diff --git a/rules/windows/credential_access_moving_registry_hive_via_smb.toml b/rules/windows/credential_access_moving_registry_hive_via_smb.toml
index 8f794a534..7dc0c02f2 100644
--- a/rules/windows/credential_access_moving_registry_hive_via_smb.toml
+++ b/rules/windows/credential_access_moving_registry_hive_via_smb.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/02/16"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/08/06"
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,7 @@ file where host.os.type == "windows" and event.type == "creation" and
 process.pid == 4 and user.id : ("S-1-5-21*", "S-1-12-1-*") and
 not file.path : (
 "?:\\*\\UPM_Profile\\NTUSER.DAT",
- "?:\\*\\UPM_Profile\\NTUSER.DAT.LASTGOOD.LOAD",
+ "?:\\*\\UPM_Profile\\NTUSER.DAT.LASTGOODLOAD",
 "?:\\*\\UPM_Profile\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat*",
 "?:\\Windows\\Netwrix\\Temp\\????????.???.offreg",
 "?:\\*\\AppData\\Local\\Packages\\Microsoft.*\\Settings\\settings.dat*"
diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
index d2011685a..ab0b32e27 100644
--- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
+++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/07/02"
 
 [transform]
 [[transform.osquery]]
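Review bot: The renamed entry `"?:\\*\\UPM_Profile\\NTUSER.DAT.LASTGOODLOAD"` drops the earlier `NTUSER.DAT.LASTGOOD.LOAD` spelling outright, so if both names occur in the field the older one alerts again; worth confirming which name the profile-management product that owns `UPM_Profile` actually writes before the old form is retired. The entry is anchored only on a `\\UPM_Profile\\` path component behind a leading `?:\\*\\` wildcard, so it applies wherever a directory of that name exists on any volume, which is wider than a profile-store carve-out needs to be. A comment above the entry in the `/* ... */` style the tokenfilterpolicy hunk of this commit uses, e.g. `/* profile-management NTUSER.DAT copies — TODO name the product */`, would make the list reviewable. The enclosing query starts before this hunk.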
@@ -127,7 +127,14 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
 (process.name : "attrib.exe" or ?process.pe.original_file_name == "ATTRIB.EXE") and process.args : "+h" and
- not (process.parent.name: "cmd.exe" and process.command_line: "attrib +R +H +S +A *.cui")
+ not (process.parent.name: "cmd.exe" and process.command_line: "attrib +R +H +S +A *.cui") and
+
+ not (
+ process.parent.name: "draw.io.exe" and
+ (
+ process.command_line : ("*drawio.bkp*", "*drawio.dtmp*")
+ )
+ )
 '''
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index 7b4668fa8..47bf071a3 100644
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/24"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/05/05"
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
@@ -82,6 +82,7 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and
 process.name : ("esensor.exe", "elastic-endpoint.exe") and process.parent.executable != null and
+ process.args != null and
 /* add FPs here */
 not process.parent.executable : (
 "?:\\Program Files\\Elastic\\*",
@@ -94,6 +95,7 @@ process where host.os.type == "windows" and event.type == "start" and
 process.parent.executable : (
 "?:\\Windows\\System32\\cmd.exe",
 "?:\\Windows\\System32\\SecurityHealthHost.exe",
+ "?:\\Windows\\System32\\SecurityHealth\\*\\SecurityHealthHost.exe",
 "?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
 ) and
 process.args : (
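Review bot: The new draw.io carve-out keys only on `process.parent.name: "draw.io.exe"` and a substring of `process.command_line`, both free-text fields, so it suppresses any hidden-attribute event that merely presents that parent name and those tokens; tying it to the parent's signature, `process.parent.name: "draw.io.exe" and ?process.parent.code_signature.trusted == true and`, keeps the exclusion to the real application where the data source carries signature fields. The inner parentheses around the single `process.command_line : (...)` term add nothing and can be dropped. The bare blank line inserted inside the query body (also in the ADS and svchost hunks of this commit) is harmless to EQL but breaks the one-clause-per-line layout of the rest of the query.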
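Review bot: The added `process.args != null and` is a top-level condition, so any start event that lacks `process.args` no longer matches the rule at all rather than merely escaping the false-positive branch; several listed integrations (`m365_defender`, `sentinel_one_cloud_funnel`) may not populate args on every event, so this is worth checking against sample data from each source before the guard is accepted. If the aim is only to keep a null `process.args` from interacting badly with the `not (... and process.args : (...))` exclusion further down, a comment recording that, e.g. `/* require args: events without them were noisy or unmatched from <source placeholder> */`, would save the next maintainer from re-deriving it. The enclosing query continues past the end of this hunk.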
@@ -101,7 +103,7 @@ process where host.os.type == "windows" and event.type == "start" and
 "top", "run", "*help", "status", "upgrade", "/launch",
- "/enable"
+ "/enable", "/av"
 )
 )
 '''
diff --git a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
index eaf45cb6e..f4b7ac3f8 100644
--- a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
+++ b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/11/01"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/07/03"
 
 [rule]
 author = ["Elastic"]
@@ -88,7 +88,12 @@ registry where host.os.type == "windows" and event.type == "change" and
 "HKLM\\*\\LocalAccountTokenFilterPolicy",
 "\\REGISTRY\\MACHINE\\*\\LocalAccountTokenFilterPolicy",
 "MACHINE\\*\\LocalAccountTokenFilterPolicy"
- ) and registry.data.strings : ("1", "0x00000001")
+ ) and registry.data.strings : ("1", "0x00000001") and
+ not process.executable : (
+ /* Intune */
+ "C:\\Windows\\system32\\deviceenroller.exe",
+ "C:\\Windows\\system32\\omadmclient.exe"
+ )
 '''
diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
index 3ac4b226c..8b224dcc5 100644
--- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml
+++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/21"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/05/08"
+updated_date = "2025/07/02"
 
 [transform]
 [[transform.osquery]]
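Review bot: The two Intune paths are pinned to `C:\\` while every other path exclusion touched by this commit uses the `?:\\` drive wildcard (for example `"?:\\Windows\\System32\\SecurityHealthHost.exe"` in the masquerading rule), so the false positive persists on hosts whose system volume is not C:; use `"?:\\Windows\\system32\\deviceenroller.exe",` and `"?:\\Windows\\system32\\omadmclient.exe"`. Excluding on `process.executable` alone ties the carve-out to a path rather than to the Microsoft component; where the source carries it, restructuring to `not (process.executable : (...) and ?process.code_signature.trusted == true)` keeps the exclusion from covering an unsigned file at that path. The `/* Intune */` comment is the right pattern, and the other exclusion lists in this commit would read better with the same. The enclosing query starts before this hunk.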
@@ -125,7 +125,11 @@ type = "eql"
 query = '''
 file where host.os.type == "windows" and event.type == "creation" and
- file.path : "C:\\*:*" and
+ file.path : "C:\\*:*" and file.extension in~ (
+ "pdf", "dll", "exe", "dat", "com", "bat", "cmd", "sys", "vbs", "ps1", "hta", "txt", "vbe", "js",
+ "wsh", "docx", "doc", "xlsx", "xls", "pptx", "ppt", "rtf", "gif", "jpg", "png", "bmp", "img", "iso"
+ ) and
+
 not file.path : ("C:\\*:zone.identifier*",
 "C:\\users\\*\\appdata\\roaming\\microsoft\\teams\\old_weblogs_*:$DATA",
@@ -160,12 +164,12 @@ file where host.os.type == "windows" and event.type == "creation" and
 "?:\\windows\\System32\\svchost.exe",
 "?:\\Windows\\System32\\WFS.exe"
 ) and
+
+ not (
+ ?process.code_signature.trusted == true and
+ file.name : "*:sec.endpointdlp:$DATA"
+ )
- file.extension :
- (
- "pdf", "dll", "exe", "dat", "com", "bat", "cmd", "sys", "vbs", "ps1", "hta", "txt", "vbe", "js",
- "wsh", "docx", "doc", "xlsx", "xls", "pptx", "ppt", "rtf", "gif", "jpg", "png", "bmp", "img", "iso"
- )
 '''
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index 4c89a8aff..1883fddf8 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/07/02"
 
 [transform]
 [[transform.osquery]]
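Review bot: The rewritten first clause keeps the search pinned to `file.path : "C:\\*:*"` while the exclusions that follow mix `C:\\` and `?:\\` prefixes (`"?:\\windows\\System32\\svchost.exe"` in the next hunk), so streams created on a non-C system volume are never evaluated yet some carve-outs are written as if they were; either widen it to `file.path : "?:\\*:*" and file.extension in~ (` or make the exclusion prefixes consistently `C:\\`. Moving the extension list into a leading `in~` appears behaviour-preserving since none of the values carry wildcards, but a short comment above it, e.g. `/* positive extension list: only these are in scope */`, spares the next reader a trip through history to find the block removed further down.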
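Review bot: The new carve-out excludes `file.name : "*:sec.endpointdlp:$DATA"` for any process whose signature is merely trusted, which is a broad class of writers; if the stream comes from one known product, pairing `?process.code_signature.trusted == true` with its signer, `?process.code_signature.subject_name : "<VENDOR_SUBJECT_PLACEHOLDER>"`, narrows the exclusion to that product. A `/* <product> */` comment above the block, as the Intune hunk does, would document why this stream name is trusted. The `?` prefix on the signature field is presumably there because not every listed integration maps `process.code_signature`, while the neighbouring exclusions use unprefixed fields; a note would help if that asymmetry is intentional. The enclosing query starts before this hunk.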
@@ -124,10 +124,36 @@ type = "new_terms"
 query = '''
 host.os.type:windows and event.category:process and event.type:start and process.parent.name:"svchost.exe" and process.name:("cmd.exe" or "Cmd.exe" or "CMD.EXE") and
-not process.command_line : "\"cmd.exe\" /C sc control hptpsmarthealthservice 211"
+
+ not process.command_line : "\"cmd.exe\" /C sc control hptpsmarthealthservice 211"
 '''
 
+[[rule.filters]]
+
+[rule.filters.meta]
+negate = true
+[rule.filters.query.wildcard."process.command_line"]
+case_insensitive = true
+value = "*SysVol*WindowsDefenderATPOnboardingScript.cmd*"
+
+[[rule.filters]]
+
+[rule.filters.meta]
+negate = true
+[rule.filters.query.wildcard."process.command_line"]
+case_insensitive = true
+value = "\"cmd.exe\" /d /c C:\\\\???????\\\\system32\\\\hpatchmonTask.cmd"
+
+[[rule.filters]]
+
+[rule.filters.meta]
+negate = true
+[rule.filters.query.wildcard."process.command_line"]
+case_insensitive = true
+value = "\"C:\\\\???????\\\\system32\\\\cmd.exe\" /d /c C:\\\\???????\\\\system32\\\\hpatchmonTask.cmd"
+
+
 [[rule.filters]]
 
 [rule.filters.meta]
@@ -158,6 +184,7 @@ case_insensitive = true
 value = """
 cmd /C ".\\inetsrv\\iissetup.exe /keygen "
 """
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
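Review bot: The first new filter, `value = "*SysVol*WindowsDefenderATPOnboardingScript.cmd*"`, is a case-insensitive wildcard on `process.command_line` with wildcards on both ends, so it suppresses every svchost-spawned cmd.exe whose command line mentions that script name anywhere, including invocations that carry further arguments after it; anchoring the pattern to the expected invocation (a leading `"cmd.exe"` and no trailing `*`) keeps the carve-out to the onboarding run itself. The two `hpatchmonTask.cmd` filters pin the drive to `C:` while using `???????` for the directory name, which deserves a one-line TOML comment above them, e.g. `# HP patch-monitor task; ??????? presumably stands for the Windows directory name`, if the build tooling preserves comments. The query-side edit is whitespace only (a blank line plus a leading space on the `not process.command_line` line), and with the `hptpsmarthealthservice` exclusion still in the query while the new ones live in `rule.filters`, the split needs either one form or a note explaining it.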