[Tuning] Add logs-system. index where applicable #3390

sbousseaden · 2024-01-16T15:26:06Z

adding logs-system.* index where applicable. 60 rules identified that are compatible with 4688 (process winlog) :

Adding Hidden File Attribute via Attrib 
AdFind Command Activity
Attempt to Install Kali Linux via WSL
Bypass UAC via Event Viewer 
Clearing Windows Console History
Clearing Windows Event Logs
Code Signing Policy Modification Through Built-in tools
Command Execution via SolarWinds Process
Control Panel Process with Unusual Arguments
Credential Acquisition via Registry Hive Dumping  
Delete Volume USN Journal with Fsutil 
Deleting Backup Catalogs with Wbadmin 
Potential Evasion via Windows Filtering Platform
UAC Bypass Attempt via Windows Directory Masquerading
UAC Bypass via DiskCleanup Scheduled Task Hijack
Unusual Parent-Child Relationship
Unusual Print Spooler Child Process
Suspicious MS Outlook Child Process
Volume Shadow Copy Deletion via PowerShell
Microsoft Exchange Server UM Spawning Suspicious Processes
Volume Shadow Copy Deleted or Resized via VssAdmin
Execution from Unusual Directory - Command Line
Enumeration Command Spawned via WMIPrvSE
Svchost spawning Cmd"
Enumerating Domain Trusts via NLTEST.EXE
Enumerating Domain Trusts via DSQUERY.EXE
Signed Proxy Execution via MS Work Folders
IIS HTTP Logging Disabled
Remote Desktop Enabled in Windows Firewall by Netsh
Disable Windows Event and Security Logs Using Built-in Tools
Wireless Credential Dumping using Netsh Command
Microsoft IIS Service Account Password Dumped
Microsoft IIS Connection Strings Decryption
Remote File Download via Desktopimgdownldr Utility
Remote File Download via MpCmdRun
Potential DNS Tunneling via NsLookup
Web Shell Detection: Script Process Child of Common Web Processes
Execution via MSSQL xp_cmdshell Stored Procedure
Disable Windows Firewall Rules via Netsh
Privilege Escalation via Named Pipe Impersonation
Potential File Transfer via Certreq
Suspicious CertUtil Commands
Microsoft Build Engine Started an Unusual Process
System Shells via Services
Suspicious Cmd Execution via WMI
NTDS or SAM Database File Copied
ImageLoad via Windows Update Auto Update Client
Microsoft Build Engine Started by a Script Process
Unusual Process Execution Path - Alternate Data Stream
Execution via Windows Subsystem for Linux
Suspicious Execution via Windows Subsystem for Linux
Windows Subsystem for Linux Enabled via Dism Utility
Enumeration of Administrator Accounts
Persistence via WMI Event Subscription
Persistence via TelemetryController Scheduled Task Hijack
Potential Application Shimming via Sdbinst

