[Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 3 #4222

Merged (2 commits), Nov 4, 2024
23 changes: 20 additions & 3 deletions rules/windows/defense_evasion_masquerading_trusted_directory.toml
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/11/18"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/10/15"
updated_date = "2024/10/31"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -23,6 +23,7 @@ index = [
"logs-system.security*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
@@ -41,13 +42,17 @@ tags = [
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
process.executable : "C:\\*Program*Files*\\*.exe" and
process.executable : (
"C:\\*Program*Files*\\*.exe",
Contributor: Any reason why there are wildcards?

Contributor Author: To match directories that masquerade as Program Files, not the original.

"\\Device\\HarddiskVolume?\\*Program*Files*\\*.exe"
) and
not process.executable : (
"?:\\Program Files\\*.exe",
"?:\\Program Files (x86)\\*.exe",
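Review bot: the new `\\Device\\HarddiskVolume?\\*Program*Files*\\*.exe` inclusion is evaluated for every dataset, but the device-path exclusions added in the next hunk are wrapped in `event.dataset == "crowdstrike.fdr"`. A non-FDR source that ever reports an NT device path for a legitimate binary under `\Device\HarddiskVolumeN\Program Files\` would therefore match here and skip the exclusion. Either gate this pattern on the same dataset check, or drop the dataset condition from the exclusion block so both lists apply symmetrically. The cost argument given in the inline reply for gating the exclusions applies at least as much to this leading-wildcard inclusion pattern.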
@@ -56,6 +61,18 @@ process where host.os.type == "windows" and event.type == "start" and
"?:\\Windows\\Downloaded Program Files\\*.exe",
"?:\\Windows\\Temp\\.opera\\????????????\\CProgram?FilesOpera*\\*.exe",
"?:\\Windows\\Temp\\.opera\\????????????\\CProgram?Files?(x86)Opera*\\*.exe"
) and
not (
event.dataset == "crowdstrike.fdr" and
Contributor: Just curious, what is this about?

Contributor Author: To not execute these wildcards unless the dataset is Crowdstrike, so we don't make the query more expensive by adding it.

process.executable : (
"\\Device\\HarddiskVolume?\\Program Files\\*.exe",
"\\Device\\HarddiskVolume?\\Program Files (x86)\\*.exe",
"\\Device\\HarddiskVolume?\\Users\\*.exe",
"\\Device\\HarddiskVolume?\\ProgramData\\*.exe",
"\\Device\\HarddiskVolume?\\Windows\\Downloaded Program Files\\*.exe",
"\\Device\\HarddiskVolume?\\Windows\\Temp\\.opera\\????????????\\CProgram?FilesOpera*\\*.exe",
"\\Device\\HarddiskVolume?\\Windows\\Temp\\.opera\\????????????\\CProgram?Files?(x86)Opera*\\*.exe"
)
)
'''

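Review bot: `HarddiskVolume?` matches exactly one character, so on a host whose volume number is 10 or higher none of these exclusions apply and legitimate executables under `\Device\HarddiskVolume10\Program Files\` would alert; add a `HarddiskVolume??` variant for each entry or accept the gap explicitly. The same applies to every `HarddiskVolume?` pattern in this PR. Separately, this list carries `Users` and `ProgramData` entries whose `?:\\` counterparts sit in the collapsed part of the hunk; the two lists need to be kept identical, and a short comment above the `not (` block saying so would help whoever edits one of them next.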
20 changes: 17 additions & 3 deletions rules/windows/defense_evasion_wsl_child_process.toml
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2023/01/12"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/10/15"
updated_date = "2024/10/31"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -21,6 +21,7 @@ index = [
"logs-system.security*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
@@ -39,6 +40,7 @@ tags = [
"Data Source: System",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -53,7 +55,19 @@ process where host.os.type == "windows" and event.type : "start" and
"?:\\Windows\\System32\\conhost.exe",
"?:\\Windows\\System32\\lxss\\wslhost.exe",
"?:\\Windows\\System32\\WerFault.exe",
"?:\\Windows\\Sys*\\wslconfig.exe"
"?:\\Windows\\Sys?????\\wslconfig.exe"
) and
not (
event.dataset == "crowdstrike.fdr" and
process.executable : (
"\\Device\\HarddiskVolume?\\Program Files (x86)\\*",
"\\Device\\HarddiskVolume?\\Program Files\\*",
"\\Device\\HarddiskVolume?\\Program Files*\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\wsl*.exe",
"\\Device\\HarddiskVolume?\\Windows\\System32\\conhost.exe",
"\\Device\\HarddiskVolume?\\Windows\\System32\\lxss\\wslhost.exe",
"\\Device\\HarddiskVolume?\\Windows\\System32\\WerFault.exe",
"\\Device\\HarddiskVolume?\\Windows\\Sys?????\\wslconfig.exe"
)
)
'''

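Review bot: the `"?:\\Windows\\Sys*\\wslconfig.exe"` to `"?:\\Windows\\Sys?????\\wslconfig.exe"` edit is a tightening that applies to all datasets, not only FDR: it now matches the 8-character `System32` and `SysWOW64` directory names only, and would no longer match a `Sysnative` path (9 characters) if any source reports that alias. It looks intentional, since the FDR list uses the same `Sys?????` form, but it is a behaviour change outside the scope of the Crowdstrike addition and deserves a line in the PR description.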
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/12/14"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/10/15"
updated_date = "2024/10/31"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -22,6 +22,7 @@ index = [
"logs-system.security*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
@@ -45,6 +46,7 @@ tags = [
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
]
timestamp_override = "event.ingested"
type = "eql"
6 changes: 4 additions & 2 deletions rules/windows/execution_enumeration_via_wmiprvse.toml
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2021/01/19"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/10/15"
updated_date = "2024/10/31"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -22,6 +22,7 @@ index = [
"logs-system.security*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
@@ -40,6 +41,7 @@ tags = [
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
]
timestamp_override = "event.ingested"
type = "eql"
11 changes: 6 additions & 5 deletions rules/windows/execution_initial_access_foxmail_exploit.toml
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2024/08/29"
integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/15"
updated_date = "2024/10/31"

[rule]
author = ["Elastic"]
@@ -22,7 +22,8 @@ index = [
"logs-windows.sysmon_operational-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-m365_defender.event-*",
"logs-endpoint.events.process-*"
"logs-endpoint.events.process-*",
"logs-crowdstrike.fdr*"
]
language = "eql"
license = "Elastic License v2"
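Review bot: style, the index array in this file omits the trailing comma after its last element, so adding `"logs-crowdstrike.fdr*"` also has to rewrite `"logs-endpoint.events.process-*"` as `"logs-endpoint.events.process-*",`. The other rules touched in this PR keep a trailing comma (`"logs-sentinel_one_cloud_funnel.*",` followed by `]`), which keeps a future addition to a one-line diff; worth normalising while the line is being touched anyway. The tags array in this file has the same shape.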
@@ -42,15 +43,15 @@ tags = [
"Data Source: System",
"Data Source: Elastic Endgame",
"Data Source: SentinelOne",
"Data Source: Microsoft Defender for Endpoint"
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Crowdstrike"
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
process.parent.name : "Foxmail.exe" and process.args : ("?:\\Users\\*\\AppData\\*", "\\\\*")

'''


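Review bot: the query is left unchanged while the index gains `logs-crowdstrike.fdr*`, and its first argument pattern `"?:\\Users\\*\\AppData\\*"` assumes a drive-letter path. The other rules in this PR handle FDR `process.executable` values in `\\Device\\HarddiskVolume?\\...` form; confirm that FDR `process.args` values are drive-letter paths, otherwise that pattern never matches on FDR events and only the `"\\\\*"` UNC pattern gives the rule any coverage from the new data source.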
7 changes: 4 additions & 3 deletions rules/windows/execution_mofcomp.toml
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2023/08/23"
integration = ["endpoint", "m365_defender", "system"]
integration = ["endpoint", "m365_defender", "system", "crowdstrike"]
maturity = "production"
updated_date = "2024/10/10"
updated_date = "2024/10/31"

[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ files to build their own namespaces and classes into the Windows Management Inst
establish persistence using WMI Event Subscription.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "logs-m365_defender.event-*", "endgame-*", "logs-system.security-*"]
index = ["logs-endpoint.events.process-*", "logs-m365_defender.event-*", "endgame-*", "logs-system.security-*", "logs-crowdstrike.fdr*"]
language = "eql"
license = "Elastic License v2"
name = "Mofcomp Activity"
@@ -28,6 +28,7 @@ tags = [
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Elastic Endgame",
"Data Source: System",
"Data Source: Crowdstrike",
]
timestamp_override = "event.ingested"
type = "eql"
6 changes: 4 additions & 2 deletions rules/windows/execution_suspicious_cmd_wmi.toml
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/10/19"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/10/15"
updated_date = "2024/10/31"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -22,6 +22,7 @@ index = [
"logs-system.security*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
@@ -44,6 +45,7 @@ tags = [
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
]
timestamp_override = "event.ingested"
type = "eql"
6 changes: 4 additions & 2 deletions rules/windows/execution_suspicious_pdf_reader.toml
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/03/30"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/10/17"
updated_date = "2024/10/31"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -22,6 +22,7 @@ index = [
"logs-system.security*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
@@ -90,6 +91,7 @@ tags = [
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
]
timestamp_override = "event.ingested"
type = "eql"
6 changes: 4 additions & 2 deletions rules/windows/execution_via_compiled_html_file.toml
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/02/18"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/10/15"
updated_date = "2024/10/31"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -56,6 +56,7 @@ index = [
"logs-system.security*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
@@ -132,6 +133,7 @@ tags = [
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
]
timestamp_override = "event.ingested"
type = "eql"
20 changes: 15 additions & 5 deletions rules/windows/execution_via_mmc_console_file_unusual_path.toml
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2024/06/19"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system"]
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/17"
updated_date = "2024/10/31"

[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies attempts to open a Microsoft Management Console File from untrusted p
MSC files for initial access and execution.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"]
language = "eql"
license = "Elastic License v2"
name = "Microsoft Management Console File from Unusual Path"
@@ -31,14 +31,24 @@ tags = [
"Data Source: SentinelOne",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: System",
"Data Source: Crowdstrike",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
process.executable : "?:\\Windows\\System32\\mmc.exe" and process.args : "*.msc" and
not process.args : ("?:\\Windows\\System32\\*.msc", "?:\\Windows\\SysWOW64\\*.msc", "?:\\Program files\\*.msc", "?:\\Program Files (x86)\\*.msc")
process.executable : (
"?:\\Windows\\System32\\mmc.exe",
"\\Device\\HarddiskVolume?\\Windows\\System32\\mmc.exe"
) and
process.args : "*.msc" and
not process.args : (
"?:\\Windows\\System32\\*.msc",
"?:\\Windows\\SysWOW64\\*.msc",
"?:\\Program files\\*.msc",
"?:\\Program Files (x86)\\*.msc"
)
'''


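Review bot: `mmc.exe` gets a `\\Device\\HarddiskVolume?\\` variant in `process.executable`, but the `not process.args` exclusions stay drive-letter only (`"?:\\Windows\\System32\\*.msc"` and the three after it). If FDR reports `.msc` arguments in device-path form, none of those exclusions apply and every console launched from `System32`, `SysWOW64` or `Program Files` would alert on FDR hosts; if FDR arguments are drive-letter paths, the exclusions work as-is and only the executable variant was needed. Either way, a one-line comment in the rule stating which form FDR uses for `process.args` would record the assumption this change depends on.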