[Rule Tuning] Windows BBR Promotion (#3577)
* [Rule Tuning] Windows BBR Promotion

* Update non-ecs-schema.json

* Update persistence_netsh_helper_dll.toml

* Update persistence_werfault_reflectdebugger.toml

* Update privilege_escalation_unquoted_service_path.toml

* Update defense_evasion_msdt_suspicious_diagcab.toml

* Update defense_evasion_suspicious_msiexec_execution.toml

* Update discovery_security_software_wmic.toml

* Revert "Update defense_evasion_msdt_suspicious_diagcab.toml"

This reverts commit 0e1f3ea.

* Revert "Update defense_evasion_suspicious_msiexec_execution.toml"

This reverts commit 4e26a16.

* Revert "Update discovery_security_software_wmic.toml"

This reverts commit d638cec.

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
3 people authored Apr 16, 2024
1 parent 114db81 commit c2d1586
Showing 10 changed files with 56 additions and 61 deletions.
Expand Up @@ -4,8 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/09"
bypass_bbr_timing = true
updated_date = "2024/04/05"

[rule]
author = ["Elastic"]
Expand All @@ -16,7 +15,7 @@ before allowing a full RDP session. Attackers can disable NLA to enable persiste
Windows sign-in screen without authenticating, such as Accessibility Features persistence methods, like Sticky Keys.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
index = ["logs-endpoint.events.registry-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Network-Level Authentication (NLA) Disabled"
Expand All @@ -26,9 +25,8 @@ references = [
risk_score = 21
rule_id = "db65f5ba-d1ef-4944-b9e8-7e51060c2b42"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Rule Type: BBR"]
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"

query = '''
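Review bot: `risk_score = 21` and `severity = "low"` are carried over unchanged while the rule stops being a building block (the `Rule Type: BBR` tag, `building_block_type` and `bypass_bbr_timing` are all removed in this section), so a rule that previously never surfaced as an alert now alerts at the lowest triage weight. Building-block rules are commonly left at 21/low precisely because their score is never shown to an analyst; for a promoted rule the score should be a deliberate choice, and the description ties this behaviour to persistence via the sign-in screen, which reads as more than "low". If 21/low is intentional, a one-line justification in the description (e.g. `Kept at low: NLA is routinely toggled by RDP hardening tooling; correlate with other sign-in-screen persistence alerts.`) would save the next reviewer the same question; otherwise raise it. The query body starts at the edge of this section and continues outside it, so I could not check it for tuning that would justify the score.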
Expand Up @@ -4,8 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/25"
bypass_bbr_timing = true
updated_date = "2024/04/05"

[rule]
author = ["Elastic"]
Expand All @@ -14,16 +13,15 @@ Identifies the execution of commonly abused Windows utilities via a delayed Ping
observed during malware installation and is consistent with an attacker attempting to evade detection.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Delayed Execution via Ping"
risk_score = 21
rule_id = "e00b8d49-632f-4dc6-94a5-76153a481915"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
type = "eql"
building_block_type = "default"

query = '''
sequence by process.parent.entity_id with maxspan=1m
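Review bot: I cannot confirm that the narrowed index pattern `logs-endpoint.events.process-*` still covers every step of the sequence, because the body after `sequence by process.parent.entity_id with maxspan=1m` runs past the end of this section. Narrowing from `logs-endpoint.events.*` is only safe if each step is a `process where` query; a step on a file, network or registry event would have no data stream to match against and the sequence would simply never complete, with no error to notice. Please verify every step's event category against the new pattern before merging, or keep the broader pattern for this rule.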
Expand Up @@ -4,27 +4,25 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/23"
updated_date = "2024/04/05"

[rule]
author = ["Elastic"]
description = """
Identifies .lnk shortcut file downloaded from outside the local network. These shortcut files are commonly used in
phishing campaigns.
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
from = "now-9m"
index = ["logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Downloaded Shortcut Files"
risk_score = 21
rule_id = "39157d52-4035-44a8-9d1a-6f8c5f580a07"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"]
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
building_block_type = "default"

query = '''
file where host.os.type == "windows" and event.type == "creation" and file.extension == "lnk" and file.Ext.windows.zone_identifier > 1
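Review bot: `file.extension == "lnk"` is a case-sensitive comparison in EQL, so a shortcut written as `PAYLOAD.LNK` only matches if Endpoint lowercases `file.extension` at ingest, which I cannot confirm from here; Windows resolves the extension case-insensitively either way, so the upper-case form runs exactly like the lower-case one. The case-insensitive `:` operator removes the dependency on ingest normalisation: `file where host.os.type == "windows" and event.type == "creation" and file.extension : "lnk" and file.Ext.windows.zone_identifier > 1`. The query continues past the end of this section, so any later conditions were not reviewed.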
Expand Up @@ -4,17 +4,16 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/23"
updated_date = "2024/04/05"

[rule]
author = ["Elastic"]
description = """
Identifies .url shortcut files downloaded from outside the local network. These shortcut files are commonly used in
phishing campaigns.
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
from = "now-9m"
index = ["logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Downloaded URL Files"
Expand All @@ -23,7 +22,6 @@ rule_id = "cd82e3d6-1346-4afd-8f22-38388bbf34cb"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"

query = '''
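Review bot: The tags line still carries `"Rule Type: BBR"` even though `building_block_type = "default"` is removed in the same hunk, so this rule now generates ordinary alerts while being labelled as a building block; every other rule in this commit drops the tag together with the field. Anything that filters or routes on that tag will keep treating these alerts as building-block output. Proposed line: `tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]`.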
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/23"
updated_date = "2024/04/05"

[rule]
author = ["Elastic"]
Expand All @@ -13,24 +13,31 @@ Managed Object Format (MOF) files can be compiled locally or remotely through mo
files to build their own namespaces and classes into the Windows Management Instrumentation (WMI) repository, or
establish persistence using WMI Event Subscription.
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Mofcomp Activity"
risk_score = 21
rule_id = "210d4430-b371-470e-b879-80b7182aa75e"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"]
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
building_block_type = "default"

query = '''
process where host.os.type == "windows" and event.type == "start" and
process.name : "mofcomp.exe" and process.args : "*.mof" and
not user.id : "S-1-5-18"
not user.id : "S-1-5-18" and
not
(
process.parent.name : "ScenarioEngine.exe" and
process.args : (
"*\\MSSQL\\Binn\\*.mof",
"*\\Microsoft SQL Server\\???\\Shared\\*.mof",
"*\\OLAP\\bin\\*.mof"
)
)
'''

[[rule.threat]]
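Review bot: The new exclusion trusts `process.parent.name : "ScenarioEngine.exe"` combined with path globs that start with `*`, so a .mof compiled by any process that happens to be named ScenarioEngine.exe from, say, `C:\Users\x\MSSQL\Binn\evil.mof` is excluded — both the parent name and the path are attacker-chosen. Anchoring the exclusion on the parent's signature closes that gap: add `process.parent.code_signature.trusted == true and process.parent.code_signature.subject_name : "Microsoft Corporation" and` inside the `not ( ... )` block ahead of the name check (confirm the exact subject string against a real SQL Server setup event first). The `[[rule.threat]]` section that follows continues outside this section.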
Expand Up @@ -4,35 +4,38 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/22"
updated_date = "2024/04/05"

[rule]
author = ["Elastic"]
description = """
Identifies the install of browser extensions. Malicious browser extensions can be installed via app store downloads
masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
from = "now-9m"
index = ["logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Browser Extension Install"
risk_score = 21
rule_id = "f97504ac-1053-498f-aeaa-c6d01e76b379"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR"]
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
building_block_type = "default"

query = '''
file where event.action : "creation" and
file where host.os.type == "windows" and event.action : "creation" and
(
/* Firefox-Based Browsers */
(
file.name : "*.xpi" and
file.path : "?:\\Users\\*\\AppData\\Roaming\\*\\Profiles\\*\\Extensions\\*.xpi"
file.path : "?:\\Users\\*\\AppData\\Roaming\\*\\Profiles\\*\\Extensions\\*.xpi" and
not
(
process.name : "firefox.exe" and
file.name : ("langpack-*@firefox.mozilla.org.xpi", "*@dictionaries.addons.mozilla.org.xpi")
)
) or
/* Chromium-Based Browsers */
(
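Review bot: The Firefox exclusion keys on `process.name : "firefox.exe"` plus the `.xpi` name suffix only, so a dropper renamed to firefox.exe that writes `payload@dictionaries.addons.mozilla.org.xpi` into a profile's Extensions folder is excluded. Requiring a trusted signer on the writing process removes that path: `process.code_signature.trusted == true and process.code_signature.subject_name : "Mozilla Corporation" and` alongside the existing name check (verify the subject name against a current Firefox build before relying on it). The Chromium branch of the query continues outside this section and was not reviewed.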
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/13"
updated_date = "2024/04/05"

[rule]
author = ["Elastic"]
Expand All @@ -13,9 +13,8 @@ Identifies the modification of the Microsoft Office "Office Test" Registry key,
specify a DLL which will be executed every time an MS Office application is started. Attackers can abuse this to gain
persistence on a compromised host.
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
from = "now-9m"
index = ["logs-endpoint.events.registry-*"]
language = "eql"
license = "Elastic License v2"
name = "Office Test Registry Persistence"
Expand All @@ -25,10 +24,9 @@ references = [
risk_score = 21
rule_id = "14dab405-5dd9-450c-8106-72951af2391f"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
building_block_type = "default"

query = '''
registry where host.os.type == "windows" and event.action != "deletion" and
Expand Up @@ -4,8 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/29"
bypass_bbr_timing = true
updated_date = "2024/04/05"

[rule]
author = ["Elastic"]
Expand All @@ -15,20 +14,19 @@ Attackers may abuse this mechanism to execute malicious payloads every time the
by administrators or a scheduled task.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
index = ["logs-endpoint.events.registry-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Netsh Helper DLL"
risk_score = 21
rule_id = "b0638186-4f12-48ac-83d2-47e686d08e82"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"]
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"

query = '''
registry where event.type == "change" and
registry where host.os.type == "windows" and event.type == "change" and
registry.path : (
"HKLM\\Software\\Microsoft\\netsh\\*",
"\\REGISTRY\\MACHINE\\Software\\Microsoft\\netsh\\*"
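Review bot: The query now requires `host.os.type == "windows"` while the index pattern still includes `endgame-*`, and I cannot tell from here whether Endgame documents populate `host.os.type`. If they do not, the new filter silently drops the Endgame coverage that the `Data Source: Elastic Endgame` tag advertises, with no error to notice. Please confirm the field is present in `endgame-*` data (a quick `exists` query on that pattern settles it) before merging; if it is absent, keep the previous `registry where event.type == "change" and` form for this rule. The `registry.path` list continues outside this section.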
Expand Up @@ -4,8 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/29"
bypass_bbr_timing = true
updated_date = "2024/04/05"

[rule]
author = ["Elastic"]
Expand All @@ -14,20 +13,20 @@ Identifies the registration of a Werfault Debugger. Attackers may abuse this mec
every time the utility is executed with the "-pr" parameter.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
index = ["logs-endpoint.events.registry-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Werfault ReflectDebugger Persistence"
references = ["https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html"]
risk_score = 21
rule_id = "205b52c4-9c28-4af4-8979-935f3278d61a"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"]
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"

query = '''
registry where event.type == "change" and
registry where host.os.type == "windows" and event.type == "change" and
registry.path : (
"HKLM\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger",
"\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger"
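Review bot: Adding `host.os.type == "windows"` to a query that also reads `endgame-*` is only safe if Endgame events carry that field, which I cannot verify from this page; if they do not, every ReflectDebugger change seen only through Endgame is filtered out silently while the `Data Source: Elastic Endgame` tag still claims coverage. Check `host.os.type` exists on a sample of `endgame-*` registry documents before merging, and if it does not, keep the query as `registry where event.type == "change" and` for this rule. The `registry.path` list continues outside this section.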
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/17"
updated_date = "2024/04/05"

[rule]
author = ["Elastic"]
Expand All @@ -13,22 +13,20 @@ Adversaries may leverage unquoted service path vulnerabilities to escalate privi
higher-level directory within the path of an unquoted service executable, Windows will natively launch this executable
from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution.
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Exploitation of an Unquoted Service Path Vulnerability"
risk_score = 21
rule_id = "12de29d4-bbb0-4eef-b687-857e8a163870"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Rule Type: BBR", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"

query = '''
process where event.type == "start" and
process where host.os.type == "windows" and event.type == "start" and
(
process.executable : "?:\\Program.exe" or
process.executable regex """(C:\\Program Files \(x86\)\\|C:\\Program Files\\)\w+.exe"""
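Review bot: The two executable checks disagree about the drive: `process.executable : "?:\\Program.exe"` accepts any drive letter, while the regex `"""(C:\\Program Files \(x86\)\\|C:\\Program Files\\)\w+.exe"""` is hard-wired to `C:`, so the second hop of an unquoted-path hijack on a host whose system drive is not C: is missed; the trailing `.exe` also has an unescaped dot, so `.` matches any character rather than a literal period. One pattern fixes both: `process.executable regex """[A-Za-z]:\\Program Files( \(x86\))?\\\w+\.exe"""`. The parenthesised condition continues past the end of this section, so any further alternatives were not reviewed.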
