security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Web Server Rules (#5581)

Browse Source
This commit is contained in:
Jonhnathan
2026-01-20 15:30:57 -03:00
committed by GitHub
parent e459d8c25a
commit 9055d564f5
2 changed files with 16 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/credential_access_web_config_file_access.toml
+9 -4
View File
@@ -2,7 +2,7 @@
creation_date = "2025/07/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/08/04"
updated_date = "2026/01/19"
[rule]
author = ["Elastic"]
@@ -52,9 +52,9 @@ Web.config files are crucial in Windows environments, storing sensitive data lik
references = [
"https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/",
]
risk_score = 47
risk_score = 73
rule_id = "5841b80f-a1f8-4c00-a966-d2cc4a7a82e4"
severity = "medium"
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Windows",
@@ -68,7 +68,12 @@ type = "new_terms"
query = '''
event.category:file and host.os.type:windows and event.action:open and
file.name:"web.config" and file.path : *VirtualDirectories*
file.name:"web.config" and file.path : *VirtualDirectories* and
not process.executable: (
"C:\Program Files\Microsoft Security Client\MsMpEng.exe" or
"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" or
"C:\Windows\System32\MRT.exe"
)
'''
rules/windows/persistence_web_shell_aspx_write.toml
+7 -4
View File
@@ -2,7 +2,7 @@
creation_date = "2025/07/24"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
maturity = "production"
updated_date = "2025/08/18"
updated_date = "2026/01/19"
[rule]
author = ["Elastic"]
@@ -63,9 +63,9 @@ references = [
"https://www.sentinelone.com/blog/sharepoint-toolshell-zero-day-exploited-in-the-wild-targets-enterprise-servers/",
"https://www.rapid7.com/blog/post/2024/10/30/investigating-a-sharepoint-compromise-ir-tales-from-the-field/",
]
risk_score = 21
risk_score = 47
rule_id = "32144184-7bfa-4541-9c3f-b65f16d24df9"
severity = "low"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Windows",
@@ -86,7 +86,10 @@ query = '''
file where host.os.type == "windows" and event.type != "deletion" and
file.extension : "aspx" and
file.path : "?:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*" and
not process.executable: "?:\\Windows\\System32\\msiexec.exe"
not process.executable: (
"?:\\Windows\\System32\\msiexec.exe",
"?:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\16\\BIN\\psconfigui.exe"
)
'''
[[rule.threat]]