From d121e74a3e7aa50aa368a3a4bc2de337abb2f81d Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Tue, 23 Jan 2024 16:48:31 -0300
Subject: [PATCH] [Rule Tuning] Windows DR Tuning - 15 (#3377)
* [Rule Tuning] Windows DR Tuning - 15
* Update privilege_escalation_windows_service_via_unusual_client.toml
* Update privilege_escalation_windows_service_via_unusual_client.toml
* Update defense_evasion_msbuild_making_network_connections.toml
(cherry picked from commit 92804343bc1f1faa22784e67a4acc8bd5a7a4557)
---
 ...on_msbuild_making_network_connections.toml | 3 +-
 ...tion_printspooler_suspicious_spl_file.toml | 12 +--
 .../privilege_escalation_uac_sdclt.toml | 78 -------------------
 ...tion_unusual_parentchild_relationship.toml | 8 +-
 ...ion_unusual_printspooler_childprocess.toml | 8 +-
 ...n_unusual_svchost_childproc_childless.toml | 42 +++++-----
 ...rivilege_escalation_via_ppid_spoofing.toml | 12 ++-
 ...on_windows_service_via_unusual_client.toml | 8 +-
 8 files changed, 59 insertions(+), 112 deletions(-)
 delete mode 100644 rules/windows/privilege_escalation_uac_sdclt.toml
diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
index ac56fd922..41bdeb52b 100644
--- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml
+++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
@@ -107,7 +107,8 @@ query = '''
 sequence by process.entity_id
 [process where host.os.type == "windows" and process.name : "MSBuild.exe" and event.type == "start"]
 [network where host.os.type == "windows" and process.name : "MSBuild.exe" and
- not cidrmatch(destination.ip, "127.0.0.1", "::1", "localhost")]
+ not cidrmatch(destination.ip, "127.0.0.1", "::1") and
+ not dns.question.name : "localhost"]
 '''
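Review bot: `updated_date` is not bumped for this rule, while every other modified rule in this commit bumps it; the metadata block sits outside the hunk, so the change belongs there alongside this query edit. Separately, the new `not dns.question.name : "localhost"` clause only carries meaning on network events that populate a DNS question, and under EQL null handling it is worth confirming that plain connection events lacking that field still satisfy the `not` — otherwise the exclusion would suppress every non-DNS network event rather than just loopback lookups. A one-line comment stating which event shape each exclusion targets, e.g. `/* loopback connections, and DNS lookups of localhost */`, would make the intent reviewable. The enclosing sequence starts outside the hunk.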
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
index 3a885ecf6..947c9d815 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/10/23"
+updated_date = "2024/01/09"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -98,7 +98,7 @@ The Print Spooler service has some known vulnerabilities that attackers can abus
 """
 references = ["https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337"]
-risk_score = 73
+risk_score = 47
 rule_id = "a7ccae7b-9d2c-44b2-a061-98e5946971fa"
 setup="""
@@ -108,7 +108,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 `event.ingested` to @timestamp. For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
-severity = "high"
+severity = "medium"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -122,7 +122,8 @@ file where host.os.type == "windows" and event.type != "deletion" and
 "PrintIsolationHost.exe",
 "splwow64.exe",
 "msiexec.exe",
- "poqexec.exe") and
+ "poqexec.exe",
+ "System") and
 not user.id : "S-1-5-18" and
 not process.executable : ("?:\\Windows\\System32\\mmc.exe",
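Review bot: The new `"System"` entry in the `process.name` allow-list is a name-only match, and the kernel pseudo-process it presumably covers runs as Local System, which `not user.id : "S-1-5-18"` two lines below already exempts; so the entry only takes effect on events where `user.id` is not populated, and which data source that is should be recorded. A trailing comment such as `"System") and /* kernel pseudo-process (pid 4); needed where user.id is absent */` would keep the next tuner from treating it as redundant, and if the source reports a pid, `process.pid == 4` is a stronger anchor than a file name any binary can carry. The enclosing `file where` expression starts and ends outside the hunk.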
@@ -135,7 +136,8 @@ file where host.os.type == "windows" and event.type != "deletion" and
 "?:\\Program Files\\*.exe",
 "?:\\Program Files (x86)\\*.exe",
 "?:\\PROGRA~1\\*.exe",
- "?:\\PROGRA~2\\*.exe")
+ "?:\\PROGRA~2\\*.exe",
+ "?:\\Windows\\System32\\rundll32.exe")
 '''
diff --git a/rules/windows/privilege_escalation_uac_sdclt.toml b/rules/windows/privilege_escalation_uac_sdclt.toml
deleted file mode 100644
index afae84230..000000000
--- a/rules/windows/privilege_escalation_uac_sdclt.toml
+++ /dev/null
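Review bot: `"?:\\Windows\\System32\\rundll32.exe"` joins the executable allow-list with no argument or parent constraint, which exempts every rundll32-hosted DLL from this rule rather than the single print-configuration path that presumably produced the false positive; rundll32 is a general-purpose host, so this carve-out is far broader than the neighbouring `Program Files` entries. Scope it to the observed case as its own clause, e.g. `not (process.executable : "?:\\Windows\\System32\\rundll32.exe" and process.args : "<observed dll>,<entry>")`, and name the DLL in a comment so the exclusion can be re-checked later. The enclosing `file where` expression starts outside the hunk.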
@@ -1,78 +0,0 @@
-[metadata]
-creation_date = "2020/09/02"
-integration = ["endpoint", "windows"]
-maturity = "development"
-updated_date = "2023/10/13"
-
-[rule]
-author = ["Elastic"]
-description = """
-Identifies User Account Control (UAC) bypass via sdclt.exe. Attackers bypass UAC to stealthily execute code with
-elevated permissions.
-"""
-from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
-language = "eql"
-license = "Elastic License v2"
-name = "Bypass UAC via Sdclt"
-risk_score = 73
-rule_id = "9b54e002-034a-47ac-9307-ad12c03fa900"
-severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
-type = "eql"
-
-query = '''
-/* add winlogbeat-* when process.code_signature.* fields are populated */
-/* still needs testing, applicable binary was not available on test machine */
-
-sequence with maxspan=1m
- [process where host.os.type == "windows" and event.type == "start" and process.name : "sdclt.exe" and
- /* uncomment once in winlogbeat */
- /* process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true and */
- process.args : "/kickoffelev"
- ] by process.entity_id
- [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "sdclt.exe" and
- not (process.executable : "C:\\Windows\\System32\\sdclt.exe" or
- process.executable : "C:\\Windows\\System32\\control.exe" or
- process.executable : "C:\\Windows\\SysWOW64\\sdclt.exe" or
- process.executable : "C:\\Windows\\SysWOW64\\control.exe")
- ] by process.parent.entity_id
-'''
-
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
-[[rule.threat.technique.subtechnique]]
-id = "T1548.002"
-name = "Bypass User Account Control"
-reference = "https://attack.mitre.org/techniques/T1548/002/"
-
-
-
-[rule.threat.tactic]
-id = "TA0004"
-name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1218"
-name = "System Binary Proxy Execution"
-reference = "https://attack.mitre.org/techniques/T1218/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1218.014"
-name = "MMC"
-reference = "https://attack.mitre.org/techniques/T1218/014/"
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index f0a4e899c..993fc9d42 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/01/16"
+updated_date = "2024/01/17"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -131,14 +131,14 @@ process.parent.name != null and
 (process.name:("lsass.exe", "LsaIso.exe") and not process.parent.name:"wininit.exe") or
 (process.name:"LogonUI.exe" and not process.parent.name:("wininit.exe", "winlogon.exe")) or
 (process.name:"services.exe" and not process.parent.name:"wininit.exe") or
- (process.name:"svchost.exe" and not process.parent.name:("MsMpEng.exe", "services.exe")) or
+ (process.name:"svchost.exe" and not process.parent.name:("MsMpEng.exe", "services.exe", "svchost.exe")) or
 (process.name:"spoolsv.exe" and not process.parent.name:"services.exe") or
- (process.name:"taskhost.exe" and not process.parent.name:("services.exe", "svchost.exe")) or
+ (process.name:"taskhost.exe" and not process.parent.name:("services.exe", "svchost.exe", "ngentask.exe")) or
 (process.name:"taskhostw.exe" and not process.parent.name:("services.exe", "svchost.exe")) or
 (process.name:"userinit.exe" and not process.parent.name:("dwm.exe", "winlogon.exe")) or
 (process.name:("wmiprvse.exe", "wsmprovhost.exe", "winrshost.exe") and not process.parent.name:"svchost.exe") or
 /* suspicious child processes */
- (process.parent.name:("SearchProtocolHost.exe", "taskhost.exe", "csrss.exe") and not process.name:("werfault.exe", "wermgr.exe", "WerFaultSecure.exe")) or
+ (process.parent.name:("SearchProtocolHost.exe", "taskhost.exe", "csrss.exe") and not process.name:("werfault.exe", "wermgr.exe", "WerFaultSecure.exe", "conhost.exe")) or
 (process.parent.name:"autochk.exe" and not process.name:("chkdsk.exe", "doskey.exe", "WerFault.exe")) or
 (process.parent.name:"smss.exe" and not process.name:("autochk.exe", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "setupcl.exe", "WerFault.exe")) or
 (process.parent.name:"wermgr.exe" and not process.name:("WerFaultSecure.exe", "wermgr.exe", "WerFault.exe")) or
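Review bot: Adding `"svchost.exe"` as an accepted parent of `svchost.exe` makes that exemption name-only on both sides: nothing in the hunk ties either process to the System32/SysWOW64 image or a trusted signature, so a look-alike named svchost.exe launched by any genuine svchost-hosted service that spawns processes now falls outside the rule. Keep the new parent entry but anchor it on the child's path, e.g. `(process.name:"svchost.exe" and not process.parent.name:("MsMpEng.exe", "services.exe") and not (process.parent.name:"svchost.exe" and process.executable : ("?:\\Windows\\System32\\svchost.exe", "?:\\Windows\\SysWOW64\\svchost.exe"))) or`, unless a path or signature constraint already exists outside the hunk. The `ngentask.exe` and `conhost.exe` additions are narrow and look fine. The enclosing `where` expression starts and ends outside the hunk.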
diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
index d6db30bd5..b8c6601f2 100644
--- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
+++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/01/16"
+updated_date = "2024/01/17"
 [rule]
 author = ["Elastic"]
@@ -50,7 +50,11 @@ process where host.os.type == "windows" and event.type == "start" and
 not (process.name : "net.exe" and process.command_line : ("*stop*", "*start*")) and
 not (process.name : ("cmd.exe", "powershell.exe") and process.command_line : ("*.spl*", "*\\program files*", "*route add*")) and
 not (process.name : "netsh.exe" and process.command_line : ("*add portopening*", "*rule name*")) and
- not (process.name : "regsvr32.exe" and process.command_line : "*PrintConfig.dll*")
+ not (process.name : "regsvr32.exe" and process.command_line : "*PrintConfig.dll*") and
+ not process.executable : (
+ "?:\\Program Files (x86)\\CutePDF Writer\\CPWriter2.exe",
+ "?:\\Program Files (x86)\\GPLGS\\gswin32c.exe"
+ )
 '''
diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
index 7097416d9..ce04dc355 100644
--- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
+++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
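Review bot: The two new `process.executable` exclusions are path-only, whereas the Netwrix exclusion this same commit adds to `privilege_escalation_via_ppid_spoofing.toml` pairs the path with `process.code_signature.trusted == true` and a `subject_name`; for a rule whose trigger is a spooler child process, a signature check is the cheapest guard against a planted binary at a known-allowed path. If both vendors sign their binaries, wrap the list as `not (process.executable : (...) and process.code_signature.trusted == true)`; if the GPL Ghostscript `gswin32c.exe` build is unsigned, say so in a comment so the weaker exclusion reads as deliberate. A short comment on why a virtual printer driver spawns these from spoolsv would also help the next tuner. The enclosing `process where` expression starts outside the hunk.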
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/09"
 [rule]
 author = ["Elastic"]
@@ -35,25 +35,31 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- process.parent.name : "svchost.exe" and
+ process.parent.name : "svchost.exe" and
- /* based on svchost service arguments -s svcname where the service is known to be childless */
+ /* based on svchost service arguments -s svcname where the service is known to be childless */
+ process.parent.args : (
+ "WdiSystemHost", "LicenseManager", "StorSvc", "CDPSvc", "cdbhsvc", "BthAvctpSvc", "SstpSvc", "WdiServiceHost",
+ "imgsvc", "TrkWks", "WpnService", "IKEEXT", "PolicyAgent", "CryptSvc", "netprofm", "ProfSvc", "StateRepository",
+ "camsvc", "LanmanWorkstation", "NlaSvc", "EventLog", "hidserv", "DisplayEnhancementService", "ShellHWDetection",
+ "AppHostSvc", "fhsvc", "CscService", "PushToInstall"
+ ) and
- process.parent.args : ("WdiSystemHost","LicenseManager",
- "StorSvc","CDPSvc","cdbhsvc","BthAvctpSvc","SstpSvc","WdiServiceHost",
- "imgsvc","TrkWks","WpnService","IKEEXT","PolicyAgent","CryptSvc",
- "netprofm","ProfSvc","StateRepository","camsvc","LanmanWorkstation",
- "NlaSvc","EventLog","hidserv","DisplayEnhancementService","ShellHWDetection",
- "AppHostSvc","fhsvc","CscService","PushToInstall") and
-
- /* unknown FPs can be added here */
-
- not process.name : ("WerFault.exe","WerFaultSecure.exe","wermgr.exe") and
- not (process.executable : "?:\\Windows\\System32\\RelPost.exe" and process.parent.args : "WdiSystemHost") and
- not (process.name : "rundll32.exe" and
- process.args : "?:\\WINDOWS\\System32\\winethc.dll,ForceProxyDetectionOnNextRun" and process.parent.args : "WdiServiceHost") and
- not (process.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\Windows\\System32\\Kodak\\kds_i4x50\\lib\\lexexe.exe") and
- process.parent.args : "imgsvc")
+ /* unknown FPs can be added here */
+ not process.name : ("WerFault.exe", "WerFaultSecure.exe", "wermgr.exe") and
+ not (process.executable : "?:\\Windows\\System32\\RelPost.exe" and process.parent.args : "WdiSystemHost") and
+ not (
+ process.name : "rundll32.exe" and
+ process.args : "?:\\WINDOWS\\System32\\winethc.dll,ForceProxyDetectionOnNextRun" and
+ process.parent.args : "WdiServiceHost"
+ ) and
+ not (
+ process.executable : (
+ "?:\\Program Files\\*",
+ "?:\\Program Files (x86)\\*",
+ "?:\\Windows\\System32\\Kodak\\kds_?????\\lib\\lexexe.exe"
+ ) and process.parent.args : "imgsvc"
+ )
 '''
diff --git a/rules/windows/privilege_escalation_via_ppid_spoofing.toml b/rules/windows/privilege_escalation_via_ppid_spoofing.toml
index b894b3e11..bd4791b02 100644
--- a/rules/windows/privilege_escalation_via_ppid_spoofing.toml
+++ b/rules/windows/privilege_escalation_via_ppid_spoofing.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/22"
+updated_date = "2024/01/09"
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,15 @@ process where host.os.type == "windows" and event.action == "start" and
 "?:\\Program Files (x86)\\EMC Captiva\\Captiva Cloud Runtime\\Emc.Captiva.WebCaptureRunner.exe",
 "?:\\Program Files\\Freedom Scientific\\*.exe",
 "?:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\*\\remoting_host.exe",
- "?:\\Program Files (x86)\\GoToAssist Remote Support Customer\\*\\g2ax_comm_customer.exe")
+ "?:\\Program Files (x86)\\GoToAssist Remote Support Customer\\*\\g2ax_comm_customer.exe") and
+ not (
+ process.code_signature.trusted == true and process.code_signature.subject_name == "Netwrix Corporation" and
+ process.name : "adcrcpy.exe" and process.parent.executable : (
+ "?:\\Program Files (x86)\\Netwrix Auditor\\Active Directory Auditing\\Netwrix.ADA.EventCollector.exe",
+ "?:\\Program Files (x86)\\Netwrix Auditor\\Active Directory Auditing\\Netwrix.ADA.Analyzer.exe",
+ "?:\\Netwrix Auditor\\Active Directory Auditing\\Netwrix.ADA.EventCollector.exe"
+ )
+ )
 '''
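Review bot: Nearly all of this hunk is re-indentation; the one semantic change is `kds_i4x50` becoming `kds_?????` in the Kodak `lexexe.exe` path, and it is easy to miss among the whitespace churn — keeping formatting and tuning in separate commits would let that widening be reviewed and reverted on its own. The five `?` wildcards also need a trailing comment saying what they are meant to cover, e.g. `"?:\\Windows\\System32\\Kodak\\kds_?????\\lib\\lexexe.exe" /* kds_<model>, e.g. kds_i4x50 */`, since a reader cannot tell whether other model directories share that length. The `-`/`+` pairs for `process.parent.name : "svchost.exe" and` and the `/* based on ... */` comment are textually identical here, which suggests trailing-whitespace or tab changes; worth confirming a formatter rather than a stray edit produced them.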
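Review bot: The Netwrix exclusion is well scoped on the child (`code_signature.trusted`, `subject_name`, `process.name`), but the third parent path, `"?:\\Netwrix Auditor\\Active Directory Auditing\\Netwrix.ADA.EventCollector.exe"`, sits at the drive root rather than under Program Files; on a default Windows ACL a standard user can create a folder directly under the system drive root, so if this reflects a known non-default install location it should say so in a comment, e.g. `/* non-default install root observed in the field */`, and otherwise be dropped. A one-line comment on why `adcrcpy.exe` trips a PPID-spoofing rule at all would also help whoever tunes this next. The enclosing `process where` expression starts outside the hunk.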
diff --git a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
index 724ce976f..38111e87c 100644
--- a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
+++ b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/09"
 [rule]
 author = ["Elastic"]
@@ -48,7 +48,11 @@ type = "query"
 query = '''
 event.action:"service-installed" and
- (winlog.event_data.ClientProcessId:"0" or winlog.event_data.ParentProcessId:"0")
+ (winlog.event_data.ClientProcessId:"0" or winlog.event_data.ParentProcessId:"0") and
+ not winlog.event_data.ServiceFileName : (
+ "C:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe" or
+ "%SystemRoot%\\system32\\Drivers\\Crowdstrike\\17706-CsInstallerService.exe"
+ )
 '''
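Review bot: The CrowdStrike entry pins a build-specific file name, `17706-CsInstallerService.exe`, so the exclusion silently stops matching at the next sensor update and the false positive returns; if the installer always lives under `%SystemRoot%\\system32\\Drivers\\Crowdstrike\\`, a wildcard on the build number (`*-CsInstallerService.exe`, in whatever form this rule's query language treats as a wildcard) keeps the path constraint while surviving upgrades. `ServiceFileName` is copied verbatim from the service registration, so the `%SystemRoot%` form has to match exactly how this installer registers itself rather than an expanded path; a one-line comment recording where each of the two values was observed would make that reviewable. The query body is complete within the hunk.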