[Rule Tuning] Update file.name to dll.name for Library events (#893)

* [Rule Tuning] Update file.name to dll.name for Library events * replace == with : * updated_date * removed spacing inconsistencies * jibs likes spaces * NOT again jibs
2021-02-03 11:09:29 -05:00
parent fdf9384e4d
commit ffe8e5bfc5
10 changed files with 116 additions and 120 deletions
@@ -23,19 +23,20 @@ type = "eql"
 query = '''
 /* add winlogbeat-* when process.code_signature.* fields are populated */

-sequence by process.entity_id with maxspan=2m
+sequence by process.entity_id with maxspan = 2m
  [process where event.type in ("start", "process_started") and
     /* uncomment once in winlogbeat */
-     /* process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true and */
-     not (process.name : "cscript.exe" or
-          process.name : "iexplore.exe" or
-          process.name : "MicrosoftEdge.exe" or
-          process.name : "msiexec.exe" or
-          process.name : "smartscreen.exe" or
-          process.name : "taskhostw.exe" or
-          process.name : "w3wp.exe" or
-          process.name : "wscript.exe")]
-  [library where event.type == "start" and file.name : "scrobj.dll"]
+     /* process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted : true and */
+     not process.name : (
+       "cscript.exe",
+       "iexplore.exe",
+       "MicrosoftEdge.exe",
+       "msiexec.exe",
+       "smartscreen.exe",
+       "taskhostw.exe",
+       "w3wp.exe",
+       "wscript.exe")]
+  [library where event.type == "start" and dll.name : "scrobj.dll"]
 '''


@@ -46,4 +47,3 @@ framework = "MITRE ATT&CK"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2021/01/20"

 [rule]
 author = ["Elastic"]
@@ -23,10 +23,10 @@ type = "eql"
 query = '''
 sequence by process.entity_id with maxspan=2m
 [process where event.type in ("start", "process_started") and
-   (process.name : "WMIC.exe" or process.pe.original_file_name == "wmic.exe") and
-   wildcard(process.args, "format*:*", "/format*:*", "*-format*:*") and
-   not wildcard(process.command_line, "* /format:table *")]
-[library where event.type == "start" and file.name in ("jscript.dll", "vbscript.dll")]
+   (process.name : "WMIC.exe" or process.pe.original_file_name : "wmic.exe") and
+   process.args : ("format*:*", "/format*:*", "*-format*:*") and
+   not process.command_line : "* /format:table *"]
+[library where event.type == "start" and dll.name : ("jscript.dll", "vbscript.dll")]
 '''


@@ -26,7 +26,7 @@ type = "eql"

 query = '''
 sequence by host.id, process.entity_id with maxspan = 5s
- [library where file.name: "taskschd.dll" and process.name: ("powershell.exe", "pwsh.exe")]
+ [library where dll.name : "taskschd.dll" and process.name : ("powershell.exe", "pwsh.exe")]
 [network where process.name : ("powershell.exe", "pwsh.exe") and destination.port == 135 and not destination.address in ("127.0.0.1", "::1")]
 '''

@@ -43,4 +43,3 @@ reference = "https://attack.mitre.org/techniques/T1053/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
@@ -24,10 +24,10 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "eql"

 query = '''
-library where process.name in ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and
-  event.action == "load" and
-  event.category == "library" and
-  file.name == "wmiutils.dll"
+library where process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and
+  event.action : "load" and
+  event.category : "library" and
+  dll.name : "wmiutils.dll"
 '''


@@ -43,4 +43,3 @@ reference = "https://attack.mitre.org/techniques/T1047/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
@@ -21,55 +21,56 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "eql"

