diff --git a/rules/windows/command_and_control_ingress_transfer_bits.toml b/rules/windows/command_and_control_ingress_transfer_bits.toml
index f71f36778..3af1b9268 100644
--- a/rules/windows/command_and_control_ingress_transfer_bits.toml
+++ b/rules/windows/command_and_control_ingress_transfer_bits.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/22"
 
 [rule]
 author = ["Elastic"]
@@ -27,15 +27,20 @@ type = "eql" query = ''' file where host.os.type == "windows" and event.action == "rename" and - -process.name : "svchost.exe" and file.Ext.original.name : "BIT*.tmp" and - (file.extension :("exe", "zip", "rar", "bat", "dll", "ps1", "vbs", "wsh", "js", "vbe", "pif", "scr", "cmd", "cpl") or file.Ext.header_bytes : "4d5a*") and + process.name : "svchost.exe" and file.Ext.original.name : "BIT*.tmp" and + (file.extension : ("exe", "zip", "rar", "bat", "dll", "ps1", "vbs", "wsh", "js", "vbe", "pif", "scr", "cmd", "cpl") or + file.Ext.header_bytes : "4d5a*") and - /* noisy paths, for hunting purposes you can use the same query without the following exclusions */ - not file.path : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\Windows\\*", "?:\\ProgramData\\*\\*") and + /* noisy paths, for hunting purposes you can use the same query without the following exclusions */ + not file.path : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\Windows\\*", "?:\\ProgramData\\*\\*") and - /* lot of third party SW use BITS to download executables with a long file name */ - not length(file.name) > 30 + /* lot of third party SW use BITS to download executables with a long file name */ + not length(file.name) > 30 and + not file.path : ( + "?:\\Users\\*\\AppData\\Local\\Temp*\\wct*.tmp", + "?:\\Users\\*\\AppData\\Local\\Adobe\\ARM\\*\\RdrServicesUpdater*.exe", + "?:\\Users\\*\\AppData\\Local\\Docker Desktop Installer\\update-*.exe" + ) ''' diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml index 6301f3c8a..19b82fd07 100644 --- a/rules/windows/command_and_control_remote_file_copy_powershell.toml +++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml 
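Review bot: The three new `file.path` exclusions all sit under `AppData\Local`, which the job owner can write to, and the destination file name of a BITS job is chosen by whoever creates the job, so a payload saved as `…\Temp\wctXXXX.tmp`, `…\Adobe\ARM\<anything>\RdrServicesUpdater.exe` or `…\Docker Desktop Installer\update-<anything>.exe` is now silent with no signer or hash condition behind the path. The `wct*.tmp` entry only takes effect through the `file.Ext.header_bytes : "4d5a*"` branch (a `.tmp` extension never matches the extension list), so it specifically suppresses PE files renamed to a `wct*.tmp` name, and the `Temp*` form lets the wildcard span subdirectories. Unlike the TeamViewer hunk in this same commit, nothing here ties the exclusion to the process beyond `svchost.exe`, which is the BITS host for every job. I would document the trade-off next to the list, e.g. `/* path-only exclusions under user-writable AppData: the BITS job owner picks the destination name, so prefer per-org exceptions over widening this list */`, and narrow `Temp*\\wct*.tmp` to `Temp\\wct*.tmp` unless the wider form is known to be needed.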
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/30"
-integration = ["endpoint", "windows"]
+integration = ["endpoint"]
 maturity = "production"
-updated_date = "2023/06/22"
+updated_date = "2023/10/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -36,7 +36,7 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
 author = ["Elastic"]
 description = "Identifies powershell.exe being used to download an executable file from an untrusted remote destination."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote File Download via PowerShell"
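Review bot: Dropping `winlogbeat-*` and `logs-windows.*` from `index` (and `windows` from `integration`) removes this rule's coverage for hosts that only forward Sysmon or Windows event logs, but nothing in the hunk records why, and the `description` line in the same hunk is unchanged. Presumably the rewritten query depends on Elastic Defend-only fields, in which case the rule's `setup` guide and `min_stack_comments` (outside this hunk) should state that Elastic Defend is now required; a one-line addition such as `This rule requires Elastic Defend data; hosts shipping only Sysmon/winlogbeat are no longer covered.` would stop operators from assuming the previous coverage persists.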
@@ -99,12 +99,19 @@ tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic type = "eql" query = ''' -sequence by host.id, process.entity_id with maxspan=30s - [network where host.os.type == "windows" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and network.protocol == "dns" and - not dns.question.name : ("localhost", "*.microsoft.com", "*.azureedge.net", "*.powershellgallery.com", "*.windowsupdate.com", "metadata.google.internal") and - not user.domain : "NT AUTHORITY"] - [file where host.os.type == "windows" and process.name : "powershell.exe" and event.type == "creation" and file.extension : ("exe", "dll", "ps1", "bat") and - not file.name : "__PSScriptPolicy*.ps1"] +sequence by process.entity_id with maxspan=30s + +[network where host.os.type == "windows" and + process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and network.protocol == "dns" and + not dns.question.name : ( + "localhost", "*.microsoft.com", "*.azureedge.net", "*.powershellgallery.com", + "*.windowsupdate.com", "metadata.google.internal", "dist.nuget.org", + "artifacts.elastic.co", "*.digicert.com", "packages.chocolatey.org", + "outlook.office365.com" + ) and not user.id : "S-1-5-18"] +[file where host.os.type == "windows" and event.type == "creation" and + process.name : "powershell.exe" and file.extension : ("exe", "dll", "ps1", "bat") and + not file.name : "__PSScriptPolicy*.ps1"] ''' diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml index 19b665790..2909cf10a 100644 --- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml +++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml 
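Review bot: The file stage still keys on `process.name : "powershell.exe"` only, while the DNS stage admits `pwsh.exe` and `powershell_ise.exe`; because both stages are joined on the same `process.entity_id`, a pwsh.exe process can satisfy the first stage but never the second, so PowerShell 7 downloads never produce an alert. Change the file stage to `process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and file.extension : ("exe", "dll", "ps1", "bat") and` (or trim the DNS list to match, if leaving pwsh out is deliberate). Separately, `dist.nuget.org` and `packages.chocolatey.org` are registries anyone can publish to, unlike the vendor-owned names beside them, so a session that resolves only one of those before writing an .exe now stays silent; a comment such as `/* nuget/chocolatey are public registries: this trades package-install noise for a supply-chain blind spot */` would make that trade-off explicit to whoever tunes this next.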
@@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/10/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -113,7 +113,15 @@ type = "eql" query = ''' file where host.os.type == "windows" and event.type == "creation" and process.name : "TeamViewer.exe" and - file.extension : ("exe", "dll", "scr", "com", "bat", "ps1", "vbs", "vbe", "js", "wsh", "hta") + file.extension : ("exe", "dll", "scr", "com", "bat", "ps1", "vbs", "vbe", "js", "wsh", "hta") and + not + ( + file.path : ( + "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\*.js", + "?:\\Users\\*\\AppData\\Local\\Temp\\TeamViewer\\update.exe", + "?:\\Users\\*\\AppData\\Local\\Temp\\?\\TeamViewer\\update.exe" + ) and process.code_signature.trusted == true + ) ''' diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml index e2766b03a..4dd1adef6 100644 --- a/rules/windows/credential_access_dcsync_replication_rights.toml +++ b/rules/windows/credential_access_dcsync_replication_rights.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/13" +updated_date = "2023/10/22" [rule] author = ["Elastic"] 
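Review bot: The new exclusion pairs user-writable paths with `process.code_signature.trusted == true`, but `trusted` only says the signer chains to a trusted root, not that the signer is TeamViewer; since the rule matches the process on `process.name` alone, any trusted-signed binary renamed to `TeamViewer.exe` that drops `%LOCALAPPDATA%\Temp\TeamViewer\update.exe` is excluded. If the endpoint integration populates the publisher field, anchoring on it is a one-line tightening: `) and process.code_signature.trusted == true and process.code_signature.subject_name : "TeamViewer*"` — confirm the exact subject string from a real event before committing it. The `INetCache\*.js` entry is also the only one where the excluded file type is a script rather than the updater itself; a short comment stating what TeamViewer writes there would help the next tuner judge whether that glob is too wide.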
@@ -114,7 +114,10 @@ any where event.action == "Directory Service Access" and /* The right to perform an operation controlled by an extended access right. */ and winlog.event_data.AccessMask : "0x100" and - not winlog.event_data.SubjectUserName : ("*$", "MSOL_*", "OpenDNS_Connector") + not winlog.event_data.SubjectUserName : ( + "*$", "MSOL_*", "OpenDNS_Connector", "adconnect", "SyncADConnect", + "SyncADConnectCM", "aadsync", "svcAzureADSync", "-" + ) /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */ ''' diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml index 8ab21f984..0dbf2b623 100644 --- a/rules/windows/credential_access_kerberoasting_unusual_process.toml +++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/11/02" -integration = ["endpoint", "windows"] +integration = ["endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/10/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -44,7 +44,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] +index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Kerberos Traffic from Unusual Process" 
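Review bot: The added `SubjectUserName` entries (`adconnect`, `SyncADConnect`, `SyncADConnectCM`, `aadsync`, `svcAzureADSync`) exclude replication purely by account name, so an attacker who already holds or can grant replication rights can route a DCSync through an account carrying one of these names and never trip this rule; the existing `OpenDNS_Connector` entry has the same weakness, but each new name widens it, and EQL's `:` match is case-insensitive so the names cover more spellings than they appear to. The `"-"` entry is different in kind: it drops events whose subject was not populated at all, which is a case a defender would rather see than hide, and the hunk gives no reason for it. I would pin the sync accounts by SID or domain as per-org exceptions rather than bake names into the rule (the 4662 event carries `winlog.event_data.SubjectUserSid`, if the integration maps it), add a comment alongside the list such as `/* account-name exclusions are bypassable by naming a rogue account the same way; prefer SID-based exceptions */`, and either remove `"-"` or document what produces it. The query's opening conditions sit above this hunk.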
@@ -113,42 +113,53 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -network where host.os.type == "windows" and event.type == "start" and network.direction : ("outgoing", "egress") and - destination.port == 88 and source.port >= 49152 and process.pid != 4 and - not process.executable : - ("?:\\Windows\\System32\\lsass.exe", - "System", - "?:\\Windows\\System32\\svchost.exe", - "?:\\Program Files\\Puppet Labs\\Puppet\\puppet\\bin\\ruby.exe", - "\\device\\harddiskvolume?\\windows\\system32\\lsass.exe", - "?:\\Program Files\\rapid7\\nexpose\\nse\\.DLLCACHE\\nseserv.exe", - "?:\\Program Files (x86)\\GFI\\LanGuard 12 Agent\\lnsscomm.exe", - "?:\\Program Files (x86)\\SuperScan\\scanner.exe", - "?:\\Program Files (x86)\\Nmap\\nmap.exe", - "?:\\Program Files\\Tenable\\Nessus\\nessusd.exe", - "\\device\\harddiskvolume?\\program files (x86)\\nmap\\nmap.exe", - "?:\\Program Files\\Docker\\Docker\\resources\\vpnkit.exe", - "?:\\Program Files\\Docker\\Docker\\resources\\com.docker.vpnkit.exe", - "?:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe", - "?:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\dcpatchscan.exe", - "\\device\\harddiskvolume?\\program files (x86)\\nmap oem\\nmap.exe", - "?:\\Program Files (x86)\\Nmap OEM\\nmap.exe", - "?:\\Program Files (x86)\\Zscaler\\ZSATunnel\\ZSATunnel.exe", - "?:\\Program Files\\JetBrains\\PyCharm Community Edition*\\bin\\pycharm64.exe", - "?:\\Program Files (x86)\\Advanced Port Scanner\\advanced_port_scanner.exe", - "?:\\Program Files (x86)\\nwps\\NetScanTools Pro\\NSTPRO.exe", - "?:\\Program Files\\BlackBerry\\UEM\\Proxy Server\\bin\\prunsrv.exe", - "?:\\Program Files (x86)\\Microsoft Silverlight\\sllauncher.exe", - "?:\\Windows\\System32\\MicrosoftEdgeCP.exe", - "?:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_*\\MicrosoftEdge.exe", - "?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe", - "?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", - "?:\\Program 
Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", - "?:\\Program Files\\Mozilla Firefox\\firefox.exe", - "?:\\Program Files\\Internet Explorer\\iexplore.exe", - "?:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" - ) and +network where host.os.type == "windows" and event.type == "start" and network.direction == "egress" and + destination.port == 88 and source.port >= 49152 and process.pid != 4 and destination.address : "*" and + not + ( + process.executable : ( + "\\device\\harddiskvolume?\\program files (x86)\\nmap\\nmap.exe", + "\\device\\harddiskvolume?\\program files (x86)\\nmap oem\\nmap.exe", + "\\device\\harddiskvolume?\\windows\\system32\\lsass.exe", + "?:\\Program Files\\Amazon Corretto\\jdk1*\\bin\\java.exe", + "?:\\Program Files\\BlackBerry\\UEM\\Proxy Server\\bin\\prunsrv.exe", + "?:\\Program Files\\BlackBerry\\UEM\\Core\\tomcat-core\\bin\\tomcat9.exe", + "?:\\Program Files\\DBeaver\\dbeaver.exe", + "?:\\Program Files\\Docker\\Docker\\resources\\com.docker.backend.exe", + "?:\\Program Files\\Docker\\Docker\\resources\\com.docker.vpnkit.exe", + "?:\\Program Files\\Docker\\Docker\\resources\\vpnkit.exe", + "?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", + "?:\\Program Files\\Internet Explorer\\iexplore.exe", + "?:\\Program Files\\JetBrains\\PyCharm Community Edition*\\bin\\pycharm64.exe", + "?:\\Program Files\\Mozilla Firefox\\firefox.exe", + "?:\\Program Files\\Oracle\\VirtualBox\\VirtualBoxVM.exe", + "?:\\Program Files\\Puppet Labs\\Puppet\\puppet\\bin\\ruby.exe", + "?:\\Program Files\\rapid7\\nexpose\\nse\\.DLLCACHE\\nseserv.exe", + "?:\\Program Files\\Silverfort\\Silverfort AD Adapter\\SilverfortServer.exe", + "?:\\Program Files\\Tenable\\Nessus\\nessusd.exe", + "?:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe", + "?:\\Program Files (x86)\\Advanced Port Scanner\\advanced_port_scanner.exe", + "?:\\Program Files 
(x86)\\DesktopCentral_Agent\\bin\\dcpatchscan.exe", + "?:\\Program Files (x86)\\GFI\\LanGuard 12 Agent\\lnsscomm.exe", + "?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "?:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe", + "?:\\Program Files (x86)\\Microsoft Silverlight\\sllauncher.exe", + "?:\\Program Files (x86)\\Nmap\\nmap.exe", + "?:\\Program Files (x86)\\Nmap OEM\\nmap.exe", + "?:\\Program Files (x86)\\nwps\\NetScanTools Pro\\NSTPRO.exe", + "?:\\Program Files (x86)\\SAP BusinessObjects\\tomcat\\bin\\tomcat9.exe", + "?:\\Program Files (x86)\\SuperScan\\scanner.exe", + "?:\\Program Files (x86)\\Zscaler\\ZSATunnel\\ZSATunnel.exe", + "?:\\Windows\\System32\\lsass.exe", + "?:\\Windows\\System32\\MicrosoftEdgeCP.exe", + "?:\\Windows\\System32\\svchost.exe", + "?:\\Windows\\SysWOW64\\vmnat.exe", + "?:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_*\\MicrosoftEdge.exe", + "System" + ) and process.code_signature.trusted == true + ) and destination.address != "127.0.0.1" and destination.address != "::1" '''
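Review bot: Requiring `process.code_signature.trusted == true` on the allow-list is a real tightening, but several newly added entries are signed code hosts rather than fixed-purpose binaries — `Amazon Corretto\jdk1*\bin\java.exe`, `DBeaver\dbeaver.exe` and the two `tomcat9.exe` services run whatever JAR or plugin they are given, so a Java Kerberos client requesting service tickets under a trusted-signed `java.exe` is indistinguishable from the JDK's own traffic and is now silent. Those entries belong in per-org exceptions scoped by parent or command line, or at least behind a comment such as `/* java/dbeaver/tomcat are generic code hosts: the signature covers the host, not the code it runs */`. The `"System"` entry is also dead on the new side: `process.pid != 4` already drops that process and endpoint data is unlikely to report an Authenticode signature for it, so it can never satisfy the `trusted == true` branch and can be removed. The closing `'''` of the query is visible, but any trailing context of this hunk lies beyond the page.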