From ffe8e5bfc580b591c513336ed5b4a25cd462392b Mon Sep 17 00:00:00 2001
From: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Date: Wed, 3 Feb 2021 11:09:29 -0500
Subject: [PATCH] [Rule Tuning] Update file.name to dll.name for Library events (#893)

* [Rule Tuning] Update file.name to dll.name for Library events
* replace == with :
* updated_date
* removed spacing inconsistencies
* jibs likes spaces
* NOT again jibs
---
 ...efense_evasion_suspicious_scrobj_load.toml | 24 ++---
 ...defense_evasion_suspicious_wmi_script.toml | 10 +-
 ...tion_scheduled_task_powershell_source.toml | 3 +-
 ...n_suspicious_image_load_wmi_ms_office.toml | 9 +-
 ...ecution_suspicious_powershell_imgload.toml | 96 +++++++++----------
 ...ccess_scripts_process_started_via_wmi.toml | 43 ++++-----
 ...ement_suspicious_rdp_client_imageload.toml | 24 ++---
 ...stence_local_scheduled_task_scripting.toml | 5 +-
 ...s_image_load_scheduled_task_ms_office.toml | 9 +-
 ...rivilege_escalation_wpad_exploitation.toml | 13 ++-
 10 files changed, 116 insertions(+), 120 deletions(-)

diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
index a12379bbc..bab116c9f 100644
--- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml
+++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
@@ -23,19 +23,20 @@ type = "eql"
 query = '''
 /* add winlogbeat-* when process.code_signature.* fields are populated */
-sequence by process.entity_id with maxspan=2m
+sequence by process.entity_id with maxspan = 2m
 [process where event.type in ("start", "process_started") and
 /* uncomment once in winlogbeat */
- /* process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true and */
- not (process.name : "cscript.exe" or
- process.name : "iexplore.exe" or
- process.name : "MicrosoftEdge.exe" or
- process.name : "msiexec.exe" or
- process.name : "smartscreen.exe" or
- process.name : "taskhostw.exe" or
- process.name : "w3wp.exe" or
- process.name : "wscript.exe")]
- [library where event.type == "start" and file.name : "scrobj.dll"]
+ /* process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted : true and */
+ not process.name : (
+ "cscript.exe",
+ "iexplore.exe",
+ "MicrosoftEdge.exe",
+ "msiexec.exe",
+ "smartscreen.exe",
+ "taskhostw.exe",
+ "w3wp.exe",
+ "wscript.exe")]
+ [library where event.type == "start" and dll.name : "scrobj.dll"]
 '''
@@ -46,4 +47,3 @@ framework = "MITRE ATT&CK"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml
index f764a0cd8..e8da57355 100644
--- a/rules/windows/defense_evasion_suspicious_wmi_script.toml
+++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2021/01/20"
 [rule]
 author = ["Elastic"]
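Review bot: The updated comment `process.code_signature.trusted : true` will not work the day it is uncommented, because (if I read EQL's operator rules correctly) `:` is a case-insensitive string match and `trusted` is a boolean field; keep that half as `process.code_signature.trusted == true` even though the `subject_name` half can use `:`. The new `[library ...]` line keeps `event.type == "start"` while the wpad hunk later in this patch switches the same comparison to `event.type : "start"` — either works, but the ruleset should settle on one (the wmi_script hunk also keeps `==`). This file's `[metadata] updated_date` is not bumped, whereas defense_evasion_suspicious_wmi_script.toml and privilege_escalation_wpad_exploitation.toml get `updated_date = "2021/01/20"`; unless the date is regenerated by tooling, the other eight files in the diffstat should receive the same bump.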
@@ -23,10 +23,10 @@ type = "eql" query = ''' sequence by process.entity_id with maxspan=2m [process where event.type in ("start", "process_started") and - (process.name : "WMIC.exe" or process.pe.original_file_name == "wmic.exe") and - wildcard(process.args, "format*:*", "/format*:*", "*-format*:*") and - not wildcard(process.command_line, "* /format:table *")] -[library where event.type == "start" and file.name in ("jscript.dll", "vbscript.dll")] + (process.name : "WMIC.exe" or process.pe.original_file_name : "wmic.exe") and + process.args : ("format*:*", "/format*:*", "*-format*:*") and + not process.command_line : "* /format:table *"] +[library where event.type == "start" and dll.name : ("jscript.dll", "vbscript.dll")] ''' diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml index f871c98fe..208162588 100644 --- a/rules/windows/execution_scheduled_task_powershell_source.toml +++ b/rules/windows/execution_scheduled_task_powershell_source.toml @@ -26,7 +26,7 @@ type = "eql" query = ''' sequence by host.id, process.entity_id with maxspan = 5s - [library where file.name: "taskschd.dll" and process.name: ("powershell.exe", "pwsh.exe")] + [library where dll.name : "taskschd.dll" and process.name : ("powershell.exe", "pwsh.exe")] [network where process.name : ("powershell.exe", "pwsh.exe") and destination.port == 135 and not destination.address in ("127.0.0.1", "::1")] ''' @@ -43,4 +43,3 @@ reference = "https://attack.mitre.org/techniques/T1053/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml index 312a0225f..74399a80b 100644 --- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml +++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml 
@@ -24,10 +24,10 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "eql"
 query = '''
-library where process.name in ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and
- event.action == "load" and
- event.category == "library" and
- file.name == "wmiutils.dll"
+library where process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and
+ event.action : "load" and
+ event.category : "library" and
+ dll.name : "wmiutils.dll"
 '''
@@ -43,4 +43,3 @@ reference = "https://attack.mitre.org/techniques/T1047/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml
index a2c021e51..5d75289a6 100644
--- a/rules/windows/execution_suspicious_powershell_imgload.toml
+++ b/rules/windows/execution_suspicious_powershell_imgload.toml
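Review bot: The rewritten `event.category : "library"` clause is redundant: the leading `library where` already restricts the query to events whose category is library, so the extra comparison never changes the result and only adds reading noise to a query an analyst sees in every alert; the same clause is carried over in the persistence_suspicious_image_load_scheduled_task_ms_office hunk. Dropping it leaves `library where process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and event.action : "load" and dll.name : "wmiutils.dll"`. If the clause is being kept deliberately for a data source that emits library events under another category, a one-line `/* ... */` comment saying so would stop the next tuning pass from removing it.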
@@ -21,55 +21,56 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"] type = "eql" query = ''' -library where file.name : ("System.Management.Automation.ni.dll", "System.Management.Automation.dll") and +library where dll.name : ("System.Management.Automation.ni.dll", "System.Management.Automation.dll") and /* add false positives relevant to your environment here */ not process.executable : ("C:\\Windows\\System32\\RemoteFXvGPUDisablement.exe", "C:\\Windows\\System32\\sdiagnhost.exe", "C:\\Program Files*\\*.exe") and - not process.name : ( - "Altaro.SubAgent.exe", - "AppV_Manage.exe", - "azureadconnect.exe", - "CcmExec.exe", - "configsyncrun.exe", - "choco.exe", - "ctxappvservice.exe", - "DVLS.Console.exe", - "edgetransport.exe", - "exsetup.exe", - "forefrontactivedirectoryconnector.exe", - "InstallUtil.exe", - "JenkinsOnDesktop.exe", - "Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe", - "mmc.exe", - "mscorsvw.exe", - "msexchangedelivery.exe", - "msexchangefrontendtransport.exe", - "msexchangehmworker.exe", - "msexchangesubmission.exe", - "msiexec.exe", - "MsiExec.exe", - "noderunner.exe", - "NServiceBus.Host.exe", - "NServiceBus.Host32.exe", - "NServiceBus.Hosting.Azure.HostProcess.exe", - "OuiGui.WPF.exe", - "powershell.exe", - "powershell_ise.exe", - "pwsh.exe", - "SCCMCliCtrWPF.exe", - "ScriptEditor.exe", - "ScriptRunner.exe", - "sdiagnhost.exe", - "servermanager.exe", - "setup100.exe", - "ServiceHub.VSDetouredHost.exe", - "SPCAF.Client.exe", - "SPCAF.SettingsEditor.exe", - "SQLPS.exe", - "telemetryservice.exe", - "UMWorkerProcess.exe", - "w3wp.exe", - "wsmprovhost.exe" - ) + not process.name : + ( + "Altaro.SubAgent.exe", + "AppV_Manage.exe", + "azureadconnect.exe", + "CcmExec.exe", + "configsyncrun.exe", + "choco.exe", + "ctxappvservice.exe", + "DVLS.Console.exe", + "edgetransport.exe", + "exsetup.exe", + "forefrontactivedirectoryconnector.exe", + "InstallUtil.exe", + "JenkinsOnDesktop.exe", + 
"Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe", + "mmc.exe", + "mscorsvw.exe", + "msexchangedelivery.exe", + "msexchangefrontendtransport.exe", + "msexchangehmworker.exe", + "msexchangesubmission.exe", + "msiexec.exe", + "MsiExec.exe", + "noderunner.exe", + "NServiceBus.Host.exe", + "NServiceBus.Host32.exe", + "NServiceBus.Hosting.Azure.HostProcess.exe", + "OuiGui.WPF.exe", + "powershell.exe", + "powershell_ise.exe", + "pwsh.exe", + "SCCMCliCtrWPF.exe", + "ScriptEditor.exe", + "ScriptRunner.exe", + "sdiagnhost.exe", + "servermanager.exe", + "setup100.exe", + "ServiceHub.VSDetouredHost.exe", + "SPCAF.Client.exe", + "SPCAF.SettingsEditor.exe", + "SQLPS.exe", + "telemetryservice.exe", + "UMWorkerProcess.exe", + "w3wp.exe", + "wsmprovhost.exe" + ) ''' @@ -90,4 +91,3 @@ reference = "https://attack.mitre.org/techniques/T1059/001/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml index 3221c1b5e..c610fd30e 100644 --- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml +++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml 
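Review bot: The re-indented `not process.name :` list still carries both `"msiexec.exe"` and `"MsiExec.exe"`; `:` compares case-insensitively, so the second entry can never match anything the first does not, and one of them should go. `"sdiagnhost.exe"` is likewise excluded twice — by full path in the `process.executable` clause above and by bare name in this list — and the name form is the broader of the two (any path), so if the path-restricted exclusion was intentional the list entry silently defeats it. A short comment above the list, such as `/* names match case-insensitively; keep sorted and deduplicated */`, would keep the duplicate from coming back on the next tuning pass.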
@@ -21,30 +21,30 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"] type = "eql" query = ''' -sequence by host.id with maxspan=5s - [library where file.name : "wmiutils.dll" and process.name : ("wscript.exe", "cscript.exe")] +sequence by host.id with maxspan = 5s + [library where dll.name : "wmiutils.dll" and process.name : ("wscript.exe", "cscript.exe")] [process where event.type in ("start", "process_started") and process.parent.name : "wmiprvse.exe" and user.domain != "NT AUTHORITY" and - (process.pe.original_file_name in - ( - "cscript.exe", - "wscript.exe", - "PowerShell.EXE", - "Cmd.Exe", - "MSHTA.EXE", - "RUNDLL32.EXE", - "REGSVR32.EXE", - "MSBuild.exe", - "InstallUtil.exe", - "RegAsm.exe", - "RegSvcs.exe", - "msxsl.exe", - "CONTROL.EXE", - "EXPLORER.EXE", - "Microsoft.Workflow.Compiler.exe", - "msiexec.exe" - ) or + (process.pe.original_file_name : + ( + "cscript.exe", + "wscript.exe", + "PowerShell.EXE", + "Cmd.Exe", + "MSHTA.EXE", + "RUNDLL32.EXE", + "REGSVR32.EXE", + "MSBuild.exe", + "InstallUtil.exe", + "RegAsm.exe", + "RegSvcs.exe", + "msxsl.exe", + "CONTROL.EXE", + "EXPLORER.EXE", + "Microsoft.Workflow.Compiler.exe", + "msiexec.exe" + ) or process.executable : ("C:\\Users\\*.exe", "C:\\ProgramData\\*.exe") ) ] @@ -68,4 +68,3 @@ reference = "https://attack.mitre.org/techniques/T1566/001/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml index 159e99a2a..1666ee801 100644 --- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml +++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml 
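Review bot: With `in` replaced by the case-insensitive `:` on `process.pe.original_file_name`, the mixed casing in the new list (`"PowerShell.EXE"`, `"Cmd.Exe"`, `"MSHTA.EXE"`, `"RUNDLL32.EXE"`, ...) no longer carries any meaning, and a reader may take it as a deliberate exact-case match; normalising the entries to one case, e.g. `"powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe"`, makes it obvious that case is not intended to matter. The rest of the list and the `process.executable : ("C:\\Users\\*.exe", "C:\\ProgramData\\*.exe")` alternative are unchanged in meaning by this commit.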
@@ -22,18 +22,21 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
 type = "eql"
 query = '''
-library where file.name == "mstscax.dll" and
+library where dll.name : "mstscax.dll" and
 /* depending on noise in your env add here extra paths */
- wildcard(process.executable, "C:\\Windows\\*",
- "C:\\Users\\Public\\*",
- "C:\\Users\\Default\\*",
- "C:\\Intel\\*",
- "C:\\PerfLogs\\*",
- "C:\\ProgramData\\*",
- "\\Device\\Mup\\*",
- "\\\\*") and
+ process.executable :
+ (
+ "C:\\Windows\\*",
+ "C:\\Users\\Public\\*",
+ "C:\\Users\\Default\\*",
+ "C:\\Intel\\*",
+ "C:\\PerfLogs\\*",
+ "C:\\ProgramData\\*",
+ "\\Device\\Mup\\*",
+ "\\\\*"
+ ) and
 /* add here FPs */
- not process.executable in ("C:\\Windows\\System32\\mstsc.exe", "C:\\Windows\\SysWOW64\\mstsc.exe")
+ not process.executable : ("C:\\Windows\\System32\\mstsc.exe", "C:\\Windows\\SysWOW64\\mstsc.exe")
 '''
@@ -49,4 +52,3 @@ reference = "https://attack.mitre.org/techniques/T1021/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml
index cd0a91b71..922b0ed48 100644
--- a/rules/windows/persistence_local_scheduled_task_scripting.toml
+++ b/rules/windows/persistence_local_scheduled_task_scripting.toml
@@ -16,7 +16,7 @@ language = "eql"
 license = "Elastic License"
 name = "Scheduled Task Created by a Windows Script"
 note = "Decode the base64 encoded Tasks Actions registry value to investigate the task's configured action."
-risk_score = 43
+risk_score = 47
 rule_id = "689b9d57-e4d5-4357-ad17-9c334609d79a"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
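Review bot: The rewritten `process.executable :` list hard-codes `C:` in every path (`"C:\\Windows\\*"`, `"C:\\Users\\Public\\*"`, `"C:\\ProgramData\\*"`, ...), and the `not process.executable : (...)` exclusion below does the same, so a host whose system volume is not `C:` never matches this rule at all; if the deployed EQL version supports `?` as a single-character wildcard, `"?:\\Windows\\*"` (and likewise for the other drive-rooted entries and the two `mstsc.exe` paths) covers that without widening anything else. The removed `wildcard(...)` form had the same limitation, but the list was rewritten here, so this is the natural place to address it. The `"\\Device\\Mup\\*"` and `"\\\\*"` entries are unaffected.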
@@ -24,7 +24,7 @@ type = "eql"
 query = '''
 sequence by host.id with maxspan = 30s
- [library where file.name : "taskschd.dll" and process.name : ("cscript.exe", "wscript.exe", "powershell.exe")]
+ [library where dll.name : "taskschd.dll" and process.name : ("cscript.exe", "wscript.exe", "powershell.exe")]
 [registry where registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"]
 '''
@@ -41,4 +41,3 @@ reference = "https://attack.mitre.org/techniques/T1053/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
index 48604cbad..176c83f11 100644
--- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
+++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
@@ -26,10 +26,10 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "eql"
 query = '''
-library where process.name in ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and
- event.action == "load" and
- event.category == "library" and
- file.name == "taskschd.dll"
+library where process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and
+ event.action : "load" and
+ event.category : "library" and
+ dll.name : "taskschd.dll"
 '''
@@ -45,4 +45,3 @@ reference = "https://attack.mitre.org/techniques/T1053/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/windows/privilege_escalation_wpad_exploitation.toml b/rules/windows/privilege_escalation_wpad_exploitation.toml
index 756e3c892..d3bc6c4f5 100644
--- a/rules/windows/privilege_escalation_wpad_exploitation.toml
+++ b/rules/windows/privilege_escalation_wpad_exploitation.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/02" maturity = "development" -updated_date = "2020/12/17" +updated_date = "2021/01/20" [rule] author = ["Elastic"] @@ -27,13 +27,13 @@ query = ''' sequence with maxspan=5s [process where event.type in ("start", "process_started") and process.name : "svchost.exe" and - user.domain == "NT AUTHORITY" and user.name == "LOCAL SERVICE"] by process.entity_id - [network where network.protocol == "dns" and process.name : "svchost.exe" and + user.domain : "NT AUTHORITY" and user.name : "LOCAL SERVICE"] by process.entity_id + [network where network.protocol : "dns" and process.name : "svchost.exe" and dns.question.name : "wpad" and process.name : "svchost.exe"] by process.entity_id [network where process.name : "svchost.exe" - and network.direction == "outgoing" and destination.port == 80] by process.entity_id - [library where event.type == "start" and process.name : "svchost.exe" and - file.name : "jscript.dll" and process.name : "svchost.exe"] by process.entity_id + and network.direction : "outgoing" and destination.port == 80] by process.entity_id + [library where event.type : "start" and process.name : "svchost.exe" and + dll.name : "jscript.dll" and process.name : "svchost.exe"] by process.entity_id [process where event.type in ("start", "process_started") and process.parent.name : "svchost.exe"] by process.parent.entity_id ''' @@ -51,4 +51,3 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" -
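Review bot: The rewritten `[library ...]` event tests `process.name : "svchost.exe"` twice — once on the `event.type : "start"` line and again after `dll.name : "jscript.dll"` — and the rewritten `[network where network.protocol : "dns" ...]` event repeats it the same way on its context line; the second occurrence in each is dead and can be dropped, leaving `dll.name : "jscript.dll"] by process.entity_id` and `dns.question.name : "wpad"] by process.entity_id`. The sequence header keeps `maxspan=5s` while the scrobj and scripts_process_started_via_wmi hunks in this patch normalise to `maxspan = 2m` / `maxspan = 5s` spacing, so this file should follow the same convention. `destination.port == 80` correctly stays `==`, since `:` is a string operator and must not be applied to the numeric port.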