From a5d9d6400a78d20ab3f2fce315b09a2e15eca879 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Mon, 7 Apr 2025 14:29:08 -0300
Subject: [PATCH] [Rule Tuning] Suspicious Execution via Scheduled Task (#4599)

---
 ...tence_suspicious_scheduled_task_runtime.toml | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
index 4744d64ba..1fed06e31 100644
--- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
+++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -101,10 +101,17 @@ process where host.os.type == "windows" and event.type == "start" and
 "C:\\Windows\\Debug\\*",
 "C:\\HP\\*") and
- not (process.name : "cmd.exe" and process.args : "?:\\*.bat" and process.working_directory : "?:\\Windows\\System32\\") and
- not (process.name : "cscript.exe" and process.args : "?:\\Windows\\system32\\calluxxprovider.vbs") and
- not (process.name : "powershell.exe" and process.args : ("-File", "-PSConsoleFile") and user.id : "S-1-5-18") and
- not (process.name : "msiexec.exe" and user.id : "S-1-5-18")
+ not (process.name : "cmd.exe" and process.args : "?:\\*.bat" and process.working_directory : "?:\\Windows\\System32\\") and
+ not (process.name : "cscript.exe" and process.args : "?:\\Windows\\system32\\calluxxprovider.vbs") and
+ not (
+ process.name : "powershell.exe" and
+ process.args : (
+ "-File", "-PSConsoleFile",
+ "C:\\ProgramData\\Microsoft\\AutopatchSetupScheduled\\SetupAutopatchClientV2Package.ps1",
+ "C:\\ProgramData\\Microsoft\\AutopatchSetupScheduled\\SetupAutopatchClientPackage.ps1"
+ ) and user.id : "S-1-5-18"
+ ) and
+ not (process.name : "msiexec.exe" and user.id : "S-1-5-18")
 '''