[Rule Tuning] Windows DR Tuning - 12 (#3364)

rules/windows/initial_access_suspicious_ms_office_child_process.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/01/16"
+updated_date = "2024/01/17"
 
 [rule]
 author = ["Elastic"]
@@ -84,14 +84,26 @@ type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
-  process.parent.name : ("eqnedt32.exe", "excel.exe", "fltldr.exe", "msaccess.exe", "mspub.exe", "powerpnt.exe", "winword.exe", "outlook.exe") and
-  process.name : ("Microsoft.Workflow.Compiler.exe", "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", "cdb.exe", "certutil.exe",
-                "cmd.exe", "cmstp.exe", "control.exe", "cscript.exe", "csi.exe", "dnx.exe", "dsget.exe", "dsquery.exe", "forfiles.exe",
-                "fsi.exe", "ftp.exe", "gpresult.exe", "hostname.exe", "ieexec.exe", "iexpress.exe", "installutil.exe", "ipconfig.exe",
-                "mshta.exe", "msxsl.exe", "nbtstat.exe", "net.exe", "net1.exe", "netsh.exe", "netstat.exe", "nltest.exe", "odbcconf.exe",
-                "ping.exe", "powershell.exe", "pwsh.exe", "qprocess.exe", "quser.exe", "qwinsta.exe", "rcsi.exe", "reg.exe", "regasm.exe",
-                "regsvcs.exe", "regsvr32.exe", "sc.exe", "schtasks.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe", "whoami.exe",
-                "wmic.exe", "wscript.exe", "xwizard.exe", "explorer.exe", "rundll32.exe", "hh.exe", "msdt.exe")
+  process.parent.name : (
+      "eqnedt32.exe", "excel.exe", "fltldr.exe", "msaccess.exe",
+      "mspub.exe", "powerpnt.exe", "winword.exe", "outlook.exe"
+  ) and
+  process.name : (
+      "Microsoft.Workflow.Compiler.exe", "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", "cdb.exe",
+      "certutil.exe", "cmd.exe", "cmstp.exe", "control.exe", "cscript.exe", "csi.exe", "dnx.exe", "dsget.exe",
+      "dsquery.exe", "forfiles.exe", "fsi.exe", "ftp.exe", "gpresult.exe", "hostname.exe", "ieexec.exe", "iexpress.exe",
+      "installutil.exe", "ipconfig.exe", "mshta.exe", "msxsl.exe", "nbtstat.exe", "net.exe", "net1.exe", "netsh.exe",
+      "netstat.exe", "nltest.exe", "odbcconf.exe", "ping.exe", "powershell.exe", "pwsh.exe", "qprocess.exe",
+      "quser.exe", "qwinsta.exe", "rcsi.exe", "reg.exe", "regasm.exe", "regsvcs.exe", "regsvr32.exe", "sc.exe",
+      "schtasks.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe", "whoami.exe", "wmic.exe", "wscript.exe",
+      "xwizard.exe", "explorer.exe", "rundll32.exe", "hh.exe", "msdt.exe"
+  ) and
+  not (
+    process.parent.name : "outlook.exe" and
+    process.name : "rundll32.exe" and
+    process.args : "shell32.dll,Control_RunDLL" and
+    process.args : "srchadmin.dll"
+  )
 '''
 
 

rules/windows/lateral_movement_direct_outbound_smb_connection.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/12/13"
+updated_date = "2024/01/03"
 
