From c55eb80d2a3ba870b942d21cde0a98e12fd46ea2 Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Tue, 12 Dec 2023 11:37:54 -0300 Subject: [PATCH] [Rule Tuning] Windows DR Tuning - 6 (#3246) * [Rule Tuning] Windows DR Tuning - 6 * Update defense_evasion_masquerading_as_elastic_endpoint_process.toml * Update defense_evasion_network_connection_from_windows_binary.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit 6f4c323929be015b332b8c7dd6924bd8d9e1e1f0) --- ...querading_as_elastic_endpoint_process.toml | 32 +++++++++--- ...vasion_masquerading_trusted_directory.toml | 14 +++-- ...fense_evasion_msbuild_beacon_sequence.toml | 51 ------------------- ...on_msbuild_making_network_connections.toml | 4 +- .../windows/defense_evasion_msxsl_beacon.toml | 45 ---------------- ...etwork_connection_from_windows_binary.toml | 20 +++++--- ...cess_termination_followed_by_deletion.toml | 12 ++++- 7 files changed, 61 insertions(+), 117 deletions(-) delete mode 100644 rules/windows/defense_evasion_msbuild_beacon_sequence.toml delete mode 100644 rules/windows/defense_evasion_msxsl_beacon.toml diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml index 8952dee1271..e3ffd906e37 100644 --- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml +++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2023/12/11" [rule] author = ["Elastic"] 
@@ -34,13 +34,31 @@ type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and - process.name : ("esensor.exe", "elastic-endpoint.exe") and - process.parent.executable != null and + process.name : ("esensor.exe", "elastic-endpoint.exe") and + process.parent.executable != null and /* add FPs here */ - not process.parent.executable : ("C:\\Program Files\\Elastic\\*", - "C:\\Windows\\System32\\services.exe", - "C:\\Windows\\System32\\WerFault*.exe", - "C:\\Windows\\System32\\wermgr.exe") + not process.parent.executable : ( + "?:\\Program Files\\Elastic\\*", + "?:\\Windows\\System32\\services.exe", + "?:\\Windows\\System32\\WerFault*.exe", + "?:\\Windows\\System32\\wermgr.exe", + "?:\\Windows\\explorer.exe" + ) and + not ( + process.parent.executable : ( + "?:\\Windows\\System32\\cmd.exe", + "?:\\Windows\\System32\\SecurityHealthHost.exe", + "?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" + ) and + process.args : ( + "test", "version", + "top", "run", + "*help", "status", + "upgrade", "/launch", + "/enable" + ) + ) + ''' diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml index 0d71ea1ff63..0e9d8150766 100644 --- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml +++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2023/12/11" [rule] author = ["Elastic"] 
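Review bot: The new parent exclusions in this hunk — `"?:\\Windows\\explorer.exe"` and the cmd.exe/SecurityHealthHost.exe/powershell.exe block gated on `process.args` — key only on the process name, so a binary merely named `elastic-endpoint.exe` launched from Explorer, or from a shell with an argument such as `run`, `test` or `status`, now falls outside a rule whose purpose is to catch that exact masquerade. Consider binding those exceptions to the genuine binary rather than its name, e.g. adding `process.code_signature.subject_name : "<Elastic signer subject>" and process.code_signature.trusted == true` to the excluded branch, or restricting it to the install path already listed as `"?:\\Program Files\\Elastic\\*"`. The `/* add FPs here */` comment should also record why Explorer is treated as a benign parent, e.g. `/* explorer.exe: interactive launches of the endpoint CLI by operators */`.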
@@ -35,8 +35,16 @@ type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and - process.executable : "C:\\*Program*Files*\\*.exe" and - not process.executable : ("C:\\Program Files\\*.exe", "C:\\Program Files (x86)\\*.exe", "C:\\Users\\*.exe", "C:\\ProgramData\\*.exe") + process.executable : "C:\\*Program*Files*\\*.exe" and + not process.executable : ( + "?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\Users\\*.exe", + "?:\\ProgramData\\*.exe", + "?:\\Windows\\Downloaded Program Files\\*.exe", + "?:\\Windows\\Temp\\.opera\\????????????\\CProgram?FilesOpera*\\*.exe", + "?:\\Windows\\Temp\\.opera\\????????????\\CProgram?Files?(x86)Opera*\\*.exe" + ) ''' diff --git a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml deleted file mode 100644 index a190c6bcaff..00000000000 --- a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml +++ /dev/null 
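Review bot: The two `?:\\Windows\\Temp\\.opera\\...` exceptions added here exclude executables under a directory that standard users can write to, and they are keyed on path alone, so anything that reproduces that layout is excused from a rule meant to spot binaries in look-alike "Program Files" directories. If these come from the Opera installer, pin the exception to the publisher as well, e.g. `not (process.executable : "?:\\Windows\\Temp\\.opera\\*" and process.code_signature.subject_name : "<Opera signer subject>" and process.code_signature.trusted == true)`, and note the source in a comment above the list. Separately, the positive match still hard-codes `C:` (`process.executable : "C:\\*Program*Files*\\*.exe"`) while every new exclusion uses `?:`, so the rule still only fires for the C: drive; `"?:\\*Program*Files*\\*.exe"` would make the match consistent with the exclusions.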
@@ -1,51 +0,0 @@ -[metadata] -creation_date = "2020/09/02" -integration = ["endpoint", "windows"] -maturity = "development" -updated_date = "2023/06/22" - -[rule] -author = ["Elastic"] -description = """ -Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often -leveraged by adversaries to execute code and evade detection. -""" -from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] -language = "eql" -license = "Elastic License v2" -name = "MsBuild Network Connection Sequence" -risk_score = 47 -rule_id = "9dc6ed5d-62a9-4feb-a903-fafa1d33b8e9" -severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] -type = "eql" - -query = ''' -/* duplicate of MsBuild Making Network Connections - 0e79980b-4250-4a50-a509-69294c14e84b */ - -sequence by process.entity_id - [process where host.os.type == "windows" and event.type == "start" and process.name : "MSBuild.exe"] - [network where host.os.type == "windows" and process.name : "MSBuild.exe" and - not (destination.ip == "127.0.0.1" and source.ip == "127.0.0.1")] -''' - - -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1127" -name = "Trusted Developer Utilities Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1127/" -[[rule.threat.technique.subtechnique]] -id = "T1127.001" -name = "MSBuild" -reference = "https://attack.mitre.org/techniques/T1127/001/" - - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml index bb31c61767d..ac56fd92294 100644 --- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml 
+++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/26" [transform] [[transform.osquery]] @@ -107,7 +107,7 @@ query = ''' sequence by process.entity_id [process where host.os.type == "windows" and process.name : "MSBuild.exe" and event.type == "start"] [network where host.os.type == "windows" and process.name : "MSBuild.exe" and - not cidrmatch(destination.ip, "127.0.0.1", "::1")] + not cidrmatch(destination.ip, "127.0.0.1", "::1", "localhost")] ''' diff --git a/rules/windows/defense_evasion_msxsl_beacon.toml b/rules/windows/defense_evasion_msxsl_beacon.toml deleted file mode 100644 index ffce1df2d60..00000000000 --- a/rules/windows/defense_evasion_msxsl_beacon.toml +++ /dev/null 
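Review bot: `"localhost"` in the new `cidrmatch(destination.ip, "127.0.0.1", "::1", "localhost")` is a hostname, not an IP address or CIDR, so it can never match a `destination.ip` value; depending on the EQL validator in use it may also be rejected outright as an invalid CIDR argument. Dropping it restores the previous, correct exclusion: `not cidrmatch(destination.ip, "127.0.0.1", "::1")]`. The `sequence` this line belongs to starts before the hunk.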
@@ -1,45 +0,0 @@ -[metadata] -creation_date = "2020/09/02" -integration = ["endpoint", "windows"] -maturity = "development" -updated_date = "2023/06/22" - -[rule] -author = ["Elastic"] -description = """ -Identifies MsXsl.exe making outbound network connections. This may indicate adversarial activity as MsXsl is often -leveraged by adversaries to execute malicious scripts and evade detection. -""" -from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] -language = "eql" -license = "Elastic License v2" -name = "MsXsl Making Network Connections" -risk_score = 47 -rule_id = "870d1753-1078-403e-92d4-735f142edcca" -severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] -type = "eql" - -query = ''' -/* duplicate of Network Connection via MsXsl - b86afe07-0d98-4738-b15d-8d7465f95ff5 */ - -sequence by process.entity_id - [process where host.os.type == "windows" and event.type == "start" and process.name : "msxsl.exe"] - [network where host.os.type == "windows" and process.name : "msxsl.exe" and network.direction : ("outgoing", "egress")] -''' - - -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1220" -name = "XSL Script Processing" -reference = "https://attack.mitre.org/techniques/T1220/" - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml index 8ab0013701a..fa25ac41419 100644 --- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml +++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/09" +updated_date = "2023/12/11" [transform] [[transform.osquery]] @@ -140,15 +140,21 @@ sequence by process.entity_id with maxspan=5m process.name : "iexpress.exe" or process.name : "installutil.exe" or process.name : "Microsoft.Workflow.Compiler.exe" or - process.name : "MSBuild.exe" or + ( + process.name : "msbuild.exe" and + destination.ip != "127.0.0.1" + ) or process.name : "msdt.exe" or process.name : "mshta.exe" or ( - process.name : "msiexec.exe" and not - dns.question.name : ( - "ocsp.digicert.com", "ocsp.verisign.com", "ocsp.comodoca.com", "ocsp.entrust.net", "ocsp.usertrust.com", - "ocsp.godaddy.com", "ocsp.camerfirma.com", "ocsp.globalsign.com", "ocsp.sectigo.com", "*.local" - ) + process.name : "msiexec.exe" and not + dns.question.name : ( + "ocsp.digicert.com", "ocsp.verisign.com", "ocsp.comodoca.com", "ocsp.entrust.net", "ocsp.usertrust.com", + "ocsp.godaddy.com", "ocsp.camerfirma.com", "ocsp.globalsign.com", "ocsp.sectigo.com", "*.local" + ) and + /* Localhost, DigiCert and Comodo CA IP addresses */ + not cidrmatch(destination.ip, "127.0.0.1", "192.229.211.108/32", "192.229.221.95/32", + "152.195.38.76/32", "104.18.14.101/32") ) or process.name : "msxsl.exe" or process.name : "odbcconf.exe" or diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml index 3c844a402a9..29517e1a056 100644 --- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml +++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml 
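Review bot: The new `msbuild.exe` branch excludes loopback with `destination.ip != "127.0.0.1"`, which misses IPv6 loopback and is inconsistent with the `cidrmatch` form used in the `msiexec.exe` branch a few lines below; `not cidrmatch(destination.ip, "127.0.0.1", "::1")` would close that gap and keep one idiom across the rule. The msiexec exception also hard-codes four `/32` addresses for the OCSP responders; such addresses are typically CDN-fronted and change without notice, so the comment above them should record where they came from and when they were last checked, e.g. `/* Localhost plus DigiCert/Comodo OCSP endpoints as resolved on <date>; re-verify periodically */`. The enclosing `sequence` starts before this hunk and continues past it.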
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/09" +updated_date = "2023/10/26" [transform] [[transform.osquery]] @@ -110,7 +110,15 @@ sequence by host.id with maxspan=5s "?:\\Program Files (x86)\\*.exe", "?:\\Windows\\System32\\svchost.exe", "?:\\Windows\\System32\\drvinst.exe") and - not file.path : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe") + not file.path : ( + "?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\Windows\\Temp\\*\\DismHost.exe", + "?:\\$WINDOWS.~BT\\Work\\*\\DismHost.exe", + "?:\\$WinREAgent\\Scratch\\*\\DismHost.exe", + "?:\\Windows\\tenable_mw_scan_*.exe", + "?:\\Users\\*\\AppData\\Local\\Temp\\LogiUI\\Pak\\uninstall.exe" + ) ] by file.path '''
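Review bot: Several of the `file.path` exceptions added here — `?:\\Windows\\Temp\\*\\DismHost.exe` and `?:\\Users\\*\\AppData\\Local\\Temp\\LogiUI\\Pak\\uninstall.exe` — sit under directories ordinary users can write to and are matched on path alone, so the deletion of any file placed at such a path is now excused from a rule that looks for self-cleanup after process termination. If the file event carries signature data, tighten them with `file.code_signature.subject_name` and `file.code_signature.trusted`; otherwise scope them to the deleting process via `process.executable`, as the exclusion list visible just above already does for other cases. A short comment naming the product each entry covers (DISM servicing, presumably Tenable and Logitech tooling) would help the next tuning pass. The enclosing `sequence` starts before this hunk.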