From 5ec8e3e500df466e50aff7082986a2c46a00f3cc Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Thu, 18 Dec 2025 07:38:18 -0300
Subject: [PATCH] [Rule Tuning] Communication App Rules (#5487)
* [Rule Tuning] Communication App Rules
* Update defense_evasion_masquerading_business_apps_installer.toml
* Update defense_evasion_masquerading_business_apps_installer.toml
* Update defense_evasion_masquerading_communication_apps.toml
* Update defense_evasion_masquerading_business_apps_installer.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---
 ...ommand_and_control_common_webservices.toml | 5 +-
 ...ication_apps_suspicious_child_process.toml | 60 +++++++++----------
 ..._masquerading_business_apps_installer.toml | 18 +++---
 ...asion_masquerading_communication_apps.toml | 16 +++--
 4 files changed, 54 insertions(+), 45 deletions(-)
diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml
index a7c4d44ff..f3d0ab94a 100644
--- a/rules/windows/command_and_control_common_webservices.toml
+++ b/rules/windows/command_and_control_common_webservices.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/04"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2025/12/17"
 [transform]
 [[transform.investigate]]
@@ -296,7 +296,8 @@ network where host.os.type == "windows" and
 ) or
 /* Zoom */
- (process.name : "Zoom.exe" and (process.code_signature.subject_name : "Zoom Video Communications, Inc." and
+ (process.name : "Zoom.exe" and (
+ process.code_signature.subject_name : ("Zoom Video Communications, Inc.", "Zoom Communications, Inc.") and
 process.code_signature.trusted == true) and
 dns.question.name : ("www.googleapis.com", "graph.microsoft.com")
 ) or
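Review bot: The `/* Zoom */` comment does not say why two `process.code_signature.subject_name` values are now accepted, and the same pair is added independently in the Zoom clauses of the three other rules in this commit (defense_evasion_communication_apps_suspicious_child_process.toml, defense_evasion_masquerading_business_apps_installer.toml and defense_evasion_masquerading_communication_apps.toml). A one-line note next to each list, such as `/* Zoom: current and previous signer names, keep in sync across rules */`, would make the coupling visible to the next tuner who updates only one of the four. The enclosing query continues outside the hunk.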
diff --git a/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml b/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
index 326f67485..bbf8c289d 100644
--- a/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
+++ b/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/04"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/12/17"
 [rule]
 author = ["Elastic"]
@@ -33,25 +33,36 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "windows" and event.type == "start" and
- not process.executable :
- ("?:\\Program Files\\*.exe",
+process where host.os.type == "windows" and event.type == "start" and
+ process.parent.name : (
+ "slack.exe", "CiscoCollabHost.exe", "WebexHost.exe", "Teams.exe",
+ "Discord.exe", "Whatsapp.exe", "Zoom.exe", "thunderbird.exe"
+ ) and
+ not process.executable : (
+ "?:\\Program Files\\*.exe",
 "?:\\Program Files (x86)\\*.exe",
 "?:\\Windows\\System32\\WerFault.exe",
- "?:\\Windows\\SysWOW64\\WerFault.exe") and
+ "?:\\Windows\\SysWOW64\\WerFault.exe"
+ ) and
+
+ /* Common Signed Browser Processes */
+ not (
+ process.executable : (
+ "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
+ "?:\\Users\\*\\AppData\\Local\\Island\\Island\\Application\\Island.exe",
+ "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
+ "?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\opera.exe"
+ ) and process.code_signature.trusted == true
+ ) and
 (
 /* Slack */
 (process.parent.name : "slack.exe" and not
 (
 (
 process.executable : (
- "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
- "?:\\Users\\*\\AppData\\Local\\Island\\Island\\Application\\Island.exe",
 "?:\\Users\\*\\AppData\\Roaming\\Zoom\\bin*\\Zoom.exe",
 "?:\\Windows\\System32\\rundll32.exe",
- "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
- "?:\\Windows\\System32\\notepad.exe",
- "?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\opera.exe"
+ "?:\\Windows\\System32\\notepad.exe"
 ) and process.code_signature.trusted == true
 ) or
 (
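Review bot: The new top-level `process.parent.name` prefilter has to mirror the per-app `( ... or ... )` clauses that follow it, and nothing in the file states that coupling; only the Slack clause is visible in this hunk, and `"thunderbird.exe"` has no visible clause, so if none exists further down that entry is inert, while any per-app clause whose parent is missing from the list is silently disabled. A comment above the list such as `/* keep in sync with the per-app parent clauses below */` would make the dependency explicit. The relocated `/* Common Signed Browser Processes */` exclusion now applies to every parent and still keys on a user-writable `AppData\Local` path plus `process.code_signature.trusted == true` without pinning `process.code_signature.subject_name` to the browser vendor; adding the publisher would narrow what a trusted-signed binary at one of those paths can suppress across all eight parents. The first query line is removed and re-added with no visible difference, so it is presumably a trailing-whitespace change. The query continues outside the hunk.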
@@ -70,20 +81,11 @@ process where host.os.type == "windows" and event.type == "start" and
 /* WebEx */
 (process.parent.name : ("CiscoCollabHost.exe", "WebexHost.exe") and not
 (
- (
- process.executable : (
- "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
- "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
- "?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\opera.exe"
- ) and process.code_signature.trusted == true
- ) or
- (
- process.code_signature.subject_name : (
- "Cisco Systems, Inc.",
- "Cisco WebEx LLC",
- "Cisco Systems Inc."
- ) and process.code_signature.trusted == true
- )
+ process.code_signature.subject_name : (
+ "Cisco Systems, Inc.",
+ "Cisco WebEx LLC",
+ "Cisco Systems Inc."
+ ) and process.code_signature.trusted == true
 )
 ) or
@@ -93,8 +95,6 @@ process where host.os.type == "windows" and event.type == "start" and
 (
 process.executable : (
 "?:\\Windows\\BrowserCore\\BrowserCore.exe",
- "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
- "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
 "?:\\Users\\*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe"
 ) and process.code_signature.trusted == true
 ) or
@@ -115,7 +115,6 @@ process where host.os.type == "windows" and event.type == "start" and
 (
 (
 process.executable : (
- "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
 "?:\\Windows\\System32\\reg.exe",
 "?:\\Windows\\SysWOW64\\reg.exe"
 ) and process.code_signature.trusted == true
@@ -169,14 +168,13 @@ process where host.os.type == "windows" and event.type == "start" and
 (
 (
 process.executable : (
- "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
- "?:\\Users\\*\\AppData\\Local\\Island\\Island\\Application\\Island.exe",
- "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe"
+ "?:\\Users\\*\\AppData\\Local\\BraveSoftware\\Brave-Browser\\Application\\brave.exe"
 ) and process.code_signature.trusted == true
 ) or
 (
 process.code_signature.subject_name : (
- "Zoom Video Communications, Inc."
+ "Zoom Video Communications, Inc.",
+ "Zoom Communications, Inc."
 ) and process.code_signature.trusted == true
 )
 )
diff --git a/rules/windows/defense_evasion_masquerading_business_apps_installer.toml b/rules/windows/defense_evasion_masquerading_business_apps_installer.toml
index 25d4e19b8..6b6d840df 100644
--- a/rules/windows/defense_evasion_masquerading_business_apps_installer.toml
+++ b/rules/windows/defense_evasion_masquerading_business_apps_installer.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/09/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/12/17"
 [rule]
 author = ["Elastic"]
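Review bot: `brave.exe` is added as a trusted-signed exclusion only inside this Zoom clause, while the same commit moves Chrome, Island, Firefox and Opera out of the per-app clauses into the shared `/* Common Signed Browser Processes */` block at the top of the query. If Brave launched from the other parents is equally benign it belongs in that shared list, and if it is deliberately Zoom-only a comment such as `/* Brave: excluded for Zoom only */` would stop the next tuner from consolidating it by mistake. The enclosing Zoom clause starts outside the hunk.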
@@ -25,21 +25,21 @@ severity = "low"
 tags = [
 "Domain: Endpoint",
 "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Defense Evasion",
 "Tactic: Initial Access",
 "Tactic: Execution",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "windows" and
+process where host.os.type == "windows" and
 event.type == "start" and process.executable : "?:\\Users\\*\\Downloads\\*" and
- not process.code_signature.status : ("errorCode_endpoint*", "errorUntrustedRoot", "errorChaining") and
+ not process.code_signature.status like ("errorCode_endpoint*", "errorUntrustedRoot", "errorChaining") and
 process.hash.sha256 != null and
 (
 /* Slack */
 (process.name : "*slack*.exe" and not
@@ -69,13 +69,17 @@ process where host.os.type == "windows" and
 (process.code_signature.subject_name in (
 "WhatsApp LLC",
 "WhatsApp, Inc",
- "24803D75-212C-471A-BC57-9EF86AB91435"
+ "24803D75-212C-471A-BC57-9EF86AB91435",
+ /* WhatsApp Installer - MS Store */
+ "Microsoft Corporation"
 ) and process.code_signature.trusted == true)
 ) or
 /* Zoom */
 (process.name : ("*zoom*installer*.exe", "*zoom*setup*.exe", "zoom.exe") and not
- (process.code_signature.subject_name == "Zoom Video Communications, Inc." and process.code_signature.trusted == true)
+ (process.code_signature.subject_name in (
+ "Zoom Video Communications, Inc.", "Zoom Communications, Inc."
+ ) and process.code_signature.trusted == true)
 ) or
 /* Outlook */
diff --git a/rules/windows/defense_evasion_masquerading_communication_apps.toml b/rules/windows/defense_evasion_masquerading_communication_apps.toml
index 69c4511ab..e280b7fae 100644
--- a/rules/windows/defense_evasion_masquerading_communication_apps.toml
+++ b/rules/windows/defense_evasion_masquerading_communication_apps.toml
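Review bot: Adding `"Microsoft Corporation"` to the accepted WhatsApp signers makes any trusted Microsoft-signed executable in Downloads whose name matches the WhatsApp pattern count as legitimate, which is much broader than the Store installer the `/* WhatsApp Installer - MS Store */` comment describes. If that installer carries a stable `process.pe.original_file_name` or product name, narrowing the exclusion on it would keep the masquerade check effective for Microsoft-signed binaries that merely borrow the name. Separately, `like` is case-sensitive in EQL where the previous `:` was not; the three status strings are fixed-case so this is probably harmless, but `like~` preserves the old semantics if that was the intent, and the same operator change appears in the `errorCode_endpoint*` check of defense_evasion_masquerading_communication_apps.toml. The query continues outside both hunks.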
@@ -2,7 +2,7 @@
 creation_date = "2023/05/05"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/12/17"
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,8 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and
- event.type == "start" and
+ event.type == "start" and
+ not process.code_signature.status like "errorCode_endpoint*" and
 process.hash.sha256 != null and
 (
 /* Slack */
 (process.name : "slack.exe" and not
@@ -50,7 +51,8 @@ process where host.os.type == "windows" and
 /* Teams */
 (process.name : "Teams.exe" and not
- (process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true)
+ (process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true) and
+ process.executable != "C:\\Program Files (x86)\\Teams Installer\\Teams.exe"
 ) or
 /* Discord */
@@ -60,7 +62,8 @@ process where host.os.type == "windows" and
 /* RocketChat */
 (process.name : "Rocket.Chat.exe" and not
- (process.code_signature.subject_name : "Rocket.Chat Technologies Corp." and process.code_signature.trusted == true)
+ (process.code_signature.subject_name : "Rocket.Chat Technologies Corp." and process.code_signature.trusted == true) and
+ process.executable != "C:\\Program Files\\rocketchat\\Rocket.Chat.exe"
 ) or
 /* Mattermost */
@@ -79,7 +82,10 @@ process where host.os.type == "windows" and
 /* Zoom */
 (process.name : "Zoom.exe" and not
- (process.code_signature.subject_name : "Zoom Video Communications, Inc." and process.code_signature.trusted == true)
+ (process.code_signature.subject_name : (
+ "Zoom Video Communications, Inc.",
+ "Zoom Communications, Inc."
+ ) and process.code_signature.trusted == true)
 ) or
 /* Outlook */
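Review bot: The new Teams and Rocket.Chat exclusions key on `process.executable != "C:\\..."` alone, unlike every other exclusion in this rule, which requires a trusted signature from the expected publisher; a Teams.exe or Rocket.Chat.exe at those paths is now ignored whatever its signature state, and the hunk gives no comment saying why. Those directories sit under Program Files, so the exposure is limited to an already-privileged writer, but `!=` is also an exact, case-sensitive comparison with a fixed drive letter while the rest of the file uses `?:` wildcards with `:`; `not process.executable : "?:\\Program Files (x86)\\Teams Installer\\Teams.exe"` (and the same form for the Rocket.Chat path) would match the file's conventions. If the exclusion exists because signature data is missing for these installs, pairing it with a `process.code_signature.status` condition or a comment stating the reason would document the trade-off. The Teams and Rocket.Chat clauses each start outside their hunk.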