[Rule Tuning] Windows DR Tuning - 11 (#3359)

* [Rule Tuning] Windows DR Tuning - 10 * Update execution_posh_hacktool_functions.toml * Update impact_backup_file_deletion.toml
2024-01-15 10:55:50 -03:00
parent 24d5528ab0
commit caf38fd1b1
5 changed files with 60 additions and 26 deletions
@@ -2,7 +2,7 @@
 creation_date = "2023/01/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2023/11/03"
+updated_date = "2024/01/03"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

@@ -218,7 +218,7 @@ event.category:process and host.os.type:windows and
    "Invoke-CredentialInjection" or "Invoke-DllInjection" or
    "Invoke-EventVwrBypass" or "Invoke-ImpersonateUser" or
    "Invoke-Kerberoast" or "Invoke-MemoryFreeLibrary" or
-    "Invoke-MemoryLoadLibrary" or "Invoke-Method" or
+    "Invoke-MemoryLoadLibrary" or
    "Invoke-Mimikatz" or "Invoke-NinjaCopy" or
    "Invoke-PatchDll" or "Invoke-Portscan" or
    "Invoke-PrivescAudit" or "Invoke-ReflectivePEInjection" or
@@ -302,7 +302,7 @@ event.category:process and host.os.type:windows and
    "Invoke-SDCLTBypass" or "Invoke-FodHelperBypass" or
    "Invoke-EventVwrBypass" or "Invoke-EnvBypass" or
    "Get-ServiceUnquoted" or "Get-ServiceFilePermission" or
-    "Get-ServicePermission" or "Get-ServicePermission" or
+    "Get-ServicePermission" or
    "Enable-DuplicateToken" or "Invoke-PsUaCme" or
    "Invoke-Tater" or "Invoke-WScriptBypassUAC" or
    "Invoke-AllChecks" or "Find-TrustedDocuments" or
@@ -318,6 +318,9 @@ event.category:process and host.os.type:windows and
  not powershell.file.script_block_text : (
    "sentinelbreakpoints" and "Set-PSBreakpoint"
  ) and
+  not file.path : (
+    ?\:\\\\ProgramData\\\\Microsoft\\\\Windows?Defender?Advanced?Threat?Protection\\\\DataCollection\\\\*
+  ) and
  not user.id : ("S-1-5-18" or "S-1-5-19")
 '''

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/09/20"
+updated_date = "2024/01/03"

 [rule]
 author = ["Elastic"]
@@ -76,10 +76,21 @@ type = "new_terms"
 query = '''
 host.os.type:windows and event.category:library and 
  dll.name:("System.Management.Automation.dll" or "System.Management.Automation.ni.dll") and 
-  not (process.code_signature.subject_name:("Microsoft Corporation" or "Microsoft Dynamic Code Publisher" or "Microsoft Windows") and process.code_signature.trusted:true and not process.name.caseless:("regsvr32.exe" or "rundll32.exe")) and 
-  not (process.executable.caseless:(?\:\\\\Program?Files?\(x86\)\\\\*.exe or ?\:\\\\Program?Files\\\\*.exe) and process.code_signature.trusted:true) and 
-  not (process.executable.caseless:?\:\\\\Windows\\\\Lenovo\\\\*.exe and process.code_signature.subject_name:"Lenovo" and 
-  process.code_signature.trusted:true) and not process.executable.caseless : "C:\\Windows\\System32\\powershell.exe"
+  not (
+    process.code_signature.subject_name:("Microsoft Corporation" or "Microsoft Dynamic Code Publisher" or "Microsoft Windows") and process.code_signature.trusted:true and not process.name.caseless:("regsvr32.exe" or "rundll32.exe")
+  ) and 
+  not (
+    process.executable.caseless:(?\:\\\\Program?Files?\(x86\)\\\\*.exe or ?\:\\\\Program?Files\\\\*.exe) and
+    process.code_signature.trusted:true
+  ) and 
+  not (
+    process.executable.caseless:?\:\\\\Windows\\\\Lenovo\\\\*.exe and process.code_signature.subject_name:"Lenovo" and 
+    process.code_signature.trusted:true
+  ) and 
+  not (
+    process.executable.caseless:?\:\\\\ProgramData\\\\chocolatey\\\\choco.exe* and
+    process.code_signature.subject_name:"Chocolatey Software, Inc." and process.code_signature.trusted:true
+  ) and not process.executable.caseless : "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/03"

