[Rule Tuning] Windows BBR Tuning - 5 (#3385)

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Jonhnathan
2024-02-14 10:23:06 -03:00
committed by GitHub
parent ae00f30574
commit 97e49795ab
5 changed files with 22 additions and 16 deletions
@@ -4,8 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/27"
bypass_bbr_timing = true
updated_date = "2024/01/12"
[rule]
author = ["Elastic"]
@@ -22,8 +21,7 @@ name = "Execution from a Removable Media with Network Connection"
risk_score = 21
rule_id = "1542fa53-955e-4330-8e4d-b2d812adeb5f"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Rule Type: BBR", "Data Source: Elastic Defend"]
building_block_type = "default"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"]
type = "eql"
query = '''
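Review bot: Dropping `building_block_type = "default"`, `bypass_bbr_timing = true` and the `Rule Type: BBR` tag (the -8/+7 hunk counts and the 22/16 diffstat support reading all three as removals) turns this building block into an alerting rule, yet `risk_score = 21` and `severity = "low"` are left at the values the building block carried, so it will now raise alerts at the lowest tier; confirm that is intended or rescore it as part of the promotion. The same change is made in the "Potential Remote File Execution via MSIEXEC" and "Remote XSL Script Execution via COM" sections below. The commit message gives no rationale for the promotion; a one-line reason in the description, or in the rule's `note` text, would help the next person tuning these rules. `updated_date = "2024/01/12"` also predates the 2024-02-14 commit date shown above, if the convention is to stamp the date of the change.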
@@ -4,8 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/28"
bypass_bbr_timing = true
updated_date = "2024/01/12"
[rule]
author = ["Elastic"]
@@ -21,8 +20,7 @@ name = "Potential Remote File Execution via MSIEXEC"
risk_score = 21
rule_id = "3e441bdb-596c-44fd-8628-2cfdf4516ada"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
building_block_type = "default"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
type = "eql"
query = '''
@@ -4,8 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/27"
bypass_bbr_timing = true
updated_date = "2024/01/12"
[rule]
author = ["Elastic"]
@@ -21,8 +20,7 @@ name = "Remote XSL Script Execution via COM"
risk_score = 21
rule_id = "48f657ee-de4f-477c-aa99-ed88ee7af97a"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
building_block_type = "default"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
type = "eql"
query = '''
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/19"
updated_date = "2024/01/12"
[rule]
author = ["Elastic"]
@@ -61,6 +61,10 @@ event.category:process and host.os.type:windows and
?\:\\\\Logicmonitor\\\\tmp* or
?\:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\* or
?\:\\\\ExchangeServer\\\\bin*
) and not
powershell.file.script_block_text : (
"Export-ModuleMember -Function @('Invoke-Expression''Invoke-Command')" and
"function Invoke-Command {"
)
'''
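Review bot: The added `powershell.file.script_block_text` exclusion keys solely on script content, and its first string looks questionable: in PowerShell, `'Invoke-Expression''Invoke-Command'` is one single-quoted string with an escaped quote, not two array elements, so if the script this is meant to allowlist actually reads `@('Invoke-Expression', 'Invoke-Command')` the clause never matches and excludes nothing; confirm it against an observed script block event. Even when exact, a content-only allowlist is weaker than the path-based exclusions above it, because the match depends only on text the script itself supplies. Record which product or module emits this block (in the description or the rule's `false_positives` entry) and, if the event carries it, pair the strings with a narrower field such as the script path so the exclusion stays tied to that source. The query starts outside the hunk.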
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/29"
updated_date = "2024/01/12"
[rule]
author = ["Elastic"]
@@ -30,8 +30,16 @@ type = "eql"
query = '''
network where host.os.type == "windows" and
event.action == "connection_attempted" and destination.port == 3389 and
not process.executable : "?:\\Windows\\System32\\mstsc.exe" and
destination.ip != "::1" and destination.ip != "127.0.0.1"
destination.ip != "::1" and destination.ip != "127.0.0.1" and
not (
process.executable : (
"?:\\Windows\\System32\\mstsc.exe",
"?:\\Program Files (x86)\\mRemoteNG\\mRemoteNG.exe",
"?:\\Program Files (x86)\\PRTG Network Monitor\\PRTG Probe.exe",
"?:\\Program Files\\Azure Advanced Threat Protection Sensor\\*\\Microsoft.Tri.Sensor.exe",
"?:\\Program Files (x86)\\Microsoft\\Remote Desktop Connection Manager\\RDCMan.exe"
) and process.code_signature.trusted == true
)
'''
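Review bot: The new `not ( process.executable : (...) and process.code_signature.trusted == true )` block gates the allowlisted RDP clients on a trusted signature but not on who signed them, so any validly signed binary at one of those paths is excluded; if the data source populates it, adding a `process.code_signature.subject_name` condition alongside would tie each path to its expected publisher. This is still tighter than the unconditional `mstsc.exe` exclusion it replaces, which is a clear improvement. The `"?:\\Program Files\\Azure Advanced Threat Protection Sensor\\*\\Microsoft.Tri.Sensor.exe"` entry is the only wildcarded path; a short note in the description naming the versioned directory it accommodates would keep the glob from being widened later. The enclosing `[rule]` table starts outside the hunk.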