[Rule Tuning] Reduce FPs (#2223)

9 rules tuned to exclude common noisy FP patterns. Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Removed changes from: - rules/windows/execution_command_shell_started_by_svchost.toml (selectively cherry picked from commit b89d6185b2)
2022-08-15 16:15:48 +02:00
parent a7411d05c4
commit 96fd9f86a2
8 changed files with 70 additions and 17 deletions
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/02/01"
 maturity = "production"
-updated_date = "2022/07/22"
+updated_date = "2022/08/03"

 [rule]
 author = ["Elastic"]
@@ -96,7 +96,17 @@ registry where event.type in ("creation", "change") and
      "HKLM\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob",
      "HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
      "HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob"
-    )
+    ) and
+  not process.executable :
+              ("?:\\Program Files\\*.exe",
+               "?:\\Program Files (x86)\\*.exe",
+               "?:\\Windows\\System32\\*.exe",
+               "?:\\Windows\\SysWOW64\\*.exe",
+               "?:\\Windows\\Sysmon64.exe",
+               "?:\\Windows\\Sysmon.exe",
+               "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
+               "?:\\Windows\\WinSxS\\*.exe",
+               "?:\\Windows\\UUS\\amd64\\MoUsoCoreWorker.exe")
 '''


@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2022/05/21"
+updated_date = "2022/08/03"

 [rule]
 author = ["Elastic"]
@@ -83,7 +83,12 @@ registry where event.type in ("creation", "change") and
      registry.path:"HKLM\\System\\*ControlSet*\\Services\\WinDefend\\Start" and
      registry.data.strings in ("3", "4", "0x00000003", "0x00000004")
   )
-  )
+  ) and
+
+  not process.executable :
+           ("?:\\WINDOWS\\system32\\services.exe",
+            "?:\\Windows\\System32\\svchost.exe",
+            "?:\\Program Files (x86)\\Trend Micro\\Security Agent\\NTRmv.exe")
 '''


@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/08/03"

 [rule]
 author = ["Elastic"]
@@ -27,8 +27,25 @@ type = "eql"

 query = '''
 file where event.type == "creation" and
+
  file.path : "C:\\*:*" and
  not file.path : "C:\\*:zone.identifier*" and
+
+  not process.executable :
+          ("?:\\windows\\System32\\svchost.exe",
+           "?:\\Windows\\System32\\inetsrv\\w3wp.exe",
+           "?:\\Windows\\explorer.exe",
+           "?:\\Windows\\System32\\sihost.exe",
+           "?:\\Windows\\System32\\PickerHost.exe",
+           "?:\\Windows\\System32\\SearchProtocolHost.exe",
+           "?:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe",
+           "?:\\Program Files\\Rivet Networks\\SmartByte\\SmartByteNetworkService.exe",
+           "?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
+           "?:\\Program Files\\ExpressConnect\\ExpressConnectNetworkService.exe",
+           "?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
+           "?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
+           "?:\\Program Files\\Mozilla Firefox\\firefox.exe") and
+
  file.extension :
    (
      "pdf",
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2022/04/20"
+updated_date = "2022/08/03"

 [rule]
 author = ["Elastic"]
@@ -40,7 +40,10 @@ process where event.type in ("start", "process_started") and
        "Database-Maint.exe",
        "SolarWinds.Orion.ApiPoller.Service.exe",
        "WerFault.exe",
-        "WerMgr.exe")
+        "WerMgr.exe",
+        "SolarWinds.BusinessLayerHost.exe",
+        "SolarWinds.BusinessLayerHostx64.exe") and
+ not process.executable : ("?:\\Windows\\SysWOW64\\ARP.EXE", "?:\\Windows\\SysWOW64\\lodctr.exe", "?:\\Windows\\SysWOW64\\unlodctr.exe")
 '''


@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2022/05/21"
+updated_date = "2022/08/03"

