From 4ab61e0e30893e8e1911762dc7a4b7749438bce3 Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Mon, 5 Feb 2024 12:47:24 -0300 Subject: [PATCH] [Rule Tuning] Windows BBR Tuning - 1 (#3380) * [Rule Tuning] Windows BBR Tuning - 1 * . --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> (cherry picked from commit 8274f9a8166d8dbb4545e9753c9ecaedf6330875) --- .../collection_posh_webcam_video_capture.toml | 10 +++---- .../credential_access_kirbi_file.toml | 11 ++++--- ...ction_common_compressed_archived_file.toml | 30 +++++++++++++++++-- .../credential_access_mdmp_file_creation.toml | 5 +++- ...dential_access_win_private_key_access.toml | 18 ++++++++--- 5 files changed, 55 insertions(+), 19 deletions(-) rename {rules_building_block => rules/windows}/collection_posh_webcam_video_capture.toml (92%) rename {rules_building_block => rules/windows}/credential_access_kirbi_file.toml (91%) diff --git a/rules_building_block/collection_posh_webcam_video_capture.toml b/rules/windows/collection_posh_webcam_video_capture.toml similarity index 92% rename from rules_building_block/collection_posh_webcam_video_capture.toml rename to rules/windows/collection_posh_webcam_video_capture.toml index 14e286f5ef1..538b1cc3f89 100644 --- a/rules_building_block/collection_posh_webcam_video_capture.toml +++ b/rules/windows/collection_posh_webcam_video_capture.toml @@ -4,8 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/19" -bypass_bbr_timing = true +updated_date = "2024/01/11" [rule] author = ["Elastic"] @@ -19,7 +18,7 @@ language = "kuery" license = "Elastic License v2" name = "PowerShell Script with Webcam Video Capture Capabilities" references = ["https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py"] -risk_score = 21 +risk_score = 47 rule_id = "eb44611f-62a8-4036-a5ef-587098be6c43" setup = """ The 'PowerShell Script Block Logging' logging policy must be enabled. @@ -38,10 +37,9 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ -severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Rule Type: BBR"] +severity = "medium" +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" -building_block_type = "default" type = "query" query = ''' diff --git a/rules_building_block/credential_access_kirbi_file.toml b/rules/windows/credential_access_kirbi_file.toml similarity index 91% rename from rules_building_block/credential_access_kirbi_file.toml rename to rules/windows/credential_access_kirbi_file.toml index 38e0ade1d5b..1c2a2b89dd5 100644 --- a/rules_building_block/credential_access_kirbi_file.toml +++ b/rules/windows/credential_access_kirbi_file.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/09" +updated_date = "2024/01/10" [rule] author = ["Elastic"] @@ -13,18 +13,17 @@ Identifies the creation of .kirbi files. The creation of this kind of file is an Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets. """ -from = "now-119m" +from = "now-9m" interval = "60m" index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Kirbi File Creation" -risk_score = 21 +risk_score = 47 rule_id = "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a" -severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR"] +severity = "medium" +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' diff --git a/rules_building_block/collection_common_compressed_archived_file.toml b/rules_building_block/collection_common_compressed_archived_file.toml index c3482ff67b7..6ffa4ffaff6 100644 --- a/rules_building_block/collection_common_compressed_archived_file.toml +++ b/rules_building_block/collection_common_compressed_archived_file.toml @@ -5,7 +5,7 @@ integration = "endpoint" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/11" +updated_date = "2024/01/10" [rule] author = ["Elastic"] @@ -37,7 +37,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -file where event.type in ("creation", "change") and +file where event.type in ("creation", "change") and process.executable != null and not user.id : "S-1-5-18" and file.Ext.header_bytes : ( /* compression