[Tuning] Tuning Windows - 3 Rules (#3388)

* Update privilege_escalation_newcreds_logon_rare_process.toml

* Update privilege_escalation_make_token_local.toml

* Update privilege_escalation_make_token_local.toml

* Update privilege_escalation_create_process_with_token_unpriv.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
sbousseaden
2024-02-20 15:56:28 +00:00
committed by GitHub
parent 089e6671aa
commit 853e18950f
3 changed files with 16 additions and 8 deletions
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: process.Ext.effective_parent.executable, process.Ext.effective_parent.name, process.Ext.relative_file_creation_time, process.Ext.relative_file_name_modify_time"
min_stack_version = "8.4.0"
updated_date = "2023/10/02"
updated_date = "2024/01/15"
[rule]
author = ["Elastic"]
@@ -49,7 +49,12 @@ process where host.os.type == "windows" and event.action == "start" and
process.command_line : ("*davclnt.dll,DavSetCookie*", "*?:\\Program Files*",
"*\\Windows\\System32\\winethc.dll*", "*\\Windows\\SYSTEM32\\EDGEHTML.dll*",
"*shell32.dll,SHCreateLocalServerRunDll*")) and
not startswith~(process.Ext.effective_parent.name, process.parent.name)
not startswith~(process.Ext.effective_parent.name, process.parent.name) and
not (process.name : "powershell.exe" and process.parent.name : "wmiprvse.exe" and process.Ext.effective_parent.executable : "?:\\Windows\\System32\\wsmprovhost.exe") and
not (process.Ext.effective_parent.executable : "?:\\Windows\\System32\\RuntimeBroker.exe" and process.parent.executable : "?:\\Windows\\System32\\sihost.exe") and
not (process.Ext.effective_parent.executable : "?:\\Windows\\System32\\sethc.exe" and process.parent.executable : "?:\\Windows\\System32\\svchost.exe") and
not (process.Ext.effective_parent.executable : "?:\\Windows\\explorer.exe" and
process.parent.executable : ("?:\\Windows\\System32\\svchost.exe", "?:\\Windows\\System32\\msiexec.exe", "?:\\Windows\\twain_32\\*.exe"))
'''
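Review bot: Three of the five new exclusions (RuntimeBroker under sihost, sethc under svchost, and explorer under svchost/msiexec/twain_32) key only on the parent and effective-parent pair and never constrain the child, so any process started under those pairs is suppressed, unlike the first new clause which also pins `process.name : "powershell.exe"`. The sethc.exe clause in particular needs a recorded rationale, since that accessibility binary is a well-known hijack target and a blanket effective-parent exclusion on it is easy to misread in a later tuning pass; a TOML comment on the `query` key (which starts outside this hunk), such as `# sethc.exe via svchost: <benign scenario observed> — confirm before widening`, would carry it. The `twain_32\\*.exe` wildcard under explorer could likewise be narrowed to the specific scanner executables that were observed, if the tuning data supports it. The EQL query string begins before this hunk.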
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/12/04"
updated_date = "2024/01/15"
[rule]
author = ["Elastic"]
@@ -39,13 +39,16 @@ query = '''
authentication where
host.os.type : "windows" and winlog.event_data.LogonProcessName : "Advapi*" and
winlog.logon.type == "Interactive" and winlog.event_data.SubjectUserSid : ("S-1-5-21*", "S-1-12-*") and
winlog.event_data.TargetUserSid : ("S-1-5-21*", "S-1-12-*") and
winlog.event_data.TargetUserSid : ("S-1-5-21*", "S-1-12-*") and process.executable : "C:\\*" and
not startswith~(winlog.event_data.SubjectUserSid, winlog.event_data.TargetUserSid) and
not process.executable :
("?:\\Windows\\System32\\winlogon.exe",
"?:\\Windows\\System32\\wininit.exe",
"?:\\Program Files\\Okta\\Okta Verify\\OktaVerify.exe",
"?:\\Program Files (x86)\\Okta\\Okta Verify\\OktaVerify.exe")
"?:\\Program Files\\*.exe",
"?:\\Program Files (x86)\\*.exe",
"?:\\Windows\\SysWOW64\\inetsrv\\w3wp.exe",
"?:\\Windows\\System32\\inetsrv\\w3wp.exe",
"?:\\Windows\\SysWOW64\\msiexec.exe")
'''
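Review bot: The new `process.executable : "C:\\*"` predicate hardcodes the drive letter while every path in the exclusion list below it uses the `?:\\` wildcard prefix, so logons whose ProcessName sits on another volume now drop out of the rule entirely instead of being evaluated. If the goal is only to require a populated executable field, `process.executable : "?:\\*"` keeps the two consistent; if `C:` is deliberate, a comment on the `query` key should say so. Replacing the two specific Okta Verify paths with `"?:\\Program Files\\*.exe"` and `"?:\\Program Files (x86)\\*.exe"` exempts every installed third-party executable, which is the largest scope cut in this commit and is worth recording in the rule's false-positive notes together with the reason. The `query = '''` string begins before this hunk.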
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
maturity = "production"
min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
min_stack_version = "8.4.0"
updated_date = "2023/11/15"
updated_date = "2024/01/15"
[rule]
author = ["Elastic"]
@@ -26,7 +26,7 @@ timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.category:"authentication" and host.os.type:"windows" and winlog.logon.type:"NewCredentials" and winlog.event_data.LogonProcessName:(Advapi* or "Advapi ")
event.category:"authentication" and host.os.type:"windows" and winlog.logon.type:"NewCredentials" and winlog.event_data.LogonProcessName:(Advapi* or "Advapi ") and not winlog.event_data.SubjectUserName:*$ and not process.executable :???\\Program?Files*
'''
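Review bot: The added `not winlog.event_data.SubjectUserName:*$` exempts every machine account as logon subject, so NewCredentials logons initiated by services running under the computer identity no longer feed the new-terms baseline; that is a deliberate trade-off that should be recorded in the rule's false-positive notes rather than left implicit in the query. The exclusion `process.executable :???\\Program?Files*` places three single-character placeholders before the backslash, whereas the EQL forms in the other two files use `?:\\` (two characters before the backslash); if `?` is a single-character wildcard here, the pattern looks off by one against a value like `C:\Program Files\...` and may never match, so verify it against an indexed 4624 `process.executable` before relying on it. As a point of style, the query is now a single long line; splitting it at each `and` inside the `'''` block, as the EQL rules do, would keep future tuning diffs readable.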