From 36b33e2c1322d28a29da72328512391e47841d95 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 18 Aug 2025 14:05:25 +0100
Subject: [PATCH] Update persistence_services_registry.toml (#4989)

---
 rules/windows/persistence_services_registry.toml | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml
index 6543ddd85..b183d949e 100644
--- a/rules/windows/persistence_services_registry.toml
+++ b/rules/windows/persistence_services_registry.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/18"
 
 [rule]
 author = ["Elastic"]
@@ -92,7 +92,13 @@ registry where host.os.type == "windows" and event.type == "change" and
       "\\SystemRoot\\System32\\drivers\\*.sys",
       "\\??\\?:\\Windows\\system32\\Drivers\\*.SYS",
       "\\??\\?:\\Windows\\syswow64\\*.sys",
-      "system32\\DRIVERS\\USBSTOR") and
+      "system32\\DRIVERS\\USBSTOR",
+      "system32\\drivers\\*.sys",
+      "C:\\WindowsAzure\\GuestAgent*.exe",
+      "\"C:\\Program Files\\Common Files\\McAfee\\*",
+      "C:\\Program Files (x86)\\VERITAS\\VxPBX\\bin\\pbx_exchange.exe",
+      "\"C:\\Program Files (x86)\\VERITAS\\VxPBX\\bin\\pbx_exchange.exe\"",
+      "\"C:\\ProgramData\\McAfee\\Agent\\Current\\*") and
   not (process.name : "procexp??.exe" and registry.data.strings : "?:\\*\\procexp*.sys") and
   not process.executable : (
         "?:\\Program Files\\*.exe",
@@ -103,7 +109,8 @@ registry where host.os.type == "windows" and event.type == "change" and
         "?:\\Windows\\System32\\services.exe",
         "?:\\Windows\\System32\\msiexec.exe",
         "?:\\Windows\\System32\\regsvr32.exe",
-        "?:\\Windows\\System32\\WaaSMedicAgent.exe"
+        "?:\\Windows\\System32\\WaaSMedicAgent.exe",
+        "?:\\Windows\\UUS\\amd64\\WaaSMedicAgent.exe"
 )
 '''
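Review bot: The new `registry.data.strings` exclusions in the second hunk hard-code the `C:` drive letter while every other path in this rule uses the `?:` placeholder (`"\\??\\?:\\Windows\\system32\\Drivers\\*.SYS"` three lines above, `"?:\\Program Files\\*.exe"` just below), so the same services will not be suppressed on a host whose system drive is not C:; writing them as `"?:\\WindowsAzure\\GuestAgent*.exe"` and likewise for the other five keeps the list consistent. The two McAfee entries end in `*` and are matched only on the ImagePath value being written, with no constraint on the writing process, so any service whose binary path begins with those prefixes is excluded regardless of which process registers it; tying them to the `process.executable` list below, or to a `process.code_signature.trusted == true` condition, would narrow that gap. Note also that `"\"C:\\Program Files\\Common Files\\McAfee\\*"` covers only the quoted form of the path, whereas the VERITAS entry was added in both quoted and unquoted forms. The `registry where` query this list belongs to starts and ends outside the hunk.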
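Review bot: The added `process.executable` entry `"?:\\Windows\\UUS\\amd64\\WaaSMedicAgent.exe"` in the third hunk pins the architecture folder, while the other entries in this list are fixed system directories with no per-architecture component; if the agent is also shipped under other architecture subfolders of `UUS` (not verifiable from this diff), the broader `"?:\\Windows\\UUS\\*\\WaaSMedicAgent.exe"` would avoid a follow-up change per architecture. Either form excludes on path alone, which is no weaker than the existing `System32` entry beside it. The closing `)` and `'''` end the query; its `registry where` header is outside the hunk.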