Update credential_access_kerberoasting_unusual_process.toml (#2444)

rules/windows/credential_access_kerberoasting_unusual_process.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/02"
 maturity = "production"
-updated_date = "2022/11/04"
+updated_date = "2022/12/28"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -99,19 +99,42 @@ type = "eql"
 
 query = '''
 network where event.type == "start" and network.direction : ("outgoing", "egress") and
- destination.port == 88 and source.port >= 49152 and
+ destination.port == 88 and source.port >= 49152 and process.pid != 4 and 
  not process.executable :
             ("?:\\Windows\\System32\\lsass.exe",
              "System",
+             "?:\\Windows\\System32\\svchost.exe",
+             "?:\\Program Files\\Puppet Labs\\Puppet\\puppet\\bin\\ruby.exe",
              "\\device\\harddiskvolume?\\windows\\system32\\lsass.exe",
              "?:\\Program Files\\rapid7\\nexpose\\nse\\.DLLCACHE\\nseserv.exe",
              "?:\\Program Files (x86)\\GFI\\LanGuard 12 Agent\\lnsscomm.exe",
              "?:\\Program Files (x86)\\SuperScan\\scanner.exe",
              "?:\\Program Files (x86)\\Nmap\\nmap.exe",
-             "\\device\\harddiskvolume?\\program files (x86)\\nmap\\nmap.exe") and
- destination.address !="127.0.0.1" and destination.address !="::1" and
- /* insert false positives here */
- not process.name in ("swi_fc.exe", "fsIPcam.exe", "IPCamera.exe", "MicrosoftEdgeCP.exe", "MicrosoftEdge.exe", "iexplore.exe", "chrome.exe", "msedge.exe", "opera.exe", "firefox.exe")
+             "?:\\Program Files\\Tenable\\Nessus\\nessusd.exe",
+             "\\device\\harddiskvolume?\\program files (x86)\\nmap\\nmap.exe",
+             "?:\\Program Files\\Docker\\Docker\\resources\\vpnkit.exe",
+             "?:\\Program Files\\Docker\\Docker\\resources\\com.docker.vpnkit.exe",
+             "?:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe",
+             "?:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\dcpatchscan.exe",
+             "\\device\\harddiskvolume?\\program files (x86)\\nmap oem\\nmap.exe",
+             "?:\\Program Files (x86)\\Nmap OEM\\nmap.exe",
+             "?:\\Program Files (x86)\\Zscaler\\ZSATunnel\\ZSATunnel.exe",
+             "?:\\Program Files\\JetBrains\\PyCharm Community Edition*\\bin\\pycharm64.exe",
+             "?:\\Program Files (x86)\\Advanced Port Scanner\\advanced_port_scanner.exe",
+             "?:\\Program Files (x86)\\nwps\\NetScanTools Pro\\NSTPRO.exe",
+             "?:\\Program Files\\BlackBerry\\UEM\\Proxy Server\\bin\\prunsrv.exe",
+             "?:\\Program Files (x86)\\Microsoft Silverlight\\sllauncher.exe",
+             "?:\\Windows\\System32\\MicrosoftEdgeCP.exe",
+             "?:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_*\\MicrosoftEdge.exe", 
+             "?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe",
+             "?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", 
+             "?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", 
+             "?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", 
+             "?:\\Program Files\\Mozilla Firefox\\firefox.exe", 
+             "?:\\Program Files\\Internet Explorer\\iexplore.exe",
+             "?:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
+             ) and
+ destination.address != "127.0.0.1" and destination.address != "::1"
 '''