[Rule Tuning] Windows Misc Tunings (#5740)

* [Rule Tuning] Windows Misc Tunings

* ++

* Update defense_evasion_wsl_child_process.toml

* Update execution_powershell_susp_args_via_winscript.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Jonhnathan
2026-02-20 14:11:35 -03:00
committed by GitHub
parent 8ae6c4fd23
commit 3d647feb8c
13 changed files with 77 additions and 44 deletions
@@ -2,7 +2,7 @@
creation_date = "2021/11/22"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/09/12"
updated_date = "2026/02/19"
[rule]
author = ["Austin Songer"]
@@ -89,9 +89,12 @@ process where host.os.type == "windows" and event.type == "start" and
?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")
) and
(
process.args : "*Clear-History*" or
(process.args : ("*Remove-Item*", "rm") and process.args : ("*ConsoleHost_history.txt*", "*(Get-PSReadlineOption).HistorySavePath*")) or
(process.args : "*Set-PSReadlineOption*" and process.args : "*SaveNothing*")
process.command_line : "*Clear-History*" or
(
process.command_line : ("*Remove-Item*", "* rm *") and
process.command_line : ("*ConsoleHost_history.txt*", "*(Get-PSReadlineOption).HistorySavePath*")
) or
(process.command_line : "*Set-PSReadlineOption*" and process.command_line : "*SaveNothing*")
)
'''
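Review bot: The replacement pattern `"* rm *"` on the `Remove-Item` line matches the alias only when it is delimited by a space on both sides, so invocations where `rm` follows a quote or a `;` (e.g. `-c "rm ConsoleHost_history.txt"`) are missed, and the old exact-token `process.args : "rm"` did not cover them either. If the space-delimited form is deliberate, say so in a `/* */` comment next to it; otherwise enumerate the delimiters actually observed, e.g. `process.command_line : ("*Remove-Item*", "* rm *", "*\"rm *", "*;rm *") and`. The query block begins before this hunk.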
@@ -2,7 +2,7 @@
creation_date = "2020/11/25"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
maturity = "production"
updated_date = "2025/08/26"
updated_date = "2026/02/19"
[rule]
author = ["Elastic"]
@@ -22,13 +22,13 @@ index = [
]
language = "eql"
license = "Elastic License v2"
name = "Encoded Executable Stored in the Registry"
name = "Deprecated - Encoded Executable Stored in the Registry"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating Encoded Executable Stored in the Registry
### Investigating Deprecated - Encoded Executable Stored in the Registry
Windows Registry is a hierarchical database storing low-level settings for the OS and applications. Adversaries exploit it to hide encoded executables, evading detection by avoiding direct disk storage. The detection rule identifies suspicious registry modifications, specifically targeting encoded patterns indicative of hidden executables, thus flagging potential defense evasion tactics.
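Review bot: The `name` line and the `### Investigating` heading now carry the `Deprecated - ` prefix while `maturity = "production"` in the file's first hunk is unchanged, so the rule still ships as a live production rule whose only signal of deprecation is its title. If this repository's deprecation flow is meant to apply, the metadata should follow (normally `maturity = "deprecated"` together with a `deprecation_date`), or the commit description should state that this is a staged rename ahead of the metadata change. The same applies to the Adobe Hijack Persistence, Suspicious PrintSpooler Service Executable File Creation and Unusual Discovery Activity by User renames later in this commit.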
@@ -2,7 +2,7 @@
creation_date = "2020/11/18"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/08/28"
updated_date = "2026/02/19"
[rule]
author = ["Elastic"]
@@ -84,8 +84,8 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
process.executable : (
"C:\\*Program*Files*\\*.exe",
"\\Device\\HarddiskVolume*\\*Program*Files*\\*.exe"
"C:\\*Program Files*\\*.exe",
"\\Device\\HarddiskVolume*\\*Program Files*\\*.exe"
) and
not process.executable : (
"?:\\Program Files\\*.exe",
@@ -94,20 +94,14 @@ process where host.os.type == "windows" and event.type == "start" and
"?:\\ProgramData\\*.exe",
"?:\\Windows\\Downloaded Program Files\\*.exe",
"?:\\Windows\\Temp\\.opera\\????????????\\CProgram?FilesOpera*\\*.exe",
"?:\\Windows\\Temp\\.opera\\????????????\\CProgram?Files?(x86)Opera*\\*.exe"
) and
not (
/* Crowdstrike specific exclusion as it uses NT Object paths */
event.dataset == "crowdstrike.fdr" and
process.executable : (
"?:\\Windows\\Temp\\.opera\\????????????\\CProgram?Files?(x86)Opera*\\*.exe",
/* NT Object Paths */
"\\Device\\HarddiskVolume*\\Program Files\\*.exe",
"\\Device\\HarddiskVolume*\\Program Files (x86)\\*.exe",
"\\Device\\HarddiskVolume*\\Users\\*.exe",
"\\Device\\HarddiskVolume*\\ProgramData\\*.exe",
"\\Device\\HarddiskVolume*\\Windows\\Downloaded Program Files\\*.exe",
"\\Device\\HarddiskVolume*\\Windows\\Temp\\.opera\\????????????\\CProgram?FilesOpera*\\*.exe",
"\\Device\\HarddiskVolume*\\Windows\\Temp\\.opera\\????????????\\CProgram?Files?(x86)Opera*\\*.exe"
)
"\\Device\\HarddiskVolume*\\Windows\\Downloaded Program Files\\*.exe"
)
'''
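Review bot: The two `\\Device\\HarddiskVolume*\\Windows\\Temp\\.opera\\...` entries were dropped when the NT-path list was merged, while their `?:\\Windows\\Temp\\.opera\\...` counterparts were kept, and the inclusion pattern in the previous hunk now also matches `\\Device\\HarddiskVolume*\\*Program Files*\\*.exe`; if the character under `?` in `CProgram?FilesOpera` is a space, Opera's updater is excluded when reported with a drive letter but alerts when a source reports it with an NT object path. Either re-add `"\\Device\\HarddiskVolume*\\Windows\\Temp\\.opera\\????????????\\CProgram?FilesOpera*\\*.exe",` and `"\\Device\\HarddiskVolume*\\Windows\\Temp\\.opera\\????????????\\CProgram?Files?(x86)Opera*\\*.exe"` next to the other NT paths, or, if those paths no longer match the narrowed inclusion, drop the drive-letter Opera entries too for consistency. Removing the `event.dataset == "crowdstrike.fdr"` gate is fine since NT-path and drive-letter patterns cannot collide. The query begins before this hunk.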
@@ -2,7 +2,7 @@
creation_date = "2023/01/12"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/08/28"
updated_date = "2026/02/19"
[rule]
author = ["Elastic"]
@@ -82,7 +82,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "windows" and event.type : "start" and
process where host.os.type == "windows" and event.type : "start" and process.command_line != null and
process.parent.name : ("wsl.exe", "wslhost.exe") and
not process.executable : (
"?:\\Program Files (x86)\\*",
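Review bot: The new `process.command_line != null` guard on the first query line is unexplained and it drops every event from a source that does not populate command_line, which with this rule's mix of endpoint, system, SentinelOne and CrowdStrike data may or may not be all of them. A short comment would keep the next tuner from removing it as redundant, e.g. `/* command_line must exist so the benign-invocation exclusions at the end of the query can be evaluated */`. The query continues past this hunk.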
@@ -91,11 +91,12 @@ process where host.os.type == "windows" and event.type : "start" and
"?:\\Windows\\System32\\conhost.exe",
"?:\\Windows\\System32\\lxss\\wslhost.exe",
"?:\\Windows\\System32\\WerFault.exe",
"?:\\Windows\\System32\\wsl.exe",
"?:\\Windows\\Sys?????\\wslconfig.exe"
) and
not (
/* Crowdstrike specific exclusion as it uses NT Object paths */
event.dataset == "crowdstrike.fdr" and
(event.dataset == "crowdstrike.fdr" or event.action == "ProcessRollup2") and
process.executable : (
"\\Device\\HarddiskVolume*\\Program Files (x86)\\*",
"\\Device\\HarddiskVolume*\\Program Files\\*",
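Review bot: The condition now also accepts `event.action == "ProcessRollup2"`, but the comment directly above it still describes the exclusion as keyed on the CrowdStrike dataset alone, so a later reader may treat the second clause as redundant. Update it to name both triggers, e.g. `/* Crowdstrike specific exclusion (FDR dataset or ProcessRollup2 action) as it uses NT Object paths */`, assuming ProcessRollup2 is indeed the CrowdStrike process event here. The query continues past this hunk.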
@@ -103,8 +104,15 @@ process where host.os.type == "windows" and event.type : "start" and
"\\Device\\HarddiskVolume*\\Windows\\System32\\conhost.exe",
"\\Device\\HarddiskVolume*\\Windows\\System32\\lxss\\wslhost.exe",
"\\Device\\HarddiskVolume*\\Windows\\System32\\WerFault.exe",
"\\Device\\HarddiskVolume*\\Windows\\System32\\wsl.exe",
"\\Device\\HarddiskVolume*\\Windows\\Sys?????\\wslconfig.exe"
)
) and
not (
(process.name : "cmd.exe" and process.command_line : "*echo*%USERPROFILE%*") or
(process.name : "git.exe" and process.command_line : "git.exe -c log.*") or
(process.name : "powershell.exe" and process.command_line : "powershell.exe -Command $env:USERPROFILE") or
(process.name : "Code.exe" and process.command_line : ("*cli.js --folder-uri=vscode-remote://wsl*", "ms-vscode-remote.remote-wsl"))
)
'''
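Review bot: The new `cmd.exe` exclusion `"*echo*%USERPROFILE%*"` is an unanchored substring match, so any command line that merely contains `echo` and `%USERPROFILE%` is excluded regardless of what else it runs; an exclusion meant for one benign invocation should be anchored to that invocation, as the `git.exe` and `powershell.exe` entries in the same block already are. The same unanchored style is used for `"*Use-Icinga -Minimal*"` and `"*& {$j = sajb {Add-Type -AssemblyName*"` in the later PowerShell obfuscation hunk. Separately, the `Code.exe` list mixes a wildcard pattern with the bare value `"ms-vscode-remote.remote-wsl"`, which only matches a command line that is exactly that string; if a substring was intended it needs surrounding `*`. The query begins before this hunk.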
@@ -2,7 +2,7 @@
creation_date = "2024/09/09"
integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
maturity = "production"
updated_date = "2025/09/11"
updated_date = "2026/02/19"
[rule]
author = ["Elastic"]
@@ -81,7 +81,25 @@ process where host.os.type == "windows" and event.type == "start" and
process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe", "cmd.exe") or
?process.pe.original_file_name : ("powershell.exe", "pwsh.dll", "powershell_ise.exe", "Cmd.Exe")
) and
process.parent.name : ("wscript.exe", "mshta.exe")
process.parent.name : ("wscript.exe", "mshta.exe") and
not (
process.args : (
"C:\\Program Files\\Intel\\SUR\\QUEENCREEK\\x64\\task.bat",
"\"C:\\Program Files\\Intel\\SUR\\QUEENCREEK\\x64\\task.bat\""
) or
process.command_line : (
"\"C:\\Windows\\system32\\cmd.exe\" /c auditpol.exe /set /SUBCATEGORY:*",
"\"C:\\Windows\\system32\\cmd.exe\" /c auditpol.exe /get*",
"\"C:\\Windows\\system32\\cmd.exe\" /c exit\""
) or
(process.args == "-File" and process.args == "-ExecutionPolicy")
)
and
not (
?user.id == "S-1-5-18" and
/* Don't apply the user.id exclusion to Sysmon for compatibility */
not event.dataset : ("windows.sysmon_operational", "windows.sysmon")
)
'''
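Review bot: The exclusion `(process.args == "-File" and process.args == "-ExecutionPolicy")` is tied to no script path, parent or user, so every wscript/mshta-spawned PowerShell that runs a script file with an explicit execution policy is dropped, which is a common benign logon-script shape but also a common form of script-launched PowerShell this rule targets. Scope it to the invocation that prompted it (the script path, or combine it with the SYSTEM `user.id` clause below) rather than the flag pair alone. The `auditpol.exe /set /SUBCATEGORY:*` entry likewise removes audit-policy changes from this rule's view; that is acceptable if a dedicated audit-policy rule covers them, otherwise it is worth keeping. The query begins before this hunk.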
@@ -2,7 +2,7 @@
creation_date = "2024/09/06"
integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
maturity = "production"
updated_date = "2025/12/01"
updated_date = "2026/02/19"
[rule]
author = ["Elastic"]
@@ -90,6 +90,11 @@ process where host.os.type == "windows" and event.type == "start" and
not event.dataset : ("windows.sysmon_operational", "windows.sysmon")
) and
not process.parent.executable : (
"?:\\Program Files\\*.exe",
"?:\\Program Files (x86)\\*.exe"
) and
(
process.command_line : (
"*^*^*^*^*^*^*^*^*^*",
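Review bot: The new `not process.parent.executable : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe")` clause trusts a directory rather than a publisher: any PowerShell spawned by a binary anywhere under either tree is dropped, and `*` spans subdirectories, so third-party or vulnerable software installed there is excluded along with the product that prompted the change. If the sources used here populate code-signature fields, a condition on `process.parent.code_signature.trusted` would be narrower than the path (not every listed integration may fill it), and either way a `/* */` comment naming the product behind the exclusion would make it reviewable later. The query begins before this hunk.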
@@ -171,6 +176,10 @@ process where host.os.type == "windows" and event.type == "start" and
(
process.parent.name : ("explorer.exe", "cmd.exe") and
process.command_line : ("*-encodedCommand*", "*Invoke-webrequest*", "*WebClient*", "*Reflection.Assembly*"))
) and
not process.command_line : (
"*Use-Icinga -Minimal*",
"*& {$j = sajb {Add-Type -AssemblyName*"
)
'''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
maturity = "production"
updated_date = "2025/08/28"
updated_date = "2026/02/19"
[transform]
[[transform.osquery]]
@@ -45,10 +45,10 @@ index = [
]
language = "eql"
license = "Elastic License v2"
name = "Adobe Hijack Persistence"
name = "Deprecated - Adobe Hijack Persistence"
note = """## Triage and analysis
### Investigating Adobe Hijack Persistence
### Investigating Deprecated - Adobe Hijack Persistence
Attackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.
@@ -2,7 +2,7 @@
creation_date = "2025/05/23"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/11/14"
updated_date = "2026/02/19"
[rule]
author = ["Elastic"]
@@ -88,4 +88,4 @@ field = "new_terms_fields"
value = ["winlog.event_data.SubjectUserName"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
value = "now-7d"
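Review bot: `history_window_start` is shortened from `now-10d` to `now-7d` with no rationale in the commit description, and the same knob moves to `now-7d` in the sibling new-terms rule and in the ping and discovery rules (`now-14d` to `now-7d`) but to `now-5d` in the last file (`now-14d` to `now-5d`). A shorter baseline makes any term that recurs less often than the window, such as weekly jobs, surface as new again, so the 5-day versus 7-day choice should be either aligned or explained with a comment above the value, e.g. `# baseline window; terms recurring less often than this re-alert as new`.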
@@ -2,7 +2,7 @@
creation_date = "2025/05/23"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/11/14"
updated_date = "2026/02/19"
[rule]
author = ["Elastic"]
@@ -87,4 +87,4 @@ field = "new_terms_fields"
value = ["winlog.event_data.SubjectUserName"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
value = "now-7d"
@@ -2,7 +2,7 @@
creation_date = "2020/08/14"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/01/15"
updated_date = "2026/02/19"
[rule]
author = ["Elastic"]
@@ -22,13 +22,13 @@ index = [
]
language = "kuery"
license = "Elastic License v2"
name = "Suspicious PrintSpooler Service Executable File Creation"
name = "Deprecated - Suspicious PrintSpooler Service Executable File Creation"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating Suspicious PrintSpooler Service Executable File Creation
### Investigating Deprecated - Suspicious PrintSpooler Service Executable File Creation
The Print Spooler service in Windows manages print jobs, but vulnerabilities like CVE-2020-1048 can be exploited for privilege escalation. Adversaries may create malicious DLL files executed by the spooler to gain elevated privileges. The detection rule identifies such threats by monitoring file creation events linked to the spooler process, focusing on DLL files, which are common vectors for exploitation.
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
creation_date = "2023/07/12"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2026/02/19"
[rule]
author = ["Elastic"]
@@ -35,7 +35,8 @@ type = "new_terms"
query = '''
host.os.type:windows and event.category:process and event.type:start and
process.name.caseless:("ping.exe" or "tracert.exe" or "pathping.exe") and
not process.args:("127.0.0.1" or "0.0.0.0" or "localhost" or "::1")
not process.args:("127.0.0.1" or "0.0.0.0" or "localhost" or "::1" or 192.168.*) and
process.command_line:*.*
'''
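Review bot: `process.command_line:*.*` is satisfied by the `.exe` of the program itself whenever the launcher records the executable with its extension (e.g. `"C:\Windows\system32\PING.EXE" host`), so the clause only filters invocations typed as `ping host` and behaves differently per launcher; if the goal is a target that looks like an IP or FQDN, the intent should be stated in a comment and the test applied to the target argument rather than the whole command line, bearing in mind that the first args element may also carry the executable name. The new `192.168.*` exclusion covers only one private range, leaving `10.*` and `172.16-31.*` destinations to surface as new terms, which is defensible for internal-sweep visibility but deserves a comment stating why only that range is excluded. Both the added and kept lines are visible; the query block is complete within this hunk.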
@@ -62,6 +63,6 @@ field = "new_terms_fields"
value = ["host.id", "user.id", "process.command_line"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
value = "now-7d"
@@ -2,7 +2,7 @@
bypass_bbr_timing = true
creation_date = "2023/10/10"
maturity = "production"
updated_date = "2024/09/01"
updated_date = "2026/02/19"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ from = "now-9m"
index = [".alerts-security.*"]
language = "kuery"
license = "Elastic License v2"
name = "Unusual Discovery Activity by User"
name = "Deprecated - Unusual Discovery Activity by User"
risk_score = 21
rule_id = "cf575427-0839-4c69-a9e6-99fde02606f3"
severity = "low"
@@ -54,6 +54,6 @@ field = "new_terms_fields"
value = ["host.id", "user.id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
value = "now-7d"
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
creation_date = "2023/07/14"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2026/02/19"
[rule]
author = ["Elastic"]
@@ -80,6 +80,6 @@ field = "new_terms_fields"
value = ["host.id", "process.executable", "user.id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
value = "now-5d"