[Rule Tuning] Unusual Network Connection via RunDLL32 (#693)

* [Rule Tuning] Unusual Network Connection via RunDLL32 * excluding dns traffic * Update rules/windows/execution_unusual_network_connection_via_rundll32.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 12:01:17 +01:00
parent 844a56b125
commit bb93988926
2 changed files with 9 additions and 59 deletions
@@ -1,49 +0,0 @@
-[metadata]
-creation_date = "2020/09/02"
-maturity = "development"
-updated_date = "2020/11/03"
-
-[rule]
-author = ["Elastic"]
-description = """
-Identifies unusual instances of Rundll32.exe making outbound network connections. This may indicate adversarial activity
-and may identify malicious DLLs.
-"""
-from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
-language = "eql"
-license = "Elastic License"
-name = "Unusual Network Connection Sequence via RunDLL32"
-risk_score = 21
-rule_id = "2b347f66-6739-4ae3-bd94-195036dde8b3"
-severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
-type = "eql"
-
-query = '''
-/* duplicate of Unusual Network Connection via RunDLL32 - 52aaab7b-b51c-441a-89ce-4387b3aea886 */
-
-sequence by process.entity_id with maxspan=2h
-  [process where event.type in ("start", "process_started") and
-                                    /* uncomment once in winlogbeat */
-     (process.name : "rundll32.exe" /* or process.pe.original_file_name == "RUNDLL32.EXE" */ ) and
-     process.args_count < 2]
-  [network where
-                                     /* uncomment once in winlogbeat */
-     (process.name : "rundll32.exe" /* or process.pe.original_file_name == "RUNDLL32.EXE" */ )]
-'''
-
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1085"
-name = "Rundll32"
-reference = "https://attack.mitre.org/techniques/T1085/"
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
@@ -1,30 +1,30 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/12/07"

 [rule]
 author = ["Elastic"]
 description = """
-Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial activity
-and may identify malicious DLLs.
+Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial Command
+and Control activity.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License"
 name = "Unusual Network Connection via RunDLL32"
-risk_score = 21
+risk_score = 47
 rule_id = "52aaab7b-b51c-441a-89ce-4387b3aea886"
-severity = "low"
+severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "eql"

 query = '''
-sequence by process.entity_id
-  [process where process.name : "rundll32.exe" and event.type == "start"]
-  [network where process.name : "rundll32.exe" and
-     not cidrmatch(destination.ip, "10.0.0.0/8",  "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
+sequence by host.id, process.entity_id with maxspan=1m
+  [process where event.type in ("start", "process_started", "info") and process.name : "rundll32.exe" and process.args_count == 1]
+  [network where process.name : "rundll32.exe" and network.protocol != "dns" and network.direction == "outgoing" and
+   not cidrmatch(destination.ip, "10.0.0.0/8",  "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
 '''


@@ -40,4 +40,3 @@ reference = "https://attack.mitre.org/techniques/T1085/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-