…ibexe.toml

….toml

rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml

rules/windows/execution_command_shell_started_by_svchost.toml

rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update discovery_adfind_command_activity.toml * Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml * Update defense_evasion_clearing_windows_console_history.toml * Update defense_evasion_clearing_windows_event_logs.toml * Update defense_evasion_execution_control_panel_suspicious_args.toml * Update credential_access_dump_registry_hives.toml * Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml * Update impact_deleting_backup_catalogs_with_wbadmin.toml * Update defense_evasion_code_signing_policy_modification_builtin_tools.toml * Update privilege_escalation_uac_bypass_event_viewer.toml * Update privilege_escalation_uac_bypass_mock_windir.toml * Update privilege_escalation_unusual_parentchild_relationship.toml * Update privilege_escalation_unusual_printspooler_childprocess.toml * Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml * Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml * Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml * Update defense_evasion_wsl_kalilinux.toml * Update initial_access_suspicious_ms_outlook_child_process.toml * Update initial_access_suspicious_ms_office_child_process.toml * Update initial_access_suspicious_ms_exchange_worker_child_process.toml * Update initial_access_suspicious_ms_exchange_process.toml * Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml * Update impact_volume_shadow_copy_deletion_via_powershell.toml * Update execution_from_unusual_path_cmdline.toml * Update execution_enumeration_via_wmiprvse.toml * Update execution_command_shell_started_by_svchost.toml * Update discovery_enumerating_domain_trusts_via_nltest.toml * Update discovery_enumerating_domain_trusts_via_dsquery.toml * Update defense_evasion_workfolders_control_execution.toml * Update defense_evasion_iis_httplogging_disabled.toml * Update defense_evasion_enable_inbound_rdp_with_netsh.toml * Update defense_evasion_disabling_windows_logs.toml * Update credential_access_wireless_creds_dumping.toml * Update credential_access_iis_apppoolsa_pwd_appcmd.toml * Update credential_access_iis_connectionstrings_dumping.toml * Update command_and_control_remote_file_copy_desktopimgdownldr.toml * Update command_and_control_remote_file_copy_mpcmdrun.toml * Update command_and_control_dns_tunneling_nslookup.toml * Update persistence_webshell_detection.toml * Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml * Update privilege_escalation_named_pipe_impersonation.toml * Update command_and_control_certreq_postdata.toml * Update defense_evasion_suspicious_certutil_commands.toml * Update defense_evasion_disable_windows_firewall_rules_with_netsh.toml * Update defense_evasion_execution_msbuild_started_unusal_process.toml * Update persistence_system_shells_via_services.toml * Update execution_suspicious_cmd_wmi.toml * Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml * Update impact_deleting_backup_catalogs_with_wbadmin.toml * Update credential_access_dump_registry_hives.toml * Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml * Update defense_evasion_clearing_windows_console_history.toml * Update defense_evasion_clearing_windows_event_logs.toml * Update defense_evasion_code_signing_policy_modification_builtin_tools.toml * Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml * Update defense_evasion_execution_control_panel_suspicious_args.toml * Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml * Update defense_evasion_wsl_kalilinux.toml * Update discovery_adfind_command_activity.toml * Update initial_access_suspicious_ms_outlook_child_process.toml * Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml * Update privilege_escalation_uac_bypass_event_viewer.toml * Update privilege_escalation_uac_bypass_mock_windir.toml * Update privilege_escalation_unusual_parentchild_relationship.toml * Update privilege_escalation_unusual_printspooler_childprocess.toml * Update defense_evasion_defender_exclusion_via_powershell.toml * Update defense_evasion_execution_lolbas_wuauclt.toml * Update defense_evasion_execution_msbuild_started_by_script.toml * Update defense_evasion_unusual_dir_ads.toml * Update defense_evasion_wsl_child_process.toml * Update defense_evasion_wsl_bash_exec.toml * Update defense_evasion_wsl_enabled_via_dism.toml * Update discovery_admin_recon.toml * Update initial_access_suspicious_ms_exchange_worker_child_process.toml * Update lateral_movement_alternate_creds_pth.toml * Update persistence_via_windows_management_instrumentation_event_subscription.toml * Update persistence_via_telemetrycontroller_scheduledtask_hijack.toml * Update persistence_via_application_shimming.toml * Update defense_evasion_execution_msbuild_started_by_script.toml * Update defense_evasion_execution_msbuild_started_by_script.toml * Update defense_evasion_execution_lolbas_wuauclt.toml * Update defense_evasion_execution_msbuild_started_unusal_process.toml * Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml * Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml * Update defense_evasion_clearing_windows_console_history.toml * Update discovery_adfind_command_activity.toml * Update defense_evasion_execution_msbuild_started_unusal_process.toml * Update execution_command_shell_started_by_svchost.toml * Update initial_access_suspicious_ms_exchange_worker_child_process.toml * Update execution_command_shell_started_by_svchost.toml * Update execution_command_shell_started_by_svchost.toml * Update execution_command_shell_started_by_svchost.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Removed changes from: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml - rules/windows/execution_command_shell_started_by_svchost.toml - rules/windows/lateral_movement_alternate_creds_pth.toml (selectively cherry picked from commit 27262a5)

