From ef0f96c874e7d47a4f37b270012636f2b69bafe8 Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Thu, 7 Nov 2024 12:27:47 -0300 Subject: [PATCH] [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 7 (#4232) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> --- .../credential_access_wbadmin_ntds.toml | 6 ++-- ...dential_access_wireless_creds_dumping.toml | 6 ++-- ...den_file_attribute_with_via_attribexe.toml | 6 ++-- ...sion_clearing_windows_console_history.toml | 27 +++++++++--------- ...e_evasion_clearing_windows_event_logs.toml | 11 ++++++-- ...ing_policy_modification_builtin_tools.toml | 6 ++-- ...ion_defender_exclusion_via_powershell.toml | 6 ++-- ...delete_volume_usn_journal_with_fsutil.toml | 6 ++-- ...disabling_windows_defender_powershell.toml | 6 ++-- ...efense_evasion_disabling_windows_logs.toml | 28 ++++++++++++------- 10 files changed, 67 insertions(+), 41 deletions(-) diff --git a/rules/windows/credential_access_wbadmin_ntds.toml b/rules/windows/credential_access_wbadmin_ntds.toml index d4c0eb61c..efc782635 100644 --- a/rules/windows/credential_access_wbadmin_ntds.toml +++ b/rules/windows/credential_access_wbadmin_ntds.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2024/06/05" -integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel"] +integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2024/11/02" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -22,6 +22,7 @@ index = [ "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", + "logs-crowdstrike.fdr*", ] language = "eql" license = "Elastic License v2" @@ -43,6 +44,7 @@ tags = [ "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", + "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_wireless_creds_dumping.toml b/rules/windows/credential_access_wireless_creds_dumping.toml index 9adbf4ae1..89299931f 100644 --- a/rules/windows/credential_access_wireless_creds_dumping.toml +++ b/rules/windows/credential_access_wireless_creds_dumping.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2022/11/01" -integration = ["endpoint", "system", "windows", "m365_defender", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "system", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2024/11/02" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -45,6 +45,7 @@ index = [ "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", + "logs-crowdstrike.fdr*", ] language = "eql" license = "Elastic License v2" @@ -110,6 +111,7 @@ tags = [ "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", + "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml index 2a9d80ef0..1cd033b80 100644 --- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml +++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/02/18" -integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2024/11/02" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -45,6 +45,7 @@ index = [ "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", + "logs-crowdstrike.fdr*", ] language = "eql" license = "Elastic License v2" @@ -118,6 +119,7 @@ tags = [ "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", + "Data Source: Crowdstrike", ] timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" timeline_title = "Comprehensive Process Timeline" diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml index 956dbc8b4..49d01e44d 100644 --- a/rules/windows/defense_evasion_clearing_windows_console_history.toml +++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2021/11/22" -integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2024/11/02" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -22,6 +22,7 @@ index = [ "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", + "logs-crowdstrike.fdr*", ] language = "eql" license = "Elastic License v2" @@ -64,14 +65,6 @@ references = [ ] risk_score = 47 rule_id = "b5877334-677f-4fb9-86d5-a9721274223b" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "medium" tags = [ "Domain: Endpoint", @@ -86,16 +79,22 @@ tags = [ "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", + "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and - (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or ?process.pe.original_file_name == "PowerShell.EXE") and - (process.args : "*Clear-History*" or - (process.args : ("*Remove-Item*", "rm") and process.args : ("*ConsoleHost_history.txt*", "*(Get-PSReadlineOption).HistorySavePath*")) or - (process.args : "*Set-PSReadlineOption*" and process.args : "*SaveNothing*")) + ( + process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or + ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe") + ) and + ( + process.args : "*Clear-History*" or + (process.args : ("*Remove-Item*", "rm") and process.args : ("*ConsoleHost_history.txt*", "*(Get-PSReadlineOption).HistorySavePath*")) or + (process.args : "*Set-PSReadlineOption*" and process.args : "*SaveNothing*") + ) ''' diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml index ce861a6e7..a6d317f51 100644 --- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/02/18" -integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2024/11/02" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -22,6 +22,7 @@ index = [ "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", + "logs-crowdstrike.fdr*", ] language = "eql" license = "Elastic License v2" @@ -74,6 +75,7 @@ tags = [ "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", + "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" type = "eql" @@ -86,7 +88,10 @@ process where host.os.type == "windows" and event.type == "start" and process.args : ("/e:false", "cl", "clear-log") ) or ( - process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and + ( + process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or + ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe") + ) and process.args : "Clear-EventLog" ) ) diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml index 44fc189c4..6cc87ec49 100644 --- a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml +++ b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2023/01/31" -integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2024/11/02" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -41,6 +41,7 @@ index = [ "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", + "logs-crowdstrike.fdr*", ] language = "eql" license = "Elastic License v2" @@ -108,6 +109,7 @@ tags = [ "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", + "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml index 449e185c1..9023dbe12 100644 --- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml +++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2021/07/20" -integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2024/11/02" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -22,6 +22,7 @@ index = [ "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", + "logs-crowdstrike.fdr*", ] language = "eql" license = "Elastic License v2" @@ -94,6 +95,7 @@ tags = [ "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", + "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml index 338b618a6..5d1ac8904 100644 --- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml +++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/02/18" -integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2024/11/02" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -22,6 +22,7 @@ index = [ "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", + "logs-crowdstrike.fdr*", ] language = "eql" license = "Elastic License v2" @@ -73,6 +74,7 @@ tags = [ "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", + "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml index b9550cf06..59cfe065b 100644 --- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml +++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2021/07/07" -integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2024/11/02" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -20,6 +20,7 @@ index = [ "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", + "logs-crowdstrike.fdr*", ] language = "eql" license = "Elastic License v2" @@ -82,6 +83,7 @@ tags = [ "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", + "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml index fda24d04a..3fd2ea74e 100644 --- a/rules/windows/defense_evasion_disabling_windows_logs.toml +++ b/rules/windows/defense_evasion_disabling_windows_logs.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2021/05/06" -integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2024/11/02" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -22,6 +22,7 @@ index = [ "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", + "logs-crowdstrike.fdr*", ] language = "eql" license = "Elastic License v2" @@ -76,6 +77,7 @@ tags = [ "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne", + "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" type = "eql" @@ -83,14 +85,20 @@ type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and ( - ((process.name:"logman.exe" or ?process.pe.original_file_name == "Logman.exe") and - process.args : "EventLog-*" and process.args : ("stop", "delete")) or - - ((process.name : ("pwsh.exe", "powershell.exe", "powershell_ise.exe") or ?process.pe.original_file_name in - ("pwsh.exe", "powershell.exe", "powershell_ise.exe")) and - process.args : "Set-Service" and process.args: "EventLog" and process.args : "Disabled") or - - ((process.name:"auditpol.exe" or ?process.pe.original_file_name == "AUDITPOL.EXE") and process.args : "/success:disable") + ( + (process.name:"logman.exe" or ?process.pe.original_file_name == "Logman.exe") and + process.args : "EventLog-*" and process.args : ("stop", "delete") + ) or + ( + ( + process.name : ("pwsh.exe", "powershell.exe", "powershell_ise.exe") or + ?process.pe.original_file_name in ("pwsh.exe", "powershell.exe", "powershell_ise.exe") + ) and + process.args : "Set-Service" and process.args: "EventLog" and process.args : "Disabled" + ) or + ( + (process.name:"auditpol.exe" or ?process.pe.original_file_name == "AUDITPOL.EXE") and process.args : "/success:disable" + ) ) '''