From f42f85640b46c9d28128c77b191f2ed83fe01dfe Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Thu, 31 Oct 2024 12:11:22 -0300
Subject: [PATCH] [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 3
---
 ...vasion_masquerading_trusted_directory.toml | 23 ++++++++++++++++---
 .../defense_evasion_wsl_child_process.toml | 20 +++++++++++++---
 ...arwinds_backdoor_child_cmd_powershell.toml | 6 +++--
 .../execution_enumeration_via_wmiprvse.toml | 6 +++--
 ...cution_initial_access_foxmail_exploit.toml | 11 +++++----
 rules/windows/execution_mofcomp.toml | 7 +++---
 .../windows/execution_suspicious_cmd_wmi.toml | 6 +++--
 .../execution_suspicious_pdf_reader.toml | 6 +++--
 .../execution_via_compiled_html_file.toml | 6 +++--
 ...ion_via_mmc_console_file_unusual_path.toml | 20 ++++++++++++----
 10 files changed, 82 insertions(+), 29 deletions(-)
diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
index 6528fa02643..34442a07c20 100644
--- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml
+++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/18"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -23,6 +23,7 @@ index = [
 "logs-system.security*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -41,13 +42,17 @@ tags = [
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- process.executable : "C:\\*Program*Files*\\*.exe" and
+ process.executable : (
+ "C:\\*Program*Files*\\*.exe",
+ "\\Device\\HarddiskVolume?\\*Program*Files*\\*.exe"
+ ) and
 not process.executable : (
 "?:\\Program Files\\*.exe",
 "?:\\Program Files (x86)\\*.exe",
@@ -56,6 +61,18 @@ process where host.os.type == "windows" and event.type == "start" and
 "?:\\Windows\\Downloaded Program Files\\*.exe",
 "?:\\Windows\\Temp\\.opera\\????????????\\CProgram?FilesOpera*\\*.exe",
 "?:\\Windows\\Temp\\.opera\\????????????\\CProgram?Files?(x86)Opera*\\*.exe"
+ ) and
+ not (
+ event.dataset == "crowdstrike.fdr" and
+ process.executable : (
+ "\\Device\\HarddiskVolume?\\Program Files\\*.exe",
+ "\\Device\\HarddiskVolume?\\Program Files (x86)\\*.exe",
+ "\\Device\\HarddiskVolume?\\Users\\*.exe",
+ "\\Device\\HarddiskVolume?\\ProgramData\\*.exe",
+ "\\Device\\HarddiskVolume?\\Windows\\Downloaded Program Files\\*.exe",
+ "\\Device\\HarddiskVolume?\\Windows\\Temp\\.opera\\????????????\\CProgram?FilesOpera*\\*.exe",
+ "\\Device\\HarddiskVolume?\\Windows\\Temp\\.opera\\????????????\\CProgram?Files?(x86)Opera*\\*.exe"
+ )
 )
 '''
diff --git a/rules/windows/defense_evasion_wsl_child_process.toml b/rules/windows/defense_evasion_wsl_child_process.toml
index e30d5e1abf6..eb1713f9cfb 100644
--- a/rules/windows/defense_evasion_wsl_child_process.toml
+++ b/rules/windows/defense_evasion_wsl_child_process.toml
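Review bot: `HarddiskVolume?` in the added `process.executable` include pattern and in the `event.dataset == "crowdstrike.fdr"` exclusion list matches exactly one character, so a Crowdstrike event whose executable resolves under `\Device\HarddiskVolume10` or higher never satisfies the include and is silently dropped by the rule; because the exclusion list is written with the same `?`, the two sides stay in step and the gap costs coverage rather than producing false positives. If multi-digit volume indexes occur in monitored fleets, add a parallel `HarddiskVolume??` entry to both lists, e.g. `"\\Device\\HarddiskVolume??\\*Program*Files*\\*.exe"`, rather than widening to `HarddiskVolume*`, since an EQL `*` also matches backslashes and would let the exclusions cover paths under any subdirectory of the volume. The same single-character form is used in the new blocks of defense_evasion_wsl_child_process.toml and execution_via_mmc_console_file_unusual_path.toml in this commit. The first exclusion list continues above this hunk, outside the visible lines.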
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/01/12"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -21,6 +21,7 @@ index = [
 "logs-system.security*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -39,6 +40,7 @@ tags = [
 "Data Source: System",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -53,7 +55,19 @@ process where host.os.type == "windows" and event.type : "start" and
 "?:\\Windows\\System32\\conhost.exe",
 "?:\\Windows\\System32\\lxss\\wslhost.exe",
 "?:\\Windows\\System32\\WerFault.exe",
- "?:\\Windows\\Sys*\\wslconfig.exe"
+ "?:\\Windows\\Sys?????\\wslconfig.exe"
+ ) and
+ not (
+ event.dataset == "crowdstrike.fdr" and
+ process.executable : (
+ "\\Device\\HarddiskVolume?\\Program Files (x86)\\*",
+ "\\Device\\HarddiskVolume?\\Program Files\\*",
+ "\\Device\\HarddiskVolume?\\Program Files*\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\wsl*.exe",
+ "\\Device\\HarddiskVolume?\\Windows\\System32\\conhost.exe",
+ "\\Device\\HarddiskVolume?\\Windows\\System32\\lxss\\wslhost.exe",
+ "\\Device\\HarddiskVolume?\\Windows\\System32\\WerFault.exe",
+ "\\Device\\HarddiskVolume?\\Windows\\Sys?????\\wslconfig.exe"
+ )
 )
 '''
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
index 4014a9c33c4..e80673b2bbd 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/12/14"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -22,6 +22,7 @@ index = [
 "logs-system.security*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -45,6 +46,7 @@ tags = [
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml
index 19bfe52c6de..dce7b4392db 100644
--- a/rules/windows/execution_enumeration_via_wmiprvse.toml
+++ b/rules/windows/execution_enumeration_via_wmiprvse.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/01/19"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -22,6 +22,7 @@ index = [
 "logs-system.security*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -40,6 +41,7 @@ tags = [
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_initial_access_foxmail_exploit.toml b/rules/windows/execution_initial_access_foxmail_exploit.toml
index c399add922e..7a82513cf24 100644
--- a/rules/windows/execution_initial_access_foxmail_exploit.toml
+++ b/rules/windows/execution_initial_access_foxmail_exploit.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2024/08/29"
-integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
+integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,8 @@ index = [
 "logs-windows.sysmon_operational-*",
 "logs-sentinel_one_cloud_funnel.*",
 "logs-m365_defender.event-*",
- "logs-endpoint.events.process-*"
+ "logs-endpoint.events.process-*",
+ "logs-crowdstrike.fdr*"
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -42,7 +43,8 @@ tags = [
 "Data Source: System",
 "Data Source: Elastic Endgame",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint"
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Crowdstrike"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -50,7 +52,6 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and process.parent.name : "Foxmail.exe" and process.args : ("?:\\Users\\*\\AppData\\*", "\\\\*")
-
 '''
diff --git a/rules/windows/execution_mofcomp.toml b/rules/windows/execution_mofcomp.toml
index 88b65dbfb4f..be4fb305278 100644
--- a/rules/windows/execution_mofcomp.toml
+++ b/rules/windows/execution_mofcomp.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/08/23"
-integration = ["endpoint", "m365_defender", "system"]
+integration = ["endpoint", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/10"
+updated_date = "2024/10/31"
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ files to build their own namespaces and classes into the Windows Management Inst
 establish persistence using WMI Event Subscription.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "logs-m365_defender.event-*", "endgame-*", "logs-system.security-*"]
+index = ["logs-endpoint.events.process-*", "logs-m365_defender.event-*", "endgame-*", "logs-system.security-*", "logs-crowdstrike.fdr*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Mofcomp Activity"
@@ -28,6 +28,7 @@ tags = [
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Elastic Endgame",
 "Data Source: System",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml
index 02324988eac..1e55aa7ab0d 100644
--- a/rules/windows/execution_suspicious_cmd_wmi.toml
+++ b/rules/windows/execution_suspicious_cmd_wmi.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/10/19"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -22,6 +22,7 @@ index = [
 "logs-system.security*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
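Review bot: The `index` array on the changed line of execution_mofcomp.toml stays a single inline list and now carries five entries, while the other eight files in this commit keep `index` as one entry per line (the new `"logs-crowdstrike.fdr*",` sits on its own line there); the same single-line form is retained in execution_via_mmc_console_file_unusual_path.toml, where the list has grown to eight entries. Splitting both into one-entry-per-line arrays would make future data-source additions a one-line diff and keep the rule files consistent. This is a formatting point only; the values are unchanged.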
@@ -44,6 +45,7 @@ tags = [
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml
index 2375058dbc0..bc5b378da09 100644
--- a/rules/windows/execution_suspicious_pdf_reader.toml
+++ b/rules/windows/execution_suspicious_pdf_reader.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/30"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/17"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -22,6 +22,7 @@ index = [
 "logs-system.security*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -90,6 +91,7 @@ tags = [
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml
index e46a66a7627..06deb8ff765 100644
--- a/rules/windows/execution_via_compiled_html_file.toml
+++ b/rules/windows/execution_via_compiled_html_file.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/31"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -56,6 +56,7 @@ index = [
 "logs-system.security*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -132,6 +133,7 @@ tags = [
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_via_mmc_console_file_unusual_path.toml b/rules/windows/execution_via_mmc_console_file_unusual_path.toml
index 3be58a29e04..5e8bd3c2454 100644
--- a/rules/windows/execution_via_mmc_console_file_unusual_path.toml
+++ b/rules/windows/execution_via_mmc_console_file_unusual_path.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2024/06/19"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2024/10/17"
+updated_date = "2024/10/31"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies attempts to open a Microsoft Management Console File from untrusted p
 MSC files for initial access and execution.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Microsoft Management Console File from Unusual Path"
@@ -31,14 +31,24 @@ tags = [
 "Data Source: SentinelOne",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: System",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- process.executable : "?:\\Windows\\System32\\mmc.exe" and process.args : "*.msc" and
- not process.args : ("?:\\Windows\\System32\\*.msc", "?:\\Windows\\SysWOW64\\*.msc", "?:\\Program files\\*.msc", "?:\\Program Files (x86)\\*.msc")
+ process.executable : (
+ "?:\\Windows\\System32\\mmc.exe",
+ "\\Device\\HarddiskVolume?\\Windows\\System32\\mmc.exe"
+ ) and
+ process.args : "*.msc" and
+ not process.args : (
+ "?:\\Windows\\System32\\*.msc",
+ "?:\\Windows\\SysWOW64\\*.msc",
+ "?:\\Program files\\*.msc",
+ "?:\\Program Files (x86)\\*.msc"
+ )
 '''