diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
index f73f22305..829f3f98a 100644
--- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
+++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/07/29"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = ["https://github.com/irsl/CVE-2020-1313"]
 risk_score = 73
 rule_id = "265db8f5-fc73-4d0d-b434-6483b56372e2"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "CVE-2020-1313"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -31,14 +31,18 @@ process where event.type == "start" and
 process.parent.executable : "C:\\Windows\\System32\\svchost.exe" and
 process.parent.args : "UsoSvc" and
 not process.executable :
- (
- "C:\\Windows\\System32\\UsoClient.exe",
- "C:\\Windows\\System32\\MusNotification.exe",
- "C:\\Windows\\System32\\MusNotificationUx.exe",
- "C:\\Windows\\System32\\MusNotifyIcon.exe",
- "C:\\Windows\\System32\\WerFault.exe",
- "C:\\Windows\\System32\\WerMgr.exe"
- )
+ ("?:\\ProgramData\\Microsoft\\Windows\\UUS\\Packages\\*\\amd64\\MoUsoCoreWorker.exe",
+ "?:\\Windows\\System32\\UsoClient.exe",
+ "?:\\Windows\\System32\\MusNotification.exe",
+ "?:\\Windows\\System32\\MusNotificationUx.exe",
+ "?:\\Windows\\System32\\MusNotifyIcon.exe",
+ "?:\\Windows\\System32\\WerFault.exe",
+ "?:\\Windows\\System32\\WerMgr.exe",
+ "?:\\Windows\\UUS\\amd64\\MoUsoCoreWorker.exe",
+ "?:\\Windows\\System32\\MoUsoCoreWorker.exe",
+ "?:\\Windows\\UUS\\amd64\\UsoCoreWorker.exe",
+ "?:\\Windows\\System32\\UsoCoreWorker.exe",
+ "?:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe")
 '''