[Rule Tuning] Windows BBR Rule Tuning - 1 (#3579)

* [Rule Tuning] Windows BBR Rule Tuning - 1 * Update non-ecs-schema.json * Update rules_building_block/command_and_control_certutil_network_connection.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules_building_block/collection_common_compressed_archived_file.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update defense_evasion_dll_hijack.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-04-08 10:38:41 -03:00
parent c5addae009
commit d0dfa479bb
11 changed files with 119 additions and 36 deletions
@@ -83,6 +83,10 @@
    "Target.process.name": "keyword",
    "process.Ext.api.name": "keyword"
  },
+  "logs-endpoint.events.file-*": {
+    "file.Ext.header_bytes": "keyword",
+    "file.Ext.windows.zone_identifier": "long"
+  },
  "logs-windows.*": {
    "powershell.file.script_block_text": "text"
  },
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/16"
+updated_date = "2024/04/05"

 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ exfiltration.
 """
 from = "now-119m"
 interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.library-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Compression DLL Loaded by Unusual Process"
@@ -27,7 +27,7 @@ type = "eql"
 building_block_type = "default"

 query = '''
-library where 
+library where host.os.type == "windows" and event.action == "load" and
  dll.name : ("System.IO.Compression.FileSystem.ni.dll", "System.IO.Compression.ni.dll") and
  not 
  (
@@ -38,6 +38,7 @@ library where
        "?:\\Windows\\Microsoft.NET\\Framework*\\mscorsvw.exe",
        "?:\\Windows\\System32\\sdiagnhost.exe",
        "?:\\Windows\\System32\\inetsrv\\w3wp.exe",
+        "?:\\Windows\\SysWOW64\\inetsrv\\w3wp.exe",
        "?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\DataCollection\\*\\OpenHandleCollector.exe"
      ) and process.code_signature.trusted == true
    ) or
@@ -5,7 +5,7 @@ integration = "endpoint"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/04/05"

 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ Detects files being compressed or archived into common formats. This is a common
 evade detection or to staging data for exfiltration.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.file-*"]
 language = "eql"
 license = "Elastic License v2"
 max_signals = 1000
@@ -35,7 +35,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.type in ("creation", "change") and process.executable != null and not user.id : "S-1-5-18" and
+file where host.os.type == "windows" and event.type in ("creation", "change") and process.executable != null and not user.id : ("S-1-5-18", "S-1-5-17") and
 file.Ext.header_bytes : (
                          /* compression formats */
                          "1F9D*",             /* tar zip, tar.z (Lempel-Ziv-Welch algorithm) */
@@ -83,9 +83,16 @@ file where event.type in ("creation", "change") and process.executable != null a
     file.name : ("ossec-*.log.gz", "tmp-entry.gz", "tmp-entry", "last-entry.gz")
   ) or
   (
-     process.name : "excel.exe" and
+     process.name : ("excel.exe", "winword.exe", "powerpnt.exe") and
+     process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true
+   ) or
+   (
+     process.name : "OneDrive.exe" and
     process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true and
-     file.extension : ("tmp", "xlsx", "gz", "xlsb", "xar", "xslm")
+     (
+      file.extension : ("xlsx", "docx", "pptx", "xlsm") or
+      file.path : "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\logs\\*"
+     )
   ) or
   (
     process.name : "Dropbox.exe" and
@@ -96,6 +103,11 @@ file where event.type in ("creation", "change") and process.executable != null a
     process.name : "DellSupportAssistRemedationService.exe" and
     process.code_signature.subject_name : "Dell Inc" and process.code_signature.trusted == true and
     file.extension : "manifest"
+   ) or
+   (
+     process.name : "w3wp.exe" and
+     process.code_signature.subject_name : "Microsoft Windows" and process.code_signature.trusted == true and
+     file.path : "?:\\inetpub\\temp\\IIS Temporary Compressed Files\\*"
   )
 )
 '''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/21"
+updated_date = "2024/04/05"

 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ modification of these files.
 """
 from = "now-119m"
 interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Accessing Outlook Data Files"
@@ -28,7 +28,11 @@ building_block_type = "default"

 query = '''
 process where host.os.type == "windows" and event.type == "start" and process.args : ("*.ost", "*.pst") and
-  not process.name : "outlook.exe"
+  not process.name : "outlook.exe" and
+  not (
+        process.name : "rundll32.exe" and
+        process.args : "*davclnt.dll,DavSetCookie*"
+  )
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/05"
 bypass_bbr_timing = true

 [transform]
@@ -72,7 +72,7 @@ Identifies certutil.exe making a network connection. Adversaries could abuse cer
 malware, from a remote URL.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Network Connection via Certutil"
@@ -148,7 +148,8 @@ network where host.os.type == "windows" and process.name : "certutil.exe" and
                                "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
                                "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24",
                                "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1",
-                                "FE80::/10", "FF00::/8")
+                                "FE80::/10", "FF00::/8") and
+  not dns.question.name in ("localhost", "*.digicert.com", "ctldl.windowsupdate.com")
 '''


@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/01/10"
+updated_date = "2024/04/05"
 bypass_bbr_timing = true

