[Tuning] Component Object Model Hijacking (#3655)

* [Tuning] Component Object Model Hijacking

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

* Update persistence_suspicious_com_hijack_registry.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 7a61070e08)

rules/windows/persistence_suspicious_com_hijack_registry.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/05/08"
 
 [rule]
 author = ["Elastic"]
@@ -79,7 +79,7 @@ type = "eql"
 query = '''
 registry where host.os.type == "windows" and
   /* not necessary but good for filtering privileged installations */
-  user.domain != "NT AUTHORITY" and
+  user.domain != "NT AUTHORITY" and process.executable != null and 
   (
     (
       registry.path : "HK*\\InprocServer32\\" and
@@ -100,95 +100,34 @@ registry where host.os.type == "windows" and
         "HKEY_USERS\\*\\DelegateExecute",
         "HKEY_USERS\\*\\TreatAs\\",
         "HKEY_USERS\\*\\ScriptletURL*"
-      ) and
-      not 
-      (
-        (
-          process.name : "svchost.exe" and
-            process.code_signature.trusted == true and process.code_signature.subject_name == "Microsoft Windows Publisher" and
-            registry.value : "DelegateExecute" and
-            registry.data.strings : (
-              /* https://strontic.github.io/xcyclopedia/library/clsid_4ED3A719-CEA8-4BD9-910D-E252F997AFC2.html */
-              "{4ED3A719-CEA8-4BD9-910D-E252F997AFC2}",
-
-              /* https://strontic.github.io/xcyclopedia/library/clsid_A56A841F-E974-45C1-8001-7E3F8A085917.html */
-              "{A56A841F-E974-45C1-8001-7E3F8A085917}",
-
-              /* https://strontic.github.io/xcyclopedia/library/clsid_BFEC0C93-0B7D-4F2C-B09C-AFFFC4BDAE78.html */
-              "{BFEC0C93-0B7D-4F2C-B09C-AFFFC4BDAE78}",
-              "%SystemRoot%\\system32\\shdocvw.dll"
-            )
-        ) or
-        (
-          process.name : "veeam.backup.shell.exe" and
-            registry.path : "HKEY_USERS\\S-1-*_Classes\\CLSID\\*\\LocalServer32\\" and
-            process.code_signature.trusted == true and process.code_signature.subject_name == "Veeam Software Group GmbH"
-        ) or 
-        (
-          process.name : ("ADNotificationManager.exe", "Creative Cloud.exe") and
-            process.code_signature.trusted == true and process.code_signature.subject_name == "Adobe Inc." and
-            registry.data.strings : (
-              "\"?:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\ADNotificationManager.exe\" -ToastActivated",
-              "\"?:\\Program Files (x86)\\Adobe\\Acrobat DC\\Acrobat\\ADNotificationManager.exe\" -ToastActivated",
-              "\"?:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\ADNotificationManager.exe\" -ToastActivated",
-              "\"?:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\ADNotificationManager.exe\" -ToastActivated",
-              "\"?:\\Program Files\\Adobe\\Adobe Creative Cloud\\ACC\\Creative Cloud.exe\" -ToastActivated"
-            )
-        ) or 
-        (
-          process.name : ("IslandUpdateComRegisterShell64.exe", "IslandUpdate.exe", "GoogleUpdateComRegisterShell64.exe") and
-            process.code_signature.trusted == true and
-            process.code_signature.subject_name in ("Island Technology Inc.", "Google LLC") and
-            registry.data.strings : (
-              "*?:\\Users\\*\\AppData\\Local\\Island\\Update\\*",
-              "*?:\\Users\\*\\AppData\\Local\\Google\\Update\\*"
-            )
-        ) or 
-        (
-          process.name : ("SelfService.exe", "WfShell.exe") and
-            process.code_signature.trusted == true and process.code_signature.subject_name == "Citrix Systems, Inc." and
-            registry.data.strings : (
-              "\"?:\\Program Files (x86)\\Citrix\\ICA Client\\SelfServicePlugin\\SelfService.exe\" -ToastActivated",
-              "%SystemRoot%\\system32\\shdocvw.dll",
-              "%SystemRoot%\\sysWOW64\\shdocvw.dll"
-            )
-        ) or 
-        (
-          process.name : ("msrdcw.exe") and
-            process.code_signature.trusted == true and process.code_signature.subject_name == "Microsoft Corporation" and
-            registry.data.strings : (
-              "\"?:\\Program Files\\Remote Desktop\\msrdcw.exe\" -ToastActivated",
-              "\"?:\\Users\\*\\AppData\\Local\\Apps\\Remote Desktop\\msrdcw.exe\" -ToastActivated"
-            )
-        ) or 
-        (
-          process.name : ("ssvagent.exe") and
-            process.code_signature.trusted == true and process.code_signature.subject_name == "Oracle America, Inc." and
-            registry.data.strings : (
-              "?:\\Program Files\\Java\\jre*\\bin\\jp2iexp.dll",
-              "?:\\Program Files (x86)\\Java\\jre*\\bin\\jp2iexp.dll"
-            )
-        ) or 
-        (
-          process.name : ("hpnotifications.exe") and
-            process.code_signature.trusted == true and process.code_signature.subject_name == "HP Inc." and
-            registry.data.strings : (
-              "\"?:\\Windows\\System32\\DriverStore\\FileRepository\\hpsvcsscancomp.inf_amd64_*\\x64\\hpnotifications.exe\" -ToastActivated"
-            )
-        )
-      )
+      )  
     )
-  ) and
+  ) and 
 
-  /* removes false-positives generated by OneDrive and Teams */
+      not  (
+            process.code_signature.trusted == true and
+            process.code_signature.subject_name in 
+                         ("Island Technology Inc.", "Google LLC", "Grammarly, Inc.", "Dropbox, Inc", "REFINITIV US LLC", "HP Inc.",
+                          "Citrix Systems, Inc.", "Adobe Inc.", "Veeam Software Group GmbH", "Zhuhai Kingsoft Office Software Co., Ltd.",
+                          "Oracle America, Inc.")
+        ) and 
+
+  /* excludes Microsoft signed noisy processes */
   not
   (
-    process.name: ("OneDrive.exe", "OneDriveSetup.exe", "FileSyncConfig.exe", "Teams.exe") and
+    process.name : ("OneDrive.exe", "OneDriveSetup.exe", "FileSyncConfig.exe", "Teams.exe", "MicrosoftEdgeUpdate.exe", "msrdcw.exe", "MicrosoftEdgeUpdateComRegisterShell64.exe") and
     process.code_signature.trusted == true and process.code_signature.subject_name in ("Microsoft Windows", "Microsoft Corporation")
   ) and
-
-  /* Teams DLL loaded by regsvr */
-  not (process.name: "regsvr32.exe" and registry.data.strings : "*Microsoft.Teams.*.dll")
+  
+  not process.executable : 
+                  ("?:\\Program Files (x86)\\*.exe", 
+                   "?:\\Program Files\\*.exe",
+                   "?:\\Windows\\System32\\svchost.exe", 
+                   "?:\\Windows\\System32\\msiexec.exe", 
+                   "?:\\Windows\\SysWOW64\\regsvr32.exe",
+                   "?:\\Windows\\System32\\regsvr32.exe",
+                   "?:\\Windows\\System32\\DriverStore\\FileRepository\\*.exe", 
+                   "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe")
 '''