From 062a06572263ffd34aeb9965afe3f01aa98e7e5b Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 23 Mar 2026 12:23:51 +0000
Subject: [PATCH] [Tuning] Add Missing executable file extensions (#5857)
Add Missing executable file extensions such as execution_windows_script_from_internet.toml didn't cover wsf and sct.
---
 ...command_and_control_ingress_transfer_bits.toml | 4 ++--
 ...d_and_control_remote_file_copy_powershell.toml | 4 ++--
 ...mand_and_control_remote_file_copy_scripts.toml | 5 +++--
 ...d_and_control_teamviewer_remote_file_copy.toml | 4 ++--
 ...defense_evasion_unusual_ads_file_creation.toml | 6 +++---
 .../execution_windows_script_from_internet.toml | 15 +++++++++++----
 ...ral_movement_executable_tool_transfer_smb.toml | 8 ++++----
 ...vement_execution_via_file_shares_sequence.toml | 4 ++--
 .../persistence_startup_folder_scripts.toml | 4 ++--
 9 files changed, 31 insertions(+), 23 deletions(-)
diff --git a/rules/windows/command_and_control_ingress_transfer_bits.toml b/rules/windows/command_and_control_ingress_transfer_bits.toml
index 9be479997..44030d0b0 100644
--- a/rules/windows/command_and_control_ingress_transfer_bits.toml
+++ b/rules/windows/command_and_control_ingress_transfer_bits.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/13"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2026/03/19"
 [transform]
 [[transform.osquery]] 
@@ -129,7 +129,7 @@ type = "eql"
 query = '''
 file where host.os.type == "windows" and event.action == "rename" and process.name : "svchost.exe" and file.Ext.original.name : "BIT*.tmp" and
- (file.extension : ("exe", "zip", "rar", "bat", "dll", "ps1", "vbs", "wsh", "js", "vbe", "pif", "scr", "cmd", "cpl") or
+ (file.extension : ("exe", "zip", "rar", "bat", "dll", "ps1", "vbs", "vbe", "wsh", "wsf", "sct", "js", "jse", "hta", "pif", "scr", "cmd", "cpl") or
 file.Ext.header_bytes : "4d5a*") and /* noisy paths, for hunting purposes you can use the same query without the following exclusions */
diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml
index 56c445ecd..a390d1750 100644
--- a/rules/windows/command_and_control_remote_file_copy_powershell.toml
+++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/09/04"
+updated_date = "2026/03/19"
 [transform]
 [[transform.osquery]]
@@ -148,7 +148,7 @@ sequence by process.entity_id with maxspan=30s
 dns.question.name regex """.*\.[a-zA-Z]{2,5}"""]
 [file where host.os.type == "windows" and event.type == "creation" and process.name : "powershell.exe" and
- (file.extension : ("exe", "dll", "ps1", "bat") or file.Ext.header_bytes : "4d5a*") and
+ (file.extension : ("exe", "dll", "ps1", "bat", "cmd", "vbs", "vbe", "js", "jse", "wsh", "wsf", "sct", "hta", "cpl", "scr", "pif", "com") or file.Ext.header_bytes : "4d5a*") and
 not file.name : "__PSScriptPolicy*.ps1" and not file.path : ( "?:\\Users\\*\\AppData\\Local\\Temp\\????????.dll",
diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml
index a6a497a81..9042a919e 100644
--- a/rules/windows/command_and_control_remote_file_copy_scripts.toml 
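Review bot: The widened list on the `+` line of the BITS hunk still omits `com`, which the remote_file_copy_powershell, remote_file_copy_scripts and TeamViewer rules in this same commit now treat as executable; a DOS-style `.com` has no MZ header, so the `file.Ext.header_bytes : "4d5a*"` fallback does not rescue it here. Suggest `(file.extension : ("exe", "zip", "rar", "bat", "dll", "ps1", "vbs", "vbe", "wsh", "wsf", "sct", "js", "jse", "hta", "pif", "scr", "cmd", "cpl", "com") or`, and consider `msi` as well if BITS-delivered installers are not too noisy in telemetry, since an MSI is an OLE compound file and is likewise missed by the MZ check. The rest of the query, including the noisy-path exclusions, continues outside the hunk.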
+++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/29"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/19"
 [transform]
 [[transform.osquery]]
@@ -116,7 +116,8 @@ sequence by host.id, process.entity_id
 [network where host.os.type == "windows" and process.name : ("wscript.exe", "cscript.exe") and network.protocol != "dns" and network.direction : ("outgoing", "egress") and network.type == "ipv4" and destination.ip != "127.0.0.1" ]
- [file where host.os.type == "windows" and event.type == "creation" and file.extension : ("exe", "dll")]
+ [file where host.os.type == "windows" and event.type == "creation" and
+ file.extension : ("exe", "dll", "bat", "cmd", "ps1", "vbs", "vbe", "js", "jse", "wsh", "wsf", "sct", "hta", "scr", "pif", "com", "cpl")]
 '''
diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
index d21bb941d..3bb1e29bf 100644
--- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
+++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/05/05"
+updated_date = "2026/03/19"
 [transform]
 [[transform.osquery]]
@@ -108,7 +108,7 @@ type = "eql"
 query = '''
 file where host.os.type == "windows" and event.type == "creation" and process.name : "TeamViewer.exe" and
- file.extension : ("exe", "dll", "scr", "com", "bat", "ps1", "vbs", "vbe", "js", "wsh", "hta") and
+ file.extension : ("exe", "dll", "scr", "com", "bat", "cmd", "ps1", "vbs", "vbe", "js", "jse", "wsh", "wsf", "sct", "hta") and
 not ( file.path : (
diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
index b1847ea15..27cda437a 100644 
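Review bot: The new two-line file step of the wscript/cscript rule qualifies a dropped file by extension alone, while the sibling rules touched in this commit (ingress_transfer_bits, remote_file_copy_powershell, executable_tool_transfer_smb) pair the list with `or file.Ext.header_bytes : "4d5a*"`; a script downloader that writes a PE under a neutral name such as `update.tmp` or `data.log` therefore passes this step unnoticed. Suggest changing the second `+` line to `(file.extension : ("exe", "dll", "bat", "cmd", "ps1", "vbs", "vbe", "js", "jse", "wsh", "wsf", "sct", "hta", "scr", "pif", "com", "cpl") or file.Ext.header_bytes : "4d5a*")]`, assuming the endpoint integration populates `file.Ext.header_bytes` for this rule as it does for the others.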
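Review bot: In the TeamViewer hunk the extended `file.extension` list on the `+` line remains the only qualifier for a TeamViewer.exe file write, with no `file.Ext.header_bytes : "4d5a*"` fallback as the other rules in this commit have, and `cpl`/`pif` (present in the BITS and SMB lists) are still absent. Consider `(file.extension : ("exe", "dll", "scr", "com", "pif", "cpl", "bat", "cmd", "ps1", "vbs", "vbe", "js", "jse", "wsh", "wsf", "sct", "hta") or file.Ext.header_bytes : "4d5a*") and`. The `not ( file.path : (` exclusion block continues outside the hunk, so the extra parenthesis needs to be balanced against the existing `and`.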
--- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml
+++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/21"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/01/15"
+updated_date = "2026/03/19"
 [transform]
 [[transform.osquery]]
@@ -126,8 +126,8 @@ query = '''
 file where host.os.type == "windows" and event.type == "creation" and process.name : ("cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "node.exe", "python*.exe") and file.extension in~ (
- "pdf", "dll", "exe", "dat", "com", "bat", "cmd", "sys", "vbs", "ps1", "hta", "txt", "vbe", "js",
- "wsh", "docx", "doc", "xlsx", "xls", "pptx", "ppt", "rtf", "gif", "jpg", "png", "bmp", "img", "iso"
+ "pdf", "dll", "exe", "dat", "com", "bat", "cmd", "sys", "vbs", "vbe", "ps1", "hta", "txt", "js", "jse",
+ "wsh", "wsf", "sct", "docx", "doc", "xlsx", "xls", "pptx", "ppt", "rtf", "gif", "jpg", "png", "bmp", "img", "iso"
 ) and file.path : "C:\\*:*" and not file.name :("*:$DATA", "*PG$Secure", "*Zone.Identifier", "*com.apple.lastuseddate#PS", "*com.apple.provenance")
diff --git a/rules/windows/execution_windows_script_from_internet.toml b/rules/windows/execution_windows_script_from_internet.toml
index 8e5d6c3ee..b0f8b6c40 100644
--- a/rules/windows/execution_windows_script_from_internet.toml
+++ b/rules/windows/execution_windows_script_from_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/31"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/01/12"
+updated_date = "2026/03/19"
 min_stack_version = "9.1.0"
 min_stack_comments = "Changing min stack to 9.1.0, the latest minimum supported version for 9.X releases." 
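Review bot: The ADS rule's `in~` list gains `jse`, `wsf` and `sct` on the `+` lines but not `scr`, `pif` or `cpl`, which this same commit adds to the BITS, SMB and remote-copy rules; a PE or control-panel applet stashed in an alternate data stream by cmd.exe or powershell.exe is only flagged here if it is named `.exe`, `.dll` or `.com`. Suggest appending `"scr", "pif", "cpl"` after `"exe"` on the first `+` line so the executable coverage matches the other rules. The `file.path` and `file.name` exclusions on the following context line are pre-existing and unchanged.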
@@ -35,14 +35,16 @@ query = '''
 sequence by host.id, user.id with maxspan=3m
 [file where host.os.type == "windows" and event.action == "creation" and user.id != "S-1-5-18" and process.name : ("chrome.exe", "msedge.exe", "brave.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "explorer.exe", "winrar.exe", "7zFM.exe", "7zG.exe", "Bandizip.exe") and
- file.extension in~ ("js", "jse", "vbs", "vbe", "wsh", "hta", "cmd", "bat") and
+ file.extension in~ ("js", "jse", "vbs", "vbe", "wsh", "wsf", "sct", "hta", "cmd", "bat", "ps1", "msi") and
 (file.origin_url != null or file.origin_referrer_url != null)]
 [process where host.os.type == "windows" and event.type == "start" and process.parent.name : ("chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "explorer.exe", "winrar.exe", "7zFM.exe", "7zG.exe", "Bandizip.exe") and process.args_count >= 2 and (
- process.name in~ ("wscript.exe", "mshta.exe") or
- (process.name : "cmd.exe" and process.command_line : ("*.cmd*", "*.bat*"))
+ process.name in~ ("wscript.exe", "cscript.exe", "mshta.exe") or
+ (process.name : "cmd.exe" and process.command_line : ("*.cmd*", "*.bat*", "*.wsf*")) or
+ (process.name in~ ("powershell.exe", "pwsh.exe") and process.command_line : "*.ps1*") or
+ (process.name : "msiexec.exe" and process.command_line : "*.msi" and process.args : ("/i*", "-i*"))
 )]
 '''
 note = """## Triage and analysis
@@ -123,6 +125,11 @@ id = "T1218.005"
 name = "Mshta"
 reference = "https://attack.mitre.org/techniques/T1218/005/"
+[[rule.threat.technique.subtechnique]]
+id = "T1218.007"
+name = "Msiexec"
+reference = "https://attack.mitre.org/techniques/T1218/007/"
+
 [rule.threat.tactic]
diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
index 5c039bad9..c2c614f4a 100644
--- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml 
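Review bot: The new msiexec branch uses `process.command_line : "*.msi"` without a trailing wildcard, unlike `"*.ps1*"` on the line above, so it only fires when the command line literally ends in `.msi`; the typical explorer launch `msiexec.exe /i "C:\Users\x\Downloads\setup.msi"` ends in a quote, and any trailing `/qn` or `/quiet` breaks the match as well. Change it to `(process.name : "msiexec.exe" and process.command_line : "*.msi*" and process.args : ("/i*", "-i*"))`. Separately, `sct` was added to the file-creation step but no process step covers scriptlet execution — `.sct` files are normally run via `regsvr32.exe /i:<file> scrobj.dll`, not by wscript, mshta or cmd — so as written the `sct` entry is unlikely to ever complete the sequence unless a matching regsvr32 branch is added or the entry is documented as intentionally partial.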
+++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/10"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2026/03/19"
 [rule]
 author = ["Elastic"]
@@ -79,9 +79,9 @@ sequence by host.id with maxspan=30s
 network.direction : ("incoming", "ingress") and network.transport == "tcp" and source.ip != "127.0.0.1" and source.ip != "::1" ] by process.entity_id
- /* add more executable extensions here if they are not noisy in your environment */
- [file where host.os.type == "windows" and event.type in ("creation", "change") and process.pid == 4 and
- (file.Ext.header_bytes : "4d5a*" or file.extension : ("exe", "scr", "pif", "com", "dll"))] by process.entity_id
+ /* add more executable / script extensions here if they are not noisy in your environment */
+ [file where host.os.type == "windows" and event.type in ("creation", "change") and process.pid == 4 and user.id like ("S-1-5-21*", "S-1-12-*") and
+ (file.Ext.header_bytes : "4d5a*" or file.extension : ("exe", "scr", "pif", "com", "dll", "bat", "cmd", "ps1", "vbs", "vbe", "js", "jse", "wsh", "wsf", "sct", "hta", "cpl"))] by process.entity_id
 '''
diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
index 665a60a6e..9f04832e1 100644
--- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
+++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/09/04"
+updated_date = "2026/03/19"
 [transform]
 [[transform.osquery]] 
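Review bot: The added `user.id like ("S-1-5-21*", "S-1-12-*")` predicate on the second `+` line narrows the SMB transfer rule to domain/local and Entra ID account SIDs, a scope change that neither the commit message (which only mentions extensions) nor the updated comment directly above it explains, so a later maintainer cannot tell whether dropping writes attributed to machine, built-in or well-known SIDs was deliberate tuning. Add a comment on the new line stating the intent, e.g. `/* only writes attributed to domain/local (S-1-5-21-*) or Entra ID (S-1-12-*) accounts; machine and built-in service SIDs are excluded to reduce noise */` — adjust if the actual reason differs. Note that `like` is case-sensitive in EQL, which is fine for SIDs since they are always emitted as upper-case `S-`.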
@@ -110,7 +110,7 @@ type = "eql"
 query = '''
 sequence with maxspan=1m
 [file where host.os.type == "windows" and event.type in ("creation", "change") and
- process.pid == 4 and (file.extension : "exe" or file.Ext.header_bytes : "4d5a*")] by host.id, file.path
+ process.pid == 4 and (file.extension : ("exe", "scr", "pif", "com") or file.Ext.header_bytes : "4d5a*")] by host.id, file.path
 [process where host.os.type == "windows" and event.type == "start" and not ( (
diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml
index 2c10b53bf..2458d4540 100644
--- a/rules/windows/persistence_startup_folder_scripts.toml
+++ b/rules/windows/persistence_startup_folder_scripts.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/19"
 [transform]
 [[transform.osquery]]
@@ -132,7 +132,7 @@ file where host.os.type == "windows" and event.type != "deletion" and
 /* Call attention to file extensions that may be used for malicious purposes */
 /* Optionally, Windows scripting engine processes targeting shortcut files */
 (
- file.extension : ("vbs", "vbe", "wsh", "wsf", "js") or
+ file.extension : ("vbs", "vbe", "wsh", "wsf", "js", "jse", "sct", "hta", "ps1", "bat", "cmd") or
 process.name : ("wscript.exe", "cscript.exe")
 ) and not (startsWith(user.domain, "NT") or endsWith(user.domain, "NT"))
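Review bot: `ps1` and `sct` joined the Startup-folder list on the `+` line, but unlike `vbs`, `js`, `hta`, `bat` and `cmd` neither executes when the Startup folder is processed at logon — `.ps1` opens in Notepad under the default association and, to my knowledge, `.sct` has no execute handler at all — so these two entries add staging/hunting coverage rather than persistence detection and may produce benign alerts from users parking scripts there. If that is intentional, say so in the existing comment, e.g. `/* ps1 and sct do not auto-execute from Startup; included to surface staging */`; otherwise drop them from this rule. The enclosing `file where` clause begins in the hunk header and the `not (startsWith(user.domain, "NT") ...)` exclusion appears to be its final line.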