elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[UEBA] Discovery Windows DR Performance Analysis #3093

Closed Aegrah closed 1 year ago

Aegrah commented 1 year ago

Summary

This issue is used to compile a list of Windows Discovery-related detection rules that can be leveraged as part of the "UEBA - Discovery - Unusual Discovery Activity from User". This list will, if necessary, be tuned/redesigned/converted to new_terms to reduce FPs while maintaining TP detection rate. These rules will then be shipped as a "UEBA Discovery" pack for telemetry gathering / evaluation.

Approach

  1. Identify a list of useful Windows discovery detection rules.
  2. Analyse the previously compiled list for TPs/FPs, and evaluate performance.
  3. Based on performance evaluation:
    • In case of many FPs --> tune if possible. If tuning is not possible, redesign/convert to new_terms and potentially BBR.
    • In case of few FPs --> leave rule as-is.
  4. Create new detection rules to fill in potential discovery gaps.
  5. Add new tag to all rules related to UEBA Discovery package.
  6. Add overall threshold rule to query this new pack.
Aegrah commented 1 year ago

Looping through our detection rules:

#!/bin/bash

# Find all rule files whose name starts with "discovery_" and ends in ".toml".
# -print0 together with read -d '' keeps paths containing spaces intact.
find /Users/ruben/Documents/GitHub/detection-rules/ -type f -name "discovery_*.toml" -print0 |
while IFS= read -r -d '' file; do
  # Keep only rules whose "tags = " line contains "OS: Windows"
  if grep -q -E '^tags =.*OS: Windows' "$file" 2>/dev/null; then
    # Extract the first "name" and "rule_id" values (the text after "= ")
    name=$(grep -m 1 -E '^name =' "$file" | awk -F'= ' '{print $2}')
    rule_id=$(grep -m 1 -E '^rule_id =' "$file" | awk -F'= ' '{print $2}')

    # Extract the filename without the path
    filename=$(basename "$file")

    echo "File: $filename"
    echo "Name: $name"
    echo "Rule ID: $rule_id"

    # Add a new line after each hit
    echo
  fi
done

Output:

File: discovery_win_network_connections.toml
Name: "Windows System Network Connections Discovery"
Rule ID: "c4e9ed3e-55a2-4309-a012-bc3c78dad10a"

File: discovery_generic_process_discovery.toml
Name: "Process Discovery Using Built-in Tools"
Rule ID: "4982ac3e-d0ee-4818-b95d-d9522d689259"

File: discovery_net_share_discovery_winlog.toml
Name: "Potential Network Share Discovery"
Rule ID: "b2318c71-5959-469a-a3ce-3a0768e63b9c"

File: discovery_generic_account_groups.toml
Name: "Windows Account or Group Discovery"
Rule ID: "089db1af-740d-4d84-9a5b-babd6de143b0"

File: discovery_windows_system_information_discovery.toml
Name: "Windows System Information Discovery"
Rule ID: "51176ed2-2d90-49f2-9f3d-17196428b169"

File: discovery_internet_capabilities.toml
Name: "Discovery of Internet Capabilities via Built-in Tools"
Rule ID: "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db"

File: discovery_posh_password_policy.toml
Name: "PowerShell Script with Password Policy Discovery Capabilities"
Rule ID: "fe25d5bc-01fa-494a-95ff-535c29cc4c96"

File: discovery_posh_generic.toml
Name: "PowerShell Script with Discovery Capabilities"
Rule ID: "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be"

File: discovery_generic_registry_query.toml
Name: "Query Registry using Built-in Tools"
Rule ID: "ded09d02-0137-4ccc-8005-c45e617e8d4c"

File: discovery_command_system_account.toml
Name: "Account Discovery Command via SYSTEM Account"
Rule ID: "2856446a-34e6-435b-9fb5-f8f040bfa7ed"

File: discovery_group_policy_object_discovery.toml
Name: "Group Policy Discovery via Microsoft GPResult Utility"
Rule ID: "94a401ba-4fa2-455c-b7ae-b6e037afc0b7"

File: discovery_enumerating_domain_trusts_via_dsquery.toml
Name: "Enumerating Domain Trusts via DSQUERY.EXE"
Rule ID: "06a7a03c-c735-47a6-a313-51c354aef6c3"

File: discovery_post_exploitation_external_ip_lookup.toml
Name: "External IP Lookup from Non-Browser Process"
Rule ID: "1d72d014-e2ab-4707-b056-9b96abe7b511"

File: discovery_system_service_discovery.toml
Name: "System Service Discovery through built-in Windows Utilities"
Rule ID: "e0881d20-54ac-457f-8733-fe0bc5d44c55"

File: discovery_enumerating_domain_trusts_via_nltest.toml
Name: "Enumerating Domain Trusts via NLTEST.EXE"
Rule ID: "84da2554-e12a-11ec-b896-f661ea17fbcd"

File: discovery_admin_recon.toml
Name: "Enumeration of Administrator Accounts"
Rule ID: "871ea072-1b71-4def-b016-6278b505138d"

File: discovery_system_time_discovery.toml
Name: "System Time Discovery"
Rule ID: "06568a02-af29-4f20-929c-f3af281e41aa"

File: discovery_privileged_localgroup_membership.toml
Name: "Enumeration of Privileged Local Groups Membership"
Rule ID: "291a0de9-937a-4189-94c0-3e847c8b13e4"

File: discovery_posh_invoke_sharefinder.toml
Name: "PowerShell Share Enumeration Script"
Rule ID: "4c59cff1-b78a-41b8-a9f1-4231984d1fb6"

File: discovery_peripheral_device.toml
Name: "Peripheral Device Discovery"
Rule ID: "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4"

File: discovery_net_view.toml
Name: "Windows Network Enumeration"
Rule ID: "7b8bfc26-81d2-435e-965c-d722ee397ef1"

File: discovery_adfind_command_activity.toml
Name: "AdFind Command Activity"
Rule ID: "eda499b8-a073-4e35-9733-22ec71f57f3a"

File: discovery_whoami_command_activity.toml
Name: "Whoami Process Activity"
Rule ID: "ef862985-3f13-4262-a686-5f357bbb9bc2"

File: discovery_remote_system_discovery_commands_windows.toml
Name: "Remote System Discovery Commands"
Rule ID: "0635c542-1b96-4335-9b47-126582d2c19a"

File: discovery_security_software_wmic.toml
Name: "Security Software Discovery using WMIC"
Rule ID: "6ea55c81-e2ba-42f2-a134-bccf857ba922"

File: discovery_files_dir_systeminfo_via_cmd.toml
Name: "System Information Discovery via Windows Command Shell"
Rule ID: "d68e95ad-1c82-4074-a12a-125fe10ac8ba"

File: discovery_posh_suspicious_api_functions.toml
Name: "PowerShell Suspicious Discovery Related Windows API Functions"
Rule ID: "61ac3638-40a3-44b2-855a-985636ca985e"
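A more robust way to run the same enumeration, added here as an example and not code from the elastic/detection-rules project: parse each rule file as TOML instead of grepping for a single `tags =` line, so a tags array that is spread across several lines is still matched, and the name and rule_id come out unquoted. The three rule files below are constructed for the example (placeholder rule_ids, not rules from the repository), and the `tomli` fallback import is an assumption for interpreters older than Python 3.11.

```python
"""Enumerate Windows-tagged discovery rules by parsing rule TOML (added example)."""
import re

try:
    import tomllib  # standard library from Python 3.11
except ModuleNotFoundError:  # assumption: the 'tomli' backport is installed on older interpreters
    import tomli as tomllib

# Constructed rule files keyed by filename. The second one spreads its tags
# array over several lines, which a one-line '^tags =.*OS: Windows' grep misses.
SAMPLE_RULES = {
    "discovery_example_one.toml": '''
[metadata]
creation_date = "2023/01/01"

[rule]
name = "Example One-Line Tags"
rule_id = "00000000-0000-4000-8000-000000000001"
tags = ["Domain: Endpoint", "OS: Windows", "Tactic: Discovery"]
type = "eql"
''',
    "discovery_example_two.toml": '''
[rule]
name = "Example Multi-Line Tags"
rule_id = "00000000-0000-4000-8000-000000000002"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Tactic: Discovery",
]
type = "eql"
''',
    "discovery_example_linux.toml": '''
[rule]
name = "Example Linux Rule"
rule_id = "00000000-0000-4000-8000-000000000003"
tags = ["Domain: Endpoint", "OS: Linux", "Tactic: Discovery"]
type = "eql"
''',
}


def parse_rule(text):
    """Return name, rule_id and tags from the [rule] table of one rule file."""
    rule = tomllib.loads(text)["rule"]
    return {"name": rule["name"], "rule_id": rule["rule_id"], "tags": rule.get("tags", [])}


def windows_rules(files, os_tag="OS: Windows", prefix="discovery_"):
    """Return [(filename, name, rule_id)] for discovery rules carrying the OS tag."""
    hits = []
    for fname, text in sorted(files.items()):
        if not fname.startswith(prefix):
            continue
        rule = parse_rule(text)
        if os_tag in rule["tags"]:
            hits.append((fname, rule["name"], rule["rule_id"]))
    return hits


def grep_style_hits(files):
    """Mimic the one-line grep for contrast: only single-line tags arrays match."""
    return sorted(fname for fname, text in files.items()
                  if re.search(r"^tags =.*OS: Windows", text, re.M))


if __name__ == "__main__":
    for fname, name, rule_id in windows_rules(SAMPLE_RULES):
        print(f"File: {fname}\nName: {name}\nRule ID: {rule_id}\n")
```

Run against a checkout, the same functions apply unchanged: build the `files` mapping from `pathlib.Path(repo).rglob("discovery_*.toml")` and the file contents, and compare `windows_rules` with `grep_style_hits` to see which rules a line-oriented grep would have dropped.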
Aegrah commented 1 year ago
| Rule Name | Rule ID | Tune | Comment |
| --- | --- | --- | --- |
| Windows System Network Connections Discovery | c4e9ed3e-55a2-4309-a012-bc3c78dad10a | Yes | 19k hits in 7 days. Convert to new_terms, perfect candidate --> will not require complicated exclusions. |
| Process Discovery Using Built-in Tools | 4982ac3e-d0ee-4818-b95d-d9522d689259 | Yes | Need to talk about performance, could be good new_terms with user.name & process.args combination. |
| Potential Network Share Discovery | b2318c71-5959-469a-a3ce-3a0768e63b9c | Yes | 280k hits in the last 7 days. |
| Windows Account or Group Discovery | 089db1af-740d-4d84-9a5b-babd6de143b0 | Yes | new_terms on user.name & process.command_line |
| Windows System Information Discovery | 51176ed2-2d90-49f2-9f3d-17196428b169 | Yes | new_terms on user.name & process.command_line |
| Discovery of Internet Capabilities via Built-in Tools | 7f89afef-9fc5-4e7b-bf16-75ffdf27f8db | Yes | new_terms on user.name & process.command_line |
| PowerShell Script with Password Policy Discovery Capabilities | fe25d5bc-01fa-494a-95ff-535c29cc4c96 | No | |
| PowerShell Script with Discovery Capabilities | 1e0a3f7c-21e7-4bb1-98c7-2036612fb1be | Yes | Very noisy. Could be converted to new_terms on user.name & process.command_line. Not sure if this would be enough for this rule to stop generating noise. |
| Query Registry using Built-in Tools | ded09d02-0137-4ccc-8005-c45e617e8d4c | Yes | Could be converted to new_terms on user.name & process.parent.command_line. |
| Account Discovery Command via SYSTEM Account | 2856446a-34e6-435b-9fb5-f8f040bfa7ed | Debatable | Might be good to add a new new_terms rule for UEBA instead. |
| Group Policy Discovery via Microsoft GPResult Utility | 94a401ba-4fa2-455c-b7ae-b6e037afc0b7 | No | Good as-is. |
| Enumerating Domain Trusts via DSQUERY.EXE | 06a7a03c-c735-47a6-a313-51c354aef6c3 | No | 0 hits, should be merged with the NLTEST.EXE rule |
| External IP Lookup from Non-Browser Process | 1d72d014-e2ab-4707-b056-9b96abe7b511 | Yes | Convert to new_terms on process.executable and user.name |
| System Service Discovery through built-in Windows Utilities | e0881d20-54ac-457f-8733-fe0bc5d44c55 | Yes | Convert to new_terms to reduce noise, could leverage user.name & process.command_line |
| Enumerating Domain Trusts via NLTEST.EXE | 84da2554-e12a-11ec-b896-f661ea17fbcd | No | Rule is good, not a lot of noise. Can be combined with the DSQUERY.EXE rule |
| Enumeration of Administrator Accounts | 871ea072-1b71-4def-b016-6278b505138d | Debatable | This one could work as-is, but could end up generating noise for the UEBA model due to baseline behavior. Could choose to convert, think I would vote for conversion. |
| System Time Discovery | 06568a02-af29-4f20-929c-f3af281e41aa | No | Good results after excluding the system user |
| Enumeration of Privileged Local Groups Membership | 291a0de9-937a-4189-94c0-3e847c8b13e4 | Yes | Should be converted, way too noisy. |
| PowerShell Share Enumeration Script | 4c59cff1-b78a-41b8-a9f1-4231984d1fb6 | No | Seems to be limited hits, should be fine. |
| Peripheral Device Discovery | 0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4 | No | Limited hits, only TPs. |
| Windows Network Enumeration | 7b8bfc26-81d2-435e-965c-d722ee397ef1 | Debatable | Could work as DR, with some additional tuning. Could also work as new_terms, with unique user.name and potentially command line |
| AdFind Command Activity | eda499b8-a073-4e35-9733-22ec71f57f3a | No | Rule is good, no FPs |
| Whoami Process Activity | ef862985-3f13-4262-a686-5f357bbb9bc2 | Yes | Could either choose to keep this one + the system whoami one and create a third new_terms rule to ensure it only triggers on new users. Otherwise it will be too noisy for UEBA. |
| Remote System Discovery Commands | 0635c542-1b96-4335-9b47-126582d2c19a | Yes | Either a lot of exclusions or conversion to new_terms would work |
| Security Software Discovery using WMIC | 6ea55c81-e2ba-42f2-a134-bccf857ba922 | Yes | Could work with some additional tuning, or convert to new_terms. |
| System Information Discovery via Windows Command Shell | d68e95ad-1c82-4074-a12a-125fe10ac8ba | Yes | This one has to be converted to new_terms, way too noisy. |
| PowerShell Suspicious Discovery Related Windows API Functions | 61ac3638-40a3-44b2-855a-985636ca985e | Yes | Either new_terms or a lot of tuning. Would be a good new_terms candidate though. |
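Most of the "Tune" rows above propose converting a query rule into a new_terms rule keyed on user.name (alone or combined with process.command_line). The script below, an added example that is not part of this issue or of the detection-rules project, simulates that conversion over a handful of constructed process events so the noise reduction is concrete: a plain query rule fires on every matching event, whereas the simulated new_terms rule fires only when the chosen field combination has not been seen in the preceding history window. The semantics are simplified on purpose (the real rule type evaluates term combinations per rule execution against a history_window_start such as now-7d and supports up to three fields); here "new" means no earlier event with the same combination inside `HISTORY_WINDOW`, and the events, user names and command lines are constructed.

```python
"""Simplified simulation of a new_terms rule over process events (added example)."""
from datetime import datetime, timedelta

# Mirrors a history window of seven days (assumption: the rule's history_window_start = "now-7d").
HISTORY_WINDOW = timedelta(days=7)

# Constructed sample events (not real telemetry). svc_monitor runs "net user"
# daily as baseline behaviour; alice runs account discovery once.
EVENTS = [
    {"ts": "2023-09-01T08:00:00", "user.name": "svc_monitor", "process.command_line": "net user"},
    {"ts": "2023-09-02T08:00:00", "user.name": "svc_monitor", "process.command_line": "net user"},
    {"ts": "2023-09-03T08:00:00", "user.name": "svc_monitor", "process.command_line": "net user"},
    {"ts": "2023-09-03T09:15:00", "user.name": "alice", "process.command_line": "net user"},
    {"ts": "2023-09-03T09:16:00", "user.name": "alice", "process.command_line": "net localgroup administrators"},
    # Same baseline job again, but after a gap longer than the history window.
    {"ts": "2023-09-15T08:00:00", "user.name": "svc_monitor", "process.command_line": "net user"},
]


def query_rule_alerts(events):
    """A plain query rule: every event that matches the query becomes an alert."""
    return list(events)


def new_terms_alerts(events, fields, history_window=HISTORY_WINDOW):
    """Alert only when the combination of `fields` has not occurred within `history_window`.

    Tracking the most recent prior occurrence is enough: if that one falls outside
    the window, every earlier occurrence does too.
    """
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = tuple(ev.get(f) for f in fields)
        prev = last_seen.get(key)
        if prev is None or ts - prev > history_window:
            alerts.append(ev)
        last_seen[key] = ts
    return alerts


def alert_counts(events):
    """Compare the three designs discussed in the triage table."""
    return {
        "query_rule": len(query_rule_alerts(events)),
        "new_terms_user": len(new_terms_alerts(events, ("user.name",))),
        "new_terms_user_cmd": len(new_terms_alerts(events, ("user.name", "process.command_line"))),
    }


if __name__ == "__main__":
    for design, count in alert_counts(EVENTS).items():
        print(f"{design}: {count} alerts")
    for ev in new_terms_alerts(EVENTS, ("user.name", "process.command_line")):
        print(f"  new term: {ev['user.name']!r} ran {ev['process.command_line']!r} at {ev['ts']}")
```

On this input the query rule yields 6 alerts, new_terms on user.name alone yields 3, and new_terms on user.name plus process.command_line yields 4: the daily service account job collapses to a single alert per window, alice's first-seen activity still alerts, and the command-line field keeps alice's second, different command visible where the user-only variant would have suppressed it. That trade-off is exactly the choice the table makes rule by rule between user.name and user.name & process.command_line.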
Aegrah commented 1 year ago

This issue is no longer needed, tuning has finished.