 [transform]
 [[transform.osquery]]
@@ -104,21 +104,14 @@ query = '''
 sequence by process.entity_id with maxspan=2m
   [process where host.os.type == "windows" and event.type == "start" and process.pid != 4 and 
    not user.id : ("S-1-5-19", "S-1-5-20") and 
-   not (process.code_signature.trusted == true and not process.code_signature.subject_name : ("Microsoft*", "Famatech Corp.", "Insecure.Com LLC")) and 
+   not (process.code_signature.trusted == true and not process.code_signature.subject_name : ("Famatech Corp.", "Insecure.Com LLC")) and 
    not (process.name : "powershell.exe" and process.args : "?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_*.ps1") and 
    not (process.executable : "?:\\EnterpriseCare\\tools\\*\\bin\\java.exe" and process.args : "com.*.launcher.Invoker") and
    not (process.executable : "?:\\Docusnap*\\Tools\\*\\nmap.exe" and process.args : "smb-os-discovery.nse") and
    not process.executable :
               ("?:\\Program Files\\*.exe",
                "?:\\Program Files (x86)\\*.exe", 
-               "?:\\Windows\\ProPatches\\Installation\\InstallationSandbox*\\stdeploy.exe",
-               "?:\\Program Files (x86)\\Fortinet\\FSAE\\collectoragent.exe",
-               "?:\\Program Files (x86)\\Nmap\\nmap.exe",
-               "?:\\Program Files\\Azure Advanced Threat Protection Sensor\\*\\Microsoft.Tri.Sensor.exe",
-               "?:\\Program Files\\CloudMatters\\auvik\\AuvikService-release-*\\AuvikService.exe",
-               "?:\\Program Files\\uptime software\\uptime\\UptimeDataCollector.exe",
-               "?:\\Program Files\\CloudMatters\\auvik\\AuvikAgentService.exe",
-               "?:\\Program Files\\Rumble\\rumble-agent-*.exe")]
+               "?:\\Windows\\ProPatches\\Installation\\InstallationSandbox*\\stdeploy.exe")]
   [network where host.os.type == "windows" and destination.port == 445 and process.pid != 4 and
      not cidrmatch(destination.ip, "127.0.0.1", "::1")]
 until [process where host.os.type == "windows" and event.type == "end"]

rules/windows/lateral_movement_execution_via_file_shares_sequence.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/11/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2023/10/09"
+updated_date = "2024/01/03"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -102,7 +102,22 @@ query = '''
 sequence with maxspan=1m
   [file where host.os.type == "windows" and event.type in ("creation", "change") and 
    process.pid == 4 and (file.extension : "exe" or file.Ext.header_bytes : "4d5a*")] by host.id, file.path
-  [process where host.os.type == "windows" and event.type == "start"] by host.id, process.executable
+  [process where host.os.type == "windows" and event.type == "start" and
+    not (
+      /* Veeam related processes */
+      (
+        process.name : (
+          "VeeamGuestHelper.exe", "VeeamGuestIndexer.exe", "VeeamAgent.exe", "VeeamLogShipper.exe", "Veeam.VSS.Sharepoint2010.exe"
+        ) and process.code_signature.trusted == true and process.code_signature.subject_name : "Veeam Software Group GmbH"
+      ) or
+      /* PDQ related processes */
+      (
+        process.name : (
+          "PDQInventoryScanner.exe", "PDQInventoryMonitor.exe", "PDQInventory-Scanner-?.exe", "PDQInventoryWakeCommand-?.exe"
+        ) and process.code_signature.trusted == true and process.code_signature.subject_name : "PDQ.com Corporation"
+      )
+    )
+  ] by host.id, process.executable
 '''
 
 

rules/windows/lateral_movement_remote_file_copy_hidden_share.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/04"
 
 [rule]
 author = ["Elastic"]
@@ -34,8 +34,11 @@ type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
-  process.name : ("cmd.exe", "powershell.exe", "robocopy.exe", "xcopy.exe") and
-  process.args : ("copy*", "move*", "cp", "mv") and process.args : "*$*"
+  (
+    process.name : ("cmd.exe", "powershell.exe", "xcopy.exe") and
+    process.args : ("copy*", "move*", "cp", "mv") or
+    process.name : "robocopy.exe"
+  ) and process.args : "*\\\\*\\*$*"
 '''
 
