Skip to content

Commit fe89e69

Browse files
w0rk3rw0rk3r
committed
[Rule Tuning] Direct Outbound SMB Connection
1 parent e0bdb59 commit fe89e69

File tree

1 file changed

+4
-10
lines changed

1 file changed

+4
-10
lines changed

rules/windows/lateral_movement_direct_outbound_smb_connection.toml

+4-10
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
44
maturity = "production"
55
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
66
min_stack_version = "8.3.0"
7-
updated_date = "2024/01/03"
7+
updated_date = "2024/01/22"
88

99
[transform]
1010
[[transform.osquery]]
@@ -41,7 +41,7 @@ connections are established by the kernel. Processes making 445/tcp connections
4141
suspicious user-level processes moving laterally.
4242
"""
4343
from = "now-9m"
44-
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
44+
index = ["logs-endpoint.events.*"]
4545
language = "eql"
4646
license = "Elastic License v2"
4747
name = "Direct Outbound SMB Connection"
@@ -104,14 +104,8 @@ query = '''
104104
sequence by process.entity_id with maxspan=2m
105105
[process where host.os.type == "windows" and event.type == "start" and process.pid != 4 and
106106
not user.id : ("S-1-5-19", "S-1-5-20") and
107-
not (process.code_signature.trusted == true and not process.code_signature.subject_name : ("Famatech Corp.", "Insecure.Com LLC")) and
108-
not (process.name : "powershell.exe" and process.args : "?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_*.ps1") and
109-
not (process.executable : "?:\\EnterpriseCare\\tools\\*\\bin\\java.exe" and process.args : "com.*.launcher.Invoker") and
110-
not (process.executable : "?:\\Docusnap*\\Tools\\*\\nmap.exe" and process.args : "smb-os-discovery.nse") and
111-
not process.executable :
112-
("?:\\Program Files\\*.exe",
113-
"?:\\Program Files (x86)\\*.exe",
114-
"?:\\Windows\\ProPatches\\Installation\\InstallationSandbox*\\stdeploy.exe")]
107+
not (process.code_signature.trusted == true and not process.code_signature.subject_name : "Microsoft *") and
108+
not (process.name : "powershell.exe" and process.args : "?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_*.ps1")]
115109
[network where host.os.type == "windows" and destination.port == 445 and process.pid != 4 and
116110
not cidrmatch(destination.ip, "127.0.0.1", "::1")]
117111
until [process where host.os.type == "windows" and event.type == "end"]

0 commit comments

Comments
 (0)