security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Connection to Commonly Abused Web Services (#1079)

Browse Source 
* [Rule Tuning] Connection to Commonly Abused Web Services

* adjusted 1 exclusion

* update date

* added 3 dns.names as suggested by Daniel

* added requestbin.net used for DNS tunneling by APT34
This commit is contained in:
Samirbous
2021-04-14 00:53:27 +02:00
committed by GitHub
parent 0fe09aaed5
commit dd4bc3e57e
1 changed files with 20 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/command_and_control_common_webservices.toml
+20 -13
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/04"
maturity = "production"
updated_date = "2021/03/09"
updated_date = "2021/04/07"
[rule]
author = ["Elastic"]
@@ -25,7 +25,7 @@ type = "eql"
query = '''
network where network.protocol == "dns" and
process.name != null and user.id not in ("S-1-5-19", "S-1-5-20") and
process.name != null and user.id not in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
/* Add new WebSvc domains here */
dns.question.name :
(
@@ -47,21 +47,28 @@ network where network.protocol == "dns" and
"*localtunnel.me",
"*pagekite.me",
"*localxpose.io",
"*notabug.org"
"*notabug.org",
"rawcdn.githack.*",
"paste.nrecom.net",
"zerobin.net",
"controlc.com",
"requestbin.net"
) and
/* Insert noisy false positives here */
not process.executable :
(
"C:\\Program Files\\*.exe",
"C:\\Program Files (x86)\\*.exe",
"C:\\Windows\\System32\\WWAHost.exe",
"C:\\Windows\\System32\\smartscreen.exe",
"C:\\Windows\\System32\\MicrosoftEdgeCP.exe",
"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
"C:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
"C:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe",
"C:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
"C:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"?:\\Program Files\\*.exe",
"?:\\Program Files (x86)\\*.exe",
"?:\\Windows\\System32\\WWAHost.exe",
"?:\\Windows\\System32\\smartscreen.exe",
"?:\\Windows\\System32\\MicrosoftEdgeCP.exe",
"?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
"?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe",
"?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
"?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
"?:\\Windows\\system32\\mobsync.exe",
"?:\\Windows\\SysWOW64\\mobsync.exe"
)
'''