[Rule Tuning] Windows DR Tuning - 13 (#3369)

(cherry picked from commit 71cec2a)
elastic · Jan 17, 2024 · 457f933 · 457f933
1 parent 60fa648
commit 457f933
Show file tree

Hide file tree

Showing 5 changed files with 55 additions and 26 deletions.
diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/04"
 
 [rule]
 author = ["Elastic"]
@@ -38,8 +38,7 @@ any where host.os.type == "windows" and
  (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
  (dll.name : "mstscax.dll" or file.name : "mstscax.dll") and
    /* depending on noise in your env add here extra paths  */
-  process.executable :
-    (
+  process.executable : (
     "C:\\Windows\\*",
     "C:\\Users\\Public\\*",
     "C:\\Users\\Default\\*",
@@ -48,9 +47,15 @@ any where host.os.type == "windows" and
     "C:\\ProgramData\\*",
     "\\Device\\Mup\\*",
     "\\\\*"
-    ) and
-    /* add here FPs */
-  not process.executable : ("C:\\Windows\\System32\\mstsc.exe", "C:\\Windows\\SysWOW64\\mstsc.exe")
+  ) and
+  /* add here FPs */
+  not process.executable : (
+    "?:\\Windows\\System32\\mstsc.exe",
+    "?:\\Windows\\SysWOW64\\mstsc.exe",
+    "?:\\Windows\\System32\\vmconnect.exe",
+    "?:\\Windows\\System32\\WindowsSandboxClient.exe",
+    "?:\\Windows\\System32\\hvsirdpclient.exe"
+  )
 '''
 
 

diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/04"
 
 [transform]
 [[transform.osquery]]
@@ -125,16 +125,22 @@ type = "eql"
 
 query = '''
 registry where host.os.type == "windows" and
-   registry.path : (
-      "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
-      "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
-      "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
-      "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls"
-   ) and not process.executable : (
-      "C:\\Windows\\System32\\msiexec.exe",
-      "C:\\Windows\\SysWOW64\\msiexec.exe",
-      "C:\\Program Files\\Commvault\\ContentStore*\\Base\\cvd.exe",
-      "C:\\Program Files (x86)\\Commvault\\ContentStore*\\Base\\cvd.exe")
+  registry.path : (
+     "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
+     "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
+     "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
+     "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls"
+  ) and
+  not process.executable : (
+     "?:\\Windows\\System32\\DriverStore\\FileRepository\\*\\Display.NvContainer\\NVDisplay.Container.exe",
+     "?:\\Windows\\System32\\msiexec.exe",
+     "?:\\Windows\\SysWOW64\\msiexec.exe",
+     "?:\\Program Files\\Commvault\\Base\\cvd.exe",
+     "?:\\Program Files\\Commvault\\ContentStore*\\Base\\cvd.exe",
+     "?:\\Program Files (x86)\\Commvault\\Base\\cvd.exe",
+     "?:\\Program Files (x86)\\Commvault\\ContentStore*\\Base\\cvd.exe",
+     "?:\\Program Files\\NVIDIA Corporation\\Display.NvContainer\\NVDisplay.Container.exe"
+  )
 '''
 
 

diff --git a/rules/windows/persistence_local_scheduled_job_creation.toml b/rules/windows/persistence_local_scheduled_job_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/04"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,20 @@ type = "eql"
 
 query = '''
 file where host.os.type == "windows" and event.type != "deletion" and
- file.path : "?:\\Windows\\Tasks\\*" and file.extension : "job"
+  file.path : "?:\\Windows\\Tasks\\*" and file.extension : "job" and
+  not (
+    (
+      process.executable : "?:\\Program Files\\CCleaner\\CCleaner64.exe" and
+      file.path : "?:\\Windows\\Tasks\\CCleanerCrashReporting.job"
+    ) or
+    (
+      process.executable : (
+        "?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\bin\\dcagentregister.exe",
+        "?:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\dcagentregister.exe"
+      ) and
+      file.path : "?:\\Windows\\Tasks\\DCAgentUpdater.job"
+    )
+  )
 '''
 
 

diff --git a/rules/windows/persistence_scheduled_task_creation_winlog.toml b/rules/windows/persistence_scheduled_task_creation_winlog.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/01/05"
 
 [rule]
 author = ["Elastic"]
@@ -33,11 +33,16 @@ iam where event.action == "scheduled-task-created" and
  not user.name : "*$" and
 
  /* TaskContent is not parsed, exclude by full taskname noisy ones */
- not winlog.event_data.TaskName :
-             ("\\OneDrive Standalone Update Task-S-1-5-21*",
-              "\\OneDrive Standalone Update Task-S-1-12-1-*",
+ not winlog.event_data.TaskName : (
+              "\\CreateExplorerShellUnelevatedTask",
+              "\\Hewlett-Packard\\HPDeviceCheck",
+              "\\Hewlett-Packard\\HP Support Assistant\\WarrantyChecker",
+              "\\Hewlett-Packard\\HP Support Assistant\\WarrantyChecker_backup",
               "\\Hewlett-Packard\\HP Web Products Detection",
-              "\\Hewlett-Packard\\HPDeviceCheck")
+              "\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload",
+              "\\OneDrive Standalone Update Task-S-1-5-21*",
+              "\\OneDrive Standalone Update Task-S-1-12-1-*"
+ )
 '''
 
 

diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/09"
+updated_date = "2024/01/05"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-registry where host.os.type == "windows" and
+registry where host.os.type == "windows" and event.type == "change" and
   registry.path : (
       "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL",
       "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath",