[Tuning] Reduce NewTerm history_window_start for Windows Rules (#5560)

* [Tuning] Reduce NewTerm history_window_start for Windows Rules

Reduce Windows NewTerm rules history_window_start from 14d to 5d.

* Update execution_command_shell_started_by_svchost.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update persistence_scheduled_task_updated.toml
Samirbous
2026-01-16 12:46:45 +00:00
committed by GitHub
parent 4cb9a1775d
commit 31de1789c4
10 changed files with 48 additions and 77 deletions
@@ -2,7 +2,7 @@
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2026/01/15"
[rule]
author = ["Elastic"]
@@ -51,9 +51,9 @@ The Microsoft Build Engine (MSBuild) is a platform for building applications, ty
- Reset credentials for any user accounts that were active on the affected system during the time of the alert to prevent unauthorized access.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring and logging for MSBuild and script interpreter activities across the network to detect and respond to similar threats in the future."""
risk_score = 21
risk_score = 47
rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2"
severity = "low"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Windows",
@@ -71,7 +71,17 @@ query = '''
host.os.type:windows and event.category:process and event.type:start and (
process.name.caseless:"msbuild.exe" or process.pe.original_file_name:"MSBuild.exe") and
process.parent.name:("cmd.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "cscript.exe" or
"wscript.exe" or "mshta.exe")
"wscript.exe" or "mshta.exe") and
not process.executable : (
"C:\\Program Files\\Microsoft Visual Studio\\2022\\Professional\\MSBuild\\Current\\Bin\\MSBuild.exe" or
"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe" or
"C:\\Program Files (x86)\\Microsoft Visual Studio\\2022\\BuildTools\\MSBuild\\Current\\Bin\\MSBuild.exe" or
"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\BuildTools\\MSBuild\\Current\\Bin\\amd64\\MSBuild.exe" or
"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Professional\\MSBuild\\Current\\Bin\\amd64\\MSBuild.exe" or
"C:\\Program Files (x86)\\MSBuild\\14.0\\Bin\\amd64\\MSBuild.exe" or
"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\BuildTools\\MSBuild\\Current\\Bin\\MSBuild.exe" or
"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Professional\\MSBuild\\Current\\Bin\\MSBuild.exe" or
"C:\\Program Files\\Microsoft Visual Studio\\2022\\Professional\\MSBuild\\Current\\Bin\\amd64\\MSBuild.exe")
'''
@@ -122,9 +132,9 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "user.name", "process.command_line"]
value = ["host.id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
value = "now-5d"
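Review bot: The process.executable exclusions added at L49-L58 carve out exactly the signed, default-installed MSBuild binaries that inline-task abuse relies on, so `powershell.exe -> "C:\Program Files\...\MSBuild\Current\Bin\MSBuild.exe" evil.csproj` from a standard Visual Studio install no longer alerts and only a relocated or renamed MSBuild does. A bare path match is not a trust decision either; it says nothing about what was launched or why a script interpreter launched it. If the goal is to suppress developer builds, keep the path list but make the exception conditional, e.g. `not (process.executable : (...) and process.code_signature.trusted : true and not process.args : ("*\\Temp\\*", "*\\AppData\\*", "*\\Users\\Public\\*"))`, with the field names confirmed against what the endpoint/windows integrations populate for KQL rules. Note that new_terms_fields is also reduced to `host.id` in this file, so a single benign build on a host additionally masks any later script-launched MSBuild on that host for the 5-day window.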
@@ -2,7 +2,7 @@
creation_date = "2020/03/25"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2026/01/15"
[rule]
author = ["Elastic"]
@@ -116,9 +116,9 @@ reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "user.name"]
value = ["host.id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
value = "now-5d"
@@ -2,7 +2,7 @@
creation_date = "2021/01/21"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/07/02"
updated_date = "2026/01/15"
[transform]
[[transform.osquery]]
@@ -33,8 +33,8 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
[rule]
author = ["Elastic"]
description = """
Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files
and sometimes done by adversaries to hide malware.
Identifies suspicious creation of Alternate Data Streams on highly targeted files using a script or command interpreter.
This is uncommon for legitimate files and sometimes done by adversaries to hide malware.
"""
from = "now-9m"
index = [
@@ -104,9 +104,9 @@ Attackers can abuse these alternate data streams to hide malicious files, string
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
risk_score = 21
risk_score = 73
rule_id = "71bccb61-e19b-452f-b104-79a60e546a95"
severity = "low"
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Windows",
@@ -124,52 +124,13 @@ type = "eql"
query = '''
file where host.os.type == "windows" and event.type == "creation" and
file.path : "C:\\*:*" and file.extension in~ (
process.name : ("cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "node.exe", "python*.exe") and
file.extension in~ (
"pdf", "dll", "exe", "dat", "com", "bat", "cmd", "sys", "vbs", "ps1", "hta", "txt", "vbe", "js",
"wsh", "docx", "doc", "xlsx", "xls", "pptx", "ppt", "rtf", "gif", "jpg", "png", "bmp", "img", "iso"
) and
not file.path :
("C:\\*:zone.identifier*",
"C:\\users\\*\\appdata\\roaming\\microsoft\\teams\\old_weblogs_*:$DATA",
"C:\\Windows\\CSC\\*:CscBitmapStream") and
not process.executable : (
"?:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe",
"?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Program Files (x86)\\Microsoft Office\\root\\*\\EXCEL.EXE",
"?:\\Program Files (x86)\\Microsoft Office\\root\\*\\OUTLOOK.EXE",
"?:\\Program Files (x86)\\Microsoft Office\\root\\*\\POWERPNT.EXE",
"?:\\Program Files (x86)\\Microsoft Office\\root\\*\\WINWORD.EXE",
"?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
"?:\\Program Files\\ExpressConnect\\ExpressConnectNetworkService.exe",
"?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Program Files\\Microsoft Office\\root\\*\\EXCEL.EXE",
"?:\\Program Files\\Microsoft Office\\root\\*\\OUTLOOK.EXE",
"?:\\Program Files\\Microsoft Office\\root\\*\\POWERPNT.EXE",
"?:\\Program Files\\Microsoft Office\\root\\*\\WINWORD.EXE",
"?:\\Program Files\\Mozilla Firefox\\firefox.exe",
"?:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe",
"?:\\Program Files\\Rivet Networks\\SmartByte\\SmartByteNetworkService.exe",
"?:\\Windows\\explorer.exe",
"?:\\Windows\\System32\\DataExchangeHost.exe",
"?:\\Windows\\System32\\drivers\\Intel\\ICPS\\IntelConnectivityNetworkService.exe",
"?:\\Windows\\System32\\drivers\\RivetNetworks\\Killer\\KillerNetworkService.exe",
"?:\\Windows\\System32\\inetsrv\\w3wp.exe",
"?:\\Windows\\System32\\PickerHost.exe",
"?:\\Windows\\System32\\RuntimeBroker.exe",
"?:\\Windows\\System32\\SearchProtocolHost.exe",
"?:\\Windows\\System32\\sihost.exe",
"?:\\windows\\System32\\svchost.exe",
"?:\\Windows\\System32\\WFS.exe"
) and
not (
?process.code_signature.trusted == true and
file.name : "*:sec.endpointdlp:$DATA"
)
file.path : "C:\\*:*" and
not file.name :("*:$DATA", "*PG$Secure", "*Zone.Identifier", "*com.apple.lastuseddate#PS", "*com.apple.provenance")
'''
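Review bot: `not file.name :("*:$DATA", ...)` on L164 excludes by the NTFS stream-type suffix rather than by stream name; the removed exclusions at L128 and L161 (`old_weblogs_*:$DATA`, `*:sec.endpointdlp:$DATA`) show the sensor does report some ADS creations with that suffix, so a malicious stream reported the same way (for example `payload.exe:hidden:$DATA`) would be suppressed wholesale. I would exclude only the specific benign streams, e.g. `"*:Zone.Identifier", "*:sec.endpointdlp:$DATA", "*PG$Secure"`, and confirm from endpoint telemetry whether `:$DATA` is appended consistently before relying on it at all. The interpreter list on L121 also omits `pwsh.exe`, `cscript.exe` and `powershell_ise.exe`, which the MSBuild rule in this same commit (L46) treats as script interpreters; if the omission is deliberate, the description should say so given the jump to risk_score 73/high.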
@@ -2,7 +2,7 @@
creation_date = "2020/10/15"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2026/01/15"
[transform]
[[transform.osquery]]
@@ -199,9 +199,9 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "winlog.event_data.SubjectUserName", "winlog.event_data.CallerProcessName"]
value = ["winlog.event_data.CallerProcessName"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
value = "now-5d"
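Review bot: Dropping `host.id` and `winlog.event_data.SubjectUserName` from new_terms_fields on L178 makes the term fleet-wide: once any host has logged a given CallerProcessName within the 5-day history, the same caller path on every other host is no longer "new", so a discovery tool already seen on a build server stops alerting when it first appears on a domain controller. CallerProcessName also collides across hosts for unrelated binaries that merely share an install path, which makes it a weak sole key. If the intent is to cut volume from common callers, `value = ["host.id", "winlog.event_data.CallerProcessName"]` keeps the per-host baseline while still dropping the user dimension; if fleet-wide novelty is intentional, the rule's note field should state it so analysts understand why a first sighting on their host did not fire.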
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2023/09/22"
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2026/01/15"
[rule]
author = ["Elastic"]
@@ -86,6 +86,6 @@ field = "new_terms_fields"
value = ["host.id", "user.id", "process.command_line"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
value = "now-5d"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2023/09/22"
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2026/01/15"
[rule]
author = ["Elastic"]
@@ -81,6 +81,6 @@ field = "new_terms_fields"
value = ["host.id", "user.id", "process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
value = "now-5d"
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/07/02"
updated_date = "2026/01/15"
[transform]
[[transform.osquery]]
@@ -200,9 +200,9 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.command_line", "user.id"]
value = ["process.command_line"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
value = "now-5d"
@@ -2,7 +2,7 @@
creation_date = "2020/11/17"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/12/01"
updated_date = "2026/01/15"
[rule]
author = ["Elastic"]
@@ -138,9 +138,9 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable", "user.id"]
value = ["process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
value = "now-5d"
@@ -2,7 +2,7 @@
creation_date = "2022/08/29"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/11/14"
updated_date = "2026/01/15"
[rule]
author = ["Elastic"]
@@ -66,7 +66,7 @@ type = "new_terms"
query = '''
event.category: "iam" and host.os.type:"windows" and event.code: "4702" and
not winlog.event_data.SubjectUserSid: ("S-1-5-18" or "S-1-5-19" or "S-1-5-20") and
not winlog.event_data.SubjectUserSid : ("S-1-5-18" or "S-1-5-19" or "S-1-5-20") and
not user.name : *$
'''
@@ -91,8 +91,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "winlog.event_data.TaskName"]
value = ["winlog.event_data.TaskName"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
value = "now-5d"
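Review bot: Reducing new_terms_fields to `winlog.event_data.TaskName` alone on L264 means a 4702 for a task name updated on any host within 5 days is not new on other hosts, which is exactly the gap for hijacking of an existing task: modifying a well-known `\Microsoft\Windows\...` task on one endpoint is suppressed if that same name was legitimately updated anywhere in the fleet recently. `value = ["host.id", "winlog.event_data.TaskName"]` preserves per-host novelty at modest extra volume. The 5-day window also falls short of weekly maintenance cadences, so a task legitimately updated every 7 days will re-alert on every cycle where the previous 14d covered two; that is worth calling out in the rule's false-positive notes. The query edit on L257 is whitespace only.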
@@ -2,7 +2,7 @@
creation_date = "2020/08/14"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/08/13"
updated_date = "2026/01/15"
[rule]
author = ["Elastic"]
@@ -151,9 +151,9 @@ reference = "https://attack.mitre.org/tactics/TA0004/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "file.path"]
value = ["host.id", "file.name"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
value = "now-5d"
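Review bot: Switching the new-term key from `file.path` to `file.name` on L281 means a file that keeps a known name but lands in a new directory on the same host is no longer new, and for a privilege-escalation file rule (TA0004 per the reference line above) that is the case to care about: DLL search-order and service-binary hijacks reuse a legitimate filename in a different location. If noise from per-user or versioned directories is the motivation, an explicit `not file.path` exclusion in the query keeps the location dimension instead; otherwise I would stay on `file.path`. The query itself is outside this hunk, so I cannot tell whether it already constrains the directory.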