From d0dfa479bbdd161c74061f4ed5076d8845fecd7a Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Mon, 8 Apr 2024 10:38:41 -0300
Subject: [PATCH] [Rule Tuning] Windows BBR Rule Tuning - 1 (#3579)

* [Rule Tuning] Windows BBR Rule Tuning - 1

* Update non-ecs-schema.json

* Update rules_building_block/command_and_control_certutil_network_connection.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules_building_block/collection_common_compressed_archived_file.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update defense_evasion_dll_hijack.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---
 detection_rules/etc/non-ecs-schema.json | 4 ++
 ...collection_archive_data_zip_imageload.toml | 7 +--
 ...ction_common_compressed_archived_file.toml | 22 +++++++---
 .../collection_outlook_email_archive.toml | 10 +++--
 ...d_control_certutil_network_connection.toml | 7 +--
 .../credential_access_mdmp_file_creation.toml | 7 +--
 ...al_access_mdmp_file_unusual_extension.toml | 8 +++-
 ...ication_apps_suspicious_child_process.toml | 19 +++++---
 .../defense_evasion_dll_hijack.toml | 43 +++++++++++++++++--
 ...fense_evasion_download_susp_extension.toml | 19 +++++---
 ..._evasion_file_permission_modification.toml | 9 ++--
 11 files changed, 119 insertions(+), 36 deletions(-)

diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index f060727e6..31676d2e5 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -83,6 +83,10 @@
 "Target.process.name": "keyword",
 "process.Ext.api.name": "keyword"
 },
+ "logs-endpoint.events.file-*": {
+ "file.Ext.header_bytes": "keyword",
+ "file.Ext.windows.zone_identifier": "long"
+ },
 "logs-windows.*": {
 "powershell.file.script_block_text": "text"
 },
diff --git a/rules_building_block/collection_archive_data_zip_imageload.toml b/rules_building_block/collection_archive_data_zip_imageload.toml index 8026bd146..a8f4f0650 100644 --- a/rules_building_block/collection_archive_data_zip_imageload.toml +++ b/rules_building_block/collection_archive_data_zip_imageload.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/16" +updated_date = "2024/04/05" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ exfiltration. """ from = "now-119m" interval = "60m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.library-*"] language = "eql" license = "Elastic License v2" name = "Compression DLL Loaded by Unusual Process" @@ -27,7 +27,7 @@ type = "eql" building_block_type = "default" query = ''' -library where +library where host.os.type == "windows" and event.action == "load" and dll.name : ("System.IO.Compression.FileSystem.ni.dll", "System.IO.Compression.ni.dll") and not ( @@ -38,6 +38,7 @@ library where "?:\\Windows\\Microsoft.NET\\Framework*\\mscorsvw.exe", "?:\\Windows\\System32\\sdiagnhost.exe", "?:\\Windows\\System32\\inetsrv\\w3wp.exe", + "?:\\Windows\\SysWOW64\\inetsrv\\w3wp.exe", "?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\DataCollection\\*\\OpenHandleCollector.exe" ) and process.code_signature.trusted == true ) or diff --git a/rules_building_block/collection_common_compressed_archived_file.toml b/rules_building_block/collection_common_compressed_archived_file.toml index 5aa76ab58..7799e6863 100644 --- a/rules_building_block/collection_common_compressed_archived_file.toml +++ b/rules_building_block/collection_common_compressed_archived_file.toml 
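Review bot: The new `"?:\\Windows\\SysWOW64\\inetsrv\\w3wp.exe"` entry in the process.executable exclusion list is gated only by the list-wide `process.code_signature.trusted == true`, so any trusted-signed binary at that path is exempted, not specifically the IIS worker process. The w3wp.exe exclusion added to collection_common_compressed_archived_file.toml in this same PR pairs the trusted flag with `process.code_signature.subject_name : "Microsoft Windows"`; if the other binaries in this list share that signer, the closing line could become `) and process.code_signature.subject_name : "Microsoft Windows" and process.code_signature.trusted == true`, otherwise scope the subject check to the two w3wp.exe entries so the two rules stay consistent. The exclusion list and its enclosing `not (` begin before this hunk.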
@@ -5,7 +5,7 @@ integration = "endpoint" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/02/22" +updated_date = "2024/04/05" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ Detects files being compressed or archived into common formats. This is a common evade detection or to staging data for exfiltration. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.file-*"] language = "eql" license = "Elastic License v2" max_signals = 1000 @@ -35,7 +35,7 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -file where event.type in ("creation", "change") and process.executable != null and not user.id : "S-1-5-18" and +file where host.os.type == "windows" and event.type in ("creation", "change") and process.executable != null and not user.id : ("S-1-5-18", "S-1-5-17") and file.Ext.header_bytes : ( /* compression formats */ "1F9D*", /* tar zip, tar.z (Lempel-Ziv-Welch algorithm) */ @@ -83,9 +83,16 @@ file where event.type in ("creation", "change") and process.executable != null a file.name : ("ossec-*.log.gz", "tmp-entry.gz", "tmp-entry", "last-entry.gz") ) or ( - process.name : "excel.exe" and + process.name : ("excel.exe", "winword.exe", "powerpnt.exe") and + process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true + ) or + ( + process.name : "OneDrive.exe" and process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true and - file.extension : ("tmp", "xlsx", "gz", "xlsb", "xar", "xslm") + ( + file.extension : ("xlsx", "docx", "pptx", "xlsm") or + file.path : "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\logs\\*" + ) ) or ( process.name : "Dropbox.exe" and 
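Review bot: The rewritten Office exclusion `process.name : ("excel.exe", "winword.exe", "powerpnt.exe")` drops the `file.extension` scoping the removed excel.exe exclusion had, so every file with a matching compression header written by a signed Office process is now exempted regardless of extension or path, while the OneDrive exclusion directly below it does keep an extension/path condition. Office documents are themselves zip containers, which is presumably the false positive being tuned, so an extension list covering those formats should be enough, e.g. `file.extension : ("xlsx", "xlsm", "xlsb", "docx", "pptx", "tmp")` (a constructed example; adjust to the telemetry that drove the change). Keeping the scoping matters because this rule exists to catch archives being staged, and Office processes are a common host for document-driven execution.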
@@ -96,6 +103,11 @@ file where event.type in ("creation", "change") and process.executable != null a process.name : "DellSupportAssistRemedationService.exe" and process.code_signature.subject_name : "Dell Inc" and process.code_signature.trusted == true and file.extension : "manifest" + ) or + ( + process.name : "w3wp.exe" and + process.code_signature.subject_name : "Microsoft Windows" and process.code_signature.trusted == true and + file.path : "?:\\inetpub\\temp\\IIS Temporary Compressed Files\\*" ) ) ''' diff --git a/rules_building_block/collection_outlook_email_archive.toml b/rules_building_block/collection_outlook_email_archive.toml index 2ec7a8d5b..6b5b04cb0 100644 --- a/rules_building_block/collection_outlook_email_archive.toml +++ b/rules_building_block/collection_outlook_email_archive.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/21" +updated_date = "2024/04/05" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ modification of these files. """ from = "now-119m" interval = "60m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process-*"] language = "eql" license = "Elastic License v2" name = "Accessing Outlook Data Files" @@ -28,7 +28,11 @@ building_block_type = "default" query = ''' process where host.os.type == "windows" and event.type == "start" and process.args : ("*.ost", "*.pst") and - not process.name : "outlook.exe" + not process.name : "outlook.exe" and + not ( + process.name : "rundll32.exe" and + process.args : "*davclnt.dll,DavSetCookie*" + ) ''' [[rule.threat]] diff --git a/rules_building_block/command_and_control_certutil_network_connection.toml b/rules_building_block/command_and_control_certutil_network_connection.toml index 7973bc3ae..15bce7b66 100644 --- a/rules_building_block/command_and_control_certutil_network_connection.toml 
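Review bot: The new rundll32.exe exclusion in collection_outlook_email_archive.toml keys only on `process.name` and a double-wildcard `process.args : "*davclnt.dll,DavSetCookie*"` pattern, with no condition on where rundll32 was loaded from or who signed it, so it is broader than the WebDAV false positive it targets. Anchor it on the system binary by adding `process.executable : ("?:\\Windows\\System32\\rundll32.exe", "?:\\Windows\\SysWOW64\\rundll32.exe") and process.code_signature.trusted == true and` ahead of the args condition, and consider tightening the leading wildcard since davclnt.dll is presumably always referenced from System32. The same applies to the rundll32.exe / `*hpmsn???.dll,MonitorPrintJobStatus*` exclusion added in defense_evasion_communication_apps_suspicious_child_process.toml.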
+++ b/rules_building_block/command_and_control_certutil_network_connection.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/04/05" bypass_bbr_timing = true [transform] @@ -72,7 +72,7 @@ Identifies certutil.exe making a network connection. Adversaries could abuse cer malware, from a remote URL. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"] +index = ["winlogbeat-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Network Connection via Certutil" @@ -148,7 +148,8 @@ network where host.os.type == "windows" and process.name : "certutil.exe" and "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", - "FE80::/10", "FF00::/8") + "FE80::/10", "FF00::/8") and + not dns.question.name in ("localhost", "*.digicert.com", "ctldl.windowsupdate.com") ''' diff --git a/rules_building_block/credential_access_mdmp_file_creation.toml b/rules_building_block/credential_access_mdmp_file_creation.toml index 6e4b5fd93..c9da48cd0 100644 --- a/rules_building_block/credential_access_mdmp_file_creation.toml +++ b/rules_building_block/credential_access_mdmp_file_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/10" +updated_date = "2024/04/05" bypass_bbr_timing = true [rule] 
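Review bot: `not dns.question.name in ("localhost", "*.digicert.com", "ctldl.windowsupdate.com")` uses the `in` operator, which in EQL is an exact, case-sensitive comparison that does not expand wildcards, so the `"*.digicert.com"` entry only matches that literal string and the DigiCert exclusion is effectively dead. The wildcard-aware operator used throughout these rules is `:`, so the line should read `not dns.question.name : ("localhost", "*.digicert.com", "ctldl.windowsupdate.com")`. The `network where` clause this extends begins before the hunk.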
@@ -14,7 +14,7 @@ Identifies the creation or modification of a medium size memory dump file which credentials from a process memory. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.file-*"] language = "eql" license = "Elastic License v2" name = "Potential Credential Access via Memory Dump File Creation" @@ -50,7 +50,8 @@ file where host.os.type == "windows" and event.type == "creation" and "?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe", "?:\\Windows\\SystemApps\\*.exe", - "?:\\Users\\*\\AppData\\Roaming\\Zoom\\bin\\zCrashReport64.exe" + "?:\\Users\\*\\AppData\\Roaming\\Zoom\\bin\\zCrashReport64.exe", + "?:\\Windows\\CCM\\ccmdump.exe" ) and process.code_signature.trusted == true ) or ( diff --git a/rules_building_block/credential_access_mdmp_file_unusual_extension.toml b/rules_building_block/credential_access_mdmp_file_unusual_extension.toml index e142da657..2a9735df4 100644 --- a/rules_building_block/credential_access_mdmp_file_unusual_extension.toml +++ b/rules_building_block/credential_access_mdmp_file_unusual_extension.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/09/21" +updated_date = "2024/04/05" bypass_bbr_timing = true [rule] @@ -14,7 +14,7 @@ Identifies the creation of a memory dump file with an unusual extension, which c memory dump as another file type to bypass security defenses. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.file-*"] language = "eql" license = "Elastic License v2" name = "Memory Dump File with Unusual Extension" 
@@ -36,6 +36,10 @@ file where host.os.type == "windows" and event.type == "creation" and ( process.executable : "?:\\Program Files\\Endgame\\esensor.exe" and process.code_signature.trusted == true and length(file.extension) == 0 + ) and + not + ( + process.name : "System" and file.extension : "tmpscan" ) ''' diff --git a/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml b/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml index facf22a3b..303f5a25a 100644 --- a/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml +++ b/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/11" +updated_date = "2024/04/05" bypass_bbr_timing = true [rule] @@ -14,7 +14,7 @@ Identifies suspicious child processes of communications apps, which can indicate communication app or the exploitation of a vulnerability on the application causing it to execute code. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process-*"] language = "eql" license = "Elastic License v2" name = "Suspicious Communication App Child Process" @@ -43,7 +43,8 @@ process where host.os.type == "windows" and event.type == "start" and "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe", "?:\\Windows\\System32\\notepad.exe", "?:\\Windows\\System32\\WerFault.exe", - "?:\\Windows\\SysWOW64\\WerFault.exe" + "?:\\Windows\\SysWOW64\\WerFault.exe", + "?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\opera.exe" ) and process.code_signature.trusted == true ) or ( 
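Review bot: The new exclusion `process.name : "System" and file.extension : "tmpscan"` identifies the kernel's System process by name alone, and a process name is trivially chosen by whoever launches a user-mode binary, so a dump written with a .tmpscan extension by any process called System would be exempted from this rule. The System process has a fixed PID, so anchor on it as well: `process.pid == 4 and process.name : "System" and file.extension : "tmpscan"`. A one-line EQL comment naming the product that writes .tmpscan files, in the style of the `/* ... */` comments used in the other rules touched by this PR, would also help the next maintainer.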
@@ -66,7 +67,10 @@ process where host.os.type == "windows" and event.type == "start" and process.executable : ( "?:\\Program Files\\*", "?:\\Program Files (x86)\\*", - "?:\\Windows\\System32\\WerFault.exe" + "?:\\Windows\\System32\\WerFault.exe", + "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe", + "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe", + "?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\opera.exe" ) and process.code_signature.trusted == true ) or ( @@ -133,7 +137,8 @@ process where host.os.type == "windows" and event.type == "start" and ) or process.args : ( "C:\\WINDOWS/System32/nvidia-smi.exe", - "C:\\WINDOWS\\System32\\nvidia-smi.exe" + "C:\\WINDOWS\\System32\\nvidia-smi.exe", + "C:\\Windows\\System32\\DriverStore\\FileRepository/*/nvidia-smi.exe*" ) ) ) @@ -214,6 +219,10 @@ process where host.os.type == "windows" and event.type == "start" and "?:\\Windows\\explorer.exe", "?:\\Windows\\splwow64.exe" ) and process.code_signature.trusted == true + ) or + ( + process.name : "rundll32.exe" and + process.args : "*hpmsn???.dll,MonitorPrintJobStatus*" ) ) ) or diff --git a/rules_building_block/defense_evasion_dll_hijack.toml b/rules_building_block/defense_evasion_dll_hijack.toml index 5958bbf6b..35f81a544 100644 --- a/rules_building_block/defense_evasion_dll_hijack.toml +++ b/rules_building_block/defense_evasion_dll_hijack.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above." min_stack_version = "8.4.0" -updated_date = "2023/10/13" +updated_date = "2024/04/05" [rule] author = ["Elastic"] 
@@ -15,7 +15,7 @@ legitimate, trusted, and potentially elevated system or software process. """ from = "now-119m" interval = "60m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.library-*"] language = "eql" license = "Elastic License v2" name = "Unsigned DLL Loaded by a Trusted Process" 
@@ -35,7 +35,44 @@ library where host.os.type == "windows" and process.code_signature.status :"trusted" and not dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*") and /* DLL loaded from the process.executable current directory */ endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1))) - and not user.id : "S-1-5-18" + and not user.id : "S-1-5-18" and + not dll.hash.sha256 : ( + "19588e6a318894abe8094374bee233e666f319de909c69f12a6047b14473e299", + "6e8bee250c8cc1b65150522f33794759f5c65f58fff17c5cbf6422ad68b421d2", + "55de11531dc0e566cb91f26e48d1301a161a4b8b24abed42304d711412368760", + "56a5148d00c2d9e58415be2d64eca922a58063fe26d9af1c87084aa383c9058e", + "83ee0ff920144edb2c2f4ea10130f55443493290886985a63233fa2431e450f9", + "0d0d8f2eaff6b5f75e63d9721d5a0480b30e70792fe0d3a24d76fd3e61b05982", + "8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb", + "ea02a19dd824cb7d611b8821d1b9e6a076714a195d027d1ff918128a64ac5220", + "02a6d001e6dd944738e09b720e49dcb1272cb782b870e5ae319d4600bc192225", + "e7714a1d6ac3f4c4ae22564b9ca301e486f5f42691859c0a687246c47b5cf5c9", + "17f0f709fb7f6190c03b19b6198fd863b6f0d79f46ccfebac6064be747a4cb3e", + "cb7ab3788d10940df874acd97b1821bbb5ee4a91f3eec11982bb5bf7a3c96443", + "c944ee510721a1d30d42227cc3061dfdcbc144c952381afcfe4f6e82c5435ffc", + "967189adfbc889fde89aafc867f7a1f02731f8592cf6fd5a4ace1929213e2e13", + "4a824526749790603eb66777f79787128dd282162a3904a4c1135de43b14d029", + "620a7e658af05cc848091b8a639854b9b15700a9061b4a3d078523653133a4af", + "cb220267fb0116b298bab6a09a764420d630c52026f7d750f8ffca4818389327", + "0da1f856d92d6b95f10ed8c3f629cd15468c906de9352fb4ae629139d1412eed", + "e1646c7778c24407a17881908037a49ecfcb5a980d155212d544302653a3ef62", + "e102c9c5b22ceb60dc516ab4124bea8ec8e808b08eec48ea7ac674d13fca82ef", + "c7544e1f9927afdf6e8cd7063020b572e60fe8f00af39227eb831d331df38225", + 
"3668c6749db59a6cbc5293d0a4f904f76d6fb5048704449dd53894916f408a57", + "7705851ba047a8154402aca92621b60be0e0e9d9b52b19bf8be540305bd53dba", + "b5acf358ff97127eac9ef4c664a980b937376b5295ef23d77ee338225de10d60", + "394d2d862f2ddce71f28d9b933b21a7d6c621c80ef28652574f758f77f01f716", + "e958d03db79e9f1d2770c70a5bc24904aa3e2d27a8d5637684cf8166b38908f2", + "284701380f33a30b25e8eb9822e7f47179238e91d08bd3fb5a117145de7e0d8d", + "497471497886f18ca16f7facab7d76dc9bfadd69deb9c6e4ea9bdc0869a15628", + "739bedcfc8eb860927eb2057474be5b39518aaaa6703f9f85307a432fa1f236e", + "8f4c72e3c7de1ab5d894ec7813f65c5298ecafc183f31924b44a427433ffca42", + "1ac4753056179b358132c55ca3086d550849ae30259ba94f334826c2fbf6c57e", + "53e8fecd7d4b1b74064eba9bfa6a361d52929f440954931b4ba65615148bf0ea", + "e9088afd8871dbad5eda47a9d8abf3b08dd2e17c423ba8a05f9b6ad6751f9b7c", + "ab27eb05130db2f92499234b69ff97ee6429c7824efcb7324ae3e404e2b405bf", + "553451008520a5f0110d84192cba40208fb001c27454f946e85e6fb2e6553292" + ) ''' diff --git a/rules_building_block/defense_evasion_download_susp_extension.toml b/rules_building_block/defense_evasion_download_susp_extension.toml index 490c2ae01..1a64a5acf 100644 --- a/rules_building_block/defense_evasion_download_susp_extension.toml +++ b/rules_building_block/defense_evasion_download_susp_extension.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/11" +updated_date = "2024/04/05" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ references = [ ] from = "now-119m" interval = "60m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.file-*"] language = "eql" license = "Elastic License v2" name = "File with Suspicious Extension Downloaded" 
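Review bot: The 35-entry `dll.hash.sha256` exclusion list carries no comment saying what these hashes are (which product, why unsigned), which makes it impossible to review or prune later; a hash allowlist for unsigned DLLs also goes stale on every product update, so the list will only grow. Add an EQL comment above it in the style of the rule's existing `/* DLL loaded from the process.executable current directory */` line, e.g. `/* known-benign unsigned DLLs observed loading from their parent's directory, see [TRACKING-ISSUE placeholder]; re-validate on rule review */`, and where the vendor is known prefer a `dll.path`/`process.executable`-scoped exclusion that survives updates. The `library where` clause this list extends begins before the hunk.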
@@ -37,10 +37,17 @@ file where host.os.type == "windows" and event.type == "creation" and ) and file.Ext.windows.zone_identifier > 1 and not ( - file.extension : "msix" and - file.path : ( - "?:\\Users\\*\\AppData\\Local\\Temp\\WinGet\\Microsoft.Winget.Source*", - "?:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\WinGet\\State\\defaultState\\Microsoft.PreIndexed.Package\\Microsoft.Winget.Source*" + ( + file.extension : "msix" and + file.path : ( + "?:\\Users\\*\\AppData\\Local\\Temp\\WinGet\\Microsoft.Winget.Source*", + "?:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\WinGet\\State\\defaultState\\Microsoft.PreIndexed.Package\\Microsoft.Winget.Source*" + ) + ) or + ( + process.name : "Teams.exe" and process.code_signature.trusted == true and + file.extension : "msix" and + file.path : "?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Teams\\tmp\\*" ) ) ''' diff --git a/rules_building_block/defense_evasion_file_permission_modification.toml b/rules_building_block/defense_evasion_file_permission_modification.toml index 97a935470..11a0e1a76 100644 --- a/rules_building_block/defense_evasion_file_permission_modification.toml +++ b/rules_building_block/defense_evasion_file_permission_modification.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/12" +updated_date = "2024/04/05" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ require permission modification of files/folders to change, modify or delete the """ from = "now-119m" interval = "60m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process-*"] language = "eql" license = "Elastic License v2" name = "File and Directory Permissions Modification" 
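Review bot: The new Teams.exe exclusion checks `process.code_signature.trusted == true` but not the signer, and the excluded path `?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Teams\\tmp\\*` is inside a user-writable profile directory, so any validly signed binary named Teams.exe writing an .msix there is exempted from a rule whose purpose is flagging downloaded executables. The other process-based exclusions added in this PR pair the trusted flag with a subject check; do the same here, e.g. `process.name : "Teams.exe" and process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true and` (verify the subject against telemetry). The restructuring of the WinGet exclusion into its own parenthesised alternative is otherwise fine.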
@@ -33,7 +33,10 @@ process where event.type == "start" and host.os.type == "windows" and ((process.name: "cacls.exe" or process.pe.original_file_name == "CACLS.EXE") and process.args: ("/g", "*:f")) or ((process.name: "takeown.exe" or process.pe.original_file_name == "takeown.exe") and process.args: ("/F")) or ((process.name: "attrib.exe" or process.pe.original_file_name== "ATTRIB.EXE") and process.args: "-r") -) and not user.id : "S-1-5-18" +) and not user.id : "S-1-5-18" and +not ( + process.args : ("C:\\ProgramData\\Lenovo\\*", "C:\\ProgramData\\Adobe\\*", "C:\\ProgramData\\ASUS\\ASUS*") +) '''