[Rule Tuning] Windows BBR Rule Tuning - 3 (#3581)
* [Rule Tuning] Windows BBR Rule Tuning - 3
* Update non-ecs-schema.json
* Update rules_building_block/execution_settingcontent_ms_file_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update persistence_startup_folder_lnk.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit c5addae009)
committed by
github-actions[bot]
parent
9756346df0
commit
d21d94a8f8
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/19"
|
||||
updated_date = "2024/04/05"
|
||||
bypass_bbr_timing = true
|
||||
|
||||
[rule]
|
||||
@@ -12,7 +12,7 @@ author = ["Elastic"]
|
||||
building_block_type = "default"
|
||||
description = "Discovery of remote system information using built-in commands, which may be used to move laterally."
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
|
||||
index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Remote System Discovery Commands"
|
||||
@@ -77,7 +77,18 @@ process where host.os.type == "windows" and event.type == "start" and
|
||||
((((process.name : "net.exe" or process.pe.original_file_name == "net.exe") or
|
||||
((process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and not
|
||||
process.parent.name : "net.exe")) and
|
||||
process.args : "group" and process.args : "/domain" and not process.args : "/add")))
|
||||
process.args : "group" and process.args : "/domain" and not process.args : "/add"))) and
|
||||
not
|
||||
(
|
||||
(
|
||||
process.name : "arp.exe" and
|
||||
process.parent.executable : (
|
||||
"?:\\ProgramData\\CentraStage\\AEMAgent\\AEMAgent.exe",
|
||||
"?:\\Program Files (x86)\\Citrix\\Workspace Environment Management Agent\\Citrix.Wem.Agent.Service.exe",
|
||||
"?:\\Program Files (x86)\\Lansweeper\\Service\\LansweeperService.exe"
|
||||
)
|
||||
)
|
||||
)
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
|
||||
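Review bot: The new arp.exe exclusion keys only on `process.parent.executable` paths and never checks the parent's signature, so it is weaker than the signed-path form the RDP rule hunk later in this commit uses (`) and process.code_signature.trusted == true`). Adding `process.parent.code_signature.trusted == true` inside the arp.exe branch would keep the exclusion limited to the genuine CentraStage, Citrix WEM and Lansweeper agent binaries rather than any file dropped at those paths. The EQL query this hunk edits begins before the hunk, so the surrounding parentheses could not be checked here.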
@@ -1,10 +1,11 @@
|
||||
[metadata]
|
||||
bypass_bbr_timing = true
|
||||
creation_date = "2023/08/24"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2024/01/12"
|
||||
updated_date = "2024/04/05"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -12,9 +13,8 @@ description = """
|
||||
Identifies the suspicious creation of SettingContents-ms files, which have been used in attacks to achieve code
|
||||
execution while evading defenses.
|
||||
"""
|
||||
from = "now-119m"
|
||||
interval = "60m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.file-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Creation of SettingContent-ms Files"
|
||||
@@ -32,7 +32,10 @@ type = "eql"
|
||||
query = '''
|
||||
file where host.os.type == "windows" and event.type == "creation" and
|
||||
file.extension : "settingcontent-ms" and
|
||||
not file.path : "?:\\Users\\*\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_*\\LocalState\\Indexed\\Settings\\*"
|
||||
not file.path : (
|
||||
"?:\\*\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_*\\LocalState\\Indexed\\Settings\\*",
|
||||
"\\Device\\HarddiskVolume*\\Windows\\WinSxS\\amd64_microsoft-windows-s..*\\*.settingcontent-ms"
|
||||
)
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
|
||||
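Review bot: The rewritten exclusion widens the first pattern from `?:\\Users\\*\\AppData\\...` to `?:\\*\\AppData\\...`, which now matches the immersivecontrolpanel path under any directory on any drive, and the second pattern uses the device-path form with an abbreviated WinSxS component name, neither of which is explained anywhere in the rule. A short TOML comment above `query = '''` would help the next tuner, e.g. `# Expected sources: Settings index under any profile root (presumably redirected profiles) and the WinSxS servicing copy`; the "redirected profiles" part is my guess at the intent and should be confirmed with the author. If the intent was only to cover non-C: profile drives, the narrower `?:\\Users\\*\\AppData\\...` form would be preferable to the unanchored one.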
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2024/01/12"
|
||||
updated_date = "2024/04/05"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -15,7 +15,7 @@ an RDP connection to evade detection.
|
||||
"""
|
||||
from = "now-119m"
|
||||
interval = "60m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.network-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Potential Outgoing RDP Connection by Unusual Process"
|
||||
@@ -37,7 +37,10 @@ network where host.os.type == "windows" and
|
||||
"?:\\Program Files (x86)\\mRemoteNG\\mRemoteNG.exe",
|
||||
"?:\\Program Files (x86)\\PRTG Network Monitor\\PRTG Probe.exe",
|
||||
"?:\\Program Files\\Azure Advanced Threat Protection Sensor\\*\\Microsoft.Tri.Sensor.exe",
|
||||
"?:\\Program Files (x86)\\Microsoft\\Remote Desktop Connection Manager\\RDCMan.exe"
|
||||
"?:\\Program Files (x86)\\Microsoft\\Remote Desktop Connection Manager\\RDCMan.exe",
|
||||
"?:\\Program Files\\SentinelOne\\Sentinel Agent*\\Ranger\\SentinelRanger.exe",
|
||||
"?:\\Program Files\\Devolutions\\Remote Desktop Manager\\RemoteDesktopManager.exe",
|
||||
"?:\\Program Files (x86)\\Devolutions\\Remote Desktop Manager\\RemoteDesktopManager.exe"
|
||||
) and process.code_signature.trusted == true
|
||||
)
|
||||
'''
|
||||
|
||||
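Review bot: The three added executables (SentinelRanger, both RemoteDesktopManager paths) inherit the list's `process.code_signature.trusted == true` guard, which only asserts that the signing chain is trusted, not which publisher signed the binary, so any trusted-signed file placed at one of these paths satisfies the exclusion. For a BBR that exists to spot unusual RDP clients it would be tighter to pair each path with the vendor's `process.code_signature.subject_name` in the exclusion, with the exact subject strings taken from observed events rather than guessed. The executable list and the enclosing `not (` block start before this hunk, so only the tail of the exclusion is visible here.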
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2024/01/12"
|
||||
updated_date = "2024/04/05"
|
||||
bypass_bbr_timing = true
|
||||
|
||||
[rule]
|
||||
@@ -14,7 +14,7 @@ Identifies unusual process executions using MSSQL Service accounts, which can in
|
||||
instances. Attackers may exploit exposed MSSQL instances for initial access or lateral movement.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.process-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Unusual Process For MSSQL Service Accounts"
|
||||
@@ -48,7 +48,9 @@ process where event.type == "start" and host.os.type == "windows" and
|
||||
"msmdsrv.exe", "ReportingServicesService.exe",
|
||||
"MsDtsSrvr.exe", "sqlbrowser.exe", "DTExec.exe",
|
||||
"SQLPS.exe", "fdhost.exe", "fdlauncher.exe",
|
||||
"SqlDumper.exe", "sqlsqm.exe", "DatabaseMail.exe"
|
||||
"SqlDumper.exe", "sqlsqm.exe", "DatabaseMail.exe",
|
||||
"ISServerExec.exe", "Microsoft.ReportingServices.Portal.WebHost.exe",
|
||||
"bcp.exe", "SQLCMD.exe", "DatabaseMail.exe"
|
||||
) or
|
||||
process.executable : (
|
||||
"?:\\Windows\\System32\\wermgr.exe",
|
||||
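Review bot: `"DatabaseMail.exe"` now appears twice in the expected-process list, once on the kept line that gained a trailing comma and again at the end of the new last line; the duplicate is harmless to EQL evaluation but misleads the next tuner, so drop the second occurrence and end the line with `"bcp.exe", "SQLCMD.exe"`. Separately, `bcp.exe` and `SQLCMD.exe` are general-purpose command-line tools rather than SQL Server service binaries like the entries around them, so a one-line `#` comment above the list recording why they are expected under the service accounts would justify the wider exclusion. The list and the query it belongs to start before this hunk.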
@@ -62,7 +64,8 @@ process where event.type == "start" and host.os.type == "windows" and
|
||||
)
|
||||
) and
|
||||
not (
|
||||
process.name : "cmd.exe" and process.parent.name : "sqlservr.exe"
|
||||
(process.name : "cmd.exe" and process.parent.name : "sqlservr.exe") or
|
||||
(process.name : "cmd.exe" and process.parent.name : "forfiles.exe" and process.command_line : "/c echo *")
|
||||
)
|
||||
'''
|
||||
|
||||
|
||||
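Review bot: The new forfiles exclusion matches `process.command_line : "/c echo *"`, which is anchored at the start of the recorded command line; if the data source records the cmd.exe image name before `/c` (as Elastic Defend process events commonly do), this pattern never matches and the exclusion is dead, so it should be confirmed against a real event. The trailing `*` also accepts anything after `echo `, making the exclusion broader than the echo case it is meant to cover; constraining it further with `process.parent.executable : "?:\\Windows\\System32\\forfiles.exe"` or a tighter command-line shape would keep it specific. The `not (` block is fully visible but the query it belongs to starts before the hunk.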
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2024/01/12"
|
||||
updated_date = "2024/04/05"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -14,7 +14,7 @@ attackers can abuse this built-in utility to achieve lateral movement.
|
||||
"""
|
||||
from = "now-119m"
|
||||
interval = "60m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.process-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "WMIC Remote Command"
|
||||
@@ -31,7 +31,7 @@ process where host.os.type == "windows" and event.type == "start" and
|
||||
process.name : "WMIC.exe" and
|
||||
process.args : "*node:*" and
|
||||
process.args : ("call", "set", "get") and
|
||||
not process.args : ("*/node:localhost*", "*/node:\"127.0.0.1\"*")
|
||||
not process.args : ("*/node:localhost*", "*/node:\"127.0.0.1\"*", "/node:127.0.0.1")
|
||||
'''
|
||||
|
||||
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/08/29"
|
||||
updated_date = "2024/04/05"
|
||||
bypass_bbr_timing = true
|
||||
|
||||
[rule]
|
||||
@@ -14,14 +14,14 @@ Identifies shortcut files written to or modified in the startup folder. Adversar
|
||||
persistence.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*", "endgame-*"]
|
||||
index = ["logs-endpoint.events.file-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Shortcut File Written or Modified on Startup Folder"
|
||||
risk_score = 21
|
||||
rule_id = "ee53d67a-5f0c-423c-a53c-8084ae562b5c"
|
||||
severity = "low"
|
||||
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"]
|
||||
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR"]
|
||||
timestamp_override = "event.ingested"
|
||||
building_block_type = "default"
|
||||
type = "eql"
|
||||
@@ -33,8 +33,10 @@ file where host.os.type == "windows" and event.type != "deletion" and file.exten
|
||||
"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\*"
|
||||
) and
|
||||
not (
|
||||
(process.name : "ONENOTE.EXE" and process.code_signature.status: "trusted" and file.name : "Send to OneNote.lnk") or
|
||||
(process.name: "OktaVerifySetup.exe" and process.code_signature.status: "trusted" and file.name : "Okta Verify.lnk")
|
||||
(process.name : "ONENOTE.EXE" and process.code_signature.status: "trusted" and file.name : "*OneNote.lnk") or
|
||||
(process.name : "OktaVerifySetup.exe" and process.code_signature.status: "trusted" and file.name : "Okta Verify.lnk") or
|
||||
(process.name : "OneLaunch.exe" and process.code_signature.status: "trusted" and file.name : "OneLaunch*.lnk") or
|
||||
(process.name : "APPServerClient.exe" and process.code_signature.status: "trusted" and file.name : "Parallels Client.lnk")
|
||||
)
|
||||
'''
|
||||
|
||||
|
||||
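Review bot: The new `OneLaunch.exe` exclusion deserves an explicit rationale, since OneLaunch is often categorized as a potentially unwanted application by endpoint vendors and this is a persistence building block; a `#` comment above the `not (` block such as `# OneLaunch/Parallels startup shortcuts are excluded as known-benign installer behaviour; revisit if PUA policy changes` would record the decision. The OneNote entry also widened from the exact `"Send to OneNote.lnk"` to `"*OneNote.lnk"`, so any shortcut ending in OneNote.lnk written by a trusted-signed ONENOTE.EXE is now excluded; if only a second known shortcut name was the goal, listing both names explicitly would keep the exclusion narrow. The exclusion block is complete in this hunk, but the query it belongs to begins before it.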
@@ -4,7 +4,7 @@ integration = ["windows"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2024/03/08"
|
||||
updated_date = "2024/04/05"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -58,6 +58,33 @@ event.category: "process" and host.os.type:windows and
|
||||
)
|
||||
'''
|
||||
|
||||
[[rule.filters]]
|
||||
[rule.filters.meta]
|
||||
negate = true
|
||||
[rule.filters.query.wildcard."file.path"]
|
||||
"case_insensitive" = true
|
||||
"value" = "?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*"
|
||||
|
||||
[[rule.filters]]
|
||||
[rule.filters.meta]
|
||||
negate = true
|
||||
[rule.filters.query.wildcard."file.path"]
|
||||
"case_insensitive" = true
|
||||
"value" = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"
|
||||
|
||||
[[rule.filters]]
|
||||
[rule.filters.meta]
|
||||
negate = true
|
||||
[rule.filters.query.wildcard."file.path"]
|
||||
"case_insensitive" = true
|
||||
"value" = "?:\\\\Windows\\\\TEMP\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"
|
||||
|
||||
[[rule.filters]]
|
||||
[rule.filters.meta]
|
||||
negate = true
|
||||
[rule.filters.query.wildcard."file.path"]
|
||||
"case_insensitive" = true
|
||||
"value" = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
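Review bot: The four new negated `file.path` filters carry no explanation of which product writes the Exchange RemotePowerShell scripts or the `tmp_????????.???` temp scripts, and filters live outside the query text where tuners look first; a `#` comment above each `[[rule.filters]]` naming the source would prevent them being removed as unexplained. Note also that `?` matches exactly one character in a wildcard query, so `.ps?1` covers `.psm1`/`.psd1` but not `.ps1`; if `.ps1` scripts were intended, the pattern will not exclude them. The hunk header shows the query matching `event.category: "process"`, so I would also confirm that `file.path` is populated on the events this rule matches, otherwise the filters never apply.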