diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
index 20f239bd3..813cad4ea 100644
--- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
+++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
@@ -11,7 +11,7 @@ with IIS web server access via a web shell can decrypt and dump the IIS AppPool
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
-language = "lucene"
+language = "eql"
 license = "Elastic License"
 max_signals = 33
 name = "Microsoft IIS Service Account Password Dumped"
@@ -20,12 +20,12 @@ risk_score = 73
 rule_id = "0564fb9d-90b9-4234-a411-82a546dc1343"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
-type = "query"
+type = "eql"
 query = '''
-event.category:process AND event.type:(start OR process_started) AND
- (process.name:appcmd.exe OR process.pe.original_file_name:appcmd.exe) AND
- process.args:(/[lL][iI][sS][tT]/ AND /\/[tT][eE][xX][tT]\:[pP][aA][sS][sS][wW][oO][rR][dD]/)
+process where event.type in ("start", "process_started") and
+ (process.name : "appcmd.exe" or process.pe.original_file_name == "appcmd.exe") and
+ process.args : "/list" and process.args : "/text*password"
 '''
@@ -41,4 +41,3 @@ reference = "https://attack.mitre.org/techniques/T1003/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
index 16b3cb0ea..d4d28d043 100644
--- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml
+++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
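Review bot: In the rewritten query of the `@@ -20,12 +20,12 @@` hunk, `process.args : "/list"` requires a leading slash, but AppCmd's command verb is the bare token `list`, which the old whole-token regex `/[lL][iI][sS][tT]/` matched without one; unless the slash form is known to occur in the telemetry, the rule will not fire on the invocation the description is about. `process.args : "list"` keeps the case-insensitive `:` match and restores that coverage, while `"/text*password"` is fine as written since `:` already ignores case and the wildcard covers the longer `/text:...password` spellings. Separately, `process.pe.original_file_name == "appcmd.exe"` is an exact, case-sensitive comparison (unlike `:` used on `process.name`), so the literal must match the binary's version resource byte-for-byte — worth confirming, and the same applies to the `aspnet_regiis.exe` hunk in the next file.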
@@ -12,7 +12,7 @@ password using aspnet_regiis command.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License"
 max_signals = 33
 name = "Microsoft IIS Connection Strings Decryption"
@@ -24,12 +24,12 @@ risk_score = 73
 rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
-type = "query"
+type = "eql"
 query = '''
-event.category:process and event.type:(start or process_started) and
- (process.name:aspnet_regiis.exe or process.pe.original_file_name:aspnet_regiis.exe) and
- process.args:(connectionStrings and "-pdf")
+process where event.type in ("start", "process_started") and
+ (process.name : "aspnet_regiis.exe" or process.pe.original_file_name == "aspnet_regiis.exe") and
+ process.args : "connectionStrings" and process.args : "-pdf"
 '''
@@ -45,4 +45,3 @@ reference = "https://attack.mitre.org/techniques/T1003/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
index b3f7248c6..18b210646 100644
--- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
+++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
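Review bot: The argument match in the `@@ -24,12 +24,12 @@` hunk covers only the `-pdf` switch (decrypt by physical path); aspnet_regiis also decrypts a section with `-pd` (by application virtual path), so that invocation is not seen. The old kuery had the same gap, but the EQL rewrite is the natural place to close it: `process.args : "connectionStrings" and process.args : ("-pdf", "-pd")`. The mixed-case `connectionStrings` literal is fine because `:` is case-insensitive; a short comment in the query noting that both switches are intended would save the next reader from re-deriving it.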
@@ -6,24 +6,23 @@ updated_date = "2020/11/03"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies a suspicious AutoIt process execution. Malware written as AutoIt scripts tend to rename the AutoIt executable
+Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable
 to avoid detection.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
-language = "lucene"
+language = "eql"
 license = "Elastic License"
 name = "Renamed AutoIt Scripts Interpreter"
 risk_score = 47
 rule_id = "2e1e835d-01e5-48ca-b9fc-7a61f7f11902"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
-type = "query"
+type = "eql"
 query = '''
-event.category:process AND event.type:(start OR process_started) AND
- process.pe.original_file_name:/[aA][uU][tT][oO][iI][tT]\d\.[eE][xX][eE]/ AND
- NOT process.name:/[aA][uU][tT][oO][iI][tT]\d{1,3}\.[eE][xX][eE]/
+process where event.type in ("start", "process_started", "info") and
+ process.pe.original_file_name : "AutoIt*.exe" and not process.name : "AutoIt*.exe"
 '''
@@ -39,4 +38,3 @@ reference = "https://attack.mitre.org/techniques/T1036/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml
index d16a92d85..801363790 100644
--- a/rules/windows/defense_evasion_rundll32_no_arguments.toml
+++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml
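Review bot: The exclusion `not process.name : "AutoIt*.exe"` in the rewritten query is wider than the old `AutoIt\d{1,3}\.exe` form: any process name that merely begins with `AutoIt` is now accepted as the legitimate interpreter whatever follows, so the rule only flags renames that drop the prefix entirely. If the intent is to allow just the shipped interpreter names, an explicit list such as `not process.name : ("AutoIt3.exe", "AutoIt3_x64.exe")` is tighter; if the prefix-only check is deliberate, a one-line comment in the query saying so would keep the next maintainer from "fixing" it. Note also that `"info"` was added to `event.type` here (and in the Zoom hunk later in this commit), so processes reported by enumeration rather than at start can now alert — presumably intended, but the description does not mention it.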
@@ -23,9 +23,8 @@ type = "eql"
 query = '''
 sequence with maxspan=1h
 [process where event.type in ("start", "process_started") and
- /* uncomment once in winlogbeat */
- (process.name : "rundll32.exe" /* or process.pe.original_file_name == "RUNDLL32.EXE" */ ) and
- process.args_count < 2
+ (process.name : "rundll32.exe" or process.pe.original_file_name == "RUNDLL32.EXE") and
+ process.args_count == 1
 ] by process.entity_id
 [process where event.type in ("start", "process_started") and process.parent.name : "rundll32.exe"
 ] by process.parent.entity_id
diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
index 5c1495fa6..33eeed9ac 100644
--- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
+++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
@@ -11,7 +11,7 @@ file overwrite and rename operations.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
-language = "lucene"
+language = "eql"
 license = "Elastic License"
 name = "Potential Secure File Deletion via SDelete Utility"
 note = "Verify process details such as command line and hash to confirm this activity legitimacy."
@@ -19,10 +19,11 @@ risk_score = 21
 rule_id = "5aee924b-6ceb-4633-980e-1bde8cdb40c5"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
-type = "query"
+type = "eql"
+
 query = '''
-event.category:file AND event.type:change AND file.name:/.+A+\.AAA/
+file where event.type == "change" and wildcard(file.name,"*AAA.AAA")
 '''
diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
index 993f5dba2..7346de123 100644
--- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
+++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
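Review bot: In the sdelete `@@ -19,10 +19,11 @@` hunk, `wildcard(file.name,"*AAA.AAA")` is the only query in this commit written with the function form; every other rewritten rule uses the `:` operator, and `file.name : "*AAA.AAA"` would read consistently and, I believe, also pick up `:`'s case-insensitive matching where `wildcard()` compares case-sensitively (the old `A+\.AAA` regex was upper-case only too, so neither form regresses, but the choice should be deliberate). The new pattern also needs at least three `A`s before the extension where the old `A+` accepted one; harmless for SDelete's full-length rename, but a short comment in the query recording that the name is expected to be all `A`s would keep it from being loosened later. Minor style point: this hunk and the Zoom one add a blank line between `type` and `query` that the appcmd, aspnet_regiis and AutoIt rewrites in the same commit do not.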
@@ -9,29 +9,21 @@ description = """
 A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.
 """
-false_positives = ["New Zoom Executable"]
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License"
 name = "Suspicious Zoom Child Process"
 risk_score = 47
 rule_id = "97aba1ef-6034-4bd3-8c1a-1e0996b27afa"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
-type = "query"
+type = "eql"
+
 query = '''
-event.category:process and event.type:(start or process_started) and
- process.parent.name:Zoom.exe and
- not process.name:(Zoom.exe or WerFault.exe or airhost.exe or CptControl.exe or CptHost.exe or cpthost.exe or
- CptInstall.exe or CptService.exe or Installer.exe or zCrashReport.exe or Zoom_launcher.exe or zTscoder.exe or
- plugin_Launcher.exe or mDNSResponder.exe or zDevHelper.exe or APcptControl.exe or CrashSender*.exe or aomhost64.exe or
- Magnify.exe or m_plugin_launcher.exe or com.zoom.us.zTranscode.exe or RoomConnector.exe or tabtip.exe or Explorer.exe or
- chrome.exe or firefox.exe or iexplore.exe or outlook.exe or lync.exe or ApplicationFrameHost.exe or ZoomAirhostInstaller.exe or
- narrator.exe or NVDA.exe or Magnify.exe or Outlook.exe or m_plugin_launcher.exe or mphost.exe or APcptControl.exe or winword.exe or
- excel.exe or powerpnt.exe or ONENOTE.EXE or wpp.exe or debug_message.exe or zAssistant.exe or msiexec.exe or msedge.exe or
- dwm.exe or vcredist_x86.exe or Controller.exe or Installer.exe or CptInstall.exe or Zoom_launcher.exe or ShellExperienceHost.exe or wps.exe)
+process where event.type in ("start", "process_started", "info") and
+ process.parent.name : "Zoom.exe" and process.name : ("cmd.exe", "powershell.exe", "pwsh.exe")
 '''
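Review bot: The description text kept as context at the top of this hunk still describes the old "any unexpected child" logic (`Verify process details such as command line, network connections, file writes and associated file signature details as well.`), while the rewritten query now fires only when `Zoom.exe` spawns `cmd.exe`, `powershell.exe` or `pwsh.exe`, so the rule text no longer says what actually alerts; a sentence such as `Alerts when Zoom.exe spawns a command shell (cmd.exe, powershell.exe or pwsh.exe).` would keep it honest (the description's opening line is outside the hunk). Dropping `false_positives` is consistent with moving from a deny-list of known children to a short allow-list, but any other interpreter Zoom might launch now goes unseen, so a brief comment in the query recording why the scope was narrowed to shells would help whoever widens it later. The `"info"` event type admitted here means a shell already running under Zoom at enumeration time can also alert; presumably intended, but worth stating in the description too.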
@@ -59,4 +51,3 @@ reference = "https://attack.mitre.org/techniques/T1055/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-