[New Rule] Building Block Rules - Part 3 (#2924)

* [New Rule] Building Block Rules - Part 3

* Update defense_evasion_generic_deletion.toml

* Update defense_evasion_generic_deletion.toml

* Update defense_evasion_generic_deletion.toml

* Apply suggestions from code review

* Update rules_building_block/discovery_generic_account_groups.toml

* Apply suggestions from code review

---------

Co-authored-by: Colson Wilhoit <[email protected]>

(cherry picked from commit 6966a6d)

Author: w0rk3r

rules_building_block/defense_evasion_generic_deletion.toml

@@ -0,0 +1,58 @@
+[metadata]
+creation_date = "2023/07/13"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/13"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule identifies the execution of commands that can be used to delete files and directories. Adversaries may delete
+files and directories on a host system, such as logs, browser history, or malware.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "File or Directory Deletion Command"
+risk_score = 21
+rule_id = "5919988c-29e1-4908-83aa-1f087a838f63"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and 
+(
+  (process.name: "rundll32.exe" and process.args: "*InetCpl.cpl,Clear*") or 
+  (process.name: "reg.exe" and process.args:"delete") or 
+  (
+    process.name: "cmd.exe" and process.args: ("*rmdir*", "*rm *", "rm") and
+    not process.args : ("*\\AppData\\Local\\Microsoft\\OneDrive\\*", "*\\AppData\\Local\\Temp\\DockerDesktop\\*")
+  ) or
+  (process.name: "powershell.exe" and process.args: ("*rmdir", "rm", "rd", "*Remove-Item*", "del", "*]::Delete(*"))
+) and not user.id : "S-1-5-18"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1070"
+name = "Indicator Removal"
+reference = "https://attack.mitre.org/techniques/T1070/"
+[[rule.threat.technique.subtechnique]]
+id = "T1070.004"
+name = "File Deletion"
+reference = "https://attack.mitre.org/techniques/T1070/004/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"

rules_building_block/discovery_generic_account_groups.toml

@@ -0,0 +1,91 @@
+[metadata]
+creation_date = "2023/07/13"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/13"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule identifies the execution of commands that enumerates account or group information. Adversaries may use
+built-in applications to get a listing of local system or domain accounts and groups.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Windows Account or Group Discovery"
+risk_score = 21
+rule_id = "089db1af-740d-4d84-9a5b-babd6de143b0"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+(
+  (
+   (
+    (process.name : "net.exe" or process.pe.original_file_name == "net.exe") or
+    (
+     (process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and
+     not process.parent.name : "net.exe"
+    )
+   ) and process.args : ("group", "user", "localgroup") and not process.args : "/add"
+  ) or
+  (process.name:("dsquery.exe", "dsget.exe") and process.args:("*members*", "user")) or
+  (process.name:"dsquery.exe" and process.args:"*filter*") or
+  process.name:("quser.exe", "qwinsta.exe", "PsGetSID.exe", "PsLoggedOn.exe", "LogonSessions.exe", "whoami.exe") or
+  (
+    process.name: "cmd.exe" and
+    (
+      process.args : "echo" and process.args : (
+        "%username%", "%userdomain%", "%userdnsdomain%",
+        "%userdomain_roamingprofile%", "%userprofile%",
+        "%homepath%", "%localappdata%", "%appdata%"
+      ) or
+      process.args : "set"
+    )
+  )
+) and not user.id : "S-1-5-18"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1069"
+name = "Permission Groups Discovery"
+reference = "https://attack.mitre.org/techniques/T1069/"
+[[rule.threat.technique.subtechnique]]
+id = "T1069.001"
+name = "Local Groups"
+reference = "https://attack.mitre.org/techniques/T1069/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1069.002"
+name = "Domain Groups"
+reference = "https://attack.mitre.org/techniques/T1069/002/"
+
+[[rule.threat.technique]]
+id = "T1087"
+name = "Account Discovery"
+reference = "https://attack.mitre.org/techniques/T1087/"
+[[rule.threat.technique.subtechnique]]
+id = "T1087.001"
+name = "Local Account"
+reference = "https://attack.mitre.org/techniques/T1087/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1087.002"
+name = "Domain Account"
+reference = "https://attack.mitre.org/techniques/T1087/002/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"

rules_building_block/discovery_generic_process_discovery.toml

@@ -0,0 +1,53 @@
+[metadata]
+creation_date = "2023/07/13"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/13"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule identifies the execution of commands that can be used to enumerate running processes. Adversaries may
+enumerate processes to identify installed applications and security solutions.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Process Discovery Using Built-in Tools"
+risk_score = 21
+rule_id = "4982ac3e-d0ee-4818-b95d-d9522d689259"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+  (
+   process.name == "reg.exe" and process.args : "query" or
+   (process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and
+    (process.args: ("*Get-ChildItem*", "*Get-Item*", "*Get-ItemProperty*") and
+     process.args : (
+      "*HKLM*", "*HKCU*", "*HKEY_LOCAL_MACHINE*", "*HKEY_CURRENT_USER*", "Registry::"
+   )))
+  )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1057"
+name = "Process Discovery"
+reference = "https://attack.mitre.org/techniques/T1057/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"

rules_building_block/discovery_generic_registry_query.toml

@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2023/07/13"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/13"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule identifies the execution of commands that can be used to query the Windows Registry. Adversaries may query the
+registry to gain situational awareness about the host, like installed security software, programs and settings.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Query Registry using Built-in Tools"
+risk_score = 21
+rule_id = "ded09d02-0137-4ccc-8005-c45e617e8d4c"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+(
+  (
+    process.name == "reg.exe" and process.args : "query" and
+    not process.parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")
+  ) or
+  (
+    process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and
+     (process.args: ("*Get-ChildItem*", "*Get-Item*", "*Get-ItemProperty*") and
+      process.args : ("*HKLM*", "*HKCU*", "*HKEY_LOCAL_MACHINE*", "*HKEY_CURRENT_USER*", "*Registry::*"))
+  )
+) and not user.id : "S-1-5-18"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1012"
+name = "Query Registry"
+reference = "https://attack.mitre.org/techniques/T1012/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"

rules_building_block/execution_unsigned_service_executable.toml

@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2023/07/14"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule identifies the execution of unsigned executables via service control manager (SCM). Adversaries may abuse SCM
+to execute malware or escalate privileges.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Execution of an Unsigned Service"
+risk_score = 21
+rule_id = "56fdfcf1-ca7c-4fd9-951d-e215ee26e404"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+( 
+  (
+    process.parent.executable : "C:\\Windows\\System32\\services.exe" and
+    (process.code_signature.exists == false or process.code_signature.trusted == false)
+  )
+)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1569"
+name = "System Services"
+reference = "https://attack.mitre.org/techniques/T1569/"
+[[rule.threat.technique.subtechnique]]
+id = "T1569.002"
+name = "Service Execution"
+reference = "https://attack.mitre.org/techniques/T1569/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"