[Rule Tuning] Windows BBR Tuning - 3 (#3382)

w0rk3r · github-actions[bot] · commit 75ec77c8a728 · 2024-02-14T18:06:35.000Z
* [Rule Tuning] Windows BBR Tuning - 3 * Update defense_evasion_service_disabled_registry.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> (cherry picked from commit 5334601)
diff --git a/rules_building_block/defense_evasion_powershell_clear_logs_script.toml b/rules_building_block/defense_evasion_powershell_clear_logs_script.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/13"
+updated_date = "2024/01/11"
 
 [rule]
 author = ["Elastic"]
@@ -57,6 +57,9 @@ event.category:process and host.os.type:windows and
   ) and
   not file.path : (
     ?\:\\\\*\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Management\\\\*.psd1
+  ) and
+  not powershell.file.script_block_text : (
+    "CmdletsToExport=@(\"Add-Content\""
   )
 '''
 
diff --git a/rules_building_block/defense_evasion_service_disabled_registry.toml b/rules_building_block/defense_evasion_service_disabled_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/29"
+updated_date = "2024/01/11"
 
 [rule]
 author = ["Elastic"]
@@ -44,6 +44,7 @@ registry where host.os.type == "windows" and event.type == "change" and
     (
       process.name : "services.exe" and user.id : "S-1-5-18"
     )
+  and not registry.path : "HKLM\\SYSTEM\\ControlSet001\\Services\\MrxSmb10\\Start"
 '''
 
 
diff --git a/rules_building_block/defense_evasion_services_exe_path.toml b/rules_building_block/defense_evasion_services_exe_path.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/29"
+updated_date = "2024/01/11"
 
 [rule]
 author = ["Elastic"]
@@ -35,8 +35,8 @@ building_block_type = "default"
 type = "eql"
 
 query = '''
-process where event.type == "start" and
-  process.name : "sc.exe" and process.args : "*binPath*"
+process where event.type == "start" and process.name : "sc.exe" and
+  process.args : "*config*" and process.args : "*binPath*"
 '''
 
 
diff --git a/rules_building_block/defense_evasion_unusual_process_extension.toml b/rules_building_block/defense_evasion_unusual_process_extension.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/09"
+updated_date = "2024/01/11"
 
 [rule]
 author = ["Elastic"]
@@ -43,7 +43,11 @@ process where host.os.type == "windows" and event.type == "start" and
     (process.name : "C9632CF058AE4321B6B0B5EA39B710FE" and process.code_signature.subject_name == "Dell Inc") or
     (process.name : "*.upd" and process.code_signature.subject_name == "Bloomberg LP") or
     (process.name: "FD552E21-686E-413C-931D-3B82A9D29F3B" and process.code_signature.subject_name: "Adobe Inc.") or
-    (process.name: "3B91051C-AE82-43C9-BCEF-0309CD2DD9EB" and process.code_signature.subject_name: "McAfee, LLC")
+    (process.name: "3B91051C-AE82-43C9-BCEF-0309CD2DD9EB" and process.code_signature.subject_name: "McAfee, LLC") or
+    (process.name: "soffice.bin" and process.code_signature.subject_name: "The Document Foundation") or
+    (process.name: ("VeeamVixProxy_*", "{????????-????-????-????-????????????}") and process.code_signature.subject_name: "Veeam Software Group GmbH") or
+    (process.name: "1cv8p64.bin" and process.code_signature.subject_name: "LLC 1C-Soft") or
+    (process.name: "AGSRunner.bin" and process.code_signature.subject_name: "Intel Corporation")
   )
 '''
 
diff --git a/rules_building_block/discovery_internet_capabilities.toml b/rules_building_block/discovery_internet_capabilities.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/09/20"
+updated_date = "2024/01/11"
 bypass_bbr_timing = true
 
 [rule]
@@ -36,7 +36,7 @@ type = "new_terms"
 query = '''
 host.os.type:windows and event.category:process and event.type:start and 
 process.name.caseless:("ping.exe" or "tracert.exe" or "pathping.exe") and
-not process.args:("127.0.0.1" or "0.0.0.0" or "localhost" or "1.1.1.1" or "1.2.3.4" or "::1")
+not process.args:("127.0.0.1" or "0.0.0.0" or "localhost" or "::1")
 '''
 
 [[rule.threat]]

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ integration = ["endpoint"]`
`4`	`4`	`maturity = "production"`
`5`	`5`	`min_stack_comments = "New fields added: required_fields, related_integrations, setup"`
`6`	`6`	`min_stack_version = "8.3.0"`
`7`		`-updated_date = "2023/08/29"`
	`7`	`+updated_date = "2024/01/11"`
`8`	`8`
`9`	`9`	`[rule]`
`10`	`10`	`author = ["Elastic"]`
`@@ -44,6 +44,7 @@ registry where host.os.type == "windows" and event.type == "change" and`
`44`	`44`	`(`
`45`	`45`	`process.name : "services.exe" and user.id : "S-1-5-18"`
`46`	`46`	`)`
	`47`	`+ and not registry.path : "HKLM\\SYSTEM\\ControlSet001\\Services\\MrxSmb10\\Start"`
`47`	`48`	`'''`
`48`	`49`
`49`	`50`