From 1dd1bb8f1e91d4d09c950c538d6613d57afd2e30 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Wed, 13 Aug 2025 08:46:46 -0300
Subject: [PATCH] [Rule Tuning] Fixes FPs related to a process.args_count bug (#4971)
---
 .../windows/defense_evasion_masquerading_werfault.toml | 7 +++++--
 .../windows/defense_evasion_rundll32_no_arguments.toml | 6 ++++--
 rules/windows/defense_evasion_unusual_dir_ads.toml | 10 ++++++++--
 ...vasion_unusual_network_connection_via_rundll32.toml | 10 ++++++++--
 4 files changed, 25 insertions(+), 8 deletions(-)
diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml
index 3c3739992..3f056e547 100644
--- a/rules/windows/defense_evasion_masquerading_werfault.toml
+++ b/rules/windows/defense_evasion_masquerading_werfault.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/24"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/05/05"
+updated_date = "2025/08/12"
 [transform]
 [[transform.osquery]]
@@ -120,7 +120,10 @@ type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan = 5s
- [process where host.os.type == "windows" and event.type:"start" and process.name : ("wermgr.exe", "WerFault.exe") and process.args_count == 1]
+ [process where host.os.type == "windows" and event.type:"start" and process.name : ("wermgr.exe", "WerFault.exe") and
+ (process.args_count == 1 and
+ /* Excludes bug where a missing closing quote sets args_count to 1 despite extra args */
+ not process.command_line regex~ """\".*\.exe[^\"].*""")]
 [network where host.os.type == "windows" and process.name : ("wermgr.exe", "WerFault.exe") and network.protocol != "dns" and network.direction : ("outgoing", "egress") and destination.ip !="::1" and destination.ip !="127.0.0.1" ]
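Review bot: The exclusion on the last added line keys on process.command_line, a string the creator of the process sets, and `\".*\.exe[^\"].*` is looser than the bug it works around: the `.*` between the opening quote and `.exe` lets any quoted command line that contains `.exe` followed by one non-quote character anywhere in the string be dropped from the rule. If the bug is the one the comment describes (an unterminated opening quote around the executable path, followed by further arguments), the pattern can be pinned to that shape, e.g. `not process.command_line regex~ """\"[^\"]*\.exe .*"""`, so the carve-out stops at the path token instead of matching a later `.exe`. The same pattern is added in defense_evasion_rundll32_no_arguments.toml, defense_evasion_unusual_dir_ads.toml and defense_evasion_unusual_network_connection_via_rundll32.toml, and the four copies already differ in layout, so one agreed form (or a shared definition, if the rule tooling supports it) would keep them from drifting. The comment should also name the producer of the mis-counted field and the retirement condition, e.g. `/* Workaround for an args_count bug: an unterminated quote in the executable path yields 1 even with extra args; remove once the fix is deployed */`, because an exclusion with no removal condition tends to outlive the bug; the closing `'''` of this query lies outside the hunk.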
diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml
index 03fa7fb9c..350f90971 100644
--- a/rules/windows/defense_evasion_rundll32_no_arguments.toml
+++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/12"
 [transform]
 [[transform.osquery]]
@@ -116,7 +116,9 @@ query = '''
 sequence with maxspan=1h
 [process where host.os.type == "windows" and event.type == "start" and
 (process.name : "rundll32.exe" or process.pe.original_file_name == "RUNDLL32.EXE") and
- process.args_count == 1
+ (process.args_count == 1 and
+ /* Excludes bug where a missing closing quote sets args_count to 1 despite extra args */
+ not process.command_line regex~ """\".*\.exe[^\"].*""")
 ] by process.entity_id
 [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "rundll32.exe" ] by process.parent.entity_id
diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml
index 4624bd373..2ad97e219 100644
--- a/rules/windows/defense_evasion_unusual_dir_ads.toml
+++ b/rules/windows/defense_evasion_unusual_dir_ads.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/12"
 [rule]
 author = ["Elastic"]
@@ -79,7 +79,13 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- process.args : "?:\\*:*" and process.args_count == 1
+ process.args : "?:\\*:*" and
+ (
+ process.args_count == 1 and
+
+ /* Excludes bug where a missing closing quote sets args_count to 1 despite extra args */
+ not process.command_line regex~ """\".*\.exe[^\"].*"""
+ )
 '''
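Review bot: In the defense_evasion_unusual_dir_ads.toml query hunk the added exclusion `\".*\.exe[^\"].*` also discards true positives of this rule, because the single ADS argument it keys on (`?:\\*:*`) can itself contain `.exe` ahead of the stream separator: a quoted command line whose host file name ends in `.exe` has `.exe` followed by `:`, which satisfies `[^\"]`, so `not ... regex~` becomes false and the event is filtered out. Since the bug being worked around is an unterminated quote followed by further arguments, requiring a space after `.exe`, `not process.command_line regex~ """\"[^\"]*\.exe .*"""`, keeps the carve-out to that shape and leaves the ADS form alone; the rule's test fixtures should include a quoted command line of the form `"<drive>:\<dir>\host.exe:stream"` so this regression is pinned. The empty added line inside the parenthesised group (repeated in the defense_evasion_unusual_network_connection_via_rundll32.toml hunk) is a layout oddity the other two files avoid; drop it or format all four hunks the same way. The closing `'''` of this query is the hunk's last context line, so the block is complete here.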
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
index 537786d54..d8f7da300 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/12"
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,13 @@ type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=1m
- [process where host.os.type == "windows" and event.type == "start" and process.name : "rundll32.exe" and process.args_count == 1]
+ [process where host.os.type == "windows" and event.type == "start" and process.name : "rundll32.exe" and
+ (
+ process.args_count == 1 and
+
+ /* Excludes bug where a missing closing quote sets args_count to 1 despite extra args */
+ not process.command_line regex~ """\".*\.exe[^\"].*"""
+ )]
 [network where host.os.type == "windows" and process.name : "rundll32.exe" and not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32",