[Rule Tuning] Component Object Model Hijacking (#2730)

rules/windows/persistence_suspicious_com_hijack_registry.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/04/20"
 
 [rule]
 author = ["Elastic"]
@@ -75,40 +75,43 @@ type = "eql"
 
 query = '''
 registry where host.os.type == "windows" and
- /* not necessary but good for filtering privileged installations */
- user.domain != "NT AUTHORITY" and
+  /* not necessary but good for filtering privileged installations */
+  user.domain != "NT AUTHORITY" and
+  (
+    (
+      registry.path : ("HK*\\InprocServer32\\", "\\REGISTRY\\*\\InprocServer32\\") and
+      registry.data.strings: ("scrobj.dll", "C:\\*\\scrobj.dll") and
+      not registry.path : "*\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\*"
+    ) or
 
-(
-  (registry.path : ("HK*\\InprocServer32\\", "\\REGISTRY\\*\\InprocServer32\\") and
-  registry.data.strings: ("scrobj.dll", "C:\\*\\scrobj.dll") and
-  not registry.path : "*\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\*") or
-
-  /* in general COM Registry changes on Users Hive is less noisy and worth alerting */
-  (registry.path : (
-      "HKEY_USERS\\*\\InprocServer32\\*",
-      "HKEY_USERS\\*\\LocalServer32\\*",
-      "HKEY_USERS\\*\\DelegateExecute\\*",
-      "HKEY_USERS\\*\\TreatAs\\*",
-      "HKEY_USERS\\*\\ScriptletURL\\*",
-      "\\REGISTRY\\USER\\*\\InprocServer32\\*",
-      "\\REGISTRY\\USER\\*\\LocalServer32\\*",
-      "\\REGISTRY\\USER\\*\\DelegateExecute\\*",
-      "\\REGISTRY\\USER\\*\\TreatAs\\*",
-      "\\REGISTRY\\USER\\*\\ScriptletURL\\*"
-  ) and not 
-  (process.executable : "?:\\Program Files*\\Veeam\\Backup and Replication\\Console\\veeam.backup.shell.exe" and
-    registry.path : (
-      "HKEY_USERS\\S-1-*_Classes\\CLSID\\*\\LocalServer32\\",
-      "\\REGISTRY\\USER\\S-1-*_Classes\\CLSID\\*\\LocalServer32\\"))
-  ) or
-
-  (registry.path : ("HKLM\\*\\InProcServer32\\*", "\\REGISTRY\\MACHINE\\*\\InProcServer32\\*") and
-   registry.data.strings : ("*\\Users\\*", "*\\ProgramData\\*"))
+    /* in general COM Registry changes on Users Hive is less noisy and worth alerting */
+    (registry.path : (
+        "HKEY_USERS\\*\\InprocServer32\\",
+        "HKEY_USERS\\*\\LocalServer32\\",
+        "HKEY_USERS\\*\\DelegateExecute*",
+        "HKEY_USERS\\*\\TreatAs*",
+        "HKEY_USERS\\*\\ScriptletURL*",
+        "\\REGISTRY\\USER\\*\\InprocServer32\\",
+        "\\REGISTRY\\USER\\*\\LocalServer32\\",
+        "\\REGISTRY\\USER\\*\\DelegateExecute*",
+        "\\REGISTRY\\USER\\*\\TreatAs*", 
+        "\\REGISTRY\\USER\\*\\ScriptletURL*"
+    ) and not 
+    (
+      process.executable : "?:\\Program Files*\\Veeam\\Backup and Replication\\Console\\veeam.backup.shell.exe" and
+        registry.path : (
+          "HKEY_USERS\\S-1-*_Classes\\CLSID\\*\\LocalServer32\\",
+          "\\REGISTRY\\USER\\S-1-*_Classes\\CLSID\\*\\LocalServer32\\"))
+    ) or
 
+    (
+      registry.path : ("HKLM\\*\\InProcServer32\\*", "\\REGISTRY\\MACHINE\\*\\InProcServer32\\*") and
+        registry.data.strings : ("*\\Users\\*", "*\\ProgramData\\*")
+    )
   ) and
 
   /* removes false-positives generated by OneDrive and Teams */
-  not process.name : ("OneDrive.exe","OneDriveSetup.exe","FileSyncConfig.exe","Teams.exe") and
+  not process.name: ("OneDrive.exe", "OneDriveSetup.exe", "FileSyncConfig.exe", "Teams.exe") and
 
   /* Teams DLL loaded by regsvr */
   not (process.name: "regsvr32.exe" and registry.data.strings : "*Microsoft.Teams.*.dll")