diff --git a/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml b/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml
index b103390f2..b5e6db72b 100644
--- a/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml
+++ b/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/13"
+updated_date = "2024/01/12"
 bypass_bbr_timing = true
 [rule]
@@ -42,11 +42,27 @@ process where event.type == "start" and host.os.type == "windows" and
 "SQLWriter", "winmgmt"
 ) and user.domain : "NT SERVICE" and
 not (
- process.name : (
+ (
+ process.name : (
 "sqlceip.exe", "sqlservr.exe", "sqlagent.exe", "msmdsrv.exe", "ReportingServicesService.exe",
- "MsDtsSrvr.exe", "sqlbrowser.exe"
- ) and (process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true)
+ "MsDtsSrvr.exe", "sqlbrowser.exe", "DTExec.exe",
+ "SQLPS.exe", "fdhost.exe", "fdlauncher.exe",
+ "SqlDumper.exe", "sqlsqm.exe", "DatabaseMail.exe"
+ ) or
+ process.executable : (
+ "?:\\Windows\\System32\\wermgr.exe",
+ "?:\\Windows\\System32\\conhost.exe",
+ "?:\\Windows\\System32\\WerFault.exe"
+ )
+ ) and
+ (
+ process.code_signature.subject_name : ("Microsoft Corporation", "Microsoft Windows") and
+ process.code_signature.trusted == true
+ )
+ ) and
+ not (
+ process.name : "cmd.exe" and process.parent.name : "sqlservr.exe"
 )
 '''
diff --git a/rules_building_block/lateral_movement_wmic_remote.toml b/rules_building_block/lateral_movement_wmic_remote.toml
index 31c7f006a..1966a49a1 100644
--- a/rules_building_block/lateral_movement_wmic_remote.toml
+++ b/rules_building_block/lateral_movement_wmic_remote.toml
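Review bot: The second exclusion added at the end of the hunk, `not (process.name : "cmd.exe" and process.parent.name : "sqlservr.exe")`, drops every cmd.exe child of the SQL Server process from this rule with no signature, path or argument condition, which is the opposite of the care taken in the first exclusion; if that parent/child pair is intentionally left to a dedicated rule, record it in the query as `// cmd.exe spawned by sqlservr.exe: covered by <dedicated rule id> — TODO confirm`, otherwise the exemption should be bounded the same way as the rest. The widened `process.name` list also admits SQLPS.exe and DTExec.exe, which ship with SQL Server and are themselves script/package hosts, so the Microsoft signature gate on the new side does not narrow them; a one-line comment on why those two are acceptable here would help the next maintainer. The query opens before the hunk (the `process where` line is only header context).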
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/09"
+updated_date = "2024/01/12"
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,8 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and
 process.name : "WMIC.exe" and process.args : "*node:*" and
- process.args : ("call", "set", "get")
+ process.args : ("call", "set", "get") and
+ not process.args : ("*/node:localhost*", "*/node:\"127.0.0.1\"*")
 '''
diff --git a/rules_building_block/persistence_transport_agent_exchange.toml b/rules_building_block/persistence_transport_agent_exchange.toml
index ed796dd59..cba0bf98f 100644
--- a/rules_building_block/persistence_transport_agent_exchange.toml
+++ b/rules_building_block/persistence_transport_agent_exchange.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/19"
+updated_date = "2024/01/12"
 [rule]
 author = ["Elastic"]
@@ -49,7 +49,13 @@ event.category: "process" and host.os.type:windows and
 "Install-TransportAgent" or
 "Enable-TransportAgent"
 )
- ) and not user.id : "S-1-5-18"
+ ) and
+ not user.id : "S-1-5-18" and
+ not powershell.file.script_block_text : (
+ "'Install-TransportAgent', 'Invoke-MonitoringProbe', 'Mount-Database', 'Move-ActiveMailboxDatabase'," or
+ "'Enable-TransportAgent', 'Enable-TransportRule', 'Export-ActiveSyncLog', 'Export-AutoDiscoverConfig'," or
+ ("scriptCmd.GetSteppablePipeline" and "ForwardHelpTargetName Install-TransportAgent")
+ )
 '''
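Review bot: The new loopback exclusion is inconsistently quoted: `*/node:localhost*` matches only an unquoted `/node:localhost`, while `*/node:\"127.0.0.1\"*` matches only the quoted address, so `/node:127.0.0.1` and `/node:"localhost"` still fire and the two loopback spellings are not treated alike. The trailing `*` on each pattern also excludes any `/node:` value that merely begins with the loopback name rather than the bare value, and the leading `*/` drops the `-node:` switch form that the rule's own `*node:*` condition accepts. Listing both spellings and anchoring the end of each pattern keeps the exclusion tight, e.g. `not process.args : ("*node:localhost", "*node:\"localhost\"", "*node:127.0.0.1", "*node:\"127.0.0.1\"")`. The query's opening `'''` is outside the hunk (header context only).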
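Review bot: The three `powershell.file.script_block_text` exclusions are written as exact-looking literals with commas and single quotes, but if that field is mapped as `text` (the mapping is not visible here) KQL's `:` on a quoted string becomes an analyzed phrase match, so the punctuation is not enforced and any script block containing those cmdlet names in that order is excluded — broader than the literal suggests, and worth confirming against the field's mapping before relying on it. Nothing in the hunk records where these strings come from; presumably Exchange's own module-loading output, so a `false_positives` entry or a line in the rule's `note` naming their source would let a maintainer re-verify them when Exchange changes. The query begins before the hunk (the `event.category: "process" ...` line is only header context).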