* Update discovery_adfind_command_activity.toml * Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml * Update defense_evasion_clearing_windows_console_history.toml * Update defense_evasion_clearing_windows_event_logs.toml * Update defense_evasion_execution_control_panel_suspicious_args.toml * Update credential_access_dump_registry_hives.toml * Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml * Update impact_deleting_backup_catalogs_with_wbadmin.toml * Update defense_evasion_code_signing_policy_modification_builtin_tools.toml * Update privilege_escalation_uac_bypass_event_viewer.toml * Update privilege_escalation_uac_bypass_mock_windir.toml * Update privilege_escalation_unusual_parentchild_relationship.toml * Update privilege_escalation_unusual_printspooler_childprocess.toml * Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml * Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml * Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml * Update defense_evasion_wsl_kalilinux.toml * Update initial_access_suspicious_ms_outlook_child_process.toml * Update initial_access_suspicious_ms_office_child_process.toml * Update initial_access_suspicious_ms_exchange_worker_child_process.toml * Update initial_access_suspicious_ms_exchange_process.toml * Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml * Update impact_volume_shadow_copy_deletion_via_powershell.toml * Update execution_from_unusual_path_cmdline.toml * Update execution_enumeration_via_wmiprvse.toml * Update execution_command_shell_started_by_svchost.toml * Update discovery_enumerating_domain_trusts_via_nltest.toml * Update discovery_enumerating_domain_trusts_via_dsquery.toml * Update defense_evasion_workfolders_control_execution.toml * Update defense_evasion_iis_httplogging_disabled.toml * Update defense_evasion_enable_inbound_rdp_with_netsh.toml * Update defense_evasion_disabling_windows_logs.toml * Update credential_access_wireless_creds_dumping.toml * Update credential_access_iis_apppoolsa_pwd_appcmd.toml * Update credential_access_iis_connectionstrings_dumping.toml * Update command_and_control_remote_file_copy_desktopimgdownldr.toml * Update command_and_control_remote_file_copy_mpcmdrun.toml * Update command_and_control_dns_tunneling_nslookup.toml * Update persistence_webshell_detection.toml * Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml * Update privilege_escalation_named_pipe_impersonation.toml * Update command_and_control_certreq_postdata.toml * Update defense_evasion_suspicious_certutil_commands.toml * Update defense_evasion_disable_windows_firewall_rules_with_netsh.toml * Update defense_evasion_execution_msbuild_started_unusal_process.toml * Update persistence_system_shells_via_services.toml * Update execution_suspicious_cmd_wmi.toml * Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml * Update impact_deleting_backup_catalogs_with_wbadmin.toml * Update credential_access_dump_registry_hives.toml * Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml * Update defense_evasion_clearing_windows_console_history.toml * Update defense_evasion_clearing_windows_event_logs.toml * Update defense_evasion_code_signing_policy_modification_builtin_tools.toml * Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml * Update defense_evasion_execution_control_panel_suspicious_args.toml * Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml * Update defense_evasion_wsl_kalilinux.toml * Update discovery_adfind_command_activity.toml * Update initial_access_suspicious_ms_outlook_child_process.toml * Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml * Update privilege_escalation_uac_bypass_event_viewer.toml * Update privilege_escalation_uac_bypass_mock_windir.toml * Update privilege_escalation_unusual_parentchild_relationship.toml * Update privilege_escalation_unusual_printspooler_childprocess.toml * Update defense_evasion_defender_exclusion_via_powershell.toml * Update defense_evasion_execution_lolbas_wuauclt.toml * Update defense_evasion_execution_msbuild_started_by_script.toml * Update defense_evasion_unusual_dir_ads.toml * Update defense_evasion_wsl_child_process.toml * Update defense_evasion_wsl_bash_exec.toml * Update defense_evasion_wsl_enabled_via_dism.toml * Update discovery_admin_recon.toml * Update initial_access_suspicious_ms_exchange_worker_child_process.toml * Update lateral_movement_alternate_creds_pth.toml * Update persistence_via_windows_management_instrumentation_event_subscription.toml * Update persistence_via_telemetrycontroller_scheduledtask_hijack.toml * Update persistence_via_application_shimming.toml * Update defense_evasion_execution_msbuild_started_by_script.toml * Update defense_evasion_execution_msbuild_started_by_script.toml * Update defense_evasion_execution_lolbas_wuauclt.toml * Update defense_evasion_execution_msbuild_started_unusal_process.toml * Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml * Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml * Update defense_evasion_clearing_windows_console_history.toml * Update discovery_adfind_command_activity.toml * Update defense_evasion_execution_msbuild_started_unusal_process.toml * Update execution_command_shell_started_by_svchost.toml * Update initial_access_suspicious_ms_exchange_worker_child_process.toml * Update execution_command_shell_started_by_svchost.toml * Update execution_command_shell_started_by_svchost.toml * Update execution_command_shell_started_by_svchost.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Removed changes from: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml - rules/windows/execution_command_shell_started_by_svchost.toml (selectively cherry picked from commit 27262a5)