 [rule]
@@ -14,7 +14,7 @@ Identifies the creation or modification of a medium size memory dump file which
 credentials from a process memory.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.file-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Credential Access via Memory Dump File Creation"
@@ -50,7 +50,8 @@ file where host.os.type == "windows" and event.type == "creation" and
        "?:\\Program Files\\*.exe",
        "?:\\Program Files (x86)\\*.exe",
        "?:\\Windows\\SystemApps\\*.exe",
-        "?:\\Users\\*\\AppData\\Roaming\\Zoom\\bin\\zCrashReport64.exe"
+        "?:\\Users\\*\\AppData\\Roaming\\Zoom\\bin\\zCrashReport64.exe",
+        "?:\\Windows\\CCM\\ccmdump.exe"
      ) and process.code_signature.trusted == true
    ) or
    (
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/09/21"
+updated_date = "2024/04/05"
 bypass_bbr_timing = true

 [rule]
@@ -14,7 +14,7 @@ Identifies the creation of a memory dump file with an unusual extension, which c
 memory dump as another file type to bypass security defenses.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.file-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Memory Dump File with Unusual Extension"
@@ -36,6 +36,10 @@ file where host.os.type == "windows" and event.type == "creation" and
  (
    process.executable : "?:\\Program Files\\Endgame\\esensor.exe" and
    process.code_signature.trusted == true and length(file.extension) == 0
+  ) and
+  not
+  (
+    process.name : "System" and file.extension : "tmpscan"
  )
 '''

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/01/11"
+updated_date = "2024/04/05"
 bypass_bbr_timing = true

 [rule]
@@ -14,7 +14,7 @@ Identifies suspicious child processes of communications apps, which can indicate
 communication app or the exploitation of a vulnerability on the application causing it to execute code.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Communication App Child Process"
@@ -43,7 +43,8 @@ process where host.os.type == "windows" and event.type == "start" and
            "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
            "?:\\Windows\\System32\\notepad.exe",
            "?:\\Windows\\System32\\WerFault.exe",
-            "?:\\Windows\\SysWOW64\\WerFault.exe"
+            "?:\\Windows\\SysWOW64\\WerFault.exe",
+            "?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\opera.exe"
          ) and process.code_signature.trusted == true  
        ) or
        (
@@ -66,7 +67,10 @@ process where host.os.type == "windows" and event.type == "start" and
          process.executable : (
            "?:\\Program Files\\*",
            "?:\\Program Files (x86)\\*",
-            "?:\\Windows\\System32\\WerFault.exe"
+            "?:\\Windows\\System32\\WerFault.exe",
+            "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
+            "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
+            "?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\opera.exe"
          ) and process.code_signature.trusted == true  
        ) or
        (
@@ -133,7 +137,8 @@ process where host.os.type == "windows" and event.type == "start" and
            ) or
            process.args : (
              "C:\\WINDOWS/System32/nvidia-smi.exe",
-              "C:\\WINDOWS\\System32\\nvidia-smi.exe"
+              "C:\\WINDOWS\\System32\\nvidia-smi.exe",
+              "C:\\Windows\\System32\\DriverStore\\FileRepository/*/nvidia-smi.exe*"
            )
          )
        )
@@ -214,6 +219,10 @@ process where host.os.type == "windows" and event.type == "start" and
            "?:\\Windows\\explorer.exe",
            "?:\\Windows\\splwow64.exe"
          ) and process.code_signature.trusted == true  
+        ) or
+        (
+          process.name : "rundll32.exe" and
+          process.args : "*hpmsn???.dll,MonitorPrintJobStatus*"
        )
      )
    ) or
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above."
 min_stack_version = "8.4.0"
-updated_date = "2023/10/13"
+updated_date = "2024/04/05"

