28 changes: 22 additions & 6 deletions rules/windows/command_and_control_tool_transfer_via_curl.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2025/02/03"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/02/21"
updated_date = "2025/02/22"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

Expand Down Expand Up @@ -75,19 +75,35 @@ tags = [
"Data Source: Elastic Defend",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
"Data Source: Sysmon",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and user.id != "S-1-5-18" and
process.executable : ("?:\\Windows\\System32\\curl.exe", "?:\\Windows\\SysWOW64\\curl.exe") and
process.command_line : "*http*" and
process.parent.name : ("cmd.exe", "powershell.exe", "rundll32.exe", "explorer.exe", "conhost.exe", "forfiles.exe", "wscript.exe", "cscript.exe", "mshta.exe", "hh.exe", "mmc.exe")
process where host.os.type == "windows" and event.type == "start" and
process.executable : (
"?:\\Windows\\System32\\curl.exe",
"?:\\Windows\\SysWOW64\\curl.exe"
) and
process.command_line : "*http*" and
process.parent.name : (
"cmd.exe", "powershell.exe",
"rundll32.exe", "explorer.exe",
"conhost.exe", "forfiles.exe",
"wscript.exe", "cscript.exe",
"mshta.exe", "hh.exe", "mmc.exe"
) and
not (
user.id == "S-1-5-18" and
/* Don't apply the user.id exclusion to Sysmon for compatibility */
not event.dataset : ("windows.sysmon_operational", "windows.sysmon")
) and
/* Exclude System Integrity Processes for Sysmon */
not ?winlog.event_data.IntegrityLevel == "System"
'''


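Review bot: `not ?winlog.event_data.IntegrityLevel == "System"` on the last line of the new query uses `==`, while the same check in the whoami and WMI rules on this page (`?winlog.event_data.IntegrityLevel : "System"`) uses `:`; EQL `==` is a case-sensitive string comparison, so a source that emitted the level in a different case would slip past this exclusion, and `not ?winlog.event_data.IntegrityLevel : "System"` keeps the three rules consistent. The comment `/* Don't apply the user.id exclusion to Sysmon for compatibility */` would be more useful stating the reason the whoami rule gives, e.g. `/* Sysmon always populates user.id as S-1-5-18; rely on IntegrityLevel instead */`. The unnamed section below this one applies the same Sysmon carve-out to its `not user.id in (...)` clause without adding any IntegrityLevel fallback, so for Sysmon data that rule would presumably now keep SYSTEM-account executions it previously dropped; worth confirming that is intended.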
Expand Up @@ -2,7 +2,7 @@
creation_date = "2022/05/31"
integration = ["endpoint", "windows", "system", "m365_defender", "crowdstrike"]
maturity = "production"
updated_date = "2025/02/21"
updated_date = "2025/02/22"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

Expand Down Expand Up @@ -81,8 +81,8 @@ tags = [
"Data Source: Elastic Defend",
"Data Source: Windows Security Event Logs",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: Crowdstrike",
"Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "eql"
Expand All @@ -94,8 +94,12 @@ process where host.os.type == "windows" and event.type == "start" and
"/LSAQUERYFTI:*", "/PARENTDOMAIN",
"/DOMAIN_TRUSTS", "/BDC_QUERY:*"
) and
not process.parent.name : "PDQInventoryScanner.exe" and
not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20")
not process.parent.name : "PDQInventoryScanner.exe" and
not (
user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
/* Don't apply the user.id exclusion to Sysmon for compatibility */
not event.dataset : ("windows.sysmon_operational", "windows.sysmon")
)
'''


16 changes: 11 additions & 5 deletions rules/windows/discovery_whoami_command_activity.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/02/18"
integration = ["endpoint", "system", "windows", "m365_defender"]
maturity = "production"
updated_date = "2025/02/21"
updated_date = "2025/02/22"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

Expand Down Expand Up @@ -75,8 +75,8 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Windows Security Event Logs",
"Data Source: Sysmon",
"Data Source: Windows Security Event Logs"
]
timestamp_override = "event.ingested"
type = "eql"
Expand All @@ -87,9 +87,15 @@ process where host.os.type == "windows" and event.type == "start" and process.na
(
/* scoped for whoami execution under system privileges */
(
user.domain : ("NT *", "* NT", "IIS APPPOOL") and
user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20", "S-1-5-82-*") and
not ?winlog.event_data.SubjectUserName : "*$"
(
user.domain : ("NT *", "* NT", "IIS APPPOOL") and
user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20", "S-1-5-82-*") and
not ?winlog.event_data.SubjectUserName : "*$" and

/* Sysmon will always populate user.id as S-1-5-18, leading to FPs */
not event.dataset : ("windows.sysmon_operational", "windows.sysmon")
) or
(?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System")
) and
not (
process.parent.name : "cmd.exe" and
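Review bot: The new last tag `"Data Source: Windows Security Event Logs"` drops the trailing comma that the old text and every other `tags` array on this page keep (the curl and WMI sections end with `"...",`), so the next tag added to this rule will have to touch two lines; `"Data Source: Windows Security Event Logs",` restores the convention. In the query hunk, the comment `/* Sysmon will always populate user.id as S-1-5-18, leading to FPs */` is the clearest statement on the page of why the dataset carve-out exists; the sibling rules only say "for compatibility" and would read better with the same wording. The query expression this hunk edits starts before and ends after the hunk.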
15 changes: 7 additions & 8 deletions rules/windows/lateral_movement_incoming_wmi.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/11/15"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/22"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

Expand All @@ -13,12 +13,7 @@ Identifies processes executed via Windows Management Instrumentation (WMI) on a
adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.
"""
from = "now-9m"
index = [
"logs-endpoint.events.process-*",
"logs-endpoint.events.network-*",
"winlogbeat-*",
"logs-windows.sysmon_operational-*",
]
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "WMI Incoming Lateral Movement"
Expand Down Expand Up @@ -49,7 +44,11 @@ sequence by host.id with maxspan = 2s

[process where host.os.type == "windows" and event.type == "start" and process.parent.name : "WmiPrvSE.exe" and
not (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") and
not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
not (
user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
/* Don't apply the user.id exclusion to Sysmon for compatibility */
not event.dataset : ("windows.sysmon_operational", "windows.sysmon")
) and
not process.executable :
("?:\\Program Files\\HPWBEM\\Tools\\hpsum_swdiscovery.exe",
"?:\\Windows\\CCM\\Ccm32BitLauncher.exe",
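Review bot: The `index` change drops `"winlogbeat-*"` from the searched indices, yet the query hunk below still special-cases `event.dataset : ("windows.sysmon_operational", "windows.sysmon")`, and `windows.sysmon` is presumably the dataset name of Winlogbeat-shipped Sysmon events; after this commit such events are only reachable if they also land in one of the three remaining patterns, so either the pattern removal or the `"windows.sysmon"` entry looks stale. Either restore `"winlogbeat-*"` or drop `"windows.sysmon"` from the carve-out so the index list and the dataset list agree; the same dataset pair appears in the curl and whoami rules, so the decision should probably be applied to all of them. Collapsing the array onto one line also departs from the one-pattern-per-line layout the old text used and that the rest of the page follows for long arrays. The sequence this hunk edits starts before and ends after the hunk.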