[Rule Tuning] Windows DR Tuning - 6 (#3246)

* [Rule Tuning] Windows DR Tuning - 6 * Update defense_evasion_masquerading_as_elastic_endpoint_process.toml * Update defense_evasion_network_connection_from_windows_binary.toml --------- Co-authored-by: Colson Wilhoit <[email protected]> (cherry picked from commit 6f4c323)
elastic · Dec 12, 2023 · dc432c5 · dc432c5
1 parent 60283ae
commit dc432c5
Show file tree

Hide file tree

Showing 7 changed files with 61 additions and 117 deletions.
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2023/12/11"
 
 [rule]
 author = ["Elastic"]
@@ -34,13 +34,31 @@ type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- process.name : ("esensor.exe", "elastic-endpoint.exe") and
- process.parent.executable != null and
+  process.name : ("esensor.exe", "elastic-endpoint.exe") and
+  process.parent.executable != null and
   /* add FPs here */
- not process.parent.executable : ("C:\\Program Files\\Elastic\\*",
-                                  "C:\\Windows\\System32\\services.exe",
-                                  "C:\\Windows\\System32\\WerFault*.exe",
-                                  "C:\\Windows\\System32\\wermgr.exe")
+  not process.parent.executable : (
+        "?:\\Program Files\\Elastic\\*",
+        "?:\\Windows\\System32\\services.exe",
+        "?:\\Windows\\System32\\WerFault*.exe",
+        "?:\\Windows\\System32\\wermgr.exe",
+        "?:\\Windows\\explorer.exe"
+  ) and
+  not (
+    process.parent.executable : (
+        "?:\\Windows\\System32\\cmd.exe",
+        "?:\\Windows\\System32\\SecurityHealthHost.exe",
+        "?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
+    ) and
+    process.args : (
+        "test", "version",
+        "top", "run",
+        "*help", "status",
+        "upgrade", "/launch",
+        "/enable"
+    )
+  )
+  
 '''
 
 

diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2023/12/11"
 
 [rule]
 author = ["Elastic"]
@@ -35,8 +35,16 @@ type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- process.executable : "C:\\*Program*Files*\\*.exe" and
- not process.executable : ("C:\\Program Files\\*.exe", "C:\\Program Files (x86)\\*.exe", "C:\\Users\\*.exe", "C:\\ProgramData\\*.exe")
+  process.executable : "C:\\*Program*Files*\\*.exe" and
+  not process.executable : (
+        "?:\\Program Files\\*.exe",
+        "?:\\Program Files (x86)\\*.exe",
+        "?:\\Users\\*.exe",
+        "?:\\ProgramData\\*.exe",
+        "?:\\Windows\\Downloaded Program Files\\*.exe",
+        "?:\\Windows\\Temp\\.opera\\????????????\\CProgram?FilesOpera*\\*.exe",
+        "?:\\Windows\\Temp\\.opera\\????????????\\CProgram?Files?(x86)Opera*\\*.exe"
+  )
 '''
 
 

diff --git a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/26"
 
 [transform]
 [[transform.osquery]]
@@ -107,7 +107,7 @@ query = '''
 sequence by process.entity_id
   [process where host.os.type == "windows" and process.name : "MSBuild.exe" and event.type == "start"]
   [network where host.os.type == "windows" and process.name : "MSBuild.exe" and
-     not cidrmatch(destination.ip, "127.0.0.1", "::1")]
+     not cidrmatch(destination.ip, "127.0.0.1", "::1", "localhost")]
 '''
 
 

diff --git a/rules/windows/defense_evasion_msxsl_beacon.toml b/rules/windows/defense_evasion_msxsl_beacon.toml
diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/09"
+updated_date = "2023/12/11"
 
 [transform]
 [[transform.osquery]]
@@ -140,15 +140,21 @@ sequence by process.entity_id with maxspan=5m
       process.name : "iexpress.exe" or
       process.name : "installutil.exe" or
       process.name : "Microsoft.Workflow.Compiler.exe" or
-      process.name : "MSBuild.exe" or
+      (
+        process.name : "msbuild.exe" and
+          destination.ip != "127.0.0.1"
+      ) or
       process.name : "msdt.exe" or
       process.name : "mshta.exe" or
       (
-         process.name : "msiexec.exe" and not
-         dns.question.name : (
-            "ocsp.digicert.com", "ocsp.verisign.com", "ocsp.comodoca.com", "ocsp.entrust.net", "ocsp.usertrust.com",
-            "ocsp.godaddy.com", "ocsp.camerfirma.com", "ocsp.globalsign.com", "ocsp.sectigo.com", "*.local"
-         )
+        process.name : "msiexec.exe" and not
+        dns.question.name : (
+           "ocsp.digicert.com", "ocsp.verisign.com", "ocsp.comodoca.com", "ocsp.entrust.net", "ocsp.usertrust.com",
+           "ocsp.godaddy.com", "ocsp.camerfirma.com", "ocsp.globalsign.com", "ocsp.sectigo.com", "*.local"
+        ) and
+        /* Localhost, DigiCert and Comodo CA IP addresses */
+        not cidrmatch(destination.ip, "127.0.0.1", "192.229.211.108/32", "192.229.221.95/32",
+                      "152.195.38.76/32", "104.18.14.101/32")
       ) or
       process.name : "msxsl.exe" or
       process.name : "odbcconf.exe" or

diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/09"
+updated_date = "2023/10/26"
 
 [transform]
 [[transform.osquery]]
@@ -110,7 +110,15 @@ sequence by host.id with maxspan=5s
               "?:\\Program Files (x86)\\*.exe",
               "?:\\Windows\\System32\\svchost.exe",
               "?:\\Windows\\System32\\drvinst.exe") and
-    not file.path : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe")
+    not file.path : (
+          "?:\\Program Files\\*.exe",
+          "?:\\Program Files (x86)\\*.exe",
+          "?:\\Windows\\Temp\\*\\DismHost.exe",
+          "?:\\$WINDOWS.~BT\\Work\\*\\DismHost.exe",
+          "?:\\$WinREAgent\\Scratch\\*\\DismHost.exe",
+          "?:\\Windows\\tenable_mw_scan_*.exe",
+          "?:\\Users\\*\\AppData\\Local\\Temp\\LogiUI\\Pak\\uninstall.exe"
+    )
    ] by file.path
 '''