[Tuning] Diverse Windows Rules Tuning (#2383)

* [Rules Tuning] TPrep * more * Update credential_access_wireless_creds_dumping.toml * Update persistence_user_account_creation_event_logs.toml * Update discovery_files_dir_systeminfo_via_cmd.toml * fix errors * Update command_and_control_common_webservices.toml * fix errors * Update persistence_user_account_creation_event_logs.toml * Update rules/windows/credential_access_wireless_creds_dumping.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/discovery_files_dir_systeminfo_via_cmd.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * switched back to kql * Update persistence_user_account_creation_event_logs.toml * Update rules/windows/credential_access_wireless_creds_dumping.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * added T1555 * Update persistence_user_account_creation_event_logs.toml * Update defense_evasion_persistence_account_tokenfilterpolicy.toml * Update defense_evasion_persistence_account_tokenfilterpolicy.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2022-11-01 16:48:25 +00:00
parent 24b5e8a8b0
commit e89bc230ab
8 changed files with 258 additions and 26 deletions
@@ -3,7 +3,7 @@ creation_date = "2020/11/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/20"
+updated_date = "2022/11/01"

 [rule]
 author = ["Elastic"]
@@ -107,7 +107,9 @@ network where network.protocol == "dns" and
        "requestbin.net",
        "cdn.discordapp.com",
        "discordapp.com",
-        "discord.com"
+        "discord.com",
+        "script.google.com",
+        "script.googleusercontent.com"
    ) and
    /* Insert noisy false positives here */
    not process.executable :
@@ -164,4 +166,4 @@ reference = "https://attack.mitre.org/techniques/T1567/"
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
-reference = "https://attack.mitre.org/tactics/TA0010/"
+reference = "https://attack.mitre.org/tactics/TA0010/"
@@ -0,0 +1,70 @@
+[metadata]
+creation_date = "2022/11/01"
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/11/01"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Wireless Credential Dumping using Netsh Command"
+note = """## Setup
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
+references = [
+    "https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts",
+    "https://www.geeksforgeeks.org/how-to-find-the-wi-fi-password-using-cmd-in-windows/",
+]
+risk_score = 73
+rule_id = "2de87d72-ee0c-43e2-b975-5f0b029ac600"
+severity = "high"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Discovery", "Elastic Endgame"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type == "start" and
+ (process.name : "netsh.exe" or process.pe.original_file_name == "netsh.exe") and
+  process.args : "wlan" and process.args : "key*clear"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique]]
+id = "T1555"
+name = "Credentials from Password Stores"
+reference = "https://attack.mitre.org/techniques/T1555/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
@@ -0,0 +1,77 @@
+[metadata]
+creation_date = "2022/11/01"
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/11/01"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by
+default) and is set to 1, then remote connections from all local members of Administrators are granted full
+high-integrity tokens during negotiation.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Local Account TokenFilter Policy Disabled"
+references = [
+    "https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439",
+    "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167",
+    "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf",
+]
+risk_score = 47
+rule_id = "07b1ef73-1fde-4a49-a34a-5dd40011b076"
+severity = "medium"
+tags = [
+    "Elastic",
+    "Host",
+    "Windows",
+    "Threat Detection",
+    "Defense Evasion",
+    "Privilege Escalation",
+    "Elastic Endgame",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+registry where registry.path : (
+  "HKLM\\*\\LocalAccountTokenFilterPolicy",
+  "\\REGISTRY\\MACHINE\\*\\LocalAccountTokenFilterPolicy") and
+  registry.data.strings : ("1", "0x00000001")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1112"
+name = "Modify Registry"
+reference = "https://attack.mitre.org/techniques/T1112/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.003"
+name = "Local Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
@@ -0,0 +1,71 @@
+[metadata]
+creation_date = "2022/11/01"
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/11/01"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of discovery commands to enumerate system info or files and folders using the Windows Command Shell.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-windows.*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "System Information Discovery via Windows Command Shell"
+note = """## Setup
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
+risk_score = 21
+rule_id = "d68e95ad-1c82-4074-a12a-125fe10ac8ba"
+severity = "low"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Execution"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type == "start" and
+ process.name : "cmd.exe" and process.args : "/c" and process.args : ("set", "dir")
+'''
+
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+[[rule.threat.technique]]
+id = "T1083"
+name = "File and Directory Discovery"
+reference = "https://attack.mitre.org/techniques/T1083/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+    [[rule.threat.technique.subtechnique]]
+    id = "T1059.003"
+    name = "Windows Command Shell"
+    reference = "https://attack.mitre.org/techniques/T1059/003/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
@@ -3,7 +3,7 @@ creation_date = "2020/11/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/20"
+updated_date = "2022/11/01"

