From afd17a6ada4d15972bd27e072f59ca1ca33e1e50 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 23 Dec 2024 14:13:41 +0000
Subject: [PATCH 1/5] Update persistence_sysmon_wmi_event_subscription.toml
---
 ...rsistence_sysmon_wmi_event_subscription.toml | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/rules/windows/persistence_sysmon_wmi_event_subscription.toml b/rules/windows/persistence_sysmon_wmi_event_subscription.toml
index 586426af047..e6d82725ff9 100644
--- a/rules/windows/persistence_sysmon_wmi_event_subscription.toml
+++ b/rules/windows/persistence_sysmon_wmi_event_subscription.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/02/02"
-integration = ["windows"]
+integration = ["windows", "endpoint"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/12/23"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -13,7 +13,7 @@ Detects the creation of a WMI Event Subscription. Attackers can abuse this mecha
 SYSTEM privileges.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
+index = ["winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-endpoint.events.api-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious WMI Event Subscription Created"
@@ -30,13 +30,20 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Persistence",
 "Data Source: Sysmon",
+ "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where event.dataset == "windows.sysmon_operational" and event.code == "21" and
- winlog.event_data.Operation : "Created" and winlog.event_data.Consumer : ("*subscription:CommandLineEventConsumer*", "*subscription:ActiveScriptEventConsumer*")
+any where
+ (
+ (event.dataset == "windows.sysmon_operational" and event.code == "21" and
+ winlog.event_data.Operation : "Created" and winlog.event_data.Consumer : ("*subscription:CommandLineEventConsumer*", "*subscription:ActiveScriptEventConsumer*")) or
+
+ (event.dataset == "endpoint.events.api" and event.provider == "Microsoft-Windows-WMI-Activity" and process.Ext.api.name == "IWbemServices::PutInstance" and
+ process.Ext.api.parameters.consumer_type in ("ActiveScriptEventConsumer", "CommandLineEventConsumer"))
+ )
 '''
From 701f3a4578287f3ce9dc26f71184adf953381b0c Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 23 Dec 2024 14:17:35 +0000
Subject: [PATCH 2/5] Update non-ecs-schema.json
---
 detection_rules/etc/non-ecs-schema.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index ef82fd53792..d6bcb634786 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -82,7 +82,8 @@
 "process.Ext.relative_file_name_modify_time": "double",
 "process.Ext.relative_file_creation_time": "double",
 "Target.process.name": "keyword",
- "process.Ext.api.name": "keyword"
+ "process.Ext.api.name": "keyword",
+ "process.Ext.api.parameters.consumer_type": "keyword"
 },
 "logs-endpoint.events.file-*": {
 "file.Ext.header_bytes": "keyword",
From cac8fa75fb643bea3fdb78cb19dfdb877e95205f Mon Sep 17 00:00:00 2001
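Review bot: The new Elastic Defend branch of the query matches `process.Ext.api.parameters.consumer_type` with `in`, which is case-sensitive in EQL, while the Sysmon branch it is OR'd with matches `winlog.event_data.Consumer` with the case-insensitive `:` wildcard operator; since WMI class names are not case-sensitive, a consumer registered as e.g. `commandlineeventconsumer` would be caught by the Sysmon branch but missed by the endpoint branch. Unless Elastic Defend is known to normalise the value, the endpoint branch should use the case-insensitive form: `process.Ext.api.parameters.consumer_type in~ ("ActiveScriptEventConsumer", "CommandLineEventConsumer"))`. The endpoint branch also has no counterpart to the Sysmon branch's `winlog.event_data.Operation : "Created"` qualifier, so it presumably fires on `PutInstance` calls that update an existing consumer as well as on creation; if that is intended, a sentence in the rule description would save a triage question later. The hunk's trailing context lines after the closing `'''` are collapsed and not visible here.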
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 23 Dec 2024 14:24:31 +0000
Subject: [PATCH 3/5] Update persistence_sysmon_wmi_event_subscription.toml
---
 rules/windows/persistence_sysmon_wmi_event_subscription.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/persistence_sysmon_wmi_event_subscription.toml b/rules/windows/persistence_sysmon_wmi_event_subscription.toml
index e6d82725ff9..3a2b3cca798 100644
--- a/rules/windows/persistence_sysmon_wmi_event_subscription.toml
+++ b/rules/windows/persistence_sysmon_wmi_event_subscription.toml
@@ -3,8 +3,8 @@ creation_date = "2023/02/02"
 integration = ["windows", "endpoint"]
 maturity = "production"
 updated_date = "2024/12/23"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+min_stack_version = "8.15.0"
+min_stack_comments = "Elastic Defend WMI events were added in Elastic Defend 8.15.0."
 [rule]
 author = ["Elastic"]
From e0a6d6246aca17a6c377830b27d40bb0bc066e03 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Tue, 24 Dec 2024 14:09:35 -0300
Subject: [PATCH 4/5] Update detection_rules/etc/non-ecs-schema.json
---
 detection_rules/etc/non-ecs-schema.json | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index d6bcb634786..2932901531c 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -82,8 +82,11 @@
 "process.Ext.relative_file_name_modify_time": "double",
 "process.Ext.relative_file_creation_time": "double",
 "Target.process.name": "keyword",
- "process.Ext.api.name": "keyword",
- "process.Ext.api.parameters.consumer_type": "keyword"
+ "process.Ext.api.name": "keyword"
+ },
+ "logs-endpoint.events.api-*": {
+ "process.Ext.api.parameters.consumer_type": "keyword",
+ "process.Ext.api.name": "keyword"
 },
 "logs-endpoint.events.file-*": {
 "file.Ext.header_bytes": "keyword",
From cec5c8e815085eef0a07e4512c799c27f2854ce4 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Mon, 6 Jan 2025 09:26:30 -0300
Subject: [PATCH 5/5] Update pyproject.toml
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pyproject.toml b/pyproject.toml
index 8ef7db21195..b1977c0871e 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.3.6"
+version = "0.3.7"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"