From d636f2d465daaaa779dec118b3e6ef70e8fcd109 Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Mon, 30 Jan 2023 22:01:52 -0500
Subject: [PATCH] [Rule Tuning] T1069 and T1087 - admin wildcard (#2484)

Tuned both rules:relax the conditions by adding a wildcard to admin
---
 rules/windows/discovery_admin_recon.toml         | 16 ++++++++++++++--
 ...scovery_privileged_localgroup_membership.toml |  4 ++--
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
index 8e8487309..1f9e52cd8 100644
--- a/rules/windows/discovery_admin_recon.toml
+++ b/rules/windows/discovery_admin_recon.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/01/18"
 
 [rule]
 author = ["Elastic"]
@@ -66,7 +66,7 @@ process where event.type == "start" and
     ((process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and
         not process.parent.name : "net.exe")) and
    process.args : ("group", "user", "localgroup") and
-   process.args : ("admin", "Domain Admins", "Remote Desktop Users", "Enterprise Admins", "Organization Management") and
+   process.args : ("*admin*", "Domain Admins", "Remote Desktop Users", "Enterprise Admins", "Organization Management") and
    not process.args : "/add")
 
    or
@@ -83,6 +83,10 @@ id = "T1069"
 name = "Permission Groups Discovery"
 reference = "https://attack.mitre.org/techniques/T1069/"
 [[rule.threat.technique.subtechnique]]
+id = "T1069.001"
+name = "Local Groups"
+reference = "https://attack.mitre.org/techniques/T1069/001/"
+[[rule.threat.technique.subtechnique]]
 id = "T1069.002"
 name = "Domain Groups"
 reference = "https://attack.mitre.org/techniques/T1069/002/"
@@ -92,6 +96,14 @@ reference = "https://attack.mitre.org/techniques/T1069/002/"
 id = "T1087"
 name = "Account Discovery"
 reference = "https://attack.mitre.org/techniques/T1087/"
+[[rule.threat.technique.subtechnique]]
+id = "T1087.001"
+name = "Local Account"
+reference = "https://attack.mitre.org/techniques/T1087/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1087.002"
+name = "Domain Account"
+reference = "https://attack.mitre.org/techniques/T1087/002/"
 
 
 [rule.threat.tactic]
diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml
index eb6fa9914..6c19cb1b0 100644
--- a/rules/windows/discovery_privileged_localgroup_membership.toml
+++ b/rules/windows/discovery_privileged_localgroup_membership.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2023/01/03"
+updated_date = "2023/01/18"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -135,7 +135,7 @@ iam where event.action == "user-member-enumerated" and
                 "?:\\Windows\\System32\\SystemPropertiesComputerName.exe") and
 
   /* privileged local groups */
-  (group.name:("admin*","RemoteDesktopUsers") or
+  (group.name:("*admin*","RemoteDesktopUsers") or
    winlog.event_data.TargetSid:("S-1-5-32-544","S-1-5-32-555"))
 '''