formats */ "1F9D*", /* tar zip, tar.z (Lempel-Ziv-Welch algorithm) */ @@ -73,6 +73,32 @@ file where event.type in ("creation", "change") and "78617221*", /* xar */ "4F4152*", /* oar */ "49536328*" /* cab archive */ + ) and + not ( + ( + process.name : "firefox.exe" and + process.code_signature.subject_name : "Mozilla Corporation" and process.code_signature.trusted == true + ) or + ( + process.name : "wazuh-agent.exe" and + process.code_signature.subject_name : "Wazuh, Inc" and process.code_signature.trusted == true and + file.name : ("ossec-*.log.gz", "tmp-entry.gz", "tmp-entry", "last-entry.gz") + ) or + ( + process.name : "excel.exe" and + process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true and + file.extension : ("tmp", "xlsx", "gz", "xlsb", "xar", "xslm") + ) or + ( + process.name : "Dropbox.exe" and + process.code_signature.subject_name : "Dropbox, Inc" and process.code_signature.trusted == true and + file.name : "store.bin" + ) or + ( + process.name : "DellSupportAssistRemedationService.exe" and + process.code_signature.subject_name : "Dell Inc" and process.code_signature.trusted == true and + file.extension : "manifest" + ) ) ''' diff --git a/rules_building_block/credential_access_mdmp_file_creation.toml b/rules_building_block/credential_access_mdmp_file_creation.toml index fd56e0601cf..6e4b5fd9364 100644 --- a/rules_building_block/credential_access_mdmp_file_creation.toml +++ b/rules_building_block/credential_access_mdmp_file_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/09/21" +updated_date = "2024/01/10" bypass_bbr_timing = true [rule] @@ -35,13 +35,16 @@ file where host.os.type == "windows" and event.type == "creation" and ( ( + process.name : "System" or process.executable : ( "?:\\Windows\\System32\\WerFault.exe", "?:\\Windows\\SysWOW64\\WerFault.exe", "?:\\Windows\\System32\\Wermgr.exe", "?:\\Windows\\SysWOW64\\Wermgr.exe", "?:\\Windows\\System32\\WerFaultSecure.exe", + "?:\\Windows\\SysWOW64\\WerFaultSecure.exe", "?:\\Windows\\System32\\WUDFHost.exe", + "C:\\Windows\\System32\\rdrleakdiag.exe", "?:\\Windows\\System32\\Taskmgr.exe", "?:\\Windows\\SysWOW64\\Taskmgr.exe", "?:\\Program Files\\*.exe", diff --git a/rules_building_block/credential_access_win_private_key_access.toml b/rules_building_block/credential_access_win_private_key_access.toml index 135cc290184..76d54a6b848 100644 --- a/rules_building_block/credential_access_win_private_key_access.toml +++ b/rules_building_block/credential_access_win_private_key_access.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/21" +updated_date = "2024/01/10" [rule] author = ["Elastic"] @@ -26,13 +26,23 @@ type = "eql" building_block_type = "default" query = ''' -process where host.os.type == "windows" and event.type == "start" and process.args : ("*.pem*", "*.id_rsa*") and +process where host.os.type == "windows" and event.type == "start" and + process.args : ("*.pem *", "*.pem", "*.id_rsa*") and + not process.args: ("--tls-cert", "--ssl-cert") and not process.executable : ( "?:\\ProgramData\\Logishrd\\LogiOptions\\Software\\*\\LogiLuUpdater.exe", + "?:\\Program Files\\Elastic\\Agent\\data\\*\\osqueryd.exe", + "?:\\Program Files\\Guardicore\\gc-controller.exe", + "?:\\Program Files\\Guardicore\\gc-deception-agent.exe", + "?:\\Program Files\\Guardicore\\gc-detection-agent.exe", + "?:\\Program Files\\Guardicore\\gc-enforcement-agent.exe", + "?:\\Program Files\\Guardicore\\gc-guest-agent.exe", "?:\\Program Files\\Logi\\LogiBolt\\LogiBoltUpdater.exe", - "?:\\Windows\\system32\\icacls.exe", + "?:\\Program Files (x86)\\Schneider Electric EcoStruxure\\Building Operation 5.0\\Device Administrator\\Python\\python.exe", "?:\\Program Files\\Splunk\\bin\\openssl.exe", - "?:\\Program Files\\Elastic\\Agent\\data\\*\\components\\osqueryd.exe", + "?:\\Program Files\\SplunkUniversalForwarder\\bin\\openssl.exe", + "?:\\Users\\*\\AppData\\Local\\Logi\\LogiBolt\\LogiBoltUpdater.exe", + "?:\\Windows\\system32\\icacls.exe", "?:\\Windows\\System32\\OpenSSH\\*" ) '''