[Rule Tuning] Windows DR Tuning - 6 (#3246)

* [Rule Tuning] Windows DR Tuning - 6

* Update defense_evasion_masquerading_as_elastic_endpoint_process.toml

* Update defense_evasion_network_connection_from_windows_binary.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 6f4c323929)

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2023/12/11"
 
 [rule]
 author = ["Elastic"]
@@ -34,13 +34,31 @@ type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- process.name : ("esensor.exe", "elastic-endpoint.exe") and
- process.parent.executable != null and
+  process.name : ("esensor.exe", "elastic-endpoint.exe") and
+  process.parent.executable != null and
   /* add FPs here */
- not process.parent.executable : ("C:\\Program Files\\Elastic\\*",
-                                  "C:\\Windows\\System32\\services.exe",
-                                  "C:\\Windows\\System32\\WerFault*.exe",
-                                  "C:\\Windows\\System32\\wermgr.exe")
+  not process.parent.executable : (
+        "?:\\Program Files\\Elastic\\*",
+        "?:\\Windows\\System32\\services.exe",
+        "?:\\Windows\\System32\\WerFault*.exe",
+        "?:\\Windows\\System32\\wermgr.exe",
+        "?:\\Windows\\explorer.exe"
+  ) and
+  not (
+    process.parent.executable : (
+        "?:\\Windows\\System32\\cmd.exe",
+        "?:\\Windows\\System32\\SecurityHealthHost.exe",
+        "?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
+    ) and
+    process.args : (
+        "test", "version",
+        "top", "run",
+        "*help", "status",
+        "upgrade", "/launch",
+        "/enable"
+    )
+  )
+  
 '''
 
 

rules/windows/defense_evasion_masquerading_trusted_directory.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2023/12/11"
 
 [rule]
 author = ["Elastic"]
@@ -35,8 +35,16 @@ type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- process.executable : "C:\\*Program*Files*\\*.exe" and
- not process.executable : ("C:\\Program Files\\*.exe", "C:\\Program Files (x86)\\*.exe", "C:\\Users\\*.exe", "C:\\ProgramData\\*.exe")
+  process.executable : "C:\\*Program*Files*\\*.exe" and
+  not process.executable : (
+        "?:\\Program Files\\*.exe",
+        "?:\\Program Files (x86)\\*.exe",
+        "?:\\Users\\*.exe",
+        "?:\\ProgramData\\*.exe",
+        "?:\\Windows\\Downloaded Program Files\\*.exe",
+        "?:\\Windows\\Temp\\.opera\\????????????\\CProgram?FilesOpera*\\*.exe",
+        "?:\\Windows\\Temp\\.opera\\????????????\\CProgram?Files?(x86)Opera*\\*.exe"
+  )
 '''
 
 

rules/windows/defense_evasion_msbuild_beacon_sequence.toml

@@ -1,51 +0,0 @@
-[metadata]
-creation_date = "2020/09/02"
-integration = ["endpoint", "windows"]
-maturity = "development"
-updated_date = "2023/06/22"
-
-[rule]
-author = ["Elastic"]
-description = """
-Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often
-leveraged by adversaries to execute code and evade detection.
-"""
-from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
-language = "eql"
-license = "Elastic License v2"
-name = "MsBuild Network Connection Sequence"
-risk_score = 47
-rule_id = "9dc6ed5d-62a9-4feb-a903-fafa1d33b8e9"
-severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
-type = "eql"
-
-query = '''
-/* duplicate of MsBuild Making Network Connections - 0e79980b-4250-4a50-a509-69294c14e84b */
-
-sequence by process.entity_id
-  [process where host.os.type == "windows" and event.type == "start" and process.name : "MSBuild.exe"]
-  [network where host.os.type == "windows" and process.name : "MSBuild.exe" and
-     not (destination.ip == "127.0.0.1" and source.ip == "127.0.0.1")]
-'''
-
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1127"
-name = "Trusted Developer Utilities Proxy Execution"
-reference = "https://attack.mitre.org/techniques/T1127/"
-[[rule.threat.technique.subtechnique]]
-id = "T1127.001"
-name = "MSBuild"
-reference = "https://attack.mitre.org/techniques/T1127/001/"
-
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-

rules/windows/defense_evasion_msbuild_making_network_connections.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/26"
 
