[Tuning] Windows Discovery Rule Tuning for UEBA (#3097)

* [Tuning] Win DR Tuning for UEBA * Need to get used to Windows formatting * Added additional content * Updated min stack * Added additional tuning * Fixed unit testing for KQL optimization * Update rules_building_block/discovery_internet_capabilities.toml * Additional tuning * Kuery optimization * Additional tuning * Additional tuning * Additional tuning * Additional tuning * Unit testing optimization fix * optimization * tuning * Optimization * Update rules/windows/discovery_privileged_localgroup_membership.toml * Added feedback * Update rules/windows/discovery_privileged_localgroup_membership.toml Co-authored-by: Justin Ibarra <[email protected]> * Update rules/windows/discovery_remote_system_discovery_commands_windows.toml Co-authored-by: Justin Ibarra <[email protected]> * Update rules/windows/discovery_system_service_discovery.toml Co-authored-by: Justin Ibarra <[email protected]> * added host.id as additional new_terms field * Reworked a lot. * kibana.alert.rule.rule_id to non-ecs-schema.json * Fixed index by adding a dot * fixed typo * Added host.os.type:windows for signals * Added additional tag * Added Higher-Order Rule tag * Stripped down signal rules down to two * revert * Update rules/windows/discovery_admin_recon.toml Co-authored-by: Samirbous <[email protected]> * Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml Co-authored-by: Samirbous <[email protected]> * Update rules_building_block/discovery_generic_registry_query.toml Co-authored-by: Samirbous <[email protected]> * Update rules_building_block/discovery_system_time_discovery.toml Co-authored-by: Samirbous <[email protected]> * Update rules/windows/discovery_privileged_localgroup_membership.toml Co-authored-by: Samirbous <[email protected]> * Update discovery_generic_registry_query.toml * Readded exclusions * Added trailing wildcards for KQL * Update discovery_privileged_localgroup_membership.toml * Update rules_building_block/discovery_signal_unusual_user_host.toml Co-authored-by: Jonhnathan <[email protected]> * Update rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml Co-authored-by: Justin Ibarra <[email protected]> * Formatting fix --------- Co-authored-by: Justin Ibarra <[email protected]> Co-authored-by: Samirbous <[email protected]> Co-authored-by: Jonhnathan <[email protected]> (cherry picked from commit 4cdf521)
elastic · Oct 11, 2023 · c6030f6 · c6030f6
1 parent a33ef18
commit c6030f6
Show file tree

Hide file tree

Showing 20 changed files with 468 additions and 174 deletions.
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
@@ -114,7 +114,8 @@
   },
   ".alerts-security.*": {
     "signal.rule.name": "keyword",
-    "kibana.alert.rule.threat.tactic.id": "keyword"
+    "kibana.alert.rule.threat.tactic.id": "keyword",
+    "kibana.alert.rule.rule_id": "keyword"
   },
   "logs-google_workspace*": {
     "gsuite.admin": "keyword",

diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/09/14"
 
 [rule]
 author = ["Elastic"]
@@ -56,7 +56,14 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "871ea072-1b71-4def-b016-6278b505138d"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = ["Domain: Endpoint",
+        "OS: Windows",
+        "Use Case: Threat Detection",
+        "Tactic: Discovery",
+        "Resources: Investigation Guide",
+        "Data Source: Elastic Endgame",
+        "Data Source: Elastic Defend"
+        ]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -74,42 +81,43 @@ process where host.os.type == "windows" and event.type == "start" and
 
   ((process.name : "wmic.exe" or process.pe.original_file_name == "wmic.exe") and
      process.args : ("group", "useraccount"))
-)
+) and not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20")
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1069"
 name = "Permission Groups Discovery"
 reference = "https://attack.mitre.org/techniques/T1069/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1069.001"
 name = "Local Groups"
 reference = "https://attack.mitre.org/techniques/T1069/001/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1069.002"
 name = "Domain Groups"
 reference = "https://attack.mitre.org/techniques/T1069/002/"
 
-
 [[rule.threat.technique]]
 id = "T1087"
 name = "Account Discovery"
 reference = "https://attack.mitre.org/techniques/T1087/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1087.001"
 name = "Local Account"
 reference = "https://attack.mitre.org/techniques/T1087/001/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1087.002"
 name = "Domain Account"
 reference = "https://attack.mitre.org/techniques/T1087/002/"
 
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/27"
+updated_date = "2023/09/14"
 
