[Rule Tuning] Windows BBR Tuning - 2 (#3381)

* [Rule Tuning] Windows BBR Tuning - 2

* Update defense_evasion_masquerading_windows_system32_exe.toml

---------

Co-authored-by: Ruben Groenewoud <[email protected]>

(cherry picked from commit ae00f30)

rules_building_block/defense_evasion_masquerading_business_apps_installer.toml → rules/windows/defense_evasion_masquerading_business_apps_installer.toml

@@ -4,8 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/13"
-bypass_bbr_timing = true
+updated_date = "2024/01/11"
 
 [rule]
 author = ["Elastic"]
@@ -25,9 +24,8 @@ references = [
 risk_score = 21
 rule_id = "feafdc51-c575-4ed2-89dd-8e20badc2d6c"
 severity = "low"
-tags = ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Initial Access", "Tactic: Execution", "Rule Type: BBR"]
+tags = ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Initial Access", "Tactic: Execution"]
 timestamp_override = "event.ingested"
-building_block_type = "default"
 type = "eql"
 
 query = '''

rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/13"
+updated_date = "2024/01/11"
 bypass_bbr_timing = true
 
 [rule]
@@ -37,11 +37,13 @@ process where host.os.type == "windows" and event.type == "start" and
             "?:\\Program Files\\*",
             "?:\\Program Files (x86)\\*",
             "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
-            "?:\\Users\\*\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe",
+            "?:\\Users\\*\\AppData\\Local\\Island\\Island\\Application\\Island.exe",
+            "?:\\Users\\*\\AppData\\Roaming\\Zoom\\bin*\\Zoom.exe",
             "?:\\Windows\\System32\\rundll32.exe",
             "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
             "?:\\Windows\\System32\\notepad.exe",
-            "?:\\Windows\\System32\\WerFault.exe"
+            "?:\\Windows\\System32\\WerFault.exe",
+            "?:\\Windows\\SysWOW64\\WerFault.exe"
           ) and process.code_signature.trusted == true  
         ) or
         (
@@ -84,7 +86,11 @@ process where host.os.type == "windows" and event.type == "start" and
           process.executable : (
             "?:\\Program Files\\*",
             "?:\\Program Files (x86)\\*",
-            "?:\\Windows\\System32\\WerFault.exe"
+            "?:\\Windows\\System32\\WerFault.exe",
+            "?:\\Windows\\SysWOW64\\WerFault.exe",
+            "?:\\Windows\\BrowserCore\\BrowserCore.exe",
+            "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
+            "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe"
           ) and process.code_signature.trusted == true  
         ) or
         (
@@ -106,9 +112,11 @@ process where host.os.type == "windows" and event.type == "start" and
           process.executable : (
             "?:\\Program Files\\*",
             "?:\\Program Files (x86)\\*",
+            "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
             "?:\\Windows\\System32\\reg.exe",
             "?:\\Windows\\SysWOW64\\reg.exe",
-            "?:\\Windows\\System32\\WerFault.exe"
+            "?:\\Windows\\System32\\WerFault.exe",
+            "?:\\Windows\\SysWOW64\\WerFault.exe"
           ) and process.code_signature.trusted == true  
         ) or
         (
@@ -117,9 +125,16 @@ process where host.os.type == "windows" and event.type == "start" and
           ) and process.code_signature.trusted == true
         ) or
         (
-          process.name : "cmd.exe" and process.command_line : (
-            "C:\\WINDOWS\\system32\\cmd.exe /d /s /c \"chcp\"",
-            "C:\\WINDOWS\\system32\\cmd.exe /q /d /s /c \"C:\\Program^ Files\\NVIDIA^ Corporation\\NVSMI\\nvidia-smi.exe\""
+          process.name : "cmd.exe" and 
+          (
+            process.command_line : (
+              "C:\\WINDOWS\\system32\\cmd.exe /d /s /c \"chcp\"",
+              "C:\\WINDOWS\\system32\\cmd.exe /q /d /s /c \"C:\\Program^ Files\\NVIDIA^ Corporation\\NVSMI\\nvidia-smi.exe\""
+            ) or
+            process.args : (
+              "C:\\WINDOWS/System32/nvidia-smi.exe",
+              "C:\\WINDOWS\\System32\\nvidia-smi.exe"
+            )
           )
         )
       )
@@ -158,6 +173,8 @@ process where host.os.type == "windows" and event.type == "start" and
             "?:\\Program Files\\*",
             "?:\\Program Files (x86)\\*",
             "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
+            "?:\\Users\\*\\AppData\\Local\\Island\\Island\\Application\\Island.exe",
+            "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
             "?:\\Windows\\System32\\WerFault.exe"
           ) and process.code_signature.trusted == true  
         ) or
@@ -177,16 +194,25 @@ process where host.os.type == "windows" and event.type == "start" and
             "?:\\Program Files\\*",
             "?:\\Program Files (x86)\\*",
             "?:\\Windows\\System32\\WerFault.exe",
+            "?:\\Windows\\SysWOW64\\WerFault.exe",
+            "?:\\Windows\\system32\\wermgr.exe",
             "?:\\Users\\*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
             "?:\\Users\\*\\AppData\\Local\\Temp\\NewOutlookInstall\\NewOutlookInstaller.exe",
             "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
+            "?:\\Users\\*\\AppData\\Local\\Island\\Island\\Application\\Island.exe",
+            "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
             "?:\\Users\\*\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe",
             "?:\\Windows\\System32\\IME\\SHARED\\IMEWDBLD.EXE",
             "?:\\Windows\\System32\\spool\\drivers\\x64\\*",
             "?:\\Windows\\System32\\prevhost.exe",
             "?:\\Windows\\System32\\dwwin.exe",
+            "?:\\Windows\\System32\\mspaint.exe",
+            "?:\\Windows\\SysWOW64\\mspaint.exe",
             "?:\\Windows\\System32\\notepad.exe",
-            "?:\\Windows\\explorer.exe"
+            "?:\\Windows\\SysWOW64\\notepad.exe",
+            "?:\\Windows\\System32\\smartscreen.exe",
+            "?:\\Windows\\explorer.exe",
+            "?:\\Windows\\splwow64.exe"
           ) and process.code_signature.trusted == true  
         )
       )
@@ -199,7 +225,8 @@ process where host.os.type == "windows" and event.type == "start" and
           process.executable : (
             "?:\\Program Files\\*",
             "?:\\Program Files (x86)\\*",
-            "?:\\Windows\\System32\\WerFault.exe"
+            "?:\\Windows\\System32\\WerFault.exe",
+            "?:\\Windows\\splwow64.exe"
           ) and process.code_signature.trusted == true  
         ) or
         (

