[Rule Tuning] Windows BBR Tuning - 6 (#3386)

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/13"
+updated_date = "2024/01/12"
 bypass_bbr_timing = true
 
 [rule]
@@ -42,11 +42,27 @@ process where event.type == "start" and host.os.type == "windows" and
     "SQLWriter", "winmgmt"
   ) and user.domain : "NT SERVICE" and
   not (
-    process.name : (
+    (
+      process.name : (
         "sqlceip.exe", "sqlservr.exe", "sqlagent.exe",
         "msmdsrv.exe", "ReportingServicesService.exe",
-        "MsDtsSrvr.exe", "sqlbrowser.exe"
-    ) and (process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true)
+        "MsDtsSrvr.exe", "sqlbrowser.exe", "DTExec.exe",
+        "SQLPS.exe", "fdhost.exe", "fdlauncher.exe",
+        "SqlDumper.exe", "sqlsqm.exe", "DatabaseMail.exe"
+      ) or
+      process.executable : (
+        "?:\\Windows\\System32\\wermgr.exe",
+        "?:\\Windows\\System32\\conhost.exe",
+        "?:\\Windows\\System32\\WerFault.exe"
+      )
+    ) and
+    (
+      process.code_signature.subject_name : ("Microsoft Corporation", "Microsoft Windows") and
+      process.code_signature.trusted == true
+    )
+  ) and
+  not (
+    process.name : "cmd.exe" and process.parent.name : "sqlservr.exe"
   )
 '''
 

rules_building_block/lateral_movement_wmic_remote.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/09"
+updated_date = "2024/01/12"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,8 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and
   process.name : "WMIC.exe" and
   process.args : "*node:*" and
-  process.args : ("call", "set", "get")
+  process.args : ("call", "set", "get") and
+  not process.args : ("*/node:localhost*", "*/node:\"127.0.0.1\"*")
 '''
 
 

rules_building_block/persistence_transport_agent_exchange.toml

@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/19"
+updated_date = "2024/01/12"
 
 [rule]
 author = ["Elastic"]
@@ -49,7 +49,13 @@ event.category: "process" and host.os.type:windows and
     "Install-TransportAgent" or
     "Enable-TransportAgent"
     )
-  ) and not user.id : "S-1-5-18"
+  ) and
+  not user.id : "S-1-5-18" and
+  not powershell.file.script_block_text : (
+    "'Install-TransportAgent', 'Invoke-MonitoringProbe', 'Mount-Database', 'Move-ActiveMailboxDatabase'," or
+    "'Enable-TransportAgent', 'Enable-TransportRule', 'Export-ActiveSyncLog', 'Export-AutoDiscoverConfig'," or
+    ("scriptCmd.GetSteppablePipeline" and "ForwardHelpTargetName Install-TransportAgent")
+  )
 '''