From 8e02c60ef6d616b3952a788ce3330d727cb2789d Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Tue, 31 Jan 2023 16:56:19 -0300 Subject: [PATCH] [Rule Tuning] Enclose Rule Conditions within Parenthesis (#2486) --- ...er_or_listener_established_via_netcat.toml | 5 ++-- .../execution_shell_evasion_linux_binary.toml | 5 ++-- .../persistence_chkconfig_service_add.toml | 8 ++++--- .../windows/collection_winrar_encryption.toml | 4 +++- .../credential_access_cmdline_dump_tool.toml | 24 ++++++++++--------- ...e_evasion_clearing_windows_event_logs.toml | 4 +++- ...efense_evasion_disabling_windows_logs.toml | 5 ++-- ...sion_execution_windefend_unusual_path.toml | 4 +++- rules/windows/discovery_admin_recon.toml | 4 +++- ...ote_system_discovery_commands_windows.toml | 4 +++- ...ateral_movement_evasion_rdp_shadowing.toml | 2 +- 11 files changed, 43 insertions(+), 26 deletions(-) diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml index 642f74354..e53426a10 100644 --- a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml +++ b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/01/19" [rule] author = ["Elastic"] @@ -79,7 +79,8 @@ type = "eql" query = ''' sequence by process.entity_id - [process where process.name:("nc","ncat","netcat","netcat.openbsd","netcat.traditional") and ( + [process where event.type == "start" and + process.name:("nc","ncat","netcat","netcat.openbsd","netcat.traditional") and ( /* bind shell to echo for command execution */ (process.args:("-l","-p") and process.args:("-c","echo","$*")) /* bind shell to specific port */ 
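Review bot: The `event.type == "start"` predicate added to the first step of the `sequence by process.entity_id` query is a detection change rather than the parenthesis clean-up the subject describes, and nothing in the hunk records why it was added; a short EQL comment on the new line, `/* only process start events may open the sequence */`, or a sentence in the description would make the narrowing explicit for the next tuning pass. Whether the later steps of the sequence carry the same filter is not visible here, and the query body continues past the end of the hunk.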
diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml index 6ceca787c..13c902745 100644 --- a/rules/linux/execution_shell_evasion_linux_binary.toml +++ b/rules/linux/execution_shell_evasion_linux_binary.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/20" +updated_date = "2023/01/19" [rule] author = ["Elastic"] @@ -103,7 +103,7 @@ type = "eql" query = ''' process where event.type == "start" and - + ( /* launch shells from unusual process */ (process.name == "capsh" and process.args == "--") or @@ -137,6 +137,7 @@ process where event.type == "start" and (process.parent.name == "mysql" and process.parent.args == "-e" and process.parent.args in ("\\!*sh", "\\!*bash", "\\!*dash", "\\!*/bin/sh", "\\!*/bin/bash", "\\!*/bin/dash")) or (process.parent.name == "ssh" and process.parent.args == "-o" and process.parent.args in ("ProxyCommand=;sh 0<&2 1>&2", "ProxyCommand=;bash 0<&2 1>&2", "ProxyCommand=;dash 0<&2 1>&2", "ProxyCommand=;/bin/sh 0<&2 1>&2", "ProxyCommand=;/bin/bash 0<&2 1>&2", "ProxyCommand=;/bin/dash 0<&2 1>&2")) or (process.parent.name in ("nawk", "mawk", "awk", "gawk") and process.parent.args : "BEGIN {system(*)}") + ) ''' diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml index d512fa84e..217271f11 100644 --- a/rules/linux/persistence_chkconfig_service_add.toml +++ b/rules/linux/persistence_chkconfig_service_add.toml @@ -3,7 +3,7 @@ creation_date = "2022/07/22" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/20" +updated_date = "2023/01/19" integration = ["endpoint"] [rule] 
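Review bot: The outer `(` that replaces the blank line after `event.type == "start" and` and its matching `)` in the second hunk decide which alternatives the start-event filter applies to, yet neither carries a comment saying so, and the same bare pair is introduced in collection_winrar_encryption, credential_access_cmdline_dump_tool, defense_evasion_clearing_windows_event_logs, defense_evasion_disabling_windows_logs, defense_evasion_execution_windefend_unusual_path and discovery_admin_recon. A one-line EQL comment right after the opening parenthesis, `/* grouped so event.type == "start" applies to every alternative below */`, would stop a later edit from dropping the grouping again. The query body between the two hunks is not shown here.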
@@ -28,8 +28,10 @@ type = "eql" query = ''' process where event.type == "start" and - ((process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or - (process.args : "*chkconfig" and process.args : "--add")) +( + (process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or + (process.args : "*chkconfig" and process.args : "--add") +) ''' [[rule.threat]] diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml index 92253b0ef..1a5b7fda4 100644 --- a/rules/windows/collection_winrar_encryption.toml +++ b/rules/windows/collection_winrar_encryption.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/01/19" [rule] author = ["Elastic"] @@ -64,6 +64,7 @@ type = "eql" query = ''' process where event.type == "start" and +( ((process.name:"rar.exe" or process.code_signature.subject_name == "win.rar GmbH" or process.pe.original_file_name == "Command line RAR") and process.args == "a" and process.args : ("-hp*", "-p*", "-dw", "-tb", "-ta", "/hp*", "/p*", "/dw", "/tb", "/ta")) @@ -74,6 +75,7 @@ process where event.type == "start" and /* uncomment if noisy for backup software related FPs */ /* not process.parent.executable : ("C:\\Program Files\\*.exe", "C:\\Program Files (x86)\\*.exe") */ +) ''' diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml index 7ae7b0236..d45678412 100644 --- a/rules/windows/credential_access_cmdline_dump_tool.toml +++ b/rules/windows/credential_access_cmdline_dump_tool.toml 
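Review bot: In collection_winrar_encryption the closing `)` added in the second hunk sits after the commented-out parent-executable exclusion, so if that template is later enabled by prefixing `and`, the exclusion lands inside the group, where `and not` binds only to the last `or` alternative instead of filtering the whole rule. Emitting `)` before the two comment lines and rewriting the template to `/* and not process.parent.executable : ("C:\\Program Files\\*.exe", "C:\\Program Files (x86)\\*.exe") */` keeps the exclusion global when it is switched on. The alternatives between the two hunks are not visible here.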
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/01/19"
 
 [rule]
 author = ["Elastic"]
@@ -73,16 +73,18 @@ type = "eql" query = ''' process where event.type == "start" and -/* update here with any new lolbas with dump capability */ -(process.pe.original_file_name == "procdump" and process.args : "-ma") or -(process.name : "ProcessDump.exe" and not process.parent.executable regex~ """C:\\Program Files( \(x86\))?\\Cisco Systems\\.*""") or -(process.pe.original_file_name == "WriteMiniDump.exe" and not process.parent.executable regex~ """C:\\Program Files( \(x86\))?\\Steam\\.*""") or -(process.pe.original_file_name == "RUNDLL32.EXE" and (process.args : "MiniDump*" or process.command_line : "*comsvcs.dll*#24*")) or -(process.pe.original_file_name == "RdrLeakDiag.exe" and process.args : "/fullmemdmp") or -(process.pe.original_file_name == "SqlDumper.exe" and process.args : "0x01100*") or -(process.pe.original_file_name == "TTTracer.exe" and process.args : "-dumpFull" and process.args : "-attach") or -(process.pe.original_file_name == "ntdsutil.exe" and process.args : "create*full*") or -(process.pe.original_file_name == "diskshadow.exe" and process.args : "/s") +( + /* update here with any new lolbas with dump capability */ + (process.pe.original_file_name == "procdump" and process.args : "-ma") or + (process.name : "ProcessDump.exe" and not process.parent.executable regex~ """C:\\Program Files( \ (x86\))?\\Cisco Systems\\.*""") or + (process.pe.original_file_name == "WriteMiniDump.exe" and not process.parent.executable regex~ """C:\\Program Files( \(x86\))?\\Steam\\.*""") or + (process.pe.original_file_name == "RUNDLL32.EXE" and (process.args : "MiniDump*" or process. 
command_line : "*comsvcs.dll*#24*")) or + (process.pe.original_file_name == "RdrLeakDiag.exe" and process.args : "/fullmemdmp") or + (process.pe.original_file_name == "SqlDumper.exe" and process.args : "0x01100*") or + (process.pe.original_file_name == "TTTracer.exe" and process.args : "-dumpFull" and process.args : "-attach") or + (process.pe.original_file_name == "ntdsutil.exe" and process.args : "create*full*") or + (process.pe.original_file_name == "diskshadow.exe" and process.args : "/s") +) ''' diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml index d86e1f7ee..875d019ce 100644 --- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/01/19" [rule] author = ["Elastic"] @@ -70,6 +70,7 @@ type = "eql" query = ''' process where event.type == "start" and +( ( (process.name : "wevtutil.exe" or process.pe.original_file_name == "wevtutil.exe") and process.args : ("/e:false", "cl", "clear-log") @@ -78,6 +79,7 @@ process where event.type == "start" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.args : "Clear-EventLog" ) +) ''' diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml index 87c263cc9..475862b77 100644 --- a/rules/windows/defense_evasion_disabling_windows_logs.toml +++ b/rules/windows/defense_evasion_disabling_windows_logs.toml 
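Review bot: The rewritten ProcessDump.exe line in credential_access_cmdline_dump_tool reads `regex~ """C:\\Program Files( \ (x86\))?\\Cisco Systems\\.*"""` with a space between `\` and `(x86`, whereas the removed line and the WriteMiniDump.exe line right below it have `( \(x86\))?`. If that space is really in the file rather than an artifact of this rendering (the RUNDLL32.EXE line is likewise wrapped at `process.` / `command_line`), the pattern no longer matches the `(x86)` directory form and, with its unbalanced group, may not compile at all, so the Cisco exclusion would quietly stop working. Restoring `( \(x86\))?` keeps the two parent-path regexes in the same form.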
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/01/19" [rule] author = ["Elastic", "Ivan Ninichuck", "Austin Songer"] @@ -73,7 +73,7 @@ type = "eql" query = ''' process where event.type == "start" and - +( ((process.name:"logman.exe" or process.pe.original_file_name == "Logman.exe") and process.args : "EventLog-*" and process.args : ("stop", "delete")) or @@ -82,6 +82,7 @@ process where event.type == "start" and process.args : "Set-Service" and process.args: "EventLog" and process.args : "Disabled") or ((process.name:"auditpol.exe" or process.pe.original_file_name == "AUDITPOL.EXE") and process.args : "/success:disable") +) ''' diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml index bed22ced9..10cb8f36c 100644 --- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml +++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/01/19" [rule] author = ["Elastic", "Dennis Perto"] @@ -35,6 +35,7 @@ type = "eql" query = ''' process where event.type == "start" and +( (process.pe.original_file_name == "MsMpEng.exe" and not process.name : "MsMpEng.exe") or (process.name : "MsMpEng.exe" and not process.executable : ("?:\\ProgramData\\Microsoft\\Windows Defender\\*.exe", @@ -42,6 +43,7 @@ process where event.type == "start" and "?:\\Program Files (x86)\\Windows Defender\\*.exe", "?:\\Program Files\\Microsoft Security Client\\*.exe", "?:\\Program Files (x86)\\Microsoft Security Client\\*.exe")) +) ''' 
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml index 1f9e52cd8..73a8dc7b0 100644 --- a/rules/windows/discovery_admin_recon.toml +++ b/rules/windows/discovery_admin_recon.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/01/18" +updated_date = "2023/01/19" [rule] author = ["Elastic"] @@ -62,6 +62,7 @@ type = "eql" query = ''' process where event.type == "start" and +( (((process.name : "net.exe" or process.pe.original_file_name == "net.exe") or ((process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and not process.parent.name : "net.exe")) and @@ -73,6 +74,7 @@ process where event.type == "start" and ((process.name : "wmic.exe" or process.pe.original_file_name == "wmic.exe") and process.args : ("group", "useraccount")) +) ''' diff --git a/rules/windows/discovery_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_remote_system_discovery_commands_windows.toml index 21f479ee0..cd19d4390 100644 --- a/rules/windows/discovery_remote_system_discovery_commands_windows.toml +++ b/rules/windows/discovery_remote_system_discovery_commands_windows.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/01/19" [rule] author = ["Elastic"] @@ -55,8 +55,10 @@ type = "eql" query = ''' process where event.type == "start" and +( ((process.name : "nbtstat.exe" and process.args : ("-n", "-s")) or (process.name : "arp.exe" and process.args : "-a")) +) ''' diff --git a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml index 2246851dd..5d26dfbbb 100644 
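Review bot: The `(` and `)` added in discovery_remote_system_discovery_commands_windows wrap an expression that was already a single parenthesized group, `((process.name : "nbtstat.exe" and process.args : ("-n", "-s")) or (process.name : "arp.exe" and process.args : "-a"))`, so the new outer pair is redundant. For consistency with persistence_chkconfig_service_add in this same commit, either keep the new pair and drop the inner one so each alternative sits on its own line inside it, or leave this query untouched.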
--- a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml +++ b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml @@ -41,7 +41,7 @@ any where (event.category == "registry" and registry.path : "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow" ) or - (event.category == "process" and + (event.category == "process" and event.type == "start" and (process.name : ("RdpSaUacHelper.exe", "RdpSaProxy.exe") and process.parent.name : "svchost.exe") or (process.pe.original_file_name : "mstsc.exe" and process.args : "/shadow:*") )
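Review bot: The new line `(event.category == "process" and event.type == "start" and` is followed by two `or`-joined alternatives that are not themselves grouped, so with `and` binding tighter than `or` the category and start-event predicates gate only the RdpSaUacHelper.exe/RdpSaProxy.exe branch, while the `mstsc.exe ... /shadow:*` branch is evaluated on its own—the same precedence gap this commit closes in the other rules. Closing it here is one change on each side: end the new line with `and (` and make the final line `))`. The enclosing `any where` query starts before the hunk, and its tail may be cut off at the end of this chunk.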