w0rk3r
commented
2 years ago Remove Windows Integration & Winlogbeat support:
Solved in #1773
- Connection to Commonly Abused Web Services
- Network Logon Provider Registry Modification -> Remove Sysmon support as the integration fails to parse the registry strings.
- External IP Lookup from Non-Browser Process
- Service Control Spawned via Script Interpreter
- Startup or Run Key Registry Modification
- Potential LSA Authentication Package Abuse
- Potential Port Monitor or Print Processor Registration Abuse -> Remove Sysmon support as the integration fails to parse the registry strings.
Modified to use Integrity fields instead of user.id:
Solved in #1772
- Net command via SYSTEM account -> Solved in #1769
- Network Connection via Registration Utility
- Local Scheduled Task Creation
- Potential Privilege Escalation via InstallerFileTakeOver
- Unusual Print Spooler Child Process
Use user.name on the sequence instead of user.id:
Solved in #1771
- Potential Command and Control via Internet Explorer
Description
Rules that support sysmon and uses the
user.idfield are prone to FPs and FNs because sysmon don't really haveuser.iddata, as per this screenshot as an example:The SID is not related to the user that created the process. But it is part of the event metadata:
Rules that uses the user.id field and supports sysmon:
Actions that we could take to fix the problem:
A. use (process.Ext.token.integrity_level_name : "System" or winlog.event_data.IntegrityLevel : "System")
B. use user.name or an alternative field
C. remove beats and windows integration indexes (support)