[Rule Tuning] Windows DR Tuning - 2 (#3209)

* [Rule Tuning] Windows DR Tuning - 2

* Update rules/windows/credential_access_kerberoasting_unusual_process.toml

* Update credential_access_kerberoasting_unusual_process.toml

* Update command_and_control_teamviewer_remote_file_copy.toml
Jonhnathan
2023-10-26 18:10:31 -03:00
committed by GitHub
parent a5240e4063
commit efa7c428ea
5 changed files with 94 additions and 60 deletions
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/10/22"
[rule]
author = ["Elastic"]
@@ -27,15 +27,20 @@ type = "eql"
query = '''
file where host.os.type == "windows" and event.action == "rename" and
process.name : "svchost.exe" and file.Ext.original.name : "BIT*.tmp" and
(file.extension :("exe", "zip", "rar", "bat", "dll", "ps1", "vbs", "wsh", "js", "vbe", "pif", "scr", "cmd", "cpl") or file.Ext.header_bytes : "4d5a*") and
process.name : "svchost.exe" and file.Ext.original.name : "BIT*.tmp" and
(file.extension : ("exe", "zip", "rar", "bat", "dll", "ps1", "vbs", "wsh", "js", "vbe", "pif", "scr", "cmd", "cpl") or
file.Ext.header_bytes : "4d5a*") and
/* noisy paths, for hunting purposes you can use the same query without the following exclusions */
not file.path : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\Windows\\*", "?:\\ProgramData\\*\\*") and
/* noisy paths, for hunting purposes you can use the same query without the following exclusions */
not file.path : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\Windows\\*", "?:\\ProgramData\\*\\*") and
/* lot of third party SW use BITS to download executables with a long file name */
not length(file.name) > 30
/* lot of third party SW use BITS to download executables with a long file name */
not length(file.name) > 30 and
not file.path : (
"?:\\Users\\*\\AppData\\Local\\Temp*\\wct*.tmp",
"?:\\Users\\*\\AppData\\Local\\Adobe\\ARM\\*\\RdrServicesUpdater*.exe",
"?:\\Users\\*\\AppData\\Local\\Docker Desktop Installer\\update-*.exe"
)
'''
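Review bot: The new `"?:\\Users\\*\\AppData\\Local\\Temp*\\wct*.tmp"` entry, first in the added `not file.path : (` list, is much broader than the two entries below it: `*` in EQL also matches backslashes, so it suppresses any MZ-headed `wct*.tmp` at any depth under a user-writable Temp tree, whereas the Adobe ARM and Docker Desktop entries pin a vendor directory and a file-name prefix. If the observed noise came from a single depth, `"?:\\Users\\*\\AppData\\Local\\Temp\\wct*.tmp"` keeps the same effect with a smaller blind spot. Unlike the TeamViewer and Kerberos rules in this commit, this rule cannot pair the carve-out with a code-signature check (the writer is always svchost.exe), so each excluded pattern should be justified in a comment next to the existing `/* noisy paths … */` note, naming the producer that was actually observed for `wct*.tmp`. The `file where …` query begins inside this hunk and the closing `'''` is its last line.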
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/11/30"
integration = ["endpoint", "windows"]
integration = ["endpoint"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/10/22"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -36,7 +36,7 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
author = ["Elastic"]
description = "Identifies powershell.exe being used to download an executable file from an untrusted remote destination."
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Remote File Download via PowerShell"
@@ -99,12 +99,19 @@ tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=30s
[network where host.os.type == "windows" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and network.protocol == "dns" and
not dns.question.name : ("localhost", "*.microsoft.com", "*.azureedge.net", "*.powershellgallery.com", "*.windowsupdate.com", "metadata.google.internal") and
not user.domain : "NT AUTHORITY"]
[file where host.os.type == "windows" and process.name : "powershell.exe" and event.type == "creation" and file.extension : ("exe", "dll", "ps1", "bat") and
not file.name : "__PSScriptPolicy*.ps1"]
sequence by process.entity_id with maxspan=30s
[network where host.os.type == "windows" and
process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and network.protocol == "dns" and
not dns.question.name : (
"localhost", "*.microsoft.com", "*.azureedge.net", "*.powershellgallery.com",
"*.windowsupdate.com", "metadata.google.internal", "dist.nuget.org",
"artifacts.elastic.co", "*.digicert.com", "packages.chocolatey.org",
"outlook.office365.com"
) and not user.id : "S-1-5-18"]
[file where host.os.type == "windows" and event.type == "creation" and
process.name : "powershell.exe" and file.extension : ("exe", "dll", "ps1", "bat") and
not file.name : "__PSScriptPolicy*.ps1"]
'''
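Review bot: The rewritten file stage, on the line `process.name : "powershell.exe" and file.extension : ("exe", "dll", "ps1", "bat") and`, still matches only powershell.exe while the network stage now accepts `("powershell.exe", "pwsh.exe", "powershell_ise.exe")`; because the sequence is joined on `process.entity_id`, a DNS lookup by pwsh.exe or powershell_ise.exe can never be followed by a file creation that satisfies the second stage, so those two names in the first stage are dead. Unless the asymmetry is intended, `process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and file.extension : ("exe", "dll", "ps1", "bat") and` in the second stage makes the stages agree. Separately, `not user.id : "S-1-5-18"` replaces the `NT AUTHORITY` domain exclusion and now keeps LOCAL SERVICE and NETWORK SERVICE in scope; if that tightening is deliberate, a short `/* … */` note in the query records it so it is not reverted later as noise.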
@@ -2,7 +2,7 @@
creation_date = "2020/09/02"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/10/22"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -113,7 +113,15 @@ type = "eql"
query = '''
file where host.os.type == "windows" and event.type == "creation" and process.name : "TeamViewer.exe" and
file.extension : ("exe", "dll", "scr", "com", "bat", "ps1", "vbs", "vbe", "js", "wsh", "hta")
file.extension : ("exe", "dll", "scr", "com", "bat", "ps1", "vbs", "vbe", "js", "wsh", "hta") and
not
(
file.path : (
"?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\*.js",
"?:\\Users\\*\\AppData\\Local\\Temp\\TeamViewer\\update.exe",
"?:\\Users\\*\\AppData\\Local\\Temp\\?\\TeamViewer\\update.exe"
) and process.code_signature.trusted == true
)
'''
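Review bot: The added exclusion gates the three paths on `process.code_signature.trusted == true`, which accepts any trusted signer rather than the vendor the paths belong to; adding `process.code_signature.subject_name : "TeamViewer*"` (use the subject_name actually observed) inside the same parentheses pins the carve-out to TeamViewer's own signer. How this block behaves when an event lacks the code-signature fields entirely depends on EQL's null handling for `not ( … and <missing> == true )` — worth confirming with a test event without signature fields, since the same construct is used in the Kerberos Traffic from Unusual Process hunk later in this commit. The `INetCache\\*.js` entry is the only one keyed on an extension rather than a file name, so a one-line comment above `not` naming what writes those `.js` files, alongside the `update.exe` self-update paths, would help the next tuner judge it. The `[rule]` table and description sit above this hunk; the closing `'''` is its last line.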
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/13"
updated_date = "2023/10/22"
[rule]
author = ["Elastic"]
@@ -114,7 +114,10 @@ any where event.action == "Directory Service Access" and
/* The right to perform an operation controlled by an extended access right. */
and winlog.event_data.AccessMask : "0x100" and
not winlog.event_data.SubjectUserName : ("*$", "MSOL_*", "OpenDNS_Connector")
not winlog.event_data.SubjectUserName : (
"*$", "MSOL_*", "OpenDNS_Connector", "adconnect", "SyncADConnect",
"SyncADConnectCM", "aadsync", "svcAzureADSync", "-"
)
/* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */
'''
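Review bot: The widened `SubjectUserName` list adds six bare names (`"adconnect"` through `"svcAzureADSync"`, plus `"-"`) that match regardless of domain, yet the only comment in the hunk, `/* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */`, still explains just one entry; each added name deserves the same one-line justification (presumably directory-sync service accounts — confirm). The `"-"` entry is a different category from a named account: it drops events whose subject is not populated at all, so if that is meant to discard malformed records a comment saying so keeps it from being read as an account name. Because the carve-out is name-only, pairing the sync accounts with `winlog.event_data.SubjectDomainName` or `winlog.event_data.SubjectUserSid` would stop it applying to a same-named account from another domain. The `any where event.action == "Directory Service Access"` query starts above this hunk.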
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/11/02"
integration = ["endpoint", "windows"]
integration = ["endpoint"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/10/22"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -44,7 +44,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Kerberos Traffic from Unusual Process"
@@ -113,42 +113,53 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
network where host.os.type == "windows" and event.type == "start" and network.direction : ("outgoing", "egress") and
destination.port == 88 and source.port >= 49152 and process.pid != 4 and
not process.executable :
("?:\\Windows\\System32\\lsass.exe",
"System",
"?:\\Windows\\System32\\svchost.exe",
"?:\\Program Files\\Puppet Labs\\Puppet\\puppet\\bin\\ruby.exe",
"\\device\\harddiskvolume?\\windows\\system32\\lsass.exe",
"?:\\Program Files\\rapid7\\nexpose\\nse\\.DLLCACHE\\nseserv.exe",
"?:\\Program Files (x86)\\GFI\\LanGuard 12 Agent\\lnsscomm.exe",
"?:\\Program Files (x86)\\SuperScan\\scanner.exe",
"?:\\Program Files (x86)\\Nmap\\nmap.exe",
"?:\\Program Files\\Tenable\\Nessus\\nessusd.exe",
"\\device\\harddiskvolume?\\program files (x86)\\nmap\\nmap.exe",
"?:\\Program Files\\Docker\\Docker\\resources\\vpnkit.exe",
"?:\\Program Files\\Docker\\Docker\\resources\\com.docker.vpnkit.exe",
"?:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe",
"?:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\dcpatchscan.exe",
"\\device\\harddiskvolume?\\program files (x86)\\nmap oem\\nmap.exe",
"?:\\Program Files (x86)\\Nmap OEM\\nmap.exe",
"?:\\Program Files (x86)\\Zscaler\\ZSATunnel\\ZSATunnel.exe",
"?:\\Program Files\\JetBrains\\PyCharm Community Edition*\\bin\\pycharm64.exe",
"?:\\Program Files (x86)\\Advanced Port Scanner\\advanced_port_scanner.exe",
"?:\\Program Files (x86)\\nwps\\NetScanTools Pro\\NSTPRO.exe",
"?:\\Program Files\\BlackBerry\\UEM\\Proxy Server\\bin\\prunsrv.exe",
"?:\\Program Files (x86)\\Microsoft Silverlight\\sllauncher.exe",
"?:\\Windows\\System32\\MicrosoftEdgeCP.exe",
"?:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_*\\MicrosoftEdge.exe",
"?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe",
"?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
"?:\\Program Files\\Mozilla Firefox\\firefox.exe",
"?:\\Program Files\\Internet Explorer\\iexplore.exe",
"?:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
) and
network where host.os.type == "windows" and event.type == "start" and network.direction == "egress" and
destination.port == 88 and source.port >= 49152 and process.pid != 4 and destination.address : "*" and
not
(
process.executable : (
"\\device\\harddiskvolume?\\program files (x86)\\nmap\\nmap.exe",
"\\device\\harddiskvolume?\\program files (x86)\\nmap oem\\nmap.exe",
"\\device\\harddiskvolume?\\windows\\system32\\lsass.exe",
"?:\\Program Files\\Amazon Corretto\\jdk1*\\bin\\java.exe",
"?:\\Program Files\\BlackBerry\\UEM\\Proxy Server\\bin\\prunsrv.exe",
"?:\\Program Files\\BlackBerry\\UEM\\Core\\tomcat-core\\bin\\tomcat9.exe",
"?:\\Program Files\\DBeaver\\dbeaver.exe",
"?:\\Program Files\\Docker\\Docker\\resources\\com.docker.backend.exe",
"?:\\Program Files\\Docker\\Docker\\resources\\com.docker.vpnkit.exe",
"?:\\Program Files\\Docker\\Docker\\resources\\vpnkit.exe",
"?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Program Files\\Internet Explorer\\iexplore.exe",
"?:\\Program Files\\JetBrains\\PyCharm Community Edition*\\bin\\pycharm64.exe",
"?:\\Program Files\\Mozilla Firefox\\firefox.exe",
"?:\\Program Files\\Oracle\\VirtualBox\\VirtualBoxVM.exe",
"?:\\Program Files\\Puppet Labs\\Puppet\\puppet\\bin\\ruby.exe",
"?:\\Program Files\\rapid7\\nexpose\\nse\\.DLLCACHE\\nseserv.exe",
"?:\\Program Files\\Silverfort\\Silverfort AD Adapter\\SilverfortServer.exe",
"?:\\Program Files\\Tenable\\Nessus\\nessusd.exe",
"?:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe",
"?:\\Program Files (x86)\\Advanced Port Scanner\\advanced_port_scanner.exe",
"?:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\dcpatchscan.exe",
"?:\\Program Files (x86)\\GFI\\LanGuard 12 Agent\\lnsscomm.exe",
"?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
"?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
"?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe",
"?:\\Program Files (x86)\\Microsoft Silverlight\\sllauncher.exe",
"?:\\Program Files (x86)\\Nmap\\nmap.exe",
"?:\\Program Files (x86)\\Nmap OEM\\nmap.exe",
"?:\\Program Files (x86)\\nwps\\NetScanTools Pro\\NSTPRO.exe",
"?:\\Program Files (x86)\\SAP BusinessObjects\\tomcat\\bin\\tomcat9.exe",
"?:\\Program Files (x86)\\SuperScan\\scanner.exe",
"?:\\Program Files (x86)\\Zscaler\\ZSATunnel\\ZSATunnel.exe",
"?:\\Windows\\System32\\lsass.exe",
"?:\\Windows\\System32\\MicrosoftEdgeCP.exe",
"?:\\Windows\\System32\\svchost.exe",
"?:\\Windows\\SysWOW64\\vmnat.exe",
"?:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_*\\MicrosoftEdge.exe",
"System"
) and process.code_signature.trusted == true
) and
destination.address != "127.0.0.1" and destination.address != "::1"
'''
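Review bot: With the whole executable list now ANDed with `process.code_signature.trusted == true`, the `"System"` entry at the end of the list no longer expresses what it did before: the kernel process is not expected to carry code-signature fields, so its effect now hinges on EQL null handling, and it is redundant either way because `process.pid != 4` already removes that process, so dropping `"System"` keeps the list honest about what it excludes. The three `\\device\\harddiskvolume?\\...` entries raise the same question — they survive the signature gate only if events that carry device-style paths also carry signature fields, which is worth confirming against the data. The new `destination.address : "*"` together with `destination.address != "127.0.0.1" and destination.address != "::1"` is a sensible loopback filter; a comment such as `/* require a populated destination and ignore loopback KDC traffic */` above it would record the intent. The rule's other tables sit above this hunk; the closing `'''` is its last line.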