diff --git a/rules/windows/execution_posh_hacktool_functions.toml b/rules/windows/execution_posh_hacktool_functions.toml
index 7176b902d..39a2881b5 100644
--- a/rules/windows/execution_posh_hacktool_functions.toml
+++ b/rules/windows/execution_posh_hacktool_functions.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2023/11/03"
+updated_date = "2024/01/03"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -218,7 +218,7 @@ event.category:process and host.os.type:windows and
 "Invoke-CredentialInjection" or "Invoke-DllInjection" or "Invoke-EventVwrBypass" or "Invoke-ImpersonateUser" or "Invoke-Kerberoast" or "Invoke-MemoryFreeLibrary" or
- "Invoke-MemoryLoadLibrary" or "Invoke-Method" or
+ "Invoke-MemoryLoadLibrary" or "Invoke-Mimikatz" or
 "Invoke-NinjaCopy" or "Invoke-PatchDll" or "Invoke-Portscan" or "Invoke-PrivescAudit" or "Invoke-ReflectivePEInjection" or
@@ -302,7 +302,7 @@ event.category:process and host.os.type:windows and
 "Invoke-SDCLTBypass" or "Invoke-FodHelperBypass" or "Invoke-EventVwrBypass" or "Invoke-EnvBypass" or "Get-ServiceUnquoted" or "Get-ServiceFilePermission" or
- "Get-ServicePermission" or "Get-ServicePermission" or
+ "Get-ServicePermission" or "Enable-DuplicateToken" or
 "Invoke-PsUaCme" or "Invoke-Tater" or "Invoke-WScriptBypassUAC" or "Invoke-AllChecks" or "Find-TrustedDocuments" or
@@ -318,6 +318,9 @@ event.category:process and host.os.type:windows and
 not powershell.file.script_block_text : (
 "sentinelbreakpoints" and "Set-PSBreakpoint"
 ) and
+ not file.path : (
+ ?\:\\\\ProgramData\\\\Microsoft\\\\Windows?Defender?Advanced?Threat?Protection\\\\DataCollection\\\\*
+ ) and
 not user.id : ("S-1-5-18" or "S-1-5-19")
 '''
diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml
index d838855cc..3c99efe29 100644
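Review bot: The new `not file.path : ( ?\:\\\\ProgramData\\\\Microsoft\\\\Windows?Defender?Advanced?Threat?Protection\\\\DataCollection\\\\* )` clause in the last hunk is a path-only carve-out: any script block whose source file sits under that directory is dropped regardless of which process or account ran it. The rule already drops `user.id` S-1-5-18 and S-1-5-19, so it is not visible from the hunk which non-SYSTEM context this Defender path is meant to cover, and the next maintainer cannot tell whether the exclusion is still needed. Record in the rule's false-positive or investigation notes what runs scripts from that directory and that the exclusion trusts the path rather than a signer; if the windows integration exposes a field for the executing process on these script-block events, pairing it with the path would narrow the carve-out.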
--- a/rules/windows/execution_suspicious_powershell_imgload.toml
+++ b/rules/windows/execution_suspicious_powershell_imgload.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/09/20"
+updated_date = "2024/01/03"
 [rule]
 author = ["Elastic"]
@@ -76,10 +76,21 @@ type = "new_terms"
 query = '''
 host.os.type:windows and event.category:library and dll.name:("System.Management.Automation.dll" or "System.Management.Automation.ni.dll") and
- not (process.code_signature.subject_name:("Microsoft Corporation" or "Microsoft Dynamic Code Publisher" or "Microsoft Windows") and process.code_signature.trusted:true and not process.name.caseless:("regsvr32.exe" or "rundll32.exe")) and
- not (process.executable.caseless:(?\:\\\\Program?Files?\(x86\)\\\\*.exe or ?\:\\\\Program?Files\\\\*.exe) and process.code_signature.trusted:true) and
- not (process.executable.caseless:?\:\\\\Windows\\\\Lenovo\\\\*.exe and process.code_signature.subject_name:"Lenovo" and
- process.code_signature.trusted:true) and not process.executable.caseless : "C:\\Windows\\System32\\powershell.exe"
+ not (
+ process.code_signature.subject_name:("Microsoft Corporation" or "Microsoft Dynamic Code Publisher" or "Microsoft Windows") and process.code_signature.trusted:true and not process.name.caseless:("regsvr32.exe" or "rundll32.exe")
+ ) and
+ not (
+ process.executable.caseless:(?\:\\\\Program?Files?\(x86\)\\\\*.exe or ?\:\\\\Program?Files\\\\*.exe) and
+ process.code_signature.trusted:true
+ ) and
+ not (
+ process.executable.caseless:?\:\\\\Windows\\\\Lenovo\\\\*.exe and process.code_signature.subject_name:"Lenovo" and
+ process.code_signature.trusted:true
+ ) and
+ not (
+ process.executable.caseless:?\:\\\\ProgramData\\\\chocolatey\\\\choco.exe* and
+ process.code_signature.subject_name:"Chocolatey Software, Inc." and process.code_signature.trusted:true
+ ) and not process.executable.caseless : "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
 '''
 [[rule.threat]]
diff --git a/rules/windows/impact_backup_file_deletion.toml b/rules/windows/impact_backup_file_deletion.toml
index 1dac9da4a..818ea118f 100644
--- a/rules/windows/impact_backup_file_deletion.toml
+++ b/rules/windows/impact_backup_file_deletion.toml
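Review bot: `process.executable.caseless:?\:\\\\ProgramData\\\\chocolatey\\\\choco.exe*` in the new Chocolatey clause is a prefix match, so it also accepts any executable under that directory whose name merely begins with `choco.exe`; the signer and `trusted:true` checks narrow that, but the other clauses in this hunk name their binaries exactly. If the intent is the single binary, `process.executable.caseless:?\:\\\\ProgramData\\\\chocolatey\\\\choco.exe and` is the tighter form; if the wildcard is deliberate, say why in the rule's false-positive notes. Separately, the corrected powershell.exe path at the end of the hunk keeps a literal `C:` drive and carries no `process.code_signature.trusted:true` condition, unlike the `?\:` prefix and signer checks on the clauses above it, so it is worth bringing into the same shape.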
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/03"
 [rule]
 author = ["Elastic"]
@@ -79,20 +79,31 @@ type = "eql"
 query = '''
 file where host.os.type == "windows" and event.type == "deletion" and (
- /* Veeam Related Backup Files */
- (file.extension : ("VBK", "VIB", "VBM") and
+ /* Veeam Related Backup Files */
+ (
+ file.extension : ("VBK", "VIB", "VBM") and
+ not (
+ process.executable : ("?:\\Windows\\*", "?:\\Program Files\\*", "?:\\Program Files (x86)\\*") and
+ (process.code_signature.trusted == true and process.code_signature.subject_name : ("Veeam Software Group GmbH", "Veeam Software AG"))
+ )
+ ) or
+ /* Veritas Backup Exec Related Backup File */
+ (
+ file.extension : "BKF" and
+ not process.executable : (
+ "?:\\Program Files\\Veritas\\Backup Exec\\*",
+ "?:\\Program Files (x86)\\Veritas\\Backup Exec\\*"
+ )
+ )
+ ) and
 not (
- process.executable : ("?:\\Windows\\*", "?:\\Program Files\\*", "?:\\Program Files (x86)\\*") and
- (process.code_signature.trusted == true and process.code_signature.subject_name : "Veeam Software Group GmbH")
- )) or
-
- /* Veritas Backup Exec Related Backup File */
- (file.extension : "BKF" and
- not process.executable : ("?:\\Program Files\\Veritas\\Backup Exec\\*",
- "?:\\Program Files (x86)\\Veritas\\Backup Exec\\*") and
- not file.path : ("?:\\ProgramData\\Trend Micro\\*",
- "?:\\Program Files (x86)\\Trend Micro\\*",
- "?:\\$RECYCLE.BIN\\*"))
+ process.name : ("MSExchangeMailboxAssistants.exe", "Microsoft.PowerBI.EnterpriseGateway.exe") and
+ (process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true)
+ ) and
+ not file.path : (
+ "?:\\ProgramData\\Trend Micro\\*",
+ "?:\\Program Files (x86)\\Trend Micro\\*",
+ "?:\\$RECYCLE.BIN\\*"
 )
 '''
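Review bot: The restructured query moves `not file.path : ("?:\\ProgramData\\Trend Micro\\*", "?:\\Program Files (x86)\\Trend Micro\\*", "?:\\$RECYCLE.BIN\\*")` out of the BKF branch and applies it to the whole expression, so deletions of Veeam VBK/VIB/VBM files under those paths, including anything already in the recycle bin, are now excluded too, where before only Veritas files were. If that widening is intended it should be stated in the rule's false-positive notes; if not, the clause belongs back inside the `file.extension : "BKF"` branch. The added Exchange/Power BI exclusion is keyed on `process.name` rather than an executable path, which the `"Microsoft Corporation"` signer and `trusted == true` checks make acceptable, but note that it matches those names wherever they run from, so a comment such as `/* signed Microsoft services that purge stale backups, matched by name */` would record the reasoning.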
diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml
index a2dd1d97e..21197140c 100644
--- a/rules/windows/initial_access_script_executing_powershell.toml
+++ b/rules/windows/initial_access_script_executing_powershell.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/03"
 [rule]
 author = ["Elastic"]
@@ -85,7 +85,12 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- process.parent.name : ("cscript.exe", "wscript.exe") and process.name : "powershell.exe"
+ process.parent.name : ("cscript.exe", "wscript.exe") and process.name : "powershell.exe" and
+ not (
+ process.parent.name : "wscript.exe" and
+ process.parent.args : "?:\\ProgramData\\intune-drive-mapping-generator\\IntuneDriveMapping-VBSHelper.vbs" and
+ process.parent.args : "?:\\ProgramData\\intune-drive-mapping-generator\\DriveMapping.ps1"
+ )
 '''
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
index 74bd46eb7..78c98471f 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/03"
 [rule]
 author = ["Elastic", "Austin Songer"]
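Review bot: The new wscript.exe carve-out in the second hunk is satisfied by `process.parent.args` alone, two script paths under `?:\\ProgramData\\intune-drive-mapping-generator\\`, with no condition on the launched PowerShell process or on who owns those files, so every powershell.exe that helper VBS spawns is excluded as long as the paths appear in its arguments. ProgramData is not locked down by default the way Program Files is, which makes a bare path a weaker anchor than the signed-executable exclusions used elsewhere in this commit; the rule's false-positive notes should say the exclusion trusts this path. A narrower form would add a condition on the child's own arguments, e.g. `process.args : "?:\\ProgramData\\intune-drive-mapping-generator\\DriveMapping.ps1"`, so only the PowerShell invocation that runs that script is suppressed rather than any child of the helper.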
@@ -49,8 +49,12 @@ process where host.os.type == "windows" and event.type == "start" and
 ("?:\\Windows\\System32\\werfault.exe",
 "?:\\Windows\\System32\\wermgr.exe",
 "?:\\Program Files\\Microsoft\\Exchange Server\\V??\\Bin\\UMWorkerProcess.exe",
+ "?:\\Program Files\\Microsoft\\Exchange Server\\Bin\\UMWorkerProcess.exe",
 "D:\\Exchange 2016\\Bin\\UMWorkerProcess.exe",
- "E:\\ExchangeServer\\Bin\\UMWorkerProcess.exe")
+ "E:\\ExchangeServer\\Bin\\UMWorkerProcess.exe",
+ "D:\\Exchange\\Bin\\UMWorkerProcess.exe",
+ "D:\\Exchange Server\\Bin\\UMWorkerProcess.exe",
+ "E:\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe")
 '''
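Review bot: The four added UMWorkerProcess.exe entries (`"?:\\Program Files\\Microsoft\\Exchange Server\\Bin\\..."`, `"D:\\Exchange\\Bin\\..."`, `"D:\\Exchange Server\\Bin\\..."`, `"E:\\Exchange Server\\V15\\Bin\\..."`) are literal drive-and-folder allowlist entries with no signer condition, and the list is now growing by one install layout per report; the clause that opens this list starts above the hunk, so its field is not visible here. Since this same commit already relies on `process.code_signature.subject_name` and `process.code_signature.trusted == true` in impact_backup_file_deletion.toml, a single Microsoft-signed `process.name : "UMWorkerProcess.exe"` condition would cover every layout at once and not depend on folder names at all. If the endpoint data feeding this rule lacks signature fields, an EQL comment such as `/* UMWorkerProcess install paths, maintained by hand per reported layout */` would at least make the maintenance burden explicit.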