[Rule Tuning] Windows Registry Rules Tuning - 2 (#3958)
w0rk3r authored Aug 6, 2024
1 parent 9b85079 commit a6f1aa6
Showing 19 changed files with 72 additions and 45 deletions.
4 changes: 2 additions & 2 deletions rules/windows/persistence_app_compat_shim.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/09/02"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/05"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type in ("creation", "change") and
registry where host.os.type == "windows" and event.type == "change" and
registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb" and
not process.executable :
("?:\\Program Files (x86)\\DesktopCentral_Agent\\swrepository\\1\\swuploads\\SAP-SLC\\SAPSetupSLC02_14-80001954\\Setup\\NwSapSetup.exe",
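Review bot: The query on L30 narrows `event.type in ("creation", "change")` to `event.type == "change"` without a comment recording why, and the same narrowing is made in persistence_registry_uncommon.toml (L184) and in the print monitors/processors query (L429). Nothing on the page shows what the dropped `creation` events looked like for these paths, so the next person tuning the rule has no way to tell whether widening it back is safe. A one-line EQL comment on the query line, e.g. `/* event.type == "change" only; creation events dropped in #3958 */`, would pin the intent to the commit. The rest of the query (the exclusion list after L33) is outside the hunk.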
5 changes: 2 additions & 3 deletions rules/windows/persistence_appcertdlls_registry.toml
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende
maturity = "production"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
min_stack_version = "8.13.0"
updated_date = "2024/06/25"
updated_date = "2024/08/05"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -33,8 +33,7 @@ timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and
/* uncomment once stable length(bytes_written_string) > 0 and */
registry where host.os.type == "windows" and event.type == "change" and
registry.path : (
"HKLM\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*",
"\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*",
4 changes: 2 additions & 2 deletions rules/windows/persistence_appinitdlls_registry.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/11/18"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/05"

[transform]
[[transform.osquery]]
Expand Down Expand Up @@ -121,7 +121,7 @@ timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and
registry where host.os.type == "windows" and event.type == "change" and
registry.path : (
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
"HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/12/18"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/05"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -72,7 +72,8 @@ timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and registry.path : (
registry where host.os.type == "windows" and event.type == "change" and
registry.path : (
"HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\",
"\\REGISTRY\\MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\"
)
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/11/17"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/05"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -35,7 +35,8 @@ timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and length(registry.data.strings) > 0 and
registry where host.os.type == "windows" and event.type == "change" and
registry.value : ("Debugger", "MonitorProcess") and length(registry.data.strings) > 0 and
registry.path : (
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger",
"HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
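Review bot: The new `registry.value : ("Debugger", "MonitorProcess")` on L115 restates the trailing component of the `registry.path` entries below it, so the two lists now have to be edited together and nothing in the hunk says so. The same pairing is added for the Startup-folder query (L136), the scheduled-task `Actions` query (L159), the services `ServiceDLL`/`ImagePath` query (L248), the `ImagePath` query (L309) and the `windir`/`systemroot` query (L450). A short comment above the value filter, e.g. `/* keep in sync with the last path component of every registry.path entry below */`, would record the coupling. In each case the `registry.path` list continues past the hunk, so I cannot confirm every entry matches the value filter.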
Expand Up @@ -2,7 +2,7 @@
creation_date = "2021/03/15"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/05"

[transform]
[[transform.osquery]]
Expand Down Expand Up @@ -111,7 +111,8 @@ timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and
registry where host.os.type == "windows" and event.type == "change" and
registry.value : ("Common Startup", "Startup") and
registry.path : (
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Startup",
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup",
10 changes: 6 additions & 4 deletions rules/windows/persistence_local_scheduled_task_scripting.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/11/29"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/05"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -46,9 +46,11 @@ sequence by host.id with maxspan = 30s
(event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
(?dll.name : "taskschd.dll" or file.name : "taskschd.dll") and
process.name : ("cscript.exe", "wscript.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe")]
[registry where host.os.type == "windows" and registry.path : (
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions")]
[registry where host.os.type == "windows" and event.type == "change" and registry.value : "Actions" and
registry.path : (
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"
)]
'''


19 changes: 16 additions & 3 deletions rules/windows/persistence_registry_uncommon.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/11/18"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/05"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -33,7 +33,7 @@ timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type in ("creation", "change") and
registry where host.os.type == "windows" and event.type == "change" and
length(registry.data.strings) > 0 and
registry.path : (
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
Expand Down Expand Up @@ -92,7 +92,20 @@ registry where host.os.type == "windows" and event.type in ("creation", "change"
"C:\\Windows\\SysWOW64\\msiexec.exe",
"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
"C:\\Program Files\\*.exe",
"C:\\Program Files (x86)\\*.exe")
"C:\\Program Files (x86)\\*.exe") and
not (process.name : ("TiWorker.exe", "poqexec.exe") and registry.value : "SetupExecute" and
registry.data.strings : (
"C:\\windows\\System32\\poqexec.exe /display_progress \\SystemRoot\\WinSxS\\pending.xml",
"C:\\Windows\\System32\\poqexec.exe /skip_critical_poq /display_progress \\SystemRoot\\WinSxS\\pending.xml"
)
) and
not (process.name : "svchost.exe" and registry.value : "SCRNSAVE.EXE" and
registry.data.strings : (
"%windir%\\system32\\rundll32.exe user32.dll,LockWorkStation",
"scrnsave.scr",
"%windir%\\system32\\Ribbons.scr"
)
)
'''


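Review bot: The two new exclusions on L194 and L200 key on `process.name` only, whereas the exclusion list immediately above them (L189–L192) is a list of full executable paths, so the new clauses are looser than their neighbours: they match on the image name rather than on where it runs from. Pinning the process to its expected location keeps each exclusion as narrow as the data strings it pairs with, e.g. `not (process.executable : "?:\\Windows\\System32\\svchost.exe" and registry.value : "SCRNSAVE.EXE" and` for the screen-saver clause, and the equivalent path-qualified form for the `SetupExecute` clause. The field the L189–L192 list belongs to is outside the hunk; I am inferring `process.executable` from the values.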
5 changes: 3 additions & 2 deletions rules/windows/persistence_run_key_and_startup_broad.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/11/18"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/05"

[transform]
[[transform.osquery]]
Expand Down Expand Up @@ -116,7 +116,8 @@ timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and registry.data.strings != null and
registry where host.os.type == "windows" and event.type == "change" and
registry.data.strings != null and registry.hive : ("HKEY_USERS", "HKLM") and
registry.path : (
/* Machine Hive */
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
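Review bot: The added `registry.hive : ("HKEY_USERS", "HKLM")` on L228 has to agree with the hive prefixes used by the `registry.path` list that follows it, of which only the `HKLM` entries are visible here (the list continues past the hunk). If that list also carries `HKU\\*`-style entries, as another rule in this commit does (L371), confirm that the data sources populate `registry.hive` with `HKEY_USERS` rather than `HKU` for them; otherwise those paths are filtered out before they are ever compared. A trailing comment such as `registry.hive : ("HKEY_USERS", "HKLM") and /* must cover every hive prefix in the path list below */` would make the dependency visible to the next editor.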
8 changes: 6 additions & 2 deletions rules/windows/persistence_services_registry.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/11/18"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/05"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -34,6 +34,7 @@ type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and
registry.value : ("ServiceDLL", "ImagePath") and
registry.path : (
"HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL",
"HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath",
Expand All @@ -43,6 +44,7 @@ registry where host.os.type == "windows" and event.type == "change" and
"?:\\windows\\system32\\Drivers\\*.sys",
"\\SystemRoot\\System32\\drivers\\*.sys",
"\\??\\?:\\Windows\\system32\\Drivers\\*.SYS",
"\\??\\?:\\Windows\\syswow64\\*.sys",
"system32\\DRIVERS\\USBSTOR") and
not (process.name : "procexp??.exe" and registry.data.strings : "?:\\*\\procexp*.sys") and
not process.executable : (
Expand All @@ -53,7 +55,9 @@ registry where host.os.type == "windows" and event.type == "change" and
"?:\\Windows\\System32\\drvinst.exe",
"?:\\Windows\\System32\\services.exe",
"?:\\Windows\\System32\\msiexec.exe",
"?:\\Windows\\System32\\regsvr32.exe")
"?:\\Windows\\System32\\regsvr32.exe",
"?:\\Windows\\System32\\WaaSMedicAgent.exe"
)
'''


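Review bot: The `WaaSMedicAgent.exe` entry added on L266 exempts every `ServiceDLL`/`ImagePath` write made by that executable, while the neighbouring `procexp` exclusion on L258 also constrains `registry.data.strings`. If the benign writes this entry was added for carry a stable data value, pairing it the same way (`not (process.executable : "?:\\Windows\\System32\\WaaSMedicAgent.exe" and registry.data.strings : "<observed value>")`) would keep the exclusion specific; if they do not, a comment naming the observed false positive would justify the broad form. The `not process.executable : (` list opens on L259 and its first entries are outside the hunk.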
4 changes: 2 additions & 2 deletions rules/windows/persistence_suspicious_com_hijack_registry.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/11/18"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/05"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -85,7 +85,7 @@ timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and
registry where host.os.type == "windows" and event.type == "change" and
/* not necessary but good for filtering privileged installations */
user.domain != "NT AUTHORITY" and process.executable != null and
(
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/11/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/05"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -32,12 +32,14 @@ timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and registry.path : (
registry where host.os.type == "windows" and event.type == "change" and
registry.value : "ImagePath" and
registry.path : (
"HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath",
"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath"
) and
/* add suspicious registry ImagePath values here */
registry.data.strings : ("%COMSPEC%*", "*\\.\\pipe\\*")
/* add suspicious registry ImagePath values here */
registry.data.strings : ("%COMSPEC%*", "*\\.\\pipe\\*")
'''


7 changes: 4 additions & 3 deletions rules/windows/persistence_time_provider_mod.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2021/01/19"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/05"

[transform]
[[transform.osquery]]
Expand Down Expand Up @@ -111,7 +111,7 @@ timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type:"change" and
registry where host.os.type == "windows" and event.type == "change" and
registry.path: (
"HKLM\\SYSTEM\\*ControlSet*\\Services\\W32Time\\TimeProviders\\*",
"\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\W32Time\\TimeProviders\\*"
Expand All @@ -121,7 +121,8 @@ registry where host.os.type == "windows" and event.type:"change" and
(
process.executable : "?:\\Windows\\System32\\msiexec.exe" and
registry.data.strings : "?:\\Program Files\\VMware\\VMware Tools\\vmwTimeProvider\\vmwTimeProvider.dll"
)
) and
not registry.data.strings : "C:\\Windows\\SYSTEM32\\w32time.DLL"
'''


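Review bot: The new exclusion on L348 hard-codes the drive letter (`C:\\Windows\\SYSTEM32\\w32time.DLL`) while the VMware exclusion two lines above it uses the `?:` wildcard (L344–L345), so hosts with Windows installed on another drive keep alerting on this value. `not registry.data.strings : "?:\\Windows\\SYSTEM32\\w32time.DLL"` follows the query's existing convention. The enclosing `not (...)` group that L343–L347 belong to begins outside the hunk.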
4 changes: 2 additions & 2 deletions rules/windows/persistence_via_hidden_run_key_valuename.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/11/15"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/05"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -46,7 +46,7 @@ type = "eql"

query = '''
/* Registry Path ends with backslash */
registry where host.os.type == "windows" and /* length(registry.data.strings) > 0 and */
registry where host.os.type == "windows" and event.type == "change" and length(registry.data.strings) > 0 and
registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
"HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/11/18"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/05"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -40,7 +40,7 @@ timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and
registry where host.os.type == "windows" and event.type == "change" and
registry.path : (
"HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*",
"HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*",
Expand Up @@ -2,7 +2,7 @@
creation_date = "2021/03/15"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/05"

[transform]
[[transform.osquery]]
Expand Down Expand Up @@ -112,7 +112,7 @@ timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and
registry where host.os.type == "windows" and event.type == "change" and
registry.data.strings != null and process.name : "WmiPrvSe.exe" and
registry.path : (
"HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Command Processor\\Autorun",
Expand Up @@ -2,7 +2,7 @@
creation_date = "2021/01/21"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/05"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type in ("creation", "change") and
registry where host.os.type == "windows" and event.type == "change" and
registry.path : (
"HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Monitors\\*",
"HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\*",
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/11/26"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/08/05"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -32,7 +32,9 @@ timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and registry.path : (
registry where host.os.type == "windows" and event.type == "change" and
registry.value : ("windir", "systemroot") and
registry.path : (
"HKEY_USERS\\*\\Environment\\windir",
"HKEY_USERS\\*\\Environment\\systemroot",
"HKU\\*\\Environment\\windir",