mbudge · 2024-01-17T13:52:30Z

process.name.caseless is a Fleet mapping issue, can you add it?

If process.pe.original_file_name is causing a problem can you remove the field from the rule or add related.process_name ?

* Update discovery_adfind_command_activity.toml * Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml * Update defense_evasion_clearing_windows_console_history.toml * Update defense_evasion_clearing_windows_event_logs.toml * Update defense_evasion_execution_control_panel_suspicious_args.toml * Update credential_access_dump_registry_hives.toml * Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml * Update impact_deleting_backup_catalogs_with_wbadmin.toml * Update defense_evasion_code_signing_policy_modification_builtin_tools.toml * Update privilege_escalation_uac_bypass_event_viewer.toml * Update privilege_escalation_uac_bypass_mock_windir.toml * Update privilege_escalation_unusual_parentchild_relationship.toml * Update privilege_escalation_unusual_printspooler_childprocess.toml * Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml * Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml * Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml * Update defense_evasion_wsl_kalilinux.toml * Update initial_access_suspicious_ms_outlook_child_process.toml * Update initial_access_suspicious_ms_office_child_process.toml * Update initial_access_suspicious_ms_exchange_worker_child_process.toml * Update initial_access_suspicious_ms_exchange_process.toml * Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml * Update impact_volume_shadow_copy_deletion_via_powershell.toml * Update execution_from_unusual_path_cmdline.toml * Update execution_enumeration_via_wmiprvse.toml * Update execution_command_shell_started_by_svchost.toml * Update discovery_enumerating_domain_trusts_via_nltest.toml * Update discovery_enumerating_domain_trusts_via_dsquery.toml * Update defense_evasion_workfolders_control_execution.toml * Update defense_evasion_iis_httplogging_disabled.toml * Update defense_evasion_enable_inbound_rdp_with_netsh.toml * Update defense_evasion_disabling_windows_logs.toml * Update credential_access_wireless_creds_dumping.toml * Update credential_access_iis_apppoolsa_pwd_appcmd.toml * Update credential_access_iis_connectionstrings_dumping.toml * Update command_and_control_remote_file_copy_desktopimgdownldr.toml * Update command_and_control_remote_file_copy_mpcmdrun.toml * Update command_and_control_dns_tunneling_nslookup.toml * Update persistence_webshell_detection.toml * Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml * Update privilege_escalation_named_pipe_impersonation.toml * Update command_and_control_certreq_postdata.toml * Update defense_evasion_suspicious_certutil_commands.toml * Update defense_evasion_disable_windows_firewall_rules_with_netsh.toml * Update defense_evasion_execution_msbuild_started_unusal_process.toml * Update persistence_system_shells_via_services.toml * Update execution_suspicious_cmd_wmi.toml * Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml * Update impact_deleting_backup_catalogs_with_wbadmin.toml * Update credential_access_dump_registry_hives.toml * Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml * Update defense_evasion_clearing_windows_console_history.toml * Update defense_evasion_clearing_windows_event_logs.toml * Update defense_evasion_code_signing_policy_modification_builtin_tools.toml * Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml * Update defense_evasion_execution_control_panel_suspicious_args.toml * Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml * Update defense_evasion_wsl_kalilinux.toml * Update discovery_adfind_command_activity.toml * Update initial_access_suspicious_ms_outlook_child_process.toml * Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml * Update privilege_escalation_uac_bypass_event_viewer.toml * Update privilege_escalation_uac_bypass_mock_windir.toml * Update privilege_escalation_unusual_parentchild_relationship.toml * Update privilege_escalation_unusual_printspooler_childprocess.toml * Update defense_evasion_defender_exclusion_via_powershell.toml * Update defense_evasion_execution_lolbas_wuauclt.toml * Update defense_evasion_execution_msbuild_started_by_script.toml * Update defense_evasion_unusual_dir_ads.toml * Update defense_evasion_wsl_child_process.toml * Update defense_evasion_wsl_bash_exec.toml * Update defense_evasion_wsl_enabled_via_dism.toml * Update discovery_admin_recon.toml * Update initial_access_suspicious_ms_exchange_worker_child_process.toml * Update lateral_movement_alternate_creds_pth.toml * Update persistence_via_windows_management_instrumentation_event_subscription.toml * Update persistence_via_telemetrycontroller_scheduledtask_hijack.toml * Update persistence_via_application_shimming.toml * Update defense_evasion_execution_msbuild_started_by_script.toml * Update defense_evasion_execution_msbuild_started_by_script.toml * Update defense_evasion_execution_lolbas_wuauclt.toml * Update defense_evasion_execution_msbuild_started_unusal_process.toml * Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml * Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml * Update defense_evasion_clearing_windows_console_history.toml * Update discovery_adfind_command_activity.toml * Update defense_evasion_execution_msbuild_started_unusal_process.toml * Update execution_command_shell_started_by_svchost.toml * Update initial_access_suspicious_ms_exchange_worker_child_process.toml * Update execution_command_shell_started_by_svchost.toml * Update execution_command_shell_started_by_svchost.toml * Update execution_command_shell_started_by_svchost.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> (cherry picked from commit 27262a5)

Samirbous · 2024-01-17T16:22:28Z

If process.pe.original_file_name is causing a problem can you remove the field from the rule or add related.process_name ?

@mbudge
for process.pe.original_file_name, if the rule logic use it in an OR condition (e.g. process.name:notepad.exe or process.pe.original_file_name:notepad.exe) we can skip validation for ?process.pe.original_file_name missing in logs-system by placing ? after the field name (many rules in the current PR were adjusted this way). but when the rule logic use this field as the main trigger (e.g. rename cmd.exe as notepad.exe can be detected by looking at process.pe.original_file_name:cmd.exe and not process.name:cmd.exe). This is an 4688 event limitation.

mbudge · 2024-01-29T12:22:43Z

Just an FYI seems to be 2 index patterns used for elastic-agent winlogbeat, logs-system.* and logs-system.security*

For example look at LSASS Memory Dump Handle Access, the index pattern is logs-system.* but the rule is for the security event log.

The 60 pre built rules released last week added this index pattern logs-system.security* but it probably should have been logs-system.* to use the same index pattern convention.