 [rule]
 author = ["Elastic"]
@@ -89,9 +89,12 @@ type = "eql"
 query = '''
 process where event.type in ("start", "process_started") and
  process.name : "conhost.exe" and
-  process.parent.name : ("svchost.exe", "lsass.exe", "services.exe", "smss.exe", "winlogon.exe", "explorer.exe",
-                         "dllhost.exe", "rundll32.exe", "regsvr32.exe", "userinit.exe", "wininit.exe", "spoolsv.exe",
-                         "wermgr.exe", "csrss.exe", "ctfmon.exe")
+  process.parent.name : ("lsass.exe", "services.exe", "smss.exe", "winlogon.exe", "explorer.exe", "dllhost.exe", "rundll32.exe",
+                         "regsvr32.exe", "userinit.exe", "wininit.exe", "spoolsv.exe", "ctfmon.exe") and
+  not (process.parent.name : "rundll32.exe" and
+       process.parent.args : ("?:\\Windows\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc",
+                              "?:\\WINDOWS\\system32\\PcaSvc.dll,PcaPatchSdbTask",
+                              "?:\\WINDOWS\\system32\\davclnt.dll,DavSetCookie"))
 '''


@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/08/03"

 [rule]
 author = ["Elastic"]
@@ -27,7 +27,9 @@ type = "eql"

 query = '''
 process where event.type in ("start", "process_started") and
-  process.name : "cmd.exe" and process.parent.name : "sqlservr.exe"
+  process.name : "cmd.exe" and process.parent.name : "sqlservr.exe" and
+  not process.args : ("\\\\*", "diskfree", "rmdir", "mkdir", "dir", "del", "rename", "bcp", "*XMLNAMESPACES*",
+                      "?:\\MSSQL\\Backup\\Jobs\\sql_agent_backup_job.ps1", "K:\\MSSQL\\Backup\\msdb", "K:\\MSSQL\\Backup\\Logins")
 '''


@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/05"
+updated_date = "2022/08/03"

 [rule]
 author = ["Elastic"]
@@ -73,7 +73,19 @@ type = "eql"

 query = '''
 sequence by process.entity_id
-  [process where event.type == "start" and process.pid != 4]
+  [process where event.type == "start" and host.os.name == "Windows" and process.pid != 4 and
+   not (process.executable : "D:\\EnterpriseCare\\tools\\jre.1\\bin\\java.exe" and process.args : "com.emeraldcube.prism.launcher.Invoker") and
+   not (process.executable : "C:\\Docusnap 11\\Tools\\nmap\\nmap.exe" and process.args : "smb-os-discovery.nse") and
+   not process.executable :
+              ("?:\\Program Files\\SentinelOne\\Sentinel Agent *\\Ranger\\SentinelRanger.exe",
+               "?:\\Program Files\\Ivanti\\Security Controls\\ST.EngineHost.exe",
+               "?:\\Program Files (x86)\\Fortinet\\FSAE\\collectoragent.exe",
+               "?:\\Program Files (x86)\\Nmap\\nmap.exe",
+               "?:\\Program Files\\Azure Advanced Threat Protection Sensor\\*\\Microsoft.Tri.Sensor.exe",
+               "?:\\Program Files\\CloudMatters\\auvik\\AuvikService-release-*\\AuvikService.exe",
+               "?:\\Program Files\\uptime software\\uptime\\UptimeDataCollector.exe",
+               "?:\\Program Files\\CloudMatters\\auvik\\AuvikAgentService.exe",
+               "?:\\Program Files\\Rumble\\rumble-agent-*.exe")]
  [network where destination.port == 445 and process.pid != 4 and
     not cidrmatch(destination.ip, "127.0.0.1", "::1")]
 '''
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2022/07/29"
+updated_date = "2022/08/03"

 [rule]
 author = ["Elastic"]
@@ -42,7 +42,8 @@ process where event.type == "start" and
          "?:\\Windows\\System32\\MoUsoCoreWorker.exe",
          "?:\\Windows\\UUS\\amd64\\UsoCoreWorker.exe",
          "?:\\Windows\\System32\\UsoCoreWorker.exe",
-          "?:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe")
+          "?:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe") and
+  not process.name : ("MoUsoCoreWorker.exe", "OfficeC2RClient.exe")
 '''