From 8dc0963ae6f840448c54de2cf693a6d3d9a87d48 Mon Sep 17 00:00:00 2001
From: Joe Desimone <56411054+joe-desimone@users.noreply.github.com>
Date: Thu, 4 Jul 2024 16:45:46 -0400
Subject: [PATCH] [Rule Tuning] LSASS Process Access via Windows API (#3824)

* Update credential_access_lsass_openprocess_api.toml
* Update credential_access_lsass_openprocess_api.toml
* Update credential_access_lsass_openprocess_api.toml
* fix merge
* newline
* Update credential_access_lsass_openprocess_api.toml
* Update credential_access_lsass_openprocess_api.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Mika Ayenson
---
 .../credential_access_lsass_openprocess_api.toml | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/rules/windows/credential_access_lsass_openprocess_api.toml b/rules/windows/credential_access_lsass_openprocess_api.toml
index b4538934b..3533eded3 100644
--- a/rules/windows/credential_access_lsass_openprocess_api.toml
+++ b/rules/windows/credential_access_lsass_openprocess_api.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/03/02"
 integration = ["endpoint", "m365_defender"]
 maturity = "production"
-updated_date = "2024/06/27"
+updated_date = "2024/07/04"
 
 [transform]
 [[transform.osquery]]
@@ -138,6 +138,7 @@ api where host.os.type == "windows" and
  "?:\\Program Files\\Cisco\\AMP\\*\\sfc.exe",
  "?:\\Program Files\\Common Files\\McAfee\\AVSolution\\mcshield.exe",
  "?:\\Program Files\\EA\\AC\\EAAntiCheat.GameService.exe",
+ "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\agentbeat.exe",
  "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\metricbeat.exe",
  "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\osqueryd.exe",
  "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\packetbeat.exe",
@@ -156,9 +157,18 @@ api where host.os.type == "windows" and
  "?:\\Windows\\System32\\csrss.exe",
  "?:\\Windows\\System32\\MRT.exe",
  "?:\\Windows\\System32\\msiexec.exe",
+ "?:\\Windows\\System32\\taskhostw.exe",
  "?:\\Windows\\System32\\RtkAudUService64.exe",
  "?:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
- "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe"
+ "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe",
+ "?:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\*\\pmfexe.exe",
+ "?:\\Program Files\\Goverlan Inc\\GoverlanAgent\\GovAgentx64.exe",
+ "?:\\Program Files (x86)\\CheckPoint\\Endpoint Security\\EFR\\EFRService.exe",
+ "?:\\Program Files (x86)\\CyberCNSAgent\\osqueryi.exe",
+ "?:\\Program Files (x86)\\Trend Micro\\Security Agent\\TMASutility.exe",
+ "?:\\Program Files (x86)\\Kaspersky Lab\\KES*\\avp.exe",
+ "?:\\Program Files\\Wise\\Wise Memory Optimizer\\WiseMemoryOptimzer.exe",
+ "?:\\Windows\\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe"
 ) and not ?process.code_signature.trusted == false
 )
 '''
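Review bot: The nine new allowlist entries in this hunk (and the agentbeat.exe entry in the preceding hunk) are keyed on executable path alone, and the only guard visible at the end of the hunk, `not ?process.code_signature.trusted == false`, excuses a listed path not just when the signature is trusted but also when the signature field is absent, since — if I read EQL optional-field semantics correctly — a comparison against a missing `?` field yields null rather than true, so a process at a listed path with no signature data reported is excluded rather than alerted on. That matters most for the entries under `?:\\Windows\\` and `Program Files (x86)`, and for the tenable entry, which is a single hash-named file directly in the Windows directory rather than a vendor subfolder. Consider turning the guard into a positive assertion, e.g. `and ?process.code_signature.trusted == true`, or pairing the path list with the expected `process.code_signature.subject_name` values, and recording in the rule's note which entries are wildcard-matched (`KES*`, `Health Service State\\*`). The enclosing `not (...)` exclusion starts above the hunk, so its exact shape should be confirmed before the guard is changed.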