 [rule]
 author = ["Elastic"]
@@ -79,20 +79,31 @@ type = "eql"
 query = '''
 file where host.os.type == "windows" and event.type == "deletion" and
  (
-  /* Veeam Related Backup Files */
-  (file.extension : ("VBK", "VIB", "VBM") and
+    /* Veeam Related Backup Files */
+    (
+      file.extension : ("VBK", "VIB", "VBM") and
+      not (
+        process.executable : ("?:\\Windows\\*", "?:\\Program Files\\*", "?:\\Program Files (x86)\\*") and
+        (process.code_signature.trusted == true and process.code_signature.subject_name : ("Veeam Software Group GmbH", "Veeam Software AG"))
+      )
+    ) or
+    /* Veritas Backup Exec Related Backup File */
+    (
+      file.extension : "BKF" and
+        not process.executable : (
+          "?:\\Program Files\\Veritas\\Backup Exec\\*",
+          "?:\\Program Files (x86)\\Veritas\\Backup Exec\\*"
+        )
+    )
+  ) and
  not (
-    process.executable : ("?:\\Windows\\*", "?:\\Program Files\\*", "?:\\Program Files (x86)\\*") and
-    (process.code_signature.trusted == true and process.code_signature.subject_name : "Veeam Software Group GmbH")
-  )) or
-
-  /* Veritas Backup Exec Related Backup File */
-  (file.extension : "BKF" and
-  not process.executable : ("?:\\Program Files\\Veritas\\Backup Exec\\*",
-                            "?:\\Program Files (x86)\\Veritas\\Backup Exec\\*") and
-  not file.path : ("?:\\ProgramData\\Trend Micro\\*",
-                   "?:\\Program Files (x86)\\Trend Micro\\*",
-                   "?:\\$RECYCLE.BIN\\*"))
+    process.name : ("MSExchangeMailboxAssistants.exe", "Microsoft.PowerBI.EnterpriseGateway.exe") and
+      (process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true)
+  ) and
+  not file.path : (
+    "?:\\ProgramData\\Trend Micro\\*",
+    "?:\\Program Files (x86)\\Trend Micro\\*",
+    "?:\\$RECYCLE.BIN\\*"
  )
 '''

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/03"

 [rule]
 author = ["Elastic"]
@@ -85,7 +85,12 @@ type = "eql"

 query = '''
 process where host.os.type == "windows" and event.type == "start" and
-  process.parent.name : ("cscript.exe", "wscript.exe") and process.name : "powershell.exe"
+  process.parent.name : ("cscript.exe", "wscript.exe") and process.name : "powershell.exe" and
+  not (
+    process.parent.name : "wscript.exe" and
+    process.parent.args : "?:\\ProgramData\\intune-drive-mapping-generator\\IntuneDriveMapping-VBSHelper.vbs" and
+    process.parent.args : "?:\\ProgramData\\intune-drive-mapping-generator\\DriveMapping.ps1"
+  )
 '''


@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/03"

 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -49,8 +49,12 @@ process where host.os.type == "windows" and event.type == "start" and
              ("?:\\Windows\\System32\\werfault.exe",
               "?:\\Windows\\System32\\wermgr.exe",
               "?:\\Program Files\\Microsoft\\Exchange Server\\V??\\Bin\\UMWorkerProcess.exe",
+               "?:\\Program Files\\Microsoft\\Exchange Server\\Bin\\UMWorkerProcess.exe",
               "D:\\Exchange 2016\\Bin\\UMWorkerProcess.exe",
-               "E:\\ExchangeServer\\Bin\\UMWorkerProcess.exe")
+               "E:\\ExchangeServer\\Bin\\UMWorkerProcess.exe",
+               "D:\\Exchange\\Bin\\UMWorkerProcess.exe",
+               "D:\\Exchange Server\\Bin\\UMWorkerProcess.exe",
+               "E:\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe")
 '''