From 85a9c7180d65c54152feb891897a9ff96f326d96 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Mon, 1 Dec 2025 12:28:25 -0300
Subject: [PATCH] [Rule Tuning] Windows Misc Tuning (#5382)
* [Rule Tuning] Windows Misc Tuning
* Update execution_suspicious_powershell_imgload.toml
* I need some coffee
---
 ...ommand_and_control_common_webservices.toml | 7 ++--
 ...ecution_suspicious_powershell_imgload.toml | 9 +++-
 ...persistence_browser_extension_install.toml | 21 +++++++++-
 .../persistence_via_application_shimming.toml | 14 ++++++-
 ...lation_tokenmanip_sedebugpriv_enabled.toml | 42 +++++++++++--------
 ...ion_unusual_printspooler_childprocess.toml | 16 ++++++-
 ...rivilege_escalation_via_ppid_spoofing.toml | 5 ++-
 7 files changed, 83 insertions(+), 31 deletions(-)
diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml
index 89cc18353..a7c4d44ff 100644
--- a/rules/windows/command_and_control_common_webservices.toml
+++ b/rules/windows/command_and_control_common_webservices.toml
@@ -2,7 +2,7 @@ creation_date = "2020/11/04"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/11/04"
+updated_date = "2025/12/01"
 [transform]
 [[transform.investigate]]
@@ -291,8 +291,9 @@ network where host.os.type == "windows" and
 dns.question.name : ("*.sharepoint.com", "graph.microsoft.com", "g.live.com", "login.live.com")
 ) or
- (process.code_signature.subject_name : "Python Software Foundation" and process.code_signature.trusted == true and
- dns.question.name : "files.pythonhosted.org") or
+ (process.code_signature.subject_name : ("Python Software Foundation", "Anaconda, Inc.") and
+ process.code_signature.trusted == true and dns.question.name : "files.pythonhosted.org"
+ ) or
 /* Zoom */
 (process.name : "Zoom.exe" and (process.code_signature.subject_name : "Zoom Video Communications, Inc." and
diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml
index c3caef814..e0c4768eb 100644
--- a/rules/windows/execution_suspicious_powershell_imgload.toml
+++ b/rules/windows/execution_suspicious_powershell_imgload.toml
@@ -2,7 +2,7 @@ creation_date = "2020/11/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/09/18"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
@@ -97,7 +97,7 @@ host.os.type:windows and event.category:library and
 process.code_signature.trusted:true
 ) and
 not (
- process.executable: C\:\\Windows\\Temp\\\{*\}\\_is*.exe and
+ process.name: (_is*.exe or "DellInstaller_x64.exe") and
 process.code_signature.subject_name:("Dell Technologies Inc." or "Dell Inc" or "Dell Inc.") and
 process.code_signature.trusted:true
 ) and
@@ -106,6 +106,11 @@ host.os.type:windows and event.category:library and
 process.code_signature.subject_name:("Chocolatey Software, Inc." or "Chocolatey Software, Inc") and
 process.code_signature.trusted:true
 ) and
+ not (
+ process.name: "Docker Desktop Installer.exe" and
+ process.code_signature.subject_name:"Docker Inc" and
+ process.code_signature.trusted:true
+ ) and
 not process.executable : (
 "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" or
 "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rules/windows/persistence_browser_extension_install.toml b/rules/windows/persistence_browser_extension_install.toml
index 5f3a422b4..2141ad620 100644
--- a/rules/windows/persistence_browser_extension_install.toml
+++ b/rules/windows/persistence_browser_extension_install.toml
@@ -2,7 +2,7 @@ creation_date = "2023/08/22"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
 maturity = "production"
-updated_date = "2025/05/05"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
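Review bot: The Dell exclusion in the first hunk (`@@ -97,7 +97,7 @@`) now keys on `process.name: (_is*.exe or "DellInstaller_x64.exe")` and drops the former `C:\Windows\Temp\{...}\` location constraint, so any trusted Dell-signed binary whose name starts with `_is` is exempt wherever it runs, not only the InstallShield extraction under Temp that the old line targeted. The trusted-signature check remains the real anchor, so this is probably acceptable, but the commit message does not say whether the path anchor was dropped on purpose; if it was not, the `_is*` entry could keep `process.executable: C\:\\Windows\\Temp\\\{*\}\\_is*.exe` alongside the name. The Docker Desktop block in the second hunk follows the same signer-plus-name shape and looks consistent with the Chocolatey block above it. The enclosing query, including the `not process.executable : (` list at the end of the second hunk, continues outside both hunks.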
@@ -84,7 +84,24 @@ file where host.os.type == "windows" and event.type : "creation" and
 not (
 process.name : "firefox.exe" and
- file.name : ("langpack-*@firefox.mozilla.org.xpi", "*@dictionaries.addons.mozilla.org.xpi")
+ file.name : (
+ "langpack-*@firefox.mozilla.org.xpi",
+ "*@dictionaries.addons.mozilla.org.xpi",
+ "newtab@mozilla.org.xpi",
+ "uBlock0@raymondhill.net.xpi",
+ /* AdBlockPlus */
+ "{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi",
+ /* Bitwarden */
+ "{446900e4-71c2-419f-a6a7-df9c091e268b}.xpi",
+ "addon@darkreader.org.xpi",
+ /* 1Password */
+ "{d634138d-c276-4fc8-924b-40a0ea21d284}.xpi",
+ "support@lastpass.com.xpi",
+ /* Grammarly */
+ "87677a2c52b84ad3a151a4a72f5bd3c4@jetpack.xpi",
+ "sentinelone_visibility@sentinelone.com.xpi",
+ "keepassxc-browser@keepassxc.org.xpi"
+ )
 )
 ) or
 /* Chromium-Based Browsers */
diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml
index 1bfaa32f6..1fb717e1a 100644
--- a/rules/windows/persistence_via_application_shimming.toml
+++ b/rules/windows/persistence_via_application_shimming.toml
@@ -2,7 +2,7 @@ creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
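Review bot: Every entry in the widened `file.name` list is matched by name alone, and a Firefox .xpi file name is simply the add-on ID that the package itself declares, so a match on `uBlock0@raymondhill.net.xpi` or `{446900e4-71c2-419f-a6a7-df9c091e268b}.xpi` says that a file used that ID, not that it is the genuine add-on; the list is a recognition allowlist, not a trust decision. That is a defensible trade-off for a branch already limited to `process.name : "firefox.exe"`, but it should be written into the query so the next tuner does not treat these names as verified, e.g. `/* name-only allowlist: the .xpi name is the self-declared add-on ID and is not verified here */` placed above `file.name : (`. The `not (` group this sits in, and the conditions it is combined with, start outside the hunk.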
@@ -85,7 +85,17 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and
 process.name : "sdbinst.exe" and process.args : "?*" and
 not (process.args : "-m" and process.args : "-bg") and
- not process.args : "-mm"
+ not process.args : (
+ "-mm",
+ "?:\\Program Files\\WindowsApps\\Microsoft.ApplicationCompatibilityEnhancements_*\\sdb\\sysMergeInboxStoreApp.sdb",
+ "\"?:\\Program Files\\WindowsApps\\Microsoft.ApplicationCompatibilityEnhancements_*\\sdb\\sysMergeInboxStoreApp.sdb\"",
+ "?:\\Program Files\\WindowsApps\\Microsoft.ApplicationCompatibilityEnhancements_*\\sdb\\msiMergeInboxStoreApp.sdb",
+ "\"?:\\Program Files\\WindowsApps\\Microsoft.ApplicationCompatibilityEnhancements_*\\sdb\\msiMergeInboxStoreApp.sdb\"",
+ "?:\\Program Files (x86)\\Citrix\\ICA Client\\CitrixWorkspaceLegacySWDA.sdb",
+ "Citrix Workspace",
+ "C:\\Program Files\\IIS Express\\iisexpressshim.sdb",
+ "C:\\Program Files (x86)\\IIS Express\\iisexpressshim.sdb"
+ )
 '''
diff --git a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
index a6208c452..1ca881499 100644
--- a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
+++ b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
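Review bot: `"Citrix Workspace"` in the new `process.args` list is a bare token rather than an .sdb path, and because `not process.args : (...)` suppresses the event as soon as any single argument matches, it exempts every sdbinst.exe invocation that carries that string regardless of which database is being installed; the Citrix case is already covered by the `CitrixWorkspaceLegacySWDA.sdb` path entry just above it. If the token was added because the .sdb location varies between Citrix versions, tying the two together keeps the exemption scoped: `not (process.args : "Citrix Workspace" and process.args : "?:\\Program Files (x86)\\Citrix\\ICA Client\\CitrixWorkspaceLegacySWDA.sdb")`; otherwise drop it. Separately, the two IIS Express entries hard-code `C:` while every other path in the list uses the `?:` drive wildcard, so `"?:\\Program Files\\IIS Express\\iisexpressshim.sdb",` and `"?:\\Program Files (x86)\\IIS Express\\iisexpressshim.sdb"` would keep the list consistent.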
@@ -2,13 +2,14 @@ creation_date = "2022/10/20"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries
-may create a new process with a different token to escalate privileges and bypass access controls.
+Identifies a process running with a non-SYSTEM account that enables the SeDebugPrivilege privilege. Adversaries may
+enable this privilege to debug and modify other processes, typically reserved for system-level tasks, to escalate
+privileges and bypass access controls.
 """
 from = "now-9m"
 index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
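Review bot: The new description says "a non-SYSTEM account", but the query in this file's later hunk excludes `S-1-5-18`, `S-1-5-19` and `S-1-5-20`, i.e. SYSTEM, LOCAL SERVICE and NETWORK SERVICE, so the text understates what is filtered out and a reader would expect service-account hits that the rule never produces. "enables the SeDebugPrivilege privilege" also repeats itself. A first sentence that matches the query would be `Identifies a process running under an account other than SYSTEM, LOCAL SERVICE or NETWORK SERVICE that enables SeDebugPrivilege.`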
@@ -94,21 +95,26 @@ any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Secur
 /* exclude processes with System Integrity */
 not winlog.event_data.SubjectUserSid : ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
- not winlog.event_data.ProcessName :
- ("?:\\Windows\\System32\\msiexec.exe",
- "?:\\Windows\\SysWOW64\\msiexec.exe",
- "?:\\Windows\\System32\\lsass.exe",
- "?:\\Windows\\WinSxS\\*",
- "?:\\Program Files\\*",
- "?:\\Program Files (x86)\\*",
- "?:\\Windows\\System32\\MRT.exe",
- "?:\\Windows\\System32\\cleanmgr.exe",
- "?:\\Windows\\System32\\taskhostw.exe",
- "?:\\Windows\\System32\\mmc.exe",
- "?:\\Users\\*\\AppData\\Local\\Temp\\*-*\\DismHost.exe",
- "?:\\Windows\\System32\\auditpol.exe",
- "?:\\Windows\\System32\\wbem\\WmiPrvSe.exe",
- "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSe.exe")
+ not winlog.event_data.ProcessName : (
+ "?:\\Program Files (x86)\\*",
+ "?:\\Program Files\\*",
+ "?:\\Users\\*\\AppData\\Local\\Temp\\*-*\\DismHost.exe",
+ "?:\\Windows\\System32\\auditpol.exe",
+ "?:\\Windows\\System32\\cleanmgr.exe",
+ "?:\\Windows\\System32\\lsass.exe",
+ "?:\\Windows\\System32\\mmc.exe",
+ "?:\\Windows\\System32\\MRT.exe",
+ "?:\\Windows\\System32\\msiexec.exe",
+ "?:\\Windows\\System32\\sdiagnhost.exe",
+ "?:\\Windows\\System32\\ServerManager.exe",
+ "?:\\Windows\\System32\\taskhostw.exe",
+ "?:\\Windows\\System32\\wbem\\WmiPrvSe.exe",
+ "?:\\Windows\\System32\\WerFault.exe",
+ "?:\\Windows\\SysWOW64\\msiexec.exe",
+ "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSe.exe",
+ "?:\\Windows\\SysWOW64\\WerFault.exe",
+ "?:\\Windows\\WinSxS\\*"
+ )
 '''
diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
index c0568c400..ed49a3830 100644
--- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
+++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
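Review bot: `"?:\\Windows\\System32\\WerFault.exe"` and its SysWOW64 twin are added to a `winlog.event_data.ProcessName` exclusion that is a bare path string from the Security audit event, with no signature or parent context in this data source to confirm the image, and WerFault.exe is a well-known host for process injection and masquerading, so this exemption removes visibility of SeDebugPrivilege being enabled under that name. If the false positive being tuned is the crash-dump collection WerFault performs, the query should say so next to the entry, e.g. `/* WerFault.exe enables SeDebugPrivilege when dumping other processes */`, so a later tuner knows what it covers and can re-evaluate it; `sdiagnhost.exe` and `ServerManager.exe` arrive without a recorded reason either. Re-sorting the list alphabetically is a welcome style change, but it makes the three genuinely new entries hard to spot in the diff, which is another reason to annotate them. The query's opening conditions are outside the hunk.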
@@ -2,7 +2,7 @@ creation_date = "2021/07/06"
 integration = ["endpoint", "windows", "system", "crowdstrike", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2025/08/28"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
@@ -105,10 +105,22 @@ process where host.os.type == "windows" and event.type == "start" and
 not process.executable : (
 "?:\\Program Files (x86)\\CutePDF Writer\\CPWriter2.exe",
 "?:\\Program Files (x86)\\GPLGS\\gswin32c.exe",
+ "?:\\Program Files (x86)\\Acro Software\\CutePDF Writer\\CPWSave.exe",
+ "?:\\Program Files (x86)\\Acro Software\\CutePDF Writer\\CPWriter2.exe",
+ "?:\\Program Files (x86)\\CutePDF Writer\\CPWSave.exe",
+ "?:\\Program Files (x86)\\TSplus\\UniversalPrinter\\CPWriter2.exe",
+ "?:\\Program Files\\Seagull\\Printer Drivers\\Packages\\*\\DriverEnvironmentSetup.exe",
+ "?:\\Windows\\system32\\CNAB4RPD.EXE",
 /* Crowdstrike specific condition as it uses NT Object paths */
 "\\Device\\HarddiskVolume*\\Program Files (x86)\\CutePDF Writer\\CPWriter2.exe",
- "\\Device\\HarddiskVolume*\\Program Files (x86)\\GPLGS\\gswin32c.exe"
+ "\\Device\\HarddiskVolume*\\Program Files (x86)\\GPLGS\\gswin32c.exe",
+ "\\Device\\HarddiskVolume*\\Program Files (x86)\\Acro Software\\CutePDF Writer\\CPWSave.exe",
+ "\\Device\\HarddiskVolume*\\Program Files (x86)\\Acro Software\\CutePDF Writer\\CPWriter2.exe",
+ "\\Device\\HarddiskVolume*\\Program Files (x86)\\CutePDF Writer\\CPWSave.exe",
+ "\\Device\\HarddiskVolume*\\Program Files (x86)\\TSplus\\UniversalPrinter\\CPWriter2.exe",
+ "\\Device\\HarddiskVolume*\\Program Files\\Seagull\\Printer Drivers\\Packages\\*\\DriverEnvironmentSetup.exe",
+ "\\Device\\HarddiskVolume*\\Windows\\system32\\CNAB4RPD.EXE"
 )
 '''
diff --git a/rules/windows/privilege_escalation_via_ppid_spoofing.toml b/rules/windows/privilege_escalation_via_ppid_spoofing.toml
index c46205436..35699123c 100644
--- a/rules/windows/privilege_escalation_via_ppid_spoofing.toml
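Review bot: Every new executable in the `@@ -105,10 +105,22 @@` hunk is entered twice, once with the `?:\\` drive form and once in the `\\Device\\HarddiskVolume*\\` form the comment attributes to CrowdStrike, and nothing in the query ties the two blocks together, so the next addition that lands in only one of them will silently leave one data source with a different exclusion set than the other. A one-line comment above the first entry, `/* keep in sync with the \\Device\\HarddiskVolume* block below */`, makes the pairing explicit for the next tuner. The Seagull entry `Packages\\*\\DriverEnvironmentSetup.exe` is the only wildcarded path inside Program Files in this list and would benefit from the same comment treatment explaining why the version directory is left open. The rest of the query, including the parent-process condition this list qualifies, is outside the hunk.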
+++ b/rules/windows/privilege_escalation_via_ppid_spoofing.toml
@@ -2,7 +2,7 @@ creation_date = "2022/10/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
@@ -58,7 +58,8 @@ process where host.os.type == "windows" and event.action == "start" and
 not (process.parent.executable : "?:\\Windows\\System32\\Utilman.exe" and
 process.executable : ("?:\\Windows\\System32\\osk.exe",
 "?:\\Windows\\System32\\Narrator.exe",
- "?:\\Windows\\System32\\Magnify.exe")) and
+ "?:\\Windows\\System32\\Magnify.exe",
+ "?:\\Windows\\System32\\VoiceAccess.exe")) and
 not process.parent.executable : "?:\\Windows\\System32\\AtBroker.exe" and