diff --git a/rules/windows/persistence_msi_installer_task_startup.toml b/rules/windows/persistence_msi_installer_task_startup.toml
index 67b1a2b8c..240595008 100644
--- a/rules/windows/persistence_msi_installer_task_startup.toml
+++ b/rules/windows/persistence_msi_installer_task_startup.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -35,18 +35,55 @@
 type = "eql"
 query = '''
 any where host.os.type == "windows" and
- (process.name : "msiexec.exe" or Effective_process.name : "msiexec.exe") and
- (
- (event.category == "file" and event.action == "creation" and
- file.path : ("?:\\Windows\\System32\\Tasks\\*",
- "?:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\*",
- "?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*")) or
-
- (event.category == "registry" and event.action == "modification" and
- registry.path : ("H*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
- "H*\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
- "H*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
- "H*\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*"))
+ (process.name : "msiexec.exe" or Effective_process.name : "msiexec.exe") and
+ (
+ (
+ event.category == "file" and event.action == "creation" and
+ file.path : (
+ "?:\\Windows\\System32\\Tasks\\*",
+ "?:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\*",
+ "?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*"
+ ) and
+ not file.path : (
+ "?:\\Windows\\System32\\Tasks\\Adobe Acrobat Update Task",
+ "?:\\Windows\\System32\\Tasks\\HP\\Sure Click\\Sure Click ?.?.??.????",
+ "?:\\Windows\\System32\\Tasks\\HP\\Sure Click\\Sure Click UI ?.?.??.????",
+ "?:\\Windows\\System32\\Tasks\\HP\\Sure Click\\Upgrade Repair ?.?.??.????",
+ "?:\\Windows\\System32\\Tasks\\IntelSURQC-Upgrade-86621605-2a0b-4128-8ffc-15514c247132",
+ "?:\\Windows\\System32\\Tasks\\IntelSURQC-Upgrade-86621605-2a0b-4128-8ffc-15514c247132-Logon"
+ )
+ ) or
+ (
+ event.category == "registry" and event.action == "modification" and registry.data.strings != null and
+ registry.path : (
+ "H*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
+ "H*\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
+ "H*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
+ "H*\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*"
+ ) and
+ not registry.data.strings : (
+ "C:\\Program Files (x86)\\Common Files\\Acronis\\TibMounter\\tib_mounter_monitor.exe",
+ "C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe",
+ "C:\\Program Files\\Citrix\\Secure Access Client\\CtxsDPS.exe --clean-user-installs",
+ "C:\\Program Files\\OpenVPN\\bin\\openvpn-gui.exe",
+ "C:\\Program Files\\Veeam\\Endpoint Backup\\Veeam.EndPoint.Tray.exe -NoControlPanel -CheckNumberOfRunningAgents",
+ "\"C:\\Program Files (x86)\\Cisco\\Cisco Secure Client\\UI\\csc_ui.exe\" -minimized",
+ "\"C:\\Program Files (x86)\\Citrix\\ICA Client\\concentr.exe\" /startup",
+ "\"C:\\Program Files (x86)\\Citrix\\ICA Client\\Receiver\\AnalyticsSrv.exe\" /Startup",
+ "\"C:\\Program Files (x86)\\Citrix\\ICA Client\\redirector.exe\" /startup",
+ "\"C:\\Program Files (x86)\\EPSON Software\\Download Navigator\\EPSDNMON.EXE\"",
+ "\"C:\\Program Files (x86)\\Jabra\\Direct6\\jabra-direct.exe\" /minimized",
+ "\"C:\\Program Files (x86)\\VMware\\VMware Workstation\\vmware-tray.exe\"",
+ "\"C:\\Program Files\\ESET\\ESET Security\\ecmds.exe\" /run /hide /proxy",
+ "\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"",
+ "\"C:\\Program Files\\KeePassXC\\KeePassXC.exe\"",
+ "\"C:\\Program Files\\Palo Alto Networks\\GlobalProtect\\PanGPA.exe\"",
+ "\"C:\\Program Files\\PDF24\\pdf24.exe\"",
+ "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr",
+ "\"C:\\PROGRA~2\\Citrix\\DEVICE~1\\Bin64\\DTCLIE~1.EXE\"",
+ "\"%ProgramFiles%\\Teams Installer\\Teams.exe\" --checkInstall --source=default"
+ )
+ )
 )
 '''
 note = """## Triage and analysis
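Review bot: The new `not file.path` exclusions in the file branch are keyed on the task name alone, so a task created under `System32\Tasks` with one of those exact names (e.g. `Adobe Acrobat Update Task`) is no longer alerted whatever action it carries, and the hunk offers no second attribute to anchor the exclusion to; the `IntelSURQC-Upgrade-<guid>` entries are at least specific, but the Adobe one is a plain fixed name and deserves to be called out in the rule's `false_positives` field as an accepted blind spot. The HP entries use `?.?.??.????`, which matches only that exact digit layout, so a constructed version such as `4.3.9.1234` would resume alerting while `*` would over-match — worth a `false_positives` entry listing the excluded vendor tasks and Run values, since EQL embedded in the TOML string cannot carry comments. In the registry branch the exclusions are tighter (full `registry.data.strings` compare), but they hard-code `C:\` where the file branch uses the `?:` drive wildcard; `?:\\Program Files\\OpenVPN\\bin\\openvpn-gui.exe` would keep the two branches consistent. Adding `registry.data.strings != null` also drops Run-key modifications that carry no string value; if that narrowing is intended the `note` section (which continues outside the hunk) should say so.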