diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml
index 2f7b934e9..210b97f19 100644
--- a/rules/windows/defense_evasion_posh_assembly_load.toml
+++ b/rules/windows/defense_evasion_posh_assembly_load.toml
@@ -2,7 +2,7 @@ creation_date = "2021/10/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2023/10/23"
+updated_date = "2023/12/18"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -134,16 +134,17 @@ event.category:process and host.os.type:windows and
 powershell.file.script_block_text : (
 "[System.Reflection.Assembly]::Load" or "[Reflection.Assembly]::Load"
- ) and not
- powershell.file.script_block_text : (
- ("CommonWorkflowParameters" or "RelatedLinksHelpInfo") and
- "HelpDisplayStrings"
- ) and not
- (powershell.file.script_block_text :
- ("Get-SolutionFiles" or "Get-VisualStudio" or "Select-MSBuildPath") and
- not file.name : "PathFunctions.ps1"
- )
- and not user.id : "S-1-5-18"
+ ) and
+ not powershell.file.script_block_text : (
+ ("CommonWorkflowParameters" or "RelatedLinksHelpInfo") and
+ "HelpDisplayStrings"
+ ) and
+ not (powershell.file.script_block_text :
+ ("Get-SolutionFiles" or "Get-VisualStudio" or "Select-MSBuildPath") and
+ file.name : "PathFunctions.ps1"
+ ) and
+ not file.path : C\:\\\\Program?Files\\\\Microsoft?Monitoring?Agent\\\\Agent\\\\Health?Service?State\\\\Monitoring?Host?Temporary?Files*\\\\AvailabilityGroupMonitoring.ps1 and
+ not user.id : "S-1-5-18"
 '''
diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml
index a705510e2..f629b6983 100644
--- a/rules/windows/defense_evasion_suspicious_wmi_script.toml
+++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml
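Review bot: The reworked `file.name : "PathFunctions.ps1"` carve-out is keyed on a bare file name plus a substring of the script body, both of which an unprivileged user controls, so a script saved under that name that merely mentions `Get-VisualStudio` can call `[Reflection.Assembly]::Load` without alerting. Anchoring it on a `file.path` under the install tree the false positive actually came from (presumably the Visual Studio / MSBuild tooling; the directory is not visible here, so take it from the original events) would close that gap while keeping the suppression. The new Microsoft Monitoring Agent exclusion is narrower because its path sits under Program Files, but note that `?` stands in for each space (unquoted KQL values cannot contain spaces) and `Temporary?Files*` accepts any suffix, so the match is looser than it reads; KQL has no comment syntax, so the reason for this entry belongs in the rule's false-positives text rather than the query. The `query = '''` opening and the `event.category` line precede the hunk.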
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/13"
+updated_date = "2023/12/18"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ sequence by process.entity_id with maxspan = 2m
 [process where host.os.type == "windows" and event.type == "start" and
 (process.name : "WMIC.exe" or process.pe.original_file_name : "wmic.exe") and
 process.args : ("format*:*", "/format*:*", "*-format*:*") and
- not process.command_line : "* /format:table *"]
+ not process.command_line : ("* /format:table *", "* /format:table")]
 [any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
 (dll.name : ("jscript.dll", "vbscript.dll") or file.name : ("jscript.dll", "vbscript.dll"))]
 '''
diff --git a/rules/windows/defense_evasion_timestomp_sysmon.toml b/rules/windows/defense_evasion_timestomp_sysmon.toml
index 8f2c91c6b..363e5ca5d 100644
--- a/rules/windows/defense_evasion_timestomp_sysmon.toml
+++ b/rules/windows/defense_evasion_timestomp_sysmon.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/12/18"
 [rule]
 author = ["Elastic"]
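Review bot: The exclusion tuple on the changed line only covers the `/format:table` spelling, while the `process.args` filter one line above deliberately also admits `*-format*:*`, so a `wmic ... -format:table` invocation still reaches the jscript/vbscript load stage even though it is as benign as the slash form. If the dash form is accepted by WMIC in your telemetry, extend the tuple to `("* /format:table *", "* /format:table", "* -format:table *", "* -format:table")`; otherwise the `*-format*:*` entry in the args filter is doing nothing useful. The other built-in formats (`list`, `csv`, `xml`, ...) are not excluded either; if they trigger the same DLL load the rule will keep firing on them, but that should be confirmed from events before the exclusion is widened further. The `sequence by` head of the query lies outside the hunk.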
@@ -39,16 +39,19 @@ file where host.os.type == "windows" and event.code : "2" and
 not process.executable : ("?:\\Program Files\\*",
 "?:\\Program Files (x86)\\*",
+ "?:\\Windows\\system32\\cleanmgr.exe",
 "?:\\Windows\\system32\\msiexec.exe",
 "?:\\Windows\\syswow64\\msiexec.exe",
 "?:\\Windows\\system32\\svchost.exe",
 "?:\\WINDOWS\\system32\\backgroundTaskHost.exe",
 "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
+ "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
 "?:\\Users\\*\\AppData\\Local\\slack\\app-*\\slack.exe",
 "?:\\Users\\*\\AppData\\Local\\GitHubDesktop\\app-*\\GitHubDesktop.exe",
 "?:\\Users\\*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
 "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe") and
- not file.extension : ("tmp", "~tmp", "xml") and not user.name : ("SYSTEM", "Local Service", "Network Service")
+ not file.extension : ("temp", "tmp", "~tmp", "xml", "newcfg") and not user.name : ("SYSTEM", "Local Service", "Network Service") and
+ not file.name : ("LOG", "temp-index", "license.rtf", "iconcache_*.db")
 '''
diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
index e908eafc5..ad01f23b5 100644
--- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
+++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2023/12/21"
 [rule]
 author = ["Elastic"]
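Review bot: The added `not file.name : ("LOG", "temp-index", "license.rtf", "iconcache_*.db")` line is not scoped by directory, and EQL's `:` is case-insensitive, so a timestamp change on any file named `log`, `LOG` or `license.rtf` anywhere on disk is now ignored, which is a cheap way for an adversary to hide a stomped payload. The new Firefox entry has the same weakness as the existing Chrome, Slack, Teams and GitHubDesktop ones: it points into the user-writable `%LOCALAPPDATA%` tree, so a dropped binary at that path is exempt from the rule. Scoping the bare names with `file.path` to the directories the false positives actually came from (presumably cache/LevelDB stores under AppData, but confirm from the events) — e.g. `not file.path : ("?:\\Users\\*\\AppData\\*\\LOG", "?:\\Users\\*\\AppData\\*\\temp-index")` — keeps the suppression without making the names globally safe. An EQL comment such as `/* bare-name exclusions: confirm directory scope before extending this list */` above the line would warn the next tuner. The `file where` head of the query and the trailing context after `'''` are outside what is shown.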
@@ -31,7 +31,7 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- process.parent.pid == 4 and
+ process.parent.pid == 4 and process.executable : "?*" and
 not process.executable : ("Registry", "MemCompression", "?:\\Windows\\System32\\smss.exe")
 '''
diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml
index 95872150a..bc1c0cc5f 100644
--- a/rules/windows/defense_evasion_via_filter_manager.toml
+++ b/rules/windows/defense_evasion_via_filter_manager.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/12/21"
 [transform]
 [[transform.osquery]]
@@ -103,7 +103,19 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- process.name : "fltMC.exe" and process.args : "unload"
+ process.name : "fltMC.exe" and process.args : "unload" and
+ not
+ (
+ (
+ process.executable : "?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\bin\\DCFAService64.exe" and
+ process.args : ("DFMFilter", "DRMFilter")
+ ) or
+ (
+ process.executable : "?:\\Windows\\SysWOW64\\msiexec.exe" and
+ process.args : ("BrFilter_*", "BrCow_*") and
+ user.id : "S-1-5-18"
+ )
+ )
 '''
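Review bot: `process.executable : "?*"` on the changed line is an idiom for "field present and at least one character long" (`?` matches exactly one character, `*` zero or more) that a reader will not recognise without help, and the hunk gives no reason for it. EQL accepts comments, so a line such as `/* require a populated executable path; children of PID 4 reported without one are dropped, not alerted */` above it would record the intent. That also documents the new blind spot: an event whose sensor failed to resolve the image is now silently discarded rather than surfacing as an unusual child of System — presumably the change targets events that carried an empty field and fired spuriously, but that should be stated in the rule's description. The `"Registry"` / `"MemCompression"` exclusions on the next line still work since both are non-empty strings.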
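Review bot: Both new exclusion branches test `process.executable` against DCFAService64.exe and msiexec.exe, but they are only evaluated for events that already satisfied `process.name : "fltMC.exe"`, and in ECS `process.name` is the basename of `process.executable` for the same process, so neither branch can ever be true and the false positives they were added for will keep alerting. The intent is almost certainly the parent that launches fltMC, so the two lines should read `process.parent.executable : "?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\bin\\DCFAService64.exe" and` and `process.parent.executable : "?:\\Windows\\SysWOW64\\msiexec.exe" and`; confirm from the original events that `process.parent.executable` is populated there before relying on it. Keep the `process.args : ("BrFilter_*", "BrCow_*")` and `user.id : "S-1-5-18"` conditions alongside the parent check, since without them the msiexec branch would exempt any SYSTEM-driven filter unload. The `query = '''` line is the hunk's leading context and the trailing context after `'''` is not shown.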