[Rule Tuning] Convert to EQL 5 existing rules (#414)

* [Rule Tuning] 5 rules

* [Rule Tuning] Converted two IIS CredAccess rules to EQL

* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_zoom_child_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/evasion_rundll32_no_arguments.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* deleted. rule looks incompatible with endpoint

* fixing units testing error

* Update credential_access_iis_apppoolsa_pwd_appcmd.toml

* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* desc

* fixed tags duplicate

* ecs_version

* ecs_version

* ecs_version

* ecs_version

* ecs_version

* ecs_version

* Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_zoom_child_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update defense_evasion_rundll32_no_arguments.toml

* adjusted process args count to 1

Adjusted the rundll32 rule's `process.args_count` condition to `== 1` so that winlogbeat Windows process-creation events (4688) that carry no command-line value do not match the rule (avoids false positives).

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Samirbous
2020-12-08 21:07:26 +01:00
committed by GitHub
parent afb00d7097
commit 9792d967d7
6 changed files with 26 additions and 39 deletions
@@ -11,7 +11,7 @@ with IIS web server access via a web shell can decrypt and dump the IIS AppPool
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "lucene"
language = "eql"
license = "Elastic License"
max_signals = 33
name = "Microsoft IIS Service Account Password Dumped"
@@ -20,12 +20,12 @@ risk_score = 73
rule_id = "0564fb9d-90b9-4234-a411-82a546dc1343"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
type = "query"
type = "eql"
query = '''
event.category:process AND event.type:(start OR process_started) AND
(process.name:appcmd.exe OR process.pe.original_file_name:appcmd.exe) AND
process.args:(/[lL][iI][sS][tT]/ AND /\/[tT][eE][xX][tT]\:[pP][aA][sS][sS][wW][oO][rR][dD]/)
process where event.type in ("start", "process_started") and
(process.name : "appcmd.exe" or process.pe.original_file_name == "appcmd.exe") and
process.args : "/list" and process.args : "/text*password"
'''
@@ -41,4 +41,3 @@ reference = "https://attack.mitre.org/techniques/T1003/"
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
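Review bot: In the first hunk of this section the converted query compares `process.pe.original_file_name == "appcmd.exe"` with EQL's case-sensitive `==`, while the Lucene regex it replaces matched the name case-insensitively, so that branch silently depends on the exact casing the PE header reports. The `:` operator already used for `process.name` on the same line keeps the old behaviour: `(process.name : "appcmd.exe" or process.pe.original_file_name : "appcmd.exe") and`. Note also that `process.args : "/text*password"` only fires when the `/text:` argument itself ends in `password`; a request for every attribute via `/text:*` is not covered, and if that form also exposes the password (not verified here) the rule's `note` field should at least mention the gap.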
@@ -12,7 +12,7 @@ password using aspnet_regiis command.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
language = "eql"
license = "Elastic License"
max_signals = 33
name = "Microsoft IIS Connection Strings Decryption"
@@ -24,12 +24,12 @@ risk_score = 73
rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
type = "query"
type = "eql"
query = '''
event.category:process and event.type:(start or process_started) and
(process.name:aspnet_regiis.exe or process.pe.original_file_name:aspnet_regiis.exe) and
process.args:(connectionStrings and "-pdf")
process where event.type in ("start", "process_started") and
(process.name : "aspnet_regiis.exe" or process.pe.original_file_name == "aspnet_regiis.exe") and
process.args : "connectionStrings" and process.args : "-pdf"
'''
@@ -45,4 +45,3 @@ reference = "https://attack.mitre.org/techniques/T1003/"
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
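Review bot: The last query line of the first hunk matches only the `-pdf` switch, but aspnet_regiis.exe also decrypts a section of a site's web.config with `-pd section -app virtualPath`, so `aspnet_regiis -pd connectionStrings -app /site` would slip past the rule; `process.args : "connectionStrings" and process.args : ("-pd", "-pdf")` closes that without widening anything else. The same line mixes operators: `process.name : "aspnet_regiis.exe"` is case-insensitive while `process.pe.original_file_name == "aspnet_regiis.exe"` is not, so the PE-name branch only helps if the header casing is exactly lower-case; `:` on both keeps the intent clear. The second hunk of the section only removes a trailing line.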
@@ -6,24 +6,23 @@ updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
description = """
Identifies a suspicious AutoIt process execution. Malware written as AutoIt scripts tend to rename the AutoIt executable
Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable
to avoid detection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "lucene"
language = "eql"
license = "Elastic License"
name = "Renamed AutoIt Scripts Interpreter"
risk_score = 47
rule_id = "2e1e835d-01e5-48ca-b9fc-7a61f7f11902"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
type = "query"
type = "eql"
query = '''
event.category:process AND event.type:(start OR process_started) AND
process.pe.original_file_name:/[aA][uU][tT][oO][iI][tT]\d\.[eE][xX][eE]/ AND
NOT process.name:/[aA][uU][tT][oO][iI][tT]\d{1,3}\.[eE][xX][eE]/
process where event.type in ("start", "process_started", "info") and
process.pe.original_file_name : "AutoIt*.exe" and not process.name : "AutoIt*.exe"
'''
@@ -39,4 +38,3 @@ reference = "https://attack.mitre.org/techniques/T1036/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
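Review bot: The exclusion `not process.name : "AutoIt*.exe"` on the last query line of the first hunk is far broader than the `AutoIt\d{1,3}\.exe` regex it replaces: a renamed interpreter whose new name merely starts with `AutoIt` (say `AutoItUpdate.exe`) is now whitelisted even though its original file name still identifies it as the interpreter. If the widening is meant to accept legitimate variants such as 64-bit or Unicode builds, enumerating them is safer than a prefix wildcard, e.g. `not process.name : ("AutoIt?.exe", "AutoIt?_x64.exe", "AutoIt?A.exe", "AutoIt?A_x64.exe")` (exact variant names to be confirmed against the shipped binaries). The added `"info"` event type is not explained; sibling rules in this change list only `start`/`process_started`, so a one-line comment in the query such as `/* "info": also evaluate already-running processes reported by the endpoint */` would record why it differs.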
@@ -23,9 +23,8 @@ type = "eql"
query = '''
sequence with maxspan=1h
[process where event.type in ("start", "process_started") and
/* uncomment once in winlogbeat */
(process.name : "rundll32.exe" /* or process.pe.original_file_name == "RUNDLL32.EXE" */ ) and
process.args_count < 2
(process.name : "rundll32.exe" or process.pe.original_file_name == "RUNDLL32.EXE") and
process.args_count == 1
] by process.entity_id
[process where event.type in ("start", "process_started") and process.parent.name : "rundll32.exe"
] by process.parent.entity_id
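Review bot: The first sequence element now mixes operators on one line: `process.name : "rundll32.exe"` is case-insensitive but `process.pe.original_file_name == "RUNDLL32.EXE"` is a case-sensitive comparison, and the other rules in this change compare the same field against lower-case names with `==`, so at least one of them is betting on the exact casing the data source emits; `process.pe.original_file_name : "rundll32.exe"` removes that dependency. The switch from `process.args_count < 2` to `== 1` also excludes events where the count is 0 or absent, which the commit message attributes to 4688 events without a command line — worth a comment in the query so the next tuner does not "fix" it back, e.g. `/* == 1 rather than < 2: winlogbeat 4688 events without a command line report no args and would otherwise match */`. The `sequence` begins on the first hunk line, but the rule's header fields are outside the hunk.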
@@ -11,7 +11,7 @@ file overwrite and rename operations.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "lucene"
language = "eql"
license = "Elastic License"
name = "Potential Secure File Deletion via SDelete Utility"
note = "Verify process details such as command line and hash to confirm this activity legitimacy."
@@ -19,10 +19,11 @@ risk_score = 21
rule_id = "5aee924b-6ceb-4633-980e-1bde8cdb40c5"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
type = "query"
type = "eql"
query = '''
event.category:file AND event.type:change AND file.name:/.+A+\.AAA/
file where event.type == "change" and wildcard(file.name,"*AAA.AAA")
'''
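Review bot: `wildcard(file.name,"*AAA.AAA")` on the last query line is the only place in this change that uses the `wildcard()` function instead of the `:` operator the sibling rules use; as far as I recall the function form is case-sensitive unless written `wildcard~`, whereas `:` is not, and both accept the same pattern, so `file.name : "*AAA.AAA"` reads consistently with the rest of the set. The new pattern is also tighter than the regex `/.+A+\.AAA/` it replaces: the regex needed only one `A` before `.AAA` (any name of at least two characters), while `*AAA.AAA` requires three, so a two-character original name that SDelete renames to `AA.AAA` no longer matches. If that narrowing is deliberate, the `note` field should say so.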
@@ -9,29 +9,21 @@ description = """
A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details
such as command line, network connections, file writes and associated file signature details as well.
"""
false_positives = ["New Zoom Executable"]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
language = "eql"
license = "Elastic License"
name = "Suspicious Zoom Child Process"
risk_score = 47
rule_id = "97aba1ef-6034-4bd3-8c1a-1e0996b27afa"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
type = "query"
type = "eql"
query = '''
event.category:process and event.type:(start or process_started) and
process.parent.name:Zoom.exe and
not process.name:(Zoom.exe or WerFault.exe or airhost.exe or CptControl.exe or CptHost.exe or cpthost.exe or
CptInstall.exe or CptService.exe or Installer.exe or zCrashReport.exe or Zoom_launcher.exe or zTscoder.exe or
plugin_Launcher.exe or mDNSResponder.exe or zDevHelper.exe or APcptControl.exe or CrashSender*.exe or aomhost64.exe or
Magnify.exe or m_plugin_launcher.exe or com.zoom.us.zTranscode.exe or RoomConnector.exe or tabtip.exe or Explorer.exe or
chrome.exe or firefox.exe or iexplore.exe or outlook.exe or lync.exe or ApplicationFrameHost.exe or ZoomAirhostInstaller.exe or
narrator.exe or NVDA.exe or Magnify.exe or Outlook.exe or m_plugin_launcher.exe or mphost.exe or APcptControl.exe or winword.exe or
excel.exe or powerpnt.exe or ONENOTE.EXE or wpp.exe or debug_message.exe or zAssistant.exe or msiexec.exe or msedge.exe or
dwm.exe or vcredist_x86.exe or Controller.exe or Installer.exe or CptInstall.exe or Zoom_launcher.exe or ShellExperienceHost.exe or wps.exe)
process where event.type in ("start", "process_started", "info") and
process.parent.name : "Zoom.exe" and process.name : ("cmd.exe", "powershell.exe", "pwsh.exe")
'''
@@ -59,4 +51,3 @@ reference = "https://attack.mitre.org/techniques/T1055/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
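Review bot: The new query's allow-list `process.name : ("cmd.exe", "powershell.exe", "pwsh.exe")` replaces a deny-list that flagged any unexpected Zoom child, so other living-off-the-land children such as `mshta.exe`, `rundll32.exe`, `regsvr32.exe`, `wscript.exe`, `cscript.exe` or `certutil.exe` spawned by Zoom are now invisible to this rule; either extend the tuple or state in `note` that only shells are in scope. The `false_positives = ["New Zoom Executable"]` line kept earlier in the same hunk is now stale — a new Zoom binary can no longer trigger this rule — and should be removed or rewritten around shell usage. The added `"info"` event type also widens matching to process-enumeration events for shells already running under Zoom, which deserves a short comment. The query starts inside the hunk, but the rule's threat mapping continues outside it.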