[Tuning] Add Missing executable file extensions (#5857)

Add missing executable file extensions; for example, execution_windows_script_from_internet.toml didn't cover wsf and sct.
Samirbous
2026-03-23 12:23:51 +00:00
committed by GitHub
parent e788ab7e73
commit 062a065722
9 changed files with 31 additions and 23 deletions
@@ -2,7 +2,7 @@
creation_date = "2023/01/13"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2026/03/19"
[transform]
[[transform.osquery]]
@@ -129,7 +129,7 @@ type = "eql"
query = '''
file where host.os.type == "windows" and event.action == "rename" and
process.name : "svchost.exe" and file.Ext.original.name : "BIT*.tmp" and
(file.extension : ("exe", "zip", "rar", "bat", "dll", "ps1", "vbs", "wsh", "js", "vbe", "pif", "scr", "cmd", "cpl") or
(file.extension : ("exe", "zip", "rar", "bat", "dll", "ps1", "vbs", "vbe", "wsh", "wsf", "sct", "js", "jse", "hta", "pif", "scr", "cmd", "cpl") or
file.Ext.header_bytes : "4d5a*") and
/* noisy paths, for hunting purposes you can use the same query without the following exclusions */
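Review bot: The extension lists still diverge across the rules touched by this commit: this svchost/BITS list has no "com", which the powershell.exe, wscript/cscript and TeamViewer.exe lists all carry, while the TeamViewer.exe list lacks "pif" and "cpl" and the alternate-data-stream `in~` list lacks "scr", "pif" and "cpl". A file that one rule classifies as executable therefore slips past a sibling rule on extension alone. If each list is deliberately tuned to its data source, a one-line comment above the list saying so, e.g. `/* extension set intentionally narrower than sibling rules: see tuning notes */`, would keep the next "add missing extensions" pass from re-opening this; otherwise a single reviewed set applied to every rule is easier to audit. The same remark applies to the powershell.exe, TeamViewer.exe and ADS hunks below.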
@@ -2,7 +2,7 @@
creation_date = "2020/11/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/09/04"
updated_date = "2026/03/19"
[transform]
[[transform.osquery]]
@@ -148,7 +148,7 @@ sequence by process.entity_id with maxspan=30s
dns.question.name regex """.*\.[a-zA-Z]{2,5}"""]
[file where host.os.type == "windows" and event.type == "creation" and
process.name : "powershell.exe" and
(file.extension : ("exe", "dll", "ps1", "bat") or file.Ext.header_bytes : "4d5a*") and
(file.extension : ("exe", "dll", "ps1", "bat", "cmd", "vbs", "vbe", "js", "jse", "wsh", "wsf", "sct", "hta", "cpl", "scr", "pif", "com") or file.Ext.header_bytes : "4d5a*") and
not file.name : "__PSScriptPolicy*.ps1" and
not file.path : (
"?:\\Users\\*\\AppData\\Local\\Temp\\????????.dll",
@@ -2,7 +2,7 @@
creation_date = "2020/11/29"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2026/03/19"
[transform]
[[transform.osquery]]
@@ -116,7 +116,8 @@ sequence by host.id, process.entity_id
[network where host.os.type == "windows" and process.name : ("wscript.exe", "cscript.exe") and network.protocol != "dns" and
network.direction : ("outgoing", "egress") and network.type == "ipv4" and destination.ip != "127.0.0.1"
]
[file where host.os.type == "windows" and event.type == "creation" and file.extension : ("exe", "dll")]
[file where host.os.type == "windows" and event.type == "creation" and
file.extension : ("exe", "dll", "bat", "cmd", "ps1", "vbs", "vbe", "js", "jse", "wsh", "wsf", "sct", "hta", "scr", "pif", "com", "cpl")]
'''
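Review bot: The new file stage matches on extension only, whereas the svchost and powershell.exe hunks in this commit pair the list with a PE header check, so a PE dropped by the script host under an unlisted or missing extension is not seen here. Adding the header test keeps the three rules aligned: `[file where host.os.type == "windows" and event.type == "creation" and (file.extension : ("exe", "dll", "bat", "cmd", "ps1", "vbs", "vbe", "js", "jse", "wsh", "wsf", "sct", "hta", "scr", "pif", "com", "cpl") or file.Ext.header_bytes : "4d5a*")]`. The TeamViewer.exe hunk has the same gap; the sequence header and earlier stages of this rule are outside the hunk.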
@@ -2,7 +2,7 @@
creation_date = "2020/09/02"
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/05/05"
updated_date = "2026/03/19"
[transform]
[[transform.osquery]]
@@ -108,7 +108,7 @@ type = "eql"
query = '''
file where host.os.type == "windows" and event.type == "creation" and process.name : "TeamViewer.exe" and
file.extension : ("exe", "dll", "scr", "com", "bat", "ps1", "vbs", "vbe", "js", "wsh", "hta") and
file.extension : ("exe", "dll", "scr", "com", "bat", "cmd", "ps1", "vbs", "vbe", "js", "jse", "wsh", "wsf", "sct", "hta") and
not
(
file.path : (
@@ -2,7 +2,7 @@
creation_date = "2021/01/21"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/01/15"
updated_date = "2026/03/19"
[transform]
[[transform.osquery]]
@@ -126,8 +126,8 @@ query = '''
file where host.os.type == "windows" and event.type == "creation" and
process.name : ("cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "node.exe", "python*.exe") and
file.extension in~ (
"pdf", "dll", "exe", "dat", "com", "bat", "cmd", "sys", "vbs", "ps1", "hta", "txt", "vbe", "js",
"wsh", "docx", "doc", "xlsx", "xls", "pptx", "ppt", "rtf", "gif", "jpg", "png", "bmp", "img", "iso"
"pdf", "dll", "exe", "dat", "com", "bat", "cmd", "sys", "vbs", "vbe", "ps1", "hta", "txt", "js", "jse",
"wsh", "wsf", "sct", "docx", "doc", "xlsx", "xls", "pptx", "ppt", "rtf", "gif", "jpg", "png", "bmp", "img", "iso"
) and
file.path : "C:\\*:*" and
not file.name :("*:$DATA", "*PG$Secure", "*Zone.Identifier", "*com.apple.lastuseddate#PS", "*com.apple.provenance")
@@ -2,7 +2,7 @@
creation_date = "2025/01/31"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/01/12"
updated_date = "2026/03/19"
min_stack_version = "9.1.0"
min_stack_comments = "Changing min stack to 9.1.0, the latest minimum supported version for 9.X releases."
@@ -35,14 +35,16 @@ query = '''
sequence by host.id, user.id with maxspan=3m
[file where host.os.type == "windows" and event.action == "creation" and user.id != "S-1-5-18" and
process.name : ("chrome.exe", "msedge.exe", "brave.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "explorer.exe", "winrar.exe", "7zFM.exe", "7zG.exe", "Bandizip.exe") and
file.extension in~ ("js", "jse", "vbs", "vbe", "wsh", "hta", "cmd", "bat") and
file.extension in~ ("js", "jse", "vbs", "vbe", "wsh", "wsf", "sct", "hta", "cmd", "bat", "ps1", "msi") and
(file.origin_url != null or file.origin_referrer_url != null)]
[process where host.os.type == "windows" and event.type == "start" and
process.parent.name : ("chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "explorer.exe", "winrar.exe", "7zFM.exe", "7zG.exe", "Bandizip.exe") and
process.args_count >= 2 and
(
process.name in~ ("wscript.exe", "mshta.exe") or
(process.name : "cmd.exe" and process.command_line : ("*.cmd*", "*.bat*"))
process.name in~ ("wscript.exe", "cscript.exe", "mshta.exe") or
(process.name : "cmd.exe" and process.command_line : ("*.cmd*", "*.bat*", "*.wsf*")) or
(process.name in~ ("powershell.exe", "pwsh.exe") and process.command_line : "*.ps1*") or
(process.name : "msiexec.exe" and process.command_line : "*.msi" and process.args : ("/i*", "-i*"))
)]
'''
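Review bot: `process.command_line : "*.msi"` on the new msiexec.exe branch only matches when the command line ends in `.msi`; a quoted package path or trailing switches (`/qn`, `/quiet`) after the path leave it unmatched, so most real invocations would not complete the sequence. The other new branches already use a trailing wildcard (`"*.ps1*"`, `"*.wsf*"`), so the line should read `(process.name : "msiexec.exe" and process.command_line : "*.msi*" and process.args : ("/i*", "-i*"))`. The `process.args : ("/i*", "-i*")` test already keeps the branch to install actions, so the wider wildcard should not add noise.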
note = """## Triage and analysis
@@ -123,6 +125,11 @@ id = "T1218.005"
name = "Mshta"
reference = "https://attack.mitre.org/techniques/T1218/005/"
[[rule.threat.technique.subtechnique]]
id = "T1218.007"
name = "Msiexec"
reference = "https://attack.mitre.org/techniques/T1218/007/"
[rule.threat.tactic]
@@ -2,7 +2,7 @@
creation_date = "2020/11/10"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2026/03/19"
[rule]
author = ["Elastic"]
@@ -79,9 +79,9 @@ sequence by host.id with maxspan=30s
network.direction : ("incoming", "ingress") and
network.transport == "tcp" and source.ip != "127.0.0.1" and source.ip != "::1"
] by process.entity_id
/* add more executable extensions here if they are not noisy in your environment */
[file where host.os.type == "windows" and event.type in ("creation", "change") and process.pid == 4 and
(file.Ext.header_bytes : "4d5a*" or file.extension : ("exe", "scr", "pif", "com", "dll"))] by process.entity_id
/* add more executable / script extensions here if they are not noisy in your environment */
[file where host.os.type == "windows" and event.type in ("creation", "change") and process.pid == 4 and user.id like ("S-1-5-21*", "S-1-12-*") and
(file.Ext.header_bytes : "4d5a*" or file.extension : ("exe", "scr", "pif", "com", "dll", "bat", "cmd", "ps1", "vbs", "vbe", "js", "jse", "wsh", "wsf", "sct", "hta", "cpl"))] by process.entity_id
'''
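Review bot: The added `user.id like ("S-1-5-21*", "S-1-12-*")` narrows the file stage to local/domain-account and Azure AD SIDs, which is a behavioural change beyond the "add missing extensions" subject of this commit and is not mentioned in the description; file creations over the share attributed to any other SID no longer complete the sequence. If the intent is to drop noise from system and service accounts, state it in the comment on the line above, e.g. `/* restricted to user-account SIDs (S-1-5-21-*, S-1-12-*) to cut noise from well-known/service accounts; add more executable / script extensions here if they are not noisy in your environment */`. `like` is a case-sensitive match; SIDs are normally upper-case, so this should be fine, but it is worth confirming against the data sources the rule targets.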
@@ -2,7 +2,7 @@
creation_date = "2020/11/03"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/09/04"
updated_date = "2026/03/19"
[transform]
[[transform.osquery]]
@@ -110,7 +110,7 @@ type = "eql"
query = '''
sequence with maxspan=1m
[file where host.os.type == "windows" and event.type in ("creation", "change") and
process.pid == 4 and (file.extension : "exe" or file.Ext.header_bytes : "4d5a*")] by host.id, file.path
process.pid == 4 and (file.extension : ("exe", "scr", "pif", "com") or file.Ext.header_bytes : "4d5a*")] by host.id, file.path
[process where host.os.type == "windows" and event.type == "start" and
not (
(
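Review bot: The widened list on the file stage keeps only PE-style extensions ("exe", "scr", "pif", "com"), unlike every other hunk in this commit, which also adds script types. That looks deliberate — the stage is keyed `by host.id, file.path` and a script does not start as a process with that path — but the second stage and its join key are outside the hunk, so it cannot be confirmed here. A short comment above the stage, e.g. `/* PE extensions only: the next stage joins on the executable's path, so scripts cannot match */`, would stop a later consistency pass from adding script extensions that can never fire.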
@@ -2,7 +2,7 @@
creation_date = "2020/11/18"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2026/03/19"
[transform]
[[transform.osquery]]
@@ -132,7 +132,7 @@ file where host.os.type == "windows" and event.type != "deletion" and
/* Call attention to file extensions that may be used for malicious purposes */
/* Optionally, Windows scripting engine processes targeting shortcut files */
(
file.extension : ("vbs", "vbe", "wsh", "wsf", "js") or
file.extension : ("vbs", "vbe", "wsh", "wsf", "js", "jse", "sct", "hta", "ps1", "bat", "cmd") or
process.name : ("wscript.exe", "cscript.exe")
) and not (startsWith(user.domain, "NT") or endsWith(user.domain, "NT"))