Here's some of the elastic rules with logs-system.security*

Samirbous · 2024-01-30T11:48:41Z

lThe 60 pre built rules released last week added this index pattern logs-system.security* but it probably should have been logs-system.* to use the same index pattern convention.

@mbudge yes we are aware of this, when a rule is expected to use logs-system.security* better be explicit with the index to improve overall performance and reduce lookups on other sub indexes of the logs-system.* index (a.k.a the more specific the better for performance).

We will need to duplicate this effort to other rules (like the Lsass 4656 one you showed in the example to be specific too).

mbudge · 2024-02-01T16:54:01Z

Hi,

I've spent all afternoon reviewing the elastic rules for OS: Windows

It would be a lot easier if the rule management page filtering was improved so we can include/exclude tags, index patterns, integrations and required fields.

logs-system.security*

The following security rules have the data to work with logs-system.security*
All of them will work with winlogbeat-, logs-windows. and logs-system.security*
I've tried to check the event.action values where they exist.

Accessing Outlook Data Files
At.exe Command Lateral Movement
Attempted Private Key Access
Binary Content Copy via Cmd.exe
Command Shell Activity Started via RunDLL32
Disabling Windows Defender Security Settings via PowerShell
Enable Host Network Discovery via Netsh
Encrypting Files with WinRar or 7z
Execution of COM object via Xwizard : Add process.name"xwizard.exe or ?process.pe.original_file_name:xwizard.exe
Execution of Persistent Suspicious Program: Use process.name instead of process.pe.original_file_name
Execution via TSClient Mountpoint
Exporting Exchange Mailbox via PowerShell
Group Policy Discovery via Microsoft GPResult Utility
High Number of Process and/or Service Terminations
Microsoft Build Engine Started by a Script Process
Microsoft Build Engine Started by a System Process
Microsoft Build Engine Started by an Office Application
Microsoft Exchange Worker Spawning Suspicious Processes
Modification of Boot Configuration
New ActiveSyncAllowedDeviceID Added via PowerShell
Peripheral Device Discovery
Persistence via BITS Job Notify Cmdline
Persistence via Update Orchestrator Service Hijack
Potential Cookies Theft via Browser Debugging
Potential Evasion via Filter Manager
Potential Local NTLM Relay via HTTP
Potential Modification of Accessibility Binaries. <- Contains comment about winlogbeat
Potential Remote Desktop Tunneling Detected
Process Activity via Compiled HTML File
Process Discovery Using Built-in Tools
Process Execution from an Unusual Directory
Program Files Directory Masquerading
Remote File Copy to a Hidden Share
Remote System Discovery Commands
Searching for Saved Credentials via VaultCmd
Security Software Discovery using WMIC
Suspicious .NET Code Compilation
Suspicious Endpoint Security Parent Process
Suspicious Execution from a Mounted Device
Suspicious Execution via Microsoft Office Add-Ins
Suspicious Execution via Scheduled Task
Suspicious Explorer Child Process
Suspicious PDF Reader Child Process
Suspicious WerFault Child Process
Suspicious Zoom Child Process
Symbolic Link to Shadow Copy Created
System Information Discovery via Windows Command Shell
System Service Discovery through built-in Windows Utilities
System Time Discovery
UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer
UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface
UAC Bypass via Windows Firewall Snap-In Hijack
Unusual Child Process from a System Virtual Process
Unusual Child Process of dns.exe
Unusual Parent Process for cmd.exe
Unusual Service Host Child Process - Childless Service
User Account Creation
Volume Shadow Copy Deletion via WMIC
Windows Firewall Disabled via PowerShell
Windows Network Enumeration
Windows Script Executing PowerShell
Windows System Information Discovery

Missing logs-system.security and logs-windows. and winlogbeat-***

These rules have logs-endpoint.events.* but will work with winlogbeat-, logs-windows. and logs-system.security*

