diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml
index 60304a4f6..45c53eeb1 100644
--- a/rules/windows/credential_access_posh_request_ticket.toml
+++ b/rules/windows/credential_access_posh_request_ticket.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/11"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -86,7 +86,7 @@ event.category:process and host.os.type:windows and
 KerberosRequestorSecurityToken
 ) and not user.id : ("S-1-5-18" or "S-1-5-20") and
 not powershell.file.script_block_text : (
- "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
+ "sentinelbreakpoints" and ("Set-PSBreakpoint" or "Set-HookFunctionTabs")
 )
 '''
 
diff --git a/rules/windows/credential_access_remote_sam_secretsdump.toml b/rules/windows/credential_access_remote_sam_secretsdump.toml
index 3383e7334..f9718868c 100644
--- a/rules/windows/credential_access_remote_sam_secretsdump.toml
+++ b/rules/windows/credential_access_remote_sam_secretsdump.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/03/01"
-integration = ["endpoint", "system", "windows"]
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/21"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies remote access to the registry to potentially dump credential data fro
 registry hive in preparation for credential access and privileges elevation.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Remote Credential Access via Registry"
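Review bot: The relaxed exclusion on the new `+` line makes the allow-list easier to satisfy: a script block now only needs the string `sentinelbreakpoints` plus either `Set-PSBreakpoint` or `Set-HookFunctionTabs`, and because `powershell.file.script_block_text` is entirely attacker-controlled, an adversary who knows the rule can append `# sentinelbreakpoints Set-PSBreakpoint` to a Kerberoasting script and silence this detection, whereas the previous form at least required a third marker (`PowerSploitIndicators`). Consider anchoring the agent exclusion on something the script author cannot forge — for example combining it with the `process.executable` or `user.id` of the agent's service context — and, at minimum, record the known bypass in the rule's `false_positives`/`note` section so the allow-list is revisited rather than silently widened again. The `query` string this hunk edits begins above line 86 and is not visible here.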
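Review bot: Dropping `winlogbeat-*` and `logs-system.*` from `index` (together with the `integration` trim in the hunk above) silently removes coverage for deployments that only ship Windows Security auditing through Winlogbeat or the System integration, and nothing in the hunk replaces it; that is acceptable if the query relies exclusively on Elastic Defend fields, but the query itself is outside this hunk, so I cannot confirm it. Please check that the rule's `setup`/`note` text and `required_fields` (also outside the hunk) no longer describe Security-event or Winlogbeat prerequisites, otherwise the rule will document a data source it no longer reads. If Security-event coverage was intentionally dropped, a single sentence in `note` such as `This rule requires Elastic Defend process/registry events; Windows Security auditing alone will not populate it` would save the next maintainer the same question.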
diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml
index d4d7e09e8..ef03fbdc3 100644
--- a/rules/windows/credential_access_spn_attribute_modified.toml
+++ b/rules/windows/credential_access_spn_attribute_modified.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -100,6 +100,7 @@ type = "query"
 query = '''
 event.action:"Directory Service Changes" and event.code:5136 and
+ winlog.event_data.OperationType:"%%14674" and
 winlog.event_data.ObjectClass:"user" and
 winlog.event_data.AttributeLDAPDisplayName:"servicePrincipalName"
 '''
 
diff --git a/rules/windows/credential_access_suspicious_lsass_access_generic.toml b/rules/windows/credential_access_suspicious_lsass_access_generic.toml
index 1ceea773f..9f0cec5e3 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_generic.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_generic.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
 min_stack_version = "8.8.0"
-updated_date = "2023/06/29"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
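Review bot: The new `winlog.event_data.OperationType:"%%14674"` term is an opaque message-table token with no explanation anywhere in the hunk; if I recall correctly `%%14674` resolves to "Value Added" for event 5136 (with `%%14675` being "Value Deleted"), but that should be confirmed and written down, because KQL offers no inline comments. Two consequences deserve a sentence in the rule's `description` or `note` (both outside this hunk): the rule now ignores SPN removals, so an adversary cleaning up a temporary SPN after targeted Kerberoasting no longer fires it, and the match assumes the integration leaves the raw `%%14674` token in `OperationType` rather than a rendered string — verify that both the `system` and `windows` integrations listed in the metadata emit the same form. Something like `Only SPN additions (OperationType %%14674, "Value Added") are alerted on; deletions are intentionally excluded to reduce noise from account cleanup` in `note` would capture both points.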
@@ -33,20 +33,25 @@ process where host.os.type == "windows" and event.code == "10" and
 not winlog.event_data.GrantedAccess : ("0x1000", "0x1400", "0x101400", "0x101000", "0x101001", "0x100000", "0x100040", "0x3200", "0x40", "0x3200") and not process.name : ("procexp64.exe", "procmon.exe", "procexp.exe", "Microsoft.Identity.AadConnect.Health.AadSync.Host.ex") and
- not process.executable :
- ("?:\\Windows\\System32\\lsm.exe",
- "?:\\Program Files\\*",
- "?:\\Program Files (x86)\\*",
- "?:\\Windows\\System32\\msiexec.exe",
- "?:\\Windows\\CCM\\CcmExec.exe",
- "?:\\Windows\\system32\\csrss.exe",
- "?:\\Windows\\system32\\wininit.exe",
- "?:\\Windows\\system32\\wbem\\wmiprvse.exe",
- "?:\\Windows\\system32\\MRT.exe",
- "?:\\ProgramData\\Microsoft\\Windows Defender\\platform\\*",
- "?:\\ProgramData\\WebEx\\webex\\*",
- "?:\\Windows\\LTSvc\\LTSVC.exe") and
- not winlog.event_data.CallTrace : ("*mpengine.dll*", "*appresolver.dll*", "*sysmain.dll*")
+ not process.executable : (
+ "?:\\ProgramData\\Microsoft\\Windows Defender\\platform\\*",
+ "?:\\ProgramData\\WebEx\\webex\\*",
+ "?:\\Program Files (x86)\\*",
+ "?:\\Program Files\\*",
+ "?:\\Windows\\CCM\\CcmExec.exe",
+ "?:\\Windows\\LTSvc\\LTSVC.exe",
+ "?:\\Windows\\Sysmon.exe",
+ "?:\\Windows\\Sysmon64.exe",
+ "?:\\Windows\\system32\\csrss.exe",
+ "?:\\Windows\\System32\\lsm.exe",
+ "?:\\Windows\\system32\\MRT.exe",
+ "?:\\Windows\\System32\\msiexec.exe",
+ "?:\\Windows\\system32\\wbem\\wmiprvse.exe",
+ "?:\\Windows\\system32\\wininit.exe",
+ "?:\\Windows\\SystemTemp\\GUM*.tmp\\GoogleUpdate.exe",
+ "?:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe"
+ ) and
+ not winlog.event_data.CallTrace : ("*mpengine.dll*", "*appresolver.dll*", "*sysmain.dll*")
 '''
 
diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
index 889e8fedf..261319a36 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
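Review bot: The new `?:\\Windows\\SystemTemp\\GUM*.tmp\\GoogleUpdate.exe` entry is a wildcarded path under a temp directory, and like every other entry in this list it is matched on `process.executable` alone — Sysmon event 10 carries no signer information, so any binary that can be placed at a matching path (or a renamed dumper copied to `C:\Windows\Sysmon64.exe`, which the hunk also adds) inherits the exclusion outright. The access mask and `CallTrace` are the only non-path signals in this query, so for the temp-path entry I would at least scope it with the `winlog.event_data.GrantedAccess` value actually observed from GoogleUpdate, e.g. `not (process.executable : "?:\\Windows\\SystemTemp\\GUM*.tmp\\GoogleUpdate.exe" and winlog.event_data.GrantedAccess : "<observed mask>")`, or document in `false_positives` why an unconditional exclusion is acceptable. As a style point, the list now mixes `System32`/`system32`/`sysWOW64` casing; EQL `:` is case-insensitive so behaviour is unaffected, but normalising it would keep future diffs to the list clean. The `query` block this hunk edits begins above line 33 and is not visible here.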
+++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
 min_stack_version = "8.8.0"
-updated_date = "2023/10/13"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -40,7 +40,11 @@ process where host.os.type == "windows" and event.code == "10" and
 winlog.event_data.CallTrace : ("*dbghelp*", "*dbgcore*") and
 /* case of lsass crashing */
- not process.executable : ("?:\\Windows\\System32\\WerFault.exe", "?:\\Windows\\System32\\WerFaultSecure.exe")
+ not process.executable : (
+ "?:\\Windows\\System32\\WerFault.exe",
+ "?:\\Windows\\SysWOW64\\WerFault.exe",
+ "?:\\Windows\\System32\\WerFaultSecure.exe"
+ )
 '''
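Review bot: Adding the SysWOW64 copy of `WerFault.exe` widens a path-only exclusion for a binary that is itself a known LSASS-dumping vehicle: the IFEO `SilentProcessExit` technique makes a legitimately located WerFault.exe dump lsass through `dbghelp`/`dbgcore`, which is exactly the `CallTrace` this rule keys on, so every WerFault entry here is a blind spot unless a sibling rule covers the `SilentProcessExit` registry keys. If such a rule exists, naming it in `note` would make the trade-off explicit; if not, consider limiting the exclusion to a `winlog.event_data.GrantedAccess` value typical of crash handling instead of excluding the image outright. For symmetry, `WerFaultSecure.exe` presumably also ships under `SysWOW64` on 64-bit hosts — worth confirming now rather than after a stray alert prompts another one-off addition. The `query` this hunk edits begins above line 40 and is not visible here.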