rules_building_block/defense_evasion_download_susp_extension.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/09/27"
+updated_date = "2024/01/11"
 
 [rule]
 author = ["Elastic"]
@@ -37,7 +37,11 @@ file where host.os.type == "windows" and event.type == "creation" and
   ) and file.Ext.windows.zone_identifier > 1 and
   not
   (
-    file.extension : "msix" and file.path : "?:\\Users\\*\\AppData\\Local\\Temp\\WinGet\\Microsoft.Winget.Source*"
+    file.extension : "msix" and 
+    file.path : (
+      "?:\\Users\\*\\AppData\\Local\\Temp\\WinGet\\Microsoft.Winget.Source*",
+      "?:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\WinGet\\State\\defaultState\\Microsoft.PreIndexed.Package\\Microsoft.Winget.Source*"
+    )
   )
 '''
 

rules_building_block/defense_evasion_masquerading_browsers.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/13"
+updated_date = "2024/01/11"
 bypass_bbr_timing = true
 
 [rule]
@@ -45,6 +45,12 @@ process where host.os.type == "windows" and event.type == "start" and
           "?:\\Program Files\\HP\\Sure Click\\*\\servers\\chrome.exe"
         ) and
         process.code_signature.subject_name : ("Bromium, Inc.") and process.code_signature.trusted == true
+      ) and not
+      (
+        process.executable : (
+          "?:\\Program Files\\dynatrace\\synthetic\\Chrome-bin\\chrome.exe"
+        ) and
+        process.code_signature.subject_name : ("Dynatrace LLC") and process.code_signature.trusted == true
       ) and
      not (
        process.executable : (
@@ -73,7 +79,7 @@ process where host.os.type == "windows" and event.type == "start" and
      and not
       (
         process.name : "msedgewebview2.exe" and
-        process.code_signature.subject_name : ("Bromium, Inc.") and process.code_signature.trusted == true
+        process.code_signature.subject_name : ("Bromium, Inc.", "Amazon.com Services LLC") and process.code_signature.trusted == true
       )
     ) or
 
@@ -113,7 +119,7 @@ process where host.os.type == "windows" and event.type == "start" and
     (process.name : (
       "opera.exe", "opera_*.exe", "browser_assistant.exe"
      ) and not
-      (process.code_signature.subject_name : "Opera Norway AS" and process.code_signature.trusted == true)
+      (process.code_signature.subject_name : ("Opera Norway AS", "Opera Software AS") and process.code_signature.trusted == true)
     ) or
 
     /* Whale Related Processes */
@@ -136,7 +142,9 @@ process where host.os.type == "windows" and event.type == "start" and
         "Microsoft Corporation",
         "NAVER Corp.",
         "AVG Technologies USA, LLC",
-        "Avast Software s.r.o."
+        "Avast Software s.r.o.",
+        "PIRIFORM SOFTWARE LIMITED",
+        "NortonLifeLock Inc."
        ) and process.code_signature.trusted == true
       )
     )

rules_building_block/defense_evasion_masquerading_windows_dll.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above."
 min_stack_version = "8.4.0"
-updated_date = "2023/10/13"
+updated_date = "2024/01/11"
 bypass_bbr_timing = true
 
 [rule]
@@ -69,16 +69,19 @@ library where event.action == "load" and dll.Ext.relative_file_creation_time <=
       ) or
       (
         dll.name : "libcrypto.dll" and dll.code_signature.subject_name in (
-          "NoMachine S.a.r.l.", "Bitdefender SRL", "Oculus VR, LLC"
+          "NoMachine S.a.r.l.", "Oculus VR, LLC"
         ) and dll.code_signature.trusted == true
       ) or
       (
         dll.name : "ucrtbase.dll" and dll.code_signature.subject_name in (
           "Proofpoint, Inc.", "Rapid7 LLC", "Eclipse.org Foundation, Inc.", "Amazon.com Services LLC", "Windows Phone"
         ) and dll.code_signature.trusted == true
       ) or
+      (
+        dll.name : ("libcrypto.dll", "wmi.dll", "geolocation.dll", "kerberos.dll") and
+        dll.code_signature.subject_name == "Bitdefender SRL" and dll.code_signature.trusted == true
+      ) or
       (dll.name : "ICMP.dll" and dll.code_signature.subject_name == "Paessler AG" and dll.code_signature.trusted == true) or
-      (dll.name : "kerberos.dll" and dll.code_signature.subject_name == "Bitdefender SRL" and dll.code_signature.trusted == true) or
       (dll.name : "dbghelp.dll" and dll.code_signature.trusted == true) or
       (dll.name : "DirectML.dll" and dll.code_signature.subject_name == "Adobe Inc." and dll.code_signature.trusted == true) or
       (