Discovery of Internet Capabilities via Built-in Tools
Elastic Agent Service Terminated
Execution via Microsoft DotNet ClickOnce Host
File and Directory Permissions Modification
File or Directory Deletion Command
Indirect Command Execution via Forfiles/Pcalua
InstallUtil Activity
Mofcomp Activity
Mounting Hidden or WebDav Remote Shares
Potential Defense Evasion via CMSTP.exe
Potential Exploitation of an Unquoted Service Path Vulnerability
Service Path Modification via sc.exe
Suspicious Execution via MSIEXEC
Suspicious Troubleshooting Pack Cabinet Execution
Unusual Process Execution on WBEM Path
Windows Account or Group Discovery
Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)
Windows System Network Connections Discovery
WMI WBEMTEST Utility Execution
WMIC Remote Command

logs-system.*

This rule might work with logs-system.* as the Windows System event channel was moved to the Elastic System integration.

Account Discovery Command via SYSTEM Account

Add ? to make fields like process.pe.original_file_name optional

I've highlighted rules which will work with logs-system.* or logs-system.security* if you add ? to the query here.
I'm not sure how ? works in EQL security rules.

Encrypting Files with WinRar or 7z
Execution of COM object via Xwizard : process.name"xwizard.exe or ?process.pe.original_file_name:xwizard.exe
Group Policy Discovery via Microsoft GPResult Utility
Microsoft Build Engine Started by a Script Process
Modification of Boot Configuration
Mounting Hidden or WebDav Remote Shares
Peripheral Device Discovery
Potential Credential Access via Windows Utilities
Searching for Saved Credentials via VaultCmd
Security Software Discovery using WMIC
Suspicious Execution via Scheduled Task
Suspicious Troubleshooting Pack Cabinet Execution
Symbolic Link to Shadow Copy Created
System Service Discovery through built-in Windows Utilities
Volume Shadow Copy Deletion via WMIC
Windows Account or Group Discovery
Windows Firewall Disabled via PowerShell
Windows Network Enumeration
Windows System Network Connections Discovery

Missing sysmon tag

Adding the Sysmon or powershell tag will make it easier to exclude rules during each review.

Command Prompt Network Connection
Connection to Commonly Abused Free SSL Certificate Providers
Creation or Modification of a new GPO Scheduled Task or Service
DNS-over-HTTPS Enabled via Registry
First Time Seen Commonly Abused Remote Access Tool Execution
Incoming DCOM Lateral Movement with MMC
Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows
Incoming Execution via PowerShell Remoting
Incoming Execution via WinRM Remote Shell
InstallUtil Process Making Network Connections
Kerberos Traffic from Unusual Process
Mshta Making Network Connections

Need process.name.caseless adding to mappings

Discovery of Internet Capabilities via Built-in Tools
Microsoft Build Engine Started by a Script Process
Query Registry using Built-in Tools

Rule will work with crowdstrike FDR intergration

Unusual Process Network Connection

Please can you add the missing index patterns as we're about to replace Beats with Elastic-Agent? A good chunk of the security rules will stop working when this happens.

Thanks

w0rk3r · 2024-02-05T15:35:21Z

@mbudge, the work around this will be tracked here: #3422

Update discovery_adfind_command_activity.toml

5dd32a3

botelastic bot added Domain: Endpoint OS: Windows windows related rules labels Jan 16, 2024

