[Rule Tuning] Communication App Rules (#5487)

* [Rule Tuning] Communication App Rules * Update defense_evasion_masquerading_business_apps_installer.toml * Update defense_evasion_masquerading_business_apps_installer.toml * Update defense_evasion_masquerading_communication_apps.toml * Update defense_evasion_masquerading_business_apps_installer.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-12-18 07:38:18 -03:00
parent f43bf99698
commit 5ec8e3e500
4 changed files with 54 additions and 45 deletions
@@ -2,7 +2,7 @@
 creation_date = "2020/11/04"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2025/12/17"

 [transform]
 [[transform.investigate]]
@@ -296,7 +296,8 @@ network where host.os.type == "windows" and
      ) or

      /* Zoom */
-      (process.name : "Zoom.exe" and (process.code_signature.subject_name : "Zoom Video Communications, Inc." and
+      (process.name : "Zoom.exe" and (
+       process.code_signature.subject_name : ("Zoom Video Communications, Inc.", "Zoom Communications, Inc.") and
       process.code_signature.trusted == true) and dns.question.name : ("www.googleapis.com", "graph.microsoft.com")
      ) or

@@ -2,7 +2,7 @@
 creation_date = "2023/08/04"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/12/17"

 [rule]
 author = ["Elastic"]
@@ -33,25 +33,36 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where host.os.type == "windows" and event.type == "start" and 
- not process.executable : 
-             ("?:\\Program Files\\*.exe", 
+process where host.os.type == "windows" and event.type == "start" and
+  process.parent.name : (
+    "slack.exe", "CiscoCollabHost.exe", "WebexHost.exe", "Teams.exe",
+    "Discord.exe", "Whatsapp.exe", "Zoom.exe", "thunderbird.exe"
+  ) and
+  not process.executable : (
+              "?:\\Program Files\\*.exe", 
              "?:\\Program Files (x86)\\*.exe", 
              "?:\\Windows\\System32\\WerFault.exe", 
-              "?:\\Windows\\SysWOW64\\WerFault.exe") and 
+              "?:\\Windows\\SysWOW64\\WerFault.exe"
+  ) and
+
+  /* Common Signed Browser Processes */
+  not (
+    process.executable : (
+        "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
+        "?:\\Users\\*\\AppData\\Local\\Island\\Island\\Application\\Island.exe",
+        "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
+        "?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\opera.exe"
+    ) and process.code_signature.trusted == true
+  ) and
  (
    /* Slack */
    (process.parent.name : "slack.exe" and not
      (
        (
          process.executable : (
-            "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
-            "?:\\Users\\*\\AppData\\Local\\Island\\Island\\Application\\Island.exe",
            "?:\\Users\\*\\AppData\\Roaming\\Zoom\\bin*\\Zoom.exe",
            "?:\\Windows\\System32\\rundll32.exe",
-            "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
-            "?:\\Windows\\System32\\notepad.exe",
-            "?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\opera.exe"
+            "?:\\Windows\\System32\\notepad.exe"
          ) and process.code_signature.trusted == true
        ) or
        (
@@ -70,20 +81,11 @@ process where host.os.type == "windows" and event.type == "start" and
    /* WebEx */
    (process.parent.name : ("CiscoCollabHost.exe", "WebexHost.exe") and not
      (
-        (
-          process.executable : (
-            "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
-            "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
-            "?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\opera.exe"
-          ) and process.code_signature.trusted == true
-        ) or
-        (
-          process.code_signature.subject_name : (
-            "Cisco Systems, Inc.",
-            "Cisco WebEx LLC",
-            "Cisco Systems Inc."
-          ) and process.code_signature.trusted == true
-        )
+        process.code_signature.subject_name : (
+          "Cisco Systems, Inc.",
+          "Cisco WebEx LLC",
+          "Cisco Systems Inc."
+        ) and process.code_signature.trusted == true
      )
    ) or

@@ -93,8 +95,6 @@ process where host.os.type == "windows" and event.type == "start" and
        (
          process.executable : (
            "?:\\Windows\\BrowserCore\\BrowserCore.exe",
-            "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
-            "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe", 
            "?:\\Users\\*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe"
          ) and process.code_signature.trusted == true
        ) or
@@ -115,7 +115,6 @@ process where host.os.type == "windows" and event.type == "start" and
      (
        (
          process.executable : (
-            "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
            "?:\\Windows\\System32\\reg.exe",
            "?:\\Windows\\SysWOW64\\reg.exe"
          ) and process.code_signature.trusted == true
@@ -169,14 +168,13 @@ process where host.os.type == "windows" and event.type == "start" and
      (
        (
          process.executable : (
-            "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
-            "?:\\Users\\*\\AppData\\Local\\Island\\Island\\Application\\Island.exe",
-            "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe"
+            "?:\\Users\\*\\AppData\\Local\\BraveSoftware\\Brave-Browser\\Application\\brave.exe"
          ) and process.code_signature.trusted == true
        ) or
        (
          process.code_signature.subject_name : (
-            "Zoom Video Communications, Inc."
+            "Zoom Video Communications, Inc.",
+            "Zoom Communications, Inc."
          ) and process.code_signature.trusted == true
        )
      )
@@ -2,7 +2,7 @@
 creation_date = "2023/09/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/12/17"

 [rule]
 author = ["Elastic"]
@@ -25,21 +25,21 @@ severity = "low"
 tags = [
    "Domain: Endpoint",
    "Data Source: Elastic Defend",
+    "Data Source: Elastic Endgame",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Tactic: Initial Access",
    "Tactic: Execution",
-    "Resources: Investigation Guide",
-    "Data Source: Elastic Endgame",
+    "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where host.os.type == "windows" and
+process where host.os.type == "windows" and 
  event.type == "start" and process.executable : "?:\\Users\\*\\Downloads\\*" and
-  not process.code_signature.status : ("errorCode_endpoint*", "errorUntrustedRoot", "errorChaining") and
+  not process.code_signature.status like ("errorCode_endpoint*", "errorUntrustedRoot", "errorChaining") and process.hash.sha256 != null and 
  (
    /* Slack */
    (process.name : "*slack*.exe" and not
@@ -69,13 +69,17 @@ process where host.os.type == "windows" and
      (process.code_signature.subject_name in (
        "WhatsApp LLC",
        "WhatsApp, Inc",
-        "24803D75-212C-471A-BC57-9EF86AB91435"
+        "24803D75-212C-471A-BC57-9EF86AB91435",
+        /* WhatsApp Installer - MS Store */
+        "Microsoft Corporation"
       ) and process.code_signature.trusted == true)
    ) or

    /* Zoom */
    (process.name : ("*zoom*installer*.exe", "*zoom*setup*.exe", "zoom.exe")  and not
-      (process.code_signature.subject_name == "Zoom Video Communications, Inc." and process.code_signature.trusted == true)
+      (process.code_signature.subject_name in (
+        "Zoom Video Communications, Inc.", "Zoom Communications, Inc."
+       ) and process.code_signature.trusted == true)
    ) or

    /* Outlook */
@@ -2,7 +2,7 @@
 creation_date = "2023/05/05"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/12/17"

 [rule]
 author = ["Elastic"]
@@ -33,7 +33,8 @@ type = "eql"

 query = '''
 process where host.os.type == "windows" and
-  event.type == "start" and
+  event.type == "start" and 
+  not process.code_signature.status like "errorCode_endpoint*" and process.hash.sha256 != null and 
  (
    /* Slack */
    (process.name : "slack.exe" and not
@@ -50,7 +51,8 @@ process where host.os.type == "windows" and

    /* Teams */
    (process.name : "Teams.exe" and not
-      (process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true)
+      (process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true) and 
+      process.executable != "C:\\Program Files (x86)\\Teams Installer\\Teams.exe"
    ) or

    /* Discord */
@@ -60,7 +62,8 @@ process where host.os.type == "windows" and

    /* RocketChat */
    (process.name : "Rocket.Chat.exe" and not
-      (process.code_signature.subject_name : "Rocket.Chat Technologies Corp." and process.code_signature.trusted == true)
+      (process.code_signature.subject_name : "Rocket.Chat Technologies Corp." and process.code_signature.trusted == true) and 
+      process.executable != "C:\\Program Files\\rocketchat\\Rocket.Chat.exe"
    ) or

    /* Mattermost */
@@ -79,7 +82,10 @@ process where host.os.type == "windows" and

    /* Zoom */
    (process.name : "Zoom.exe" and not
-      (process.code_signature.subject_name : "Zoom Video Communications, Inc." and process.code_signature.trusted == true)
+      (process.code_signature.subject_name : (
+        "Zoom Video Communications, Inc.",
+        "Zoom Communications, Inc."
+       ) and process.code_signature.trusted == true)
    ) or

    /* Outlook */