 [rule]
 author = ["Elastic"]
@@ -80,25 +80,31 @@ type = "eql"

 query = '''
 registry where
- (registry.path : "HK*}\\InprocServer32\\" and registry.data.strings: ("scrobj.dll", "C:\\*\\scrobj.dll") and
- not registry.path : "*\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\*")
- or
- /* in general COM Registry changes on Users Hive is less noisy and worth alerting */
- (registry.path : ("HKEY_USERS\\*Classes\\*\\InprocServer32\\",
-                   "HKEY_USERS\\*Classes\\*\\LocalServer32\\",
-                   "HKEY_USERS\\*Classes\\*\\DelegateExecute\\",
-                   "HKEY_USERS\\*Classes\\*\\TreatAs\\",
-                   "HKEY_USERS\\*Classes\\CLSID\\*\\ScriptletURL\\") and
- not (process.executable : "?:\\Program Files*\\Veeam\\Backup and Replication\\Console\\veeam.backup.shell.exe" and
-      registry.path : "HKEY_USERS\\S-1-5-21-*_Classes\\CLSID\\*\\LocalServer32\\") and
 /* not necessary but good for filtering privileged installations */
- user.domain != "NT AUTHORITY"
- ) and
+ user.domain != "NT AUTHORITY" and
+
+(
+ (registry.path : "HK*\\InprocServer32\\" and registry.data.strings: ("scrobj.dll", "C:\\*\\scrobj.dll") and
+  not registry.path : "*\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\*") or
+
+ /* in general COM Registry changes on Users Hive is less noisy and worth alerting */
+ (registry.path : ("HKEY_USERS\\*\\InprocServer32\\*",
+                   "HKEY_USERS\\*\\LocalServer32\\*",
+                   "HKEY_USERS\\*\\DelegateExecute\\*",
+                   "HKEY_USERS\\*\\TreatAs\\*",
+                   "HKEY_USERS\\*\\ScriptletURL\\*") and
+ not (process.executable : "?:\\Program Files*\\Veeam\\Backup and Replication\\Console\\veeam.backup.shell.exe" and
+      registry.path : "HKEY_USERS\\S-1-5-21-*_Classes\\CLSID\\*\\LocalServer32\\*")) or
+
+ (registry.path : "HKLM\\*\\InProcServer32\\*" and registry.data.strings : ("*\\Users\\*", "*\\ProgramData\\*"))
+
+) and
+
 /* removes false-positives generated by OneDrive and Teams */
 not process.name : ("OneDrive.exe","OneDriveSetup.exe","FileSyncConfig.exe","Teams.exe") and
+
 /* Teams DLL loaded by regsvr */
- not (process.name: "regsvr32.exe" and
- registry.data.strings : "*Microsoft.Teams.*.dll")
+ not (process.name: "regsvr32.exe" and registry.data.strings : "*Microsoft.Teams.*.dll")
 '''


@@ -3,7 +3,7 @@ creation_date = "2021/01/09"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/11/01"

 [rule]
 author = ["Elastic", "Skoetting"]
@@ -16,7 +16,7 @@ from = "now-9m"
 index = ["winlogbeat-*", "logs-system.*"]
 language = "eql"
 license = "Elastic License v2"
-name = "User Added to Privileged Group in Active Directory"
+name = "User Added to Privileged Group"
 note = """## Triage and analysis

 ### Investigating User Added to Privileged Group in Active Directory
@@ -40,6 +40,7 @@ investigating further, verify that this activity is not benign.
 ### Related rules

 - Creation of a Hidden Local User Account - 2edc8076-291e-41e9-81e4-e3fcbc97ae5e
+- Windows User Account Creation - 38e17753-f581-4644-84da-0d60a8318694

 ### Response and remediation

@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "development"
-updated_date = "2022/08/24"
+updated_date = "2022/11/01"

 [rule]
 author = ["Skoetting"]
 description = """
-Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or
-domain.
+Identifies attempts to create a Windows User Account. This is sometimes done by attackers to persist or increase access
+to a system or domain.
 """
 false_positives = [
    """
@@ -19,7 +19,7 @@ false_positives = [
 index = ["winlogbeat-*", "logs-system.*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Creation of a local user account"
+name = "Windows User Account Creation"
 risk_score = 21
 rule_id = "38e17753-f581-4644-84da-0d60a8318694"
 severity = "low"
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.module:security and event.code:4720
+event.module : ("system" or "security") and (event.code : "4720" or event.action : "added-user-account")
 '''


@@ -44,6 +44,11 @@ reference = "https://attack.mitre.org/techniques/T1136/"
  name = "Local Account"
  reference = "https://attack.mitre.org/techniques/T1136/001/"

+  [[rule.threat.technique.subtechnique]]
+  id = "T1136.002"
+  name = "Domain Account"
+  reference = "https://attack.mitre.org/techniques/T1136/002/"
+

 [rule.threat.tactic]
 id = "TA0003"