[Rule Tuning] Windows Misc Tuning (#5382)

* [Rule Tuning] Windows Misc Tuning * Update execution_suspicious_powershell_imgload.toml * I need some coffee
2025-12-01 12:28:25 -03:00
parent bcd1b5049a
commit 85a9c7180d
7 changed files with 83 additions and 31 deletions
@@ -2,7 +2,7 @@
 creation_date = "2020/11/04"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/11/04"
+updated_date = "2025/12/01"

 [transform]
 [[transform.investigate]]
@@ -291,8 +291,9 @@ network where host.os.type == "windows" and
       dns.question.name : ("*.sharepoint.com", "graph.microsoft.com", "g.live.com", "login.live.com")
      ) or

-      (process.code_signature.subject_name : "Python Software Foundation" and process.code_signature.trusted == true and
-       dns.question.name : "files.pythonhosted.org") or 
+      (process.code_signature.subject_name : ("Python Software Foundation", "Anaconda, Inc.") and
+       process.code_signature.trusted == true and dns.question.name : "files.pythonhosted.org"
+      ) or

      /* Zoom */
      (process.name : "Zoom.exe" and (process.code_signature.subject_name : "Zoom Video Communications, Inc." and
@@ -2,7 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/09/18"
+updated_date = "2025/12/01"

 [rule]
 author = ["Elastic"]
@@ -97,7 +97,7 @@ host.os.type:windows and event.category:library and
    process.code_signature.trusted:true
  ) and
  not (
-    process.executable: C\:\\Windows\\Temp\\\{*\}\\_is*.exe and
+    process.name: (_is*.exe or "DellInstaller_x64.exe") and
    process.code_signature.subject_name:("Dell Technologies Inc." or "Dell Inc" or "Dell Inc.") and
    process.code_signature.trusted:true
  ) and
@@ -106,6 +106,11 @@ host.os.type:windows and event.category:library and
    process.code_signature.subject_name:("Chocolatey Software, Inc." or "Chocolatey Software, Inc") and
    process.code_signature.trusted:true
  ) and
+  not (
+    process.name: "Docker Desktop Installer.exe" and
+    process.code_signature.subject_name:"Docker Inc" and
+    process.code_signature.trusted:true
+  ) and
  not process.executable : (
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" or
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
@@ -2,7 +2,7 @@
 creation_date = "2023/08/22"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
 maturity = "production"
-updated_date = "2025/05/05"
+updated_date = "2025/12/01"

 [rule]
 author = ["Elastic"]
@@ -84,7 +84,24 @@ file where host.os.type == "windows" and event.type : "creation" and
    not
    (
      process.name : "firefox.exe" and
-      file.name : ("langpack-*@firefox.mozilla.org.xpi", "*@dictionaries.addons.mozilla.org.xpi")
+      file.name : (
+        "langpack-*@firefox.mozilla.org.xpi",
+        "*@dictionaries.addons.mozilla.org.xpi",
+        "newtab@mozilla.org.xpi",
+        "uBlock0@raymondhill.net.xpi",
+        /* AdBlockPlus */
+        "{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi",
+        /* Bitwarden */
+        "{446900e4-71c2-419f-a6a7-df9c091e268b}.xpi",
+        "addon@darkreader.org.xpi",
+        /* 1Password */
+        "{d634138d-c276-4fc8-924b-40a0ea21d284}.xpi",
+        "support@lastpass.com.xpi",
+        /* Grammarly */
+        "87677a2c52b84ad3a151a4a72f5bd3c4@jetpack.xpi",
+        "sentinelone_visibility@sentinelone.com.xpi",
+        "keepassxc-browser@keepassxc.org.xpi"
+      )
    )
  ) or
  /* Chromium-Based Browsers */
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/01"

 [rule]
 author = ["Elastic"]
@@ -85,7 +85,17 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and
  process.args : "?*" and
  not (process.args : "-m" and process.args : "-bg") and
-  not process.args : "-mm"
+  not process.args : (
+    "-mm",
+    "?:\\Program Files\\WindowsApps\\Microsoft.ApplicationCompatibilityEnhancements_*\\sdb\\sysMergeInboxStoreApp.sdb",
+    "\"?:\\Program Files\\WindowsApps\\Microsoft.ApplicationCompatibilityEnhancements_*\\sdb\\sysMergeInboxStoreApp.sdb\"",
+    "?:\\Program Files\\WindowsApps\\Microsoft.ApplicationCompatibilityEnhancements_*\\sdb\\msiMergeInboxStoreApp.sdb",
+    "\"?:\\Program Files\\WindowsApps\\Microsoft.ApplicationCompatibilityEnhancements_*\\sdb\\msiMergeInboxStoreApp.sdb\"",
+    "?:\\Program Files (x86)\\Citrix\\ICA Client\\CitrixWorkspaceLegacySWDA.sdb",
+    "Citrix Workspace",
+    "C:\\Program Files\\IIS Express\\iisexpressshim.sdb",
+    "C:\\Program Files (x86)\\IIS Express\\iisexpressshim.sdb"
+  )
 '''


@@ -2,13 +2,14 @@
 creation_date = "2022/10/20"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/01"

 [rule]
 author = ["Elastic"]
 description = """
-Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries
-may create a new process with a different token to escalate privileges and bypass access controls.
+Identifies a process running with a non-SYSTEM account that enables the SeDebugPrivilege privilege. Adversaries may
+enable this privilege to debug and modify other processes, typically reserved for system-level tasks, to escalate
+privileges and bypass access controls.
 """
 from = "now-9m"
 index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
@@ -94,21 +95,26 @@ any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Secur
 /* exclude processes with System Integrity  */
 not winlog.event_data.SubjectUserSid : ("S-1-5-18", "S-1-5-19", "S-1-5-20") and

- not winlog.event_data.ProcessName :
-         ("?:\\Windows\\System32\\msiexec.exe",
-          "?:\\Windows\\SysWOW64\\msiexec.exe",
-          "?:\\Windows\\System32\\lsass.exe",
-          "?:\\Windows\\WinSxS\\*",
-          "?:\\Program Files\\*",
-          "?:\\Program Files (x86)\\*",
-          "?:\\Windows\\System32\\MRT.exe",
-          "?:\\Windows\\System32\\cleanmgr.exe",
-          "?:\\Windows\\System32\\taskhostw.exe",
-          "?:\\Windows\\System32\\mmc.exe",
-          "?:\\Users\\*\\AppData\\Local\\Temp\\*-*\\DismHost.exe",
-          "?:\\Windows\\System32\\auditpol.exe",
-          "?:\\Windows\\System32\\wbem\\WmiPrvSe.exe",
-          "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSe.exe")
+ not winlog.event_data.ProcessName : (
+        "?:\\Program Files (x86)\\*",
+        "?:\\Program Files\\*",
+        "?:\\Users\\*\\AppData\\Local\\Temp\\*-*\\DismHost.exe",
+        "?:\\Windows\\System32\\auditpol.exe",
+        "?:\\Windows\\System32\\cleanmgr.exe",
+        "?:\\Windows\\System32\\lsass.exe",
+        "?:\\Windows\\System32\\mmc.exe",
+        "?:\\Windows\\System32\\MRT.exe",
+        "?:\\Windows\\System32\\msiexec.exe",
+        "?:\\Windows\\System32\\sdiagnhost.exe",
+        "?:\\Windows\\System32\\ServerManager.exe",
+        "?:\\Windows\\System32\\taskhostw.exe",
+        "?:\\Windows\\System32\\wbem\\WmiPrvSe.exe",
+        "?:\\Windows\\System32\\WerFault.exe",
+        "?:\\Windows\\SysWOW64\\msiexec.exe",
+        "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSe.exe",
+        "?:\\Windows\\SysWOW64\\WerFault.exe",
+        "?:\\Windows\\WinSxS\\*"
+    )
 '''


@@ -2,7 +2,7 @@
 creation_date = "2021/07/06"
 integration = ["endpoint", "windows", "system", "crowdstrike", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2025/08/28"
+updated_date = "2025/12/01"

 [rule]
 author = ["Elastic"]
@@ -105,10 +105,22 @@ process where host.os.type == "windows" and event.type == "start" and
 not process.executable : (
    "?:\\Program Files (x86)\\CutePDF Writer\\CPWriter2.exe",
    "?:\\Program Files (x86)\\GPLGS\\gswin32c.exe",
+    "?:\\Program Files (x86)\\Acro Software\\CutePDF Writer\\CPWSave.exe",
+    "?:\\Program Files (x86)\\Acro Software\\CutePDF Writer\\CPWriter2.exe",
+    "?:\\Program Files (x86)\\CutePDF Writer\\CPWSave.exe",
+    "?:\\Program Files (x86)\\TSplus\\UniversalPrinter\\CPWriter2.exe",
+    "?:\\Program Files\\Seagull\\Printer Drivers\\Packages\\*\\DriverEnvironmentSetup.exe",
+    "?:\\Windows\\system32\\CNAB4RPD.EXE",

    /* Crowdstrike specific condition as it uses NT Object paths */
    "\\Device\\HarddiskVolume*\\Program Files (x86)\\CutePDF Writer\\CPWriter2.exe",
-    "\\Device\\HarddiskVolume*\\Program Files (x86)\\GPLGS\\gswin32c.exe"
+    "\\Device\\HarddiskVolume*\\Program Files (x86)\\GPLGS\\gswin32c.exe",
+    "\\Device\\HarddiskVolume*\\Program Files (x86)\\Acro Software\\CutePDF Writer\\CPWSave.exe",
+    "\\Device\\HarddiskVolume*\\Program Files (x86)\\Acro Software\\CutePDF Writer\\CPWriter2.exe",
+    "\\Device\\HarddiskVolume*\\Program Files (x86)\\CutePDF Writer\\CPWSave.exe",
+    "\\Device\\HarddiskVolume*\\Program Files (x86)\\TSplus\\UniversalPrinter\\CPWriter2.exe",
+    "\\Device\\HarddiskVolume*\\Program Files\\Seagull\\Printer Drivers\\Packages\\*\\DriverEnvironmentSetup.exe",
+    "\\Device\\HarddiskVolume*\\Windows\\system32\\CNAB4RPD.EXE"
 )
 '''

@@ -2,7 +2,7 @@
 creation_date = "2022/10/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/01"

 [rule]
 author = ["Elastic"]
@@ -58,7 +58,8 @@ process where host.os.type == "windows" and event.action == "start" and
 not (process.parent.executable : "?:\\Windows\\System32\\Utilman.exe" and
     process.executable : ("?:\\Windows\\System32\\osk.exe",
                           "?:\\Windows\\System32\\Narrator.exe",
-                           "?:\\Windows\\System32\\Magnify.exe")) and
+                           "?:\\Windows\\System32\\Magnify.exe",
+                           "?:\\Windows\\System32\\VoiceAccess.exe")) and

 not process.parent.executable : "?:\\Windows\\System32\\AtBroker.exe" and