From 1745c03fa662a9bd3474cea65ec22836969dbf17 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Tue, 5 Nov 2024 14:22:14 -0300
Subject: [PATCH] [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 4 (#4225)
(cherry picked from commit 63956a6f51908502c8a8c3d6756e63adb44a2285)
---
 ...xecution_windows_powershell_susp_args.toml | 10 +++---
 ...e_shadow_copy_deletion_via_powershell.toml | 6 ++--
 ...itial_access_execution_from_inetcache.toml | 17 ++++++--
 ...access_suspicious_ms_exchange_process.toml | 36 ++++++++++++-------
 ...ss_suspicious_ms_office_child_process.toml | 6 ++--
 ...s_suspicious_ms_outlook_child_process.toml | 16 +++------
 ..._movement_execution_from_tsclient_mup.toml | 6 ++--
 ...ovement_remote_file_copy_hidden_share.toml | 6 ++--
 ...movement_unusual_dns_service_children.toml | 6 ++--
 ...ll_exch_mailbox_activesync_add_device.toml | 6 ++--
 10 files changed, 70 insertions(+), 45 deletions(-)
diff --git a/rules/windows/execution_windows_powershell_susp_args.toml b/rules/windows/execution_windows_powershell_susp_args.toml
index 0b09b6c4baa..190e0bee76c 100644
--- a/rules/windows/execution_windows_powershell_susp_args.toml
+++ b/rules/windows/execution_windows_powershell_susp_args.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2024/09/06"
-integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
+integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,8 @@ index = [
 "logs-system.security*",
 "logs-windows.sysmon_operational-*",
 "logs-sentinel_one_cloud_funnel.*",
- "logs-m365_defender.event-*"
+ "logs-m365_defender.event-*",
+ "logs-crowdstrike.fdr*"
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -35,7 +36,8 @@ tags = [
 "Data Source: System",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint"
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Crowdstrike"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
index d5e9109fd39..2a67ef13d5b 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/07/19"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -22,6 +22,7 @@ index = [
 "logs-system.security*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -103,6 +104,7 @@ tags = [
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/initial_access_execution_from_inetcache.toml b/rules/windows/initial_access_execution_from_inetcache.toml
index 6ae987f4f03..78d9de0f304 100644
--- a/rules/windows/initial_access_execution_from_inetcache.toml
+++ b/rules/windows/initial_access_execution_from_inetcache.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2024/02/14"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -22,6 +22,7 @@ index = [
 "logs-system.security*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -44,15 +45,21 @@ tags = [
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- process.parent.name : ("explorer.exe", "winrar.exe", "7zFM.exe", "Bandizip.exe") and
- (process.args : "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*" or
- process.executable : "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*")
+ process.parent.name : ("explorer.exe", "winrar.exe", "7zFM.exe", "Bandizip.exe") and
+ (
+ process.args : "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*" or
+ process.executable : (
+ "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*",
+ "\\Device\\HarddiskVolume?\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*"
+ )
+ )
 '''
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
index 9d1dbad60db..cfc6a035f4e 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
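Review bot: `HarddiskVolume?` in the new process.executable pattern of the `@@ -44,15 +45,21 @@` hunk matches exactly one character after `HarddiskVolume`, so a start from a volume numbered 10 or higher (`\Device\HarddiskVolume12\Users\...`) is not matched and the rule stays silent for that source; widening it to `"\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*"` closes the gap, and the broader `*` costs nothing on the detection side. The same single-character wildcard is used in the nine `\\Device\\HarddiskVolume?\\` entries added to the UMWorkerProcess exclusion list in initial_access_suspicious_ms_exchange_process.toml, where the effect is reversed: children started from a high-numbered volume are not excluded and will alert. Widening that exclusion with `*` should be weighed more carefully because `*` also spans path separators, so `HarddiskVolume??` added next to the existing entries is the narrower fix there. The `process.args` branch keeps only the drive-letter form, which is plausibly fine if command-line arguments carry user-mode paths, but is worth confirming against a sample of the Crowdstrike FDR events before the rule is relied on for that source.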
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/03/04"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -28,6 +28,7 @@ index = [
 "logs-system.security*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -52,6 +53,7 @@ tags = [
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -59,16 +61,26 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
 process.parent.name : ("UMService.exe", "UMWorkerProcess.exe") and
- not process.executable :
- ("?:\\Windows\\System32\\werfault.exe",
- "?:\\Windows\\System32\\wermgr.exe",
- "?:\\Program Files\\Microsoft\\Exchange Server\\V??\\Bin\\UMWorkerProcess.exe",
- "?:\\Program Files\\Microsoft\\Exchange Server\\Bin\\UMWorkerProcess.exe",
- "D:\\Exchange 2016\\Bin\\UMWorkerProcess.exe",
- "E:\\ExchangeServer\\Bin\\UMWorkerProcess.exe",
- "D:\\Exchange\\Bin\\UMWorkerProcess.exe",
- "D:\\Exchange Server\\Bin\\UMWorkerProcess.exe",
- "E:\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe")
+ not process.executable : (
+ "?:\\Windows\\System32\\werfault.exe",
+ "?:\\Windows\\System32\\wermgr.exe",
+ "?:\\Program Files\\Microsoft\\Exchange Server\\V??\\Bin\\UMWorkerProcess.exe",
+ "?:\\Program Files\\Microsoft\\Exchange Server\\Bin\\UMWorkerProcess.exe",
+ "D:\\Exchange 2016\\Bin\\UMWorkerProcess.exe",
+ "E:\\ExchangeServer\\Bin\\UMWorkerProcess.exe",
+ "D:\\Exchange\\Bin\\UMWorkerProcess.exe",
+ "D:\\Exchange Server\\Bin\\UMWorkerProcess.exe",
+ "E:\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe",
+ "\\Device\\HarddiskVolume?\\Windows\\System32\\werfault.exe",
+ "\\Device\\HarddiskVolume?\\Windows\\System32\\wermgr.exe",
+ "\\Device\\HarddiskVolume?\\Program Files\\Microsoft\\Exchange Server\\V??\\Bin\\UMWorkerProcess.exe",
+ "\\Device\\HarddiskVolume?\\Program Files\\Microsoft\\Exchange Server\\Bin\\UMWorkerProcess.exe",
+ "\\Device\\HarddiskVolume?\\Exchange 2016\\Bin\\UMWorkerProcess.exe",
+ "\\Device\\HarddiskVolume?\\ExchangeServer\\Bin\\UMWorkerProcess.exe",
+ "\\Device\\HarddiskVolume?\\Exchange\\Bin\\UMWorkerProcess.exe",
+ "\\Device\\HarddiskVolume?\\Exchange Server\\Bin\\UMWorkerProcess.exe",
+ "\\Device\\HarddiskVolume?\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe"
+ )
 '''
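Review bot: The exclusion list now carries every UMWorkerProcess and WER path twice, once as a drive-letter path and once as a `\\Device\\HarddiskVolume?\\` path, with nothing in the query saying why, so the next maintainer who adds a drive-letter entry has no cue to mirror it. A one-line EQL comment above the list, `// \Device\HarddiskVolume? entries mirror the drive-letter paths for sources that report process.executable as an NT device path`, would keep the two halves in step; the commit title suggests Crowdstrike FDR is the source that motivated it, so name it in the comment if that is confirmed. Note also that the mirrored entries drop the drive distinction the originals carry (`D:\\Exchange 2016\\...` versus `E:\\Exchange Server\\V15\\...`), which is unavoidable for device paths but does widen the exclusion slightly, and since this is an allow-list on a child-of-Exchange detection, any widening deserves a line in the commit description.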
diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
index 31a0597a3b4..f15c52647ab 100644
--- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -23,6 +23,7 @@ index = [
 "logs-system.security*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -92,6 +93,7 @@ tags = [
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
index 09e45aa0f77..c0010f76559 100644
--- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
+integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies suspicious child processes of Microsoft Outlook. These child processe
 phishing activity.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious MS Outlook Child Process"
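Review bot: The new `index` line in the `@@ -13,7 +13,7 @@` hunk keeps all eight patterns on a single line, so the diff cannot show which entry was added without a character-level compare, and every later addition will rewrite the whole line again. The other nine rules touched by this commit list one pattern per line with a trailing comma (`    "logs-crowdstrike.fdr*",` on its own line), and reflowing this array to that form, along with the one-line `tags` array later in the same file, would make the rule consistent with its siblings. The parsed value is unchanged by the reflow, so it is a formatting-only follow-up.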
@@ -66,16 +66,8 @@ This rule looks for suspicious processes spawned by MS Outlook, which can be the
 """
 risk_score = 21
 rule_id = "32f4675e-6c49-4ace-80f9-97c9259dca2e"
-setup = """## Setup
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System", "Data Source: Crowdstrike"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
index 91a2c66bda8..d5fa197c1de 100644
--- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
+++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
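Review bot: The removal of the whole `setup` block in the `@@ -66,16 +66,8 @@` hunk of initial_access_suspicious_ms_outlook_child_process.toml is outside the Crowdstrike scope named in the subject, is the only setup deletion in the ten files, and is not explained anywhere in the patch. It is presumably safe because the file's `min_stack_version = "8.14.0"` makes guidance about stacks below 8.2 obsolete, but that reasoning lives only in the reviewer's head unless the description says so; a sentence such as "also drops the pre-8.2 `event.ingested` setup note from the Outlook rule, obsolete under the 8.14.0 minimum stack" would let the cherry-pick be audited later. If the deletion was incidental rather than intended, it belongs in its own commit.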
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/11"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/17"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -22,6 +22,7 @@ index = [
 "logs-system.security*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -44,6 +45,7 @@ tags = [
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
index cae96af1bb8..232552123a3 100644
--- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
+++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/04"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -22,6 +22,7 @@ index = [
 "logs-system.security*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -41,6 +42,7 @@ tags = [
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/lateral_movement_unusual_dns_service_children.toml b/rules/windows/lateral_movement_unusual_dns_service_children.toml
index e23bf9b53f1..6143e0db23f 100644
--- a/rules/windows/lateral_movement_unusual_dns_service_children.toml
+++ b/rules/windows/lateral_movement_unusual_dns_service_children.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/07/16"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/17"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -29,6 +29,7 @@ index = [
 "logs-system.security*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -91,6 +92,7 @@ tags = [
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
index b0ea3fd54f3..35c401eed9e 100644
--- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
+++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/12/15"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -23,6 +23,7 @@ index = [
 "logs-system.security*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -46,6 +47,7 @@ tags = [
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"