[Rule Tuning] Improve Compatibility in Windows Detection Rules - Part 1 #3501
Conversation
:partywizard:
```eql
process.args : "Set-MpPreference" and process.args : ("-Disable*", "Disabled", "NeverSend", "-Exclusion*")
(
process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")
```
I barely ever see `in` used in Windows, due to case insensitivity. Of course, `pe.original_file_name` should always be the original file name, and if it's lowercase, `in` should be fine. Just pointing it out, that it might be a `:` candidate.

While continuing the review I noticed this in many rules, and I think it makes sense to use `in` and `==`. So will leave it here as consideration, but LGTM!
Great work 🚀 I reviewed all of the changes, taking into consideration your notes from the original comment. My only questions are:
These seem like rather small questions and should not be a blocker, therefore I am approving.
The ones for which I've specified the Sysmon index are non-process-creation detections, which should only work with Sysmon data sources.
Yup, I tested a small subset of them, but not all of them. It seemed enough to test whether there were interferences in the results.
… 1 (#3501)

* Initial commit
* Date bump

Removed changes from:
- rules/windows/credential_access_lsass_handle_via_malseclogon.toml
- rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
- rules/windows/credential_access_suspicious_lsass_access_generic.toml
- rules/windows/credential_access_suspicious_lsass_access_memdump.toml
- rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
- rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
- rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
- rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
- rules/windows/persistence_sysmon_wmi_event_subscription.toml

(selectively cherry picked from commit f5254f3)

… 1 (#3501)

* Initial commit
* Date bump

Removed changes from:
- rules/windows/credential_access_lsass_handle_via_malseclogon.toml
- rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
- rules/windows/credential_access_suspicious_lsass_access_generic.toml
- rules/windows/credential_access_suspicious_lsass_access_memdump.toml
- rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
- rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
- rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
- rules/windows/persistence_sysmon_wmi_event_subscription.toml

(selectively cherry picked from commit f5254f3)
Issues

Resolves #3422

Summary

Implemented a lot of different changes in this PR, but some of them are:

- `logs-windows.powershell*`
- Changed the `Sysmon-Only` tag to `Data Source: Sysmon`
- Used `logs-windows.sysmon_operational-*` instead of `logs-windows.*`

This PR intentionally doesn't cover BBRs to include new data sources, as those rules need to be reviewed more closely to not cause performance problems.
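The two conventions discussed on this page, the Sysmon tag and index pairing from the Summary and the reviewer's point that EQL `in` compares strings case-sensitively while `:` (and `in~`) do not, can be enforced with a small rule linter. The script below is an added example written for this page; it is not code from the PR or from the elastic/detection-rules repository. It assumes the repository's TOML layout (a `[rule]` table carrying `index`, `tags` and `query`), uses constructed sample rules rather than real rule files, and relies on Python 3.11's `tomllib` only when parsing TOML text; the check itself works on already-parsed dictionaries.

```python
"""Added example, not part of the elastic/detection-rules PR or repository.

Lints detection-rule TOML for two conventions discussed in PR #3501:
  1. Sysmon-only rules should carry the `Data Source: Sysmon` tag (not the
     legacy `Sysmon-Only` tag) and read from `logs-windows.sysmon_operational-*`
     rather than the broad `logs-windows.*` pattern.
  2. EQL `in` is case-sensitive; a `<field> in ("a.exe", "b.exe")` list made
     only of lowercase literals is a candidate for `:` or `in~`.
The [rule] table layout is assumed from the repository; sample rules below
are constructed for this example.
"""
import re
import sys

try:
    import tomllib  # Python 3.11+; only needed to parse TOML text
except ModuleNotFoundError:  # pragma: no cover
    tomllib = None

LEGACY_TAG = "Sysmon-Only"
SYSMON_TAG = "Data Source: Sysmon"
SYSMON_INDEX = "logs-windows.sysmon_operational-*"
BROAD_INDEX = "logs-windows.*"

# Matches `field in ( ... )`; the optional-field prefix `?` is allowed.
# `in~` is deliberately not matched because `~` follows `in` directly.
IN_LIST_RE = re.compile(r"(?P<field>\??[\w.]+)\s+in\s*\((?P<items>[^)]*)\)")


def check_rule(rule: dict) -> list[str]:
    """Return human-readable findings for one parsed [rule] table."""
    findings = []
    tags = rule.get("tags", [])
    index = rule.get("index", [])
    query = rule.get("query", "")

    if LEGACY_TAG in tags:
        findings.append(f"tag {LEGACY_TAG!r} should be {SYSMON_TAG!r}")

    if SYSMON_TAG in tags or LEGACY_TAG in tags:
        if BROAD_INDEX in index:
            findings.append(
                f"Sysmon-only rule uses {BROAD_INDEX!r}; use {SYSMON_INDEX!r}")
        if SYSMON_INDEX not in index:
            findings.append(f"Sysmon-only rule is missing index {SYSMON_INDEX!r}")

    for m in IN_LIST_RE.finditer(query):
        items = re.findall(r'"([^"]*)"', m.group("items"))
        if items and all(s == s.lower() for s in items):
            findings.append(
                f"{m.group('field')} uses case-sensitive `in` with lowercase "
                f"literals {items}; consider `:` or `in~` if source casing "
                f"is not guaranteed")
    return findings


def load_rule(toml_text: str) -> dict:
    """Parse a rule file's text and return its [rule] table."""
    if tomllib is None:
        raise RuntimeError("parsing TOML text needs Python 3.11+ (tomllib)")
    return tomllib.loads(toml_text)["rule"]


# Constructed sample rules (not real repository files).
SAMPLE_RULES = {
    "good.toml": '''
[rule]
name = "Constructed Sysmon-only rule (good)"
index = ["logs-windows.sysmon_operational-*"]
tags = ["Domain: Endpoint", "Data Source: Sysmon"]
query = """
process where event.type == "start" and process.name : "powershell.exe"
"""
''',
    "legacy.toml": '''
[rule]
name = "Constructed Sysmon-only rule (legacy)"
index = ["logs-windows.*"]
tags = ["Domain: Endpoint", "Sysmon-Only"]
query = """
process where event.type == "start" and
  ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")
"""
''',
}


def main(argv: list[str]) -> int:
    """Lint the given rule files, or the constructed samples if none given."""
    sources = {p: open(p, encoding="utf-8").read() for p in argv[1:]} or SAMPLE_RULES
    exit_code = 0
    for name, text in sources.items():
        for finding in check_rule(load_rule(text)):
            print(f"{name}: {finding}")
            exit_code = 1
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to lint the constructed samples, or pass rule paths such as `rules/windows/*.toml`. The `in` check is intentionally conservative: a list containing any mixed-case literal is left alone, since the author evidently relied on exact casing there.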