[Rule Tuning] Adapt Rules to work with Sysmon (#4480)

w0rk3r · web-flow · commit bc3e12da3896 · 2025-02-25T09:54:18.000-03:00
* [Rule Tuning] Remove Sysmon from rules that would never trigger based on its events

* bump updated_date

* Update rules/windows/lateral_movement_incoming_wmi.toml

* Update Logic to support sysmon data

* Update command_and_control_tool_transfer_via_curl.toml
diff --git a/rules/windows/command_and_control_tool_transfer_via_curl.toml b/rules/windows/command_and_control_tool_transfer_via_curl.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/03"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/22"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -75,19 +75,35 @@ tags = [
     "Data Source: Elastic Defend",
     "Data Source: Windows Security Event Logs",
     "Data Source: Microsoft Defender for Endpoint",
-    "Data Source: Sysmon",
     "Data Source: SentinelOne",
     "Data Source: Crowdstrike",
+    "Data Source: Sysmon",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where host.os.type == "windows" and event.type == "start" and user.id != "S-1-5-18" and
- process.executable : ("?:\\Windows\\System32\\curl.exe", "?:\\Windows\\SysWOW64\\curl.exe") and
- process.command_line : "*http*" and
- process.parent.name : ("cmd.exe", "powershell.exe", "rundll32.exe", "explorer.exe", "conhost.exe", "forfiles.exe", "wscript.exe", "cscript.exe", "mshta.exe", "hh.exe", "mmc.exe")
+process where host.os.type == "windows" and event.type == "start" and
+  process.executable : (
+    "?:\\Windows\\System32\\curl.exe",
+    "?:\\Windows\\SysWOW64\\curl.exe"
+  ) and
+  process.command_line : "*http*" and
+  process.parent.name : (
+    "cmd.exe", "powershell.exe",
+    "rundll32.exe", "explorer.exe",
+    "conhost.exe", "forfiles.exe",
+    "wscript.exe", "cscript.exe",
+    "mshta.exe", "hh.exe", "mmc.exe"
+  ) and 
+  not (
+    user.id == "S-1-5-18" and
+    /* Don't apply the user.id exclusion to Sysmon for compatibility */
+    not event.dataset : ("windows.sysmon_operational", "windows.sysmon")
+  ) and
+  /* Exclude System Integrity Processes for Sysmon */
+  not ?winlog.event_data.IntegrityLevel == "System"
 '''
 
 
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/05/31"
 integration = ["endpoint", "windows", "system", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/22"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -81,8 +81,8 @@ tags = [
     "Data Source: Elastic Defend",
     "Data Source: Windows Security Event Logs",
     "Data Source: Microsoft Defender for Endpoint",
-    "Data Source: Sysmon",
     "Data Source: Crowdstrike",
+    "Data Source: Sysmon",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -94,8 +94,12 @@ process where host.os.type == "windows" and event.type == "start" and
         "/LSAQUERYFTI:*", "/PARENTDOMAIN",
         "/DOMAIN_TRUSTS", "/BDC_QUERY:*"
         ) and 
-not process.parent.name : "PDQInventoryScanner.exe" and 
-not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20")
+not process.parent.name : "PDQInventoryScanner.exe" and
+not (
+  user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
+  /* Don't apply the user.id exclusion to Sysmon for compatibility */
+  not event.dataset : ("windows.sysmon_operational", "windows.sysmon")
+)
 '''
 
 
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "system", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/22"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -75,8 +75,8 @@ tags = [
     "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend",
     "Data Source: Microsoft Defender for Endpoint",
-    "Data Source: Windows Security Event Logs",
     "Data Source: Sysmon",
+    "Data Source: Windows Security Event Logs"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -87,9 +87,15 @@ process where host.os.type == "windows" and event.type == "start" and process.na
   (
     /* scoped for whoami execution under system privileges */
     (
-      user.domain : ("NT *", "* NT", "IIS APPPOOL") and
-      user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20", "S-1-5-82-*") and
-      not ?winlog.event_data.SubjectUserName : "*$"
+      (
+        user.domain : ("NT *", "* NT", "IIS APPPOOL") and
+        user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20", "S-1-5-82-*") and
+        not ?winlog.event_data.SubjectUserName : "*$" and
+
+        /* Sysmon will always populate user.id as S-1-5-18, leading to FPs */
+        not event.dataset : ("windows.sysmon_operational", "windows.sysmon")
+      ) or
+      (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System")
     ) and
     not (
       process.parent.name : "cmd.exe" and
diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/15"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/22"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -13,12 +13,7 @@ Identifies processes executed via Windows Management Instrumentation (WMI) on a
 adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.
 """
 from = "now-9m"
-index = [
-    "logs-endpoint.events.process-*",
-    "logs-endpoint.events.network-*",
-    "winlogbeat-*",
-    "logs-windows.sysmon_operational-*",
-]
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "WMI Incoming Lateral Movement"
@@ -49,7 +44,11 @@ sequence by host.id with maxspan = 2s
 
   [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "WmiPrvSE.exe" and
    not (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") and
-   not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
+   not (
+         user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
+         /* Don't apply the user.id exclusion to Sysmon for compatibility */
+         not event.dataset : ("windows.sysmon_operational", "windows.sysmon")
+   ) and
    not process.executable :
                ("?:\\Program Files\\HPWBEM\\Tools\\hpsum_swdiscovery.exe",
                 "?:\\Windows\\CCM\\Ccm32BitLauncher.exe",
