IBM Security QRadar

  • 1.  "AQL filter query" contained in Building Blocks?

    Posted 17 days ago
    Edited by Vedran Zulin 12 days ago

    Hi all,

    During some testing in my test environment, I discovered unusual "AQL filter query" content in a few Building Blocks (mainly Sysmon-related and quite old, 2017 content).

    E.g.:
    Apply BB:CategoryDefinition: Scheduled Task Creation by a Process on events which are detected by the Local system
    and when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    and when the event QID is one of the following (5001828) Process Create
    and when the event matches "Parent Command" IMATCHES 'C\:\\Windows\\system32\\svchost\.exe\s\-k\snetsvcs' AQL filter query
    and when the event matches "Process Path" not in ('C:\Windows\System32\taskhost.exe','C:\Windows\System32\consent.exe','C:\Windows\System32\taskhostex.exe','C:\Windows\System32\rundll32.exe','C:\Windows\System32\wbem\WMIADAP.exe','C:\Windows\System32\wermgr.exe','C:\Windows\System32\wsqmcons.exe','C:\Windows\System32\ServerManagerLauncher.exe','C:\Windows\System32\aitagent.exe','C:\Windows\System32\taskeng.exe','C:\Windows\System32\Defrag.exe','C:\Windows\System32\schtasks.exe','C:\Windows\System32\ceipdata.exe', 'C:\Windows\System32\tzsync.exe', 'C:\Windows\System32\lpremove.exe') AQL filter query

    Has anyone observed something similar?

    Thanks,

    wish you all a nice day,



    ------------------------------
    Vedran Zulin
    ------------------------------
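The two AQL test conditions quoted in the building block above can be checked offline before the BB is relied on. The following is an added example, not QRadar code and not something from the original post: it re-implements the "Parent Command" IMATCHES regex and the "Process Path" NOT IN list from the BB in Python and runs them over a few constructed Sysmon process-creation events. The Event class, the field names and the sample events are assumptions made for the example. IMATCHES is modelled as a case-insensitive whole-string regex match and NOT IN as an exact, case-sensitive string comparison, which is why the lower-cased taskeng.exe path among the samples is not excluded by the allow-list.

```python
import re
from dataclasses import dataclass

# Condition from the BB: "Parent Command" IMATCHES '<regex>'.
# Modelled as a case-insensitive, whole-string regex match; the pattern
# itself is copied verbatim from the BB.
PARENT_CMD_RE = re.compile(
    r"C\:\\Windows\\system32\\svchost\.exe\s\-k\snetsvcs", re.IGNORECASE)

# Condition from the BB: "Process Path" NOT IN (...). The list is the BB's
# own; IN compares strings exactly, so only these spellings are excluded.
EXCLUDED_PROCESS_PATHS = frozenset([
    r"C:\Windows\System32\taskhost.exe",
    r"C:\Windows\System32\consent.exe",
    r"C:\Windows\System32\taskhostex.exe",
    r"C:\Windows\System32\rundll32.exe",
    r"C:\Windows\System32\wbem\WMIADAP.exe",
    r"C:\Windows\System32\wermgr.exe",
    r"C:\Windows\System32\wsqmcons.exe",
    r"C:\Windows\System32\ServerManagerLauncher.exe",
    r"C:\Windows\System32\aitagent.exe",
    r"C:\Windows\System32\taskeng.exe",
    r"C:\Windows\System32\Defrag.exe",
    r"C:\Windows\System32\schtasks.exe",
    r"C:\Windows\System32\ceipdata.exe",
    r"C:\Windows\System32\tzsync.exe",
    r"C:\Windows\System32\lpremove.exe",
])

PROCESS_CREATE_QID = 5001828  # QID the BB names for "Process Create"


@dataclass(frozen=True)
class Event:
    """Minimal stand-in for a normalised Sysmon event (assumed field names)."""
    qid: int
    parent_command: str
    process_path: str


def bb_scheduled_task_creation(ev: Event) -> bool:
    """Return True when the event satisfies the BB's test conditions."""
    if ev.qid != PROCESS_CREATE_QID:
        return False
    if PARENT_CMD_RE.fullmatch(ev.parent_command) is None:
        return False
    # NOT IN: exact comparison, no case folding.
    return ev.process_path not in EXCLUDED_PROCESS_PATHS


# Constructed sample events for the example, not real telemetry.
SAMPLE_EVENTS = [
    # taskeng.exe spawned by the Schedule service host: allow-listed.
    Event(5001828, r"C:\Windows\system32\svchost.exe -k netsvcs",
          r"C:\Windows\System32\taskeng.exe"),
    # Unknown binary spawned by the Schedule service host: fires.
    Event(5001828, r"C:\Windows\system32\svchost.exe -k netsvcs",
          r"C:\Users\bob\AppData\Local\Temp\update.exe"),
    # Mixed-case parent: IMATCHES ignores case, Defrag.exe is excluded.
    Event(5001828, r"c:\windows\SYSTEM32\svchost.exe -k NetSvcs",
          r"C:\Windows\System32\Defrag.exe"),
    # Lower-cased process path: NOT IN is exact, so this one fires too.
    Event(5001828, r"C:\Windows\system32\svchost.exe -k netsvcs",
          r"c:\windows\system32\taskeng.exe"),
    # Different svchost group: the parent regex does not match.
    Event(5001828, r"C:\Windows\system32\svchost.exe -k LocalService",
          r"C:\tmp\anything.exe"),
]


def matching_process_paths(events=SAMPLE_EVENTS):
    """Process paths of the events that would trigger the BB."""
    return [ev.process_path for ev in events if bb_scheduled_task_creation(ev)]


if __name__ == "__main__":
    for path in matching_process_paths():
        print("BB matched:", path)
```

Running it lists the Temp\update.exe event and the lower-cased taskeng.exe event; the latter is the practical caveat, since a Sysmon log source that normalises paths to lower case would make the whole NOT IN list ineffective.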



  • 2.  RE: "AQL filter query" contained in Building Blocks?

    Posted 16 days ago

    Hello Vedran,

    These are not unusual query contents. They are actually valid test conditions that use AQL, which seems fine to me; there is no issue related to those.
    Can you please confirm whether you observed any other issue with it?



    ------------------------------
    Vishal Tangadkar
    IBM INDIA PVT LTD
    ------------------------------



  • 3.  RE: "AQL filter query" contained in Building Blocks?

    Posted 15 days ago
    Edited by Vedran Zulin 15 days ago

    Hi Vishal,

    Well, the reason I'm asking is that a few months ago I ran across a rule (initially converted from SIGMA) which also had the AQL filter query part, and its formatting seemed completely different from any other rule (id=-1, conditions duplicated in various formats).

    (It seems far better with the conversion being made right now:

    devicetype=12 AND (
        ("Event ID"=4656 AND LOWER("Object Name") LIKE '%\lsass.exe' AND (LOWER("Access Mask") LIKE '%0x40%' OR LOWER("Access Mask") LIKE '%0x1400%' OR LOWER("Access Mask") LIKE '%0x100000%' OR LOWER("Access Mask") LIKE '%0x1410%' OR LOWER("Access Mask") LIKE '%0x1010%' OR LOWER("Access Mask") LIKE '%0x1438%' OR LOWER("Access Mask") LIKE '%0x143a%' OR LOWER("Access Mask") LIKE '%0x1418%' OR LOWER("Access Mask") LIKE '%0x1f0fff%' OR LOWER("Access Mask") LIKE '%0x1f1fff%' OR LOWER("Access Mask") LIKE '%0x1f2fff%' OR LOWER("Access Mask") LIKE '%0x1f3fff%'))
        OR ("Event ID"=4663 AND LOWER("Object Name") LIKE '%\lsass.exe' AND ("Rule Name" LIKE '%4484%' OR "Rule Name" LIKE '%4416%'))
    ) AND (NOT(
        ((LOWER("Process Name") LIKE '%\csrss.exe' OR LOWER("Process Name") LIKE '%\gamingservices.exe' OR LOWER("Process Name") LIKE '%\lsm.exe' OR LOWER("Process Name") LIKE '%\microsoftedgeupdate.exe' OR LOWER("Process Name") LIKE '%\minionhost.exe' OR LOWER("Process Name") LIKE '%\mrt.exe' OR LOWER("Process Name") LIKE '%\msmpeng.exe' OR LOWER("Process Name") LIKE '%\perfmon.exe' OR LOWER("Process Name") LIKE '%\procexp.exe' OR LOWER("Process Name") LIKE '%\procexp64.exe' OR LOWER("Process Name") LIKE '%\svchost.exe' OR LOWER("Process Name") LIKE '%\taskmgr.exe' OR LOWER("Process Name") LIKE '%\thor.exe' OR LOWER("Process Name") LIKE '%\thor64.exe' OR LOWER("Process Name") LIKE '%\vmtoolsd.exe' OR LOWER("Process Name") LIKE '%\vstskmgr.exe' OR LOWER("Process Name") LIKE '%\wininit.exe' OR LOWER("Process Name") LIKE '%\wmiprvse.exe' OR LOWER("Process Name") LIKE '%rtkauduservice64') AND (LOWER("Process Name") LIKE '%:\program files (x86)\%' OR LOWER("Process Name") LIKE '%:\program files\%' OR LOWER("Process Name") LIKE '%:\programdata\microsoft\windows defender\platform\%' OR LOWER("Process Name") LIKE '%:\windows\sysnative\%' OR LOWER("Process Name") LIKE '%:\windows\system32\%' OR LOWER("Process Name") LIKE '%:\windows\syswow64\%' OR LOWER("Process Name") LIKE '%:\windows\temp\asgard2-agent\%'))
        OR LOWER("Process Name") LIKE '%:\program files%'
        OR (LOWER("Process Name") LIKE '%:\windows\system32\taskhostw.exe' OR LOWER("Process Name") LIKE '%:\windows\system32\msiexec.exe' OR LOWER("Process Name") LIKE '%:\windows\ccm\ccmexec.exe')
        OR (LOWER("Process Name") LIKE '%:\windows\sysmon64.exe' AND "Rule Name" LIKE '%%%4484%')
        OR (LOWER("Process Name") LIKE '%:\windows\temp\asgard2-agent-sc\aurora\%' AND LOWER("Process Name") LIKE '%\aurora-agent-64.exe' AND "Rule Name" LIKE '%%%4484%')
        OR (LOWER("Process Name") LIKE '%\x64\scenarioengine.exe' AND "Rule Name" LIKE '%%%4484%')
        OR ((LOWER("Process Name") LIKE '%:\users\%' AND LOWER("Process Name") LIKE '%\appdata\local\temp\is-%') AND LOWER("Process Name") LIKE '%\avira_system_speedup.tmp' AND "Rule Name" LIKE '%%%4484%')
        OR (LOWER("Process Name") LIKE '%:\windows\temp\%' AND LOWER("Process Name") LIKE '%\avira_speedup_setup_update.tmp' AND "Rule Name" LIKE '%%%4484%')
        OR (LOWER("Process Name") LIKE '%:\windows\system32\snmp.exe' AND "Rule Name" LIKE '%%%4484%')
        OR (LOWER("Process Name") LIKE '%:\windows\systemtemp\%' AND LOWER("Process Name") LIKE '%\googleupdate.exe' AND "Rule Name" LIKE '%%%4484%')
    )) AND (NOT(((LOWER("Process Name") LIKE '%\procmon64.exe' OR LOWER("Process Name") LIKE '%\procmon.exe') AND "Rule Name" LIKE '%%%4484%')))

    )

    Was there some kind of a glitch back at the time?
    Kind regards,



    ------------------------------
    Vedran Zulin
    ------------------------------
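To see what the converted rule in the post above actually matches, the following added example (not the poster's code, not QRadar's and not the Sigma converter's) models the LOWER(...) LIKE '...' predicates that the conversion emits: `%` is any run of characters, `_` exactly one character, everything else including backslashes is taken literally, and LOWER is handled by lower-casing the field value. It evaluates the Event ID 4656 branch of the rule, with shortened subsets of its exclusion lists, over constructed Security-log events. Field names and events are assumptions for the example. What it shows is that the first exclusion group requires both a trusted image name and a trusted directory, so a svchost.exe copy under a user profile still fires, while an access mask outside the list does not.

```python
import re


def like_to_regex(pattern: str) -> re.Pattern:
    """Translate an AQL LIKE pattern to a compiled regex: '%' is any run of
    characters, '_' exactly one character, everything else (backslashes
    included) is literal, as in the converted rule's path patterns."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def lower_like(value: str, pattern: str) -> bool:
    """LOWER(field) LIKE 'pattern', as emitted by the converter."""
    return like_to_regex(pattern).fullmatch(value.lower()) is not None


# Values taken from the rule above; the exclusion lists are shortened subsets.
ACCESS_MASKS = ["0x40", "0x1400", "0x100000", "0x1410", "0x1010", "0x1438",
                "0x143a", "0x1418", "0x1f0fff", "0x1f1fff", "0x1f2fff", "0x1f3fff"]
TRUSTED_IMAGES = [r"%\csrss.exe", r"%\lsm.exe", r"%\msmpeng.exe",
                  r"%\svchost.exe", r"%\taskmgr.exe", r"%\wininit.exe",
                  r"%\wmiprvse.exe"]
TRUSTED_DIRS = [r"%:\program files (x86)\%", r"%:\program files\%",
                r"%:\windows\system32\%", r"%:\windows\syswow64\%"]


def lsass_handle_request(ev: dict) -> bool:
    """Event ID 4656 branch of the converted rule: a handle to lsass.exe with
    one of the listed access masks from a process that is not allow-listed."""
    if ev["event_id"] != 4656:
        return False
    if not lower_like(ev["object_name"], r"%\lsass.exe"):
        return False
    if not any(lower_like(ev["access_mask"], f"%{m}%") for m in ACCESS_MASKS):
        return False
    proc = ev["process_name"]
    # Exclusion as the rule writes it: trusted image name AND trusted directory.
    trusted = (any(lower_like(proc, p) for p in TRUSTED_IMAGES)
               and any(lower_like(proc, d) for d in TRUSTED_DIRS))
    return not trusted


# Constructed events with assumed field names, not real telemetry.
SAMPLE_EVENTS = [
    # System svchost.exe in System32: name and directory both trusted.
    {"event_id": 4656, "object_name": r"C:\Windows\System32\lsass.exe",
     "access_mask": "0x1410", "process_name": r"C:\Windows\System32\svchost.exe"},
    # svchost.exe copied into a user profile: trusted name, untrusted dir.
    {"event_id": 4656, "object_name": r"C:\Windows\System32\LSASS.EXE",
     "access_mask": "0x1F0FFF", "process_name": r"C:\Users\bob\Downloads\svchost.exe"},
    # Dumping tool with a listed access mask: fires.
    {"event_id": 4656, "object_name": r"C:\Windows\System32\lsass.exe",
     "access_mask": "0x1410", "process_name": r"C:\Tools\procdump64.exe"},
    # Same tool, access mask not in the list: no match.
    {"event_id": 4656, "object_name": r"C:\Windows\System32\lsass.exe",
     "access_mask": "0x100", "process_name": r"C:\Tools\procdump64.exe"},
    # Handle to a different object: no match.
    {"event_id": 4656, "object_name": r"C:\Windows\System32\lsm.exe",
     "access_mask": "0x1410", "process_name": r"C:\Tools\procdump64.exe"},
]


def firing_processes(events=SAMPLE_EVENTS):
    """Process names of the events that satisfy the 4656 branch."""
    return [ev["process_name"] for ev in events if lsass_handle_request(ev)]


if __name__ == "__main__":
    for proc in firing_processes():
        print("rule matched:", proc)
```

The LIKE translation is the part worth keeping around: the `'%0x40%'`-style predicates are substring tests, not equality, so any new mask value the converter emits should be checked this way for accidental overlaps before the rule is enabled.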