 [rule]
 author = ["Elastic"]
@@ -62,7 +62,14 @@ references = [
 risk_score = 21
 rule_id = "84da2554-e12a-11ec-b896-f661ea17fbcd"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = ["Domain: Endpoint",
+        "OS: Windows",
+        "Use Case: Threat Detection",
+        "Tactic: Discovery",
+        "Data Source: Elastic Endgame",
+        "Resources: Investigation Guide",
+        "Data Source: Elastic Defend"
+        ]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -71,16 +78,20 @@ process where host.os.type == "windows" and event.type == "start" and
     process.name : "nltest.exe" and process.args : (
         "/DCLIST:*", "/DCNAME:*", "/DSGET*",
         "/LSAQUERYFTI:*", "/PARENTDOMAIN",
-        "/DOMAIN_TRUSTS", "/BDC_QUERY:*")
+        "/DOMAIN_TRUSTS", "/BDC_QUERY:*"
+        ) and 
+not process.parent.name : "PDQInventoryScanner.exe" and 
+not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20")
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1482"
 name = "Domain Trust Discovery"
 reference = "https://attack.mitre.org/techniques/T1482/"
+
 [[rule.threat.technique]]
 id = "T1018"
 name = "Remote System Discovery"
@@ -90,4 +101,3 @@ reference = "https://attack.mitre.org/techniques/T1018/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/10/15"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/10/10"
 
 [transform]
 [[transform.osquery]]
@@ -31,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
 
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -40,7 +39,7 @@ Administrators or Remote Desktop users.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
-language = "eql"
+language = "kuery"
 license = "Elastic License v2"
 name = "Enumeration of Privileged Local Groups Membership"
 note = """## Triage and analysis
@@ -112,75 +111,81 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "291a0de9-937a-4189-94c0-3e847c8b13e4"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide"]
+tags = ["Domain: Endpoint",
+        "OS: Windows",
+        "Use Case: Threat Detection",
+        "Tactic: Discovery",
+        "Resources: Investigation Guide"
+        ]
 timestamp_override = "event.ingested"
-type = "eql"
+type = "new_terms"
 
