Overview of Windows Threats Category

This document provides an overview of the rule sets in the Windows Threats category, the required data sources, and configuration you can use to tune the alerts generated by these rule sets.

Rule sets in the Windows Threats category help identify threats in Windows environments using Endpoint Detection and Response (EDR) logs. This category includes the following rule sets:

  • Crypto Activity: Suspicious cryptocurrency-related activity.
  • Hacktool: Freely available tool that may be deemed suspicious, but may potentially be legitimate depending on the organization's use.
  • Info Stealer: Tools used to steal credentials including passwords, cookies, crypto wallets, and other sensitive credentials.
  • Initial Access: Tools used to gain initial execution on a machine with suspicious behavior.
  • Legitimate but Misused: Legitimate software that is known to be abused for malicious purposes.
  • Named Threat: Behavior associated with a known threat actor.
  • Ransomware: Activity associated with ransomware.
  • Suspicious Behavior: General suspicious behavior.
  • RAT: Tools used to provide remote command and control of network assets.

Supported devices and log types

Rule sets in the Windows Threats category have been tested and are supported with the following Chronicle-supported EDR data sources:

  • Carbon Black (CB_EDR)
  • Microsoft Sysmon (WINDOWS_SYSMON)
  • SentinelOne (SENTINEL_EDR)
  • Crowdstrike Falcon (CS_EDR)

Rule sets in the Windows Threats category are being tested and optimized for the following Chronicle-supported EDR data sources:

  • Tanium
  • Cybereason EDR (CYBEREASON_EDR)
  • Lima Charlie (LIMACHARLIE_EDR)
  • OSQuery
  • Zeek
  • Cylance (CYLANCE_PROTECT)

Contact your Chronicle representative if you are collecting endpoint data using different EDR software.

For a list of all Chronicle-supported data sources, see Supported default parsers.

Required fields needed by Windows Threats category

This section describes the specific data that rule sets in the Windows Threats category need in order to provide the greatest benefit. Make sure that your devices are configured to record the following data to device event logs.

  • Event Timestamp
  • Hostname: Hostname of the system where the EDR software is running.
  • Principal Process: Name of the current process being logged.
  • Principal Process Path: Location on disk of the current running process, if available.
  • Principal Process Command Line: Command line parameters of the process, if available.
  • Target Process: Name of the spawned process being launched by the principal process.
  • Target Process Path: Location on disk of the target process, if available.
  • Target Process Command Line: Command line parameters of the target process, if available.
  • Target Process SHA256 or MD5: Checksum of the target process, if available. This is used to tune alerts.
  • User ID: The username of the principal process.

Tuning alerts returned by Windows Threats category

The Windows Threats category includes a set of reference lists that enable you to control the alerts generated by rule set detections. You define criteria in the reference list that are used to exclude a UDM event from evaluation by the rule set.

All rule sets use the same criteria to exclude events from evaluation; these are:

  • process command line
  • process path
  • target command line
  • file hash
  • target path

However, each rule set has its own set of uniquely named reference lists. For example, Hacktool reference lists only filter Hacktool alerts and will not filter RAT alerts. The Hacktool reference list to exclude events based on process path is gcti__win__hacktool__process_path__exclusion_list whereas the RAT reference list to exclude events based on process path is gcti__win__rat__process_path__exclusion_list.

This section describes each reference list type and provides an example showing how to populate data in that list.

  • Crypto Activity: Reference lists that tune these alerts are named with the following prefix: gcti__win__crypto.
  • Hacktool: Reference lists that tune these alerts are named with the following prefix: gcti__win__hacktool.
  • Info Stealer: Reference lists that tune these alerts are named with the following prefix: gcti__win__info_stealer.
  • Initial Access: Reference lists that tune these alerts are named with the following prefix: gcti__win__initial_access.
  • Legitimate but Misused: Reference lists that tune these alerts are named with the following prefix: gcti__win__legit_but_misused.
  • Named Threat: Reference lists that tune these alerts are named with the following prefix: gcti__win__named_threat.
  • Ransomware: Reference lists that tune these alerts are named with the following prefix: gcti__win__ransomware.
  • RAT: Reference lists that tune these alerts are named with the following prefix: gcti__win__rat.
  • Suspicious Behavior: Reference lists that tune these alerts are named with the following prefix: gcti__win__suspicious_behavior.
Generic name: Process Command Line
Reference list name: `(prefix)__process_command_line__exclusion_list`

Enter command line parameters of the parent process. See the alert for detail about how the command line is recorded in the log. Here is an example:

powershell.exe -ExecutionPolicy Bypass -Command

Events with the values that you provide will be excluded from evaluation.

Generic name: Process Path
Reference list name: `(prefix)__process_path__exclusion_list`

Enter the path of the process that is generating the alert. The value provided may be different, depending on how the data source records the value. Refer to an example alert for the exact format. Here are examples:

powershell.exe

c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe

c:\windows\system32\windowspowershell\v1.0\powershell.exe

\\Device\\HarddiskVolume2\\Windows\\system32\\windowspowershell\\v1.0\\powershell.exe

Events with the values that you provide will be excluded from evaluation.

Generic name: Target Command Line
Reference list name: `(prefix)__target_command_line__exclusion_list`

The command line of the target process being launched, for example:

rundll32.exe c:\windows\system32\foobar.dll,Uninstall 0 0 1

Events with the values that you provide will be excluded from evaluation.

Generic name: Target Path
Reference list name: `(prefix)__target_path__exclusion_list`

The path of the child process being spawned that is part of the alert. The value provided may be different, depending on how the data source records the value. Refer to an example alert for the exact format. Here are examples:

\\Device\\HarddiskVolume2\\Windows\\System32\\rundll32.exe

c:\\windows\\system32\\rundll32.exe

c:\windows\system32\rundll32.exe

Events with the values that you provide will be excluded from evaluation.

Generic name: Target Hash
Reference list name: `(prefix)__target_hash__exclusion_list`

The SHA256 hash of the target file generating the alert, for example:

9a86a081884a7a659a2aaaa0a55aa015a3aa4a1a2a0a822aa15a6a15a0a00a08

Events with the values that you provide will be excluded from evaluation.
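The following Python script is an added example, not Chronicle's own code, that models the tuning behaviour described above: list names are built from the per-rule-set prefix and the five shared criteria, and an event that matches an entry in one of a rule set's lists is dropped before that rule set evaluates it, while the same event still reaches a rule set whose lists do not contain it. The matching logic, the event field names, and the sample events and list entries are this example's own assumptions; the real rule-set matching is not published on this page.

```python
"""Added example (not Chronicle's code): a model of how the Windows Threats
reference lists exclude events from rule-set evaluation.

Assumptions, labelled as such: list names follow the documented
`<prefix>__<criterion>__exclusion_list` pattern; a match is an exact,
case-insensitive comparison after collapsing doubled backslashes; and the
event field names below are placeholders standing in for the UDM fields.
"""
from typing import Optional

# Prefixes as documented for each rule set.
RULE_SET_PREFIXES = {
    "Crypto Activity": "gcti__win__crypto",
    "Hacktool": "gcti__win__hacktool",
    "Info Stealer": "gcti__win__info_stealer",
    "Initial Access": "gcti__win__initial_access",
    "Legitimate but Misused": "gcti__win__legit_but_misused",
    "Named Threat": "gcti__win__named_threat",
    "Ransomware": "gcti__win__ransomware",
    "RAT": "gcti__win__rat",
    "Suspicious Behavior": "gcti__win__suspicious_behavior",
}

# The five criteria every rule set shares, mapped to the event field each list
# is compared against (these field names are this example's own, not UDM's).
CRITERIA = {
    "process_command_line": "principal_command_line",
    "process_path": "principal_path",
    "target_command_line": "target_command_line",
    "target_path": "target_path",
    "target_hash": "target_sha256",
}


def list_name(rule_set: str, criterion: str) -> str:
    """Reference list name for one rule set and one exclusion criterion."""
    return f"{RULE_SET_PREFIXES[rule_set]}__{criterion}__exclusion_list"


def normalise(value: str) -> str:
    """Collapse the escaped-backslash and case differences seen across sources.

    Device-style paths are left as recorded: they are a different
    representation, not an escaping difference, so they must be entered in the
    list in the form the alert shows, as the table above advises.
    """
    return value.replace("\\\\", "\\").strip().lower()


def excluded_by(event: dict, rule_set: str, reference_lists: dict) -> Optional[str]:
    """Return the name of the first list that excludes the event, else None."""
    for criterion, field_name in CRITERIA.items():
        name = list_name(rule_set, criterion)
        entries = {normalise(v) for v in reference_lists.get(name, ())}
        value = event.get(field_name)
        if value and normalise(value) in entries:
            return name
    return None


def events_to_evaluate(events: list, rule_set: str, reference_lists: dict) -> list:
    """Events that survive the exclusion lists and reach the rule set."""
    return [e for e in events if excluded_by(e, rule_set, reference_lists) is None]


# Constructed reference lists, populated only for the Hacktool rule set, using
# the path and hash values shown as examples in the table above.
SAMPLE_LISTS = {
    list_name("Hacktool", "process_path"): {
        r"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
    },
    list_name("Hacktool", "target_hash"): {
        "9a86a081884a7a659a2aaaa0a55aa015a3aa4a1a2a0a822aa15a6a15a0a00a08",
    },
}

# Constructed events: e1 matches the Hacktool process path list (different
# case and single backslashes), e2 matches the Hacktool hash list (upper-case
# hex), e3 matches nothing.
SAMPLE_EVENTS = [
    {"id": "e1",
     "principal_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_path": r"c:\windows\system32\rundll32.exe"},
    {"id": "e2",
     "principal_path": r"c:\windows\explorer.exe",
     "target_sha256": "9A86A081884A7A659A2AAAA0A55AA015A3AA4A1A2A0A822AA15A6A15A0A00A08"},
    {"id": "e3",
     "principal_path": r"c:\users\alice\appdata\local\temp\tool.exe"},
]

if __name__ == "__main__":
    for rs in ("Hacktool", "RAT"):
        kept = [e["id"] for e in events_to_evaluate(SAMPLE_EVENTS, rs, SAMPLE_LISTS)]
        print(f"{rs}: events still evaluated -> {kept}")
```

Running the script shows the scoping the text describes: only `e3` reaches the Hacktool rule set, while all three events still reach the RAT rule set because the RAT lists are empty. The normalisation step is only a convenience for this model; when populating a real list, copy the value in the exact form the example alert records it.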