github-actions bot added backport: auto community labels Jan 16, 2024

sbousseaden added 18 commits January 16, 2024 15:29

Update defense_evasion_adding_the_hidden_file_attribute_with_via_attr…

92b8394

…ibexe.toml

Update defense_evasion_clearing_windows_console_history.toml

8eb476a

Update defense_evasion_clearing_windows_event_logs.toml

347464b

Update defense_evasion_execution_control_panel_suspicious_args.toml

dc62098

Update credential_access_dump_registry_hives.toml

907047a

Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

c5484d1

Update impact_deleting_backup_catalogs_with_wbadmin.toml

e791058

Update defense_evasion_code_signing_policy_modification_builtin_tools…

0d5f91c

….toml

Update privilege_escalation_uac_bypass_event_viewer.toml

410fe57

Update privilege_escalation_uac_bypass_mock_windir.toml

10f3897

Update privilege_escalation_unusual_parentchild_relationship.toml

1610a0d

Update privilege_escalation_unusual_printspooler_childprocess.toml

396e174

Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml

278a5fb

Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml

b64e2d6

Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml

e051764

Update defense_evasion_wsl_kalilinux.toml

b38c08d

Update initial_access_suspicious_ms_outlook_child_process.toml

6adc5f6

Update initial_access_suspicious_ms_office_child_process.toml

379ac14

terrancedejesus self-requested a review January 16, 2024 16:51

sbousseaden added 3 commits January 16, 2024 16:52

Update initial_access_suspicious_ms_exchange_worker_child_process.toml

64fcd35

Update initial_access_suspicious_ms_exchange_process.toml

2e97347

Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml

b1b372d

Mikaayenson assigned sbousseaden Jan 16, 2024

sbousseaden added 2 commits January 16, 2024 17:04

Update impact_volume_shadow_copy_deletion_via_powershell.toml

1b1455d

Update execution_from_unusual_path_cmdline.toml

555cd69

Update defense_evasion_execution_msbuild_started_unusal_process.toml

5cec9d5

w0rk3r reviewed Jan 17, 2024

View reviewed changes

rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml Show resolved Hide resolved

Samirbous added 3 commits January 17, 2024 12:57

Update execution_command_shell_started_by_svchost.toml

580a9d5

Update initial_access_suspicious_ms_exchange_worker_child_process.toml

f1561dc

Merge branch 'main' into patch-2

566a024

w0rk3r reviewed Jan 17, 2024

View reviewed changes

rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml Show resolved Hide resolved

Samirbous added 3 commits January 17, 2024 13:03

Update execution_command_shell_started_by_svchost.toml

1ad520d

Update execution_command_shell_started_by_svchost.toml

5d58faa

Update execution_command_shell_started_by_svchost.toml

70e2d0b

w0rk3r reviewed Jan 17, 2024

View reviewed changes

rules/windows/execution_command_shell_started_by_svchost.toml Outdated Show resolved Hide resolved

rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml Show resolved Hide resolved

w0rk3r approved these changes Jan 17, 2024

View reviewed changes

Samirbous merged commit 27262a5 into elastic:main Jan 17, 2024
13 checks passed

mbudge mentioned this pull request Jan 17, 2024

Add process.name.caseless to logs-system.* mapping elastic/integrations#8913

Open

terrancedejesus mentioned this pull request Feb 1, 2024

[Rule Tuning] Compatible Windows Rule Index Updates with Winlog, Defend and System #3422

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Tuning] Add logs-system. index where applicable #3390

[Tuning] Add logs-system. index where applicable #3390

sbousseaden commented Jan 16, 2024 •

edited

mbudge commented Jan 17, 2024

Samirbous commented Jan 17, 2024

mbudge commented Jan 29, 2024 •

edited

Samirbous commented Jan 30, 2024

mbudge commented Feb 1, 2024

w0rk3r commented Feb 5, 2024

[Tuning] Add logs-system. index where applicable #3390

[Tuning] Add logs-system. index where applicable #3390

Conversation

sbousseaden commented Jan 16, 2024 • edited

mbudge commented Jan 17, 2024

Samirbous commented Jan 17, 2024

mbudge commented Jan 29, 2024 • edited

Samirbous commented Jan 30, 2024

mbudge commented Feb 1, 2024

w0rk3r commented Feb 5, 2024

sbousseaden commented Jan 16, 2024 •

edited

mbudge commented Jan 29, 2024 •

edited