diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
index e1d3a90d392..866dd6206df 100644
--- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
+++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
@@ -106,7 +106,10 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- process.pe.original_file_name in ("Cmd.Exe","PowerShell.EXE") and
+ (
+ (process.pe.original_file_name in ("Cmd.Exe","PowerShell.EXE")) or
+ (process.name : ("cmd.exe", "powershell.exe"))
+ ) and
 /* Create Symbolic Link to Shadow Copies */
 process.args : ("*mklink*", "*SymbolicLink*") and
 process.command_line : ("*HarddiskVolumeShadowCopy*")
diff --git a/rules/windows/defense_evasion_amsi_bypass_powershell.toml b/rules/windows/defense_evasion_amsi_bypass_powershell.toml
index af1c745a665..cc320add128 100644
--- a/rules/windows/defense_evasion_amsi_bypass_powershell.toml
+++ b/rules/windows/defense_evasion_amsi_bypass_powershell.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/05"
+updated_date = "2023/10/25"
 [transform]
 [[transform.osquery]]
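Review bot: The new `process.name` leg added next to `process.pe.original_file_name` is left unexplained in the query, and the two legs match different things: EQL `in` on the PE original file name is a case-sensitive exact match that still holds for a renamed binary, while `process.name :` is case-insensitive and only sees the on-disk name. A reader cannot tell whether the second leg exists to cover events that carry no PE metadata or to work around the case sensitivity of `in`. Add an EQL comment above the new group in the style of the existing `/* Create Symbolic Link to Shadow Copies */`, e.g. `/* original_file_name survives renamed binaries; process.name covers events without PE metadata */`, adjusted to whichever reason applies; if case sensitivity is the motive and the rule's stack version allows it, `in~` would be the narrower fix. The query's closing `'''` is not visible in this hunk.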
@@ -105,26 +105,28 @@ type = "query"
 query = '''
 event.category:"process" and host.os.type:windows and
- (powershell.file.script_block_text :
- ("System.Management.Automation.AmsiUtils" or
- amsiInitFailed or
- "Invoke-AmsiBypass" or
- "Bypass.AMSI" or
- "amsi.dll" or
- AntimalwareProvider or
- amsiSession or
- amsiContext or
- AmsiInitialize or
- unloadobfuscated or
- unloadsilent or
- AmsiX64 or
- AmsiX32 or
- FindAmsiFun) or
- powershell.file.script_block_text:("[System.Runtime.InteropServices.Marshal]::Copy" and "VirtualProtect") or
- powershell.file.script_block_text:("[Ref].Assembly.GetType(('System.Management.Automation" and ".SetValue(")
- )
- and not powershell.file.script_block_text : (
- "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
+ (
+ powershell.file.script_block_text : (
+ "System.Management.Automation.AmsiUtils" or
+ amsiInitFailed or
+ "Invoke-AmsiBypass" or
+ "Bypass.AMSI" or
+ "amsi.dll" or
+ AntimalwareProvider or
+ amsiSession or
+ amsiContext or
+ AmsiInitialize or
+ unloadobfuscated or
+ unloadsilent or
+ AmsiX64 or
+ AmsiX32 or
+ FindAmsiFun
+ ) or
+ powershell.file.script_block_text:("[System.Runtime.InteropServices.Marshal]::Copy" and "VirtualProtect") or
+ powershell.file.script_block_text:("[Ref].Assembly.GetType(('System.Management.Automation" and ".SetValue(")
+ ) and
+ not powershell.file.script_block_text : (
+ "sentinelbreakpoints" and "Set-PSBreakpoint"
 )
 '''
diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
index e53afbb086e..7a58c236528 100644
--- a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
+++ b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
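Review bot: The exception at the bottom of the rewritten query is widened without explanation: dropping `"PowerSploitIndicators"` means any script block containing `sentinelbreakpoints` and `Set-PSBreakpoint` together with one of the AMSI indicators is now suppressed, where before all three strings were required. That is the only semantic change in an otherwise cosmetic re-indentation, and nothing in the hunk records which legitimate script it is meant to exempt. KQL has no comment syntax inside the `'''` string, so document it in the TOML above the query, e.g. `# FP exception: <legitimate script — placeholder> emits both "sentinelbreakpoints" and "Set-PSBreakpoint"; keep this as narrow as possible`, and consider carrying the same entry in the rule's `false_positives` list. The enclosing `[rule]` table starts outside the hunk.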
@@ -22,9 +22,9 @@ SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, de
 [rule]
 author = ["Elastic"]
 description = """
-Identifies attempts to disable/modify the code signing policy through the registry. Code signing provides
-authenticity on a program, and grants the user with the ability to check whether the program has been tampered with.
-By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.
+Identifies attempts to disable the code signing policy through the registry. Code signing provides authenticity on a
+program, and grants the user with the ability to check whether the program has been tampered with. By allowing the
+execution of unsigned or self-signed code, threat actors can craft and execute malicious code.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml
index 9b7d9ebe7f3..196f03e1b50 100644
--- a/rules/windows/defense_evasion_create_mod_root_certificate.toml
+++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2023/12/05"
 [rule]
 author = ["Elastic"]
@@ -105,16 +105,26 @@ registry where host.os.type == "windows" and event.type in ("creation", "change"
 "\\REGISTRY\\MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
 "\\REGISTRY\\MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob"
 ) and
- not process.executable :
- ("?:\\Program Files\\*.exe",
- "?:\\Program Files (x86)\\*.exe",
- "?:\\Windows\\System32\\*.exe",
- "?:\\Windows\\SysWOW64\\*.exe",
- "?:\\Windows\\Sysmon64.exe",
- "?:\\Windows\\Sysmon.exe",
- "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
- "?:\\Windows\\WinSxS\\*.exe",
- "?:\\Windows\\UUS\\amd64\\MoUsoCoreWorker.exe")
+ not process.executable : (
+ "?:\\ProgramData\\Lenovo\\Vantage\\Addins\\LenovoHardwareScanAddin\\*\\LdeApi.Server.exe",
+ "?:\\ProgramData\\Logishrd\\LogiOptionsPlus\\Plugins\\64\\certmgr.exe",
+ "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
+ "?:\\ProgramData\\Quest\\KACE\\modules\\clientidentifier\\clientidentifier.exe",
+ "?:\\Program Files (x86)\\*.exe",
+ "?:\\Program Files\\*.exe",
+ "?:\\Windows\\CCM\\CcmExec.exe",
+ "?:\\Windows\\ccmsetup\\cache\\ccmsetup.exe",
+ "?:\\Windows\\Cluster\\clussvc.exe",
+ "?:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe",
+ "?:\\Windows\\Lenovo\\ImController\\PluginHost86\\Lenovo.Modern.ImController.PluginHost.Device.exe",
+ "?:\\Windows\\Lenovo\\ImController\\Service\\Lenovo.Modern.ImController.exe",
+ "?:\\Windows\\Sysmon.exe",
+ "?:\\Windows\\Sysmon64.exe",
+ "?:\\Windows\\System32\\*.exe",
+ "?:\\Windows\\SysWOW64\\*.exe",
+ "?:\\Windows\\UUS\\amd64\\MoUsoCoreWorker.exe",
+ "?:\\Windows\\WinSxS\\*.exe"
+ )
 '''
diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
index d542076522d..41dabfb1bc1 100644
--- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml
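Review bot: The new `?:\\ProgramData\\...` exclusions (Lenovo Vantage, Logitech Options+, Quest KACE, alongside the pre-existing Defender Platform entry) are keyed on executable path alone, and ProgramData subtrees are often writable by standard users, so the exemption holds for whatever binary carries that name at that location rather than for the vendor's product. Since the rule already reads process fields, pair the vendor-specific entries with a signature condition instead of path only, e.g. `not (process.executable : ("?:\\ProgramData\\Lenovo\\...", "?:\\ProgramData\\Logishrd\\...", "?:\\ProgramData\\Quest\\...") and process.code_signature.trusted == true)` kept as a clause separate from the `?:\\Windows\\*` entries. The broad `?:\\Program Files\\*.exe` and `?:\\Program Files (x86)\\*.exe` wildcards predate this change but deserve the same treatment. The `registry where` query starts outside the hunk.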
+++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/12/23"
-integration = ["endpoint", "windows"]
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2023/12/05"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies modifications to the Windows Defender registry settings to disable th
 started manually.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Windows Defender Disabled via Registry Modification"
@@ -98,10 +98,14 @@ registry where host.os.type == "windows" and event.type in ("creation", "change"
 )
 ) and
- not process.executable :
- ("?:\\WINDOWS\\system32\\services.exe",
- "?:\\Windows\\System32\\svchost.exe",
- "?:\\Program Files (x86)\\Trend Micro\\Security Agent\\NTRmv.exe")
+ not
+ (
+ process.executable : (
+ "?:\\WINDOWS\\system32\\services.exe",
+ "?:\\Windows\\System32\\svchost.exe",
+ "?:\\Program Files (x86)\\Trend Micro\\Security Agent\\NTRmv.exe"
+ ) and user.id : "S-1-5-18"
+ )
 '''
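Review bot: Dropping `"windows"` from `integration` in the first hunk of this file, together with removing `winlogbeat-*` and `logs-windows.*` from `index` in the second hunk, takes this rule away from hosts that only ship Sysmon or Windows event-log data, and nothing in the diff says why. If the narrowing is deliberate (for instance because `registry.path` or `registry.data.strings` are shaped differently outside the endpoint integration), record it in the rule's `note` or as a TOML comment above `index`, e.g. `# endpoint-only: <reason — placeholder>`; otherwise this is a silent coverage loss that belongs in its own change.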
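Review bot: In the rewritten exception of the last hunk, the `user.id : "S-1-5-18"` guard materially narrows the Trend Micro `NTRmv.exe` entry but is close to a no-op for `services.exe` and `svchost.exe`, which ordinarily run as SYSTEM, so those two remain effectively path-only exclusions. If that is accepted, say so with an EQL comment inside the group, e.g. `/* services.exe and svchost.exe normally run as SYSTEM; the user.id check mainly constrains NTRmv.exe */`. Path casing is also mixed (`?:\\WINDOWS\\system32\\services.exe` next to `?:\\Windows\\System32\\svchost.exe`); `:` is case-insensitive so behaviour is unaffected, but normalising to one form keeps the list greppable. The enclosing `registry where` query begins outside the hunk.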