[Rule Tuning] Windows DR Tuning - 15 (#3377)

* [Rule Tuning] Windows DR Tuning - 15

* Update privilege_escalation_windows_service_via_unusual_client.toml

* Update privilege_escalation_windows_service_via_unusual_client.toml

* Update defense_evasion_msbuild_making_network_connections.toml

(cherry picked from commit 92804343bc)

rules/windows/defense_evasion_msbuild_making_network_connections.toml

@@ -107,7 +107,8 @@ query = '''
 sequence by process.entity_id
   [process where host.os.type == "windows" and process.name : "MSBuild.exe" and event.type == "start"]
   [network where host.os.type == "windows" and process.name : "MSBuild.exe" and
-     not cidrmatch(destination.ip, "127.0.0.1", "::1", "localhost")]
+     not cidrmatch(destination.ip, "127.0.0.1", "::1") and
+     not dns.question.name : "localhost"]
 '''
 
 

rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/10/23"
+updated_date = "2024/01/09"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -98,7 +98,7 @@ The Print Spooler service has some known vulnerabilities that attackers can abus
 
 """
 references = ["https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337"]
-risk_score = 73
+risk_score = 47
 rule_id = "a7ccae7b-9d2c-44b2-a061-98e5946971fa"
 setup="""
 
@@ -108,7 +108,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 `event.ingested` to @timestamp.
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
-severity = "high"
+severity = "medium"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -122,7 +122,8 @@ file where host.os.type == "windows" and event.type != "deletion" and
                       "PrintIsolationHost.exe",
                       "splwow64.exe",
                       "msiexec.exe",
-                      "poqexec.exe") and
+                      "poqexec.exe",
+                      "System") and
   not user.id : "S-1-5-18" and
   not process.executable :
             ("?:\\Windows\\System32\\mmc.exe",
@@ -135,7 +136,8 @@ file where host.os.type == "windows" and event.type != "deletion" and
              "?:\\Program Files\\*.exe",
              "?:\\Program Files (x86)\\*.exe",
              "?:\\PROGRA~1\\*.exe",
-             "?:\\PROGRA~2\\*.exe")
+             "?:\\PROGRA~2\\*.exe",
+             "?:\\Windows\\System32\\rundll32.exe")
 '''
 
 

rules/windows/privilege_escalation_uac_sdclt.toml

@@ -1,78 +0,0 @@
-[metadata]
-creation_date = "2020/09/02"
-integration = ["endpoint", "windows"]
-maturity = "development"
-updated_date = "2023/10/13"
-
-[rule]
-author = ["Elastic"]
-description = """
-Identifies User Account Control (UAC) bypass via sdclt.exe. Attackers bypass UAC to stealthily execute code with
-elevated permissions.
-"""
-from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
-language = "eql"
-license = "Elastic License v2"
-name = "Bypass UAC via Sdclt"
-risk_score = 73
-rule_id = "9b54e002-034a-47ac-9307-ad12c03fa900"
-severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
-type = "eql"
-
-query = '''
-/* add winlogbeat-* when process.code_signature.* fields are populated */
-/* still needs testing, applicable binary was not available on test machine */
-
-sequence with maxspan=1m
-  [process where host.os.type == "windows" and event.type == "start" and process.name : "sdclt.exe" and
-     /* uncomment once in winlogbeat */
-     /* process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true and */
-     process.args : "/kickoffelev"
-  ] by process.entity_id
-  [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "sdclt.exe" and
-     not (process.executable : "C:\\Windows\\System32\\sdclt.exe" or
-          process.executable : "C:\\Windows\\System32\\control.exe" or
-          process.executable : "C:\\Windows\\SysWOW64\\sdclt.exe" or
-          process.executable : "C:\\Windows\\SysWOW64\\control.exe")
-  ] by process.parent.entity_id
-'''
-
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
-[[rule.threat.technique.subtechnique]]
-id = "T1548.002"
-name = "Bypass User Account Control"
-reference = "https://attack.mitre.org/techniques/T1548/002/"
-
-
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1218"
-name = "System Binary Proxy Execution"
-reference = "https://attack.mitre.org/techniques/T1218/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1218.014"
-name = "MMC"
-reference = "https://attack.mitre.org/techniques/T1218/014/"
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-

