diff --git a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml index 772caf9ee..4fbf67ecc 100644 --- a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml +++ b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/19" +updated_date = "2024/04/05" bypass_bbr_timing = true [rule] @@ -12,7 +12,7 @@ author = ["Elastic"] building_block_type = "default" description = "Discovery of remote system information using built-in commands, which may be used to move laterally." from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Remote System Discovery Commands" @@ -77,7 +77,18 @@ process where host.os.type == "windows" and event.type == "start" and ((((process.name : "net.exe" or process.pe.original_file_name == "net.exe") or ((process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and not process.parent.name : "net.exe")) and - process.args : "group" and process.args : "/domain" and not process.args : "/add"))) + process.args : "group" and process.args : "/domain" and not process.args : "/add"))) and + not + ( + ( + process.name : "arp.exe" and + process.parent.executable : ( + "?:\\ProgramData\\CentraStage\\AEMAgent\\AEMAgent.exe", + "?:\\Program Files (x86)\\Citrix\\Workspace Environment Management Agent\\Citrix.Wem.Agent.Service.exe", + "?:\\Program Files (x86)\\Lansweeper\\Service\\LansweeperService.exe" + ) + ) + ) ''' [[rule.threat]] 
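Review bot: The new `not ( ( process.name : "arp.exe" and process.parent.executable : (...) ) )` carve-out trusts the parent purely by path, so any process started from a binary dropped at one of those three locations gets a free pass for arp-based network discovery; whether a non-admin can create `?:\\ProgramData\\CentraStage\\AEMAgent\\` depends on that folder's ACL, but the query itself asserts nothing about the parent's identity. Other rules touched in this change gate their executable allowlists with a signature check, and the same belongs here, e.g. `process.parent.code_signature.trusted == true and process.parent.code_signature.subject_name : ("CentraStage*", "Citrix*", "Lansweeper*")` — the exact subject strings need confirming against real events before landing. The doubled parentheses around the exclusion carry no meaning; `not (process.name : "arp.exe" and process.parent.executable : (...))` reads cleaner. The `process where` query this clause closes starts above the hunk.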
diff --git a/rules_building_block/execution_settingcontent_ms_file_creation.toml b/rules_building_block/execution_settingcontent_ms_file_creation.toml index af5335d60..f4834c928 100644 --- a/rules_building_block/execution_settingcontent_ms_file_creation.toml +++ b/rules_building_block/execution_settingcontent_ms_file_creation.toml @@ -1,10 +1,11 @@ [metadata] +bypass_bbr_timing = true creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/12" +updated_date = "2024/04/05" [rule] author = ["Elastic"] @@ -12,9 +13,8 @@ description = """ Identifies the suspicious creation of SettingContents-ms files, which have been used in attacks to achieve code execution while evading defenses. """ -from = "now-119m" -interval = "60m" -index = ["logs-endpoint.events.*"] +from = "now-9m" +index = ["logs-endpoint.events.file-*"] language = "eql" license = "Elastic License v2" name = "Creation of SettingContent-ms Files" @@ -32,7 +32,10 @@ type = "eql" query = ''' file where host.os.type == "windows" and event.type == "creation" and file.extension : "settingcontent-ms" and - not file.path : "?:\\Users\\*\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_*\\LocalState\\Indexed\\Settings\\*" + not file.path : ( + "?:\\*\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_*\\LocalState\\Indexed\\Settings\\*", + "\\Device\\HarddiskVolume*\\Windows\\WinSxS\\amd64_microsoft-windows-s..*\\*.settingcontent-ms" + ) ''' [[rule.threat]] diff --git a/rules_building_block/lateral_movement_rdp_conn_unusual_process.toml b/rules_building_block/lateral_movement_rdp_conn_unusual_process.toml index 46b164709..6110207d5 100644 --- a/rules_building_block/lateral_movement_rdp_conn_unusual_process.toml +++ b/rules_building_block/lateral_movement_rdp_conn_unusual_process.toml 
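Review bot: Both exclusions added in the last hunk match on `file.path` alone with no constraint on the writing process, and because EQL `*` matches across `\\`, `"?:\\*\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_*\\LocalState\\Indexed\\Settings\\*"` is satisfied by that folder chain created under any user-writable directory at any depth — a `.settingcontent-ms` dropped there by an arbitrary process is silently excluded (the previous `?:\\Users\\*` form had the same weakness; widening to `?:\\*` just makes it explicit). Tying each carve-out to the process that legitimately writes there would close it, e.g. `process.name : "SystemSettings.exe"` for the Indexed\\Settings path and a TrustedInstaller/`TiWorker.exe` condition for the WinSxS path — presumably those are the writers seen in the false positives, but confirm before hard-coding names. The two paths also use different forms (drive letter vs `\\Device\\HarddiskVolume*`), and nothing in the rule says why; a line in the rule's `note`/`false_positives` field such as "WinSxS servicing events surface with NT device paths, not drive letters" would stop a later editor from normalizing one form and silently breaking the exclusion.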
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/12" +updated_date = "2024/04/05" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ an RDP connection to evade detection. """ from = "now-119m" interval = "60m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network-*"] language = "eql" license = "Elastic License v2" name = "Potential Outgoing RDP Connection by Unusual Process" @@ -37,7 +37,10 @@ network where host.os.type == "windows" and "?:\\Program Files (x86)\\mRemoteNG\\mRemoteNG.exe", "?:\\Program Files (x86)\\PRTG Network Monitor\\PRTG Probe.exe", "?:\\Program Files\\Azure Advanced Threat Protection Sensor\\*\\Microsoft.Tri.Sensor.exe", - "?:\\Program Files (x86)\\Microsoft\\Remote Desktop Connection Manager\\RDCMan.exe" + "?:\\Program Files (x86)\\Microsoft\\Remote Desktop Connection Manager\\RDCMan.exe", + "?:\\Program Files\\SentinelOne\\Sentinel Agent*\\Ranger\\SentinelRanger.exe", + "?:\\Program Files\\Devolutions\\Remote Desktop Manager\\RemoteDesktopManager.exe", + "?:\\Program Files (x86)\\Devolutions\\Remote Desktop Manager\\RemoteDesktopManager.exe" ) and process.code_signature.trusted == true ) ''' diff --git a/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml b/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml index b5e6db72b..1739922bb 100644 --- a/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml +++ b/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/12" +updated_date = "2024/04/05" bypass_bbr_timing = true [rule] 
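Review bot: The three new entries in the allowlist are still gated only by `process.code_signature.trusted == true`, which proves the signature chain is valid, not who signed it, so any validly signed executable copied to `?:\\Program Files\\Devolutions\\Remote Desktop Manager\\RemoteDesktopManager.exe` (or placed under a `Sentinel Agent*\\Ranger\\` folder) has its RDP connections excluded. Since the executable path is attacker-chosen, pinning each path to its publisher would make the allowlist meaningful, e.g. pairing the Devolutions entries with `process.code_signature.subject_name : "Devolutions*"` and the SentinelOne entry with `process.code_signature.subject_name : "SentinelOne*"` — check the exact subject strings in the endpoint events first. This matters most for the wildcard-bearing `Sentinel Agent*\\Ranger\\SentinelRanger.exe` path. The `network where` query and the start of the executable list are above the hunk.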
@@ -14,7 +14,7 @@ Identifies unusual process executions using MSSQL Service accounts, which can in instances. Attackers may exploit exposed MSSQL instances for initial access or lateral movement. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process-*"] language = "eql" license = "Elastic License v2" name = "Unusual Process For MSSQL Service Accounts" @@ -48,7 +48,9 @@ process where event.type == "start" and host.os.type == "windows" and "msmdsrv.exe", "ReportingServicesService.exe", "MsDtsSrvr.exe", "sqlbrowser.exe", "DTExec.exe", "SQLPS.exe", "fdhost.exe", "fdlauncher.exe", - "SqlDumper.exe", "sqlsqm.exe", "DatabaseMail.exe" + "SqlDumper.exe", "sqlsqm.exe", "DatabaseMail.exe", + "ISServerExec.exe", "Microsoft.ReportingServices.Portal.WebHost.exe", + "bcp.exe", "SQLCMD.exe", "DatabaseMail.exe" ) or process.executable : ( "?:\\Windows\\System32\\wermgr.exe", @@ -62,7 +64,8 @@ process where event.type == "start" and host.os.type == "windows" and ) ) and not ( - process.name : "cmd.exe" and process.parent.name : "sqlservr.exe" + (process.name : "cmd.exe" and process.parent.name : "sqlservr.exe") or + (process.name : "cmd.exe" and process.parent.name : "forfiles.exe" and process.command_line : "/c echo *") ) ''' diff --git a/rules_building_block/lateral_movement_wmic_remote.toml b/rules_building_block/lateral_movement_wmic_remote.toml index 1966a49a1..9238c44be 100644 --- a/rules_building_block/lateral_movement_wmic_remote.toml +++ b/rules_building_block/lateral_movement_wmic_remote.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/12" +updated_date = "2024/04/05" [rule] author = ["Elastic"] 
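Review bot: The added line re-lists `"DatabaseMail.exe"`, which is already present on the retained line just above it (`"SqlDumper.exe", "sqlsqm.exe", "DatabaseMail.exe",`); harmless in an `in`-style list, but it reads as a copy-paste slip, so the new line should be `"bcp.exe", "SQLCMD.exe"`. Separately, if this list is the set of processes considered normal for the SQL service accounts (the operator introducing it sits above the hunk), adding `bcp.exe` and `SQLCMD.exe` means bulk export and ad-hoc query execution under the service account no longer fires this BBR — exactly the tooling an attacker with `xp_cmdshell` or a stolen service credential would reach for. Consider leaving those two out, or pairing them with the parent process observed in the benign telemetry rather than allowlisting them outright.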
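Review bot: The new cmd.exe carve-out `process.parent.name : "forfiles.exe" and process.command_line : "/c echo *"` ends in an unbounded wildcard, so a command line such as `/c echo x & powershell -enc ...` is excluded as well; forfiles is a documented LOLBin for launching cmd indirectly (`forfiles /c "cmd /c ..."`), which is why this exclusion deserves tightening. Rejecting chaining and redirection characters after the echo keeps the benign `echo @path`-style usage while closing the gap: `and not process.command_line : ("*&*", "*|*", "*>*", "*<*")`. Note also that `process.command_line` normally begins with the program token (`cmd /c ...`), so a pattern anchored at `/c echo` may only match when forfiles passes a bare argument string — worth verifying against the events that motivated the exclusion so it does not end up matching nothing.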
@@ -14,7 +14,7 @@ attackers can abuse this built-in utility to achieve lateral movement. """ from = "now-119m" interval = "60m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process-*"] language = "eql" license = "Elastic License v2" name = "WMIC Remote Command" @@ -31,7 +31,7 @@ process where host.os.type == "windows" and event.type == "start" and process.name : "WMIC.exe" and process.args : "*node:*" and process.args : ("call", "set", "get") and - not process.args : ("*/node:localhost*", "*/node:\"127.0.0.1\"*") + not process.args : ("*/node:localhost*", "*/node:\"127.0.0.1\"*", "/node:127.0.0.1") ''' diff --git a/rules_building_block/persistence_startup_folder_lnk.toml b/rules_building_block/persistence_startup_folder_lnk.toml index 32a493ab8..c8967f887 100644 --- a/rules_building_block/persistence_startup_folder_lnk.toml +++ b/rules_building_block/persistence_startup_folder_lnk.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/29" +updated_date = "2024/04/05" bypass_bbr_timing = true [rule] 
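Review bot: The loopback exclusions in the last hunk mix anchoring styles, and the two wildcarded ones are evadable: WMIC `/NODE:` accepts a comma-separated machine list, so `wmic /node:localhost,10.0.0.5 process call create ...` carries an argument matching `*/node:localhost*` and is excluded while still executing on the remote host. The newly added `"/node:127.0.0.1"` is the safer form because it is exact; the other two should follow it, e.g. `not process.args : ("*/node:localhost", "*/node:\"localhost\"", "*/node:127.0.0.1", "*/node:\"127.0.0.1\"")` with the trailing `*` dropped (the leading `*` only tolerates a quoted or prefixed token). Other loopback spellings (`::1`, `127.1`, the local hostname) remain un-excluded, which errs toward alerting and is acceptable for a BBR.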
@@ -14,14 +14,14 @@ Identifies shortcut files written to or modified in the startup folder. Adversar persistence. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*"] +index = ["logs-endpoint.events.file-*"] language = "eql" license = "Elastic License v2" name = "Shortcut File Written or Modified on Startup Folder" risk_score = 21 rule_id = "ee53d67a-5f0c-423c-a53c-8084ae562b5c" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" building_block_type = "default" type = "eql" @@ -33,8 +33,10 @@ file where host.os.type == "windows" and event.type != "deletion" and file.exten "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\*" ) and not ( - (process.name : "ONENOTE.EXE" and process.code_signature.status: "trusted" and file.name : "Send to OneNote.lnk") or - (process.name: "OktaVerifySetup.exe" and process.code_signature.status: "trusted" and file.name : "Okta Verify.lnk") + (process.name : "ONENOTE.EXE" and process.code_signature.status: "trusted" and file.name : "*OneNote.lnk") or + (process.name : "OktaVerifySetup.exe" and process.code_signature.status: "trusted" and file.name : "Okta Verify.lnk") or + (process.name : "OneLaunch.exe" and process.code_signature.status: "trusted" and file.name : "OneLaunch*.lnk") or + (process.name : "APPServerClient.exe" and process.code_signature.status: "trusted" and file.name : "Parallels Client.lnk") ) ''' diff --git a/rules_building_block/persistence_transport_agent_exchange.toml b/rules_building_block/persistence_transport_agent_exchange.toml index 6108cbfff..993b637e4 100644 --- a/rules_building_block/persistence_transport_agent_exchange.toml 
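Review bot: The exclusions in the last hunk still identify the writer by `process.name` plus `process.code_signature.status: "trusted"`, and the new patterns widen the file side (`*OneNote.lnk`, `OneLaunch*.lnk`), so any validly signed binary renamed `ONENOTE.EXE` or `OneLaunch.exe` can plant a matching startup shortcut without this BBR firing — "trusted" only says the chain verified, not who signed. Binding each entry to its publisher closes that, e.g. `(process.name : "ONENOTE.EXE" and process.code_signature.subject_name : "Microsoft *" and process.code_signature.status: "trusted" and file.name : "*OneNote.lnk")`, with the Okta, OneLaunch and Parallels entries pinned the same way once the subject strings are confirmed from telemetry. OneLaunch is, as far as I know, frequently classified as PUA by AV engines, so whether to allowlist it at all is a policy call that deserves a line in `false_positives`. The `file where` query these exclusions belong to starts above the hunk.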
+++ b/rules_building_block/persistence_transport_agent_exchange.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/03/08" +updated_date = "2024/04/05" [rule] author = ["Elastic"] @@ -58,6 +58,33 @@ event.category: "process" and host.os.type:windows and ) ''' +[[rule.filters]] +[rule.filters.meta] +negate = true +[rule.filters.query.wildcard."file.path"] +"case_insensitive" = true +"value" = "?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*" + +[[rule.filters]] +[rule.filters.meta] +negate = true +[rule.filters.query.wildcard."file.path"] +"case_insensitive" = true +"value" = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" + +[[rule.filters]] +[rule.filters.meta] +negate = true +[rule.filters.query.wildcard."file.path"] +"case_insensitive" = true +"value" = "?:\\\\Windows\\\\TEMP\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" + +[[rule.filters]] +[rule.filters.meta] +negate = true +[rule.filters.query.wildcard."file.path"] +"case_insensitive" = true +"value" = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" [[rule.threat]] framework = "MITRE ATT&CK"