[Rule Tuning] Windows DR Tuning - 13 #3369

Merged
merged 2 commits into from
Jan 17, 2024
Merged
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/04"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -38,8 +38,7 @@ any where host.os.type == "windows" and
(event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
(dll.name : "mstscax.dll" or file.name : "mstscax.dll") and
/* depending on noise in your env add here extra paths */
process.executable :
(
process.executable : (
"C:\\Windows\\*",
"C:\\Users\\Public\\*",
"C:\\Users\\Default\\*",
Expand All @@ -48,9 +47,15 @@ any where host.os.type == "windows" and
"C:\\ProgramData\\*",
"\\Device\\Mup\\*",
"\\\\*"
) and
/* add here FPs */
not process.executable : ("C:\\Windows\\System32\\mstsc.exe", "C:\\Windows\\SysWOW64\\mstsc.exe")
) and
/* add here FPs */
not process.executable : (
"?:\\Windows\\System32\\mstsc.exe",
"?:\\Windows\\SysWOW64\\mstsc.exe",
"?:\\Windows\\System32\\vmconnect.exe",
"?:\\Windows\\System32\\WindowsSandboxClient.exe",
"?:\\Windows\\System32\\hvsirdpclient.exe"
)
'''


28 changes: 17 additions & 11 deletions rules/windows/persistence_appinitdlls_registry.toml
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/04"

[transform]
[[transform.osquery]]
Expand Down Expand Up @@ -125,16 +125,22 @@ type = "eql"

query = '''
registry where host.os.type == "windows" and
registry.path : (
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
"HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls"
) and not process.executable : (
"C:\\Windows\\System32\\msiexec.exe",
"C:\\Windows\\SysWOW64\\msiexec.exe",
"C:\\Program Files\\Commvault\\ContentStore*\\Base\\cvd.exe",
"C:\\Program Files (x86)\\Commvault\\ContentStore*\\Base\\cvd.exe")
registry.path : (
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
"HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls"
) and
not process.executable : (
"?:\\Windows\\System32\\DriverStore\\FileRepository\\*\\Display.NvContainer\\NVDisplay.Container.exe",
"?:\\Windows\\System32\\msiexec.exe",
"?:\\Windows\\SysWOW64\\msiexec.exe",
"?:\\Program Files\\Commvault\\Base\\cvd.exe",
"?:\\Program Files\\Commvault\\ContentStore*\\Base\\cvd.exe",
"?:\\Program Files (x86)\\Commvault\\Base\\cvd.exe",
"?:\\Program Files (x86)\\Commvault\\ContentStore*\\Base\\cvd.exe",
"?:\\Program Files\\NVIDIA Corporation\\Display.NvContainer\\NVDisplay.Container.exe"
)
'''


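Review bot: The exclusions added at lines 107–114 are keyed on `process.executable` alone, so any process started from one of those paths — including the wildcard directory component under `DriverStore\\FileRepository\\*` — is exempt from the AppInit_Dlls alert, and the new `?:` prefix additionally accepts any drive letter. If the endpoint integration populates `process.code_signature` for these registry events, the exclusion can be bound to the expected signer rather than the path, e.g. `not (process.executable : (...) and process.code_signature.trusted == true)`; confirm the field is present in this data stream before relying on it. The same path-only pattern appears in the CCleaner and ManageEngine exclusions in persistence_local_scheduled_job_creation.toml. A one-line query comment stating what each vendor entry is excluded for, in the style of the existing `/* add here FPs */` markers, would also make future tuning reviewable. The query is a TOML multi-line string that starts inside the hunk at `query = '''`; the rule's `[rule]` metadata is outside this view.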
17 changes: 15 additions & 2 deletions rules/windows/persistence_local_scheduled_job_creation.toml
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/04"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -35,7 +35,20 @@ type = "eql"

query = '''
file where host.os.type == "windows" and event.type != "deletion" and
file.path : "?:\\Windows\\Tasks\\*" and file.extension : "job"
file.path : "?:\\Windows\\Tasks\\*" and file.extension : "job" and
not (
(
process.executable : "?:\\Program Files\\CCleaner\\CCleaner64.exe" and
file.path : "?:\\Windows\\Tasks\\CCleanerCrashReporting.job"
) or
(
process.executable : (
"?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\bin\\dcagentregister.exe",
"?:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\dcagentregister.exe"
) and
file.path : "?:\\Windows\\Tasks\\DCAgentUpdater.job"
)
)
'''


15 changes: 10 additions & 5 deletions rules/windows/persistence_scheduled_task_creation_winlog.toml
Expand Up @@ -4,7 +4,7 @@ integration = ["system", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2024/01/05"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -33,11 +33,16 @@ iam where event.action == "scheduled-task-created" and
not user.name : "*$" and

/* TaskContent is not parsed, exclude by full taskname noisy ones */
not winlog.event_data.TaskName :
("\\OneDrive Standalone Update Task-S-1-5-21*",
"\\OneDrive Standalone Update Task-S-1-12-1-*",
not winlog.event_data.TaskName : (
"\\CreateExplorerShellUnelevatedTask",
"\\Hewlett-Packard\\HPDeviceCheck",
"\\Hewlett-Packard\\HP Support Assistant\\WarrantyChecker",
"\\Hewlett-Packard\\HP Support Assistant\\WarrantyChecker_backup",
"\\Hewlett-Packard\\HP Web Products Detection",
"\\Hewlett-Packard\\HPDeviceCheck")
"\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload",
"\\OneDrive Standalone Update Task-S-1-5-21*",
"\\OneDrive Standalone Update Task-S-1-12-1-*"
)
'''


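Review bot: The exclusion list at lines 172–182 suppresses the alert purely on `winlog.event_data.TaskName`, and the new entries such as `\\CreateExplorerShellUnelevatedTask` and `\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload` are names any principal can reuse when registering a task, which the existing comment only partly conveys. I would extend the comment above the list to `/* TaskContent is not parsed, so exclusions are by full TaskName only; a task registered under one of these names by any user is also suppressed — keep this list minimal and justify each entry */`. The `iam where` query begins above the hunk, so the `not user.name : "*$"` guard on line 166 is the only other filter visible here.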
4 changes: 2 additions & 2 deletions rules/windows/persistence_services_registry.toml
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/09"
updated_date = "2024/01/05"

[rule]
author = ["Elastic"]
Expand All @@ -26,7 +26,7 @@ timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and
registry where host.os.type == "windows" and event.type == "change" and
registry.path : (
"HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL",
"HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath",
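Review bot: The `event.type == "change"` condition added on line 203 narrows the rule to modification events; if the endpoint integration reports the first write of a new service's `ImagePath` or `ServiceDLL` value under a different event type (for example a creation event), a freshly registered malicious service would no longer match — confirm against the integration's registry event types before merging. Whatever the outcome, the rationale belongs in the query so the next tuning pass does not silently widen it again, e.g. `/* value writes are reported as event.type "change"; other types excluded deliberately */`, worded to match what was verified. The `registry.path` list continues below the hunk, so the full set of monitored paths is not visible here.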