From fccfafea6bab436dfbc333c220f7da9b42bf617f Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Thu, 23 Jan 2025 16:12:42 -0300 Subject: [PATCH] [Rule Tuning] Improve Detection Compatibility with Non-English Logs (#4410) * [Rule Tuning] Improve Detection Compatibility with Non-English Logs * Update rules/windows/persistence_dontexpirepasswd_account.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update credential_access_disable_kerberos_preauth.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Mika Ayenson --- .../credential_access_adidns_wildcard.toml | 6 +++--- .../credential_access_adidns_wpad_record.toml | 5 ++--- ...ential_access_dcsync_newterm_subjectuser.toml | 6 +++--- ...dential_access_dcsync_replication_rights.toml | 6 +++--- .../credential_access_dcsync_user_backdoor.toml | 4 ++-- ...edential_access_disable_kerberos_preauth.toml | 9 +++++---- .../credential_access_dnsnode_creation.toml | 5 ++--- .../credential_access_ldap_attributes.toml | 4 ++-- ...ntial_access_lsass_memdump_handle_access.toml | 4 ++-- ...abledelegationprivilege_assigned_to_user.toml | 5 ++--- .../credential_access_shadow_credentials.toml | 8 ++++---- ...credential_access_spn_attribute_modified.toml | 5 ++--- ...spicious_winreg_access_via_sebackup_priv.toml | 4 ++-- ...nse_evasion_audit_policy_disabled_winlog.toml | 15 +++++++++++---- .../discovery_high_number_ad_properties.toml | 5 ++--- rules/windows/persistence_ad_adminsdholder.toml | 5 ++--- .../persistence_dontexpirepasswd_account.toml | 16 +++++++++++----- ...ersistence_msds_alloweddelegateto_krbtgt.toml | 5 ++--- ...ersistence_sdprop_exclusion_dsheuristics.toml | 5 ++--- .../privilege_escalation_credroaming_ldap.toml | 6 +++--- 20 files changed, 67 insertions(+), 61 deletions(-) 
diff --git a/rules/windows/credential_access_adidns_wildcard.toml b/rules/windows/credential_access_adidns_wildcard.toml index f38ecdfef..2bf5b07df 100644 --- a/rules/windows/credential_access_adidns_wildcard.toml +++ b/rules/windows/credential_access_adidns_wildcard.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/26" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/22" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -64,8 +64,8 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -any where host.os.type == "windows" and event.action in ("Directory Service Changes", "directory-service-object-modified") and - event.code == "5137" and startsWith(winlog.event_data.ObjectDN, "DC=*,") +any where host.os.type == "windows" and event.code == "5137" and + startsWith(winlog.event_data.ObjectDN, "DC=*,") ''' note = """## Triage and analysis diff --git a/rules/windows/credential_access_adidns_wpad_record.toml b/rules/windows/credential_access_adidns_wpad_record.toml index 633b81034..d0a6b7d80 100644 --- a/rules/windows/credential_access_adidns_wpad_record.toml +++ b/rules/windows/credential_access_adidns_wpad_record.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/03" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/22" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -61,8 +61,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -any where host.os.type == "windows" and event.action in ("Directory Service Changes", "directory-service-object-modified") and - event.code == "5137" and winlog.event_data.ObjectDN : "DC=wpad,*" +any where host.os.type == "windows" and event.code == "5137" and winlog.event_data.ObjectDN : "DC=wpad,*" ''' note = """## Triage and analysis 
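Review bot: With the `event.action` clause gone, the only thing tying this 5137 match to the Security log is the numeric `event.code`, and Windows event IDs are unique per provider, not per host, while `logs-windows.*` can carry channels other than Security. Whether another provider in those indices ever emits ID 5137 cannot be told from here, so if you want to keep the specificity the removed clause gave, add a locale-independent provider constraint such as `winlog.channel == "Security"` or `event.provider == "Microsoft-Windows-Security-Auditing"` next to `host.os.type == "windows"`. The same consideration applies to the WPAD hunk below, which makes the identical change.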
diff --git a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml index 297d75438..54c0dd437 100644 --- a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml +++ b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml @@ -2,7 +2,7 @@ creation_date = "2022/12/19" integration = ["windows", "system"] maturity = "production" -updated_date = "2024/10/28" +updated_date = "2025/01/22" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -97,8 +97,8 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.action:("Directory Service Access" or "object-operation-performed") and event.code:"4662" and - winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or +event.code:"4662" and winlog.event_data.Properties:( + *DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and not winlog.event_data.SubjectUserName:(*$ or MSOL_*) diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml index d6cdd685f..ba0d89a7f 100644 --- a/rules/windows/credential_access_dcsync_replication_rights.toml +++ b/rules/windows/credential_access_dcsync_replication_rights.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/08" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/01/22" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -98,8 +98,8 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -any where event.action : ("Directory Service Access", "object-operation-performed") and - event.code == "4662" and winlog.event_data.Properties : ( +any where event.code == "4662" and + winlog.event_data.Properties : ( /* Control Access Rights/Permissions Symbol */ diff --git a/rules/windows/credential_access_dcsync_user_backdoor.toml b/rules/windows/credential_access_dcsync_user_backdoor.toml index 5830645d1..bdd3afffb 100644 --- a/rules/windows/credential_access_dcsync_user_backdoor.toml +++ b/rules/windows/credential_access_dcsync_user_backdoor.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/10" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/22" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -85,7 +85,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and +event.code:"5136" and winlog.event_data.AttributeLDAPDisplayName:"nTSecurityDescriptor" and winlog.event_data.AttributeValue : ( ( diff --git a/rules/windows/credential_access_disable_kerberos_preauth.toml b/rules/windows/credential_access_disable_kerberos_preauth.toml index 544479e0c..8dd8527b6 100644 --- a/rules/windows/credential_access_disable_kerberos_preauth.toml +++ b/rules/windows/credential_access_disable_kerberos_preauth.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/24" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/10/28" +updated_date = "2025/01/22" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
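Review bot: The rewritten `any where event.code == "4662" and` clause carries no `host.os.type == "windows"` guard, unlike the adidns and dnsnode rules in the same patch, so the patch leaves the set of rules inconsistent about which discriminators remain once `event.action` is removed; `any where host.os.type == "windows" and event.code == "4662" and` would align it and costs nothing. The `winlog.event_data.Properties : (` list and the remainder of this query continue outside the hunk, so I could not check the rest of the filter.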
@@ -15,7 +15,7 @@ cracking attacks such as AS-REP roasting. """ from = "now-9m" index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] -language = "kuery" +language = "eql" license = "Elastic License v2" name = "Kerberos Pre-authentication Disabled for User" note = """## Triage and analysis @@ -83,10 +83,11 @@ tags = [ "Data Source: System", ] timestamp_override = "event.ingested" -type = "query" +type = "eql" query = ''' -event.code:4738 and winlog.api:"wineventlog" and message:"'Don't Require Preauth' - Enabled" +any where host.os.type == "windows" and event.code == "4738" and + winlog.event_data.NewUACList == "USER_DONT_REQUIRE_PREAUTH" ''' diff --git a/rules/windows/credential_access_dnsnode_creation.toml b/rules/windows/credential_access_dnsnode_creation.toml index 37610fcc5..8061bf849 100644 --- a/rules/windows/credential_access_dnsnode_creation.toml +++ b/rules/windows/credential_access_dnsnode_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/26" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/22" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -64,8 +64,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -any where host.os.type == "windows" and event.action in ("Directory Service Changes", "directory-service-object-modified") and - event.code == "5137" and winlog.event_data.ObjectClass == "dnsNode" and +any where host.os.type == "windows" and event.code == "5137" and winlog.event_data.ObjectClass == "dnsNode" and not winlog.event_data.SubjectUserName : "*$" ''' note = """## Triage and analysis diff --git a/rules/windows/credential_access_ldap_attributes.toml b/rules/windows/credential_access_ldap_attributes.toml index 48342b4a8..f5aa05988 100644 --- a/rules/windows/credential_access_ldap_attributes.toml +++ b/rules/windows/credential_access_ldap_attributes.toml 
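Review bot: Matching `winlog.event_data.NewUACList == "USER_DONT_REQUIRE_PREAUTH"` changes what the rule detects: if NewUACList is, as its name suggests, the decoded full New UAC Value of the account, it contains that flag on every 4738 for an account that already has pre-authentication disabled (password reset, display-name change, and so on), whereas the old `'Don't Require Preauth' - Enabled` text only matched the event that newly enabled it. Expect alert volume to rise where standing AS-REP-roastable accounts exist, and the description/triage text should state that the rule now fires on any modification of such an account. The 4738 `User Account Control` field lists only the flags that changed; if the integration exposes it in a locale-independent form (the raw `%%` resource codes rather than rendered text), matching on that would preserve the original "newly enabled" semantics. The `winlog.api:"wineventlog"` constraint was dropped along with the message match, which is fine only if the index patterns hold nothing but winlog data.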
@@ -2,7 +2,7 @@ creation_date = "2022/11/09" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/22" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -56,7 +56,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -any where event.action in ("Directory Service Access", "object-operation-performed") and event.code == "4662" and +any where event.code == "4662" and not winlog.event_data.SubjectUserSid : "S-1-5-18" and diff --git a/rules/windows/credential_access_lsass_memdump_handle_access.toml b/rules/windows/credential_access_lsass_memdump_handle_access.toml index 9a4d4cbaf..1072f03db 100644 --- a/rules/windows/credential_access_lsass_memdump_handle_access.toml +++ b/rules/windows/credential_access_lsass_memdump_handle_access.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/16" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/01/22" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -145,7 +145,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -any where event.action == "File System" and event.code == "4656" and +any where event.code == "4656" and winlog.event_data.ObjectName : ( "?:\\Windows\\System32\\lsass.exe", diff --git a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml index 373f75f2a..66db4bfc4 100644 --- a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml +++ b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml 
@@ -2,7 +2,7 @@ creation_date = "2022/01/27" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/10/28" +updated_date = "2025/01/22" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -92,8 +92,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.action:"Authorization Policy Change" and event.code:4704 and - winlog.event_data.PrivilegeList:"SeEnableDelegationPrivilege" +event.code:4704 and winlog.event_data.PrivilegeList:"SeEnableDelegationPrivilege" ''' diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml index 82d995885..ed983271e 100644 --- a/rules/windows/credential_access_shadow_credentials.toml +++ b/rules/windows/credential_access_shadow_credentials.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/26" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/10/28" +updated_date = "2025/01/22" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -101,9 +101,9 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and - winlog.event_data.AttributeLDAPDisplayName:"msDS-KeyCredentialLink" and winlog.event_data.AttributeValue :B\:828* and - not winlog.event_data.SubjectUserName: MSOL_* +event.code:"5136" and winlog.event_data.AttributeLDAPDisplayName:"msDS-KeyCredentialLink" and + winlog.event_data.AttributeValue :B\:828* and + not winlog.event_data.SubjectUserName: MSOL_* ''' diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml index c9893d590..7ca5f4403 100644 --- a/rules/windows/credential_access_spn_attribute_modified.toml +++ b/rules/windows/credential_access_spn_attribute_modified.toml 
@@ -2,7 +2,7 @@ creation_date = "2022/02/22" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/10/28" +updated_date = "2025/01/22" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -100,8 +100,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:5136 and - winlog.event_data.OperationType:"%%14674" and +event.code:5136 and winlog.event_data.OperationType:"%%14674" and winlog.event_data.ObjectClass:"user" and winlog.event_data.AttributeLDAPDisplayName:"servicePrincipalName" ''' diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml index 154aad2f3..adf1d67c5 100644 --- a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml +++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/16" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/01/22" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -104,7 +104,7 @@ sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan= /* excluding accounts with existing privileged access */ not winlog.event_data.PrivilegeList : "SeDebugPrivilege"] - [any where event.action == "Detailed File Share" and winlog.event_data.RelativeTargetName : "winreg"] + [any where event.code == "5145" and winlog.event_data.RelativeTargetName : "winreg"] ''' diff --git a/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml b/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml index ee1c2864e..2906a9058 100644 --- a/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml 
+++ b/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/14" integration = ["windows", "system"] maturity = "production" -updated_date = "2025/01/14" +updated_date = "2025/01/22" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -87,9 +87,16 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.action : "changed-audit-config" and event.code : "4719" and host.os.type : "windows" and - winlog.event_data.AuditPolicyChangesDescription : "Success removed" and - winlog.event_data.SubCategory : ("Logon" or "Audit Policy Change" or "Process Creation" or "Audit Other System Events" or "Audit Security Group Management" or "Audit User Account Management") +event.code : "4719" and host.os.type : "windows" and + winlog.event_data.AuditPolicyChangesDescription : "Success removed" and + winlog.event_data.SubCategory : ( + "Logon" or + "Audit Policy Change" or + "Process Creation" or + "Audit Other System Events" or + "Audit Security Group Management" or + "Audit User Account Management" + ) ''' diff --git a/rules/windows/discovery_high_number_ad_properties.toml b/rules/windows/discovery_high_number_ad_properties.toml index 167cf8700..cc4f4b7e9 100644 --- a/rules/windows/discovery_high_number_ad_properties.toml +++ b/rules/windows/discovery_high_number_ad_properties.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/29" integration = ["windows", "system"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/22" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
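Review bot: The `SubCategory` list mixes two naming forms, `"Logon"` and `"Process Creation"` without a prefix and the other four with an `Audit ` prefix, and a given 4719 subcategory is rendered one way only, so either part of this list never matches or the field's values are inconsistent; please confirm against real events which form the pipeline emits (`"Logon"` vs `"Audit Logon"`, `"Other System Events"` vs `"Audit Other System Events"`). Since the aim of the patch is locale independence, it is also worth checking that `winlog.event_data.SubCategory` is derived by the pipeline from the subcategory GUID rather than taken from the rendered message; if it is not, keying on the raw `winlog.event_data.SubcategoryGuid` value is the locale-proof alternative. `AuditPolicyChangesDescription : "Success removed"` is presumably a pipeline-derived field and should be fine.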
@@ -46,8 +46,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -any where event.action in ("Directory Service Access", "object-operation-performed") and - event.code == "4662" and not winlog.event_data.SubjectUserSid : "S-1-5-18" and +any where event.code == "4662" and not winlog.event_data.SubjectUserSid : "S-1-5-18" and winlog.event_data.AccessMaskDescription == "Read Property" and length(winlog.event_data.Properties) >= 2000 ''' note = """## Triage and analysis diff --git a/rules/windows/persistence_ad_adminsdholder.toml b/rules/windows/persistence_ad_adminsdholder.toml index 9cbede4e6..1c76f19a1 100644 --- a/rules/windows/persistence_ad_adminsdholder.toml +++ b/rules/windows/persistence_ad_adminsdholder.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/31" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/22" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -41,8 +41,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:5136 and - winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System* +event.code:5136 and winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System* ''' note = """## Triage and analysis diff --git a/rules/windows/persistence_dontexpirepasswd_account.toml b/rules/windows/persistence_dontexpirepasswd_account.toml index 7ec546f3a..2f4688477 100644 --- a/rules/windows/persistence_dontexpirepasswd_account.toml +++ b/rules/windows/persistence_dontexpirepasswd_account.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/22" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/10/28" +updated_date = "2025/01/22" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -23,7 +23,7 @@ false_positives = [ ] from = "now-9m" index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] -language = "kuery" +language = "eql" license = "Elastic License v2" name = "Account Configured with Never-Expiring Password" note = """## Triage and analysis @@ -75,11 +75,17 @@ tags = [ "Data Source: System", ] timestamp_override = "event.ingested" -type = "query" +type = "eql" query = ''' -event.action:"modified-user-account" and winlog.api:"wineventlog" and event.code:"4738" and - message:"'Don't Expire Password' - Enabled" and not user.id:"S-1-5-18" +any where host.os.type == "windows" and +( + (event.code == "4738" and winlog.event_data.NewUACList == "USER_DONT_EXPIRE_PASSWORD") or + ( + event.code == "5136" and winlog.event_data.AttributeLDAPDisplayName == "userAccountControl" and + winlog.event_data.AttributeValue in ("66048", "66080") + ) +) ''' diff --git a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml index 7aa73ce88..8d9f0243a 100644 --- a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml +++ b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/27" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/22" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -54,8 +54,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -iam where event.action == "modified-user-account" and event.code == "4738" and - winlog.event_data.AllowedToDelegateTo : "*krbtgt*" +iam where event.code == "4738" and winlog.event_data.AllowedToDelegateTo : "*krbtgt*" ''' note = """## Triage and analysis diff --git a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml index f184ec06c..d3d7f4429 100644 
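Review bot: The new 5136 branch matches `winlog.event_data.AttributeValue in ("66048", "66080")` with no `OperationType` filter, so it also fires on the value-deleted event that a userAccountControl replace emits for the old value — that is, when an operator turns never-expire OFF on an account that was 66048 — and the paired value-added event raises a second alert for one change; the SPN and credroaming rules in this patch key on `winlog.event_data.OperationType : "%%14674"` (value added) and this branch should do the same. The two literal values only cover NORMAL_ACCOUNT (0x200), optionally with PASSWD_NOTREQD (0x20), plus DONT_EXPIRE_PASSWORD (0x10000); any other flag combination, e.g. 66050 for an account that is also disabled, is missed, which should be stated in the rule's note since, to my knowledge, EQL offers no bitmask test. The old query also excluded `user.id:"S-1-5-18"`; the rewrite drops that SYSTEM exclusion with no replacement, which will surface the automated changes it suppressed — reinstate it as `not winlog.event_data.SubjectUserSid : "S-1-5-18"` (the form the ldap_attributes rule uses) unless the removal was intentional.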
--- a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml +++ b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/24" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/01/22" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -101,8 +101,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -any where event.action in ("Directory Service Changes", "directory-service-object-modified") and - event.code == "5136" and +any where event.code == "5136" and winlog.event_data.AttributeLDAPDisplayName : "dSHeuristics" and length(winlog.event_data.AttributeValue) > 15 and winlog.event_data.AttributeValue regex~ "[0-9]{15}([1-9a-f]).*" diff --git a/rules/windows/privilege_escalation_credroaming_ldap.toml b/rules/windows/privilege_escalation_credroaming_ldap.toml index a3bfa6edc..6e2c1d046 100644 --- a/rules/windows/privilege_escalation_credroaming_ldap.toml +++ b/rules/windows/privilege_escalation_credroaming_ldap.toml @@ -2,7 +2,7 @@ creation_date = "2022/11/09" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/22" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -57,8 +57,8 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and - winlog.event_data.AttributeLDAPDisplayName:"msPKIAccountCredentials" and winlog.event_data.OperationType:"%%14674" and +event.code:"5136" and winlog.event_data.AttributeLDAPDisplayName:"msPKIAccountCredentials" and + winlog.event_data.OperationType:"%%14674" and not winlog.event_data.SubjectUserSid : "S-1-5-18" ''' note = """## Triage and analysis