 query = '''
-library where file.name : ("System.Management.Automation.ni.dll", "System.Management.Automation.dll") and
+library where dll.name : ("System.Management.Automation.ni.dll", "System.Management.Automation.dll") and
 /* add false positives relevant to your environment here */
 not process.executable : ("C:\\Windows\\System32\\RemoteFXvGPUDisablement.exe", "C:\\Windows\\System32\\sdiagnhost.exe", "C:\\Program Files*\\*.exe") and
-  not process.name : (
-  "Altaro.SubAgent.exe",
-  "AppV_Manage.exe",
-  "azureadconnect.exe",
-  "CcmExec.exe",
-  "configsyncrun.exe",
-  "choco.exe",
-  "ctxappvservice.exe",
-  "DVLS.Console.exe",
-  "edgetransport.exe",
-  "exsetup.exe",
-  "forefrontactivedirectoryconnector.exe",
-  "InstallUtil.exe",
-  "JenkinsOnDesktop.exe",
-  "Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe",
-  "mmc.exe",
-  "mscorsvw.exe",
-  "msexchangedelivery.exe",
-  "msexchangefrontendtransport.exe",
-  "msexchangehmworker.exe",
-  "msexchangesubmission.exe",
-  "msiexec.exe",
-  "MsiExec.exe",
-  "noderunner.exe",
-  "NServiceBus.Host.exe",
-  "NServiceBus.Host32.exe",
-  "NServiceBus.Hosting.Azure.HostProcess.exe",
-  "OuiGui.WPF.exe",
-  "powershell.exe",
-  "powershell_ise.exe",
-  "pwsh.exe",
-  "SCCMCliCtrWPF.exe",
-  "ScriptEditor.exe",
-  "ScriptRunner.exe",
-  "sdiagnhost.exe",
-  "servermanager.exe",
-  "setup100.exe",
-  "ServiceHub.VSDetouredHost.exe",
-  "SPCAF.Client.exe",
-  "SPCAF.SettingsEditor.exe",
-  "SQLPS.exe",
-  "telemetryservice.exe",
-  "UMWorkerProcess.exe",
-  "w3wp.exe",
-  "wsmprovhost.exe"
- )
+  not process.name :
+  (
+    "Altaro.SubAgent.exe",
+    "AppV_Manage.exe",
+    "azureadconnect.exe",
+    "CcmExec.exe",
+    "configsyncrun.exe",
+    "choco.exe",
+    "ctxappvservice.exe",
+    "DVLS.Console.exe",
+    "edgetransport.exe",
+    "exsetup.exe",
+    "forefrontactivedirectoryconnector.exe",
+    "InstallUtil.exe",
+    "JenkinsOnDesktop.exe",
+    "Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe",
+    "mmc.exe",
+    "mscorsvw.exe",
+    "msexchangedelivery.exe",
+    "msexchangefrontendtransport.exe",
+    "msexchangehmworker.exe",
+    "msexchangesubmission.exe",
+    "msiexec.exe",
+    "MsiExec.exe",
+    "noderunner.exe",
+    "NServiceBus.Host.exe",
+    "NServiceBus.Host32.exe",
+    "NServiceBus.Hosting.Azure.HostProcess.exe",
+    "OuiGui.WPF.exe",
+    "powershell.exe",
+    "powershell_ise.exe",
+    "pwsh.exe",
+    "SCCMCliCtrWPF.exe",
+    "ScriptEditor.exe",
+    "ScriptRunner.exe",
+    "sdiagnhost.exe",
+    "servermanager.exe",
+    "setup100.exe",
+    "ServiceHub.VSDetouredHost.exe",
+    "SPCAF.Client.exe",
+    "SPCAF.SettingsEditor.exe",
+    "SQLPS.exe",
+    "telemetryservice.exe",
+    "UMWorkerProcess.exe",
+    "w3wp.exe",
+    "wsmprovhost.exe"
+  )
 '''


@@ -90,4 +91,3 @@ reference = "https://attack.mitre.org/techniques/T1059/001/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
@@ -21,30 +21,30 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "eql"

 query = '''
-sequence by host.id with maxspan=5s
-    [library where file.name : "wmiutils.dll" and process.name : ("wscript.exe", "cscript.exe")]
+sequence by host.id with maxspan = 5s
+    [library where dll.name : "wmiutils.dll" and process.name : ("wscript.exe", "cscript.exe")]
    [process where event.type in ("start", "process_started") and
     process.parent.name : "wmiprvse.exe" and
     user.domain != "NT AUTHORITY" and
-     (process.pe.original_file_name in
-                                (
-                                  "cscript.exe",
-                                  "wscript.exe",
-                                  "PowerShell.EXE",
-                                  "Cmd.Exe",
-                                  "MSHTA.EXE",
-                                  "RUNDLL32.EXE",
-                                  "REGSVR32.EXE",
-                                  "MSBuild.exe",
-                                  "InstallUtil.exe",
-                                  "RegAsm.exe",
-                                  "RegSvcs.exe",
-                                  "msxsl.exe",
-                                  "CONTROL.EXE",
-                                  "EXPLORER.EXE",
-                                  "Microsoft.Workflow.Compiler.exe",
-                                  "msiexec.exe"
-                                  ) or
+     (process.pe.original_file_name :
+        (
+          "cscript.exe",
+          "wscript.exe",
+          "PowerShell.EXE",
+          "Cmd.Exe",
+          "MSHTA.EXE",
+          "RUNDLL32.EXE",
+          "REGSVR32.EXE",
+          "MSBuild.exe",
+          "InstallUtil.exe",
+          "RegAsm.exe",
+          "RegSvcs.exe",
+          "msxsl.exe",
+          "CONTROL.EXE",
+          "EXPLORER.EXE",
+          "Microsoft.Workflow.Compiler.exe",
+          "msiexec.exe"
+        ) or
      process.executable : ("C:\\Users\\*.exe", "C:\\ProgramData\\*.exe")
     )
    ]
@@ -68,4 +68,3 @@ reference = "https://attack.mitre.org/techniques/T1566/001/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
@@ -22,18 +22,21 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
 type = "eql"

