diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
index 30457f6d720..d245bb01ec6 100644
--- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
+++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/10"
-integration = ["endpoint", "windows"]
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/09"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the creation or change of a Windows executable file over network shar
 other files between systems in a compromised environment.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Lateral Tool Transfer via SMB Share"
@@ -71,7 +71,8 @@ sequence by host.id with maxspan=30s
 network.transport == "tcp" and source.ip != "127.0.0.1" and source.ip != "::1"
 ] by process.entity_id
 /* add more executable extensions here if they are not noisy in your environment */
- [file where host.os.type == "windows" and event.type in ("creation", "change") and process.pid == 4 and file.extension : ("exe", "dll", "bat", "cmd")] by process.entity_id
+ [file where host.os.type == "windows" and event.type in ("creation", "change") and process.pid == 4 and
+ (file.Ext.header_bytes : "4d5a*" or file.extension : ("exe", "scr", "pif", "com", "dll"))] by process.entity_id
 '''
diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
index d5b91b1fdc5..d610946c8ca 100644
--- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
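Review bot: The retained comment above the rewritten file step, `/* add more executable extensions here if they are not noisy in your environment */`, no longer describes the condition, which now leads with the `file.Ext.header_bytes : "4d5a*"` check, and the quietly dropped `bat` and `cmd` extensions are exactly the class that check cannot recover, since scripts carry no MZ/PE header. If dropping script transfers is the intended noise trade-off, say so where a tuner will look: `/* 4d5a = MZ/PE header, so renamed executables are still caught; script extensions (bat, cmd) were dropped for noise - re-add them here if they are quiet in your environment */`. The same unexplained OR of header bytes and extension appears in the file step of lateral_movement_execution_via_file_shares_sequence.toml in the next hunk group and would benefit from the same one-line comment. The enclosing `sequence` and its network step begin before this hunk.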
+++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/03"
-integration = ["endpoint", "windows"]
+integration = ["endpoint"]
 maturity = "production"
-updated_date = "2023/06/22"
+updated_date = "2023/10/09"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -39,7 +39,7 @@ Identifies the execution of a file that was created by the virtual system proces
 via network file shares.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote Execution via File Shares"
@@ -100,7 +100,8 @@ type = "eql"
 query = '''
 sequence with maxspan=1m
- [file where host.os.type == "windows" and event.type in ("creation", "change") and process.pid == 4 and file.extension : "exe"] by host.id, file.path
+ [file where host.os.type == "windows" and event.type in ("creation", "change") and
+ process.pid == 4 and (file.extension : "exe" or file.Ext.header_bytes : "4d5a*")] by host.id, file.path
 [process where host.os.type == "windows" and event.type == "start"] by host.id, process.executable
 '''
diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml
index 51261d09fdc..4be4ea1b6d4 100644
--- a/rules/windows/lateral_movement_incoming_wmi.toml
+++ b/rules/windows/lateral_movement_incoming_wmi.toml
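Review bot: The new file-step condition `(file.extension : "exe" or file.Ext.header_bytes : "4d5a*")` is written in the opposite order and with a narrower extension set than the sibling change in lateral_movement_executable_tool_transfer_smb.toml, which leads with the header check and lists `("exe", "scr", "pif", "com", "dll")`; keeping the two rules in the same shape makes the shared intent (catch renamed PE files, keep the extension match as a fallback) easier to maintain. The `exe`-only list here is presumably deliberate because the second step is a `process ... event.type == "start"` keyed on `process.executable`, but nothing in the hunk says so; a short comment such as `/* 4d5a = MZ/PE header; only exe is listed because the next step requires a process start from the same path */` would remove the guesswork. The earlier hunks in this file drop `winlogbeat-*`, `logs-windows.*` and `endgame-*` from `index`, which appears consistent with `file.Ext.header_bytes` being an Endpoint-populated field, but that rationale is also worth a sentence in the rule's setup or description text, which is outside this hunk.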
@@ -34,13 +34,16 @@ sequence by host.id with maxspan = 2s
 /* Excluding Common FPs Nessus and SCCM */
- [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "WmiPrvSE.exe" and
- not process.args : ("C:\\windows\\temp\\nessus_*.txt",
- "*C:\\windows\\TEMP\\nessus_*.TMP*",
- "*C:\\Windows\\CCM\\SystemTemp\\*",
- "C:\\Windows\\CCM\\ccmrepair.exe",
- "C:\\Windows\\CCMCache\\*",
- "C:\\CCM\\Cache\\*")
+ [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "WmiPrvSE.exe" and
+ not process.Ext.token.integrity_level_name : "system" and not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
+ not process.executable :
+ ("?:\\Program Files\\HPWBEM\\Tools\\hpsum_swdiscovery.exe",
+ "?:\\Windows\\CCM\\Ccm32BitLauncher.exe",
+ "?:\\Windows\\System32\\wbem\\mofcomp.exe",
+ "?:\\Windows\\Microsoft.NET\\Framework*\\csc.exe",
+ "?:\\Windows\\System32\\powercfg.exe") and
+ not (process.executable : "?:\\Windows\\System32\\msiexec.exe" and process.args : "REBOOT=ReallySuppress") and
+ not (process.executable : "?:\\Windows\\System32\\inetsrv\\appcmd.exe" and process.args : "uninstall")
 ]
 '''
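Review bot: The context comment kept above the rewritten process step, `/* Excluding Common FPs Nessus and SCCM */`, is now stale: every Nessus path exclusion is removed in this hunk and the new filters are a SYSTEM/service-account exclusion plus HP WBEM, SCCM, mofcomp, csc, powercfg, msiexec and appcmd, so a reader is told the wrong thing about what is being suppressed. Something like `/* Excluding common FPs: SYSTEM/service-account children and known management tooling (HP WBEM, SCCM, mofcomp, csc, powercfg, msiexec, appcmd) */` would match the code. The `not process.Ext.token.integrity_level_name : "system"` and `not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20")` clauses are a broad new blind spot for any WMI-spawned child running in a system context, which is a deliberate precision trade-off that deserves a comment of its own rather than being folded into the tooling list. The `mofcomp.exe` and `csc.exe` entries are excluded by path alone whereas the `msiexec.exe` and `appcmd.exe` entries are narrowed by `process.args`; if those two are meant to be equally narrow, the same pattern would keep the exclusion from covering arbitrary invocations of those binaries. The enclosing `sequence` and its network step begin before this hunk.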