[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 1 (#5016)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 1 * Update defense_evasion_amsi_bypass_dllhijack.toml * Update command_and_control_outlook_home_page.toml * Update command_and_control_outlook_home_page.toml * Update defense_evasion_amsi_bypass_dllhijack.toml * Update rules/windows/command_and_control_port_forwarding_added_registry.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
This commit is contained in:
Jonhnathan
@@ -1,8 +1,8 @@
|
||||
[metadata]
|
||||
creation_date = "2024/08/01"
|
||||
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
|
||||
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/06/12"
|
||||
updated_date = "2025/08/26"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -18,6 +18,7 @@ index = [
|
||||
"endgame-*",
|
||||
"logs-m365_defender.event-*",
|
||||
"logs-sentinel_one_cloud_funnel.*",
|
||||
"logs-crowdstrike.fdr*",
|
||||
]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
@@ -60,9 +61,9 @@ references = [
|
||||
"https://cloud.google.com/blog/topics/threat-intelligence/breaking-the-rules-tough-outlook-for-home-page-attacks/",
|
||||
"https://github.com/trustedsec/specula",
|
||||
]
|
||||
risk_score = 47
|
||||
risk_score = 73
|
||||
rule_id = "ac5a2759-5c34-440a-b0c4-51fe674611d6"
|
||||
severity = "medium"
|
||||
severity = "high"
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Windows",
|
||||
@@ -75,6 +76,7 @@ tags = [
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: SentinelOne",
|
||||
"Resources: Investigation Guide",
|
||||
"Data Source: Crowdstrike",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
@@ -84,7 +86,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and regi
|
||||
registry.path : (
|
||||
"*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\*",
|
||||
"*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Today\\*"
|
||||
) and registry.data.strings : "*://*"
|
||||
) and registry.data.strings : ("*://*", "*http*")
|
||||
'''
|
||||
|
||||
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/25"
|
||||
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
|
||||
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/03/20"
|
||||
updated_date = "2025/08/26"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -18,6 +18,7 @@ index = [
|
||||
"endgame-*",
|
||||
"logs-sentinel_one_cloud_funnel.*",
|
||||
"logs-m365_defender.event-*",
|
||||
"logs-crowdstrike.fdr*",
|
||||
]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
@@ -81,16 +82,14 @@ tags = [
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: SentinelOne",
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: Crowdstrike",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
registry where host.os.type == "windows" and registry.path : (
|
||||
"HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*",
|
||||
"\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*",
|
||||
"MACHINE\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*"
|
||||
)
|
||||
registry where host.os.type == "windows" and event.type == "change" and
|
||||
registry.path : "*\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*" and registry.data.strings != null
|
||||
'''
|
||||
|
||||
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
[metadata]
|
||||
creation_date = "2020/08/31"
|
||||
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
|
||||
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/03/20"
|
||||
updated_date = "2025/08/26"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -15,6 +15,7 @@ index = [
|
||||
"endgame-*",
|
||||
"logs-sentinel_one_cloud_funnel.*",
|
||||
"logs-m365_defender.event-*",
|
||||
"logs-crowdstrike.fdr*",
|
||||
]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
@@ -83,6 +84,7 @@ tags = [
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: SentinelOne",
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: Crowdstrike",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
[metadata]
|
||||
creation_date = "2023/01/17"
|
||||
