diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml
index 81f47da29..c0ea0753b 100644
--- a/rules/windows/persistence_services_registry.toml
+++ b/rules/windows/persistence_services_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -24,17 +24,19 @@ type = "eql"
 query = '''
 registry where registry.path : ("HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL",
 "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath") and
- not registry.data.strings : ("C:\\windows\\system32\\Drivers\\*.sys",
- "\\SystemRoot\\System32\\drivers\\*.sys",
+ not registry.data.strings : ("?:\\windows\\system32\\Drivers\\*.sys",
+ "\\SystemRoot\\System32\\drivers\\*.sys",
+ "\\??\\?:\\Windows\\system32\\Drivers\\*.SYS",
 "system32\\DRIVERS\\USBSTOR") and
- not (process.name : "procexp??.exe" and registry.data.strings : "C:\\*\\procexp*.sys") and
- not process.executable : ("C:\\Program Files*\\*.exe",
- "C:\\Windows\\System32\\svchost.exe",
- "C:\\Windows\\winsxs\\*\\TiWorker.exe",
- "C:\\Windows\\System32\\drvinst.exe",
- "C:\\Windows\\System32\\services.exe",
- "C:\\Windows\\System32\\msiexec.exe",
- "C:\\Windows\\System32\\regsvr32.exe")
+ not (process.name : "procexp??.exe" and registry.data.strings : "?:\\*\\procexp*.sys") and
+ not process.executable : ("?:\\Program Files\\*.exe",
+ "?:\\Program Files (x86)\\*.exe",
+ "?:\\Windows\\System32\\svchost.exe",
+ "?:\\Windows\\winsxs\\*\\TiWorker.exe",
+ "?:\\Windows\\System32\\drvinst.exe",
+ "?:\\Windows\\System32\\services.exe",
+ "?:\\Windows\\System32\\msiexec.exe",
+ "?:\\Windows\\System32\\regsvr32.exe")
 '''