 query = '''
-library where file.name == "mstscax.dll" and
+library where dll.name : "mstscax.dll" and
   /* depending on noise in your env add here extra paths  */
-   wildcard(process.executable, "C:\\Windows\\*",
-                                "C:\\Users\\Public\\*",
-                                "C:\\Users\\Default\\*",
-                                "C:\\Intel\\*",
-                                "C:\\PerfLogs\\*",
-                                "C:\\ProgramData\\*",
-                                "\\Device\\Mup\\*",
-                                "\\\\*") and
+  process.executable :
+    (
+    "C:\\Windows\\*",
+    "C:\\Users\\Public\\*",
+    "C:\\Users\\Default\\*",
+    "C:\\Intel\\*",
+    "C:\\PerfLogs\\*",
+    "C:\\ProgramData\\*",
+    "\\Device\\Mup\\*",
+    "\\\\*"
+    ) and
    /* add here FPs */
-   not process.executable in ("C:\\Windows\\System32\\mstsc.exe", "C:\\Windows\\SysWOW64\\mstsc.exe")
+  not process.executable : ("C:\\Windows\\System32\\mstsc.exe", "C:\\Windows\\SysWOW64\\mstsc.exe")
 '''


@@ -49,4 +52,3 @@ reference = "https://attack.mitre.org/techniques/T1021/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
@@ -16,7 +16,7 @@ language = "eql"
 license = "Elastic License"
 name = "Scheduled Task Created by a Windows Script"
 note = "Decode the base64 encoded Tasks Actions registry value to investigate the task's configured action."
-risk_score = 43
+risk_score = 47
 rule_id = "689b9d57-e4d5-4357-ad17-9c334609d79a"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
@@ -24,7 +24,7 @@ type = "eql"

 query = '''
 sequence by host.id with maxspan = 30s
-  [library where file.name : "taskschd.dll" and process.name : ("cscript.exe", "wscript.exe", "powershell.exe")]
+  [library where dll.name : "taskschd.dll" and process.name : ("cscript.exe", "wscript.exe", "powershell.exe")]
  [registry where registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"]
 '''

@@ -41,4 +41,3 @@ reference = "https://attack.mitre.org/techniques/T1053/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
@@ -26,10 +26,10 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "eql"

 query = '''
-library where process.name in ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and
-  event.action == "load" and
-  event.category == "library" and
-  file.name == "taskschd.dll"
+library where process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and
+  event.action : "load" and
+  event.category : "library" and
+  dll.name : "taskschd.dll"
 '''


@@ -45,4 +45,3 @@ reference = "https://attack.mitre.org/techniques/T1053/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2020/12/17"
+updated_date = "2021/01/20"

 [rule]
 author = ["Elastic"]
@@ -27,13 +27,13 @@ query = '''

 sequence with maxspan=5s
  [process where event.type in ("start", "process_started") and process.name : "svchost.exe" and
-     user.domain == "NT AUTHORITY" and user.name == "LOCAL SERVICE"] by process.entity_id
-  [network where network.protocol == "dns" and process.name : "svchost.exe" and
+     user.domain : "NT AUTHORITY" and user.name : "LOCAL SERVICE"] by process.entity_id
+  [network where network.protocol : "dns" and process.name : "svchost.exe" and
     dns.question.name : "wpad" and process.name : "svchost.exe"] by process.entity_id
  [network where process.name : "svchost.exe"
-     and network.direction == "outgoing" and destination.port == 80] by process.entity_id
-  [library where event.type == "start" and process.name : "svchost.exe" and
-     file.name : "jscript.dll" and process.name : "svchost.exe"] by process.entity_id
+     and network.direction : "outgoing" and destination.port == 80] by process.entity_id
+  [library where event.type : "start" and process.name : "svchost.exe" and
+     dll.name : "jscript.dll" and process.name : "svchost.exe"] by process.entity_id
  [process where event.type in ("start", "process_started") and
     process.parent.name : "svchost.exe"] by process.parent.entity_id
 '''
@@ -51,4 +51,3 @@ reference = "https://attack.mitre.org/techniques/T1068/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-