security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs (#3825)

Browse Source 
* [Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs

* .

* Update integration-schemas.json.gz

* Fix integration manifests

Removed changes from:
- rules/windows/collection_email_powershell_exchange_mailbox.toml
- rules/windows/command_and_control_rdp_tunnel_plink.toml
- rules/windows/command_and_control_screenconnect_childproc.toml
- rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
- rules/windows/credential_access_kirbi_file.toml
- rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
- rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
- rules/windows/defense_evasion_suspicious_zoom_child_process.toml
- rules/windows/execution_command_shell_started_by_unusual_process.toml
- rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
- rules/windows/persistence_adobe_hijack_persistence.toml
- rules/windows/persistence_appcertdlls_registry.toml
- rules/windows/persistence_system_shells_via_services.toml

(selectively cherry picked from commit 54d5b442cf)
This commit is contained in:
Jonhnathan
2024-06-26 11:06:27 -03:00
committed by github-actions[bot]
parent a8a6562872
commit 8bab0df7bf
11 changed files with 34 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files
detection_rules/etc/integration-manifests.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/integration-schemas.json.gz
BIN
View File
Binary file not shown.
detection_rules/schemas/definitions.py
+2 -1
View File
@@ -41,7 +41,8 @@ NON_DATASET_PACKAGES = ['apm',
'system',
'windows',
'sentinel_one_cloud_funnel',
'ti_rapid7_threat_command']
'ti_rapid7_threat_command',
'm365_defender']
NON_PUBLIC_FIELDS = {
"related_integrations": (Version.parse('8.3.0'), None),
"required_fields": (Version.parse('8.3.0'), None),
rules/windows/credential_access_lsass_openprocess_api.toml
+5 -7
View File
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2023/03/02"
integration = ["endpoint"]
integration = ["endpoint", "m365_defender"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/06/25"
[transform]
[[transform.osquery]]
@@ -34,7 +34,7 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
author = ["Elastic"]
description = "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.\n"
from = "now-9m"
index = ["logs-endpoint.events.api-*"]
index = ["logs-endpoint.events.api-*", "logs-m365_defender.event-*"]
language = "eql"
license = "Elastic License v2"
name = "LSASS Process Access via Windows API"
@@ -112,6 +112,7 @@ tags = [
"Tactic: Credential Access",
"Tactic: Execution",
"Data Source: Elastic Defend",
"Data Source: Microsoft Defender for Endpoint"
]
timestamp_override = "event.ingested"
type = "eql"
@@ -119,9 +120,7 @@ type = "eql"
query = '''
api where host.os.type == "windows" and
process.Ext.api.name in ("OpenProcess", "OpenThread") and Target.process.name : "lsass.exe" and
not
(
process.executable : (
not process.executable : (
"?:\\ProgramData\\GetSupportService*\\Updates\\Update_*.exe",
"?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
"?:\\Program Files (x86)\\Asiainfo Security\\OfficeScan Client\\NTRTScan.exe",
@@ -158,7 +157,6 @@ api where host.os.type == "windows" and
"?:\\Windows\\System32\\RtkAudUService64.exe",
"?:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe"
) and process.code_signature.trusted == true
)
'''
rules/windows/defense_evasion_file_creation_mult_extension.toml
+5 -5
View File
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2021/01/19"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "m365_defender"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/06/25"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ when the name or location of a file is manipulated as a means of tricking a user
benign file type but is actually executable code.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"]
language = "eql"
license = "Elastic License v2"
name = "Executable File Creation with Multiple Extensions"
@@ -35,6 +35,7 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint"
]
timestamp_override = "event.ingested"
type = "eql"
@@ -43,8 +44,7 @@ query = '''
file where host.os.type == "windows" and event.type == "creation" and file.extension : "exe" and
file.name regex~ """.*\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\.exe""" and
not (process.executable : ("?:\\Windows\\System32\\msiexec.exe", "C:\\Users\\*\\QGIS_SCCM\\Files\\QGIS-OSGeo4W-*-Setup-x86_64.exe") and
file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe") and
not process.executable : ("/bin/sh", "/usr/sbin/MailScanner", "/usr/bin/perl")
file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe")
'''
rules/windows/defense_evasion_masquerading_trusted_directory.toml
+4 -2
View File
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/11/18"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "m365_defender"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/06/25"
[rule]
author = ["Elastic"]
@@ -18,6 +18,7 @@ index = [
"logs-windows.*",
"endgame-*",
"logs-system.security*",
"logs-m365_defender.event-*"
]
language = "eql"
license = "Elastic License v2"
@@ -40,6 +41,7 @@ tags = [
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Microsoft Defender for Endpoint"
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/defense_evasion_via_filter_manager.toml
+4 -2
View File
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/02/18"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "m365_defender"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/06/25"
[transform]
[[transform.osquery]]
@@ -43,6 +43,7 @@ index = [
"logs-windows.*",
"endgame-*",
"logs-system.security*",
"logs-m365_defender.event-*"
]
language = "eql"
license = "Elastic License v2"
@@ -110,6 +111,7 @@ tags = [
"Data Source: Elastic Endgame",
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
"Data Source: Microsoft Defender for Endpoint"
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/discovery_whoami_command_activity.toml
+4 -3
View File
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/02/18"
integration = ["endpoint", "system", "windows"]
integration = ["endpoint", "system", "windows", "m365_defender"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/06/25"
[rule]
author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.*", "endgame-*", "logs-m365_defender.event-*"]
language = "eql"
license = "Elastic License v2"
name = "Whoami Process Activity"
@@ -72,6 +72,7 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Microsoft Defender for Endpoint"
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/initial_access_exploit_jetbrains_teamcity.toml
+4 -2
View File
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2024/03/24"
integration = ["endpoint", "windows", "system"]
integration = ["endpoint", "windows", "system", "m365_defender"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/06/25"
[rule]
author = ["Elastic"]
@@ -23,6 +23,7 @@ index = [
"logs-windows.*",
"endgame-*",
"logs-system.security*",
"logs-m365_defender.event-*"
]
language = "eql"
license = "Elastic License v2"
@@ -41,6 +42,7 @@ tags = [
"Data Source: Elastic Endgame",
"Use Case: Vulnerability",
"Data Source: Elastic Defend",
"Data Source: Microsoft Defender for Endpoint"
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
+4 -2
View File
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/03/17"
integration = ["endpoint", "windows", "system"]
integration = ["endpoint", "windows", "system", "m365_defender"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/06/25"
[transform]
[[transform.osquery]]
@@ -43,6 +43,7 @@ index = [
"logs-windows.*",
"endgame-*",
"logs-system.security*",
"logs-m365_defender.event-*"
]
language = "eql"
license = "Elastic License v2"
@@ -121,6 +122,7 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Microsoft Defender for Endpoint"
]
timestamp_override = "event.ingested"
type = "eql"
tests/test_all_rules.py
+2 -1
View File
@@ -311,7 +311,8 @@ class TestRuleTags(BaseRuleTest):
'logs-windows.sysmon_operational-*': {'all': ['Data Source: Sysmon']},
'logs-windows.powershell*': {'all': ['Data Source: PowerShell Logs']},
'logs-sentinel_one_cloud_funnel.*': {'all': ['Data Source: SentinelOne']},
'logs-fim.event-*': {'all': ['Data Source: File Integrity Monitoring']}
'logs-fim.event-*': {'all': ['Data Source: File Integrity Monitoring']},
'logs-m365_defender.event-*': {'all': ['Data Source: Microsoft Defender for Endpoint']}
}
for rule in self.all_rules: