diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
index 72634c8b5..078583b84 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/01/15"
 [rule]
 author = ["Elastic"]
@@ -51,9 +51,9 @@ The Microsoft Build Engine (MSBuild) is a platform for building applications, ty
 - Reset credentials for any user accounts that were active on the affected system during the time of the alert to prevent unauthorized access.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for MSBuild and script interpreter activities across the network to detect and respond to similar threats in the future."""
-risk_score = 21
+risk_score = 47
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2"
-severity = "low"
+severity = "medium"
 tags = [
 "Domain: Endpoint",
 "OS: Windows",
@@ -71,7 +71,17 @@ query = '''
 host.os.type:windows and event.category:process and event.type:start and
 ( process.name.caseless:"msbuild.exe" or process.pe.original_file_name:"MSBuild.exe") and
 process.parent.name:("cmd.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "cscript.exe" or
- "wscript.exe" or "mshta.exe")
+ "wscript.exe" or "mshta.exe") and
+ not process.executable : (
+ "C:\\Program Files\\Microsoft Visual Studio\\2022\\Professional\\MSBuild\\Current\\Bin\\MSBuild.exe" or
+ "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe" or
+ "C:\\Program Files (x86)\\Microsoft Visual Studio\\2022\\BuildTools\\MSBuild\\Current\\Bin\\MSBuild.exe" or
+ "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\BuildTools\\MSBuild\\Current\\Bin\\amd64\\MSBuild.exe" or
+ "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Professional\\MSBuild\\Current\\Bin\\amd64\\MSBuild.exe" or
+ "C:\\Program Files (x86)\\MSBuild\\14.0\\Bin\\amd64\\MSBuild.exe" or
+ "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\BuildTools\\MSBuild\\Current\\Bin\\MSBuild.exe" or
+ "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Professional\\MSBuild\\Current\\Bin\\MSBuild.exe" or
+ "C:\\Program Files\\Microsoft Visual Studio\\2022\\Professional\\MSBuild\\Current\\Bin\\amd64\\MSBuild.exe")
 '''
@@ -122,9 +122,9 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "user.name", "process.command_line"]
+value = ["host.id"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-14d"
+value = "now-5d"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
index 1ca07de5e..ba363f8f5 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
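Review bot: The new `not process.executable : (...)` clause compares the path as an exact, case-sensitive keyword literal, while the same query already uses `process.name.caseless` for the image name, so an executable path recorded with different casing or on a drive other than C: is not excluded; if the integration maps a `.caseless` subfield for `process.executable`, using it here would keep the two conditions consistent. The excluded entries are also the default Visual Studio, BuildTools and MSBuild 14.0 install locations, which means a script host launching the installed MSBuild.exe from its normal path no longer matches this rule at all and only MSBuild run from some other location stays in scope. If that narrowing is intended, the rule's `note` or `description` should state it, for example `MSBuild launched from its default Visual Studio or BuildTools install path is excluded; only MSBuild started from a non-standard location by a script host is alerted on.`; if it is not, the exclusion should be paired with another condition rather than resting on the path alone. Finally, the list names only specific editions (2019 Community/Professional/BuildTools, 2022 Professional/BuildTools), so other editions on the same hosts will keep alerting and the list will presumably need extending as they appear.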
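Review bot: The history window is cut from `now-14d` to `now-5d` and the new-terms fields are reduced to `["host.id"]` with no rationale in the hunk; with a 5-day baseline a host whose legitimate script-launched MSBuild job runs weekly is treated as new every time, and with `user.name` and `process.command_line` dropped, a different user or command line on an already-seen host will never alert. The same window change appears in every other rule in this diff, and `host.id` is removed entirely from the fields in discovery_privileged_localgroup_membership, execution_command_shell_started_by_svchost, execution_suspicious_powershell_imgload and persistence_scheduled_task_updated, which turns those baselines fleet-wide: a term first seen on one host suppresses alerts for it on every other host for the rest of the window. That is a deliberate precision-versus-coverage trade-off, presumably driven by alert volume, so the reasoning belongs in the commit message or each rule's `note` section rather than being left implicit.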
+++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/01/15"
 [rule]
 author = ["Elastic"]
@@ -116,9 +116,9 @@ reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "user.name"]
+value = ["host.id"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-14d"
+value = "now-5d"
diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
index 8b224dcc5..b1847ea15 100644
--- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml
+++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/21"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/01/15"
 [transform]
 [[transform.osquery]]
@@ -33,8 +33,8 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
 [rule]
 author = ["Elastic"]
 description = """
-Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files
-and sometimes done by adversaries to hide malware.
+Identifies suspicious creation of Alternate Data Streams on highly targeted files using a script or command interpreter.
+This is uncommon for legitimate files and sometimes done by adversaries to hide malware.
 """
 from = "now-9m"
 index = [
@@ -104,9 +104,9 @@ Attackers can abuse these alternate data streams to hide malicious files, string
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
-risk_score = 21
+risk_score = 73
 rule_id = "71bccb61-e19b-452f-b104-79a60e546a95"
-severity = "low"
+severity = "high"
 tags = [
 "Domain: Endpoint",
 "OS: Windows",
@@ -124,52 +124,13 @@ type = "eql"
 query = '''
 file where host.os.type == "windows" and event.type == "creation" and
-
- file.path : "C:\\*:*" and file.extension in~ (
+ process.name : ("cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "node.exe", "python*.exe") and
+ file.extension in~ (
 "pdf", "dll", "exe", "dat", "com", "bat", "cmd", "sys", "vbs", "ps1", "hta", "txt", "vbe", "js", "wsh", "docx", "doc", "xlsx", "xls", "pptx", "ppt", "rtf", "gif", "jpg", "png", "bmp", "img", "iso"
 ) and
-
- not file.path :
- ("C:\\*:zone.identifier*",
- "C:\\users\\*\\appdata\\roaming\\microsoft\\teams\\old_weblogs_*:$DATA",
- "C:\\Windows\\CSC\\*:CscBitmapStream") and
-
- not process.executable : (
- "?:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe",
- "?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
- "?:\\Program Files (x86)\\Microsoft Office\\root\\*\\EXCEL.EXE",
- "?:\\Program Files (x86)\\Microsoft Office\\root\\*\\OUTLOOK.EXE",
- "?:\\Program Files (x86)\\Microsoft Office\\root\\*\\POWERPNT.EXE",
- "?:\\Program Files (x86)\\Microsoft Office\\root\\*\\WINWORD.EXE",
- "?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
- "?:\\Program Files\\ExpressConnect\\ExpressConnectNetworkService.exe",
- "?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
- "?:\\Program Files\\Microsoft Office\\root\\*\\EXCEL.EXE",
- "?:\\Program Files\\Microsoft Office\\root\\*\\OUTLOOK.EXE",
- "?:\\Program Files\\Microsoft Office\\root\\*\\POWERPNT.EXE",
- "?:\\Program Files\\Microsoft Office\\root\\*\\WINWORD.EXE",
- "?:\\Program Files\\Mozilla Firefox\\firefox.exe",
- "?:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe",
- "?:\\Program Files\\Rivet Networks\\SmartByte\\SmartByteNetworkService.exe",
- "?:\\Windows\\explorer.exe",
- "?:\\Windows\\System32\\DataExchangeHost.exe",
- "?:\\Windows\\System32\\drivers\\Intel\\ICPS\\IntelConnectivityNetworkService.exe",
- "?:\\Windows\\System32\\drivers\\RivetNetworks\\Killer\\KillerNetworkService.exe",
- "?:\\Windows\\System32\\inetsrv\\w3wp.exe",
- "?:\\Windows\\System32\\PickerHost.exe",
- "?:\\Windows\\System32\\RuntimeBroker.exe",
- "?:\\Windows\\System32\\SearchProtocolHost.exe",
- "?:\\Windows\\System32\\sihost.exe",
- "?:\\windows\\System32\\svchost.exe",
- "?:\\Windows\\System32\\WFS.exe"
- ) and
-
- not (
- ?process.code_signature.trusted == true and
- file.name : "*:sec.endpointdlp:$DATA"
- )
-
+ file.path : "C:\\*:*" and
+ not file.name :("*:$DATA", "*PG$Secure", "*Zone.Identifier", "*com.apple.lastuseddate#PS", "*com.apple.provenance")
 '''
diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml
index 06b50368e..dc0c01868 100644
--- a/rules/windows/discovery_privileged_localgroup_membership.toml
+++ b/rules/windows/discovery_privileged_localgroup_membership.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/15"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/01/15"
 [transform]
 [[transform.osquery]]
@@ -199,9 +199,9 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "winlog.event_data.SubjectUserName", "winlog.event_data.CallerProcessName"]
+value = ["winlog.event_data.CallerProcessName"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-14d"
+value = "now-5d"
diff --git a/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml b/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
index 28a0333b8..09f526f2d 100644
--- a/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
+++ b/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2023/09/22"
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/01/15"
 [rule]
 author = ["Elastic"]
@@ -86,6 +86,6 @@ field = "new_terms_fields"
 value = ["host.id", "user.id", "process.command_line"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-14d"
+value = "now-5d"
diff --git a/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml b/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
index 59c713295..b2c13ef3d 100644
--- a/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
+++ b/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2023/09/22"
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/01/15"
 [rule]
 author = ["Elastic"]
@@ -81,6 +81,6 @@ field = "new_terms_fields"
 value = ["host.id", "user.id", "process.executable"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-14d"
+value = "now-5d"
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index 1883fddf8..cbe06a592 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/01/15"
 [transform]
 [[transform.osquery]]
@@ -200,9 +200,9 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "process.command_line", "user.id"]
+value = ["process.command_line"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-14d"
+value = "now-5d"
diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml
index e0c4768eb..5c5700cf0 100644
--- a/rules/windows/execution_suspicious_powershell_imgload.toml
+++ b/rules/windows/execution_suspicious_powershell_imgload.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2026/01/15"
 [rule]
 author = ["Elastic"]
@@ -138,9 +138,9 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "process.executable", "user.id"]
+value = ["process.executable"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-14d"
+value = "now-5d"
diff --git a/rules/windows/persistence_scheduled_task_updated.toml b/rules/windows/persistence_scheduled_task_updated.toml
index c9a5d47a7..ae97d620a 100644
--- a/rules/windows/persistence_scheduled_task_updated.toml
+++ b/rules/windows/persistence_scheduled_task_updated.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/11/14"
+updated_date = "2026/01/15"
 [rule]
 author = ["Elastic"]
@@ -66,7 +66,7 @@ type = "new_terms"
 query = '''
 event.category: "iam" and host.os.type:"windows" and event.code: "4702" and
- not winlog.event_data.SubjectUserSid: ("S-1-5-18" or "S-1-5-19" or "S-1-5-20") and
+ not winlog.event_data.SubjectUserSid : ("S-1-5-18" or "S-1-5-19" or "S-1-5-20") and
 not user.name : *$
 '''
@@ -91,8 +91,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "winlog.event_data.TaskName"]
+value = ["winlog.event_data.TaskName"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-14d"
+value = "now-5d"
diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
index 5843a3e27..9581d5192 100644
--- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/08/13"
+updated_date = "2026/01/15"
 [rule]
 author = ["Elastic"]
@@ -151,9 +151,9 @@ reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "file.path"]
+value = ["host.id", "file.name"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-14d"
+value = "now-5d"