From 22cf1f0cedc6ef693a4262eac61df8f495ff71da Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 21 May 2025 06:25:16 +0100
Subject: [PATCH] [Tuning] Account Discovery Command via SYSTEM Account (#4734)

* Update discovery_command_system_account.toml
* Update discovery_command_system_account.toml
* Update discovery_command_system_account.toml
* Update discovery_command_system_account.toml
* Update discovery_command_system_account.toml
---
 .../discovery_command_system_account.toml | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml
index 95fbfd10c..03d5ecdf5 100644
--- a/rules/windows/discovery_command_system_account.toml
+++ b/rules/windows/discovery_command_system_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/05/20"
 
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,20 @@ process where host.os.type == "windows" and event.type == "start" and (
 process.name : "net1.exe" and not process.parent.name : "net.exe" and not process.args : ("start", "stop", "/active:*")
 )
- )
+ ) and
+process.parent.executable != null and
+not (process.name : "net1.exe" and process.working_directory : "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\") and
+not process.parent.executable :
+ ("C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe",
+ "C:\\Program Files\\Dell\\SupportAssistAgent\\SRE\\SRE.exe",
+ "C:\\Program Files\\Obkio Agent\\main.dist\\ObkioAgentSoftware.exe",
+ "C:\\Windows\\Temp\\WinGet\\defaultState\\PostgreSQL.PostgreSQL*\\postgresql-*-windows-x64.exe",
+ "C:\\Program Files\\Obkio Agent\\main.dist\\ObkioAgentSoftware.exe",
+ "C:\\Program Files (x86)\\SolarWinds\\Agent\\Plugins\\JobEngine\\SWJobEngineWorker2.exe") and
+not (process.parent.executable : "C:\\Windows\\Sys?????\\WindowsPowerShell\\v1.0\\powershell.exe" and
+ process.parent.args : ("C:\\Program Files (x86)\\Microsoft Intune Management Extension\\*.ps1",
+ "Agent\\Modules\\AdHealthConfiguration\\AdHealthConfiguration.psd1'")) and
+not (process.parent.name : "cmd.exe" and process.working_directory : "C:\\Program Files\\Infraon Corp\\SecuraAgent\\")
 '''
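Review bot: The `not process.parent.executable :` list in this hunk contains `"C:\\Program Files\\Obkio Agent\\main.dist\\ObkioAgentSoftware.exe"` twice; one copy should go. The second `process.parent.args` value, `"Agent\\Modules\\AdHealthConfiguration\\AdHealthConfiguration.psd1'"`, ends in a literal apostrophe and carries no wildcard, so it exempts only an argument logged with that exact trailing quote — if the captured argument does not really end that way this is a typo and the carve-out is dead. `process.parent.executable != null` also drops every start event in which the field is absent, which narrows the rule beyond the listed false positives for any `windows`-integration source that does not populate it; that trade-off is worth a line in the rule's note or description. The remaining carve-outs key solely on `process.working_directory` and parent path, which are satisfied by any process run from those locations, so where the `endpoint` data supplies parent code-signature fields, pairing them with the path would make these exclusions considerably tighter. The `query` string these lines close with `'''` begins before this hunk.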