 [transform]
 [[transform.osquery]]
@@ -107,7 +107,7 @@ query = '''
 sequence by process.entity_id
   [process where host.os.type == "windows" and process.name : "MSBuild.exe" and event.type == "start"]
   [network where host.os.type == "windows" and process.name : "MSBuild.exe" and
-     not cidrmatch(destination.ip, "127.0.0.1", "::1")]
+     not cidrmatch(destination.ip, "127.0.0.1", "::1", "localhost")]
 '''
 
 

rules/windows/defense_evasion_msxsl_beacon.toml

@@ -1,45 +0,0 @@
-[metadata]
-creation_date = "2020/09/02"
-integration = ["endpoint", "windows"]
-maturity = "development"
-updated_date = "2023/06/22"
-
-[rule]
-author = ["Elastic"]
-description = """
-Identifies MsXsl.exe making outbound network connections. This may indicate adversarial activity as MsXsl is often
-leveraged by adversaries to execute malicious scripts and evade detection.
-"""
-from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
-language = "eql"
-license = "Elastic License v2"
-name = "MsXsl Making Network Connections"
-risk_score = 47
-rule_id = "870d1753-1078-403e-92d4-735f142edcca"
-severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
-type = "eql"
-
-query = '''
-/* duplicate of Network Connection via MsXsl - b86afe07-0d98-4738-b15d-8d7465f95ff5 */
-
-sequence by process.entity_id
-  [process where host.os.type == "windows" and event.type == "start" and process.name : "msxsl.exe"]
-  [network where host.os.type == "windows" and process.name : "msxsl.exe" and network.direction : ("outgoing", "egress")]
-'''
-
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1220"
-name = "XSL Script Processing"
-reference = "https://attack.mitre.org/techniques/T1220/"
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-

rules/windows/defense_evasion_network_connection_from_windows_binary.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/09"
+updated_date = "2023/12/11"
 
 [transform]
 [[transform.osquery]]
@@ -140,15 +140,21 @@ sequence by process.entity_id with maxspan=5m
       process.name : "iexpress.exe" or
       process.name : "installutil.exe" or
       process.name : "Microsoft.Workflow.Compiler.exe" or
-      process.name : "MSBuild.exe" or
+      (
+        process.name : "msbuild.exe" and
+          destination.ip != "127.0.0.1"
+      ) or
       process.name : "msdt.exe" or
       process.name : "mshta.exe" or
       (
-         process.name : "msiexec.exe" and not
-         dns.question.name : (
-            "ocsp.digicert.com", "ocsp.verisign.com", "ocsp.comodoca.com", "ocsp.entrust.net", "ocsp.usertrust.com",
-            "ocsp.godaddy.com", "ocsp.camerfirma.com", "ocsp.globalsign.com", "ocsp.sectigo.com", "*.local"
-         )
+        process.name : "msiexec.exe" and not
+        dns.question.name : (
+           "ocsp.digicert.com", "ocsp.verisign.com", "ocsp.comodoca.com", "ocsp.entrust.net", "ocsp.usertrust.com",
+           "ocsp.godaddy.com", "ocsp.camerfirma.com", "ocsp.globalsign.com", "ocsp.sectigo.com", "*.local"
+        ) and
+        /* Localhost, DigiCert and Comodo CA IP addresses */
+        not cidrmatch(destination.ip, "127.0.0.1", "192.229.211.108/32", "192.229.221.95/32",
+                      "152.195.38.76/32", "104.18.14.101/32")
       ) or
       process.name : "msxsl.exe" or
       process.name : "odbcconf.exe" or

rules/windows/defense_evasion_process_termination_followed_by_deletion.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/09"
+updated_date = "2023/10/26"
 
 [transform]
 [[transform.osquery]]
@@ -110,7 +110,15 @@ sequence by host.id with maxspan=5s
               "?:\\Program Files (x86)\\*.exe",
               "?:\\Windows\\System32\\svchost.exe",
               "?:\\Windows\\System32\\drvinst.exe") and
-    not file.path : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe")
+    not file.path : (
+          "?:\\Program Files\\*.exe",
+          "?:\\Program Files (x86)\\*.exe",
+          "?:\\Windows\\Temp\\*\\DismHost.exe",
+          "?:\\$WINDOWS.~BT\\Work\\*\\DismHost.exe",
+          "?:\\$WinREAgent\\Scratch\\*\\DismHost.exe",
+          "?:\\Windows\\tenable_mw_scan_*.exe",
+          "?:\\Users\\*\\AppData\\Local\\Temp\\LogiUI\\Pak\\uninstall.exe"
+    )
    ] by file.path
 '''