[Rule Tuning] Windows DR Tuning - 10 #3355

Merged
merged 5 commits into from
Jan 17, 2024

Conversation

w0rk3r
Contributor

@w0rk3r w0rk3r commented Dec 22, 2023

Issues

Part of #3186

Summary

Tunes the following rules:

  • Enumeration of Privileged Local Groups Membership
  • Whoami Process Activity
  • Suspicious SolarWinds Child Process
  • Command Prompt Network Connection
  • Network Connection via Compiled HTML File

@@ -119,7 +119,8 @@ sequence by process.entity_id
"192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32",
"192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4",
"100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1",
"FE80::/10", "FF00::/8")]
"FE80::/10", "FF00::/8") and
not dns.question.name : "localhost"]
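Review bot: the new `not dns.question.name : "localhost"` exclusion lands without any accompanying text saying which benign activity it is meant to suppress; a short entry in the rule's false-positives text (the rule files in this PR are TOML, e.g. discovery_whoami_command_activity.toml) would help the next person tuning this rule judge whether the exclusion is still needed. Also worth a second look at the operator placement: the removed line closed the event with `"FF00::/8")]`, while the replacement is `"FF00::/8") and` followed by `not dns.question.name : "localhost"]`, so the exclusion is ANDed with the preceding CIDR check inside the same event filter rather than becoming a separate sequence step, which is the intended scope.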
Contributor

Thank you for fixing this!

@terrancedejesus
Contributor

Unit tests failing for winlog.event_data.SubjectUserName, rather odd as it's a valid field.

@w0rk3r w0rk3r merged commit c6ab294 into main Jan 17, 2024
13 checks passed
@w0rk3r w0rk3r deleted the rt_10 branch January 17, 2024 12:44
protectionsmachine pushed a commit that referenced this pull request Jan 17, 2024
* [Rule Tuning] Windows DR Tuning - 10

* Update discovery_whoami_command_activity.toml

Removed changes from:
- rules/windows/discovery_privileged_localgroup_membership.toml

(selectively cherry picked from commit c6ab294)
protectionsmachine pushed a commit that referenced this pull request Jan 17, 2024
* [Rule Tuning] Windows DR Tuning - 10

* Update discovery_whoami_command_activity.toml

(cherry picked from commit c6ab294)
Labels

  • backport: auto
  • Domain: Endpoint
  • OS: Windows (windows related rules)
  • Rule: Tuning (tweaking or tuning an existing rule)