[Rule Tuning] Windows DR Tuning - 14 #3376
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
w0rk3r
added
Rule: Tuning
w0rk3r
requested review from
brokensound77,
DefSecSentinel,
imays11,
Samirbous,
Aegrah,
shashank-elastic and
terrancedejesus
w0rk3r
commented
Jan 9, 2024
| @@ -13,7 +13,7 @@ Identifies Component Object Model (COM) hijacking via registry modification. Adv | |||
| executing malicious content triggered by hijacked references to COM objects. | |||
| """ | |||
| from = "now-9m" | |||
| index = ["logs-endpoint.events.*", "endgame-*"] | |||
| index = ["logs-endpoint.events.*"] | |||
There was a problem hiding this comment.
I removed Endgame support to check signer info; Endgame doesn't have this data outside process events.
Comment on lines
+109
to
+122
| process.name : "svchost.exe" and | ||
| process.code_signature.trusted == true and process.code_signature.subject_name == "Microsoft Windows Publisher" and | ||
| registry.value : "DelegateExecute" and | ||
| registry.data.strings : ( | ||
| /* https://strontic.github.io/xcyclopedia/library/clsid_4ED3A719-CEA8-4BD9-910D-E252F997AFC2.html */ | ||
| "{4ED3A719-CEA8-4BD9-910D-E252F997AFC2}", | ||
|
|
||
| /* https://strontic.github.io/xcyclopedia/library/clsid_A56A841F-E974-45C1-8001-7E3F8A085917.html */ | ||
| "{A56A841F-E974-45C1-8001-7E3F8A085917}", | ||
|
|
||
| /* https://strontic.github.io/xcyclopedia/library/clsid_BFEC0C93-0B7D-4F2C-B09C-AFFFC4BDAE78.html */ | ||
| "{BFEC0C93-0B7D-4F2C-B09C-AFFFC4BDAE78}", | ||
| "%SystemRoot%\\system32\\shdocvw.dll" | ||
| ) |
There was a problem hiding this comment.
A second 👀 to confirm if we can exclude those would be nice.
Cc @Samirbous
| rule_id = "d12bac54-ab2a-4159-933f-d7bcefa7b61d" | ||
| severity = "low" | ||
| severity = "medium" |
There was a problem hiding this comment.
Low volume, bumping severity
| "?:\\WINDOWS\\system32\\spool\\DRIVERS\\x64\\*.dll", | ||
| "?:\\WINDOWS\\system32\\spool\\DRIVERS\\W32X86\\*.dll", | ||
| "?:\\WINDOWS\\system32\\spool\\PRTPROCS\\x64\\*.dll", | ||
| "?:\\WINDOWS\\system32\\spool\\{????????-????-????-????-????????????}\\*.dll" |
There was a problem hiding this comment.
Super high volume (>900k events last 90d), ?s cover the GUID format
Aegrah
approved these changes
Jan 10, 2024
| registry.path : ("HK*\\InprocServer32\\", "\\REGISTRY\\*\\InprocServer32\\") and | ||
| registry.data.strings: ("scrobj.dll", "C:\\*\\scrobj.dll") and | ||
| registry.path : "HK*\\InprocServer32\\" and | ||
| registry.data.strings: ("scrobj.dll", "?:\\*\\scrobj.dll") and |
There was a problem hiding this comment.
Almost feel like we should audit all Windows rules and check for this.
w0rk3r
commented
Jan 12, 2024
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 15, 2024
* [Rule Tuning] Windows DR Tuning - 14 * Update persistence_suspicious_com_hijack_registry.toml * Update rules/windows/persistence_webshell_detection.toml (cherry picked from commit 0469785)
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 15, 2024
* [Rule Tuning] Windows DR Tuning - 14 * Update persistence_suspicious_com_hijack_registry.toml * Update rules/windows/persistence_webshell_detection.toml (cherry picked from commit 0469785)
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 15, 2024
* [Rule Tuning] Windows DR Tuning - 14 * Update persistence_suspicious_com_hijack_registry.toml * Update rules/windows/persistence_webshell_detection.toml (cherry picked from commit 0469785)
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 15, 2024
* [Rule Tuning] Windows DR Tuning - 14 * Update persistence_suspicious_com_hijack_registry.toml * Update rules/windows/persistence_webshell_detection.toml (cherry picked from commit 0469785)
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 15, 2024
* [Rule Tuning] Windows DR Tuning - 14 * Update persistence_suspicious_com_hijack_registry.toml * Update rules/windows/persistence_webshell_detection.toml (cherry picked from commit 0469785)
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 15, 2024
* [Rule Tuning] Windows DR Tuning - 14 * Update persistence_suspicious_com_hijack_registry.toml * Update rules/windows/persistence_webshell_detection.toml (cherry picked from commit 0469785)
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 15, 2024
* [Rule Tuning] Windows DR Tuning - 14 * Update persistence_suspicious_com_hijack_registry.toml * Update rules/windows/persistence_webshell_detection.toml (cherry picked from commit 0469785)
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 15, 2024
* [Rule Tuning] Windows DR Tuning - 14 * Update persistence_suspicious_com_hijack_registry.toml * Update rules/windows/persistence_webshell_detection.toml (cherry picked from commit 0469785)
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 15, 2024
* [Rule Tuning] Windows DR Tuning - 14 * Update persistence_suspicious_com_hijack_registry.toml * Update rules/windows/persistence_webshell_detection.toml (cherry picked from commit 0469785)
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 15, 2024
* [Rule Tuning] Windows DR Tuning - 14 * Update persistence_suspicious_com_hijack_registry.toml * Update rules/windows/persistence_webshell_detection.toml (cherry picked from commit 0469785)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issues
Part of #3186
Summary
Tunes the following rules: