diff --git a/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml b/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml
index f965def16..e4fc7fc59 100644
--- a/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml
+++ b/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: process.Ext.effective_parent.executable, process.Ext.effective_parent.name, process.Ext.relative_file_creation_time, process.Ext.relative_file_name_modify_time"
 min_stack_version = "8.4.0"
-updated_date = "2023/10/02"
+updated_date = "2024/01/15"
 [rule]
 author = ["Elastic"]
@@ -49,7 +49,12 @@ process where host.os.type == "windows" and event.action == "start" and
 process.command_line : ("*davclnt.dll,DavSetCookie*", "*?:\\Program Files*", "*\\Windows\\System32\\winethc.dll*", "*\\Windows\\SYSTEM32\\EDGEHTML.dll*", "*shell32.dll,SHCreateLocalServerRunDll*")) and
- not startswith~(process.Ext.effective_parent.name, process.parent.name)
+ not startswith~(process.Ext.effective_parent.name, process.parent.name) and
+ not (process.name : "powershell.exe" and process.parent.name : "wmiprvse.exe" and process.Ext.effective_parent.executable : "?:\\Windows\\System32\\wsmprovhost.exe") and
+ not (process.Ext.effective_parent.executable : "?:\\Windows\\System32\\RuntimeBroker.exe" and process.parent.executable : "?:\\Windows\\System32\\sihost.exe") and
+ not (process.Ext.effective_parent.executable : "?:\\Windows\\System32\\sethc.exe" and process.parent.executable : "?:\\Windows\\System32\\svchost.exe") and
+ not (process.Ext.effective_parent.executable : "?:\\Windows\\explorer.exe" and
+ process.parent.executable : ("?:\\Windows\\System32\\svchost.exe", "?:\\Windows\\System32\\msiexec.exe", "?:\\Windows\\twain_32\\*.exe"))
 '''
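Review bot: The new clause `not (process.Ext.effective_parent.executable : "?:\\Windows\\System32\\sethc.exe" and process.parent.executable : "?:\\Windows\\System32\\svchost.exe")` suppresses every elevated child whose token came from the Sticky Keys binary, and sethc.exe is a frequent target of accessibility-feature hijacks (ATT&CK T1546.008), so a process inheriting its token could plausibly fall into this exclusion; confirming from telemetry which benign child produces the false positive and naming it would keep that coverage. A narrower shape is to constrain the child inside that `not (...)`, e.g. `process.code_signature.subject_name : "Microsoft Windows" and process.code_signature.trusted == true`. The `"?:\\Windows\\twain_32\\*.exe"` entry in the explorer.exe exclusion likewise admits any executable in that directory rather than a named binary. The `process.command_line` context above the change and the opening of the `query` block are outside this hunk.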
diff --git a/rules/windows/privilege_escalation_make_token_local.toml b/rules/windows/privilege_escalation_make_token_local.toml
index 51154ffc7..1d7c3bc6f 100644
--- a/rules/windows/privilege_escalation_make_token_local.toml
+++ b/rules/windows/privilege_escalation_make_token_local.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/12/04"
+updated_date = "2024/01/15"
 [rule]
 author = ["Elastic"]
@@ -39,13 +39,16 @@ query = '''
 authentication where host.os.type : "windows" and winlog.event_data.LogonProcessName : "Advapi*" and winlog.logon.type == "Interactive" and winlog.event_data.SubjectUserSid : ("S-1-5-21*", "S-1-12-*") and
- winlog.event_data.TargetUserSid : ("S-1-5-21*", "S-1-12-*") and
+ winlog.event_data.TargetUserSid : ("S-1-5-21*", "S-1-12-*") and process.executable : "C:\\*" and
 not startswith~(winlog.event_data.SubjectUserSid, winlog.event_data.TargetUserSid) and not process.executable : ("?:\\Windows\\System32\\winlogon.exe", "?:\\Windows\\System32\\wininit.exe",
- "?:\\Program Files\\Okta\\Okta Verify\\OktaVerify.exe",
- "?:\\Program Files (x86)\\Okta\\Okta Verify\\OktaVerify.exe")
+ "?:\\Program Files\\*.exe",
+ "?:\\Program Files (x86)\\*.exe",
+ "?:\\Windows\\SysWOW64\\inetsrv\\w3wp.exe",
+ "?:\\Windows\\System32\\inetsrv\\w3wp.exe",
+ "?:\\Windows\\SysWOW64\\msiexec.exe")
 '''
diff --git a/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
index 7db1faf21..d8b013c2e 100644
--- a/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
+++ b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
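Review bot: In privilege_escalation_make_token_local.toml the exclusion list now carries `"?:\\Program Files\\*.exe"` and `"?:\\Program Files (x86)\\*.exe"`, which replaces two named Okta Verify binaries with every executable under both Program Files trees, so an interactive Advapi logon to a different local user started from any third-party install directory no longer alerts. These are Security-log authentication events, so no code-signature field is available to compensate; the safer shape is vendor-scoped paths such as `"?:\\Program Files\\Okta\\*.exe"`, extended per confirmed false positive. The new positive filter `process.executable : "C:\\*"` also pins the drive letter while every exclusion uses `?:`, which silently drops events whose executable lives on another system drive and reads as inconsistent; `process.executable : "?:\\*"` (or `process.executable != null`, if the intent is only to require a process) would match the rest of the query. The opening of the `query` block and the lines after the closing `'''` are outside this hunk.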
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
 min_stack_version = "8.4.0"
-updated_date = "2023/11/15"
+updated_date = "2024/01/15"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.category:"authentication" and host.os.type:"windows" and winlog.logon.type:"NewCredentials" and winlog.event_data.LogonProcessName:(Advapi* or "Advapi ")
+event.category:"authentication" and host.os.type:"windows" and winlog.logon.type:"NewCredentials" and winlog.event_data.LogonProcessName:(Advapi* or "Advapi ") and not winlog.event_data.SubjectUserName:*$ and not process.executable :???\\Program?Files*
 '''
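Review bot: The added `not process.executable :???\\Program?Files*` is hard to read and its match is not obvious: if `\\` is an escaped backslash and `?` a single-character wildcard here, the pattern expects three arbitrary characters and then a backslash before `Program`, whereas `C:\Program Files\...` has only three characters before `Program`, so it may not suppress the paths it appears to target; verify it against sample events and, if `?` is not a wildcard in this KQL dialect, rewrite the drive prefix and the space explicitly. Whatever the resolved form, record the intended match in the rule's `false_positives` entries so the next maintainer does not have to re-derive it. The `not winlog.event_data.SubjectUserName:*$` clause removes every computer-account subject, which means NewCredentials logons initiated from a SYSTEM or service context drop out of the new-terms baseline; that is a deliberate false-positive trade-off worth stating in `false_positives` too, since analysts will otherwise assume that vantage point is covered. The closing `'''` is this hunk's last line; the rule fields after it are outside the hunk.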