diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
index 0a7daa1af..28ff7ae52 100644
--- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml
+++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/30"
 [transform]
 [[transform.osquery]]
@@ -130,10 +130,6 @@ sequence by process.entity_id with maxspan=30s
 /* Exclude domains that are known to be benign */
 [network where host.os.type == "windows" and event.action: ("connection_attempted", "lookup_requested") and
- (
- process.pe.original_file_name: "MSBuild.exe" or
- process.name: "MSBuild.exe"
- ) and
 not user.id == "S-1-5-18" and
 not cidrmatch(destination.ip, "127.0.0.1", "::1") and
 not dns.question.name : (
diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
index 3b8a83804..846d6f84e 100644
--- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
+++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/27"
 [transform]
 [[transform.osquery]]
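Review bot: Dropping the MSBuild.exe filter from the network step leaves that step matching any connection or lookup for the joined entity, so the rule now relies entirely on the first sequence step (outside this hunk) to pin the process identity, and that dependency deserves a comment so a later edit to the first step does not silently widen the network step. Presumably the filter was removed because network events do not reliably carry process.pe.original_file_name, but the hunk does not say so. I would add, above the `[network where` line, `/* Process identity (MSBuild.exe) is enforced by the first step via the process.entity_id join; do not loosen that step without re-adding a process filter here */`. The enclosing sequence starts before this hunk.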
@@ -124,18 +124,23 @@ sequence with maxspan=1m
 "ZOHO Corporation Private Limited",
 "BeyondTrust Corporation",
 "CyberArk Software Ltd.",
- "Sophos Ltd"
+ "Sophos Ltd",
+ "AO Kaspersky Lab",
+ "Anthropic, PBC",
+ "Adobe Inc.",
+ "Netwrix Corporation"
 ) ) or ( process.executable : (
 "?:\\Windows\\ccmsetup\\ccmsetup.exe",
- "?:\\Windows\\SoftwareDistribution\\Download\\Install\\AM_Delta*.exe",
- "?:\\Windows\\CAInvokerService.exe"
+ "?:\\Windows\\SoftwareDistribution\\Download\\Install\\*.exe",
+ "?:\\Windows\\CAInvokerService.exe",
+ "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\*\\OneDriveSetup.exe"
 ) and process.code_signature.trusted == true ) or (
- process.executable : "G:\\SMS_*\\srvboot.exe" and
+ process.executable : "?:\\SMS_*\\srvboot.exe" and
 process.code_signature.trusted == true and
 process.code_signature.subject_name : "Microsoft Corporation"
 ) )
diff --git a/rules/windows/persistence_scheduled_task_creation_winlog.toml b/rules/windows/persistence_scheduled_task_creation_winlog.toml
index e08f7fc16..fb2fb6d07 100644
--- a/rules/windows/persistence_scheduled_task_creation_winlog.toml
+++ b/rules/windows/persistence_scheduled_task_creation_winlog.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/11/14"
+updated_date = "2026/04/27"
 [rule]
 author = ["Elastic"]
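Review bot: The widened `"?:\\Windows\\SoftwareDistribution\\Download\\Install\\*.exe"` pattern and the new user-profile `OneDriveSetup.exe` path are gated only by `process.code_signature.trusted == true`, so a validly signed executable from any publisher landing in those locations is excluded, whereas the srvboot.exe entry in the same hunk also pins `process.code_signature.subject_name : "Microsoft Corporation"`. Since ccmsetup.exe, the Windows Update Install directory contents and OneDriveSetup.exe are all Microsoft-published, I would make this group match the srvboot one: `) and process.code_signature.trusted == true and` followed by `process.code_signature.subject_name : "Microsoft Corporation"`; if CAInvokerService.exe is not Microsoft-signed, give it its own entry with its own subject. The enclosing process step of the sequence starts outside this hunk.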
@@ -79,7 +79,15 @@ iam where host.os.type == "windows" and event.action == "scheduled-task-created"
 "\\Hewlett-Packard\\HP Web Products Detection",
 "\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload",
 "\\OneDrive Standalone Update Task-S-1-5-21*",
- "\\OneDrive Standalone Update Task-S-1-12-1-*"
+ "\\OneDrive Standalone Update Task-S-1-12-1-*",
+ "\\SoftLanding\\S-1-5-21-*\\SoftLanding*",
+ "\\SoftLanding\\S-1-12-*\\SoftLanding*",
+ "\\OneDrive Reporting Task-S-1-5-21-*",
+ "\\OneDrive Reporting Task-S-1-12-1-*",
+ "\\GoogleUserPEH\\RunPlatformExperienceHelper*",
+ "\\Mozilla\\Firefox Default Browser Agent*",
+ "\\Microsoft\\Office\\Office Background Push Maintenance",
+ "\\Microsoft\\Windows\\GroupPolicy\\GPUpdate"
 )
 '''
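Review bot: The eight new exclusions match on the task name alone, and several carry wide trailing wildcards (`\\SoftLanding\\S-1-5-21-*\\SoftLanding*`, `\\GoogleUserPEH\\RunPlatformExperienceHelper*`, `\\Mozilla\\Firefox Default Browser Agent*`), so a task registered under one of these names by any principal drops out of the rule, and nothing in the hunk records why each entry is benign or what creator it was observed with. The query head and any user or process constraint lie outside this hunk, so I cannot tell whether another clause narrows these. I would add a short comment above this group, e.g. `/* Vendor updater and telemetry task names observed as benign; matched by name only */`, and shorten the wildcards to the observed suffixes where the full task name is stable.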