Hi Vishal,
Well, the reason I'm asking is that a few months ago I ran across a rule (initially converted from SIGMA) which also had the AQL filter query part, and it seemed completely different in formatting from any other rule (with id=-1 and conditions being duplicated in various formats).
(It seems by far better w/ conversion being made right now:
devicetype=12 AND (("Event ID"=4656 AND LOWER("Object Name") LIKE '%\lsass.exe' AND (LOWER("Access Mask") LIKE '%0x40%' OR LOWER("Access Mask") LIKE '%0x1400%' OR LOWER("Access Mask") LIKE '%0x100000%' OR LOWER("Access Mask") LIKE '%0x1410%' OR LOWER("Access Mask") LIKE '%0x1010%' OR LOWER("Access Mask") LIKE '%0x1438%' OR LOWER("Access Mask") LIKE '%0x143a%' OR LOWER("Access Mask") LIKE '%0x1418%' OR LOWER("Access Mask") LIKE '%0x1f0fff%' OR LOWER("Access Mask") LIKE '%0x1f1fff%' OR LOWER("Access Mask") LIKE '%0x1f2fff%' OR LOWER("Access Mask") LIKE '%0x1f3fff%')) OR ("Event ID"=4663 AND LOWER("Object Name") LIKE '%\lsass.exe' AND ("Rule Name" LIKE '%4484%' OR "Rule Name" LIKE '%4416%'))) AND (NOT((((LOWER("Process Name") LIKE '%\csrss.exe' OR LOWER("Process Name") LIKE '%\gamingservices.exe' OR LOWER("Process Name") LIKE '%\lsm.exe' OR LOWER("Process Name") LIKE '%\microsoftedgeupdate.exe' OR LOWER("Process Name") LIKE '%\minionhost.exe' OR LOWER("Process Name") LIKE '%\mrt.exe' OR LOWER("Process Name") LIKE '%\msmpeng.exe' OR LOWER("Process Name") LIKE '%\perfmon.exe' OR LOWER("Process Name") LIKE '%\procexp.exe' OR LOWER("Process Name") LIKE '%\procexp64.exe' OR LOWER("Process Name") LIKE '%\svchost.exe' OR LOWER("Process Name") LIKE '%\taskmgr.exe' OR LOWER("Process Name") LIKE '%\thor.exe' OR LOWER("Process Name") LIKE '%\thor64.exe' OR LOWER("Process Name") LIKE '%\vmtoolsd.exe' OR LOWER("Process Name") LIKE '%\vstskmgr.exe' OR LOWER("Process Name") LIKE '%\wininit.exe' OR LOWER("Process Name") LIKE '%\wmiprvse.exe' OR LOWER("Process Name") LIKE '%rtkauduservice64') AND (LOWER("Process Name") LIKE '%:\program files (x86)\%' OR LOWER("Process Name") LIKE '%:\program files\%' OR LOWER("Process Name") LIKE '%:\programdata\microsoft\windows defender\platform\%' OR LOWER("Process Name") LIKE '%:\windows\sysnative\%' OR LOWER("Process Name") LIKE '%:\windows\system32\%' OR LOWER("Process Name") LIKE '%:\windows\syswow64\%' OR LOWER("Process Name") LIKE '%:\windows\temp\asgard2-agent\%')) OR LOWER("Process Name") LIKE '%:\program files%' OR (LOWER("Process Name") LIKE '%:\windows\system32\taskhostw.exe' OR LOWER("Process Name") LIKE '%:\windows\system32\msiexec.exe' OR LOWER("Process Name") LIKE '%:\windows\ccm\ccmexec.exe') OR (LOWER("Process Name") LIKE '%:\windows\sysmon64.exe' AND "Rule Name" LIKE '%%%4484%') OR (LOWER("Process Name") LIKE '%:\windows\temp\asgard2-agent-sc\aurora\%' AND LOWER("Process Name") LIKE '%\aurora-agent-64.exe' AND "Rule Name" LIKE '%%%4484%') OR (LOWER("Process Name") LIKE '%\x64\scenarioengine.exe' AND "Rule Name" LIKE '%%%4484%') OR ((LOWER("Process Name") LIKE '%:\users\%' AND LOWER("Process Name") LIKE '%\appdata\local\temp\is-%') AND LOWER("Process Name") LIKE '%\avira_system_speedup.tmp' AND "Rule Name" LIKE '%%%4484%') OR (LOWER("Process Name") LIKE '%:\windows\temp\%' AND LOWER("Process Name") LIKE '%\avira_speedup_setup_update.tmp' AND "Rule Name" LIKE '%%%4484%') OR (LOWER("Process Name") LIKE '%:\windows\system32\snmp.exe' AND "Rule Name" LIKE '%%%4484%') OR (LOWER("Process Name") LIKE '%:\windows\systemtemp\%' AND LOWER("Process Name") LIKE '%\googleupdate.exe' AND "Rule Name" LIKE '%%%4484%')))) AND (NOT(((LOWER("Process Name") LIKE '%\procmon64.exe' OR LOWER("Process Name") LIKE '%\procmon.exe') AND "Rule Name" LIKE '%%%4484%')))
)
Was there some kind of a glitch back at the time?
Kind regards,
------------------------------
Vedran Zulin
------------------------------
Original Message:
Sent: Tue June 18, 2024 04:53 AM
From: Vedran Zulin
Subject: "AQL filter query" contained in Building Blocks?
Hi all,
During some testing in my test environment, I discovered unusual "AQL filter query" content in a few Building Blocks (mainly Sysmon-related, quite old, 2017 content).
E.g.:
Apply BB:CategoryDefinition: Scheduled Task Creation by a Process on events which are detected by the Local system
and when the event(s) were detected by one or more of Microsoft Windows Security Event Log
and when the event QID is one of the following (5001828) Process Create
and when the event matches "Parent Command" IMATCHES 'C\:\\Windows\\system32\\svchost\.exe\s\-k\snetsvcs' AQL filter query
and when the event matches "Process Path" not in ('C:\Windows\System32\taskhost.exe','C:\Windows\System32\consent.exe','C:\Windows\System32\taskhostex.exe','C:\Windows\System32\rundll32.exe','C:\Windows\System32\wbem\WMIADAP.exe','C:\Windows\System32\wermgr.exe','C:\Windows\System32\wsqmcons.exe','C:\Windows\System32\ServerManagerLauncher.exe','C:\Windows\System32\aitagent.exe','C:\Windows\System32\taskeng.exe','C:\Windows\System32\Defrag.exe','C:\Windows\System32\schtasks.exe','C:\Windows\System32\ceipdata.exe', 'C:\Windows\System32\tzsync.exe', 'C:\Windows\System32\lpremove.exe') AQL filter query
Has anyone observed something similar, i.e., can this content be purged?
Thanks,
wish you all a nice day,
------------------------------
Vedran Zulin
------------------------------
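The LSASS-access rule quoted in the reply above shows what a Sigma detection looks like once it has been converted into an AQL WHERE clause: each `field|modifier` becomes `LOWER("field") LIKE '%pattern%'`, list values become OR groups, selections are OR-ed together and the filter selections are wrapped in `NOT(...)`. The script below is an added illustration of that mapping (my own example code, not QRadar's and not any Sigma backend's converter). Field names such as "Event ID", "Object Name", "Access Mask" and "Process Name" are assumed to be the custom event properties used in the posted query, `devicetype=12` is copied from the posted query, and the sample rule is a constructed, trimmed-down version of it, not the full rule.

```python
"""Minimal Sigma-style detection -> QRadar AQL WHERE-clause generator.

Added example for this thread; not QRadar's own or a SigmaHQ backend.
Assumptions: field names match the custom event properties seen in the
posted query, Sigma '*' maps to the AQL LIKE wildcard '%', and the '_'
LIKE wildcard is left unescaped (as in the posted query).
"""
from typing import Dict, List, Sequence, Union

Scalar = Union[str, int]
Value = Union[Scalar, List[Scalar]]


def _aql_string(value: str) -> str:
    # AQL string literal: single quotes, embedded quotes doubled.
    return "'" + value.replace("'", "''") + "'"


def _like_pattern(value: str, modifier: str) -> str:
    # Case-folded pattern for LOWER(field) LIKE ...; Sigma '*' -> AQL '%'.
    pattern = value.lower().replace("*", "%")
    if modifier == "endswith":
        return "%" + pattern
    if modifier == "startswith":
        return pattern + "%"
    if modifier == "contains":
        return "%" + pattern + "%"
    if modifier == "":
        return pattern  # bare value that already carried a Sigma wildcard
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def _scalar_condition(field: str, modifier: str, value: Scalar) -> str:
    quoted = f'"{field}"'
    if isinstance(value, int) and not modifier:
        return f"{quoted}={value}"  # e.g. "Event ID"=4656
    text = str(value)
    if modifier or "*" in text:
        return f"LOWER({quoted}) LIKE {_aql_string(_like_pattern(text, modifier))}"
    return f"{quoted}={_aql_string(text)}"


def selection_to_aql(selection: Dict[str, Value]) -> str:
    # Sigma map semantics: every key must match (AND); list values match any (OR).
    parts = []
    for key, value in selection.items():
        field, _, modifier = key.partition("|")
        values = value if isinstance(value, list) else [value]
        clauses = [_scalar_condition(field, modifier, v) for v in values]
        parts.append(clauses[0] if len(clauses) == 1 else "(" + " OR ".join(clauses) + ")")
    return parts[0] if len(parts) == 1 else "(" + " AND ".join(parts) + ")"


def rule_to_aql(selections: Sequence[Dict[str, Value]],
                filters: Sequence[Dict[str, Value]] = (),
                device_type: Union[int, None] = None) -> str:
    # Implements the common Sigma condition '1 of selection_* and not 1 of filter_*'.
    sel_sql = [selection_to_aql(s) for s in selections]
    where = sel_sql[0] if len(sel_sql) == 1 else "(" + " OR ".join(sel_sql) + ")"
    flt_sql = [selection_to_aql(f) for f in filters]
    if flt_sql:
        where = f"{where} AND NOT({' OR '.join(flt_sql)})"
    if device_type is not None:
        where = f"devicetype={device_type} AND ({where})"
    return where


# Constructed, trimmed-down version of the LSASS-access rule from the thread.
LSASS_SELECTIONS = [
    {"Event ID": 4656, "Object Name|endswith": "\\lsass.exe",
     "Access Mask|contains": ["0x40", "0x1400"]},
    {"Event ID": 4663, "Object Name|endswith": "\\lsass.exe"},
]
LSASS_FILTERS = [
    {"Process Name|endswith": ["\\csrss.exe", "\\lsm.exe"],
     "Process Name|contains": ":\\windows\\system32\\"},
]

if __name__ == "__main__":
    # devicetype=12 as used in the posted query (assumed: Windows Security Event Log).
    print(rule_to_aql(LSASS_SELECTIONS, LSASS_FILTERS, device_type=12))
```

The shape of the output (selection OR-group, then `AND NOT(filter OR-group)`) is the structure visible in the posted query; what this generator does not reproduce is the `"Rule Name" LIKE '%%%4484%'` clauses, which are a QRadar-side detail rather than part of the Sigma rule.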