 

rules/windows/lateral_movement_remote_services.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/11/16"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/06/22"
+updated_date = "2024/01/04"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -114,35 +114,36 @@ sequence with maxspan=1s
    ] by host.id, process.entity_id
    [process where host.os.type == "windows" and 
        event.type == "start" and process.parent.name : "services.exe" and
-       not (process.executable : "?:\\Windows\\System32\\svchost.exe" and process.args : "tiledatamodelsvc") and
        not (process.executable : "?:\\Windows\\System32\\msiexec.exe" and process.args : "/V") and
-       not process.executable :
-               ("?:\\Windows\\ADCR_Agent\\adcrsvc.exe",
-                "?:\\Windows\\System32\\VSSVC.exe",
-                "?:\\Windows\\servicing\\TrustedInstaller.exe",
-                "?:\\Windows\\System32\\svchost.exe",
-                "?:\\Program Files (x86)\\*.exe",
-                "?:\\Program Files\\*.exe",
-                "?:\\Windows\\PSEXESVC.EXE",
-                "?:\\Windows\\System32\\sppsvc.exe",
-                "?:\\Windows\\System32\\wbem\\WmiApSrv.exe",
-                "?:\\WINDOWS\\RemoteAuditService.exe",
-                "?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe",
-                "?:\\Windows\\VeeamLogShipper\\VeeamLogShipper.exe",
-                "?:\\Windows\\CAInvokerService.exe",
-                "?:\\Windows\\System32\\upfc.exe",
-                "?:\\Windows\\AdminArsenal\\PDQ*.exe",
-                "?:\\Windows\\System32\\vds.exe",
-                "?:\\Windows\\Veeam\\Backup\\VeeamDeploymentSvc.exe",
-                "?:\\Windows\\ProPatches\\Scheduler\\STSchedEx.exe",
-                "?:\\Windows\\System32\\certsrv.exe",
-                "?:\\Windows\\eset-remote-install-service.exe",
-                "?:\\Pella Corporation\\Pella Order Management\\GPAutoSvc.exe",
+       not process.executable : (
                 "?:\\Pella Corporation\\OSCToGPAutoService\\OSCToGPAutoSvc.exe",
                 "?:\\Pella Corporation\\Pella Order Management\\GPAutoSvc.exe",
+                "?:\\Pella Corporation\\Pella Order Management\\GPAutoSvc.exe",
+                "?:\\Program Files (x86)\\*.exe",
+                "?:\\Program Files\\*.exe",
+                "?:\\Windows\\ADCR_Agent\\adcrsvc.exe",
+                "?:\\Windows\\AdminArsenal\\PDQ*.exe",
+                "?:\\Windows\\CAInvokerService.exe",
+                "?:\\Windows\\ccmsetup\\ccmsetup.exe",
+                "?:\\Windows\\eset-remote-install-service.exe",
+                "?:\\Windows\\ProPatches\\Scheduler\\STSchedEx.exe",
+                "?:\\Windows\\PSEXESVC.EXE",
+                "?:\\Windows\\RemoteAuditService.exe",
+                "?:\\Windows\\servicing\\TrustedInstaller.exe",
+                "?:\\Windows\\System32\\certsrv.exe",
+                "?:\\Windows\\System32\\sppsvc.exe",
+                "?:\\Windows\\System32\\srmhost.exe",
+                "?:\\Windows\\System32\\svchost.exe",
+                "?:\\Windows\\System32\\taskhostex.exe",
+                "?:\\Windows\\System32\\upfc.exe",
+                "?:\\Windows\\System32\\vds.exe",
+                "?:\\Windows\\System32\\VSSVC.exe",
+                "?:\\Windows\\System32\\wbem\\WmiApSrv.exe",
                 "?:\\Windows\\SysWOW64\\NwxExeSvc\\NwxExeSvc.exe",
-                "?:\\Windows\\System32\\taskhostex.exe")
-   ] by host.id, process.parent.entity_id
+                "?:\\Windows\\Veeam\\Backup\\VeeamDeploymentSvc.exe",
+                "?:\\Windows\\VeeamLogShipper\\VeeamLogShipper.exe",
+                "?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe"
+       )] by host.id, process.parent.entity_id
 '''