From f6ba12a700cfb1e98428d94e7d26662fb4e0118e Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Wed, 17 Jan 2024 13:19:12 -0300
Subject: [PATCH] [Rule Tuning] Windows DR Tuning - 12 (#3364)
---
 ...ss_suspicious_ms_office_child_process.toml | 30 +++++++----
 ...vement_direct_outbound_smb_connection.toml | 13 ++---
 ...nt_execution_via_file_shares_sequence.toml | 19 ++++++-
 ...ovement_remote_file_copy_hidden_share.toml | 9 ++--
 .../lateral_movement_remote_services.toml | 53 ++++++++++---------
 5 files changed, 74 insertions(+), 50 deletions(-)
diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
index 826433d90..03c31133d 100644
--- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/01/16"
+updated_date = "2024/01/17"
 
 [rule]
 author = ["Elastic"]
@@ -84,14 +84,26 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- process.parent.name : ("eqnedt32.exe", "excel.exe", "fltldr.exe", "msaccess.exe", "mspub.exe", "powerpnt.exe", "winword.exe", "outlook.exe") and
- process.name : ("Microsoft.Workflow.Compiler.exe", "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", "cdb.exe", "certutil.exe",
- "cmd.exe", "cmstp.exe", "control.exe", "cscript.exe", "csi.exe", "dnx.exe", "dsget.exe", "dsquery.exe", "forfiles.exe",
- "fsi.exe", "ftp.exe", "gpresult.exe", "hostname.exe", "ieexec.exe", "iexpress.exe", "installutil.exe", "ipconfig.exe",
- "mshta.exe", "msxsl.exe", "nbtstat.exe", "net.exe", "net1.exe", "netsh.exe", "netstat.exe", "nltest.exe", "odbcconf.exe",
- "ping.exe", "powershell.exe", "pwsh.exe", "qprocess.exe", "quser.exe", "qwinsta.exe", "rcsi.exe", "reg.exe", "regasm.exe",
- "regsvcs.exe", "regsvr32.exe", "sc.exe", "schtasks.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe", "whoami.exe",
- "wmic.exe", "wscript.exe", "xwizard.exe", "explorer.exe", "rundll32.exe", "hh.exe", "msdt.exe")
+ process.parent.name : (
+ "eqnedt32.exe", "excel.exe", "fltldr.exe", "msaccess.exe",
+ "mspub.exe", "powerpnt.exe", "winword.exe", "outlook.exe"
+ ) and
+ process.name : (
+ "Microsoft.Workflow.Compiler.exe", "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", "cdb.exe",
+ "certutil.exe", "cmd.exe", "cmstp.exe", "control.exe", "cscript.exe", "csi.exe", "dnx.exe", "dsget.exe",
+ "dsquery.exe", "forfiles.exe", "fsi.exe", "ftp.exe", "gpresult.exe", "hostname.exe", "ieexec.exe", "iexpress.exe",
+ "installutil.exe", "ipconfig.exe", "mshta.exe", "msxsl.exe", "nbtstat.exe", "net.exe", "net1.exe", "netsh.exe",
+ "netstat.exe", "nltest.exe", "odbcconf.exe", "ping.exe", "powershell.exe", "pwsh.exe", "qprocess.exe",
+ "quser.exe", "qwinsta.exe", "rcsi.exe", "reg.exe", "regasm.exe", "regsvcs.exe", "regsvr32.exe", "sc.exe",
+ "schtasks.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe", "whoami.exe", "wmic.exe", "wscript.exe",
+ "xwizard.exe", "explorer.exe", "rundll32.exe", "hh.exe", "msdt.exe"
+ ) and
+ not (
+ process.parent.name : "outlook.exe" and
+ process.name : "rundll32.exe" and
+ process.args : "shell32.dll,Control_RunDLL" and
+ process.args : "srchadmin.dll"
+ )
 '''
diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
index 3e9263f4f..4778154d7 100644
--- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
+++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/12/13"
+updated_date = "2024/01/03"
 
 [transform]
 [[transform.osquery]]
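Review bot: The new Outlook exclusion in the trailing `not (` block keys on `process.name : "rundll32.exe"`, and the name is attacker-controlled: a macro that drops its own binary as rundll32.exe under the user profile and launches it with `shell32.dll,Control_RunDLL srchadmin.dll` would be suppressed, because `process.args` is only matched as two separate values the payload is free to ignore. Anchoring on the real image instead, `process.executable : ("?:\\Windows\\System32\\rundll32.exe", "?:\\Windows\\SysWOW64\\rundll32.exe") and`, keeps the tuning while closing that hole. A short comment above `not (` naming the benign action this covers (presumably Outlook opening the Indexing Options applet) would also stop the next tuner from widening it.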
@@ -104,21 +104,14 @@ query = '''
 sequence by process.entity_id with maxspan=2m
 [process where host.os.type == "windows" and event.type == "start" and process.pid != 4 and not user.id : ("S-1-5-19", "S-1-5-20") and
- not (process.code_signature.trusted == true and not process.code_signature.subject_name : ("Microsoft*", "Famatech Corp.", "Insecure.Com LLC")) and
+ not (process.code_signature.trusted == true and not process.code_signature.subject_name : ("Famatech Corp.", "Insecure.Com LLC")) and
 not (process.name : "powershell.exe" and process.args : "?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_*.ps1") and
 not (process.executable : "?:\\EnterpriseCare\\tools\\*\\bin\\java.exe" and process.args : "com.*.launcher.Invoker") and
 not (process.executable : "?:\\Docusnap*\\Tools\\*\\nmap.exe" and process.args : "smb-os-discovery.nse") and
 not process.executable : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe",
- "?:\\Windows\\ProPatches\\Installation\\InstallationSandbox*\\stdeploy.exe",
- "?:\\Program Files (x86)\\Fortinet\\FSAE\\collectoragent.exe",
- "?:\\Program Files (x86)\\Nmap\\nmap.exe",
- "?:\\Program Files\\Azure Advanced Threat Protection Sensor\\*\\Microsoft.Tri.Sensor.exe",
- "?:\\Program Files\\CloudMatters\\auvik\\AuvikService-release-*\\AuvikService.exe",
- "?:\\Program Files\\uptime software\\uptime\\UptimeDataCollector.exe",
- "?:\\Program Files\\CloudMatters\\auvik\\AuvikAgentService.exe",
- "?:\\Program Files\\Rumble\\rumble-agent-*.exe")]
+ "?:\\Windows\\ProPatches\\Installation\\InstallationSandbox*\\stdeploy.exe")]
 [network where host.os.type == "windows" and destination.port == 445 and process.pid != 4 and not cidrmatch(destination.ip, "127.0.0.1", "::1")]
 until [process where host.os.type == "windows" and event.type == "end"]
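Review bot: Dropping `"Microsoft*"` from the signer carve-out on the first changed line means every image with a trusted Microsoft signature is now excluded from the sequence, not only the two third-party scanners that remain listed. That removes the built-in Microsoft-signed tooling an operator would use for direct SMB, and since `process.code_signature` describes the on-disk image, it also suppresses a payload injected into any Microsoft-signed host process, which undercuts the rule's premise of catching non-System processes talking to 445 themselves. If the noise came from specific Microsoft binaries, I would list them by `process.executable` next to the surviving `stdeploy.exe` entry rather than drop the whole pattern, and in any case record the reason in a comment on that line. The removed Program Files entries look redundant with the kept `"?:\\Program Files\\*.exe"` patterns, so that part is fine; the query's closing lines are outside the hunk.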
diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
index fb71e2ec9..adef76f3e 100644
--- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
+++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2023/10/09"
+updated_date = "2024/01/03"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -102,7 +102,22 @@ query = '''
 sequence with maxspan=1m
 [file where host.os.type == "windows" and event.type in ("creation", "change") and process.pid == 4 and (file.extension : "exe" or file.Ext.header_bytes : "4d5a*")] by host.id, file.path
- [process where host.os.type == "windows" and event.type == "start"] by host.id, process.executable
+ [process where host.os.type == "windows" and event.type == "start" and
+ not (
+ /* Veeam related processes */
+ (
+ process.name : (
+ "VeeamGuestHelper.exe", "VeeamGuestIndexer.exe", "VeeamAgent.exe", "VeeamLogShipper.exe", "Veeam.VSS.Sharepoint2010.exe"
+ ) and process.code_signature.trusted == true and process.code_signature.subject_name : "Veeam Software Group GmbH"
+ ) or
+ /* PDQ related processes */
+ (
+ process.name : (
+ "PDQInventoryScanner.exe", "PDQInventoryMonitor.exe", "PDQInventory-Scanner-?.exe", "PDQInventoryWakeCommand-?.exe"
+ ) and process.code_signature.trusted == true and process.code_signature.subject_name : "PDQ.com Corporation"
+ )
+ )
+ ] by host.id, process.executable
 '''
diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
index 8bbbc5939..4457e665b 100644
--- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
+++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
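Review bot: The two new comments `/* Veeam related processes */` and `/* PDQ related processes */` name the vendor but not the property that makes each exclusion safe: the `process.name` match only counts together with `process.code_signature.trusted == true` and the vendor's `subject_name`, which is what stops a binary written over the share under the name `VeeamAgent.exe` from being suppressed. Saying so in the comment, e.g. `/* Veeam agents: binaries the backup server presumably pushes over admin shares; the signature check is what makes this safe, keep it */`, protects the check the next time a vendor is appended. Whether the `code_signature` fields are populated depends on the endpoint data source, which the rule's `integration = ["endpoint"]` line suggests but the hunk does not prove. The first sequence stage is visible, but the rule's preceding lines are outside the hunk.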
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/04"
 
 [rule]
 author = ["Elastic"]
@@ -34,8 +34,11 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- process.name : ("cmd.exe", "powershell.exe", "robocopy.exe", "xcopy.exe") and
- process.args : ("copy*", "move*", "cp", "mv") and process.args : "*$*"
+ (
+ process.name : ("cmd.exe", "powershell.exe", "xcopy.exe") and
+ process.args : ("copy*", "move*", "cp", "mv") or
+ process.name : "robocopy.exe"
+ ) and process.args : "*\\\\*\\*$*"
 '''
diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml
index ef8fb7f7d..d2508e3d7 100644
--- a/rules/windows/lateral_movement_remote_services.toml
+++ b/rules/windows/lateral_movement_remote_services.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/16"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/06/22"
+updated_date = "2024/01/04"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
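Review bot: The tightened share pattern `"*\\\\*\\*$*"` on the last added line only matches backslash UNC paths, so a copy that the old `"*$*"` still caught through a forward-slash UNC path, which PowerShell's path handling accepts as far as I know (`cp //host/c$/x.exe .`), no longer matches even though `powershell.exe` and its `cp`/`mv` aliases are in scope; `process.args : ("*\\\\*\\*$*", "*//*/*$*")` keeps the new precision without that gap. Splitting `robocopy.exe` out so it no longer needs a `copy*`/`move*` argument reads as a fix, since robocopy takes no such verb, but that asymmetry deserves a one-line comment above the opening `(` so it is not "re-tuned" away later. The `'''` closer is visible, but the rule's remaining lines are outside the hunk.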
@@ -114,35 +114,36 @@ sequence with maxspan=1s
 ] by host.id, process.entity_id
 [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "services.exe" and
- not (process.executable : "?:\\Windows\\System32\\svchost.exe" and process.args : "tiledatamodelsvc") and
 not (process.executable : "?:\\Windows\\System32\\msiexec.exe" and process.args : "/V") and
- not process.executable :
- ("?:\\Windows\\ADCR_Agent\\adcrsvc.exe",
- "?:\\Windows\\System32\\VSSVC.exe",
- "?:\\Windows\\servicing\\TrustedInstaller.exe",
- "?:\\Windows\\System32\\svchost.exe",
- "?:\\Program Files (x86)\\*.exe",
- "?:\\Program Files\\*.exe",
- "?:\\Windows\\PSEXESVC.EXE",
- "?:\\Windows\\System32\\sppsvc.exe",
- "?:\\Windows\\System32\\wbem\\WmiApSrv.exe",
- "?:\\WINDOWS\\RemoteAuditService.exe",
- "?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe",
- "?:\\Windows\\VeeamLogShipper\\VeeamLogShipper.exe",
- "?:\\Windows\\CAInvokerService.exe",
- "?:\\Windows\\System32\\upfc.exe",
- "?:\\Windows\\AdminArsenal\\PDQ*.exe",
- "?:\\Windows\\System32\\vds.exe",
- "?:\\Windows\\Veeam\\Backup\\VeeamDeploymentSvc.exe",
- "?:\\Windows\\ProPatches\\Scheduler\\STSchedEx.exe",
- "?:\\Windows\\System32\\certsrv.exe",
- "?:\\Windows\\eset-remote-install-service.exe",
- "?:\\Pella Corporation\\Pella Order Management\\GPAutoSvc.exe",
+ not process.executable : (
 "?:\\Pella Corporation\\OSCToGPAutoService\\OSCToGPAutoSvc.exe",
 "?:\\Pella Corporation\\Pella Order Management\\GPAutoSvc.exe",
+ "?:\\Pella Corporation\\Pella Order Management\\GPAutoSvc.exe",
+ "?:\\Program Files (x86)\\*.exe",
+ "?:\\Program Files\\*.exe",
+ "?:\\Windows\\ADCR_Agent\\adcrsvc.exe",
+ "?:\\Windows\\AdminArsenal\\PDQ*.exe",
+ "?:\\Windows\\CAInvokerService.exe",
+ "?:\\Windows\\ccmsetup\\ccmsetup.exe",
+ "?:\\Windows\\eset-remote-install-service.exe",
+ "?:\\Windows\\ProPatches\\Scheduler\\STSchedEx.exe",
+ "?:\\Windows\\PSEXESVC.EXE",
+ "?:\\Windows\\RemoteAuditService.exe",
+ "?:\\Windows\\servicing\\TrustedInstaller.exe",
+ "?:\\Windows\\System32\\certsrv.exe",
+ "?:\\Windows\\System32\\sppsvc.exe",
+ "?:\\Windows\\System32\\srmhost.exe",
+ "?:\\Windows\\System32\\svchost.exe",
+ "?:\\Windows\\System32\\taskhostex.exe",
+ "?:\\Windows\\System32\\upfc.exe",
+ "?:\\Windows\\System32\\vds.exe",
+ "?:\\Windows\\System32\\VSSVC.exe",
+ "?:\\Windows\\System32\\wbem\\WmiApSrv.exe",
 "?:\\Windows\\SysWOW64\\NwxExeSvc\\NwxExeSvc.exe",
- "?:\\Windows\\System32\\taskhostex.exe")
- ] by host.id, process.parent.entity_id
+ "?:\\Windows\\Veeam\\Backup\\VeeamDeploymentSvc.exe",
+ "?:\\Windows\\VeeamLogShipper\\VeeamLogShipper.exe",
+ "?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe"
+ )] by host.id, process.parent.entity_id
 '''
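Review bot: The re-sorted list on the new side appears to carry `"?:\\Pella Corporation\\Pella Order Management\\GPAutoSvc.exe"` twice — the kept line just after `OSCToGPAutoSvc.exe` and the first added line directly below it (the collapsed hunk reads as one context line plus one addition, so please confirm); the sort was the moment to drop the duplicate. The new `ccmsetup.exe` and `srmhost.exe` entries are, like the rest of the list, matched by path alone, so an operator who already holds the admin rights needed to create a remote service can stage a binary at one of these paths and have its start suppressed; where the endpoint provides it, gating the non-System32 entries on `process.code_signature.trusted == true` would narrow that. Dropping the separate `tiledatamodelsvc` clause is safe, since `"?:\\Windows\\System32\\svchost.exe"` stays in the list and already covered it. The first stage of the sequence and the rule's remaining lines are outside the hunk.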