[Rule Tuning] Windows BBR Tuning - 1

rules_building_block/collection_posh_webcam_video_capture.toml → rules/windows/collection_posh_webcam_video_capture.toml

@@ -4,8 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/19"
-bypass_bbr_timing = true
+updated_date = "2024/01/11"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +18,7 @@ language = "kuery"
 license = "Elastic License v2"
 name = "PowerShell Script with Webcam Video Capture Capabilities"
 references = ["https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py"]
-risk_score = 21
+risk_score = 47
 rule_id = "eb44611f-62a8-4036-a5ef-587098be6c43"
 setup = """
 The 'PowerShell Script Block Logging' logging policy must be enabled.
@@ -38,10 +37,9 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Rule Type: BBR"]
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
-building_block_type = "default"
 type = "query"
 
 query = '''

rules_building_block/credential_access_kirbi_file.toml → rules/windows/credential_access_kirbi_file.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/09"
+updated_date = "2024/01/10"
 
 [rule]
 author = ["Elastic"]
@@ -13,18 +13,17 @@ Identifies the creation of .kirbi files. The creation of this kind of file is an
 Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the
 attacker to impersonate users using Kerberos tickets.
 """
-from = "now-119m"
+from = "now-9m"
 interval = "60m"
 index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Kirbi File Creation"
-risk_score = 21
+risk_score = 47
 rule_id = "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a"
-severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR"]
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
-building_block_type = "default"
 type = "eql"
 
 query = '''

rules_building_block/collection_common_compressed_archived_file.toml

@@ -5,7 +5,7 @@ integration = "endpoint"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/11"
+updated_date = "2024/01/10"
 
 [rule]
 author = ["Elastic"]
@@ -37,7 +37,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-file where event.type in ("creation", "change") and
+file where event.type in ("creation", "change") and process.executable != null and not user.id : "S-1-5-18" and
  file.Ext.header_bytes : (
                           /* compression formats */
                           "1F9D*",             /* tar zip, tar.z (Lempel-Ziv-Welch algorithm) */
@@ -73,6 +73,32 @@ file where event.type in ("creation", "change") and
                           "78617221*",         /* xar */
                           "4F4152*",           /* oar */
                           "49536328*"          /* cab archive */
+ ) and
+ not (
+   (
+     process.name : "firefox.exe" and
+     process.code_signature.subject_name : "Mozilla Corporation" and process.code_signature.trusted == true
+   ) or
+   (
+     process.name : "wazuh-agent.exe" and
+     process.code_signature.subject_name : "Wazuh, Inc" and process.code_signature.trusted == true and
+     file.name : ("ossec-*.log.gz", "tmp-entry.gz", "tmp-entry", "last-entry.gz")
+   ) or
+   (
+     process.name : "excel.exe" and
+     process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true and
+     file.extension : ("tmp", "xlsx", "gz", "xlsb", "xar", "xslm")
+   ) or
+   (
+     process.name : "Dropbox.exe" and
+     process.code_signature.subject_name : "Dropbox, Inc" and process.code_signature.trusted == true and
+     file.name : "store.bin"
+   ) or
+   (
+     process.name : "DellSupportAssistRemedationService.exe" and
+     process.code_signature.subject_name : "Dell Inc" and process.code_signature.trusted == true and
+     file.extension : "manifest"
+   )
  )
 '''
 

rules_building_block/credential_access_mdmp_file_creation.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/09/21"
+updated_date = "2024/01/10"
 bypass_bbr_timing = true
 
 [rule]
@@ -35,13 +35,16 @@ file where host.os.type == "windows" and event.type == "creation" and
 
   (
     (
+      process.name : "System" or
       process.executable : (
         "?:\\Windows\\System32\\WerFault.exe",
         "?:\\Windows\\SysWOW64\\WerFault.exe",
         "?:\\Windows\\System32\\Wermgr.exe",
         "?:\\Windows\\SysWOW64\\Wermgr.exe",
         "?:\\Windows\\System32\\WerFaultSecure.exe",
+        "?:\\Windows\\SysWOW64\\WerFaultSecure.exe",
         "?:\\Windows\\System32\\WUDFHost.exe",
+        "C:\\Windows\\System32\\rdrleakdiag.exe",
         "?:\\Windows\\System32\\Taskmgr.exe",
         "?:\\Windows\\SysWOW64\\Taskmgr.exe",
         "?:\\Program Files\\*.exe",

rules_building_block/credential_access_win_private_key_access.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/21"
+updated_date = "2024/01/10"
 
 [rule]
 author = ["Elastic"]
@@ -26,13 +26,23 @@ type = "eql"
 building_block_type = "default"
 
 query = '''
-process where host.os.type == "windows" and event.type == "start" and process.args : ("*.pem*", "*.id_rsa*") and
+process where host.os.type == "windows" and event.type == "start" and
+  process.args : ("*.pem *", "*.pem", "*.id_rsa*") and
+  not process.args: ("--tls-cert", "--ssl-cert") and
   not process.executable : (
     "?:\\ProgramData\\Logishrd\\LogiOptions\\Software\\*\\LogiLuUpdater.exe",
+    "?:\\Program Files\\Elastic\\Agent\\data\\*\\osqueryd.exe",
+    "?:\\Program Files\\Guardicore\\gc-controller.exe",
+    "?:\\Program Files\\Guardicore\\gc-deception-agent.exe",
+    "?:\\Program Files\\Guardicore\\gc-detection-agent.exe",
+    "?:\\Program Files\\Guardicore\\gc-enforcement-agent.exe",
+    "?:\\Program Files\\Guardicore\\gc-guest-agent.exe",
     "?:\\Program Files\\Logi\\LogiBolt\\LogiBoltUpdater.exe",
-    "?:\\Windows\\system32\\icacls.exe",
+    "?:\\Program Files (x86)\\Schneider Electric EcoStruxure\\Building Operation 5.0\\Device Administrator\\Python\\python.exe",
     "?:\\Program Files\\Splunk\\bin\\openssl.exe",
-    "?:\\Program Files\\Elastic\\Agent\\data\\*\\components\\osqueryd.exe",
+    "?:\\Program Files\\SplunkUniversalForwarder\\bin\\openssl.exe",
+    "?:\\Users\\*\\AppData\\Local\\Logi\\LogiBolt\\LogiBoltUpdater.exe",
+    "?:\\Windows\\system32\\icacls.exe",
     "?:\\Windows\\System32\\OpenSSH\\*"
   )
 '''