From 857ec6ba9495b638c3e46fdf0d701ace07d0e5bd Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Wed, 8 Dec 2021 03:32:39 -0300
Subject: [PATCH] [Rule Tuning] Replaces event.code with event.category on PowerShell ScriptBlock Rules (#1620)
* Replaces event.code with event.category
* bump updated_date
Co-authored-by: Justin Ibarra
(cherry picked from commit 851c5667305fec661d75ecbff474b1f91aec6668)
---
 rules/windows/collection_posh_audio_capture.toml | 4 ++--
 rules/windows/credential_access_posh_minidump.toml | 4 ++--
 rules/windows/defense_evasion_posh_process_injection.toml | 4 ++--
 rules/windows/discovery_posh_suspicious_api_functions.toml | 4 ++--
 rules/windows/execution_posh_portable_executable.toml | 4 ++--
 5 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml
index d9c3c5934..c6c4e2891 100644
--- a/rules/windows/collection_posh_audio_capture.toml
+++ b/rules/windows/collection_posh_audio_capture.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/19"
 maturity = "production"
-updated_date = "2021/10/19"
+updated_date = "2021/11/17"

 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.code:"4104" and
+event.category:process and
 powershell.file.script_block_text : (
 Get-MicrophoneAudio or (waveInGetNumDevs and mciSendStringA)
 )
diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml
index 6d237ea2e..98dbdae3e 100644
--- a/rules/windows/credential_access_posh_minidump.toml
+++ b/rules/windows/credential_access_posh_minidump.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/05"
 maturity = "production"
-updated_date = "2021/10/05"
+updated_date = "2021/11/17"

 [rule]
 author = ["Elastic"]
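Review bot: `+event.category:process and` removes the rule's only explicit link to Script Block Logging (event ID 4104), so the new query is held to script block events only by the implicit fact that `powershell.file.script_block_text` is populated for nothing else — a constraint the hunk leaves undocumented. The same substitution is made in the query hunks of credential_access_posh_minidump.toml, defense_evasion_posh_process_injection.toml, discovery_posh_suspicious_api_functions.toml and execution_posh_portable_executable.toml. KQL has no comment syntax, so the rationale cannot sit inside the `'''` string; if the rule's `note` field (not in this hunk) does not already say it, add a sentence such as "Requires PowerShell Script Block Logging; the query keys on `powershell.file.script_block_text`, which only script block (4104) events carry, so `event.category:process` is the matching ECS category rather than `event.code`." The query string opened at `query = '''` continues past the end of the hunk.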
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.code:"4104" and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM)
+event.category:process and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM)
 '''


diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml
index 0c121d731..5da9035a6 100644
--- a/rules/windows/defense_evasion_posh_process_injection.toml
+++ b/rules/windows/defense_evasion_posh_process_injection.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/14"
 maturity = "production"
-updated_date = "2021/10/14"
+updated_date = "2021/11/17"

 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.code:"4104" and
+event.category:process and
 powershell.file.script_block_text : (
 (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and
diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml
index efcecc666..52e8e87e2 100644
--- a/rules/windows/discovery_posh_suspicious_api_functions.toml
+++ b/rules/windows/discovery_posh_suspicious_api_functions.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/13"
 maturity = "production"
-updated_date = "2021/10/14"
+updated_date = "2021/11/17"

 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.code:"4104" and
+event.category:process and
 powershell.file.script_block_text : (
 NetShareEnum or
 NetWkstaUserEnum or
diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml
index d1e82fbaf..165bb6e9a 100644
--- a/rules/windows/execution_posh_portable_executable.toml
+++ b/rules/windows/execution_posh_portable_executable.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/15"
 maturity = "production"
-updated_date = "2021/10/15"
+updated_date = "2021/11/17"

 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.code:"4104" and
+event.category:process and
 powershell.file.script_block_text : (
 TVqQAAMAAAAEAAAA
 )