From b5e011a8925050bf0cf0974ddc078e62cb4d172a Mon Sep 17 00:00:00 2001
From: Joe Desimone <56411054+joe-desimone@users.noreply.github.com>
Date: Thu, 17 Aug 2023 12:52:26 -0400
Subject: [PATCH] [Rule Tuning] Privileges Elevation via Parent Process PID
 Spoofing (#2873)

* Update privilege_escalation_via_ppid_spoofing.toml

* Update privilege_escalation_via_ppid_spoofing.toml

* bump date

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---
 rules/windows/privilege_escalation_via_ppid_spoofing.toml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/rules/windows/privilege_escalation_via_ppid_spoofing.toml b/rules/windows/privilege_escalation_via_ppid_spoofing.toml
index 1adc09548..9cebb791d 100644
--- a/rules/windows/privilege_escalation_via_ppid_spoofing.toml
+++ b/rules/windows/privilege_escalation_via_ppid_spoofing.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/06/23"
 
 [rule]
 author = ["Elastic"]
@@ -49,6 +49,11 @@ process where host.os.type == "windows" and event.action == "start" and
                            "?:\\Windows\\System32\\Wermgr.exe",
                            "?:\\Windows\\SysWOW64\\Wermgr.exe",
                            "?:\\Windows\\SoftwareDistribution\\Download\\Install\\securityhealthsetup.exe") and
+ /* Logon Utilities */
+ not (process.parent.executable : "?:\\Windows\\System32\\Utilman.exe" and
+     process.executable : ("?:\\Windows\\System32\\osk.exe", 
+                           "?:\\Windows\\System32\\Narrator.exe", 
+                           "?:\\Windows\\System32\\Magnify.exe")) and
 
  not process.parent.executable : "?:\\Windows\\System32\\AtBroker.exe" and