[Rule Tuning] Windows DR Tuning - 1 (#3198)

* [Rule Tuning] Windows DR Tuning - 1

* Update collection_winrar_encryption.toml
Jonhnathan
2023-10-26 17:20:32 -03:00
committed by GitHub
parent 36b0a49e7d
commit a5240e4063
5 changed files with 86 additions and 49 deletions
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.4.0"
updated_date = "2023/06/22"
updated_date = "2023/10/16"
[rule]
author = ["Elastic"]
@@ -24,13 +24,24 @@ risk_score = 47
rule_id = "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "windows" and event.action == "start" and process.name : "OUTLOOK.EXE" and
process.Ext.effective_parent.name != null and
not process.Ext.effective_parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")
sequence with maxspan=1m
[process where host.os.type == "windows" and event.action == "start" and
(
process.name : (
"rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe",
"cmd.exe", "regsvr32.exe", "cscript.exe", "wscript.exe"
) or
(
(process.code_signature.trusted == false or process.code_signature.exists == false) and
(process.Ext.relative_file_creation_time <= 500 or process.Ext.relative_file_name_modify_time <= 500)
)
)
] by process.executable
[process where host.os.type == "windows" and event.action == "start" and process.name : "OUTLOOK.EXE" and
process.Ext.effective_parent.name != null] by process.Ext.effective_parent.executable
'''
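Review bot: The new `sequence with maxspan=1m` has no host key, so the two events are joined only on the executable path: a `cmd.exe` start on one host and an `OUTLOOK.EXE` start whose effective parent is `cmd.exe` on another host within a minute satisfy it, and on a fleet a shared path like `?:\\Windows\\System32\\cmd.exe` will correlate unrelated machines. Keying on the host, `sequence by host.id with maxspan=1m`, keeps the existing `by process.executable` / `by process.Ext.effective_parent.executable` join and limits it to one machine. The `<= 500` bounds on `process.Ext.relative_file_creation_time` and `process.Ext.relative_file_name_modify_time` carry no unit in the query; if these are seconds, a comment such as `/* seconds since the image was created or last renamed */` would help the next tuner. The rule's threat mapping and the rest of its metadata fall outside this hunk.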
+19 -12
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/09"
updated_date = "2023/10/16"
[rule]
author = ["Elastic"]
@@ -65,17 +65,24 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(
((process.name:"rar.exe" or process.code_signature.subject_name == "win.rar GmbH" or
process.pe.original_file_name == "Command line RAR") and
process.args == "a" and process.args : ("-hp*", "-p*", "-dw", "-tb", "-ta", "/hp*", "/p*", "/dw", "/tb", "/ta"))
or
(process.pe.original_file_name in ("7z.exe", "7za.exe") and
process.args == "a" and process.args : ("-p*", "-sdel"))
/* uncomment if noisy for backup software related FPs */
/* not process.parent.executable : ("C:\\Program Files\\*.exe", "C:\\Program Files (x86)\\*.exe") */
)
(
(
process.name:"rar.exe" or process.code_signature.subject_name == "win.rar GmbH" or
process.pe.original_file_name == "Command line RAR"
) and
process.args == "a" and process.args : ("-hp*", "-p*", "/hp*", "/p*")
) or
(
process.pe.original_file_name in ("7z.exe", "7za.exe") and
process.args == "a" and process.args : "-p*"
)
) and
not process.parent.executable : (
"C:\\Program Files\\*.exe",
"C:\\Program Files (x86)\\*.exe",
"?:\\ManageEngine\\*\\jre\\bin\\java.exe",
"?:\\Nox\\bin\\Nox.exe"
)
'''
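Review bot: The previously commented-out parent exclusion is now unconditional and is a path-only allowlist: any process whose image sits under `C:\\Program Files\\` or `C:\\Program Files (x86)\\` can spawn `rar.exe a -hp…` undetected, which covers scripting hosts and runtimes installed there and any vendor directory that happens to be user-writable. The two added entries are drive-relative (`?:\\ManageEngine\\…`, `?:\\Nox\\bin\\Nox.exe`) while the first two are pinned to `C:\\`; since the rest of this commit uses `?:\\`, the mismatch looks accidental and `"?:\\Program Files\\*.exe"` / `"?:\\Program Files (x86)\\*.exe"` would match the others. `?:\\Nox\\bin\\Nox.exe` is a drive-root path that is likely writable by the installing user, so an exclusion by path alone is easy to satisfy; if this data source exposes parent signature fields, gating the exclusion on a validly signed parent would tighten it, otherwise narrowing the Program Files entries to the backup products that actually produced the false positives is safer than the blanket match.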
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/09"
updated_date = "2023/10/16"
[transform]
[[transform.osquery]]
@@ -140,19 +140,24 @@ network where host.os.type == "windows" and network.protocol == "dns" and
) and
/* Insert noisy false positives here */
not (
process.executable : (
"?:\\Program Files\\*.exe",
"?:\\Program Files (x86)\\*.exe",
"?:\\Windows\\System32\\WWAHost.exe",
"?:\\Windows\\System32\\smartscreen.exe",
"?:\\Windows\\System32\\MicrosoftEdgeCP.exe",
"?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
"?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe",
"?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
"?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
"?:\\Windows\\system32\\mobsync.exe",
"?:\\Windows\\SysWOW64\\mobsync.exe"
(
process.executable : (
"?:\\Program Files\\*.exe",
"?:\\Program Files (x86)\\*.exe",
"?:\\Windows\\System32\\WWAHost.exe",
"?:\\Windows\\System32\\smartscreen.exe",
"?:\\Windows\\System32\\MicrosoftEdgeCP.exe",
"?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
"?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Users\\*\\AppData\\Local\\BraveSoftware\\*\\Application\\brave.exe",
"?:\\Users\\*\\AppData\\Local\\Vivaldi\\Application\\vivaldi.exe",
"?:\\Users\\*\\AppData\\Local\\Programs\\Opera*\\opera.exe",
"?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe",
"?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
"?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
"?:\\Windows\\system32\\mobsync.exe",
"?:\\Windows\\SysWOW64\\mobsync.exe"
) and process.code_signature.trusted == true
) or
/* Discord App */
@@ -168,6 +173,21 @@ network where host.os.type == "windows" and network.protocol == "dns" and
/* Firefox */
(process.name : "firefox.exe" and (process.code_signature.subject_name : "Mozilla Corporation" and
process.code_signature.trusted == true)
) or
/* Dropbox */
(process.name : "Dropbox.exe" and (process.code_signature.subject_name : "Dropbox, Inc" and
process.code_signature.trusted == true) and dns.question.name : ("api.dropboxapi.com", "*.dropboxusercontent.com")
) or
/* Obsidian - Plugins are stored on raw.githubusercontent.com */
(process.name : "Obsidian.exe" and (process.code_signature.subject_name : "Dynalist Inc" and
process.code_signature.trusted == true) and dns.question.name : "raw.githubusercontent.com"
) or
/* WebExperienceHostApp */
(process.name : "WebExperienceHostApp.exe" and (process.code_signature.subject_name : "Microsoft Windows" and
process.code_signature.trusted == true) and dns.question.name : ("onedrive.live.com", "skyapi.onedrive.live.com")
)
)
'''
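Review bot: The rebuilt exclusion block now requires `process.code_signature.trusted == true` for the executable list, but for the user-writable `AppData\\Local` entries (chrome, brave, vivaldi, opera, Fiddler, Code, OneDrive) that only proves the signature chain is valid, not who signed: a validly signed binary from any publisher dropped at one of those paths is excluded. The per-application clauses added in the same section (`Dropbox.exe`, `Obsidian.exe`, `WebExperienceHostApp.exe`) and the existing Firefox clause pin `process.code_signature.subject_name`, and the new ones also pin the permitted `dns.question.name`; moving the AppData entries into that form would make the allowlist consistent and harder to satisfy with a planted binary. `Opera*` on the opera path is a wildcard directory match; if it is meant to cover variants installed under differently named folders, a short `/* … */` comment naming them would help the next tuner. The leading part of the query, including the service-domain list this block exempts, is outside the hunk.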
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/09"
updated_date = "2023/10/16"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ may indicate command and control activity utilizing the DNS protocol.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "kuery"
language = "eql"
license = "Elastic License v2"
name = "Potential DNS Tunneling via NsLookup"
note = """## Triage and analysis
@@ -64,10 +64,12 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
type = "threshold"
type = "eql"
query = '''
event.category:process and host.os.type:windows and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*)
sequence by host.id with maxspan=5m
[process where host.os.type == "windows" and event.type == "start" and
process.name : "nslookup.exe" and process.args:("-querytype=*", "-qt=*", "-q=*", "-type=*")] with runs = 10
'''
@@ -92,7 +94,3 @@ id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[rule.threshold]
field = ["host.id"]
value = 15
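Review bot: Replacing the threshold of 15 per `host.id` (the removed `[rule.threshold]` block) with `sequence by host.id with maxspan=5m [...] with runs = 10` changes what counts as suspicious, and the new query carries no explanation of the chosen count or window. A query comment such as `/* 10 nslookup launches with an explicit query type on one host within 5 minutes; raise runs or shrink maxspan where DNS tooling is common */` would record the intent for tuning. Unlike the threshold rule, which produced one alert per host per window, the sequence can fire once per ten matches on a host that keeps running nslookup, so the `note` triage guidance (outside this hunk) may need a line on alert volume. The `from = "now-9m"` look-back visible at the top of the section still exceeds the 5-minute span, so the window itself is covered.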
@@ -4,7 +4,8 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/10/16"
bypass_bbr_timing = true
[transform]
[[transform.osquery]]
@@ -34,6 +35,7 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or
malware, from a remote URL.
@@ -102,18 +104,17 @@ risk_score = 21
rule_id = "3838e0e3-1850-4850-a411-2e8c5ba40ba8"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
sequence by process.entity_id
[process where host.os.type == "windows" and process.name : "certutil.exe" and event.type == "start"]
[network where host.os.type == "windows" and process.name : "certutil.exe" and
not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
"192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32",
"192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
"192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24",
"198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1",
"FE80::/10", "FF00::/8")]
network where host.os.type == "windows" and process.name : "certutil.exe" and
not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
"192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32",
"192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
"192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24",
"198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1",
"FE80::/10", "FF00::/8")
'''
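Review bot: The single `network where …` event replaces the process-start join, so the only process identity check left is `process.name : "certutil.exe"`; a renamed copy of certutil evades it, which the old sequence also allowed but which now has no second event to pivot on. If network events in this data source carry `process.pe.original_file_name` or `process.code_signature.*`, matching on the original file name alongside the name would close that; if they do not, the limitation is worth a `/* … */` comment in the query. The `cidrmatch` exclusion lists IPv4 private and reserved space plus `::1`, `FE80::/10` and `FF00::/8`, but not IPv6 unique-local addresses, so certutil reaching an internal IPv6-only host is treated as external while the same host on `10.0.0.0/8` is not; adding `"FC00::/7"` to the list keeps the two address families consistent. The rule's threat mapping, if any, lies beyond this hunk.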