
[Rule Tuning] Direct Outbound SMB Connection #3400

Merged
merged 2 commits into from
Jan 23, 2024

Conversation

w0rk3r
Contributor

@w0rk3r w0rk3r commented Jan 23, 2024

Summary

  • Drops Sysmon support as we are using process code signature fields.
  • Limits the query to unsigned or MS-signed executables.

@w0rk3r w0rk3r added Rule: Tuning tweaking or tuning an existing rule OS: Windows windows related rules Domain: Endpoint backport: auto labels Jan 23, 2024
@w0rk3r w0rk3r self-assigned this Jan 23, 2024
Contributor

@terrancedejesus terrancedejesus left a comment


Tuning looks good.

  • We removed the compatibility with the Windows integration.
  • We removed the index searches for Winlogbeat and Windows integration; this should reduce the doc counts and searches in general, hopefully increasing performance of the rule at execution time.
  • After conversation with @w0rk3r and @Samirbous, the goal of not (process.code_signature.trusted == true and not process.code_signature.subject_name : "Microsoft *") is to capture unsigned executables + MS LOLbins (inherently signed).

The approach is to capture all potentially signed MS LOLbins sending direct outbound SMB connections. If this is too broad, performance-wise, we can revisit in an attempt to tune further.
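As an added worked example (not the PR's rule file or the project's own code), the code-signature clause quoted in the comment above is evaluated over constructed process/network events to show which classes of binary it keeps: unsigned, untrusted-signature and Microsoft-signed processes match, while a trusted third-party signature is excluded. The event layout, the sample values and the simplified network clause (outbound to TCP/445 from a process other than pid 4, the Windows System process) are assumptions here, not taken from the page.

```python
import fnmatch

def make_event(name, pid, port, trusted=None, subject=None):
    """Build a minimal ECS-shaped event (constructed sample data, not real telemetry)."""
    sig = {}
    if trusted is not None:
        sig["trusted"] = trusted
    if subject is not None:
        sig["subject_name"] = subject
    return {"name": name, "process": {"pid": pid, "code_signature": sig},
            "destination": {"port": port}}

# Constructed sample events covering each signature class the clause distinguishes.
SAMPLE_EVENTS = [
    make_event("unsigned-tool", 1234, 445),                              # no signature at all
    make_event("ms-lolbin", 2345, 445, True, "Microsoft Windows"),       # trusted, MS-signed
    make_event("ms-upper", 2346, 445, True, "MICROSOFT CORPORATION"),    # case-insensitive match
    make_event("third-party-trusted", 3456, 445, True, "Contoso Ltd"),   # trusted, non-MS: excluded
    make_event("third-party-untrusted", 4567, 445, False, "Contoso Ltd"),# signed but not trusted
    make_event("ms-https", 5678, 443, True, "Microsoft Windows"),        # not SMB: excluded
    make_event("system-smb", 4, 445),                                    # System process: excluded
]

def eql_string_match(value, pattern):
    """EQL ':' on a string field is case-insensitive and treats '*' as a wildcard."""
    if not isinstance(value, str):
        return False
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def signature_clause(event):
    """not (process.code_signature.trusted == true and
            not process.code_signature.subject_name : "Microsoft *")"""
    sig = event["process"].get("code_signature", {})
    trusted = sig.get("trusted") is True
    ms_signed = eql_string_match(sig.get("subject_name"), "Microsoft *")
    return not (trusted and not ms_signed)

def network_clause(event):
    """Assumed network clause (not from the page): TCP/445 from a non-System process."""
    return event["destination"]["port"] == 445 and event["process"]["pid"] != 4

def matching_events(events):
    """Names of the events the combined rule logic would alert on."""
    return [e["name"] for e in events if network_clause(e) and signature_clause(e)]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['name']:24} match={network_clause(e) and signature_clause(e)}")
```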

@w0rk3r w0rk3r merged commit e33389b into main Jan 23, 2024
12 checks passed
@w0rk3r w0rk3r deleted the rt_17 branch January 23, 2024 18:33
protectionsmachine pushed a commit that referenced this pull request Jan 23, 2024
* [Rule Tuning] Direct Outbound SMB Connection

* Update lateral_movement_direct_outbound_smb_connection.toml

(cherry picked from commit e33389b)