[Rule Tuning] Tune PowerShell rule FPs related to MS ATP (#2729)

Jonhnathan
2023-04-20 12:37:06 -03:00
committed by GitHub
parent 2705df81e2
commit b1e3215cd5
4 changed files with 16 additions and 8 deletions
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/02/27"
updated_date = "2023/04/20"
[transform]
[[transform.osquery]]
@@ -138,7 +138,9 @@ event.category:process and host.os.type:windows and
"IO.Compression.GzipStream"
) and
FromBase64String
) and not user.id : "S-1-5-18"
) and not
(user.id:("S-1-5-18" or "S-1-5-19") and
file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads")
'''
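Review bot: The new exclusion suppresses SYSTEM and LOCAL SERVICE activity on the strength of the `file.directory` string alone, so anything already executing as S-1-5-18 or S-1-5-19 that launches a script from that directory is exempted, whichever product or process put it there; the same pattern is added in the SenseCM, DataCollection and second Downloads hunks of the other three files. This is still a net tightening over the dropped blanket `not user.id : "S-1-5-18"`, so the change is sound, but the residual gap should be stated where the rule is maintained, e.g. a note alongside the query: `# Exclusion is directory-based only; activity under the MDE path running as SYSTEM/LOCAL SERVICE is not alerted on` (KQL itself carries no comments, so this belongs in the rule's description or note field rather than inside `query`). If the logs expose the launching parent process, pairing the directory with that attribute would make the exclusion considerably harder to ride on. Also note the match is exact on the directory value, so a deeper subfolder under the Downloads path would not be excluded; confirm that is intended rather than an oversight. The `query` string continues above the hunk, outside the visible lines.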
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/02/22"
updated_date = "2023/04/20"
[rule]
author = ["Elastic"]
@@ -94,7 +94,9 @@ event.category:process and host.os.type:windows and
LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and
(WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or
SuspendThread or ResumeThread or GetDelegateForFunctionPointer)
) and not user.id : "S-1-5-18"
) and not
(user.id:("S-1-5-18" or "S-1-5-19") and
file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\SenseCM")
'''
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/02/22"
updated_date = "2023/04/20"
[rule]
author = ["Elastic"]
@@ -109,7 +109,9 @@ event.category:process and host.os.type:windows and
LsaEnumerateTrustedDomains or
NetScheduleJobEnum or
NetUserModalsGet
) and not user.id : "S-1-5-18"
) and not
(user.id:("S-1-5-18" or "S-1-5-19") and
file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\DataCollection")
'''
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/02/22"
updated_date = "2023/04/20"
[rule]
author = ["Elastic"]
@@ -73,7 +73,9 @@ event.category:process and host.os.type:windows and
"CreatePRocessAsUserW" or
"CreateProcessAsUserA")
)
) and not user.id : "S-1-5-18"
) and not
(user.id:("S-1-5-18" or "S-1-5-19") and
file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads")
'''