From fd2d36573dc68770d2cac4e4a0154b188916cde7 Mon Sep 17 00:00:00 2001
From: Justin Ibarra
Date: Wed, 21 Oct 2020 01:22:02 +0200
Subject: [PATCH] Update logic in rules using fields: process.code_signature.* or process.pe.original_file_name (#364)
---
...control_remote_file_copy_desktopimgdownldr.toml | 4 +++-
...mand_and_control_remote_file_copy_mpcmdrun.toml | 5 +++--
...credential_access_iis_apppoolsa_pwd_appcmd.toml | 3 ++-
...ntial_access_iis_connectionstrings_dumping.toml | 3 ++-
...sion_execution_suspicious_explorer_winword.toml | 14 ++++++++------
.../defense_evasion_iis_httplogging_disabled.toml | 3 ++-
...efense_evasion_masquerading_renamed_autoit.toml | 3 ++-
.../defense_evasion_rundll32_no_arguments.toml | 8 ++++++--
.../windows/defense_evasion_rundll32_sequence.toml | 8 ++++++--
.../defense_evasion_suspicious_scrobj_load.toml | 5 +++--
.../defense_evasion_suspicious_wmi_script.toml | 6 +++++-
rules/windows/execution_suspicious_psexesvc.toml | 3 ++-
rules/windows/lateral_movement_cmd_service.toml | 4 +++-
rules/windows/privilege_escalation_uac_sdclt.toml | 5 +++--
14 files changed, 50 insertions(+), 24 deletions(-)
diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
index 971050d16..08a12960b 100644
--- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
+++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
@@ -24,7 +24,9 @@ type = "query"
 query = '''
 event.category:process and event.type:(start or process_started) and
- (process.name:desktopimgdownldr.exe or process.pe.original_file_name:desktopimgdownldr.exe) and process.args:/lockscreenurl\:http*
+ (process.name:desktopimgdownldr.exe or process.pe.original_file_name:desktopimgdownldr.exe or
+ winlog.event_data.OriginalFileName:desktopimgdownldr.exe) and
+ process.args:/lockscreenurl\:http*
 '''
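Review bot: The new `winlog.event_data.OriginalFileName:desktopimgdownldr.exe` clause introduces a non-ECS field next to `process.pe.original_file_name`, and nothing in this rule records why; the EQL rules in the same patch carry an inline `/* replace ... once field is available in winlogbeat */` comment, but these `type = "query"` rules have no comment syntax inside the query string, so the rationale is lost exactly where a later maintainer will wonder whether the clause can be dropped. A TOML comment above `query`, e.g. `# winlog.event_data.OriginalFileName is the winlogbeat fallback until process.pe.original_file_name is populated there; remove it then`, would keep the two rule families in step. The same applies to the mpcmdrun, appcmd, aspnet_regiis, explorer_winword, httplogging, autoit and psexesvc hunks. The rest of the query and the rule's index list are outside the visible hunk.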
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
index 8209f9167..20fb08a8e 100644
--- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
+++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@@ -26,8 +26,9 @@ type = "query"
 query = '''
 event.category:process and event.type:(start or process_started) and
- (process.name:MpCmdRun.exe or process.pe.original_file_name:MpCmdRun.exe) and
- process.args:(("-DownloadFile" or "-downloadfile") and "-url" and "-path")
+ (process.name:MpCmdRun.exe or process.pe.original_file_name:MpCmdRun.exe or
+ winlog.event_data.OriginalFileName:MpCmdRun.exe) and
+ process.args:(("-DownloadFile" or "-downloadfile") and "-url" and "-path")
 '''
diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
index d134e5045..e61dca4a1 100644
--- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
+++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
@@ -25,7 +25,8 @@ type = "query"
 query = '''
 event.category:process AND event.type:(start OR process_started) AND
- (process.name:appcmd.exe OR process.pe.original_file_name:appcmd.exe) AND
+ (process.name:appcmd.exe OR process.pe.original_file_name:appcmd.exe or
+ winlog.event_data.OriginalFileName:appcmd.exe) AND
 process.args:(/[lL][iI][sS][tT]/ AND /\/[tT][eE][xX][tT]\:[pP][aA][sS][sS][wW][oO][rR][dD]/)
 '''
diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
index bba38ad96..5f319bb2c 100644
--- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml
+++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
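Review bot: In the appcmd hunk the connector added before `winlog.event_data.OriginalFileName:appcmd.exe` is a lowercase `or`, while every other operator in that query is uppercase (`AND`, `OR`). The uppercase operators and the `/[lL][iI][sS][tT]/` regex terms suggest this file is a Lucene-syntax query (its `language` field is outside the hunk); in Lucene syntax only uppercase `OR` is an operator and a lowercase `or` is parsed as a search term joined by the default operator, so the new clause would be attached only by accident of the default. Writing it as `(process.name:appcmd.exe OR process.pe.original_file_name:appcmd.exe OR` removes the ambiguity and matches the uppercase `OR` the autoit hunk uses for the same change. The mpcmdrun hunk on this line is consistent with its own lowercase style.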
@@ -29,7 +29,8 @@ type = "query"
 query = '''
 event.category:process and event.type:(start or process_started) and
- (process.name:aspnet_regiis.exe or process.pe.original_file_name:aspnet_regiis.exe) and
+ (process.name:aspnet_regiis.exe or process.pe.original_file_name:aspnet_regiis.exe or
+ winlog.event_data.OriginalFileName:aspnet_regiis.exe) and
 process.args:(connectionStrings and "-pdf")
 '''
diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
index 9d0ee7510..51453db17 100644
--- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
+++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
@@ -24,12 +24,14 @@ type = "query"
 query = '''
 event.category:process and event.type:(start or process_started) and
- process.pe.original_file_name:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE) and
- not (process.name:(winword.exe or WINWORD.EXE or explorer.exe or w3wp.exe or Dism.exe) or
- process.executable:("C:\Windows\explorer.exe" or C\:\\Program?Files\\Microsoft?Office\\root\\Office*\\WINWORD.EXE or
- C\:\\Program?Files?\(x86\)\\Microsoft?Office\\root\\Office*\\WINWORD.EXE or
- "C:\Windows\System32\Dism.exe" or "C:\Windows\SysWOW64\Dism.exe" or
- "C:\Windows\System32\inetsrv\w3wp.exe"))
+ (process.pe.original_file_name:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE) or
+ winlog.event_data.OriginalFileName:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE)) and
+ not (process.name:(winword.exe or WINWORD.EXE or explorer.exe or w3wp.exe or Dism.exe) or
+ process.executable:("C:\Windows\explorer.exe" or
+ C\:\\Program?Files\\Microsoft?Office\\root\\Office*\\WINWORD.EXE or
+ C\:\\Program?Files?\(x86\)\\Microsoft?Office\\root\\Office*\\WINWORD.EXE or
+ "C:\Windows\System32\Dism.exe" or "C:\Windows\SysWOW64\Dism.exe" or
+ "C:\Windows\System32\inetsrv\w3wp.exe"))
 '''
diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
index d452ec673..65a6f3556 100644
--- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml
+++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
@@ -24,7 +24,8 @@ type = "query"
 query = '''
 event.category:process and event.type:(start or process_started) and
- (process.name:appcmd.exe or process.pe.original_file_name:appcmd.exe) and
+ (process.name:appcmd.exe or process.pe.original_file_name:appcmd.exe or
+ winlog.event_data.OriginalFileName:appcmd.exe) and
 process.args:/dontLog\:\"True\" and not process.parent.name:iissetup.exe
 '''
diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
index f80a940aa..dd1492f35 100644
--- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
+++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
@@ -23,7 +23,8 @@ type = "query"
 query = '''
 event.category:process AND event.type:(start OR process_started) AND
- process.pe.original_file_name:/[aA][uU][tT][oO][iI][tT]\d\.[eE][xX][eE]/ AND
+ (process.pe.original_file_name:/[aA][uU][tT][oO][iI][tT]\d\.[eE][xX][eE]/ OR
+ winlog.event_data.OriginalFileName:/[aA][uU][tT][oO][iI][tT]\d\.[eE][xX][eE]/) AND
 NOT process.name:/[aA][uU][tT][oO][iI][tT]\d{1,3}\.[eE][xX][eE]/
 '''
diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml
index 652067d5e..33d573d73 100644
--- a/rules/windows/defense_evasion_rundll32_no_arguments.toml
+++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml
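Review bot: The autoit hunk applies a regex term, `winlog.event_data.OriginalFileName:/[aA][uU][tT][oO][iI][tT]\d\.[eE][xX][eE]/`, to a field whose mapping is not visible here; regex terms are term-level queries and only behave as intended on a keyword-mapped field, so if `winlog.event_data.OriginalFileName` is mapped as text or left unmapped in the winlogbeat index template the new branch silently never matches and the rule quietly falls back to the `process.pe.original_file_name` branch alone. That is worth confirming against the index template before relying on the fallback, and a short comment in the TOML noting the keyword requirement would stop the next edit from repeating the assumption. The httplogging hunk on this line uses a plain term on the same field and is less exposed, but shares the mapping dependency.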
@@ -22,9 +22,12 @@ tags = ["Elastic", "Windows"]
 type = "eql"
 query = '''
+/* replace winlog.event_data.OriginalFileName with process.pe.original_file_name once field is available in winlogbeat */
+
 sequence with maxspan=1h
 [process where event.type in ("start", "process_started") and
- (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and
+ (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe" or
+ winlog.event_data.OriginalFileName == "rundll32.exe") and
 /* zero arguments excluding the binary itself (and accounting for when the binary may not be logged in args) */
 ((process.args == "rundll32.exe" and process.args_count == 1) or
@@ -32,7 +35,8 @@ sequence with maxspan=1h
 ] by process.entity_id
 [process where event.type in ("start", "process_started") and
- (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")
+ (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe" or
+ winlog.event_data.OriginalFileName == "rundll32.exe")
 ] by process.parent.entity_id
 '''
diff --git a/rules/windows/defense_evasion_rundll32_sequence.toml b/rules/windows/defense_evasion_rundll32_sequence.toml
index d63c75880..73b3e6ab7 100644
--- a/rules/windows/defense_evasion_rundll32_sequence.toml
+++ b/rules/windows/defense_evasion_rundll32_sequence.toml
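Review bot: Both hunks compare the raw winlog value with `==` against a lowercase literal, `winlog.event_data.OriginalFileName == "rundll32.exe"`, whereas the other rules in this patch expect original file names in their stored case (`EXPLORER.EXE`, `DISM.EXE`, and `psexesvc.exe or PSEXESVC.exe` listed together), which suggests the stored value for rundll32 may not be lowercase either. If `==` is case-sensitive in the EQL version these rules target, the fallback branch never matches and the change adds nothing; either confirm the comparison is case-insensitive for that version or list the stored variants the way the psexesvc rule does, e.g. `winlog.event_data.OriginalFileName in ("rundll32.exe", "RUNDLL32.EXE")` (the uppercase spelling here is an assumption to verify against real events). The same comparison is added in the rundll32_sequence, wmi_script and cmd_service hunks. The first hunk's sequence body continues past the visible lines.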
@@ -22,16 +22,20 @@ tags = ["Elastic", "Windows"]
 type = "eql"
 query = '''
+/* replace winlog.event_data.OriginalFileName with process.pe.original_file_name once field is available in winlogbeat */
+
 sequence by process.entity_id with maxspan=2h
 [process where event.type in ("start", "process_started") and
- (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and
+ (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe" or
+ winlog.event_data.OriginalFileName == "rundll32.exe") and
 /* zero arguments excluding the binary itself (and accounting for when the binary may not be logged in args) */
 ((process.args == "rundll32.exe" and process.args_count == 1) or
 (process.args != "rundll32.exe" and process.args_count == 0))]
 [network where event.type == "connection" and
- (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")]
+ (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe" or
+ winlog.event_data.OriginalFileName == "rundll32.exe")]
 '''
diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
index ddcb5767e..98f8299bc 100644
--- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml
+++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
@@ -11,7 +11,7 @@ Identifies scrobj.dll loaded into unusual Microsoft processes. This usually mean
 executed in the target process.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License"
 name = "Windows Suspicious Script Object Execution"
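Review bot: The added comment `/* replace winlog.event_data.OriginalFileName with process.pe.original_file_name once field is available in winlogbeat */` reads as though `process.pe.original_file_name` were not yet in the query, but the clause two lines below already tests it; what the comment actually means is that the winlog fallback becomes redundant and can be removed. Rewording it, e.g. `/* winlog.event_data.OriginalFileName is a winlogbeat fallback; drop it once winlogbeat populates process.pe.original_file_name */`, says that directly and tells the maintainer which branch to delete. The same comment is added in the rundll32_no_arguments, wmi_script and cmd_service hunks. The scrobj_load index hunk on this line is a scope change (winlogbeat data no longer evaluated) that is only explained by a comment inside the query string, so a reader of the rule metadata alone will not see why.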
@@ -22,9 +22,10 @@ tags = ["Elastic", "Windows"]
 type = "eql"
 query = '''
+/* add winlogbeat-* when process.code_signature.* fields are populated */
+
 sequence by process.entity_id with maxspan=2m
 [process where event.type in ("start", "process_started") and
- /* process.code_signature.* fields need to be populated for 7.10 */
 process.code_signature.subject_name == "Microsoft Corporation" and
 process.code_signature.trusted == true and
 process.name not in ("cscript.exe", "iexplore.exe",
diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml
index 0ac511e2e..135342e14 100644
--- a/rules/windows/defense_evasion_suspicious_wmi_script.toml
+++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml
@@ -24,11 +24,15 @@ type = "eql"
 query = '''
 /* lots of wildcards in the args need to verify args cleanup is accurate
+
+ replace winlog.event_data.OriginalFileName with process.pe.original_file_name once field is available in winlogbeat
 */
+
 sequence by process.entity_id with maxspan=2m
 [process where event.type in ("start", "process_started") and
- (process.name == "wmic.exe" or process.pe.original_file_name == "wmic.exe") and
+ (process.name == "wmic.exe" or process.pe.original_file_name == "wmic.exe" or
+ winlog.event_data.OriginalFileName == "wmic.exe") and
 wildcard(process.args, "format*:*", "/format*:*", "*-format*:*") and not process.args in ("/format:table", "/format:table") or wildcard(process.args, "format*:*")]
 [library where event.type == "start" and file.name in ("jscript.dll", "vbscript.dll")]
diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml
index 4fd15d2e3..c49f8e27b 100644
--- a/rules/windows/execution_suspicious_psexesvc.toml
+++ b/rules/windows/execution_suspicious_psexesvc.toml
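Review bot: In the wmi_script hunk the widened name check is undercut by the unchanged trailing `or wildcard(process.args, "format*:*")` on the context line right after it: as in most query languages `and` binds tighter than `or` in EQL, so that branch matches any process start with a `format*:*` argument regardless of `process.name`, `process.pe.original_file_name` or the new `winlog.event_data.OriginalFileName` clause, and the `not process.args in (...)` exclusion does not apply to it either. If the name filter is meant to hold for every match, the argument conditions need their own parentheses, e.g. `((wildcard(process.args, "format*:*", "/format*:*", "*-format*:*") and not process.args in ("/format:table", "/format:table")) or` / `wildcard(process.args, "format*:*"))]`, or the extra `or` branch should be dropped, since its pattern is already in the first wildcard list. The repeated literal `"/format:table", "/format:table"` also looks like a copy-paste; the intended second value (perhaps without the slash) should be confirmed. The scrobj_load hunk on this line only relocates a comment; the rest of both queries is outside the visible lines.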
@@ -23,7 +23,8 @@ type = "query"
 query = '''
 event.category:process and event.type:(start or process_started) and
- process.pe.original_file_name:(psexesvc.exe or PSEXESVC.exe) and
+ (process.pe.original_file_name:(psexesvc.exe or PSEXESVC.exe) or
+ winlog.event_data.OriginalFileName:(psexesvc.exe or PSEXESVC.exe)) and
 process.parent.name:services.exe and not process.name:(psexesvc.exe or PSEXESVC.exe)
 '''
diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml
index 9d6efb782..0cd198cf3 100644
--- a/rules/windows/lateral_movement_cmd_service.toml
+++ b/rules/windows/lateral_movement_cmd_service.toml
@@ -23,10 +23,12 @@ type = "eql"
 query = '''
 /* dependent on a wildcard for remote path */
+/* replace winlog.event_data.OriginalFileName with process.pe.original_file_name once field is available in winlogbeat */
 sequence by process.entity_id with maxspan=1m
 [process where event.type in ("start", "process_started") and
- (process.name == "sc.exe" or process.pe.original_file_name == "sc.exe") and
+ (process.name == "sc.exe" or process.pe.original_file_name == "sc.exe" or
+ winlog.event_data.OriginalFileName == "sc.exe") and
 wildcard(process.args, "\\\\*") and wildcard(process.args, "binPath*", "binpath*") and process.args in ("create", "config", "failure", "start")]
 [network where event.type == "connection" and process.name == "sc.exe" and destination.address != "127.0.0.1"]
diff --git a/rules/windows/privilege_escalation_uac_sdclt.toml b/rules/windows/privilege_escalation_uac_sdclt.toml
index f9ccd940d..9d017d244 100644
--- a/rules/windows/privilege_escalation_uac_sdclt.toml
+++ b/rules/windows/privilege_escalation_uac_sdclt.toml
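Review bot: In the cmd_service hunk the process stage now accepts an `sc.exe` identified only by `process.pe.original_file_name` or `winlog.event_data.OriginalFileName`, but the network stage on the last context line still requires `process.name == "sc.exe"`, so an event that enters the sequence through the new fallback can never complete it; for the renamed-binary case the fallback is presumably meant to cover, the widening has no effect. The rundll32_sequence hunk in this same patch updates its network stage to match, and this one should do the same: `[network where event.type == "connection" and (process.name == "sc.exe" or process.pe.original_file_name == "sc.exe" or` / `winlog.event_data.OriginalFileName == "sc.exe") and destination.address != "127.0.0.1"]`. The psexesvc hunk on this line is a plain disjunction change with no such second stage. The tail of the cmd_service hunk is outside the visible lines.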
@@ -11,7 +11,7 @@ Identifies User Account Control (UAC) bypass via sdclt.exe. Attackers bypass UAC
 elevated permissions.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*"]
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License"
 name = "Bypass UAC via Sdclt"
@@ -22,9 +22,10 @@ tags = ["Elastic", "Windows"]
 type = "eql"
 query = '''
+/* add winlogbeat-* when process.code_signature.* fields are populated */
+
 sequence with maxspan=1m
 [process where event.type in ("start", "process_started") and process.name == "sdclt.exe" and
- /* process.code_signature.* fields need to be populated for 7.10 */
 process.code_signature.subject_name == "Microsoft Corporation" and
 process.code_signature.trusted == true and
 process.args == "/kickoffelev"
 ] by process.entity_id