From 1dbd44679e7c3ca356cb56068371a00766e78086 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Fri, 12 Jan 2024 10:08:20 -0300
Subject: [PATCH 1/2] [Rule Tuning] Windows BBR Tuning - 4

---
 rules_building_block/discovery_posh_generic.toml | 13 +++++++++----
 .../discovery_posh_password_policy.toml | 6 +++++-
 .../discovery_system_time_discovery.toml | 8 +++++---
 .../execution_settingcontent_ms_file_creation.toml | 5 +++--
 .../execution_unsigned_service_executable.toml | 5 +++--
 5 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/rules_building_block/discovery_posh_generic.toml b/rules_building_block/discovery_posh_generic.toml
index 90aef70220d..8614a570246 100644
--- a/rules_building_block/discovery_posh_generic.toml
+++ b/rules_building_block/discovery_posh_generic.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/19"
+updated_date = "2024/01/12"
 
 [rule]
 
@@ -47,9 +47,6 @@ building_block_type = "default"
 query = '''
 event.category:process and host.os.type:windows and
 powershell.file.script_block_text : (
- (
- ("Get-ItemProperty" or "Get-Item") and "-Path"
- ) or
 (
 "Get-ADDefaultDomainPasswordPolicy" or
 "Get-ADDomain" or "Get-ComputerInfo" or
@@ -132,6 +129,14 @@ event.category:process and host.os.type:windows and
 )
 )
 ) and
+ not powershell.file.script_block_text : (
+ (
+ "__cmdletization_BindCommonParameters" and
+ "Microsoft.PowerShell.Core\Export-ModuleMember" and
+ "Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter"
+ ) or
+ "CmdletsToExport=@(\"Add-Content\","
+ ) and
 not user.id : ("S-1-5-18" or "S-1-5-19" or "S-1-5-20") and
 not file.path : (
 ?\:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\*.psd1 or
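Review bot: The exclusion added in the third hunk is keyed on script-block content alone, so it suppresses any script block that contains the listed strings; `"CmdletsToExport=@(\"Add-Content\","` in particular is a single literal with no path or user scoping, unlike the `file.path` allow-list on `*.psd1` that immediately follows it. Scoping the new clause the same way (module manifest paths), or recording in the rule's false-positive notes which manifests it is meant to cover, would keep the suppression narrow and auditable. Separately, `"Microsoft.PowerShell.Core\Export-ModuleMember"` appears to rely on the KQL parser keeping an unrecognized `\E` as a literal backslash; `"Microsoft.PowerShell.Core\\Export-ModuleMember"` states the intent explicitly and matches the escaping used in the `file.path` patterns. The removal of `("Get-ItemProperty" or "Get-Item") and "-Path"` in the second hunk narrows coverage rather than just cutting noise and is worth a sentence in the commit message or rule notes.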
diff --git a/rules_building_block/discovery_posh_password_policy.toml b/rules_building_block/discovery_posh_password_policy.toml
index 36899ec8823..b2021ba7caa 100644
--- a/rules_building_block/discovery_posh_password_policy.toml
+++ b/rules_building_block/discovery_posh_password_policy.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/19"
+updated_date = "2024/01/12"
 
 [rule]
 author = ["Elastic"]
@@ -76,6 +76,10 @@ event.category: "process" and host.os.type:windows and
 ) and not powershell.file.script_block_text : (
 "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
 )
+ and not
+ (
+ powershell.file.script_block_text : ("43c15630-959c-49e4-a977-758c5cc93408" and "CmdletsToExport" and "ActiveDirectory.Types.ps1xml")
+ )
 and not user.id : "S-1-5-18"
 '''
 
diff --git a/rules_building_block/discovery_system_time_discovery.toml b/rules_building_block/discovery_system_time_discovery.toml
index 6ec48630391..48969a68d7c 100644
--- a/rules_building_block/discovery_system_time_discovery.toml
+++ b/rules_building_block/discovery_system_time_discovery.toml
@@ -4,7 +4,7 @@ integration = ["windows", "endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/09/21"
+updated_date = "2024/01/12"
 bypass_bbr_timing = true
 
 [rule]
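Review bot: The new `and not ( powershell.file.script_block_text : (...) )` block wraps a single predicate in its own parenthesised group across four lines, which reads differently from the `and not powershell.file.script_block_text : (` form used by the existing exclusion two lines above; folding it to one line, `and not powershell.file.script_block_text : ("43c15630-959c-49e4-a977-758c5cc93408" and "CmdletsToExport" and "ActiveDirectory.Types.ps1xml")`, keeps the query uniform. The GUID is an undocumented magic value — presumably a module manifest identifier, which the hunk does not let me confirm — so its meaning belongs in the rule's false-positive notes where the next person tuning this rule can verify it. As with the `sentinelbreakpoints` exclusion it sits beside, this suppression is content-based rather than path- or user-based, so it applies to any script block carrying those three strings.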
@@ -36,8 +36,10 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
 (
- ((process.name: "net.exe" or (process.name : "net1.exe" and not process.parent.name : "net.exe")) and
- process.args : "time") or
+ (
+ (process.name: "net.exe" or (process.name : "net1.exe" and not process.parent.name : "net.exe")) and
+ process.args : "time" and not process.args : ("/set")
+ ) or
 (process.name: "w32tm.exe" and process.args: "/tz") or
 (process.name: "tzutil.exe" and process.args: "/g")
 ) and not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20")
diff --git a/rules_building_block/execution_settingcontent_ms_file_creation.toml b/rules_building_block/execution_settingcontent_ms_file_creation.toml
index c2caa7014c8..af5335d6065 100644
--- a/rules_building_block/execution_settingcontent_ms_file_creation.toml
+++ b/rules_building_block/execution_settingcontent_ms_file_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/24"
+updated_date = "2024/01/12"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,8 @@ type = "eql"
 
 query = '''
 file where host.os.type == "windows" and event.type == "creation" and
- file.extension : "settingcontent-ms"
+ file.extension : "settingcontent-ms" and
+ not file.path : "?:\\Users\\*\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_*\\LocalState\\Indexed\\Settings\\*"
 '''
 
 [[rule.threat]]
diff --git a/rules_building_block/execution_unsigned_service_executable.toml b/rules_building_block/execution_unsigned_service_executable.toml
index dccb42a8f75..2df42a152e8 100644
--- a/rules_building_block/execution_unsigned_service_executable.toml
+++ b/rules_building_block/execution_unsigned_service_executable.toml
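Review bot: The new `not file.path : "?:\\Users\\*\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_*\\LocalState\\Indexed\\Settings\\*"` exclusion in the settingcontent-ms hunk is keyed on a user-profile path alone, with no constraint on the creating process, so every `.settingcontent-ms` creation under that directory is suppressed regardless of who writes it. If the benign source is one system component (presumably the Settings app or the search indexer — confirm from the false-positive telemetry that motivated this change), pairing the path with `process.executable` or `process.name` keeps the exclusion as narrow as the noise it addresses. The reason for the exclusion would also fit in the rule's false-positive notes so the next tuner does not have to rediscover it.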
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/09/19"
+updated_date = "2024/01/12"
 bypass_bbr_timing = true
 
 [rule]
@@ -36,7 +36,8 @@ type = "new_terms"
 query = '''
 host.os.type:windows and event.category:process and event.type:start and
 process.parent.executable:"C:\\Windows\\System32\\services.exe" and
-(process.code_signature.exists:false or process.code_signature.trusted:false)
+(process.code_signature.exists:false or process.code_signature.trusted:false) and
+not process.code_signature.status : (errorCode_endpoint* or "errorChaining")
 '''
 
 [[rule.threat]]

From 06a93c85bb04cdbd9dc048d734e555c55f1e71f8 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Fri, 12 Jan 2024 10:09:57 -0300
Subject: [PATCH 2/2] Update discovery_system_time_discovery.toml

---
 rules_building_block/discovery_system_time_discovery.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules_building_block/discovery_system_time_discovery.toml b/rules_building_block/discovery_system_time_discovery.toml
index 48969a68d7c..7787837210a 100644
--- a/rules_building_block/discovery_system_time_discovery.toml
+++ b/rules_building_block/discovery_system_time_discovery.toml
@@ -38,7 +38,7 @@ process where host.os.type == "windows" and event.type == "start" and
 (
 (
 (process.name: "net.exe" or (process.name : "net1.exe" and not process.parent.name : "net.exe")) and
- process.args : "time" and not process.args : ("/set")
+ process.args : "time" and not process.args : "/set"
 ) or
 (process.name: "w32tm.exe" and process.args: "/tz") or
 (process.name: "tzutil.exe" and process.args: "/g")
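Review bot: `not process.code_signature.status : (errorCode_endpoint* or "errorChaining")` in the unsigned-service hunk folds two different conditions into one exclusion: `errorCode_endpoint*` looks like sensor-side lookup failures, whereas `errorChaining` — as I read Elastic Endpoint's status values, confirm against the field reference — denotes a signature whose certificate chain does not validate, i.e. a binary that is signed but not by a trusted chain. Excluding the latter means a service executable carrying an untrusted or self-signed certificate no longer surfaces under `process.code_signature.trusted:false`, which is a coverage change rather than a noise fix for a new-terms rule. Consider keeping only `not process.code_signature.status : errorCode_endpoint*`, or recording in the rule notes why chaining errors are treated as benign on this fleet.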