 query = '''
-iam where event.action == "user-member-enumerated" and
-
-  /* excluding machine account */
-  not winlog.event_data.SubjectUserName: ("*$", "LOCAL SERVICE", "NETWORK SERVICE") and
-
-  /* noisy and usual legit processes excluded */
-  not winlog.event_data.CallerProcessName:
-               ("-",
-                "?:\\Windows\\System32\\VSSVC.exe",
-                "?:\\Windows\\System32\\SearchIndexer.exe",
-                "?:\\Windows\\System32\\CompatTelRunner.exe",
-                "?:\\Windows\\System32\\oobe\\msoobe.exe",
-                "?:\\Windows\\System32\\net1.exe",
-                "?:\\Windows\\System32\\svchost.exe",
-                "?:\\Windows\\System32\\Netplwiz.exe",
-                "?:\\Windows\\System32\\msiexec.exe",
-                "?:\\Windows\\SysWOW64\\msiexec.exe",
-                "?:\\Windows\\System32\\CloudExperienceHostBroker.exe",
-                "?:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
-                "?:\\Windows\\System32\\SrTasks.exe",
-                "?:\\Windows\\System32\\lsass.exe",
-                "?:\\Windows\\System32\\diskshadow.exe",
-                "?:\\Windows\\System32\\dfsrs.exe",
-                "?:\\Program Files\\*.exe",
-                "?:\\Program Files (x86)\\*.exe",
-                "?:\\WindowsAzure\\*\\WaAppAgent.exe",
-                "?:\\Windows\\System32\\vssadmin.exe",
-                "?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe",
-                "?:\\Windows\\System32\\dllhost.exe",
-                "?:\\Windows\\System32\\mmc.exe",
-                "?:\\Windows\\System32\\SettingSyncHost.exe",
-                "?:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe",
-                "?:\\Windows\\System32\\SystemSettingsAdminFlows.exe",
-                "?:\\Windows\\Temp\\rubrik_vmware???\\snaptool.exe",
-                "?:\\Windows\\System32\\inetsrv\\w3wp.exe",
-                "?:\\$WINDOWS.~BT\\Sources\\*.exe",
-                "?:\\Windows\\System32\\wsmprovhost.exe",
-                "?:\\Windows\\System32\\spool\\drivers\\x64\\3\\x3jobt3?.exe",
-                "?:\\Windows\\System32\\mstsc.exe",
-                "?:\\Windows\\System32\\esentutl.exe",
-                "?:\\Windows\\System32\\RecoveryDrive.exe",
-                "?:\\Windows\\System32\\SystemPropertiesComputerName.exe") and
-
-  /* privileged local groups */
-  (group.name:("*admin*","RemoteDesktopUsers") or
-   winlog.event_data.TargetSid:("S-1-5-32-544","S-1-5-32-555"))
+host.os.type:windows and event.category:iam and event.action:user-member-enumerated and 
+  (
+    group.name:(*Admin* or "RemoteDesktopUsers") or
+    winlog.event_data.TargetSid:("S-1-5-32-544" or "S-1-5-32-555")
+  ) and 
+  not (winlog.event_data.SubjectUserName: (*$ or "LOCAL SERVICE" or "NETWORK SERVICE") or 
+  winlog.event_data.CallerProcessName:("-" or 
+                                       *\:\\\\Windows\\\\System32\\\\VSSVC.exe or 
+                                       *\:\\\\Windows\\\\System32\\\\SearchIndexer.exe or 
+                                       *\:\\\\Windows\\\\System32\\\\CompatTelRunner.exe or 
+                                       *\:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe or
+                                       *\:\\\\Windows\\\\System32\\\\net1.exe or 
+                                       *\:\\\\Windows\\\\System32\\\\svchost.exe or 
+                                       *\:\\\\Windows\\\\System32\\\\Netplwiz.exe or 
+                                       *\:\\\\Windows\\\\System32\\\\msiexec.exe or
+                                       *\:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe or
+                                       *\:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe or
+                                       *\:\\\\Windows\\\\System32\\\\SrTasks.exe or
+                                       *\:\\\\Windows\\\\System32\\\\diskshadow.exe or
+                                       *\:\\\\Windows\\\\System32\\\\dfsrs.exe or
+                                       *\:\\\\Windows\\\\System32\\\\vssadmin.exe or
+                                       *\:\\\\Windows\\\\System32\\\\dllhost.exe or
+                                       *\:\\\\Windows\\\\System32\\\\mmc.exe or
+                                       *\:\\\\Windows\\\\System32\\\\SettingSyncHost.exe or
+                                       *\:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe or
+                                       *\:\\\\Windows\\\\System32\\\\wsmprovhost.exe or
+                                       *\:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\x3jobt3?.exe or
+                                       *\:\\\\Windows\\\\System32\\\\mstsc.exe or
+                                       *\:\\\\Windows\\\\System32\\\\esentutl.exe or
+                                       *\:\\\\Windows\\\\System32\\\\RecoveryDrive.exe or
+                                       *\:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe or
+                                       *\:\\\\Windows\\\\SysWOW64\\\\msiexec.exe or
+                                       *\:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe or
+                                       *\:\\\\Windows\\\\Temp\\\\rubrik_vmware???\\\\snaptool.exe or
+                                       *\:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe or
+                                       ?\:\\\\WindowsAzure\\\\*WaAppAgent.exe or
+                                       ?\:\\\\Program?Files?\(x86\)\\\\*.exe or
+                                       ?\:\\\\Program?Files\\\\*.exe or
+                                       ?\:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe
+                                      )
+  )
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1069"
 name = "Permission Groups Discovery"
 reference = "https://attack.mitre.org/techniques/T1069/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1069.001"
 name = "Local Groups"
 reference = "https://attack.mitre.org/techniques/T1069/001/"
 
-
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
 
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "winlog.event_data.SubjectUserName", "winlog.event_data.CallerProcessName"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
diff --git a/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml b/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
@@ -0,0 +1,53 @@
+[metadata]
+creation_date = "2023/09/22"
+maturity = "production"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/09/22"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique
+host.id, user.id and process.command_line entries.
+"""
+from = "now-9m"
+index = [".alerts-security.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Unusual Discovery Signal Alert with Unusual Process Command Line"
+risk_score = 21
+rule_id = "29ef5686-9b93-433e-91b5-683911094698"
+severity = "low"
+tags = ["Domain: Endpoint",
+        "OS: Windows",
+        "Use Case: Threat Detection",
+        "Tactic: Discovery",
+        "Rule Type: Higher-Order Rule"
+        ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:(
+  "d68e95ad-1c82-4074-a12a-125fe10ac8ba" or "7b8bfc26-81d2-435e-965c-d722ee397ef1" or
+  "0635c542-1b96-4335-9b47-126582d2c19a" or "6ea55c81-e2ba-42f2-a134-bccf857ba922" or
+  "e0881d20-54ac-457f-8733-fe0bc5d44c55" or "06568a02-af29-4f20-929c-f3af281e41aa" or
+  "c4e9ed3e-55a2-4309-a012-bc3c78dad10a" or "51176ed2-2d90-49f2-9f3d-17196428b169"
+)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "user.id", "process.command_line"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"