
"tasklist.exe",
"tracert.exe",
"whoami.exe"
"arp.exe", "dsquery.exe", "dsget.exe", "gpresult.exe", "hostname.exe", "ipconfig.exe", "nbtstat.exe",
"net.exe", "net1.exe", "netsh.exe", "netstat.exe", "nltest.exe", "ping.exe", "qprocess.exe", "quser.exe",
"qwinsta.exe", "reg.exe", "sc.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe", "whoami.exe"
) and
process.parent.name:"wmiprvse.exe" and
not (
rules/windows/execution_from_unusual_path_cmdline.toml
+11 -11
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/10/30"
integration = ["endpoint", "windows", "system"]
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[transform]
[[transform.osquery]]
@@ -40,9 +42,12 @@ from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
@@ -104,14 +109,6 @@ references = [
]
risk_score = 47
rule_id = "cff92c41-2225-4763-b4ce-6f71e5bda5e6"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
"Domain: Endpoint",
@@ -123,6 +120,9 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/execution_initial_access_via_msc_file.toml
+7 -3
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2024/05/12"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -11,7 +13,7 @@ Identifies the execution of a child process from a Microsoft Common Console file
command in an MSC file in order to trick victims into executing malicious commands.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Execution via Microsoft Common Console File"
@@ -53,6 +55,8 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/execution_mofcomp.toml
+6 -3
View File
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2023/08/23"
integration = ["endpoint"]
integration = ["endpoint", "m365_defender", "system"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/10"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ files to build their own namespaces and classes into the Windows Management Inst
establish persistence using WMI Event Subscription.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
index = ["logs-endpoint.events.process-*", "logs-m365_defender.event-*", "endgame-*", "logs-system.security-*"]
language = "eql"
license = "Elastic License v2"
name = "Mofcomp Activity"
@@ -25,6 +25,9 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Elastic Endgame",
"Data Source: System",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/execution_shared_modules_local_sxs_dll.toml
+7 -11
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/10/28"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -12,7 +14,7 @@ shared modules to execute malicious payloads by instructing the Windows module l
paths.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Execution via local SxS Shared Module"
@@ -23,14 +25,6 @@ The SxS DotLocal folder is a legitimate feature that can be abused to hijack sta
references = ["https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection"]
risk_score = 47
rule_id = "a3ea12f3-0d4e-4667-8b44-4230c63f3c75"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
"Domain: Endpoint",
@@ -40,6 +34,8 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/execution_suspicious_cmd_wmi.toml
+11 -11
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/10/19"
integration = ["endpoint", "windows", "system"]
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -14,9 +16,12 @@ from = "now-9m"
index = [
"logs-endpoint.events.process-*",
"winlogbeat-*",
"logs-windows.*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
@@ -27,14 +32,6 @@ references = [
]
risk_score = 47
rule_id = "12f07955-1674-44f7-86b5-c35da0a6f41a"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
"Domain: Endpoint",
@@ -44,6 +41,9 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/execution_suspicious_pdf_reader.toml
+11 -11
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/03/30"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -14,9 +16,12 @@ from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
@@ -71,14 +76,6 @@ This rule looks for commonly abused built-in utilities spawned by a PDF reader p
"""
risk_score = 21
rule_id = "53a26770-9cbd-40c5-8b57-61d01a325e14"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "low"
tags = [
"Domain: Endpoint",
@@ -90,6 +87,9 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/execution_suspicious_psexesvc.toml
+4 -11
View File
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/08/14"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "m365_defender"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/10"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies suspicious psexec activity which is executing from the psexec service
evade detection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Process Execution via Renamed PsExec Executable"
@@ -48,14 +48,6 @@ This rule identifies instances where the PsExec service component is executed us
"""
risk_score = 47
rule_id = "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
"Domain: Endpoint",
@@ -67,6 +59,7 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/execution_via_compiled_html_file.toml
+11 -11
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/02/18"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[transform]
[[transform.osquery]]
@@ -48,9 +50,12 @@ from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
@@ -114,14 +119,6 @@ When users double-click CHM files, the HTML Help executable program (`hh.exe`) w
"""
risk_score = 47
rule_id = "e3343ab9-4245-4715-b344-e11c56b0a47f"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
"Domain: Endpoint",
@@ -132,6 +129,9 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/execution_via_hidden_shell_conhost.toml
+7 -11
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/08/17"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -11,7 +13,7 @@ Detects when the Console Window Host (conhost.exe) process is spawned by a suspi
indicative of code injection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Conhost Spawned By Suspicious Parent Process"
@@ -68,14 +70,6 @@ references = [
]
risk_score = 73
rule_id = "05b358de-aa6d-4f6c-89e6-78f74018b43b"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "high"
tags = [
"Domain: Endpoint",
@@ -88,6 +82,8 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"