From 7910f465cc8a06b50efc9bcced68366f89706c0c Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Mon, 15 Sep 2025 07:44:20 -0700
Subject: [PATCH] [Rule Tuning] Windows High Severity - 1 (#5092)

* [Rule Tuning] Windows High Severity - 1

* Update command_and_control_headless_browser.toml

* Update defense_evasion_execution_suspicious_explorer_winword.toml

* Update command_and_control_outlook_home_page.toml

---
 .../command_and_control_headless_browser.toml | 13 +++--
 ...command_and_control_outlook_home_page.toml | 4 +-
 .../credential_access_cmdline_dump_tool.toml | 6 +-
 ..._access_mod_wdigest_security_provider.toml | 19 ++-----
 ...execution_suspicious_explorer_winword.toml | 55 ++++++++++++-------
 5 files changed, 53 insertions(+), 44 deletions(-)

diff --git a/rules/windows/command_and_control_headless_browser.toml b/rules/windows/command_and_control_headless_browser.toml
index 58a321831..a13d1cc52 100644
--- a/rules/windows/command_and_control_headless_browser.toml
+++ b/rules/windows/command_and_control_headless_browser.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/10"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -73,12 +73,17 @@ type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and - process.name : ("chrome.exe", "msedge.exe", "brave.exe", "browser.exe", "dragon.exe", "vivaldi.exe") and - (process.args : "--headless*" or process.args : "data:text/html;base64,*") and + process.name : ("chrome.exe", "msedge.exe", "brave.exe", "browser.exe", "dragon.exe", "vivaldi.exe") and + process.args : "--headless*" and + process.args : ("--disable-gpu", "--dump-dom", "*http*", "data:text/html;base64,*") and process.parent.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "conhost.exe", "msiexec.exe", "explorer.exe", "rundll32.exe", "winword.exe", "excel.exe", "onenote.exe", "hh.exe", "powerpnt.exe", "forfiles.exe", - "pcalua.exe", "wmiprvse.exe") + "pcalua.exe", "wmiprvse.exe") and + not process.executable : ( + "?:\\inetpub\\wwwroot\\*\\ext\\modules\\html2pdf\\bin\\chrome\\*\\chrome-win64\\chrome.exe", + "\\Device\\HarddiskVolume*\\inetpub\\wwwroot\\*\\ext\\modules\\html2pdf\\bin\\chrome\\*\\chrome-win64\\chrome.exe" + ) ''' diff --git a/rules/windows/command_and_control_outlook_home_page.toml b/rules/windows/command_and_control_outlook_home_page.toml index 953275b97..e584f93e7 100644 --- a/rules/windows/command_and_control_outlook_home_page.toml +++ b/rules/windows/command_and_control_outlook_home_page.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/01" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2025/09/11" [rule] author = ["Elastic"] @@ -86,7 +86,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and regi registry.path : ( "*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\*", "*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Today\\*" - ) and registry.data.strings : ("*://*", "*http*") + ) and registry.data.strings : ("*://*", "*:\\*") ''' 
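Review bot: The rewritten `process.args` lines make `--headless*` mandatory, so the former standalone trigger on `data:text/html;base64,*` is gone: a browser started by one of the listed parents with a base64 data URI but no headless flag no longer matches. If that narrowing is intentional it deserves a sentence in the rule description (outside this hunk); if not, keep the data-URI branch independent, e.g. `((process.args : "--headless*" and process.args : ("--disable-gpu", "--dump-dom", "*http*")) or process.args : "data:text/html;base64,*") and`. The two added `html2pdf` exclusions key only on the executable path below `inetpub\wwwroot`, a tree whose contents are controlled by the web application rather than the OS; if the data sources expose a parent-process or code-signature field, adding it to the exclusion would keep a chrome.exe staged at that path from being waived as well.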
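Review bot: The changed `registry.data.strings : ("*://*", "*:\\*")` line covers URLs and drive-letter paths but not UNC paths such as `\\server\share\page.htm` (constructed example), which match neither pattern; adding `"\\\\*"` to the list would close that gap if local or network HTML home pages are in scope. The dropped `"*http*"` value was a subset of `"*://*"` for well-formed URLs, so nothing is lost there. The enclosing `query` block starts outside the hunk.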
diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml index 70779e976..1c55bf1c6 100644 --- a/rules/windows/credential_access_cmdline_dump_tool.toml +++ b/rules/windows/credential_access_cmdline_dump_tool.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/09/11" [rule] author = ["Elastic"] @@ -97,7 +97,7 @@ process where host.os.type == "windows" and event.type == "start" and ) or ( (?process.pe.original_file_name : "RUNDLL32.EXE" or process.name : "RUNDLL32.exe") and - (process.args : "MiniDump*" or process.command_line : "*comsvcs.dll*#24*") + (process.args : "*MiniDump*" or process.command_line : "*comsvcs*#*24*") ) or ( (?process.pe.original_file_name : "RdrLeakDiag.exe" or process.name : "RdrLeakDiag.exe") and @@ -111,7 +111,7 @@ process where host.os.type == "windows" and event.type == "start" and process.args : "-dumpFull" and process.args : "-attach") or ( (?process.pe.original_file_name : "ntdsutil.exe" or process.name : "ntdsutil.exe") and - process.args : "create*full*") or + process.args : "cr*fu*") or ( (?process.pe.original_file_name : "diskshadow.exe" or process.name : "diskshadow.exe") and process.args : "/s") ) diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml index 00f419dbb..d54be2d33 100644 --- a/rules/windows/credential_access_mod_wdigest_security_provider.toml +++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/09/11" [rule] author = ["Elastic"] 
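Review bot: `*comsvcs*#*24*` on the changed `process.command_line` line no longer anchors the ordinal: any text may sit between `#` and `24`, so a comsvcs.dll call with a different ordinal whose later arguments (a PID or output path) happen to contain `24` matches too. The same holds for `*MiniDump*`, which now fires on any rundll32 argument containing that substring, such as a dump file path, rather than the export name; both are probably acceptable because rundll32 loading comsvcs.dll is rare by itself, but a short remark in the rule `note` saying the widening is deliberate (to tolerate alternative ordinal spellings) would save the next tuner from re-tightening it. The `cr*fu*` change in the following hunk is the same kind of widening, where ntdsutil's command abbreviation makes it clearly justified. The enclosing `query` block starts and ends outside both hunks.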
@@ -74,14 +74,6 @@ references = [ ] risk_score = 73 rule_id = "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "high" tags = [ "Domain: Endpoint", @@ -98,11 +90,10 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -registry where host.os.type == "windows" and event.type == "creation" and - registry.path : ( - "HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential", - "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential" - ) and registry.data.strings : ("1", "0x00000001") and +registry where host.os.type == "windows" and event.type in ("creation", "change") and + registry.value : "UseLogonCredential" and + registry.path : "*\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential" and + registry.data.strings : ("1", "0x00000001") and not (process.executable : "?:\\Windows\\System32\\svchost.exe" and user.id : "S-1-5-18") ''' diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml index 9724eb9f0..4b5e879dc 100644 --- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml +++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml 
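Review bot: `registry.value : "UseLogonCredential"` on the second added line is redundant with the `registry.path` pattern on the next line, which already ends in `\\UseLogonCredential`; keeping only the path (it also constrains the key) reads cleaner. The retained exclusion `not (process.executable : "?:\\Windows\\System32\\svchost.exe" and user.id : "S-1-5-18")` waives every SYSTEM-context svchost write to this single credential-exposure value, which is broad. If the false positives it addresses come from Group Policy application, pinning the hosted service, e.g. `process.command_line : "*-s gpsvc*"` where the data source carries that field, would narrow it without losing the benign case; I cannot tell from the hunk which source the exclusion was written for.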
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/09/03"
-integration = ["endpoint", "windows", "m365_defender", "crowdstrike"]
+integration = ["endpoint", "windows", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/09/01"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ index = [
 "endgame-*",
 "logs-m365_defender.event-*",
 "logs-crowdstrike.fdr*",
+ "logs-sentinel_one_cloud_funnel.*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -58,9 +59,9 @@ DLL side-loading exploits the DLL search order to load malicious code into trust
 - Update and patch all software on the affected system, focusing on the trusted Microsoft programs identified in the alert, to mitigate vulnerabilities exploited by DLL side-loading.
 - Monitor the network for any signs of lateral movement or additional compromised systems, using the indicators of compromise identified during the investigation.
 - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems or data have been affected."""
-risk_score = 73
+risk_score = 47
 rule_id = "1160dcdb-0a0a-4a79-91d8-9b84616edebd"
-severity = "high"
+severity = "medium"
 tags = [
 "Domain: Endpoint",
 "OS: Windows",
@@ -73,35 +74,47 @@ tags = [ "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide", "Data Source: Crowdstrike", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and - process.pe.original_file_name in ("WinWord.exe", "EXPLORER.EXE", "w3wp.exe", "DISM.EXE") and - not process.executable : ("?:\\Windows\\explorer.exe", - "?:\\Windows\\SysWOW64\\explorer.exe", - "?:\\Program Files\\Microsoft Office\\root\\Office*\\WINWORD.EXE", - "?:\\Program Files (x86)\\Microsoft Office\\root\\Office*\\WINWORD.EXE", - "?:\\Windows\\System32\\Dism.exe", - "?:\\Windows\\SysWOW64\\Dism.exe", - "?:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\amd64\\DISM\\dism.exe", - "?:\\Windows\\System32\\inetsrv\\w3wp.exe", - "?:\\Windows\\SysWOW64\\inetsrv\\w3wp.exe") and + ( + process.name : ("WinWord.exe", "EXPLORER.EXE", "w3wp.exe", "DISM.EXE") or + ?process.pe.original_file_name : ("WinWord.exe", "EXPLORER.EXE", "w3wp.exe", "DISM.EXE") + ) and + not process.executable : ( + "\\\\?\\Volume{????????-????-????-????-????????????}\\Windows\\System32\\inetsrv\\w3wp.exe", + "?:\\PROGRA~?\\MICROS~?\\Office??\\winword.exe", + "?:\\Program Files\\Microsoft Office\\*\\winword.exe", + "?:\\Program Files\\Microsoft Office ??\\*\\winword.exe", + "?:\\Program Files\\WindowsApps\\Microsoft.Office.Desktop.*\\Office??\\winword.exe", + "?:\\Program Files (x86)\\Microsoft Office\\*\\winword.exe", + "?:\\Program Files (x86)\\Windows Kits\\*Assessment and Deployment Kit\\Deployment Tools\\amd64\\DISM\\dism.exe", + "?:\\Windows\\explorer.exe", + "?:\\Windows\\System32\\Dism.exe", + "?:\\Windows\\System32\\inetsrv\\w3wp.exe", + "?:\\Windows\\SysWOW64\\Dism.exe", + "?:\\Windows\\SysWOW64\\explorer.exe", + "?:\\Windows\\SysWOW64\\inetsrv\\w3wp.exe" + ) and /* Crowdstrike specific exclusion as it uses NT Object paths */ not ( 
data_stream.dataset == "crowdstrike.fdr" and process.executable : ( - "\\Device\\HarddiskVolume*\\Windows\\explorer.exe", - "\\Device\\HarddiskVolume*\\Windows\\SysWOW64\\explorer.exe", - "\\Device\\HarddiskVolume*\\Program Files\\Microsoft Office\\root\\Office*\\WINWORD.EXE", - "\\Device\\HarddiskVolume*\\Program Files (x86)\\Microsoft Office\\root\\Office*\\WINWORD.EXE", - "\\Device\\HarddiskVolume*\\Windows\\System32\\Dism.exe", - "\\Device\\HarddiskVolume*\\Windows\\SysWOW64\\Dism.exe", + "\\Device\\HarddiskVolume*\\Program Files\\Microsoft Office\\*\\winword.exe", + "\\Device\\HarddiskVolume*\\Program Files\\Microsoft Office ??\\*\\winword.exe", + "\\Device\\HarddiskVolume*\\Program Files\\WindowsApps\\Microsoft.Office.Desktop.*\\Office??\\winword.exe", + "\\Device\\HarddiskVolume*\\Program Files (x86)\\Microsoft Office\\*\\winword.exe", "\\Device\\HarddiskVolume*\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\amd64\\DISM\\dism.exe", - "\\Device\\HarddiskVolume*\\Windows\\System32\\inetsrv\\w3wp.exe", + "\\Device\\HarddiskVolume*\\Windows\\explorer.exe", + "\\Device\\HarddiskVolume*\\Windows\\System32\\Dism.exe", + "\\Device\\HarddiskVolume*\\Windows\\System32\\inetsrv\\w3wp.exe", + "\\Device\\HarddiskVolume*\\Windows\\SysWOW64\\Dism.exe", + "\\Device\\HarddiskVolume*\\Windows\\SysWOW64\\explorer.exe", "\\Device\\HarddiskVolume*\\Windows\\SysWOW64\\inetsrv\\w3wp.exe" ) )
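Review bot: The Crowdstrike exclusion block was not brought in line with the drive-letter list above it: its unchanged context line still carries the fixed `Windows Kits\\10\\Assessment and Deployment Kit` path, while the added non-Crowdstrike entry was generalized to `Windows Kits\\*Assessment and Deployment Kit`, and the block has no counterparts for the added `PROGRA~?\\MICROS~?` short-name form. Changing that context line to `"\\Device\\HarddiskVolume*\\Program Files (x86)\\Windows Kits\\*Assessment and Deployment Kit\\Deployment Tools\\amd64\\DISM\\dism.exe",` keeps the two lists equivalent. Separately, `?:\\Program Files\\Microsoft Office\\*\\winword.exe` is wider than the removed `root\\Office*\\WINWORD.EXE` because `*` also spans path separators, so any winword.exe anywhere under the Office tree is waived; that tree is normally writable only by administrators, so the residual risk is low, but it is worth a line in the rule `note`. Whether the newly added SentinelOne source reports drive-letter or NT object paths is not visible here, so I cannot judge from the hunk whether it needs its own exclusion block.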