Update logic in rules using fields: process.code_signature.* or process.pe.original_file_name (#364)

2020-10-21 01:22:02 +02:00
parent d3226c72c9
commit fd2d36573d
14 changed files with 50 additions and 24 deletions
@@ -24,7 +24,9 @@ type = "query"

 query = '''
 event.category:process and event.type:(start or process_started) and
- (process.name:desktopimgdownldr.exe or process.pe.original_file_name:desktopimgdownldr.exe) and process.args:/lockscreenurl\:http*
+  (process.name:desktopimgdownldr.exe or process.pe.original_file_name:desktopimgdownldr.exe or
+     winlog.event_data.OriginalFileName:desktopimgdownldr.exe) and
+  process.args:/lockscreenurl\:http*
 '''


@@ -26,8 +26,9 @@ type = "query"

 query = '''
 event.category:process and event.type:(start or process_started) and
- (process.name:MpCmdRun.exe or process.pe.original_file_name:MpCmdRun.exe) and
-   process.args:(("-DownloadFile" or "-downloadfile") and "-url" and "-path")
+  (process.name:MpCmdRun.exe or process.pe.original_file_name:MpCmdRun.exe or
+    winlog.event_data.OriginalFileName:MpCmdRun.exe) and
+  process.args:(("-DownloadFile" or "-downloadfile") and "-url" and "-path")
 '''


@@ -25,7 +25,8 @@ type = "query"

 query = '''
 event.category:process AND event.type:(start OR process_started) AND
-  (process.name:appcmd.exe OR process.pe.original_file_name:appcmd.exe) AND
+  (process.name:appcmd.exe OR process.pe.original_file_name:appcmd.exe or
+     winlog.event_data.OriginalFileName:appcmd.exe) AND
  process.args:(/[lL][iI][sS][tT]/ AND /\/[tT][eE][xX][tT]\:[pP][aA][sS][sS][wW][oO][rR][dD]/)
 '''

@@ -29,7 +29,8 @@ type = "query"

 query = '''
 event.category:process and event.type:(start or process_started) and
-  (process.name:aspnet_regiis.exe or process.pe.original_file_name:aspnet_regiis.exe) and 
+  (process.name:aspnet_regiis.exe or process.pe.original_file_name:aspnet_regiis.exe or
+     winlog.event_data.OriginalFileName:aspnet_regiis.exe) and
  process.args:(connectionStrings and "-pdf")
 '''

@@ -24,12 +24,14 @@ type = "query"

 query = '''
 event.category:process and event.type:(start or process_started) and
- process.pe.original_file_name:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE) and
- not (process.name:(winword.exe or WINWORD.EXE or explorer.exe or w3wp.exe or Dism.exe) or
-             process.executable:("C:\Windows\explorer.exe" or C\:\\Program?Files\\Microsoft?Office\\root\\Office*\\WINWORD.EXE or 
-                C\:\\Program?Files?\(x86\)\\Microsoft?Office\\root\\Office*\\WINWORD.EXE or 
-                 "C:\Windows\System32\Dism.exe" or "C:\Windows\SysWOW64\Dism.exe" or 
-                  "C:\Windows\System32\inetsrv\w3wp.exe"))
+  (process.pe.original_file_name:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE) or
+     winlog.event_data.OriginalFileName:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE)) and
+  not (process.name:(winword.exe or WINWORD.EXE or explorer.exe or w3wp.exe or Dism.exe) or
+             process.executable:("C:\Windows\explorer.exe" or
+                                  C\:\\Program?Files\\Microsoft?Office\\root\\Office*\\WINWORD.EXE or
+                                  C\:\\Program?Files?\(x86\)\\Microsoft?Office\\root\\Office*\\WINWORD.EXE or
+                                 "C:\Windows\System32\Dism.exe" or "C:\Windows\SysWOW64\Dism.exe" or
+                                 "C:\Windows\System32\inetsrv\w3wp.exe"))
 '''


@@ -24,7 +24,8 @@ type = "query"

 query = '''
 event.category:process and event.type:(start or process_started) and
-  (process.name:appcmd.exe or process.pe.original_file_name:appcmd.exe) and
+  (process.name:appcmd.exe or process.pe.original_file_name:appcmd.exe or
+     winlog.event_data.OriginalFileName:appcmd.exe) and
  process.args:/dontLog\:\"True\" and
  not process.parent.name:iissetup.exe
 '''
@@ -23,7 +23,8 @@ type = "query"

 query = '''
 event.category:process AND event.type:(start OR process_started) AND
-  process.pe.original_file_name:/[aA][uU][tT][oO][iI][tT]\d\.[eE][xX][eE]/ AND
+  (process.pe.original_file_name:/[aA][uU][tT][oO][iI][tT]\d\.[eE][xX][eE]/ OR
+     winlog.event_data.OriginalFileName:/[aA][uU][tT][oO][iI][tT]\d\.[eE][xX][eE]/) AND
  NOT process.name:/[aA][uU][tT][oO][iI][tT]\d{1,3}\.[eE][xX][eE]/
 '''

