diff --git a/rules/windows/collection_email_outlook_mailbox_via_com.toml b/rules/windows/collection_email_outlook_mailbox_via_com.toml
index 0f0e3021d..7aab9f82d 100644
--- a/rules/windows/collection_email_outlook_mailbox_via_com.toml
+++ b/rules/windows/collection_email_outlook_mailbox_via_com.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/16"
 [rule]
 author = ["Elastic"]
@@ -24,13 +24,24 @@ risk_score = 47
 rule_id = "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend"]
-timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "windows" and event.action == "start" and process.name : "OUTLOOK.EXE" and
- process.Ext.effective_parent.name != null and
- not process.Ext.effective_parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")
+sequence with maxspan=1m
+[process where host.os.type == "windows" and event.action == "start" and
+ (
+ process.name : (
+ "rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe",
+ "cmd.exe", "regsvr32.exe", "cscript.exe", "wscript.exe"
+ ) or
+ (
+ (process.code_signature.trusted == false or process.code_signature.exists == false) and
+ (process.Ext.relative_file_creation_time <= 500 or process.Ext.relative_file_name_modify_time <= 500)
+ )
+ )
+] by process.executable
+[process where host.os.type == "windows" and event.action == "start" and process.name : "OUTLOOK.EXE" and
+ process.Ext.effective_parent.name != null] by process.Ext.effective_parent.executable
 '''
diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml
index 641d08ab0..a0d2d78b9 100644
--- a/rules/windows/collection_winrar_encryption.toml
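Review bot: The new `sequence with maxspan=1m` carries no host join key, so the only correlation between the two events is `process.executable` of the first matching `process.Ext.effective_parent.executable` of the second; as written, nothing ties the two events to the same endpoint. System binary paths such as the listed interpreters are identical on every host, so a cmd.exe or rundll32.exe start on one machine can complete a sequence with an Outlook launch on another within the minute, a pairing the old single-event query could not produce. The nslookup rule converted in this same commit uses `sequence by host.id with maxspan=5m`; the same shape fits here: `sequence by host.id with maxspan=1m`. The unit of `process.Ext.relative_file_creation_time <= 500` is not stated anywhere in the hunk; a one-line comment above that clause naming the unit would help anyone tuning the 500 threshold later.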
+++ b/rules/windows/collection_winrar_encryption.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/09"
+updated_date = "2023/10/16"
 [rule]
 author = ["Elastic"]
@@ -65,17 +65,24 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
 (
- ((process.name:"rar.exe" or process.code_signature.subject_name == "win.rar GmbH" or
- process.pe.original_file_name == "Command line RAR") and
- process.args == "a" and process.args : ("-hp*", "-p*", "-dw", "-tb", "-ta", "/hp*", "/p*", "/dw", "/tb", "/ta"))
-
- or
- (process.pe.original_file_name in ("7z.exe", "7za.exe") and
- process.args == "a" and process.args : ("-p*", "-sdel"))
-
- /* uncomment if noisy for backup software related FPs */
- /* not process.parent.executable : ("C:\\Program Files\\*.exe", "C:\\Program Files (x86)\\*.exe") */
-)
+ (
+ (
+ process.name:"rar.exe" or process.code_signature.subject_name == "win.rar GmbH" or
+ process.pe.original_file_name == "Command line RAR"
+ ) and
+ process.args == "a" and process.args : ("-hp*", "-p*", "/hp*", "/p*")
+ ) or
+ (
+ process.pe.original_file_name in ("7z.exe", "7za.exe") and
+ process.args == "a" and process.args : "-p*"
+ )
+) and
+ not process.parent.executable : (
+ "C:\\Program Files\\*.exe",
+ "C:\\Program Files (x86)\\*.exe",
+ "?:\\ManageEngine\\*\\jre\\bin\\java.exe",
+ "?:\\Nox\\bin\\Nox.exe"
+ )
 '''
diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml
index 274cbb41b..2e6a01b59 100644
--- a/rules/windows/command_and_control_common_webservices.toml
+++ b/rules/windows/command_and_control_common_webservices.toml
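Review bot: The new `not process.parent.executable` list mixes drive anchors: the two Program Files entries are pinned to `C:` while the ManageEngine and Nox entries use `?:`, so a Program Files install on another drive is still alerted on but a ManageEngine JRE on any drive is excluded. If the list is meant to be drive-agnostic, `"?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe"` matches the form the webservices rule in this commit uses. The exclusion is also now unconditional where the removed version was a commented-out opt-in for backup-software noise, and the two new entries carry no rationale; a comment above the list such as `/* Observed FP sources: ManageEngine bundled JRE, Nox; exclusion is by parent path only, no signature check */` would record both why they are trusted and the trade-off being accepted.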
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/09"
+updated_date = "2023/10/16"
 [transform]
 [[transform.osquery]]
@@ -140,19 +140,24 @@ network where host.os.type == "windows" and network.protocol == "dns" and
 ) and
 /* Insert noisy false positives here */
 not (
- process.executable : (
- "?:\\Program Files\\*.exe",
- "?:\\Program Files (x86)\\*.exe",
- "?:\\Windows\\System32\\WWAHost.exe",
- "?:\\Windows\\System32\\smartscreen.exe",
- "?:\\Windows\\System32\\MicrosoftEdgeCP.exe",
- "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
- "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
- "?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe",
- "?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
- "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
- "?:\\Windows\\system32\\mobsync.exe",
- "?:\\Windows\\SysWOW64\\mobsync.exe"
+ (
+ process.executable : (
+ "?:\\Program Files\\*.exe",
+ "?:\\Program Files (x86)\\*.exe",
+ "?:\\Windows\\System32\\WWAHost.exe",
+ "?:\\Windows\\System32\\smartscreen.exe",
+ "?:\\Windows\\System32\\MicrosoftEdgeCP.exe",
+ "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
+ "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
+ "?:\\Users\\*\\AppData\\Local\\BraveSoftware\\*\\Application\\brave.exe",
+ "?:\\Users\\*\\AppData\\Local\\Vivaldi\\Application\\vivaldi.exe",
+ "?:\\Users\\*\\AppData\\Local\\Programs\\Opera*\\opera.exe",
+ "?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe",
+ "?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
+ "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
+ "?:\\Windows\\system32\\mobsync.exe",
+ "?:\\Windows\\SysWOW64\\mobsync.exe"
+ ) and process.code_signature.trusted == true
 ) or
 /* Discord App */
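Review bot: The `and process.code_signature.trusted == true` gate added after the executable list accepts a trusted signature from any publisher, and it now also covers the Chrome, Brave, Vivaldi and Opera entries under `?:\\Users\\*\\AppData\\Local\\`, a per-user location rather than a system one. The Firefox clause further down this query, and the Dropbox and Obsidian clauses this commit adds, pin `process.code_signature.subject_name` together with `trusted == true`, so the user-profile browsers are held to a weaker standard than the other allowlisted applications in the same rule. Consider moving the four browser entries into per-publisher clauses in the Firefox style, or at least adding a comment on the `) and process.code_signature.trusted == true` line stating that the publisher is intentionally not pinned for this group so the choice is visible to the next person tuning the list.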
@@ -168,6 +173,21 @@ network where host.os.type == "windows" and network.protocol == "dns" and
 /* Firefox */
 (process.name : "firefox.exe" and (process.code_signature.subject_name : "Mozilla Corporation" and
 process.code_signature.trusted == true)
+ ) or
+
+ /* Dropbox */
+ (process.name : "Dropbox.exe" and (process.code_signature.subject_name : "Dropbox, Inc" and
+ process.code_signature.trusted == true) and dns.question.name : ("api.dropboxapi.com", "*.dropboxusercontent.com")
+ ) or
+
+ /* Obsidian - Plugins are stored on raw.githubusercontent.com */
+ (process.name : "Obsidian.exe" and (process.code_signature.subject_name : "Dynalist Inc" and
+ process.code_signature.trusted == true) and dns.question.name : "raw.githubusercontent.com"
+ ) or
+
+ /* WebExperienceHostApp */
+ (process.name : "WebExperienceHostApp.exe" and (process.code_signature.subject_name : "Microsoft Windows" and
+ process.code_signature.trusted == true) and dns.question.name : ("onedrive.live.com", "skyapi.onedrive.live.com")
 )
 )
 '''
diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
index 2fd96ee97..cb20e2c2f 100644
--- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml
+++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/09"
+updated_date = "2023/10/16"
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ may indicate command and control activity utilizing the DNS protocol.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "Potential DNS Tunneling via NsLookup"
 note = """## Triage and analysis
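Review bot: Of the three exclusions added to the webservices rule here, only the Obsidian clause records why its domain is allowlisted; the Dropbox and WebExperienceHostApp clauses pin `dns.question.name` to specific hosts without saying what traffic they stand for, which is what a maintainer needs when one of those hosts changes. A rationale in the same style, e.g. `/* Dropbox - desktop client API and content hosts */` and `/* WebExperienceHostApp - OneDrive endpoints */`, would keep the block self-describing. For the last clause it is worth saying in that comment that the domain pin is what scopes the entry, since `"Microsoft Windows"` is the signer of OS components generally and the subject name alone narrows little.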
@@ -64,10 +64,12 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend"
 ]
-type = "threshold"
+type = "eql"
 query = '''
-event.category:process and host.os.type:windows and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*)
+sequence by host.id with maxspan=5m
+[process where host.os.type == "windows" and event.type == "start" and
+ process.name : "nslookup.exe" and process.args:("-querytype=*", "-qt=*", "-q=*", "-type=*")] with runs = 10
 '''
@@ -92,7 +94,3 @@ id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-[rule.threshold]
-field = ["host.id"]
-value = 15
-
diff --git a/rules/windows/command_and_control_certutil_network_connection.toml b/rules_building_block/command_and_control_certutil_network_connection.toml
similarity index 88%
rename from rules/windows/command_and_control_certutil_network_connection.toml
rename to rules_building_block/command_and_control_certutil_network_connection.toml
index 6645af86b..35d06368a 100644
--- a/rules/windows/command_and_control_certutil_network_connection.toml
+++ b/rules_building_block/command_and_control_certutil_network_connection.toml
@@ -4,7 +4,8 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/16"
+bypass_bbr_timing = true
 [transform]
 [[transform.osquery]]
@@ -34,6 +35,7 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
 [rule]
 author = ["Elastic"]
+building_block_type = "default"
 description = """
 Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.
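Review bot: `with runs = 10` on the new sequence replaces the `[rule.threshold]` block removed later on this line, whose `value = 15`, so the rule now fires on 10 qualifying nslookup starts per `host.id` inside the new 5-minute `maxspan` rather than 15 inside the rule's lookback. The hunk does not say whether the lower count is deliberate or a by-product of the sequence conversion; a comment in the query such as `/* 10 nslookup invocations with an explicit query type from one host within 5 minutes */` would capture the intent and the reason the number moved. Style: `process.args:(...)` has no space before the operator while `process.name : "nslookup.exe"` on the same line does; `process.args : (...)` matches the rest of the file. If the triage `note` outside this hunk still describes threshold semantics, it should be updated alongside.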
@@ -102,18 +104,17 @@ risk_score = 21
 rule_id = "3838e0e3-1850-4850-a411-2e8c5ba40ba8"
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-sequence by process.entity_id
- [process where host.os.type == "windows" and process.name : "certutil.exe" and event.type == "start"]
- [network where host.os.type == "windows" and process.name : "certutil.exe" and
- not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
- "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32",
- "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
- "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24",
- "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1",
- "FE80::/10", "FF00::/8")]
+network where host.os.type == "windows" and process.name : "certutil.exe" and
+ not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
+ "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32",
+ "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
+ "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24",
+ "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1",
+ "FE80::/10", "FF00::/8")
 '''