[Rule Tuning] DR Performance-Poor Rules (#3399)

* [Rule Tuning] DR Performance

* .

* Update rules/cross-platform/lateral_movement_remote_file_creation_in_sensitive_directory.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/persistence_registry_uncommon.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update lateral_movement_remote_file_creation_in_sensitive_directory.toml

* Update lateral_movement_remote_file_creation_in_sensitive_directory.toml

* Update persistence_startup_folder_scripts.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit edf4da8526)

rules/cross-platform/lateral_movement_remote_file_creation_in_sensitive_directory.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Avoding rule duplication for <= 8.8 stack versions"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/12"
+updated_date = "2024/03/11"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ index = ["logs-endpoint.events.*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Remote File Creation on a Sensitive Directory"
+name = "Deprecated - Remote File Creation on a Sensitive Directory"
 references = ["https://www.elastic.co/es/blog/remote-desktop-protocol-connections-elastic-security"]
 risk_score = 47
 rule_id = "2377946d-0f01-4957-8812-6878985f515d"
@@ -27,16 +27,18 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-file where (event.action == "creation" or event.action == "modification") and
-process.name:("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server") and not
-user.name:("SYSTEM", "root") and
-(file.path : ("C*\\Users\\*\\AppData\\Roaming*", "C*\\Program*Files\\*",
-    "C*\\Windows\\*", "C*\\Windows\\System\\*",
-    "C*\\Windows\\System32\\*", "/etc/*", "/tmp*",
-    "/var/tmp*", "/home/*/.*", "/home/.*", "/usr/bin/*",
-    "/sbin/*", "/bin/*", "/usr/lib/*", "/usr/sbin/*",
-    "/usr/share/*", "/usr/local/*", "/var/lib/dpkg/*",
-    "/lib/systemd/*"
+file where event.action in ("creation", "modification") and
+  not user.name:("SYSTEM", "root") and
+  process.name in ("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server") and
+  (
+    file.path : (
+        "?:\\Users\\*\\AppData\\Roaming*", "?:\\Program Files*",
+        "?:\\Windows\\*", "?:\\Windows\\System\\*",
+        "?:\\Windows\\System32\\*", "/etc/*", "/tmp*",
+        "/var/tmp*", "/home/*/.*", "/home/.*", "/usr/bin/*",
+        "/sbin/*", "/bin/*", "/usr/lib/*", "/usr/sbin/*",
+        "/usr/share/*", "/usr/local/*", "/var/lib/dpkg/*",
+        "/lib/systemd/*"
     )
 )
 '''

rules/windows/persistence_registry_uncommon.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/01/22"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Detects changes to registry persistence keys that are not commonly used or modif
 be an indication of an adversary's attempt to persist in a stealthy manner.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.registry*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Uncommon Registry Persistence Change"
@@ -28,8 +28,8 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-registry where host.os.type == "windows" and
-  /* uncomment once stable length(registry.data.strings) > 0 and */
+registry where host.os.type == "windows" and event.type in ("creation", "change") and
+ length(registry.data.strings) > 0 and
  registry.path : (
       "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
       "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\\*",

rules/windows/persistence_startup_folder_scripts.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/10/23"
+updated_date = "2024/01/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -39,7 +39,7 @@ Identifies script engines creating files in the Startup folder, or the creation
 Adversaries may abuse this technique to maintain persistence in an environment.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.file*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistent Scripts in the Startup Directory"
@@ -116,7 +116,10 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-file where host.os.type == "windows" and event.type != "deletion" and user.domain != "NT AUTHORITY" and
+file where host.os.type == "windows" and event.type != "deletion" and
+
+  file.extension : ("lnk", "vbs", "vbe", "wsh", "wsf", "js") and
+  not (startsWith(user.domain, "NT") or endsWith(user.domain, "NT")) and
 
   /* detect shortcuts created by wscript.exe or cscript.exe */
   (file.path : "C:\\*\\Programs\\Startup\\*.lnk" and