From 9dc4500cd727f9e84dc5ba258e5a494eab1a2b9b Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 13 Jan 2022 16:40:10 -0300 Subject: [PATCH] [Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704) * Replace source.address to source.ip for compatibility * Change query * Missing and condition (cherry picked from commit cbf07986462f04ba3c168b312ef99dcb912438c3) --- rules/windows/lateral_movement_dcom_hta.toml | 4 ++-- rules/windows/lateral_movement_dcom_mmc20.toml | 6 +++--- ...ateral_movement_dcom_shellwindow_shellbrowserwindow.toml | 4 ++-- .../lateral_movement_executable_tool_transfer_smb.toml | 6 +++--- .../lateral_movement_incoming_winrm_shell_execution.toml | 4 ++-- rules/windows/lateral_movement_incoming_wmi.toml | 5 ++--- .../lateral_movement_powershell_remoting_target.toml | 4 ++-- rules/windows/lateral_movement_rdp_sharprdp_target.toml | 4 ++-- rules/windows/lateral_movement_remote_services.toml | 4 ++-- rules/windows/lateral_movement_scheduled_task_target.toml | 4 ++-- 10 files changed, 22 insertions(+), 23 deletions(-) diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml index 4383fb2f0..fd2abc55f 100644 --- a/rules/windows/lateral_movement_dcom_hta.toml +++ b/rules/windows/lateral_movement_dcom_hta.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/03" maturity = "production" -updated_date = "2021/10/13" +updated_date = "2022/01/13" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ sequence with maxspan=1m ] by host.id, process.entity_id [network where event.type == "start" and process.name : "mshta.exe" and network.direction : ("incoming", "ingress") and network.transport == "tcp" and - source.port > 49151 and destination.port > 49151 and not source.address in ("127.0.0.1", "::1") + source.port > 49151 and destination.port > 49151 and source.ip != "127.0.0.1" and source.ip != "::1" ] by host.id, process.entity_id ''' diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml index 238fe0352..b8c2de134 100644 --- a/rules/windows/lateral_movement_dcom_mmc20.toml +++ b/rules/windows/lateral_movement_dcom_mmc20.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/06" maturity = "production" -updated_date = "2021/10/13" +updated_date = "2022/01/13" [rule] author = ["Elastic"] @@ -24,8 +24,8 @@ type = "eql" query = ''' sequence by host.id with maxspan=1m - [network where event.type == "start" and process.name : "mmc.exe" and - source.port >= 49152 and destination.port >= 49152 and source.address not in ("127.0.0.1", "::1") and + [network where event.type == "start" and process.name : "mmc.exe" and source.port >= 49152 and + destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1" and network.direction : ("incoming", "ingress") and network.transport == "tcp" ] by process.entity_id [process where event.type in ("start", "process_started") and process.parent.name : "mmc.exe" diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml index cf73f6e3f..7abcd80c5 100644 --- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml +++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/06" maturity = "production" -updated_date = "2021/10/13" +updated_date = "2022/01/13" [rule] author = ["Elastic"] @@ -26,7 +26,7 @@ query = ''' sequence by host.id with maxspan=5s [network where event.type == "start" and process.name : "explorer.exe" and network.direction : ("incoming", "ingress") and network.transport == "tcp" and - source.port > 49151 and destination.port > 49151 and not source.address in ("127.0.0.1", "::1") + source.port > 49151 and destination.port > 49151 and source.ip != "127.0.0.1" and source.ip != "::1" ] by process.entity_id [process where event.type in ("start", "process_started") and process.parent.name : "explorer.exe" diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml index b5e374120..8466fdd5e 100644 --- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml +++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/10" maturity = "production" -updated_date = "2021/10/13" +updated_date = "2022/01/13" [rule] author = ["Elastic"] @@ -23,8 +23,8 @@ type = "eql" query = ''' sequence by host.id with maxspan=30s [network where event.type == "start" and process.pid == 4 and destination.port == 445 and - network.direction : ("incoming", "ingress") and network.transport == "tcp" and - source.address != "127.0.0.1" and source.address != "::1" + network.direction : ("incoming", "ingress") and + network.transport == "tcp" and source.ip != "127.0.0.1" and source.ip != "::1" ] by process.entity_id /* add more executable extensions here if they are not noisy in your environment */ [file where event.type in ("creation", "change") and process.pid == 4 and file.extension : ("exe", "dll", "bat", "cmd")] by process.entity_id diff --git a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml index bd16dd76d..9a45277bf 100644 --- a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml +++ b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/24" maturity = "production" -updated_date = "2021/10/13" +updated_date = "2022/01/13" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ type = "eql" query = ''' sequence by host.id with maxspan=30s [network where process.pid == 4 and network.direction : ("incoming", "ingress") and - destination.port in (5985, 5986) and network.protocol == "http" and not source.address in ("::1", "127.0.0.1") + destination.port in (5985, 5986) and network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1" ] [process where event.type == "start" and process.parent.name : "winrshost.exe" and not process.name : "conhost.exe"] ''' diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml index 49dea0cc8..8ec58a746 100644 --- a/rules/windows/lateral_movement_incoming_wmi.toml +++ b/rules/windows/lateral_movement_incoming_wmi.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/15" maturity = "production" -updated_date = "2021/10/13" +updated_date = "2022/01/13" [rule] author = ["Elastic"] @@ -26,8 +26,7 @@ sequence by host.id with maxspan = 2s /* Accepted Incoming RPC connection by Winmgmt service */ [network where process.name : "svchost.exe" and network.direction : ("incoming", "ingress") and - source.address != "127.0.0.1" and source.address != "::1" and - source.port >= 49152 and destination.port >= 49152 + source.ip != "127.0.0.1" and source.ip != "::1" and source.port >= 49152 and destination.port >= 49152 ] /* Excluding Common FPs Nessus and SCCM */ diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml index 091944b80..f1f85f460 100644 --- a/rules/windows/lateral_movement_powershell_remoting_target.toml +++ b/rules/windows/lateral_movement_powershell_remoting_target.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/24" maturity = "production" -updated_date = "2021/10/13" +updated_date = "2022/01/13" [rule] author = ["Elastic"] @@ -32,7 +32,7 @@ type = "eql" query = ''' sequence by host.id with maxspan = 30s [network where network.direction : ("incoming", "ingress") and destination.port in (5985, 5986) and - network.protocol == "http" and source.address != "127.0.0.1" and source.address != "::1" + network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1" ] [process where event.type == "start" and process.parent.name : "wsmprovhost.exe" and not process.name : "conhost.exe"] ''' diff --git a/rules/windows/lateral_movement_rdp_sharprdp_target.toml b/rules/windows/lateral_movement_rdp_sharprdp_target.toml index a862ddc6b..457b8c7b1 100644 --- a/rules/windows/lateral_movement_rdp_sharprdp_target.toml +++ b/rules/windows/lateral_movement_rdp_sharprdp_target.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/11" maturity = "production" -updated_date = "2021/10/13" +updated_date = "2022/01/13" [rule] author = ["Elastic"] @@ -30,7 +30,7 @@ query = ''' sequence by host.id with maxspan=1m [network where event.type == "start" and process.name : "svchost.exe" and destination.port == 3389 and network.direction : ("incoming", "ingress") and network.transport == "tcp" and - source.address != "127.0.0.1" and source.address != "::1" + source.ip != "127.0.0.1" and source.ip != "::1" ] [registry where process.name : "explorer.exe" and diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml index 35429f877..7c4a6d600 100644 --- a/rules/windows/lateral_movement_remote_services.toml +++ b/rules/windows/lateral_movement_remote_services.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/16" maturity = "production" -updated_date = "2021/10/13" +updated_date = "2022/01/13" [rule] author = ["Elastic"] @@ -24,7 +24,7 @@ query = ''' sequence with maxspan=1s [network where process.name : "services.exe" and network.direction : ("incoming", "ingress") and network.transport == "tcp" and - source.port >= 49152 and destination.port >= 49152 and source.address not in ("127.0.0.1", "::1") + source.port >= 49152 and destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1" ] by host.id, process.entity_id [process where event.type in ("start", "process_started") and process.parent.name : "services.exe" and diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml index 75aef9e70..665641a28 100644 --- a/rules/windows/lateral_movement_scheduled_task_target.toml +++ b/rules/windows/lateral_movement_scheduled_task_target.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/20" maturity = "production" -updated_date = "2021/10/13" +updated_date = "2022/01/13" [rule] author = ["Elastic"] @@ -58,7 +58,7 @@ query = ''' sequence by host.id, process.entity_id with maxspan = 1m [network where process.name : "svchost.exe" and network.direction : ("incoming", "ingress") and source.port >= 49152 and destination.port >= 49152 and - source.address != "127.0.0.1" and source.address != "::1" + source.ip != "127.0.0.1" and source.ip != "::1" ] [registry where registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"] '''