[Rule Tuning] Windows DR Tuning - 10 (#3355)

* [Rule Tuning] Windows DR Tuning - 10

* Update discovery_whoami_command_activity.toml

(cherry picked from commit c6ab294)

rules/windows/discovery_privileged_localgroup_membership.toml

@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/10/23"
+updated_date = "2023/12/21"
 
 [transform]
 [[transform.osquery]]
@@ -131,8 +131,10 @@ host.os.type:windows and event.category:iam and event.action:user-member-enumera
     group.name:(*Admin* or "RemoteDesktopUsers") or
     winlog.event_data.TargetSid:("S-1-5-32-544" or "S-1-5-32-555")
   ) and 
-  not (winlog.event_data.SubjectUserName: (*$ or "LOCAL SERVICE" or "NETWORK SERVICE") or 
-  winlog.event_data.CallerProcessName:("-" or 
+  not (
+    winlog.event_data.SubjectUserName: *$ or
+    winlog.event_data.SubjectUserSid: ("S-1-5-19" or "S-1-5-20") or 
+    winlog.event_data.CallerProcessName:("-" or 
                                        *\:\\\\Windows\\\\System32\\\\VSSVC.exe or 
                                        *\:\\\\Windows\\\\System32\\\\SearchIndexer.exe or 
                                        *\:\\\\Windows\\\\System32\\\\CompatTelRunner.exe or 
@@ -142,6 +144,7 @@ host.os.type:windows and event.category:iam and event.action:user-member-enumera
                                        *\:\\\\Windows\\\\System32\\\\Netplwiz.exe or 
                                        *\:\\\\Windows\\\\System32\\\\msiexec.exe or
                                        *\:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe or
+                                       *\:\\\\Windows\\\\System32\\\\RuntimeBroker.exe or
                                        *\:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe or
                                        *\:\\\\Windows\\\\System32\\\\SrTasks.exe or
                                        *\:\\\\Windows\\\\System32\\\\diskshadow.exe or

rules/windows/discovery_whoami_command_activity.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2023/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -74,21 +74,29 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and process.name : "whoami.exe" and
 (
-
- (/* scoped for whoami execution under system privileges */
-  (user.domain : ("NT AUTHORITY", "NT-AUTORITÄT", "AUTORITE NT", "IIS APPPOOL") or user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20")) and
-
-   not (process.parent.name : "cmd.exe" and
-        process.parent.args : ("chcp 437>nul 2>&1 & C:\\WINDOWS\\System32\\whoami.exe  /groups",
-                               "chcp 437>nul 2>&1 & %systemroot%\\system32\\whoami /user",
-                               "C:\\WINDOWS\\System32\\whoami.exe /groups",
-                               "*WINDOWS\\system32\\config\\systemprofile*")) and
-   not (process.parent.executable : "C:\\Windows\\system32\\inetsrv\\appcmd.exe" and process.parent.args : "LIST") and
-   not process.parent.executable : ("C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe",
-                                    "C:\\Program Files\\Cohesity\\cohesity_windows_agent_service.exe")) or
-
+  (
+    /* scoped for whoami execution under system privileges */
+    (
+      user.domain : ("NT *", "* NT", "IIS APPPOOL") and
+      user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20", "S-1-5-82-*") and
+      not ?winlog.event_data.SubjectUserName : "*$"
+    ) and
+    not (
+      process.parent.name : "cmd.exe" and
+      process.parent.args : (
+          "chcp 437>nul 2>&1 & C:\\WINDOWS\\System32\\whoami.exe  /groups",
+          "chcp 437>nul 2>&1 & %systemroot%\\system32\\whoami /user",
+          "C:\\WINDOWS\\System32\\whoami.exe /groups",
+          "*WINDOWS\\system32\\config\\systemprofile*"
+      )
+    ) and
+    not (process.parent.executable : "C:\\Windows\\system32\\inetsrv\\appcmd.exe" and process.parent.args : "LIST") and
+    not process.parent.executable : (
+        "C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe",
+        "C:\\Program Files\\Cohesity\\cohesity_windows_agent_service.exe"
+    )
+  ) or
   process.parent.name : ("wsmprovhost.exe", "w3wp.exe", "wmiprvse.exe", "rundll32.exe", "regsvr32.exe")
-
 )
 '''
 

rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2023/12/21"
 
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,8 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
  process.parent.name: ("SolarWinds.BusinessLayerHost.exe", "SolarWinds.BusinessLayerHostx64.exe") and
- not process.name : (
+ not (
+    process.name : (
         "APMServiceControl*.exe",
         "ExportToPDFCmd*.Exe",
         "SolarWinds.Credentials.Orion.WebApi*.exe",
@@ -49,7 +50,12 @@ process where host.os.type == "windows" and event.type == "start" and
         "WerFault.exe",
         "WerMgr.exe",
         "SolarWinds.BusinessLayerHost.exe",
-        "SolarWinds.BusinessLayerHostx64.exe") and
+        "SolarWinds.BusinessLayerHostx64.exe",
+        "SolarWinds.Topology.Calculator.exe",
+        "SolarWinds.Topology.Calculatorx64.exe",
+        "SolarWinds.APM.RealTimeProcessPoller.exe") and
+    process.code_signature.trusted == true
+ ) and
  not process.executable : ("?:\\Windows\\SysWOW64\\ARP.EXE", "?:\\Windows\\SysWOW64\\lodctr.exe", "?:\\Windows\\SysWOW64\\unlodctr.exe")
 '''
 

rules/windows/execution_command_prompt_connecting_to_the_internet.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/12/22"
 
 [transform]
 [[transform.osquery]]
@@ -118,7 +118,10 @@ sequence by process.entity_id
                                   "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
                                   "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24",
                                   "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1",
-                                  "FE80::/10", "FF00::/8")]
+                                  "FE80::/10", "FF00::/8") and
+    not dns.question.name : (
+          "wpad", "localhost", "ocsp.comodoca.com", "ocsp.digicert.com", "ocsp.sectigo.com", "crl.comodoca.com"
+    )]
 '''
 
 

rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/12/22"
 
 [transform]
 [[transform.osquery]]
@@ -119,7 +119,8 @@ sequence by process.entity_id
        "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32",
        "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4",
        "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1",
-       "FE80::/10", "FF00::/8")]
+       "FE80::/10", "FF00::/8") and
+     not dns.question.name : "localhost"]
 '''