From c2d15862702a032f569c74f0dbe136a493e76479 Mon Sep 17 00:00:00 2001 
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Tue, 16 Apr 2024 09:28:17 -0300 Subject: [PATCH] [Rule Tuning] Windows BBR Promotion (#3577) * [Rule Tuning] Windows BBR Promotion * Update non-ecs-schema.json * Update persistence_netsh_helper_dll.toml * Update persistence_werfault_reflectdebugger.toml * Update privilege_escalation_unquoted_service_path.toml * Update defense_evasion_msdt_suspicious_diagcab.toml * Update defense_evasion_suspicious_msiexec_execution.toml * Update discovery_security_software_wmic.toml * Revert "Update defense_evasion_msdt_suspicious_diagcab.toml" This reverts commit 0e1f3ea3e18a146c421a5bda784633cca4a2b0c0. * Revert "Update defense_evasion_suspicious_msiexec_execution.toml" This reverts commit 4e26a167774ad712d19334a4c2c712cc1d550e7f. * Revert "Update discovery_security_software_wmic.toml" This reverts commit d638cec354a46cacab1e62596f4ad939a1d9c32a. --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> --- .../windows}/defense_evasion_disable_nla.toml | 8 +++---- ...tion_delayed_via_ping_lolbas_unsigned.toml | 8 +++---- .../execution_downloaded_shortcut_files.toml | 10 ++++----- .../execution_downloaded_url_file.toml | 8 +++---- .../windows}/execution_mofcomp.toml | 21 ++++++++++++------- ...persistence_browser_extension_install.toml | 19 ++++++++++------- ...persistence_msoffice_startup_registry.toml | 10 ++++----- .../persistence_netsh_helper_dll.toml | 10 ++++----- .../persistence_werfault_reflectdebugger.toml | 11 +++++----- ...lege_escalation_unquoted_service_path.toml | 12 +++++------ 10 files changed, 56 insertions(+), 61 deletions(-) rename {rules_building_block => rules/windows}/defense_evasion_disable_nla.toml (91%) rename {rules_building_block => rules/windows}/execution_delayed_via_ping_lolbas_unsigned.toml (96%) rename {rules_building_block => 
rules/windows}/execution_downloaded_shortcut_files.toml (89%)
 rename {rules_building_block => rules/windows}/execution_downloaded_url_file.toml (93%)
 rename {rules_building_block => rules/windows}/execution_mofcomp.toml (81%)
 rename {rules_building_block => rules/windows}/persistence_browser_extension_install.toml (77%)
 rename {rules_building_block => rules/windows}/persistence_msoffice_startup_registry.toml (91%)
 rename {rules_building_block => rules/windows}/persistence_netsh_helper_dll.toml (88%)
 rename {rules_building_block => rules/windows}/persistence_werfault_reflectdebugger.toml (85%)
 rename {rules_building_block => rules/windows}/privilege_escalation_unquoted_service_path.toml (85%)
diff --git a/rules_building_block/defense_evasion_disable_nla.toml b/rules/windows/defense_evasion_disable_nla.toml
similarity index 91%
rename from rules_building_block/defense_evasion_disable_nla.toml
rename to rules/windows/defense_evasion_disable_nla.toml
index c70eaeb8a39..3097f5234db 100644
--- a/rules_building_block/defense_evasion_disable_nla.toml
+++ b/rules/windows/defense_evasion_disable_nla.toml
@@ -4,8 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/09"
-bypass_bbr_timing = true
+updated_date = "2024/04/05"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +15,7 @@ before allowing a full RDP session. Attackers can disable NLA to enable persiste
 Windows sign-in screen without authenticating, such as Accessibility Features persistence methods, like Sticky Keys.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*"]
+index = ["logs-endpoint.events.registry-*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Network-Level Authentication (NLA) Disabled"
@@ -26,9 +25,8 @@ references = [
 risk_score = 21
 rule_id = "db65f5ba-d1ef-4944-b9e8-7e51060c2b42"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Rule Type: BBR"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
-building_block_type = "default"
 type = "eql"
 
 query = '''
diff --git a/rules_building_block/execution_delayed_via_ping_lolbas_unsigned.toml b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
similarity index 96%
rename from rules_building_block/execution_delayed_via_ping_lolbas_unsigned.toml
rename to rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
index f07cff9f88b..704e5d260af 100644
--- a/rules_building_block/execution_delayed_via_ping_lolbas_unsigned.toml
+++ b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
@@ -4,8 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/09/25"
-bypass_bbr_timing = true
+updated_date = "2024/04/05"
 
 [rule]
 author = ["Elastic"]
@@ -14,16 +13,15 @@ Identifies the execution of commonly abused Windows utilities via a delayed Ping
 observed during malware installation and is consistent with an attacker attempting to evade detection.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Delayed Execution via Ping"
 risk_score = 21
 rule_id = "e00b8d49-632f-4dc6-94a5-76153a481915"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 type = "eql"
-building_block_type = "default"
 
 query = '''
 sequence by process.parent.entity_id with maxspan=1m
diff --git a/rules_building_block/execution_downloaded_shortcut_files.toml b/rules/windows/execution_downloaded_shortcut_files.toml
similarity index 89%
rename from rules_building_block/execution_downloaded_shortcut_files.toml
rename to rules/windows/execution_downloaded_shortcut_files.toml
index a3ea885103a..1f765f65ca0 100644
--- a/rules_building_block/execution_downloaded_shortcut_files.toml
+++ b/rules/windows/execution_downloaded_shortcut_files.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/23"
+updated_date = "2024/04/05"
 
 [rule]
 author = ["Elastic"]
@@ -12,19 +12,17 @@ description = """
 Identifies .lnk shortcut file downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns.
 """
-from = "now-119m"
-interval = "60m"
-index = ["logs-endpoint.events.*"]
+from = "now-9m"
+index = ["logs-endpoint.events.file-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Downloaded Shortcut Files"
 risk_score = 21
 rule_id = "39157d52-4035-44a8-9d1a-6f8c5f580a07"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
-building_block_type = "default"
 
 query = '''
 file where host.os.type == "windows" and event.type == "creation" and file.extension == "lnk" and file.Ext.windows.zone_identifier > 1
diff --git a/rules_building_block/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml
similarity index 93%
rename from rules_building_block/execution_downloaded_url_file.toml
rename to rules/windows/execution_downloaded_url_file.toml
index 71f3ee33eb7..a5a22b38ac1 100644
--- a/rules_building_block/execution_downloaded_url_file.toml
+++ b/rules/windows/execution_downloaded_url_file.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/23"
+updated_date = "2024/04/05"
 
 [rule]
 author = ["Elastic"]
@@ -12,9 +12,8 @@ description = """
 Identifies .url shortcut files downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns.
 """
-from = "now-119m"
-interval = "60m"
-index = ["logs-endpoint.events.*"]
+from = "now-9m"
+index = ["logs-endpoint.events.file-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Downloaded URL Files"
@@ -23,7 +22,6 @@ rule_id = "cd82e3d6-1346-4afd-8f22-38388bbf34cb"
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"]
 timestamp_override = "event.ingested"
-building_block_type = "default"
 type = "eql"
 
 query = '''
diff --git a/rules_building_block/execution_mofcomp.toml b/rules/windows/execution_mofcomp.toml
similarity index 81%
rename from rules_building_block/execution_mofcomp.toml
rename to rules/windows/execution_mofcomp.toml
index 7876fc1de59..d29168632ce 100644
--- a/rules_building_block/execution_mofcomp.toml
+++ b/rules/windows/execution_mofcomp.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/23"
+updated_date = "2024/04/05"
 
 [rule]
 author = ["Elastic"]
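Review bot: In the second hunk of execution_downloaded_url_file.toml the unchanged line `tags = [..., "Data Source: Elastic Defend", "Rule Type: BBR"]` still carries the BBR tag while `building_block_type = "default"` is removed directly beneath it, so this rule leaves the building-block set but stays labelled as one; every other rule in this commit drops the tag in the same step. The line should become `tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]`, matching its sibling execution_downloaded_shortcut_files.toml. Anything that filters, groups or reports on the BBR tag would otherwise keep treating this promoted rule as a building block.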
@@ -13,24 +13,31 @@ Managed Object Format (MOF) files can be compiled locally or remotely through mo
 files to build their own namespaces and classes into the Windows Management Instrumentation (WMI) repository, or establish persistence using WMI Event Subscription.
 """
-from = "now-119m"
-interval = "60m"
-index = ["logs-endpoint.events.*"]
+from = "now-9m"
+index = ["logs-endpoint.events.process-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Mofcomp Activity"
 risk_score = 21
 rule_id = "210d4430-b371-470e-b879-80b7182aa75e"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
-building_block_type = "default"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
 process.name : "mofcomp.exe" and process.args : "*.mof" and
- not user.id : "S-1-5-18"
+ not user.id : "S-1-5-18" and
+ not
+ (
+ process.parent.name : "ScenarioEngine.exe" and
+ process.args : (
+ "*\\MSSQL\\Binn\\*.mof",
+ "*\\Microsoft SQL Server\\???\\Shared\\*.mof",
+ "*\\OLAP\\bin\\*.mof"
+ )
+ )
 '''
 
 [[rule.threat]]
diff --git a/rules_building_block/persistence_browser_extension_install.toml b/rules/windows/persistence_browser_extension_install.toml
similarity index 77%
rename from rules_building_block/persistence_browser_extension_install.toml
rename to rules/windows/persistence_browser_extension_install.toml
index 3483762da0d..32a8066c708 100644
--- a/rules_building_block/persistence_browser_extension_install.toml
+++ b/rules/windows/persistence_browser_extension_install.toml
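Review bot: The new exclusion at the end of the mofcomp query is keyed only on `process.parent.name : "ScenarioEngine.exe"` plus three `.mof` path globs that begin with `*`, so the parent's name alone decides the carve-out regardless of where that parent runs from or where the `.mof` file lives. Anchoring the exclusion on the parent's installed location keeps the SQL Server setup noise suppressed without widening the blind spot, for example by adding `process.parent.executable : "?:\\Program Files\\Microsoft SQL Server\\*\\ScenarioEngine.exe"` (constructed pattern, to be confirmed against real setup events) and dropping the leading `*` from the argument globs in favour of the same install root. The Firefox exclusion added in persistence_browser_extension_install.toml has the same shape, resting on `process.name : "firefox.exe"` rather than `process.executable`, and would benefit from the same tightening. A one-line comment above the `not (` block naming the benign source, e.g. `/* SQL Server setup (ScenarioEngine.exe) compiling its own MOF files */`, would also help the next tuner understand why the exclusion exists.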
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/22"
+updated_date = "2024/04/05"
 
 [rule]
 author = ["Elastic"]
@@ -12,27 +12,30 @@ description = """
 Identifies the install of browser extensions. Malicious browser extensions can be installed via app store downloads masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.
 """
-from = "now-119m"
-interval = "60m"
-index = ["logs-endpoint.events.*"]
+from = "now-9m"
+index = ["logs-endpoint.events.file-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Browser Extension Install"
 risk_score = 21
 rule_id = "f97504ac-1053-498f-aeaa-c6d01e76b379"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
-building_block_type = "default"
 
 query = '''
-file where event.action : "creation" and
+file where host.os.type == "windows" and event.action : "creation" and
 (
 /* Firefox-Based Browsers */
 (
 file.name : "*.xpi" and
- file.path : "?:\\Users\\*\\AppData\\Roaming\\*\\Profiles\\*\\Extensions\\*.xpi"
+ file.path : "?:\\Users\\*\\AppData\\Roaming\\*\\Profiles\\*\\Extensions\\*.xpi" and
+ not
+ (
+ process.name : "firefox.exe" and
+ file.name : ("langpack-*@firefox.mozilla.org.xpi", "*@dictionaries.addons.mozilla.org.xpi")
+ )
 ) or
 /* Chromium-Based Browsers */
 (
diff --git a/rules_building_block/persistence_msoffice_startup_registry.toml b/rules/windows/persistence_msoffice_startup_registry.toml
similarity index 91%
rename from rules_building_block/persistence_msoffice_startup_registry.toml
rename to rules/windows/persistence_msoffice_startup_registry.toml
index 74eb9aab82b..79bc509048d 100644
--- a/rules_building_block/persistence_msoffice_startup_registry.toml
+++ b/rules/windows/persistence_msoffice_startup_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/13"
+updated_date = "2024/04/05"
 
 [rule]
 author = ["Elastic"]
@@ -13,9 +13,8 @@ Identifies the modification of the Microsoft Office "Office Test" Registry key,
 specify a DLL which will be executed every time an MS Office application is started. Attackers can abuse this to gain persistence on a compromised host.
 """
-from = "now-119m"
-interval = "60m"
-index = ["logs-endpoint.events.*"]
+from = "now-9m"
+index = ["logs-endpoint.events.registry-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Office Test Registry Persistence"
@@ -25,10 +24,9 @@ references = [
 risk_score = 21
 rule_id = "14dab405-5dd9-450c-8106-72951af2391f"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
-building_block_type = "default"
 
 query = '''
 registry where host.os.type == "windows" and event.action != "deletion" and
diff --git a/rules_building_block/persistence_netsh_helper_dll.toml b/rules/windows/persistence_netsh_helper_dll.toml
similarity index 88%
rename from rules_building_block/persistence_netsh_helper_dll.toml
rename to rules/windows/persistence_netsh_helper_dll.toml
index 93a0f7c9f4e..ef39af45178 100644
--- a/rules_building_block/persistence_netsh_helper_dll.toml
+++ b/rules/windows/persistence_netsh_helper_dll.toml
@@ -4,8 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/29"
-bypass_bbr_timing = true
+updated_date = "2024/04/05"
 
 [rule]
 author = ["Elastic"]
@@ -15,20 +14,19 @@ Attackers may abuse this mechanism to execute malicious payloads every time the
 by administrators or a scheduled task.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*"]
+index = ["logs-endpoint.events.registry-*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Netsh Helper DLL"
 risk_score = 21
 rule_id = "b0638186-4f12-48ac-83d2-47e686d08e82"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
-building_block_type = "default"
 type = "eql"
 
 query = '''
-registry where event.type == "change" and
+registry where host.os.type == "windows" and event.type == "change" and
 registry.path : (
 "HKLM\\Software\\Microsoft\\netsh\\*",
 "\\REGISTRY\\MACHINE\\Software\\Microsoft\\netsh\\*"
diff --git a/rules_building_block/persistence_werfault_reflectdebugger.toml b/rules/windows/persistence_werfault_reflectdebugger.toml
similarity index 85%
rename from rules_building_block/persistence_werfault_reflectdebugger.toml
rename to rules/windows/persistence_werfault_reflectdebugger.toml
index 0249570d1f9..2ca1d429677 100644
--- a/rules_building_block/persistence_werfault_reflectdebugger.toml
+++ b/rules/windows/persistence_werfault_reflectdebugger.toml
@@ -4,8 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/29"
-bypass_bbr_timing = true
+updated_date = "2024/04/05"
 
 [rule]
 author = ["Elastic"]
@@ -14,20 +13,20 @@ Identifies the registration of a Werfault Debugger. Attackers may abuse this mec
 every time the utility is executed with the "-pr" parameter.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*"]
+index = ["logs-endpoint.events.registry-*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Werfault ReflectDebugger Persistence"
+references = ["https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html"]
 risk_score = 21
 rule_id = "205b52c4-9c28-4af4-8979-935f3278d61a"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
-building_block_type = "default"
 type = "eql"
 
 query = '''
-registry where event.type == "change" and
+registry where host.os.type == "windows" and event.type == "change" and
 registry.path : (
 "HKLM\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger",
 "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger"
diff --git a/rules_building_block/privilege_escalation_unquoted_service_path.toml b/rules/windows/privilege_escalation_unquoted_service_path.toml
similarity index 85%
rename from rules_building_block/privilege_escalation_unquoted_service_path.toml
rename to rules/windows/privilege_escalation_unquoted_service_path.toml
index 5930474574f..1b27f6a8932 100644
--- a/rules_building_block/privilege_escalation_unquoted_service_path.toml
+++ b/rules/windows/privilege_escalation_unquoted_service_path.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/17"
+updated_date = "2024/04/05"
 
 [rule]
 author = ["Elastic"]
@@ -13,22 +13,20 @@ Adversaries may leverage unquoted service path vulnerabilities to escalate privi
 higher-level directory within the path of an unquoted service executable, Windows will natively launch this executable from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution.
 """
-from = "now-119m"
-interval = "60m"
-index = ["logs-endpoint.events.*"]
+from = "now-9m"
+index = ["logs-endpoint.events.process-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Exploitation of an Unquoted Service Path Vulnerability"
 risk_score = 21
 rule_id = "12de29d4-bbb0-4eef-b687-857e8a163870"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Rule Type: BBR", "Data Source: Elastic Defend"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
-building_block_type = "default"
 type = "eql"
 
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (
 process.executable : "?:\\Program.exe" or
 process.executable regex """(C:\\Program Files \(x86\)\\|C:\\Program Files\\)\w+.exe"""