From c6ab29462721af8477aa2ae83b4d45bbd9e8bb86 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Wed, 17 Jan 2024 09:44:10 -0300
Subject: [PATCH] [Rule Tuning] Windows DR Tuning - 10 (#3355)

* [Rule Tuning] Windows DR Tuning - 10

* Update discovery_whoami_command_activity.toml
---
 ...very_privileged_localgroup_membership.toml | 9 +++--
 .../discovery_whoami_command_activity.toml | 38 +++++++++++--------
 ...inds_backdoor_unusual_child_processes.toml | 12 ++++--
 ...and_prompt_connecting_to_the_internet.toml | 7 +++-
 ...le_program_connecting_to_the_internet.toml | 5 ++-
 5 files changed, 46 insertions(+), 25 deletions(-)

diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml
index 6fedf5fdb..43db99e4f 100644
--- a/rules/windows/discovery_privileged_localgroup_membership.toml
+++ b/rules/windows/discovery_privileged_localgroup_membership.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/10/23"
+updated_date = "2023/12/21"
 
 [transform]
 [[transform.osquery]]
@@ -131,8 +131,10 @@ host.os.type:windows and event.category:iam and event.action:user-member-enumera
     group.name:(*Admin* or "RemoteDesktopUsers") or
     winlog.event_data.TargetSid:("S-1-5-32-544" or "S-1-5-32-555")
   ) and
-  not (winlog.event_data.SubjectUserName: (*$ or "LOCAL SERVICE" or "NETWORK SERVICE") or
-       winlog.event_data.CallerProcessName:("-" or
+  not (
+    winlog.event_data.SubjectUserName: *$ or
+    winlog.event_data.SubjectUserSid: ("S-1-5-19" or "S-1-5-20") or
+    winlog.event_data.CallerProcessName:("-" or
             *\:\\\\Windows\\\\System32\\\\VSSVC.exe or
             *\:\\\\Windows\\\\System32\\\\SearchIndexer.exe or
             *\:\\\\Windows\\\\System32\\\\CompatTelRunner.exe or
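Review bot: In the rebuilt exclusion, `winlog.event_data.SubjectUserName: *$` still suppresses any subject whose account name ends in `$`, which an adversary can satisfy simply by creating a user named like a computer account, while the service accounts on the next line were deliberately moved from names to SIDs to avoid exactly this kind of name matching. Local SYSTEM should appear in these enumeration events with SubjectUserSid S-1-5-18, so the same treatment would be `winlog.event_data.SubjectUserSid: ("S-1-5-18" or "S-1-5-19" or "S-1-5-20")` with the `*$` clause dropped; if remote domain computer accounts are a known benign source that must stay excluded, that reason belongs in the rule's note or false_positives text, since KQL has no inline comments. The query this hunk edits begins and ends outside the hunk.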
@@ -142,6 +144,7 @@ host.os.type:windows and event.category:iam and event.action:user-member-enumera
             *\:\\\\Windows\\\\System32\\\\Netplwiz.exe or
             *\:\\\\Windows\\\\System32\\\\msiexec.exe or
             *\:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe or
+            *\:\\\\Windows\\\\System32\\\\RuntimeBroker.exe or
             *\:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe or
             *\:\\\\Windows\\\\System32\\\\SrTasks.exe or
             *\:\\\\Windows\\\\System32\\\\diskshadow.exe or
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index 52028b477..110e0f014 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2023/12/21"
 
 [rule]
 author = ["Elastic"]
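Review bot: The added `RuntimeBroker.exe` exclusion is keyed on the caller path alone, and RuntimeBroker.exe is a frequently chosen host for process injection, so this line removes visibility into privileged-group enumeration performed by any code running inside it; the 4798/4799 event carries nothing (no signature, no hash) that would let the rule tell a clean broker from an injected one. The hunk does not say which shell or UWP activity produced the benign events, so record it in the rule's note or false_positives text (KQL has no inline comments) so the next tuner can judge whether the exclusion is still justified. The enclosing query starts and ends outside this hunk.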
@@ -74,21 +74,29 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and process.name : "whoami.exe" and
  (
-
-  (/* scoped for whoami execution under system privileges */
-   (user.domain : ("NT AUTHORITY", "NT-AUTORITÄT", "AUTORITE NT", "IIS APPPOOL") or user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20")) and
-
-   not (process.parent.name : "cmd.exe" and
-        process.parent.args : ("chcp 437>nul 2>&1 & C:\\WINDOWS\\System32\\whoami.exe /groups",
-                               "chcp 437>nul 2>&1 & %systemroot%\\system32\\whoami /user",
-                               "C:\\WINDOWS\\System32\\whoami.exe /groups",
-                               "*WINDOWS\\system32\\config\\systemprofile*")) and
-   not (process.parent.executable : "C:\\Windows\\system32\\inetsrv\\appcmd.exe" and process.parent.args : "LIST") and
-   not process.parent.executable : ("C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe",
-                                    "C:\\Program Files\\Cohesity\\cohesity_windows_agent_service.exe")) or
-
+  (
+    /* scoped for whoami execution under system privileges */
+    (
+      user.domain : ("NT *", "* NT", "IIS APPPOOL") and
+      user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20", "S-1-5-82-*") and
+      not ?winlog.event_data.SubjectUserName : "*$"
+    ) and
+    not (
+      process.parent.name : "cmd.exe" and
+      process.parent.args : (
+        "chcp 437>nul 2>&1 & C:\\WINDOWS\\System32\\whoami.exe /groups",
+        "chcp 437>nul 2>&1 & %systemroot%\\system32\\whoami /user",
+        "C:\\WINDOWS\\System32\\whoami.exe /groups",
+        "*WINDOWS\\system32\\config\\systemprofile*"
+      )
+    ) and
+    not (process.parent.executable : "C:\\Windows\\system32\\inetsrv\\appcmd.exe" and process.parent.args : "LIST") and
+    not process.parent.executable : (
+      "C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe",
+      "C:\\Program Files\\Cohesity\\cohesity_windows_agent_service.exe"
+    )
+  ) or
   process.parent.name : ("wsmprovhost.exe", "w3wp.exe", "wmiprvse.exe", "rundll32.exe", "regsvr32.exe")
-
  )
 '''
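Review bot: The new `user.domain : ("NT *", "* NT", "IIS APPPOOL")` patterns no longer cover the German `NT-AUTORITÄT` domain that the removed line listed explicitly, because `NT *` requires a space after `NT`, and since the domain clause is now AND-ed with the SID list instead of OR-ed, whoami.exe run as SYSTEM, LOCAL SERVICE or NETWORK SERVICE on German-locale hosts silently falls out of the system-privilege branch. The `user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20", "S-1-5-82-*")` test is locale-independent and already pins the well-known system and IIS app-pool identities, so the domain check adds only the locale dependency; either drop it or widen it to `user.domain : ("NT*", "*NT", "IIS APPPOOL")`. Separately, `not ?winlog.event_data.SubjectUserName : "*$"` excludes any account whose name ends in `$`, a name an attacker can create, so it deserves an EQL comment stating that it is meant for computer accounts and why those are benign here.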
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
index 74e51e0b7..ea57c3c8b 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2023/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,8 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
  process.parent.name: ("SolarWinds.BusinessLayerHost.exe", "SolarWinds.BusinessLayerHostx64.exe") and
- not process.name : (
+ not (
+   process.name : (
      "APMServiceControl*.exe",
      "ExportToPDFCmd*.Exe",
      "SolarWinds.Credentials.Orion.WebApi*.exe",
@@ -49,7 +50,12 @@ process where host.os.type == "windows" and event.type == "start" and
      "WerFault.exe",
      "WerMgr.exe",
      "SolarWinds.BusinessLayerHost.exe",
-     "SolarWinds.BusinessLayerHostx64.exe") and
+     "SolarWinds.BusinessLayerHostx64.exe",
+     "SolarWinds.Topology.Calculator.exe",
+     "SolarWinds.Topology.Calculatorx64.exe",
+     "SolarWinds.APM.RealTimeProcessPoller.exe") and
+   process.code_signature.trusted == true
+ ) and
  not process.executable : ("?:\\Windows\\SysWOW64\\ARP.EXE", "?:\\Windows\\SysWOW64\\lodctr.exe", "?:\\Windows\\SysWOW64\\unlodctr.exe")
 '''
diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
index faf59b442..25f60d909 100644
--- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
+++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
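Review bot: `process.code_signature.trusted == true` only proves that some Authenticode chain validates, not who signed the binary, so a child carrying one of the allowlisted names and any valid signature (an attacker-obtained code-signing certificate, for instance) is still excluded; the check should also pin the signer, e.g. `process.code_signature.subject_name : ("SolarWinds*", "Microsoft Windows*")`, presumably SolarWinds for the SolarWinds.* names and Microsoft for WerFault.exe and WerMgr.exe, to be confirmed against live data. Note also that the whole exclusion now depends on `process.code_signature.trusted` being populated; if any source covered by the rule's `windows` integration ships process-start events without that field, every listed child will alert there, which is worth confirming or stating in the rule's note. The `process where` head and the start of the exclusion list are in the previous hunk.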
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/12/22"
 
 [transform]
 [[transform.osquery]]
@@ -118,7 +118,10 @@ sequence by process.entity_id
 "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1",
-       "FE80::/10", "FF00::/8")]
+       "FE80::/10", "FF00::/8") and
+       not dns.question.name : (
+         "wpad", "localhost", "ocsp.comodoca.com", "ocsp.digicert.com", "ocsp.sectigo.com", "crl.comodoca.com"
+       )]
 '''
diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
index 59baab035..db7953356 100644
--- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/12/22"
 
 [transform]
 [[transform.osquery]]
@@ -119,7 +119,8 @@ sequence by process.entity_id
 "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1",
-       "FE80::/10", "FF00::/8")]
+       "FE80::/10", "FF00::/8") and
+       not dns.question.name : "localhost"]
 '''
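Review bot: The new `not dns.question.name : (...)` allowlist does not say why cmd.exe is expected to resolve `wpad` or the four CA OCSP/CRL hosts, and an exact-hostname list will drift as other CAs turn up in the same role, so the next tuner cannot tell whether adding, say, `ocsp.globalsign.com` is in scope or a new gap. Record the intent as an EQL comment beside the clause, e.g. `/* proxy auto-detect and certificate revocation lookups observed from tooling running under cmd.exe */` (the cause is presumed here; confirm it against the events that motivated the change). The `sequence by process.entity_id` head and its first step are outside this hunk.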