[Rule Tuning] Windows BBR Tuning - 5 (#3385)

Co-authored-by: Samirbous <[email protected]> (cherry picked from commit 97e4979)
elastic · Feb 14, 2024 · be4bc16 · be4bc16
1 parent 0336015
commit be4bc16
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 16 deletions.
diff --git a/...ccess_execution_from_removable_media.toml → ...ccess_execution_from_removable_media.toml b/...ccess_execution_from_removable_media.toml → ...ccess_execution_from_removable_media.toml
@@ -4,8 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/09/27"
-bypass_bbr_timing = true
+updated_date = "2024/01/12"
 
 [rule]
 author = ["Elastic"]
@@ -22,8 +21,7 @@ name = "Execution from a Removable Media with Network Connection"
 risk_score = 21
 rule_id = "1542fa53-955e-4330-8e4d-b2d812adeb5f"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Rule Type: BBR", "Data Source: Elastic Defend"]
-building_block_type = "default"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"]
 type = "eql"
 
 query = '''

diff --git a/..._access_execution_remote_via_msiexec.toml → ..._access_execution_remote_via_msiexec.toml b/..._access_execution_remote_via_msiexec.toml → ..._access_execution_remote_via_msiexec.toml
@@ -4,8 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/09/28"
-bypass_bbr_timing = true
+updated_date = "2024/01/12"
 
 [rule]
 author = ["Elastic"]
@@ -21,8 +20,7 @@ name = "Potential Remote File Execution via MSIEXEC"
 risk_score = 21
 rule_id = "3e441bdb-596c-44fd-8628-2cfdf4516ada"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
-building_block_type = "default"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 type = "eql"
 
 query = '''

diff --git a/..._access_xsl_script_execution_via_com.toml → ..._access_xsl_script_execution_via_com.toml b/..._access_xsl_script_execution_via_com.toml → ..._access_xsl_script_execution_via_com.toml
@@ -4,8 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/09/27"
-bypass_bbr_timing = true
+updated_date = "2024/01/12"
 
 [rule]
 author = ["Elastic"]
@@ -21,8 +20,7 @@ name = "Remote XSL Script Execution via COM"
 risk_score = 21
 rule_id = "48f657ee-de4f-477c-aa99-ed88ee7af97a"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
-building_block_type = "default"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 type = "eql"
 
 query = '''

diff --git a/rules_building_block/lateral_movement_posh_winrm_activity.toml b/rules_building_block/lateral_movement_posh_winrm_activity.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/19"
+updated_date = "2024/01/12"
 
 [rule]
 author = ["Elastic"]
@@ -61,6 +61,10 @@ event.category:process and host.os.type:windows and
     ?\:\\\\Logicmonitor\\\\tmp* or
     ?\:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\* or
     ?\:\\\\ExchangeServer\\\\bin*
+  ) and not
+  powershell.file.script_block_text : (
+    "Export-ModuleMember -Function @('Invoke-Expression''Invoke-Command')" and
+    "function Invoke-Command {"
   )
 '''
 

diff --git a/rules_building_block/lateral_movement_rdp_conn_unusual_process.toml b/rules_building_block/lateral_movement_rdp_conn_unusual_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/29"
+updated_date = "2024/01/12"
 
 [rule]
 author = ["Elastic"]
@@ -30,8 +30,16 @@ type = "eql"
 query = '''
 network where host.os.type == "windows" and
   event.action == "connection_attempted" and destination.port == 3389 and
-  not process.executable : "?:\\Windows\\System32\\mstsc.exe" and
-  destination.ip != "::1" and destination.ip != "127.0.0.1"
+  destination.ip != "::1" and destination.ip != "127.0.0.1" and
+  not (
+    process.executable : (
+      "?:\\Windows\\System32\\mstsc.exe",
+      "?:\\Program Files (x86)\\mRemoteNG\\mRemoteNG.exe",
+      "?:\\Program Files (x86)\\PRTG Network Monitor\\PRTG Probe.exe",
+      "?:\\Program Files\\Azure Advanced Threat Protection Sensor\\*\\Microsoft.Tri.Sensor.exe",
+      "?:\\Program Files (x86)\\Microsoft\\Remote Desktop Connection Manager\\RDCMan.exe"
+    ) and process.code_signature.trusted == true
+  )
 '''