[Rule Tuning] Windows DR Tuning - 7 (#3344)

* [Rule Tuning] Windows Rule Tuning -1 * Update command_and_control_ingress_transfer_bits.toml (cherry picked from commit 2f468dd)
elastic · Dec 18, 2023 · 51c4e5b · 51c4e5b
1 parent 42fdcbe
commit 51c4e5b
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 9 deletions.
diff --git a/rules/windows/collection_mailbox_export_winlog.toml b/rules/windows/collection_mailbox_export_winlog.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/13"
+updated_date = "2023/12/12"
 
 [rule]
 author = ["Elastic"]
@@ -72,7 +72,9 @@ event.category:process and host.os.type:windows and
   powershell.file.script_block_text : "New-MailboxExportRequest" and
   not (
     file.path : (
-      ?\:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*
+      ?\:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\* or
+      ?\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1* or
+      ?\:\\\\Windows\\\\TEMP\\\\tmp_????????.???\\\\tmp_????????.???.ps?1*
     ) and file.name:(*.psd1 or *.psm1)
   )
 '''

diff --git a/rules/windows/command_and_control_ingress_transfer_bits.toml b/rules/windows/command_and_control_ingress_transfer_bits.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/22"
+updated_date = "2023/12/13"
 
 [rule]
 author = ["Elastic"]
@@ -39,6 +39,7 @@ file where host.os.type == "windows" and event.action == "rename" and
   not file.path : (
         "?:\\Users\\*\\AppData\\Local\\Temp*\\wct*.tmp",
         "?:\\Users\\*\\AppData\\Local\\Adobe\\ARM\\*\\RdrServicesUpdater*.exe",
+        "?:\\Users\\*\\AppData\\Local\\Adobe\\ARM\\*\\AcroServicesUpdater2_x64.exe",
         "?:\\Users\\*\\AppData\\Local\\Docker Desktop Installer\\update-*.exe"
   )
 '''

diff --git a/rules/windows/credential_access_lsass_loaded_susp_dll.toml b/rules/windows/credential_access_lsass_loaded_susp_dll.toml
@@ -4,7 +4,7 @@ maturity = "production"
 integration = ["endpoint"]
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2023/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -90,7 +90,10 @@ library where host.os.type == "windows" and process.executable : "?:\\Windows\\S
                 "Audinate Pty Ltd",
                 "CyberArk Software Ltd.",
                 "McAfeeSysPrep",
-                "NVIDIA Corporation PE Sign v2016") and
+                "NVIDIA Corporation PE Sign v2016",
+                "Trend Micro, Inc.",
+                "Fortinet Technologies (Canada) Inc.",
+                "Carbon Black, Inc.") and
        dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*", "errorChaining")) and
 
      not dll.hash.sha256 :

diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2023/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -87,7 +87,8 @@ event.category:process and host.os.type:windows and
     KerberosRequestorSecurityToken
   ) and not user.id : ("S-1-5-18" or "S-1-5-20") and
   not powershell.file.script_block_text : (
-    "sentinelbreakpoints" and ("Set-PSBreakpoint" or "Set-HookFunctionTabs")
+    ("sentinelbreakpoints" and ("Set-PSBreakpoint" or "Set-HookFunctionTabs")) or
+    ("function global" and "\\windows\\sentinel\\4")
   )
 '''
 

diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/12/14"
 
 [rule]
 author = ["Elastic", "Anabella Cristaldi"]
@@ -56,7 +56,8 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:("audit-log-cleared" or "Log clear") and winlog.api:"wineventlog"
+event.action:("audit-log-cleared" or "Log clear") and winlog.api:"wineventlog" and
+  not winlog.provider_name:"AD FS Auditing"
 '''