From 608b7cb73aa5b430a9ab222cc325835339e65b62 Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Fri, 18 Oct 2024 10:30:59 -0400 Subject: [PATCH 1/5] adding rule tuning --- ...evasion_process_termination_followed_by_deletion.toml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml index 5ed21ba1c98..a02ab9aab50 100644 --- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml +++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/04" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/10/18" [transform] [[transform.osquery]] @@ -112,11 +112,13 @@ sequence by host.id with maxspan=5s not process.executable : ("C:\\Windows\\SoftwareDistribution\\*.exe", "C:\\Windows\\WinSxS\\*.exe") ] by process.executable [file where host.os.type == "windows" and event.type == "deletion" and file.extension : ("exe", "scr", "com") and + and process.code_signature.trusted != true and not process.executable : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe", "?:\\Windows\\System32\\svchost.exe", - "?:\\Windows\\System32\\drvinst.exe") and + "?:\\Windows\\System32\\drvinst.exe" + "?:\\Windows\\Postillion\\Office\\*.exe) and not file.path : ( "?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe", @@ -124,7 +126,8 @@ sequence by host.id with maxspan=5s "?:\\$WINDOWS.~BT\\Work\\*\\DismHost.exe", "?:\\$WinREAgent\\Scratch\\*\\DismHost.exe", "?:\\Windows\\tenable_mw_scan_*.exe", - "?:\\Users\\*\\AppData\\Local\\Temp\\LogiUI\\Pak\\uninstall.exe" + "?:\\Users\\*\\AppData\\Local\\Temp\\LogiUI\\Pak\\uninstall.exe", + "?:\\ProgramData\\chocolatey\\*.exe ) ] by file.path ''' From 6fcebe16218caf6098a8e4132f00568412d377fc Mon Sep 17 00:00:00 2001 
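Review bot: The added lines in the second hunk leave the EQL query unparseable: `file.extension : ("exe", "scr", "com") and` is followed by `+ and process.code_signature.trusted != true and`, giving a doubled `and`; the `"?:\\Windows\\System32\\drvinst.exe"` entry loses its trailing comma; and both `"?:\\Windows\\Postillion\\Office\\*.exe)` and `"?:\\ProgramData\\chocolatey\\*.exe` are unterminated strings. PATCH 2/5 repairs all of these, so the fix is not to redo it here but to squash the two commits so no revision in the history carries a rule that fails validation (a bisect or a cherry-pick onto a release branch would otherwise pick up the broken rule). The new `"?:\\Windows\\Postillion\\Office\\*.exe` exclusion is a bare wildcard path with no signer condition; if that directory is writable by non-admin users, an unsigned binary dropped there is excluded outright, so anchoring it on `process.code_signature.subject_name` as the later exceptions in this series do would be safer.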
From: terrancedejesus Date: Fri, 18 Oct 2024 11:03:18 -0400 Subject: [PATCH 2/5] adjusted operators; fixed missing quotes --- ...ocess_termination_followed_by_deletion.toml | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml index a02ab9aab50..849c2e1b6f4 100644 --- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml +++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml @@ -109,17 +109,19 @@ query = ''' sequence by host.id with maxspan=5s [process where host.os.type == "windows" and event.type == "end" and process.code_signature.trusted != true and - not process.executable : ("C:\\Windows\\SoftwareDistribution\\*.exe", "C:\\Windows\\WinSxS\\*.exe") + not process.executable like + ("C:\\Windows\\SoftwareDistribution\\*.exe", + "C:\\Windows\\WinSxS\\*.exe", + "?:\\Windows\\Postillion\\Office\\*.exe") ] by process.executable - [file where host.os.type == "windows" and event.type == "deletion" and file.extension : ("exe", "scr", "com") and - and process.code_signature.trusted != true and - not process.executable : + [file where host.os.type == "windows" and event.type == "deletion" and file.extension in ("exe", "scr", "com") and + not process.executable like ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe", "?:\\Windows\\System32\\svchost.exe", - "?:\\Windows\\System32\\drvinst.exe" - "?:\\Windows\\Postillion\\Office\\*.exe) and - not file.path : ( + "?:\\Windows\\System32\\drvinst.exe", + "?:\\Windows\\Postillion\\Office\\*.exe") and + not file.path like ( "?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe", "?:\\Windows\\Temp\\*\\DismHost.exe", 
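Review bot: Switching the exclusions from `:` to `like` in this hunk makes every `process.executable` and `file.path` exclusion case-sensitive, because in Elastic EQL `:` is case-insensitive while `like` is case-sensitive and `like~` is the case-insensitive form; a path reported as `c:\program files\...` would no longer be excluded, and the same applies to the `in` on `file.extension` here (PATCH 3/5 changes that one to `in~` but leaves the `like` lists as they are). Unless case-sensitive matching is intended, the three operators should read `not process.executable like~`, `not process.executable like~` and `not file.path like~ (`. The first list also mixes a literal `C:\\` drive letter with `?:\\` in the other entries, which is inconsistent rather than wrong. Separately, the `process.code_signature.trusted != true` guard that PATCH 1/5 added to the file event is removed here without the subject saying so; the removal looks deliberate, since keeping it would have excluded deletions performed by signed utilities, but it deserves a line in the commit message.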
@@ -127,7 +129,7 @@ sequence by host.id with maxspan=5s "?:\\$WinREAgent\\Scratch\\*\\DismHost.exe", "?:\\Windows\\tenable_mw_scan_*.exe", "?:\\Users\\*\\AppData\\Local\\Temp\\LogiUI\\Pak\\uninstall.exe", - "?:\\ProgramData\\chocolatey\\*.exe + "?:\\ProgramData\\chocolatey\\*.exe" ) ] by file.path ''' From c8d9328cebfa07103113b8ca8cd4fd088f025ee3 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Wed, 30 Oct 2024 09:03:02 +0000 Subject: [PATCH 3/5] Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml --- ...efense_evasion_process_termination_followed_by_deletion.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml index 849c2e1b6f4..f54b66f1a52 100644 --- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml +++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml @@ -114,7 +114,7 @@ sequence by host.id with maxspan=5s "C:\\Windows\\WinSxS\\*.exe", "?:\\Windows\\Postillion\\Office\\*.exe") ] by process.executable - [file where host.os.type == "windows" and event.type == "deletion" and file.extension in ("exe", "scr", "com") and + [file where host.os.type == "windows" and event.type == "deletion" and file.extension in~ ("exe", "scr", "com") and not process.executable like ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe", From 9f853a2ba19b38b8252dfabc44919baa349d138c Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Mon, 4 Nov 2024 18:56:49 -0300 Subject: [PATCH 4/5] Update defense_evasion_process_termination_followed_by_deletion.toml --- ..._process_termination_followed_by_deletion.toml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) 
diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml index f54b66f1a52..b82881751c7 100644 --- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml +++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/04" integration = ["endpoint"] maturity = "production" -updated_date = "2024/10/18" +updated_date = "2024/11/04" [transform] [[transform.osquery]] @@ -112,7 +112,12 @@ sequence by host.id with maxspan=5s not process.executable like ("C:\\Windows\\SoftwareDistribution\\*.exe", "C:\\Windows\\WinSxS\\*.exe", - "?:\\Windows\\Postillion\\Office\\*.exe") + "?:\\Windows\\Postillion\\Office\\*.exe") and + not ( + process.name : "infinst.exe" and process.parent.name: "dxsetup.exe" and + process.parent.code_signature.subject_name == "NVIDIA Corporation" and + process.parent.code_signature.status == "trusted" + ) ] by process.executable [file where host.os.type == "windows" and event.type == "deletion" and file.extension in~ ("exe", "scr", "com") and not process.executable like @@ -130,6 +135,12 @@ sequence by host.id with maxspan=5s "?:\\Windows\\tenable_mw_scan_*.exe", "?:\\Users\\*\\AppData\\Local\\Temp\\LogiUI\\Pak\\uninstall.exe", "?:\\ProgramData\\chocolatey\\*.exe" + ) and + not (process.name : "OktaVerifySetup-*.exe" and process.code_signature.subject_name == "Okta, Inc.") and + not ( + process.executable : "?:\\Windows\\SysWOW64\\config\\systemprofile\\Citrix\\UpdaterBinaries\\CitrixReceiver\\*" and + process.code_signature.subject_name == "Citrix Systems, Inc." and + file.path : "?:\\Windows\\SysWOW64\\config\\systemprofile\\Citrix\\UpdaterBinaries\\CitrixReceiver\\*\\bootstrapperhelper.exe" ) ] by file.path ''' From 4ebb3b7d3ade75b0080a2ef400b398a5d435b521 Mon Sep 17 00:00:00 2001 
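Review bot: The Okta and Citrix exceptions added in the third hunk key on `process.code_signature.subject_name` alone, without requiring the signature to be valid, so a binary carrying an invalid or self-signed certificate whose subject reads `Okta, Inc.` or `Citrix Systems, Inc.` would be excluded even though the rule otherwise targets untrusted processes. The NVIDIA exception in the second hunk does pair the subject with `process.parent.code_signature.status == "trusted"`, so the same pattern belongs here, e.g. `process.code_signature.subject_name == "Okta, Inc." and process.code_signature.trusted == true`, and likewise for the Citrix branch. Note that the NVIDIA exception checks the parent's signature while the terminated `infinst.exe` itself remains untrusted; that is presumably the installer's normal behavior, but it is worth documenting alongside the exception so a later tuner does not widen it further.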
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Tue, 5 Nov 2024 10:39:22 -0300 Subject: [PATCH 5/5] Update defense_evasion_process_termination_followed_by_deletion.toml --- ...efense_evasion_process_termination_followed_by_deletion.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml index b82881751c7..607d7adcfcc 100644 --- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml +++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml @@ -39,7 +39,7 @@ of these files can occur during an intrusion, or as part of a post-intrusion pro footprint. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "endgame-*"] +index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*"] language = "eql" license = "Elastic License v2" name = "Process Termination followed by Deletion"
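Review bot: Removing `endgame-*` from `index` drops coverage for hosts that report only through that data stream, and neither the subject line nor the hunk records why; if the reason is that fields the query relies on, such as `process.code_signature.*`, are not populated in Endgame data, the commit message should say so. Any other rule metadata that still refers to Endgame (setup or false-positive text, for example) lies outside this hunk and should be checked for a matching update.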