From 96fd9f86a2a7560ea3b99d4978ae8ac0a055fae2 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 15 Aug 2022 16:15:48 +0200
Subject: [PATCH] [Rule Tuning] Reduce FPs (#2223)

9 rules tuned to exclude common noisy FP patterns.

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

Removed changes from:
- rules/windows/execution_command_shell_started_by_svchost.toml
(selectively cherry picked from commit b89d6185b2c26321f0c3bc0781857ee5669e0f9e)
---
 ...e_evasion_create_mod_root_certificate.toml | 14 ++++++++++++--
 ...vasion_defender_disabled_via_registry.toml | 9 +++++++--
 ...nse_evasion_unusual_ads_file_creation.toml | 19 ++++++++++++++++++-
 ...inds_backdoor_unusual_child_processes.toml | 7 +++++--
 .../execution_via_hidden_shell_conhost.toml | 11 +++++++----
 ...ia_xp_cmdshell_mssql_stored_procedure.toml | 6 ++++--
 ...vement_direct_outbound_smb_connection.toml | 16 ++++++++++++++--
 ...ia_update_orchestrator_service_hijack.toml | 5 +++--
 8 files changed, 70 insertions(+), 17 deletions(-)

diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml
index b1279f067..2a022aee2 100644
--- a/rules/windows/defense_evasion_create_mod_root_certificate.toml
+++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/02/01"
 maturity = "production"
-updated_date = "2022/07/22"
+updated_date = "2022/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -96,7 +96,17 @@ registry where event.type in ("creation", "change") and
 "HKLM\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob",
 "HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
 "HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob"
- )
+ ) and
+ not process.executable :
+ ("?:\\Program Files\\*.exe",
+ "?:\\Program Files (x86)\\*.exe",
+ "?:\\Windows\\System32\\*.exe",
+ "?:\\Windows\\SysWOW64\\*.exe",
+ "?:\\Windows\\Sysmon64.exe",
+ "?:\\Windows\\Sysmon.exe",
+ "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
+ "?:\\Windows\\WinSxS\\*.exe",
+ "?:\\Windows\\UUS\\amd64\\MoUsoCoreWorker.exe")
 '''
diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
index a835976b7..19cfe4d4e 100644
--- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2022/05/21"
+updated_date = "2022/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -83,7 +83,12 @@ registry where event.type in ("creation", "change") and
 registry.path:"HKLM\\System\\*ControlSet*\\Services\\WinDefend\\Start" and
 registry.data.strings in ("3", "4", "0x00000003", "0x00000004")
 )
- )
+ ) and
+
+ not process.executable :
+ ("?:\\WINDOWS\\system32\\services.exe",
+ "?:\\Windows\\System32\\svchost.exe",
+ "?:\\Program Files (x86)\\Trend Micro\\Security Agent\\NTRmv.exe")
 '''
diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
index d1ac29d5c..714cab64f 100644
--- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml
+++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
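Review bot: The new `not process.executable` exclusion in this hunk is wide enough to suppress the rule's primary use case: EQL `*` matches across path separators, so `?:\\Windows\\System32\\*.exe` covers every executable anywhere under System32 (the built-in certificate-store and scripting utilities included), `?:\\Windows\\WinSxS\\*.exe` likewise, and `?:\\Program Files\\*.exe` covers any executable in any Program Files subdirectory, some of which may be writable by non-administrators. Because the rule keys on Root/AuthRoot `Blob` writes, a legitimate and a misused invocation of the same tool are indistinguishable by path alone, so the wide globs effectively turn the rule off for the most common writers. Consider listing the specific noisy binaries, as the `Sysmon`, `MsMpEng.exe` and `MoUsoCoreWorker.exe` entries already do, and, where the data source populates them, pairing path exclusions with `process.code_signature.subject_name` / `process.code_signature.trusted`. The other rules in this commit exclude full paths only, so this hunk is the outlier.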
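Review bot: Excluding `?:\\WINDOWS\\system32\\services.exe` likely blanks the `Services\\WinDefend\\Start` branch shown in this hunk: the Service Control Manager is the process that writes a service's `Start` value when its start type is reconfigured, so any such change would now be attributed to the excluded executable and dropped — worth confirming against the events that motivated the tuning. The `svchost.exe` exclusion is similarly coarse, since many unrelated services run under that host; if the noise came from one particular service, an exclusion on `process.args` (the service host's service argument) or on the specific `registry.path` would be narrower than the executable path. The empty `+` line between `) and` and `not process.executable :` is stray whitespace inside the query and can be dropped.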
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -27,8 +27,25 @@ type = "eql"
 query = '''
 file where event.type == "creation" and
+ file.path : "C:\\*:*" and
 not file.path : "C:\\*:zone.identifier*" and
+
+ not process.executable :
+ ("?:\\windows\\System32\\svchost.exe",
+ "?:\\Windows\\System32\\inetsrv\\w3wp.exe",
+ "?:\\Windows\\explorer.exe",
+ "?:\\Windows\\System32\\sihost.exe",
+ "?:\\Windows\\System32\\PickerHost.exe",
+ "?:\\Windows\\System32\\SearchProtocolHost.exe",
+ "?:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe",
+ "?:\\Program Files\\Rivet Networks\\SmartByte\\SmartByteNetworkService.exe",
+ "?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
+ "?:\\Program Files\\ExpressConnect\\ExpressConnectNetworkService.exe",
+ "?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
+ "?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
+ "?:\\Program Files\\Mozilla Firefox\\firefox.exe") and
+
 file.extension : (
 "pdf",
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
index f9bc6e9a4..842b7e305 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2022/04/20"
+updated_date = "2022/08/03"
 
 [rule]
 author = ["Elastic"]
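Review bot: `file.path : "C:\\*:*"` hard-codes the system drive while every executable path added in the same hunk uses the `?:` drive wildcard, so alternate data streams created on any other volume are now dropped by the first condition; `file.path : "?:\\*:*" and` keeps the two consistent (the pre-existing `zone.identifier` line has the same `C:` limitation). The browser exclusions (`chrome.exe`, `msedge.exe`, `firefox.exe`) apply to every stream name, not only `zone.identifier`, which the line above already handles — if the intent was Mark-of-the-Web noise the browser entries are redundant, and if it was other streams it is worth documenting which ones in a `#` comment above the list. The enclosing query continues past the hunk with the `file.extension` list.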
@@ -40,7 +40,10 @@ process where event.type in ("start", "process_started") and
 "Database-Maint.exe",
 "SolarWinds.Orion.ApiPoller.Service.exe",
 "WerFault.exe",
- "WerMgr.exe")
+ "WerMgr.exe",
+ "SolarWinds.BusinessLayerHost.exe",
+ "SolarWinds.BusinessLayerHostx64.exe") and
+ not process.executable : ("?:\\Windows\\SysWOW64\\ARP.EXE", "?:\\Windows\\SysWOW64\\lodctr.exe", "?:\\Windows\\SysWOW64\\unlodctr.exe")
 '''
diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml
index ee9f680a4..b3b3a3dde 100644
--- a/rules/windows/execution_via_hidden_shell_conhost.toml
+++ b/rules/windows/execution_via_hidden_shell_conhost.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2022/05/21"
+updated_date = "2022/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -89,9 +89,12 @@ type = "eql"
 query = '''
 process where event.type in ("start", "process_started") and
 process.name : "conhost.exe" and
- process.parent.name : ("svchost.exe", "lsass.exe", "services.exe", "smss.exe", "winlogon.exe", "explorer.exe",
- "dllhost.exe", "rundll32.exe", "regsvr32.exe", "userinit.exe", "wininit.exe", "spoolsv.exe",
- "wermgr.exe", "csrss.exe", "ctfmon.exe")
+ process.parent.name : ("lsass.exe", "services.exe", "smss.exe", "winlogon.exe", "explorer.exe", "dllhost.exe", "rundll32.exe",
+ "regsvr32.exe", "userinit.exe", "wininit.exe", "spoolsv.exe", "ctfmon.exe") and
+ not (process.parent.name : "rundll32.exe" and
+ process.parent.args : ("?:\\Windows\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc",
+ "?:\\WINDOWS\\system32\\PcaSvc.dll,PcaPatchSdbTask",
+ "?:\\WINDOWS\\system32\\davclnt.dll,DavSetCookie"))
 '''
diff --git a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
index bfb0704ba..c10dc9be6 100644
--- a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
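Review bot: The new `not process.executable : (...)` exclusion is written as one long line, whereas the `process.name` list directly above it and the equivalent exclusions added to the other rules in this commit are laid out one path per line; splitting it the same way keeps the query readable and makes future additions a one-line diff. Using the full `?:`-prefixed executable path rather than a bare name is the right choice here and matches the rest of the tuning.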
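Review bot: The `rundll32.exe` carve-out keyed on `process.parent.args : "?:\\Windows\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc"` excludes a path whose file name is determined by whatever installer is running: every MSI managed custom action is staged through a temp file of that shape, so the exclusion covers installer-driven code in general rather than one fixed, signed component. The other two entries (`PcaSvc.dll`, `davclnt.dll`) name fixed system DLLs under `system32` and are appropriately narrow. If the installer noise is the dominant source, it would be worth documenting the accepted gap in the rule's description, or bounding the exclusion with an additional condition the telemetry can support (for example the installer's process lineage) rather than the wildcarded temp-file name alone.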
+++ b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,9 @@ type = "eql"
 query = '''
 process where event.type in ("start", "process_started") and
- process.name : "cmd.exe" and process.parent.name : "sqlservr.exe"
+ process.name : "cmd.exe" and process.parent.name : "sqlservr.exe" and
+ not process.args : ("\\\\*", "diskfree", "rmdir", "mkdir", "dir", "del", "rename", "bcp", "*XMLNAMESPACES*",
+ "?:\\MSSQL\\Backup\\Jobs\\sql_agent_backup_job.ps1", "K:\\MSSQL\\Backup\\msdb", "K:\\MSSQL\\Backup\\Logins")
 '''
diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
index 7f5558968..39a9850fe 100644
--- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
+++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/05"
+updated_date = "2022/08/03"
 
 [rule]
 author = ["Elastic"]
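Review bot: `not process.args : ("\\\\*", "diskfree", "rmdir", "mkdir", "dir", "del", "rename", "bcp", "*XMLNAMESPACES*", ...)` is evaluated per argument, so any `cmd.exe` launched by `sqlservr.exe` whose command line merely contains a `dir`, `del` or `rename` token is suppressed, and `"\\\\*"` discards every invocation that references a UNC path — which removes visibility of exactly the remote-share activity this `xp_cmdshell` rule exists to surface. The `K:\\MSSQL\\Backup\\msdb`, `K:\\MSSQL\\Backup\\Logins` and `sql_agent_backup_job.ps1` entries are deployment-specific paths committed into a shared rule and belong in a per-deployment exception rather than the query. Matching the known backup job on a full `process.command_line` pattern would keep the noise reduction without the token-level blind spots.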
@@ -73,7 +73,19 @@ type = "eql"
 query = '''
 sequence by process.entity_id
- [process where event.type == "start" and process.pid != 4]
+ [process where event.type == "start" and host.os.name == "Windows" and process.pid != 4 and
+ not (process.executable : "D:\\EnterpriseCare\\tools\\jre.1\\bin\\java.exe" and process.args : "com.emeraldcube.prism.launcher.Invoker") and
+ not (process.executable : "C:\\Docusnap 11\\Tools\\nmap\\nmap.exe" and process.args : "smb-os-discovery.nse") and
+ not process.executable :
+ ("?:\\Program Files\\SentinelOne\\Sentinel Agent *\\Ranger\\SentinelRanger.exe",
+ "?:\\Program Files\\Ivanti\\Security Controls\\ST.EngineHost.exe",
+ "?:\\Program Files (x86)\\Fortinet\\FSAE\\collectoragent.exe",
+ "?:\\Program Files (x86)\\Nmap\\nmap.exe",
+ "?:\\Program Files\\Azure Advanced Threat Protection Sensor\\*\\Microsoft.Tri.Sensor.exe",
+ "?:\\Program Files\\CloudMatters\\auvik\\AuvikService-release-*\\AuvikService.exe",
+ "?:\\Program Files\\uptime software\\uptime\\UptimeDataCollector.exe",
+ "?:\\Program Files\\CloudMatters\\auvik\\AuvikAgentService.exe",
+ "?:\\Program Files\\Rumble\\rumble-agent-*.exe")]
 [network where destination.port == 445 and process.pid != 4 and not cidrmatch(destination.ip, "127.0.0.1", "::1")]
 '''
diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
index 829f3f98a..dc0524bd6 100644
--- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
+++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2022/07/29"
+updated_date = "2022/08/03"
 
 [rule]
 author = ["Elastic"]
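Review bot: `"D:\\EnterpriseCare\\tools\\jre.1\\bin\\java.exe"` and `"C:\\Docusnap 11\\Tools\\nmap\\nmap.exe"` are deployment-specific absolute paths (fixed drive letters, one-off install directories) committed into a shared rule, unlike the `?:`-prefixed entries below them; they are better carried as per-deployment exceptions, or at minimum should use `?:` like the rest of the list. Allow-listing a general-purpose scanner such as `?:\\Program Files (x86)\\Nmap\\nmap.exe` by path alone means the rule no longer observes SMB fan-out from that location regardless of who launched it; where the events carry `process.code_signature.subject_name`, pairing the path with the expected signer narrows this. The added `host.os.name == "Windows"` is a case-sensitive exact comparison — confirm every integration feeding this rule populates the field in exactly that form, since a mismatch makes the first sequence step never match and the rule goes silent rather than noisy.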
@@ -42,7 +42,8 @@ process where event.type == "start" and
 "?:\\Windows\\System32\\MoUsoCoreWorker.exe",
 "?:\\Windows\\UUS\\amd64\\UsoCoreWorker.exe",
 "?:\\Windows\\System32\\UsoCoreWorker.exe",
- "?:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe")
+ "?:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe") and
+ not process.name : ("MoUsoCoreWorker.exe", "OfficeC2RClient.exe")
 '''
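Review bot: `not process.name : ("MoUsoCoreWorker.exe", "OfficeC2RClient.exe")` excludes by file name only, which makes the full-path entries for the same two binaries in the `process.executable` list directly above redundant and lets a same-named executable in any other directory pass — the mis-placed binary is precisely what this update-orchestrator hijack rule is meant to catch. If the noise came from these binaries running from additional legitimate locations, add those locations to the existing `process.executable` list instead, e.g. (illustrative) `"?:\\Windows\\UUS\\*\\MoUsoCoreWorker.exe"`, so the rule keeps checking where the file lives. The enclosing `process where` block starts above the hunk.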