 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ legitimate, trusted, and potentially elevated system or software process.
 """
 from = "now-119m"
 interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.library-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unsigned DLL Loaded by a Trusted Process"
@@ -35,7 +35,44 @@ library where host.os.type == "windows" and
    process.code_signature.status :"trusted" and not dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*") and
    /* DLL loaded from the process.executable current directory */
    endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))
-    and not user.id : "S-1-5-18"
+    and not user.id : "S-1-5-18" and
+    not dll.hash.sha256 : (
+        "19588e6a318894abe8094374bee233e666f319de909c69f12a6047b14473e299",
+        "6e8bee250c8cc1b65150522f33794759f5c65f58fff17c5cbf6422ad68b421d2",
+        "55de11531dc0e566cb91f26e48d1301a161a4b8b24abed42304d711412368760",
+        "56a5148d00c2d9e58415be2d64eca922a58063fe26d9af1c87084aa383c9058e",
+        "83ee0ff920144edb2c2f4ea10130f55443493290886985a63233fa2431e450f9",
+        "0d0d8f2eaff6b5f75e63d9721d5a0480b30e70792fe0d3a24d76fd3e61b05982",
+        "8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb",
+        "ea02a19dd824cb7d611b8821d1b9e6a076714a195d027d1ff918128a64ac5220",
+        "02a6d001e6dd944738e09b720e49dcb1272cb782b870e5ae319d4600bc192225",
+        "e7714a1d6ac3f4c4ae22564b9ca301e486f5f42691859c0a687246c47b5cf5c9",
+        "17f0f709fb7f6190c03b19b6198fd863b6f0d79f46ccfebac6064be747a4cb3e",
+        "cb7ab3788d10940df874acd97b1821bbb5ee4a91f3eec11982bb5bf7a3c96443",
+        "c944ee510721a1d30d42227cc3061dfdcbc144c952381afcfe4f6e82c5435ffc",
+        "967189adfbc889fde89aafc867f7a1f02731f8592cf6fd5a4ace1929213e2e13",
+        "4a824526749790603eb66777f79787128dd282162a3904a4c1135de43b14d029",
+        "620a7e658af05cc848091b8a639854b9b15700a9061b4a3d078523653133a4af",
+        "cb220267fb0116b298bab6a09a764420d630c52026f7d750f8ffca4818389327",
+        "0da1f856d92d6b95f10ed8c3f629cd15468c906de9352fb4ae629139d1412eed",
+        "e1646c7778c24407a17881908037a49ecfcb5a980d155212d544302653a3ef62",
+        "e102c9c5b22ceb60dc516ab4124bea8ec8e808b08eec48ea7ac674d13fca82ef",
+        "c7544e1f9927afdf6e8cd7063020b572e60fe8f00af39227eb831d331df38225",
+        "3668c6749db59a6cbc5293d0a4f904f76d6fb5048704449dd53894916f408a57",
+        "7705851ba047a8154402aca92621b60be0e0e9d9b52b19bf8be540305bd53dba",
+        "b5acf358ff97127eac9ef4c664a980b937376b5295ef23d77ee338225de10d60",
+        "394d2d862f2ddce71f28d9b933b21a7d6c621c80ef28652574f758f77f01f716",
+        "e958d03db79e9f1d2770c70a5bc24904aa3e2d27a8d5637684cf8166b38908f2",
+        "284701380f33a30b25e8eb9822e7f47179238e91d08bd3fb5a117145de7e0d8d",
+        "497471497886f18ca16f7facab7d76dc9bfadd69deb9c6e4ea9bdc0869a15628",
+        "739bedcfc8eb860927eb2057474be5b39518aaaa6703f9f85307a432fa1f236e",
+        "8f4c72e3c7de1ab5d894ec7813f65c5298ecafc183f31924b44a427433ffca42",
+        "1ac4753056179b358132c55ca3086d550849ae30259ba94f334826c2fbf6c57e",
+        "53e8fecd7d4b1b74064eba9bfa6a361d52929f440954931b4ba65615148bf0ea",
+        "e9088afd8871dbad5eda47a9d8abf3b08dd2e17c423ba8a05f9b6ad6751f9b7c",
+        "ab27eb05130db2f92499234b69ff97ee6429c7824efcb7324ae3e404e2b405bf",
+        "553451008520a5f0110d84192cba40208fb001c27454f946e85e6fb2e6553292"
+    )
 '''


@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/01/11"
+updated_date = "2024/04/05"

 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ references = [
 ]
 from = "now-119m"
 interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.file-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "File with Suspicious Extension Downloaded"
@@ -37,10 +37,17 @@ file where host.os.type == "windows" and event.type == "creation" and
  ) and file.Ext.windows.zone_identifier > 1 and
  not
  (
-    file.extension : "msix" and 
-    file.path : (
-      "?:\\Users\\*\\AppData\\Local\\Temp\\WinGet\\Microsoft.Winget.Source*",
-      "?:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\WinGet\\State\\defaultState\\Microsoft.PreIndexed.Package\\Microsoft.Winget.Source*"
+    (
+      file.extension : "msix" and 
+      file.path : (
+        "?:\\Users\\*\\AppData\\Local\\Temp\\WinGet\\Microsoft.Winget.Source*",
+        "?:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\WinGet\\State\\defaultState\\Microsoft.PreIndexed.Package\\Microsoft.Winget.Source*"
+      )
+    ) or
+    (
+      process.name : "Teams.exe" and process.code_signature.trusted == true and
+      file.extension : "msix" and 
+      file.path : "?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Teams\\tmp\\*"
    )
  )
 '''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/12"
+updated_date = "2024/04/05"

 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ require permission modification of files/folders to change, modify or delete the
 """
 from = "now-119m"
 interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "File and Directory Permissions Modification"
@@ -33,7 +33,10 @@ process where event.type == "start" and host.os.type == "windows" and
  ((process.name: "cacls.exe" or process.pe.original_file_name == "CACLS.EXE") and process.args: ("/g", "*:f")) or
  ((process.name: "takeown.exe" or process.pe.original_file_name == "takeown.exe") and process.args: ("/F")) or
  ((process.name: "attrib.exe" or process.pe.original_file_name== "ATTRIB.EXE") and process.args: "-r")
-) and not user.id : "S-1-5-18"
+) and not user.id : "S-1-5-18" and
+not (
+  process.args : ("C:\\ProgramData\\Lenovo\\*", "C:\\ProgramData\\Adobe\\*", "C:\\ProgramData\\ASUS\\ASUS*")
+)
 '''