From 979ca1dfab68d8584f53ea46390d6de890090971 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Tue, 2 Aug 2022 18:40:26 +0200 Subject: [PATCH] [Rules Tuning] Add support for Sysmon ImageLoad Events (#2215) * [Rules Tuning] Add support for Sysmon ImageLoad Events added correct event.category and event.action to rules using library events to support sysmon eventid 7. `event.category == "library"` --> `(event.category == "process" and event.action : "Image loaded*")` `dll.name` --> `file.name` * added Suspicious RDP ActiveX Client Loaded * Delete workspace.xml (cherry picked from commit 50bb821708811f4cc537d11bf3578479b514c131) --- .../credential_access_credential_dumping_msbuild.toml | 5 +++-- .../windows/defense_evasion_suspicious_wmi_script.toml | 5 +++-- .../execution_scheduled_task_powershell_source.toml | 5 +++-- .../execution_suspicious_image_load_wmi_ms_office.toml | 10 +++++----- .../execution_suspicious_powershell_imgload.toml | 7 +++++-- ...initial_access_scripts_process_started_via_wmi.toml | 5 +++-- ...teral_movement_suspicious_rdp_client_imageload.toml | 5 +++-- .../persistence_local_scheduled_task_scripting.toml | 6 ++++-- ...suspicious_image_load_scheduled_task_ms_office.toml | 10 +++++----- 9 files changed, 34 insertions(+), 24 deletions(-) diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml index 3206b27b2..35c56fb4b 100755 --- a/rules/windows/credential_access_credential_dumping_msbuild.toml +++ b/rules/windows/credential_access_credential_dumping_msbuild.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/03/25" maturity = "production" -updated_date = "2022/07/05" +updated_date = "2022/08/02" [rule] author = ["Elastic"] 
@@ -83,7 +83,8 @@ type = "eql" query = ''' sequence by process.entity_id [process where event.type == "start" and (process.name : "MSBuild.exe" or process.pe.original_file_name == "MSBuild.exe")] - [library where dll.name : ("vaultcli.dll", "SAMLib.DLL")] + [any where (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and + (dll.name : ("vaultcli.dll", "SAMLib.DLL") or file.name : ("vaultcli.dll", "SAMLib.DLL"))] ''' diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml index 9dddd6cb0..cb2491910 100644 --- a/rules/windows/defense_evasion_suspicious_wmi_script.toml +++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/02" maturity = "production" -updated_date = "2021/03/03" +updated_date = "2022/08/02" [rule] author = ["Elastic"] @@ -26,7 +26,8 @@ sequence by process.entity_id with maxspan = 2m (process.name : "WMIC.exe" or process.pe.original_file_name : "wmic.exe") and process.args : ("format*:*", "/format*:*", "*-format*:*") and not process.command_line : "* /format:table *"] -[library where event.type == "start" and dll.name : ("jscript.dll", "vbscript.dll")] +[any where (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and + (dll.name : ("jscript.dll", "vbscript.dll") or file.name : ("jscript.dll", "vbscript.dll"))] ''' diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml index 71bc29fc9..eea8d7e2d 100644 --- a/rules/windows/execution_scheduled_task_powershell_source.toml +++ b/rules/windows/execution_scheduled_task_powershell_source.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/15" maturity = "production" -updated_date = "2021/10/17" +updated_date = "2022/08/02" [rule] author = ["Elastic"] 
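Review bot: The Sysmon-facing half of the rewritten second stage, `event.category == "process" and event.action : "Image loaded*"` with the DLL names in `file.name`, only produces matches where Sysmon has been configured to log image loads at all: Sysmon does not emit Event ID 7 unless the `-l` option or an ImageLoad rule covering the DLL is present in its configuration, so on hosts without that the stage is simply empty and the sequence never completes, with no error to tell anyone. Nothing in the rule records that prerequisite, and the stage is also now coupled to the exact action string the Sysmon integration writes. I would add a sentence to the rule's note or description text such as `Sysmon coverage requires an ImageLoad rule in the Sysmon configuration that includes vaultcli.dll and SAMLib.dll; without it only Elastic Endpoint library events can satisfy the second stage.` The same caveat applies to the other eight rules in this patch, which take the identical form.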
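Review bot: The rewritten first stage of the WMI-script sequence gives no hint of why a DLL name is now compared against `file.name` as well as `dll.name`, or why the old `event.type == "start"` guard was dropped, so the next reader will likely take it for a mistake. A short EQL comment above the stage would carry the intent: `/* Endpoint 'library' events, or Sysmon Event ID 7 which arrives as event.category "process" with the DLL in file.name */`. If the `event.type` guard was removed only because Sysmon image loads carry a different type, that is worth a word as well; from the hunk alone it reads as a silent widening of the Endpoint side.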
@@ -26,7 +26,8 @@ type = "eql" query = ''' sequence by host.id, process.entity_id with maxspan = 5s - [library where dll.name : "taskschd.dll" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")] + [any where (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and + (dll.name : "taskschd.dll" or file.name : "taskschd.dll") and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")] [network where process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and destination.port == 135 and not destination.address in ("127.0.0.1", "::1")] ''' diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml index 04bcda410..8f6361259 100644 --- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml +++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/17" maturity = "production" -updated_date = "2022/03/31" +updated_date = "2022/08/02" [rule] author = ["Elastic"] @@ -30,10 +30,10 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -library where process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and - event.action : "load" and - event.category : "library" and - dll.name : "wmiutils.dll" +any where + (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and + process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and + (dll.name : "wmiutils.dll" or file.name : "wmiutils.dll") ''' diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml index 2641bb5d9..c543dd0a1 100644 --- a/rules/windows/execution_suspicious_powershell_imgload.toml +++ b/rules/windows/execution_suspicious_powershell_imgload.toml 
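Review bot: Making only the image-load stage Sysmon-aware does not, by itself, let this sequence complete on a host that ships Sysmon rather than Endpoint data: the sequence is joined `by host.id, process.entity_id` and its second stage is a `network` event on destination port 135, so Sysmon also has to deliver Event ID 3 (NetworkConnect, itself opt-in in the Sysmon configuration) with a `process.entity_id` that matches the one on the Event ID 7 document. Whether the integration derives both from the same ProcessGuid cannot be checked from this hunk. I would validate the rule against a Sysmon-only sample (an Event ID 7 for taskschd.dll followed within 5s by an Event ID 3 from the same powershell.exe) before calling Sysmon supported, and note the NetworkConnect requirement in the rule's description alongside the ImageLoad one.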
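Review bot: On a host that runs both Elastic Endpoint and Sysmon, the rewritten `any where` predicate matches two separate documents for one physical load of wmiutils.dll, the Endpoint `library` event and the Sysmon Event ID 7 document, and since this is a per-event rule rather than a sequence each one becomes its own alert. Whether that happens in practice depends on the rule's index patterns covering both sources, which are outside this hunk. If they do, I would say so in the rule's description (`On hosts collecting both Endpoint and Sysmon telemetry this rule may raise two alerts per image load`) so the doubled volume is not read as two distinct loads during triage, or keep the Sysmon variant as a separate rule. The same applies to the other non-sequence rules in the patch.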
@@ -3,7 +3,7 @@ creation_date = "2020/11/17" maturity = "production" min_stack_comments = "EQL regex syntax introduced in 7.12" min_stack_version = "7.12.0" -updated_date = "2022/05/21" +updated_date = "2022/08/02" [rule] author = ["Elastic"] @@ -100,7 +100,10 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -library where dll.name : ("System.Management.Automation.ni.dll", "System.Management.Automation.dll") and +any where (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and + (dll.name : ("System.Management.Automation.ni.dll", "System.Management.Automation.dll") or + file.name : ("System.Management.Automation.ni.dll", "System.Management.Automation.dll")) and + /* add false positives relevant to your environment here */ not process.executable : ("C:\\Windows\\System32\\RemoteFXvGPUDisablement.exe", "C:\\Windows\\System32\\sdiagnhost.exe") and not process.executable regex~ """C:\\Program Files( \(x86\))?\\*\.exe""" and diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml index 70ba707d0..636783ea4 100644 --- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml +++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/27" maturity = "production" -updated_date = "2021/03/08" +updated_date = "2022/08/02" [rule] author = ["Elastic"] 
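Review bot: The `not process.executable regex~ """C:\\Program Files( \(x86\))?\\*\.exe"""` exclusion kept as context at the end of this hunk does not appear to exclude executables under Program Files: in the pattern `\\*` quantifies the backslash, so it matches only paths of the form `C:\Program Files\.exe` or `C:\Program Files (x86)\.exe` (zero or more backslashes, then literally `.exe`), not `C:\Program Files\Vendor\tool.exe`. If the broad exclusion was intended it should read `\\.*\.exe`; if not, the line is dead and should go, because sitting under the new `/* add false positives relevant to your environment here */` comment it implies a coverage it does not provide. Either way it predates this commit and deserves a check against real data rather than a reading of the regex, since I have not confirmed which regex dialect `regex~` uses here. Note that the broad form allowlists every executable in Program Files for a PowerShell-hosting detection, so the narrow form may in fact be the safer outcome. The query continues past the end of the hunk.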
@@ -22,7 +22,8 @@ type = "eql" query = ''' sequence by host.id with maxspan = 5s - [library where dll.name : "wmiutils.dll" and process.name : ("wscript.exe", "cscript.exe")] + [any where (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and + (dll.name : "wmiutils.dll" or file.name : "wmiutils.dll") and process.name : ("wscript.exe", "cscript.exe")] [process where event.type in ("start", "process_started") and process.parent.name : "wmiprvse.exe" and user.domain != "NT AUTHORITY" and diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml index 1014076b3..c83e5f1c0 100644 --- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml +++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/19" maturity = "production" -updated_date = "2022/03/31" +updated_date = "2022/08/02" [rule] author = ["Elastic"] @@ -27,7 +27,8 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -library where dll.name : "mstscax.dll" and +any where (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and + (dll.name : "mstscax.dll" or file.name : "mstscax.dll") and /* depending on noise in your env add here extra paths */ process.executable : ( diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml index 4f2851651..c18d24c6f 100644 --- a/rules/windows/persistence_local_scheduled_task_scripting.toml +++ b/rules/windows/persistence_local_scheduled_task_scripting.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/29" maturity = "production" -updated_date = "2021/10/17" +updated_date = "2022/08/02" [rule] author = ["Elastic"] 
@@ -26,7 +26,9 @@ type = "eql" query = ''' sequence by host.id with maxspan = 30s - [library where dll.name : "taskschd.dll" and process.name : ("cscript.exe", "wscript.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe")] + [any where (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and + (dll.name : "taskschd.dll" or file.name : "taskschd.dll") and + process.name : ("cscript.exe", "wscript.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe")] [registry where registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"] ''' diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml index 604baa4f9..18f8d8db4 100644 --- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml +++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/17" maturity = "production" -updated_date = "2022/03/31" +updated_date = "2022/08/02" [rule] author = ["Elastic"] @@ -32,10 +32,10 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -library where process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and - event.action : "load" and - event.category : "library" and - dll.name : "taskschd.dll" +any where + (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and + process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and + (dll.name : "taskschd.dll" or file.name : "taskschd.dll") '''
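Review bot: The registry stage of this sequence, `registry where registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"`, is left unchanged, so on a Sysmon-only host the newly Sysmon-aware first stage can fire and still never complete the sequence unless Sysmon registry events (Event ID 12/13, which require a RegistryEvent rule for the TaskCache key in the Sysmon configuration) are collected and the integration renders the path with the same `HKLM\` prefix the Endpoint events use. Neither of those can be confirmed from the hunk. I would test the rule against a Sysmon sample containing an Event ID 7 for taskschd.dll followed by an Event ID 13 under TaskCache\Tasks, and record the RegistryEvent requirement in the rule's description next to the ImageLoad one.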