From 7bd9c528522fd5cbfcdaa6e40e49e24bca71e1a4 Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Mon, 15 Sep 2025 09:29:37 -0700 Subject: [PATCH] [Rule Tuning] Windows High Severity - 5 (#5096) * [Rule Tuning] Windows High Severity - 4 * Update privilege_escalation_windows_service_via_unusual_client.toml --- .../credential_access_spn_attribute_modified.toml | 6 +++--- .../discovery_high_number_ad_properties.toml | 6 +++--- .../impact_high_freq_file_renames_by_kernel.toml | 8 ++++---- ...privilege_escalation_exploit_cve_202238028.toml | 14 ++++++++++++-- ...ge_escalation_rogue_windir_environment_var.toml | 4 ++-- ...ivilege_escalation_uac_bypass_event_viewer.toml | 6 +++--- ...alation_windows_service_via_unusual_client.toml | 10 ++++++++-- 7 files changed, 35 insertions(+), 19 deletions(-) diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml index a06b4dba8..3481887f4 100644 --- a/rules/windows/credential_access_spn_attribute_modified.toml +++ b/rules/windows/credential_access_spn_attribute_modified.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/22" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/09/11" [rule] author = ["Elastic"] @@ -58,7 +58,7 @@ references = [ "https://adsecurity.org/?p=280", "https://github.com/OTRF/Set-AuditRule", ] -risk_score = 73 +risk_score = 47 rule_id = "0b2f3da5-b5ec-47d1-908b-6ebb74814289" setup = """## Setup @@ -83,7 +83,7 @@ As this specifies the servicePrincipalName Attribute GUID, it is expected to be Set-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success ``` """ -severity = "high" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Windows", 
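Review bot: The 73/high → 47/medium downgrade in the `risk_score` and `severity` hunks lowers this rule's alert priority without any change to its query or exclusions, and neither the rule text nor the patch records the false-positive evidence behind it; the same applies to the 73 → 21 / high → low drops in discovery_high_number_ad_properties.toml and impact_high_freq_file_renames_by_kernel.toml (the latter also raises `[rule.threshold] value` from 20 to 25 in the same pass). The paired values are internally consistent, so this is a documentation point only. A sentence in the commit body naming the noisy source, or a bullet in the rule's triage note along the lines of `- Severity lowered on 2025/09/11 after recurring alerts from <benign source — placeholder>; revisit if that source is retired.`, would let a later tuner judge whether the original severity should be restored.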
diff --git a/rules/windows/discovery_high_number_ad_properties.toml b/rules/windows/discovery_high_number_ad_properties.toml index 52bb2e236..374301eb3 100644 --- a/rules/windows/discovery_high_number_ad_properties.toml +++ b/rules/windows/discovery_high_number_ad_properties.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/29" integration = ["windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/09/11" [rule] author = ["Elastic"] @@ -49,7 +49,7 @@ LDAP (Lightweight Directory Access Protocol) is crucial for querying and modifyi - Implement additional monitoring on LDAP queries and Active Directory access to detect similar patterns of excessive attribute queries in the future. - Review and tighten access controls and permissions within Active Directory to ensure that only necessary attributes are accessible to users based on their roles. - Conduct a post-incident review to identify any gaps in security controls and update policies or procedures to prevent recurrence of similar threats.""" -risk_score = 73 +risk_score = 21 rule_id = "68ad737b-f90a-4fe5-bda6-a68fa460044e" setup = """The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration: @@ -63,7 +63,7 @@ Audit Policies > DS Access > Audit Directory Service Changes (Success,Failure) """ -severity = "high" +severity = "low" tags = [ "Domain: Endpoint", "OS: Windows", diff --git a/rules/windows/impact_high_freq_file_renames_by_kernel.toml b/rules/windows/impact_high_freq_file_renames_by_kernel.toml index 78cbf5a0c..2853cc93f 100644 --- a/rules/windows/impact_high_freq_file_renames_by_kernel.toml +++ b/rules/windows/impact_high_freq_file_renames_by_kernel.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/05/03" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/09/11" [rule] author = ["Elastic"] @@ -59,9 +59,9 @@ note = """## Triage and analysis - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = ["https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/"] -risk_score = 73 +risk_score = 21 rule_id = "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a" -severity = "high" +severity = "low" tags = [ "Domain: Endpoint", "OS: Windows", @@ -115,5 +115,5 @@ reference = "https://attack.mitre.org/tactics/TA0008/" [rule.threshold] field = ["host.id", "file.name"] -value = 20 +value = 25 diff --git a/rules/windows/privilege_escalation_exploit_cve_202238028.toml b/rules/windows/privilege_escalation_exploit_cve_202238028.toml index 663bda50a..7ce547320 100644 --- a/rules/windows/privilege_escalation_exploit_cve_202238028.toml +++ b/rules/windows/privilege_escalation_exploit_cve_202238028.toml @@ -2,11 +2,13 @@ creation_date = "2024/04/23" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2025/09/11" [rule] author = ["Elastic"] -description = "Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.\n" +description = """ +Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution. +""" from = "now-9m" index = [ "logs-endpoint.events.file-*", 
@@ -86,6 +88,14 @@ file where host.os.type == "windows" and event.type != "deletion" and "?:\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js", "\\Device\\HarddiskVolume*\\*\\Windows\\system32\\DriverStore\\FileRepository\\*\\MPDW-constraints.js", "\\Device\\HarddiskVolume*\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js" + ) and + not process.executable : ( + "?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe", + "?:\\Windows\\System32\\taskhostw.exe" + ) and + not file.path : ( + "?:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSxS\\*\\MPDW-constraints.js", + "\\Device\\HarddiskVolume*\\$WINDOWS.~BT\\NewOS\\Windows\\WinSxS\\*\\MPDW-constraints.js" ) ''' diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml index 19317073d..e411a855b 100644 --- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml +++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/26" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2025/09/11" [rule] author = ["Elastic"] @@ -81,7 +81,7 @@ type = "eql" query = ''' registry where host.os.type == "windows" and event.type == "change" and -registry.value : ("windir", "systemroot") and +registry.value : ("windir", "systemroot") and registry.data.strings != null and registry.path : ( "*\\Environment\\windir", "*\\Environment\\systemroot" diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml index b5f0bffe2..c9cd1c4a1 100644 --- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml +++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml 
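Review bot: The two added `not` clauses are independent, so any write by `?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe` or `?:\\Windows\\System32\\taskhostw.exe` to the original live DriverStore/WinSxS paths is now excluded as well, not only the upgrade-staging writes under `$WINDOWS.~BT\\NewOS`; if the observed noise is limited to the staging writes, pairing the process and path conditions (below) keeps coverage on the live paths. Both exclusions are keyed on `process.executable` alone, and the `?:` drive wildcard accepts the SetupHost.exe path on any volume, so the allowlist is only as strong as that path string; if the file event source carries the writer's code-signature fields for these integrations, gating the exclusion on them would be tighter (I cannot tell from the hunk whether they are populated). The opening `file where` clause of the query is outside the hunk.
```toml
/* … unchanged: file where … and the MPDW-constraints.js path list … */
  ) and
  not (
    process.executable : (
      "?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe",
      "?:\\Windows\\System32\\taskhostw.exe"
    ) and
    file.path : (
      "?:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSxS\\*\\MPDW-constraints.js",
      "\\Device\\HarddiskVolume*\\$WINDOWS.~BT\\NewOS\\Windows\\WinSxS\\*\\MPDW-constraints.js"
    )
  )
'''
```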
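Review bot: The added `registry.data.strings != null` in privilege_escalation_rogue_windir_environment_var.toml drops every `change` event whose string payload is absent, which for any listed source that does not populate that field removes the rule's coverage from that source entirely rather than just the noise; the rule's integrations include m365_defender, sentinel_one_cloud_funnel and crowdstrike alongside endpoint, and nothing in the hunk shows that all of them fill `registry.data.strings` for REG_SZ/REG_EXPAND_SZ writes. Worth confirming against a sample event from each source before merging, and stating the intent on the line, e.g. `registry.data.strings != null and /* value was set, not cleared */`. The `registry where` query continues past the hunk.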
@@ -2,7 +2,7 @@ creation_date = "2020/03/17" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/01" +updated_date = "2025/09/11" [transform] [[transform.osquery]] @@ -136,8 +136,8 @@ process where host.os.type == "windows" and event.type == "start" and "?:\\Windows\\System32\\WerFault.exe", /* Crowdstrike specific exclusion as it uses NT Object paths */ - "?\\Device\\HarddiskVolume*\\Windows\\Sys?????\\mmc.exe", - "?\\Device\\HarddiskVolume*\\Windows\\Sys?????\\WerFault.exe" + "\\Device\\HarddiskVolume*\\Windows\\Sys?????\\mmc.exe", + "\\Device\\HarddiskVolume*\\Windows\\Sys?????\\WerFault.exe" ) ''' diff --git a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml index 67ad617f9..5bbc32c2c 100644 --- a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml +++ b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/07" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/06/19" +updated_date = "2025/09/11" [rule] author = ["Elastic"] 
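Review bot: The corrected `"\\Device\\HarddiskVolume*\\Windows\\Sys?????\\mmc.exe"` / `WerFault.exe` patterns look right: the removed leading `?` demanded exactly one character before `\Device`, and NT object paths begin with that backslash, so the CrowdStrike exclusion was a no-op unless the source prefixes the path with a character, which would be unusual. Because the `/* Crowdstrike specific exclusion as it uses NT Object paths */` entry is a shared idiom, other rules may still carry the `"?\\Device\\HarddiskVolume*` form; a repository search for that prefix would catch them in the same tuning pass. The `process where` query begins before this hunk.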
@@ -96,7 +96,13 @@ configuration where host.os.type == "windows" and "?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe", "?:\\Windows\\VeeamLogShipper\\VeeamLogShipper.exe", "%SystemRoot%\\system32\\Drivers\\Crowdstrike\\*-CsInstallerService.exe", - "\"%windir%\\AdminArsenal\\PDQInventory-Scanner\\service-1\\PDQInventory-Scanner-1.exe\" " + "\"%windir%\\AdminArsenal\\PDQInventory-Scanner\\service-1\\PDQInventory-Scanner-1.exe\" ", + "\"%windir%\\AdminArsenal\\PDQDeployRunner\\service-1\\PDQDeployRunner-1.exe\" ", + "\"%windir%\\AdminArsenal\\PDQInventoryWakeCommand\\service-1\\PDQInventoryWakeCommand-1.exe\" ", + "\"%SystemRoot%\\nsnetpush.exe\"", + "\"C:\\WINDOWS\\ccmsetup\\ccmsetup.exe\" /runservice /ignoreskipupgrade /config:MobileClient.tcf", + "\"?:\\SMS\\bin\\x64\\srvboot.exe\"", + "%SystemRoot%\\pbpsdeploy.exe" ) '''
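Review bot: The new `"\"C:\\WINDOWS\\ccmsetup\\ccmsetup.exe\" /runservice /ignoreskipupgrade /config:MobileClient.tcf"` entry hard-codes the drive letter, while every other entry in this list uses `?:`, `%SystemRoot%` or `%windir%`; on a host whose system volume is not C: the ConfigMgr client service install still alerts. `"\"?:\\WINDOWS\\ccmsetup\\ccmsetup.exe\" /runservice /ignoreskipupgrade /config:MobileClient.tcf"` follows the list's convention, and since `:` compares case-insensitively the `WINDOWS` casing is not a concern. The remaining additions are exact matches on the registered service image string, which is the model the existing list already uses. The `configuration where` query starts before this hunk.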