[Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part 1 #3501

w0rk3r · 2024-03-08T20:04:20Z

Issues

Resolves #3422

Summary

Implemented a lot of different changes in this PR, but some of them are:

Adds compatibility to system integration where possible
Adjusted the index for PowerShell rules to logs-windows.powershell*
Adjusted Sysmon-Only tag to Data Source: Sysmon
Adjusted Sysmon rules to use logs-windows.sysmon_operational-* instead of logs-windows.*
Adjusted rules that are compatible with sysmon to use optional fields in the Elastic Defend-specific fields so the rules run successfully
Drop Sysmon compatibility in rules that use unsupported fields in the core logic
Adjust registry rules to be compatible with sysmon
Adjusted Tags unit tests
And more...

This PR intentionally doesn't cover BBRs to include new data sources, as those rules need to be reviewed more closely to not cause performance problems.

Aegrah

:partywizard:

Aegrah · 2024-03-11T08:48:41Z

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml

- process.args : "Set-MpPreference" and process.args : ("-Disable*", "Disabled", "NeverSend", "-Exclusion*")
+  (
+    process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
+    ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")


I barely ever see in used in Windows, due to case insensitivity. Of course, pe.original_file_name should always be the original file name, and if it's lowercase, in should be fine. Just pointing it out, that it might be a : candidate.

While continuing the review I noticed this in many rules, and I think it makes sense to use in and ==. So will leave it here as consideration, but LGTM!

terrancedejesus · 2024-03-12T22:37:07Z

Great work 🚀

I reviewed all of the changes, taking into consideration your notes from the original comment. My only questions are:

we are not loosing any potential detections for logs coming from logs-windows.forwarded* because we scoped in on sysmon_operational?
have we tested the the rules for any query adjustments that we made to ensure they are still on target for capturing the intended threat?

These seem like rather small questions and should not be a blocker, therefore I am approving.

w0rk3r · 2024-03-13T12:57:29Z

we are not loosing any potential detections for logs coming from logs-windows.forwarded* because we scoped in on sysmon_operational?

The ones I've specified the sysmon index are non-process creation detections, which should only work with Sysmon data sources.

have we tested the the rules for any query adjustments that we made to ensure they are still on target for capturing the intended threat?

Yup, I tested a small subset of them, but not them all. It seemed enough to test if there were interferences in the results.

… 1 (#3501) * Initial commit * Date bump Removed changes from: - rules/windows/credential_access_lsass_handle_via_malseclogon.toml - rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml - rules/windows/credential_access_suspicious_lsass_access_generic.toml - rules/windows/credential_access_suspicious_lsass_access_memdump.toml - rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml - rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml - rules/windows/initial_access_exfiltration_first_time_seen_usb.toml - rules/windows/persistence_sysmon_wmi_event_subscription.toml (selectively cherry picked from commit f5254f3)

… 1 (#3501) * Initial commit * Date bump Removed changes from: - rules/windows/credential_access_lsass_handle_via_malseclogon.toml - rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml - rules/windows/credential_access_suspicious_lsass_access_generic.toml - rules/windows/credential_access_suspicious_lsass_access_memdump.toml - rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml - rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml - rules/windows/persistence_sysmon_wmi_event_subscription.toml (selectively cherry picked from commit f5254f3)

… 1 (#3501) * Initial commit * Date bump (cherry picked from commit f5254f3)

w0rk3r added 2 commits February 24, 2024 11:54

Initial commit

cac386f

Date bump

0699d7b

w0rk3r added Rule: Tuning tweaking or tuning an existing rule OS: Windows windows related rules Domain: Endpoint backport: auto labels Mar 8, 2024

w0rk3r self-assigned this Mar 8, 2024

w0rk3r requested review from brokensound77, Mikaayenson and terrancedejesus as code owners March 8, 2024 20:04

botelastic bot added the bbr Building Block Rules label Mar 8, 2024

w0rk3r requested review from DefSecSentinel, Samirbous and Aegrah March 8, 2024 20:05

Merge branch 'main' into compat_review

99614d9

w0rk3r mentioned this pull request Mar 8, 2024

[Rule Tuning] Compatible Windows Rule Index Updates with Winlog, Defend and System #3422

Closed

Aegrah approved these changes Mar 11, 2024

View reviewed changes

terrancedejesus approved these changes Mar 12, 2024

View reviewed changes

Merge branch 'main' into compat_review

91287c9

w0rk3r merged commit f5254f3 into main Mar 13, 2024
14 checks passed

w0rk3r deleted the compat_review branch March 13, 2024 13:27

protectionsmachine pushed a commit that referenced this pull request Mar 13, 2024

[Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part…

3708a38

… 1 (#3501) * Initial commit * Date bump (cherry picked from commit f5254f3)

protectionsmachine pushed a commit that referenced this pull request Mar 13, 2024

[Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part…

250e035

… 1 (#3501) * Initial commit * Date bump (cherry picked from commit f5254f3)

protectionsmachine pushed a commit that referenced this pull request Mar 13, 2024

[Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part…

b43003c

… 1 (#3501) * Initial commit * Date bump (cherry picked from commit f5254f3)

protectionsmachine pushed a commit that referenced this pull request Mar 13, 2024

[Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part…

22ed934

… 1 (#3501) * Initial commit * Date bump (cherry picked from commit f5254f3)

protectionsmachine pushed a commit that referenced this pull request Mar 13, 2024

[Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part…

0e3adc8

… 1 (#3501) * Initial commit * Date bump (cherry picked from commit f5254f3)

protectionsmachine pushed a commit that referenced this pull request Mar 13, 2024

[Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part…

9d046f9

… 1 (#3501) * Initial commit * Date bump (cherry picked from commit f5254f3)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part 1 #3501

[Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part 1 #3501

w0rk3r commented Mar 8, 2024 •

edited

Aegrah left a comment

Aegrah Mar 11, 2024

terrancedejesus commented Mar 12, 2024

w0rk3r commented Mar 13, 2024

[Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part 1 #3501

[Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part 1 #3501

Conversation

w0rk3r commented Mar 8, 2024 • edited

Issues

Summary

Aegrah left a comment

Choose a reason for hiding this comment

Aegrah Mar 11, 2024

Choose a reason for hiding this comment

terrancedejesus commented Mar 12, 2024

w0rk3r commented Mar 13, 2024

w0rk3r commented Mar 8, 2024 •

edited