[Rule Tuning] Windows Misc Tuning (#4870)

* [Rule Tuning] Windows Misc Tuning

* Update execution_command_shell_started_by_svchost.toml

* bump

* Update rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml

* Update defense_evasion_persistence_account_tokenfilterpolicy.toml

rules/windows/credential_access_moving_registry_hive_via_smb.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/02/16"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/08/06"
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,7 @@ file where host.os.type == "windows" and event.type == "creation" and
  process.pid == 4 and user.id : ("S-1-5-21*", "S-1-12-1-*") and
  not file.path : (
     "?:\\*\\UPM_Profile\\NTUSER.DAT",
-    "?:\\*\\UPM_Profile\\NTUSER.DAT.LASTGOOD.LOAD",
+    "?:\\*\\UPM_Profile\\NTUSER.DAT.LASTGOODLOAD",
     "?:\\*\\UPM_Profile\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat*",
     "?:\\Windows\\Netwrix\\Temp\\????????.???.offreg",
     "?:\\*\\AppData\\Local\\Packages\\Microsoft.*\\Settings\\settings.dat*"

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/07/02"
 
 [transform]
 [[transform.osquery]]
@@ -127,7 +127,14 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
   (process.name : "attrib.exe" or ?process.pe.original_file_name == "ATTRIB.EXE") and process.args : "+h" and
-  not (process.parent.name: "cmd.exe" and process.command_line: "attrib  +R +H +S +A *.cui")
+  not (process.parent.name: "cmd.exe" and process.command_line: "attrib  +R +H +S +A *.cui") and
+
+  not (
+    process.parent.name: "draw.io.exe" and
+    (
+      process.command_line : ("*drawio.bkp*", "*drawio.dtmp*")
+    )
+  )
 '''
 
 

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/24"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/05/05"
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
@@ -82,6 +82,7 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and
   process.name : ("esensor.exe", "elastic-endpoint.exe") and
   process.parent.executable != null and
+  process.args != null and
   /* add FPs here */
   not process.parent.executable : (
         "?:\\Program Files\\Elastic\\*",
@@ -94,6 +95,7 @@ process where host.os.type == "windows" and event.type == "start" and
     process.parent.executable : (
         "?:\\Windows\\System32\\cmd.exe",
         "?:\\Windows\\System32\\SecurityHealthHost.exe",
+        "?:\\Windows\\System32\\SecurityHealth\\*\\SecurityHealthHost.exe",
         "?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
     ) and
     process.args : (
@@ -101,7 +103,7 @@ process where host.os.type == "windows" and event.type == "start" and
         "top", "run",
         "*help", "status",
         "upgrade", "/launch",
-        "/enable"
+        "/enable", "/av"
     )
   )
 '''

rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/11/01"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/07/03"
 
 [rule]
 author = ["Elastic"]
@@ -88,7 +88,12 @@ registry where host.os.type == "windows" and event.type == "change" and
     "HKLM\\*\\LocalAccountTokenFilterPolicy",
     "\\REGISTRY\\MACHINE\\*\\LocalAccountTokenFilterPolicy",
     "MACHINE\\*\\LocalAccountTokenFilterPolicy"
-  ) and registry.data.strings : ("1", "0x00000001")
+  ) and registry.data.strings : ("1", "0x00000001") and
+  not process.executable : (
+    /* Intune */
+    "C:\\Windows\\system32\\deviceenroller.exe",
+    "C:\\Windows\\system32\\omadmclient.exe"
+  )
 '''
 
 

rules/windows/defense_evasion_unusual_ads_file_creation.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/01/21"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/05/08"
+updated_date = "2025/07/02"
 
 [transform]
 [[transform.osquery]]
@@ -125,7 +125,11 @@ type = "eql"
 query = '''
 file where host.os.type == "windows" and event.type == "creation" and
 
-  file.path : "C:\\*:*" and
+  file.path : "C:\\*:*" and file.extension in~ (
+    "pdf", "dll", "exe", "dat", "com", "bat", "cmd", "sys", "vbs", "ps1", "hta", "txt", "vbe", "js",
+    "wsh", "docx", "doc", "xlsx", "xls", "pptx", "ppt", "rtf", "gif", "jpg", "png", "bmp", "img", "iso"
+  ) and
+
   not file.path : 
           ("C:\\*:zone.identifier*",
            "C:\\users\\*\\appdata\\roaming\\microsoft\\teams\\old_weblogs_*:$DATA",
@@ -160,12 +164,12 @@ file where host.os.type == "windows" and event.type == "creation" and
           "?:\\windows\\System32\\svchost.exe",
           "?:\\Windows\\System32\\WFS.exe"
   ) and
+  
+  not (
+    ?process.code_signature.trusted == true and
+    file.name : "*:sec.endpointdlp:$DATA"
+  )
 
-  file.extension :
-    (
-      "pdf", "dll", "exe", "dat", "com", "bat", "cmd", "sys", "vbs", "ps1", "hta", "txt", "vbe", "js",
-      "wsh", "docx", "doc", "xlsx", "xls", "pptx", "ppt", "rtf", "gif", "jpg", "png", "bmp", "img", "iso"
-    )
 '''
 
 

rules/windows/execution_command_shell_started_by_svchost.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/07/02"
 
 [transform]
 [[transform.osquery]]
@@ -124,10 +124,36 @@ type = "new_terms"
 query = '''
 host.os.type:windows and event.category:process and event.type:start and process.parent.name:"svchost.exe" and
 process.name:("cmd.exe" or "Cmd.exe" or "CMD.EXE") and
-not process.command_line : "\"cmd.exe\" /C sc control hptpsmarthealthservice 211"
+
+  not process.command_line : "\"cmd.exe\" /C sc control hptpsmarthealthservice 211"
 '''
 
 
+[[rule.filters]]
+
+[rule.filters.meta]
+negate = true
+[rule.filters.query.wildcard."process.command_line"]
+case_insensitive = true
+value = "*SysVol*WindowsDefenderATPOnboardingScript.cmd*"
+
+[[rule.filters]]
+
+[rule.filters.meta]
+negate = true
+[rule.filters.query.wildcard."process.command_line"]
+case_insensitive = true
+value = "\"cmd.exe\" /d /c C:\\\\???????\\\\system32\\\\hpatchmonTask.cmd"
+
+[[rule.filters]]
+
+[rule.filters.meta]
+negate = true
+[rule.filters.query.wildcard."process.command_line"]
+case_insensitive = true
+value = "\"C:\\\\???????\\\\system32\\\\cmd.exe\" /d /c C:\\\\???????\\\\system32\\\\hpatchmonTask.cmd"
+
+
 [[rule.filters]]
 
 [rule.filters.meta]
@@ -158,6 +184,7 @@ case_insensitive = true
 value = """
 cmd /C ".\\inetsrv\\iissetup.exe /keygen "
 """
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]