security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

[Rule Tuning] Windows High Severity - 5 (#5096)

Browse Source 
* [Rule Tuning] Windows High Severity - 4

* Update privilege_escalation_windows_service_via_unusual_client.toml
This commit is contained in:
Jonhnathan
2025-09-15 09:29:37 -07:00
committed by GitHub
parent 76c73f84f6
commit 7bd9c52852
7 changed files with 35 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/credential_access_spn_attribute_modified.toml
+3 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2022/02/22"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/09/11"
[rule]
author = ["Elastic"]
@@ -58,7 +58,7 @@ references = [
"https://adsecurity.org/?p=280",
"https://github.com/OTRF/Set-AuditRule",
]
risk_score = 73
risk_score = 47
rule_id = "0b2f3da5-b5ec-47d1-908b-6ebb74814289"
setup = """## Setup
@@ -83,7 +83,7 @@ As this specifies the servicePrincipalName Attribute GUID, it is expected to be
Set-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success
```
"""
severity = "high"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Windows",
rules/windows/discovery_high_number_ad_properties.toml
+3 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2023/01/29"
integration = ["windows", "system"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/09/11"
[rule]
author = ["Elastic"]
@@ -49,7 +49,7 @@ LDAP (Lightweight Directory Access Protocol) is crucial for querying and modifyi
- Implement additional monitoring on LDAP queries and Active Directory access to detect similar patterns of excessive attribute queries in the future.
- Review and tighten access controls and permissions within Active Directory to ensure that only necessary attributes are accessible to users based on their roles.
- Conduct a post-incident review to identify any gaps in security controls and update policies or procedures to prevent recurrence of similar threats."""
risk_score = 73
risk_score = 21
rule_id = "68ad737b-f90a-4fe5-bda6-a68fa460044e"
setup = """The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:
@@ -63,7 +63,7 @@ Audit Policies >
DS Access >
Audit Directory Service Changes (Success,Failure)
"""
severity = "high"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Windows",
rules/windows/impact_high_freq_file_renames_by_kernel.toml
+4 -4
View File
@@ -2,7 +2,7 @@
creation_date = "2024/05/03"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/09/11"
[rule]
author = ["Elastic"]
@@ -59,9 +59,9 @@ note = """## Triage and analysis
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
references = ["https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/"]
risk_score = 73
risk_score = 21
rule_id = "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a"
severity = "high"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Windows",
@@ -115,5 +115,5 @@ reference = "https://attack.mitre.org/tactics/TA0008/"
[rule.threshold]
field = ["host.id", "file.name"]
value = 20
value = 25
rules/windows/privilege_escalation_exploit_cve_202238028.toml
+12 -2
View File
@@ -2,11 +2,13 @@
creation_date = "2024/04/23"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/08/26"
updated_date = "2025/09/11"
[rule]
author = ["Elastic"]
description = "Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.\n"
description = """
Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.
"""
from = "now-9m"
index = [
"logs-endpoint.events.file-*",
@@ -86,6 +88,14 @@ file where host.os.type == "windows" and event.type != "deletion" and
"?:\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js",
"\\Device\\HarddiskVolume*\\*\\Windows\\system32\\DriverStore\\FileRepository\\*\\MPDW-constraints.js",
"\\Device\\HarddiskVolume*\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js"
) and
not process.executable : (
"?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe",
"?:\\Windows\\System32\\taskhostw.exe"
) and
not file.path : (
"?:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSxS\\*\\MPDW-constraints.js",
"\\Device\\HarddiskVolume*\\$WINDOWS.~BT\\NewOS\\Windows\\WinSxS\\*\\MPDW-constraints.js"
)
'''
rules/windows/privilege_escalation_rogue_windir_environment_var.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/11/26"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/08/26"
updated_date = "2025/09/11"
[rule]
author = ["Elastic"]
@@ -81,7 +81,7 @@ type = "eql"
query = '''
registry where host.os.type == "windows" and event.type == "change" and
registry.value : ("windir", "systemroot") and
registry.value : ("windir", "systemroot") and registry.data.strings != null and
registry.path : (
"*\\Environment\\windir",
"*\\Environment\\systemroot"
rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
+3 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2020/03/17"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/09/01"
updated_date = "2025/09/11"
[transform]
[[transform.osquery]]
@@ -136,8 +136,8 @@ process where host.os.type == "windows" and event.type == "start" and
"?:\\Windows\\System32\\WerFault.exe",
/* Crowdstrike specific exclusion as it uses NT Object paths */
"?\\Device\\HarddiskVolume*\\Windows\\Sys?????\\mmc.exe",
"?\\Device\\HarddiskVolume*\\Windows\\Sys?????\\WerFault.exe"
"\\Device\\HarddiskVolume*\\Windows\\Sys?????\\mmc.exe",
"\\Device\\HarddiskVolume*\\Windows\\Sys?????\\WerFault.exe"
)
'''
rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
+8 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2022/02/07"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/06/19"
updated_date = "2025/09/11"
[rule]
author = ["Elastic"]
@@ -96,7 +96,13 @@ configuration where host.os.type == "windows" and
"?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe",
"?:\\Windows\\VeeamLogShipper\\VeeamLogShipper.exe",
"%SystemRoot%\\system32\\Drivers\\Crowdstrike\\*-CsInstallerService.exe",
"\"%windir%\\AdminArsenal\\PDQInventory-Scanner\\service-1\\PDQInventory-Scanner-1.exe\" "
"\"%windir%\\AdminArsenal\\PDQInventory-Scanner\\service-1\\PDQInventory-Scanner-1.exe\" ",
"\"%windir%\\AdminArsenal\\PDQDeployRunner\\service-1\\PDQDeployRunner-1.exe\" ",
"\"%windir%\\AdminArsenal\\PDQInventoryWakeCommand\\service-1\\PDQInventoryWakeCommand-1.exe\" ",
"\"%SystemRoot%\\nsnetpush.exe\"",
"\"C:\\WINDOWS\\ccmsetup\\ccmsetup.exe\" /runservice /ignoreskipupgrade /config:MobileClient.tcf",
"\"?:\\SMS\\bin\\x64\\srvboot.exe\"",
"%SystemRoot%\\pbpsdeploy.exe"
)
'''