rules/windows/privilege_escalation_unusual_parentchild_relationship.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/01/16"
+updated_date = "2024/01/17"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -131,14 +131,14 @@ process.parent.name != null and
    (process.name:("lsass.exe", "LsaIso.exe") and not process.parent.name:"wininit.exe") or
    (process.name:"LogonUI.exe" and not process.parent.name:("wininit.exe", "winlogon.exe")) or
    (process.name:"services.exe" and not process.parent.name:"wininit.exe") or
-   (process.name:"svchost.exe" and not process.parent.name:("MsMpEng.exe", "services.exe")) or
+   (process.name:"svchost.exe" and not process.parent.name:("MsMpEng.exe", "services.exe", "svchost.exe")) or
    (process.name:"spoolsv.exe" and not process.parent.name:"services.exe") or
-   (process.name:"taskhost.exe" and not process.parent.name:("services.exe", "svchost.exe")) or
+   (process.name:"taskhost.exe" and not process.parent.name:("services.exe", "svchost.exe", "ngentask.exe")) or
    (process.name:"taskhostw.exe" and not process.parent.name:("services.exe", "svchost.exe")) or
    (process.name:"userinit.exe" and not process.parent.name:("dwm.exe", "winlogon.exe")) or
    (process.name:("wmiprvse.exe", "wsmprovhost.exe", "winrshost.exe") and not process.parent.name:"svchost.exe") or
    /* suspicious child processes */
-   (process.parent.name:("SearchProtocolHost.exe", "taskhost.exe", "csrss.exe") and not process.name:("werfault.exe", "wermgr.exe", "WerFaultSecure.exe")) or
+   (process.parent.name:("SearchProtocolHost.exe", "taskhost.exe", "csrss.exe") and not process.name:("werfault.exe", "wermgr.exe", "WerFaultSecure.exe", "conhost.exe")) or
    (process.parent.name:"autochk.exe" and not process.name:("chkdsk.exe", "doskey.exe", "WerFault.exe")) or
    (process.parent.name:"smss.exe" and not process.name:("autochk.exe", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "setupcl.exe", "WerFault.exe")) or
    (process.parent.name:"wermgr.exe" and not process.name:("WerFaultSecure.exe", "wermgr.exe", "WerFault.exe")) or

rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/01/16"
+updated_date = "2024/01/17"
 
 [rule]
 author = ["Elastic"]
@@ -50,7 +50,11 @@ process where host.os.type == "windows" and event.type == "start" and
  not (process.name : "net.exe" and process.command_line : ("*stop*", "*start*")) and
  not (process.name : ("cmd.exe", "powershell.exe") and process.command_line : ("*.spl*", "*\\program files*", "*route add*")) and
  not (process.name : "netsh.exe" and process.command_line : ("*add portopening*", "*rule name*")) and
- not (process.name : "regsvr32.exe" and process.command_line : "*PrintConfig.dll*")
+ not (process.name : "regsvr32.exe" and process.command_line : "*PrintConfig.dll*") and
+ not process.executable : (
+    "?:\\Program Files (x86)\\CutePDF Writer\\CPWriter2.exe",
+    "?:\\Program Files (x86)\\GPLGS\\gswin32c.exe"
+ )
 '''
 
 

rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/09"
 
 [rule]
 author = ["Elastic"]
@@ -35,25 +35,31 @@ type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
-     process.parent.name : "svchost.exe" and
+  process.parent.name : "svchost.exe" and
 
-     /* based on svchost service arguments -s svcname where the service is known to be childless */
+  /* based on svchost service arguments -s svcname where the service is known to be childless */
+  process.parent.args : (
+    "WdiSystemHost", "LicenseManager", "StorSvc", "CDPSvc", "cdbhsvc", "BthAvctpSvc", "SstpSvc", "WdiServiceHost",
+    "imgsvc", "TrkWks", "WpnService", "IKEEXT", "PolicyAgent", "CryptSvc", "netprofm", "ProfSvc", "StateRepository",
+    "camsvc", "LanmanWorkstation", "NlaSvc", "EventLog", "hidserv", "DisplayEnhancementService", "ShellHWDetection",
+    "AppHostSvc", "fhsvc", "CscService", "PushToInstall"
+  ) and
 
