[Rule Tuning] - Tuning of 3 Existing Windows Rules

rules/windows/discovery_net_command_system_account.toml

@@ -2,13 +2,12 @@
 creation_date = "2020/03/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/08/12"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the SYSTEM account using the Net utility. The Net utility is a component of the Windows operating system. It
-is used in command line operations for control of users, groups, services, and network connections.
+Identifies the SYSTEM account using an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
@@ -23,7 +22,7 @@ type = "query"
 
 query = '''
 event.category:process and event.type:(start or process_started) and
-  (process.name:net.exe or process.name:net1.exe and not process.parent.name:net.exe) and
+  (process.name:(whoami.exe or net.exe) or process.name:net1.exe and not process.parent.name:net.exe) and
   user.name:SYSTEM
 '''
 
@@ -40,4 +39,3 @@ reference = "https://attack.mitre.org/techniques/T1087/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-

rules/windows/execution_register_server_program_connecting_to_the_internet.toml

@@ -2,12 +2,12 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/08/12"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the native Windows tools regsvr32.exe and regsvr64.exe making a network connection. This may be indicative of
+Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of
 an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.
 """
 false_positives = [
@@ -20,7 +20,7 @@ from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
-name = "Network Connection via Regsvr"
+name = "Network Connection via Registration Utility"
 risk_score = 21
 rule_id = "fb02b8d3-71ee-4af1-bacd-215d23f17efa"
 severity = "low"
@@ -29,7 +29,7 @@ type = "query"
 
 query = '''
 event.category:network and event.type:connection and
-  process.name:(regsvr32.exe or regsvr64.exe) and
+  process.name:(regsvr32.exe or regsvr64.exe or RegAsm.exe or RegSvcs.exe) and
   not destination.ip:(10.0.0.0/8 or 169.254.169.254 or 172.16.0.0/12 or 192.168.0.0/16)
 '''
 
@@ -49,13 +49,12 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1117"
-name = "Regsvr32"
-reference = "https://attack.mitre.org/techniques/T1117/"
+id = "T1218"
+name = "Signed Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
 
 
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-

rules/windows/persistence_priv_escalation_via_accessibility_features.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/08/12"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ tags = ["Elastic", "Windows"]
 type = "query"
 
 query = '''
-event.code:1 and process.parent.name:winlogon.exe and process.name:(atbroker.exe or displayswitch.exe or magnify.exe or narrator.exe or osk.exe or sethc.exe or utilman.exe)
+event.code:1 and process.parent.name:winlogon.exe and not process.name:(atbroker.exe or displayswitch.exe or magnify.exe or narrator.exe or osk.exe or sethc.exe or utilman.exe)
 '''