diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml
index 39c42b1c4..9f27f9612 100644
--- a/rules/windows/execution_suspicious_cmd_wmi.toml
+++ b/rules/windows/execution_suspicious_cmd_wmi.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/05/20"
 [rule]
 author = ["Elastic"]
@@ -64,9 +64,9 @@ references = [
     "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
     "https://www.elastic.co/security-labs/operation-bleeding-bear",
 ]
-risk_score = 47
+risk_score = 73
 rule_id = "12f07955-1674-44f7-86b5-c35da0a6f41a"
-severity = "medium"
+severity = "high"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",
@@ -86,8 +86,9 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
-  process.parent.name : "WmiPrvSE.exe" and process.name : "cmd.exe" and
-  process.args : "\\\\127.0.0.1\\*" and process.args : ("2>&1", "1>")
+  process.parent.name : "WmiPrvSE.exe" and process.name : "cmd.exe" and process.args : "/c" and process.args:"/Q" and
+  process.args : "2>&1" and process.args: "1>" and
+  process.args : ("C:\\windows\\temp\\*.txt", "\\Windows\\Temp\\*", "-encodehex", "\\\\127.0.0.1\\C$\\Windows\\Temp\\*", "\\\\127.0.0.1\\ADMIN$\\__*.*")
 '''
diff --git a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
index 441b22f62..fe6449c22 100644
--- a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
+++ b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
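Review bot: The new argument list hard-codes the drive letter in `"C:\\windows\\temp\\*.txt"`, whereas the other rules in this same change use the drive-agnostic form (`"?:\\Windows\\System32\\conhost.exe"`); `"?:\\windows\\temp\\*.txt"` keeps the intent and also covers hosts whose system drive is not C. Spacing around the `:` operator is inconsistent in the added lines (`process.args : "/c"`, `process.args:"/Q"`, `process.args: "1>"`); normalizing to `process.args : "/Q"` and `process.args : "1>"` matches the surrounding query. The query now requires `/c`, `/Q`, `2>&1` and `1>` together, which is considerably narrower than the old `("2>&1", "1>")` alternative and presumably motivates the risk_score/severity increase in the previous hunk; recording that rationale in the rule's description (outside this hunk) or a short query comment would spare the next maintainer from reconstructing it.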
@@ -2,7 +2,7 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/05/20"
 [rule]
 author = ["Elastic"]
@@ -78,7 +78,7 @@ type = "eql"
 query = '''
 sequence by host.id with maxspan=30s
   [network where host.os.type == "windows" and process.pid == 4 and network.direction : ("incoming", "ingress") and
-   destination.port in (5985, 5986) and network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"]
+   destination.port in (5985, 5986) and source.ip != "127.0.0.1" and source.ip != "::1"]
   [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "winrshost.exe" and
    not process.executable : "?:\\Windows\\System32\\conhost.exe"]
 '''
diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml
index d46baf95e..8dbb6d82a 100644
--- a/rules/windows/lateral_movement_incoming_wmi.toml
+++ b/rules/windows/lateral_movement_incoming_wmi.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/15"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/05/20"
 [rule]
 author = ["Elastic"]
@@ -69,13 +69,12 @@ tags = [
 type = "eql"
 query = '''
-sequence by host.id with maxspan = 2s
+sequence by host.id with maxspan = 20s
 /* Accepted Incoming RPC connection by Winmgmt service */
 [network where host.os.type == "windows" and process.name : "svchost.exe" and network.direction : ("incoming", "ingress") and
-  source.ip != "127.0.0.1" and source.ip != "::1" and source.port >= 49152 and destination.port >= 49152
-  ]
+  source.ip != "127.0.0.1" and source.ip != "::1" and destination.port == 135]
 /* Excluding Common FPs Nessus and SCCM */
diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml
index f6227044c..d5d097426 100644
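Review bot: Dropping `network.protocol == "http"` widens the first sequence step to any inbound connection to 5985/5986 observed from `process.pid == 4`, and nothing in the hunk records why, so the clause is likely to be re-added by a later editor. A one-line query comment above the `[network where` step, e.g. `/* network.protocol not required: WinRM traffic is matched on destination port 5985/5986 alone */`, would preserve the rationale (presumably the field is not consistently populated for these events; worth confirming before merging). The same clause is removed from lateral_movement_powershell_remoting_target.toml further down in this change, and the comment belongs there as well.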
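Review bot: The retained comment `/* Accepted Incoming RPC connection by Winmgmt service */` no longer matches the filter below it: with the ephemeral-port constraints replaced by `destination.port == 135`, the network step now matches the RPC endpoint-mapper connection accepted by `svchost.exe`, not the dynamic port the WMI service itself listens on. Suggest `/* Incoming RPC endpoint mapper (TCP 135) connection accepted by svchost.exe */`. The maxspan change from 2s to 20s is presumably needed because the provider activity now follows an extra endpoint-mapper round trip, but the hunk does not say so; a trailing clause in the same comment would document it. The sequence's remaining step and the FP exclusions continue outside this hunk.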
--- a/rules/windows/lateral_movement_powershell_remoting_target.toml
+++ b/rules/windows/lateral_movement_powershell_remoting_target.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/05/20"
 [rule]
 author = ["Elastic"]
@@ -82,7 +82,7 @@ type = "eql"
 query = '''
 sequence by host.id with maxspan = 30s
   [network where host.os.type == "windows" and network.direction : ("incoming", "ingress") and destination.port in (5985, 5986) and
-   network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"]
+   source.ip != "127.0.0.1" and source.ip != "::1"]
  [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "wsmprovhost.exe" and
   not process.executable : "?:\\Windows\\System32\\conhost.exe"]
 '''