-    process.parent.args : ("WdiSystemHost","LicenseManager",
-      "StorSvc","CDPSvc","cdbhsvc","BthAvctpSvc","SstpSvc","WdiServiceHost",
-      "imgsvc","TrkWks","WpnService","IKEEXT","PolicyAgent","CryptSvc",
-      "netprofm","ProfSvc","StateRepository","camsvc","LanmanWorkstation",
-      "NlaSvc","EventLog","hidserv","DisplayEnhancementService","ShellHWDetection",
-      "AppHostSvc","fhsvc","CscService","PushToInstall") and
-
-      /* unknown FPs can be added here */
-
-     not process.name : ("WerFault.exe","WerFaultSecure.exe","wermgr.exe") and
-     not (process.executable : "?:\\Windows\\System32\\RelPost.exe" and process.parent.args : "WdiSystemHost") and
-     not (process.name : "rundll32.exe" and
-          process.args : "?:\\WINDOWS\\System32\\winethc.dll,ForceProxyDetectionOnNextRun" and process.parent.args : "WdiServiceHost") and
-     not (process.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\Windows\\System32\\Kodak\\kds_i4x50\\lib\\lexexe.exe") and
-          process.parent.args : "imgsvc")
+  /* unknown FPs can be added here */
+  not process.name : ("WerFault.exe", "WerFaultSecure.exe", "wermgr.exe") and
+  not (process.executable : "?:\\Windows\\System32\\RelPost.exe" and process.parent.args : "WdiSystemHost") and
+  not (
+    process.name : "rundll32.exe" and
+    process.args : "?:\\WINDOWS\\System32\\winethc.dll,ForceProxyDetectionOnNextRun" and
+    process.parent.args : "WdiServiceHost"
+  ) and
+  not (
+    process.executable : (
+      "?:\\Program Files\\*",
+      "?:\\Program Files (x86)\\*",
+      "?:\\Windows\\System32\\Kodak\\kds_?????\\lib\\lexexe.exe"
+    ) and process.parent.args : "imgsvc"
+  )
 '''
 
 

rules/windows/privilege_escalation_via_ppid_spoofing.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/22"
+updated_date = "2024/01/09"
 
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,15 @@ process where host.os.type == "windows" and event.action == "start" and
                     "?:\\Program Files (x86)\\EMC Captiva\\Captiva Cloud Runtime\\Emc.Captiva.WebCaptureRunner.exe",
                     "?:\\Program Files\\Freedom Scientific\\*.exe",
                     "?:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\*\\remoting_host.exe",
-                    "?:\\Program Files (x86)\\GoToAssist Remote Support Customer\\*\\g2ax_comm_customer.exe")
+                    "?:\\Program Files (x86)\\GoToAssist Remote Support Customer\\*\\g2ax_comm_customer.exe") and
+ not (
+    process.code_signature.trusted == true and process.code_signature.subject_name == "Netwrix Corporation" and
+    process.name : "adcrcpy.exe" and process.parent.executable : (
+      "?:\\Program Files (x86)\\Netwrix Auditor\\Active Directory Auditing\\Netwrix.ADA.EventCollector.exe",
+      "?:\\Program Files (x86)\\Netwrix Auditor\\Active Directory Auditing\\Netwrix.ADA.Analyzer.exe",
+      "?:\\Netwrix Auditor\\Active Directory Auditing\\Netwrix.ADA.EventCollector.exe"
+    )
+ )
 '''
 
 

rules/windows/privilege_escalation_windows_service_via_unusual_client.toml

@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/09"
 
 [rule]
 author = ["Elastic"]
@@ -48,7 +48,11 @@ type = "query"
 
 query = '''
 event.action:"service-installed" and
-  (winlog.event_data.ClientProcessId:"0" or winlog.event_data.ParentProcessId:"0")
+  (winlog.event_data.ClientProcessId:"0" or winlog.event_data.ParentProcessId:"0") and
+  not winlog.event_data.ServiceFileName : (
+    "C:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe" or
+    "%SystemRoot%\\system32\\Drivers\\Crowdstrike\\17706-CsInstallerService.exe"
+  )
 '''