integration = ["windows", "endpoint", "sentinel_one_cloud_funnel", "m365_defender"]
|
||||
integration = ["windows", "endpoint", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/05/05"
|
||||
updated_date = "2025/08/26"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -44,6 +44,7 @@ index = [
|
||||
"endgame-*",
|
||||
"logs-sentinel_one_cloud_funnel.*",
|
||||
"logs-m365_defender.event-*",
|
||||
"logs-crowdstrike.fdr*",
|
||||
]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
@@ -111,38 +112,38 @@ tags = [
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: SentinelOne",
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: Crowdstrike",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
file where host.os.type == "windows" and event.type != "deletion" and file.path != null and
|
||||
file.name : ("amsi.dll", "amsi") and
|
||||
file.name : ("amsi.dll", "amsi") and
|
||||
event.action != "A process changed a file creation time" and
|
||||
not file.path : (
|
||||
"?:\\$SysReset\\CloudImage\\Package_for_RollupFix*",
|
||||
"?:\\$SysReset\\CloudImage\\Package_for_RollupFix*\\amsi.dll",
|
||||
"?:\\Windows\\system32\\amsi.dll",
|
||||
"?:\\Windows\\Syswow64\\amsi.dll",
|
||||
"?:\\$WINDOWS.~BT\\DUImageSandbox\\*",
|
||||
"?:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSXS\\*",
|
||||
"?:\\$WINDOWS.~BT\\NewOS\\Windows\\servicing\\LCU\\*",
|
||||
"?:\\$WINDOWS.~BT\\Work\\*\\*",
|
||||
"?:\\$WINDOWS.~BT\\Store\\Offline\\File\\C$\\Windows\\SoftwareDistribution\\Download.bak\\*",
|
||||
"?:\\Windows\\CbsTemp\\*\\f\\amsi.dll",
|
||||
"?:\\$WINDOWS.~BT\\*\\amsi.dll",
|
||||
"?:\\Windows\\CbsTemp\\*\\amsi.dll",
|
||||
"?:\\Windows\\SoftwareDistribution\\Download\\*",
|
||||
"?:\\Windows\\WinSxS\\amd64_microsoft-antimalware-scan-interface_*\\amsi.dll"
|
||||
) and
|
||||
not
|
||||
(
|
||||
process.executable : "C:\\Windows\\System32\\wbengine.exe" and
|
||||
file.path : (
|
||||
"\\Device\\HarddiskVolume??\\Windows\\system32\\amsi.dll",
|
||||
"\\Device\\HarddiskVolume??\\Windows\\syswow64\\amsi.dll",
|
||||
"\\Device\\HarddiskVolume??\\Windows\\WinSxS\\*\\amsi.dll",
|
||||
"\\\\?\\Volume{*}\\Windows\\WinSxS\\*\\amsi.dll",
|
||||
"\\\\?\\Volume{*}\\Windows\\system32\\amsi.dll",
|
||||
"\\\\?\\Volume{*}\\Windows\\syswow64\\amsi.dll"
|
||||
)
|
||||
)
|
||||
"?:\\Windows\\WinSxS\\*\\amsi.dll",
|
||||
"?:\\Windows\\servicing\\*\\amsi.dll",
|
||||
"\\\\?\\Volume{*}\\Windows\\WinSxS\\*\\amsi.dll",
|
||||
"\\\\?\\Volume{*}\\Windows\\system32\\amsi.dll",
|
||||
"\\\\?\\Volume{*}\\Windows\\syswow64\\amsi.dll",
|
||||
|
||||
/* Crowdstrike specific exclusion as it uses NT Object paths */
|
||||
"\\Device\\HarddiskVolume*\\Windows\\system32\\amsi.dll",
|
||||
"\\Device\\HarddiskVolume*\\Windows\\syswow64\\amsi.dll",
|
||||
"\\Device\\HarddiskVolume*\\Windows\\WinSxS\\*\\amsi.dll",
|
||||
"\\Device\\HarddiskVolume*\\$SysReset\\CloudImage\\Package_for_RollupFix*\\amsi.dll",
|
||||
"\\Device\\HarddiskVolume*\\$WINDOWS.~BT\\*\\amsi.dll",
|
||||
"\\Device\\HarddiskVolume*\\Windows\\SoftwareDistribution\\Download\\*\\amsi.dll",
|
||||
"\\Device\\HarddiskVolume*\\Windows\\CbsTemp\\*\\amsi.dll",
|
||||
"\\Device\\HarddiskVolume*\\Windows\\servicing\\*\\amsi.dll"
|
||||
)
|
||||
'''
|
||||
|
||||
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
[metadata]
|
||||
creation_date = "2021/06/01"
|
||||
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
|
||||
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/03/20"
|
||||
updated_date = "2025/08/26"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -18,6 +18,7 @@ index = [
|
||||
"endgame-*",
|
||||
"logs-m365_defender.event-*",
|
||||
"logs-sentinel_one_cloud_funnel.*",
|
||||
"logs-crowdstrike.fdr*",
|
||||
]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
@@ -90,6 +91,7 @@ tags = [
|
||||
"Data Source: Sysmon",
|
||||
"Data Source: Microsoft Defender for Endpoint",
|
||||
"Data Source: SentinelOne",
|
||||
"Data Source: Crowdstrike",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
Reference in New Issue
Block a user