[Rule Tuning] Windows DR Tuning - 5

rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml

@@ -106,7 +106,10 @@ type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- process.pe.original_file_name in ("Cmd.Exe","PowerShell.EXE") and
+ (
+    (process.pe.original_file_name in ("Cmd.Exe","PowerShell.EXE")) or
+    (process.name : ("cmd.exe", "powershell.exe"))
+ ) and
 
  /* Create Symbolic Link to Shadow Copies */
  process.args : ("*mklink*", "*SymbolicLink*") and process.command_line : ("*HarddiskVolumeShadowCopy*")

rules/windows/defense_evasion_amsi_bypass_powershell.toml

@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/05"
+updated_date = "2023/10/25"
 
 [transform]
 [[transform.osquery]]
@@ -105,26 +105,28 @@ type = "query"
 
 query = '''
 event.category:"process" and host.os.type:windows and
- (powershell.file.script_block_text :
-        ("System.Management.Automation.AmsiUtils" or
-				 amsiInitFailed or 
-				 "Invoke-AmsiBypass" or 
-				 "Bypass.AMSI" or 
-				 "amsi.dll" or 
-				 AntimalwareProvider  or 
-				 amsiSession or 
-				 amsiContext or
-				 AmsiInitialize or 
-				 unloadobfuscated or 
-				 unloadsilent or 
-				 AmsiX64 or 
-				 AmsiX32 or 
-				 FindAmsiFun) or
-  powershell.file.script_block_text:("[System.Runtime.InteropServices.Marshal]::Copy" and "VirtualProtect") or
-  powershell.file.script_block_text:("[Ref].Assembly.GetType(('System.Management.Automation" and ".SetValue(")
- )
-  and not powershell.file.script_block_text : (
-    "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
+  (
+    powershell.file.script_block_text : (
+      "System.Management.Automation.AmsiUtils" or
+			amsiInitFailed or 
+			"Invoke-AmsiBypass" or 
+			"Bypass.AMSI" or 
+			"amsi.dll" or 
+			AntimalwareProvider  or 
+			amsiSession or 
+			amsiContext or
+			AmsiInitialize or 
+			unloadobfuscated or 
+			unloadsilent or 
+			AmsiX64 or 
+			AmsiX32 or 
+			FindAmsiFun
+    ) or
+    powershell.file.script_block_text:("[System.Runtime.InteropServices.Marshal]::Copy" and "VirtualProtect") or
+    powershell.file.script_block_text:("[Ref].Assembly.GetType(('System.Management.Automation" and ".SetValue(")
+  ) and
+  not powershell.file.script_block_text : (
+    "sentinelbreakpoints" and "Set-PSBreakpoint"
   )
 '''
 

rules/windows/defense_evasion_code_signing_policy_modification_registry.toml

@@ -22,9 +22,9 @@ SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, de
 [rule]
 author = ["Elastic"]
 description = """
-Identifies attempts to disable/modify the code signing policy through the registry. Code signing provides 
-authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. 
-By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code. 
+Identifies attempts to disable the code signing policy through the registry. Code signing provides authenticity on a
+program, and grants the user with the ability to check whether the program has been tampered with. By allowing the
+execution of unsigned or self-signed code, threat actors can craft and execute malicious code. 
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]

rules/windows/defense_evasion_create_mod_root_certificate.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2023/12/05"
 
 [rule]
 author = ["Elastic"]
@@ -105,16 +105,26 @@ registry where host.os.type == "windows" and event.type in ("creation", "change"
       "\\REGISTRY\\MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
       "\\REGISTRY\\MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob"
     ) and
-  not process.executable :
-              ("?:\\Program Files\\*.exe",
-               "?:\\Program Files (x86)\\*.exe",
-               "?:\\Windows\\System32\\*.exe",
-               "?:\\Windows\\SysWOW64\\*.exe",
-               "?:\\Windows\\Sysmon64.exe",
-               "?:\\Windows\\Sysmon.exe",
-               "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
-               "?:\\Windows\\WinSxS\\*.exe",
-               "?:\\Windows\\UUS\\amd64\\MoUsoCoreWorker.exe")
+  not process.executable : (
+          "?:\\ProgramData\\Lenovo\\Vantage\\Addins\\LenovoHardwareScanAddin\\*\\LdeApi.Server.exe",
+          "?:\\ProgramData\\Logishrd\\LogiOptionsPlus\\Plugins\\64\\certmgr.exe",
+          "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
+          "?:\\ProgramData\\Quest\\KACE\\modules\\clientidentifier\\clientidentifier.exe",
+          "?:\\Program Files (x86)\\*.exe",
+          "?:\\Program Files\\*.exe",
+          "?:\\Windows\\CCM\\CcmExec.exe",
+          "?:\\Windows\\ccmsetup\\cache\\ccmsetup.exe",
+          "?:\\Windows\\Cluster\\clussvc.exe",
+          "?:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe",
+          "?:\\Windows\\Lenovo\\ImController\\PluginHost86\\Lenovo.Modern.ImController.PluginHost.Device.exe",
+          "?:\\Windows\\Lenovo\\ImController\\Service\\Lenovo.Modern.ImController.exe",
+          "?:\\Windows\\Sysmon.exe",
+          "?:\\Windows\\Sysmon64.exe",
+          "?:\\Windows\\System32\\*.exe",
+          "?:\\Windows\\SysWOW64\\*.exe",
+          "?:\\Windows\\UUS\\amd64\\MoUsoCoreWorker.exe",
+          "?:\\Windows\\WinSxS\\*.exe"
+  )
 '''
 
 

rules/windows/defense_evasion_defender_disabled_via_registry.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/12/23"
-integration = ["endpoint", "windows"]
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2023/12/05"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies modifications to the Windows Defender registry settings to disable th
 started manually.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Windows Defender Disabled via Registry Modification"
@@ -98,10 +98,14 @@ registry where host.os.type == "windows" and event.type in ("creation", "change"
    )
   ) and
 
-  not process.executable :
-           ("?:\\WINDOWS\\system32\\services.exe",
-            "?:\\Windows\\System32\\svchost.exe",
-            "?:\\Program Files (x86)\\Trend Micro\\Security Agent\\NTRmv.exe")
+  not
+    (
+      process.executable : (
+          "?:\\WINDOWS\\system32\\services.exe",
+          "?:\\Windows\\System32\\svchost.exe",
+          "?:\\Program Files (x86)\\Trend Micro\\Security Agent\\NTRmv.exe"
+      ) and user.id : "S-1-5-18"
+    )
 '''