[Rule Tuning] Exclude MS OneDrive/Teams from Component Object Model H…

…ijacking (elastic#1932)

* adjusted query to exclude OneDrive process name and MS Teams DLL reference in registry data strings

* adjusted formatting for altered query

* removed unecessary string used for reference

* removed unecessary parenthesis from new filters in query

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

Co-authored-by: Jonhnathan <[email protected]>

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

Co-authored-by: Jonhnathan <[email protected]>

* added FileSyncConfig.exe for OneDrive, added regsvr32 to Teams DLL filter

* added investigation notes

* removed comment from original rule creation

Co-authored-by: Jonhnathan <[email protected]>
Co-authored-by: Colson Wilhoit <[email protected]>

rules/windows/persistence_suspicious_com_hijack_registry.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/02/14"
+updated_date = "2022/04/20"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,48 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Component Object Model Hijacking"
+note = """## Triage and analysis
+
+### Investigating Component Object Model Hijacking
+
+Adversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree).
+- Identify the user account that performed the action.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Check for similar behavior in other hosts on the environment.
+- Retrieve the file referenced in the registry and determine if it is malicious:
+  - Use a private sandboxed malware analysis system to perform analysis.
+    - Observe and collect information about the following activities:
+      - Attempts to contact external domains and addresses.
+      - File and registry access, modification, and creation activities.
+      - Service creation and launch activities.
+      - Scheduled tasks creation.
+  - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
+    - Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+
+### False positive analysis
+
+- Some Microsoft executables will reference the LocalServer32 registry key value for the location of external COM objects.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+  - Implement any temporary network rules, procedures, and segmentation required to contain the malware.
+  - Immediately block the IoCs identified.
+- Remove and block malicious artifacts identified on the triage.
+- Disable the involved accounts, or restrict their ability to log on remotely.
+- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
+
+
+## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
     "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/",
 ]
@@ -26,7 +68,6 @@ type = "eql"
 
 query = '''
 registry where
- /* uncomment once length is stable length(bytes_written_string) > 0 and */
  (registry.path : "HK*}\\InprocServer32\\" and registry.data.strings: ("scrobj.dll", "C:\\*\\scrobj.dll") and
  not registry.path : "*\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\*") 
  or
@@ -39,7 +80,13 @@ registry where
  not (process.executable : "?:\\Program Files*\\Veeam\\Backup and Replication\\Console\\veeam.backup.shell.exe" and
       registry.path : "HKEY_USERS\\S-1-5-21-*_Classes\\CLSID\\*\\LocalServer32\\") and
  /* not necessary but good for filtering privileged installations */
- user.domain != "NT AUTHORITY")
+ user.domain != "NT AUTHORITY"
+ ) and
+ /* removes false-positives generated by OneDrive and Teams */
+ not process.name : ("OneDrive.exe","OneDriveSetup.exe","FileSyncConfig.exe","Teams.exe") and
+ /* Teams DLL loaded by regsvr */
+ not (process.name: "regsvr32.exe" and
+ registry.data.strings : "*Microsoft.Teams.*.dll")
 '''