From b1e3215cd57380319a9c127d77e68571cb7dfd9d Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Thu, 20 Apr 2023 12:37:06 -0300
Subject: [PATCH] [Rule Tuning] Tune PowerShell rule FPs related to MS ATP (#2729)

---
 rules/windows/defense_evasion_posh_compressed.toml | 6 ++++--
 rules/windows/defense_evasion_posh_process_injection.toml | 6 ++++--
 rules/windows/discovery_posh_suspicious_api_functions.toml | 6 ++++--
 .../privilege_escalation_posh_token_impersonation.toml | 6 ++++--
 4 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/rules/windows/defense_evasion_posh_compressed.toml b/rules/windows/defense_evasion_posh_compressed.toml
index 78c92d01f..1d6cb8f6f 100644
--- a/rules/windows/defense_evasion_posh_compressed.toml
+++ b/rules/windows/defense_evasion_posh_compressed.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/27"
+updated_date = "2023/04/20"
 [transform]
 [[transform.osquery]]
@@ -138,7 +138,9 @@ event.category:process and host.os.type:windows and
 "IO.Compression.GzipStream" ) and FromBase64String
- ) and not user.id : "S-1-5-18"
+ ) and not
+ (user.id:("S-1-5-18" or "S-1-5-19") and
+ file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads")
 '''
diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml
index 4ee9b0824..27dd49538 100644
--- a/rules/windows/defense_evasion_posh_process_injection.toml
+++ b/rules/windows/defense_evasion_posh_process_injection.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/04/20"
 [rule]
 author = ["Elastic"]
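Review bot: The exclusion added in the `@@ -138,7 +138,9 @@` hunk matches `file.directory` as an exact keyword value, so it only suppresses script-block events whose directory string equals the listed path byte-for-byte; different casing from the event source or a script run from a subfolder still alerts, which fails in the safe direction but may leave part of the FP population unresolved, so it is worth confirming against the telemetry that motivated the change. The same construct appears in the `@@ -94,7 +94,9 @@`, `@@ -109,7 +109,9 @@` and `@@ -73,7 +73,9 @@` hunks of the other three rules. This is narrower than the previous blanket `not user.id : "S-1-5-18"`, but the exclusion now rests on a path: an actor already running as SYSTEM or LOCAL SERVICE could stage a script under the MDE folder to avoid the alert, so the path should be treated as a tuning trade-off rather than a trust boundary and documented as such. Each rule lists a different MDE subfolder (Downloads, SenseCM, DataCollection), presumably taken from the observed FPs; if MDE runs these scripts from more than one location, the remaining rules may still fire on the folders they do not list. Because KQL cannot carry comments, the rationale belongs in the rule's `false_positives` list, e.g. `Microsoft Defender for Endpoint runs PowerShell scripts as SYSTEM or LOCAL SERVICE from its ProgramData folders; these are excluded by user.id and file.directory.`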
@@ -94,7 +94,9 @@ event.category:process and host.os.type:windows and
 LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or SuspendThread or ResumeThread or GetDelegateForFunctionPointer)
- ) and not user.id : "S-1-5-18"
+ ) and not
+ (user.id:("S-1-5-18" or "S-1-5-19") and
+ file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\SenseCM")
 '''
diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml
index cc2a30ede..c766c950d 100644
--- a/rules/windows/discovery_posh_suspicious_api_functions.toml
+++ b/rules/windows/discovery_posh_suspicious_api_functions.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/04/20"
 [rule]
 author = ["Elastic"]
@@ -109,7 +109,9 @@ event.category:process and host.os.type:windows and
 LsaEnumerateTrustedDomains or NetScheduleJobEnum or NetUserModalsGet
- ) and not user.id : "S-1-5-18"
+ ) and not
+ (user.id:("S-1-5-18" or "S-1-5-19") and
+ file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\DataCollection")
 '''
diff --git a/rules/windows/privilege_escalation_posh_token_impersonation.toml b/rules/windows/privilege_escalation_posh_token_impersonation.toml
index 8bb7130fd..a140b2df8 100644
--- a/rules/windows/privilege_escalation_posh_token_impersonation.toml
+++ b/rules/windows/privilege_escalation_posh_token_impersonation.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/04/20"
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,9 @@ event.category:process and host.os.type:windows and
 "CreatePRocessAsUserW" or "CreateProcessAsUserA") )
- ) and not user.id : "S-1-5-18"
+ ) and not
+ (user.id:("S-1-5-18" or "S-1-5-19") and
+ file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads")
 '''