@@ -22,9 +22,12 @@ tags = ["Elastic", "Windows"]
 type = "eql"

 query = '''
+/* replace winlog.event_data.OriginalFileName with process.pe.original_file_name once field is available in winlogbeat */
+
 sequence with maxspan=1h
  [process where event.type in ("start", "process_started") and
-     (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and
+     (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe" or
+        winlog.event_data.OriginalFileName == "rundll32.exe") and

     /* zero arguments excluding the binary itself (and accounting for when the binary may not be logged in args) */
     ((process.args == "rundll32.exe" and process.args_count == 1) or
@@ -32,7 +35,8 @@ sequence with maxspan=1h

  ] by process.entity_id
  [process where event.type in ("start", "process_started") and
-     (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")
+     (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe" or
+        winlog.event_data.OriginalFileName == "rundll32.exe")
  ] by process.parent.entity_id
 '''

@@ -22,16 +22,20 @@ tags = ["Elastic", "Windows"]
 type = "eql"

 query = '''
+/* replace winlog.event_data.OriginalFileName with process.pe.original_file_name once field is available in winlogbeat */
+
 sequence by process.entity_id with maxspan=2h
  [process where event.type in ("start", "process_started") and
-     (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and
+     (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe" or
+        winlog.event_data.OriginalFileName == "rundll32.exe") and

     /* zero arguments excluding the binary itself (and accounting for when the binary may not be logged in args) */
     ((process.args == "rundll32.exe" and process.args_count == 1) or
      (process.args != "rundll32.exe" and process.args_count == 0))]

  [network where event.type == "connection" and
-     (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")]
+     (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe" or
+        winlog.event_data.OriginalFileName == "rundll32.exe")]
 '''


@@ -11,7 +11,7 @@ Identifies scrobj.dll loaded into unusual Microsoft processes. This usually mean
 executed in the target process.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License"
 name = "Windows Suspicious Script Object Execution"
@@ -22,9 +22,10 @@ tags = ["Elastic", "Windows"]
 type = "eql"

 query = '''
+/* add winlogbeat-* when process.code_signature.* fields are populated */
+
 sequence by process.entity_id with maxspan=2m
  [process where event.type in ("start", "process_started") and
-     /* process.code_signature.* fields need to be populated for 7.10 */
     process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true and
     process.name not in ("cscript.exe",
                          "iexplore.exe",
@@ -24,11 +24,15 @@ type = "eql"
 query = '''
 /* lots of wildcards in the args
   need to verify args cleanup is accurate
+
+   replace winlog.event_data.OriginalFileName with process.pe.original_file_name once field is available in winlogbeat
 */

+
 sequence by process.entity_id with maxspan=2m
 [process where event.type in ("start", "process_started") and
-   (process.name == "wmic.exe" or process.pe.original_file_name == "wmic.exe") and
+   (process.name == "wmic.exe" or process.pe.original_file_name == "wmic.exe" or
+      winlog.event_data.OriginalFileName == "wmic.exe") and
   wildcard(process.args, "format*:*", "/format*:*", "*-format*:*") and
   not process.args in ("/format:table", "/format:table") or wildcard(process.args, "format*:*")]
 [library where event.type == "start" and file.name in ("jscript.dll", "vbscript.dll")]
@@ -23,7 +23,8 @@ type = "query"

 query = '''
 event.category:process and event.type:(start or process_started) and
-  process.pe.original_file_name:(psexesvc.exe or PSEXESVC.exe) and
+  (process.pe.original_file_name:(psexesvc.exe or PSEXESVC.exe) or
+     winlog.event_data.OriginalFileName:(psexesvc.exe or PSEXESVC.exe)) and
  process.parent.name:services.exe and
  not process.name:(psexesvc.exe or PSEXESVC.exe)
 '''
@@ -23,10 +23,12 @@ type = "eql"

 query = '''
 /* dependent on a wildcard for remote path */
+/* replace winlog.event_data.OriginalFileName with process.pe.original_file_name once field is available in winlogbeat */

 sequence by process.entity_id with maxspan=1m
  [process where event.type in ("start", "process_started") and
-     (process.name == "sc.exe" or process.pe.original_file_name == "sc.exe") and
+     (process.name == "sc.exe" or process.pe.original_file_name == "sc.exe" or
+        winlog.event_data.OriginalFileName == "sc.exe") and
     wildcard(process.args, "\\\\*") and wildcard(process.args, "binPath*", "binpath*") and
     process.args in ("create", "config", "failure", "start")]
  [network where event.type == "connection" and process.name == "sc.exe" and destination.address != "127.0.0.1"]
@@ -11,7 +11,7 @@ Identifies User Account Control (UAC) bypass via sdclt.exe. Attackers bypass UAC
 elevated permissions.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License"
 name = "Bypass UAC via Sdclt"
@@ -22,9 +22,10 @@ tags = ["Elastic", "Windows"]
 type = "eql"

 query = '''
+/* add winlogbeat-* when process.code_signature.* fields are populated */
+
 sequence with maxspan=1m
  [process where event.type in ("start", "process_started") and process.name == "sdclt.exe" and
-     /* process.code_signature.* fields need to be populated for 7.10 */
     process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true and
     process.args == "/kickoffelev"
  ] by process.entity_id