[Rule Tuning] Windows High Severity - 3 (#5094)

* [Rule Tuning] Windows High Severity - 3 * Update execution_pdf_written_file.toml * Update execution_pdf_written_file.toml * Update execution_pdf_written_file.toml
2025-09-15 08:34:43 -07:00
parent 567b82cb2f
commit d69ede2508
5 changed files with 26 additions and 16 deletions
@@ -2,7 +2,7 @@
 creation_date = "2025/08/20"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/05"
+updated_date = "2025/09/11"

 [rule]
 author = ["Elastic"]
@@ -72,7 +72,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-network where host.os.type == "windows" and dns.question.name != null and
+network where host.os.type == "windows" and dns.question.name != null and process.name != null and
 (
  process.name : ("MSBuild.exe", "mshta.exe", "wscript.exe", "powershell.exe", "pwsh.exe", "msiexec.exe", "rundll32.exe",
  "bitsadmin.exe", "InstallUtil.exe", "RegAsm.exe", "vbc.exe", "RegSvcs.exe", "python.exe", "regsvr32.exe", "dllhost.exe",
@@ -82,7 +82,7 @@ network where host.os.type == "windows" and dns.question.name != null and

  ?process.code_signature.subject_name : ("AutoIt Consulting Ltd", "OpenJS Foundation", "Python Software Foundation") or

-  ?process.executable : ("?:\\Users\\*.exe", "?:\\ProgramData\\*.exe", "?\\Device\\HarddiskVolume?\\Users\\*.exe", "?\\Device\\HarddiskVolume?\\ProgramData\\*.exe")
+  ?process.executable : ("?:\\Users\\*.exe", "?:\\ProgramData\\*.exe")
 ) and
 dns.question.name :
         (
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"

 [rule]
 author = ["Elastic"]
@@ -21,10 +21,10 @@ index = [
 interval = "60m"
 language = "eql"
 license = "Elastic License v2"
-name = "Execution of File Written or Modified by PDF Reader"
+name = "Deprecated - Execution of File Written or Modified by PDF Reader"
 note = """## Triage and analysis

-### Investigating Execution of File Written or Modified by PDF Reader
+### Investigating Deprecated - Execution of File Written or Modified by PDF Reader

 PDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.

@@ -69,9 +69,9 @@ This rule searches for executable files written by PDF reader software and execu
    - Consider improvements to the security awareness program.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
-risk_score = 73
+risk_score = 21
 rule_id = "1defdd62-cd8d-426e-a246-81a37751bb2b"
-severity = "high"
+severity = "low"
 tags = [
    "Domain: Endpoint",
    "OS: Windows",
@@ -2,7 +2,7 @@
 creation_date = "2024/09/09"
 integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/09/11"

 [rule]
 author = ["Elastic"]
@@ -76,7 +76,11 @@ type = "eql"

 query = '''
 process where host.os.type == "windows" and event.type == "start" and
-  process.name : ("powershell.exe", "pwsh.exe", "cmd.exe") and
+  process.command_line != null and
+  (
+    process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe", "cmd.exe") or
+    ?process.pe.original_file_name : ("powershell.exe", "pwsh.dll", "powershell_ise.exe", "Cmd.Exe")
+  ) and
  process.parent.name : ("wscript.exe", "mshta.exe")
 '''

@@ -2,7 +2,7 @@
 creation_date = "2024/06/19"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/28"
+updated_date = "2025/09/11"

 [rule]
 author = ["Elastic"]
@@ -60,9 +60,9 @@ Microsoft Management Console (MMC) is a Windows utility that provides a framewor
 - Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 references = ["https://www.elastic.co/security-labs/grimresource"]
-risk_score = 73
+risk_score = 47
 rule_id = "7e23dfef-da2c-4d64-b11d-5f285b638853"
-severity = "high"
+severity = "medium"
 tags = [
    "Domain: Endpoint",
    "OS: Windows",
@@ -93,7 +93,13 @@ process where host.os.type == "windows" and event.type == "start" and
        "?:\\Windows\\System32\\*.msc",
        "?:\\Windows\\SysWOW64\\*.msc",
        "?:\\Program files\\*.msc",
-        "?:\\Program Files (x86)\\*.msc"
+        "?:\\Program Files (x86)\\*.msc",
+        "?:\\Windows\\ADFS\\Microsoft.IdentityServer.msc"
+  ) and
+  not process.command_line : (
+    "C:\\Windows\\system32\\mmc.exe eventvwr.msc /s",
+    "mmc.exe eventvwr.msc /s",
+    "\"C:\\Windows\\System32\\mmc.exe\" CompMgmt.msc*"
  )
 '''

@@ -2,7 +2,7 @@
 creation_date = "2025/09/01"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/01"
+updated_date = "2025/09/11"

 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ query = '''
 file where host.os.type == "windows" and event.type in ("change", "deletion") and
 file.name : ("winload.exe", "winlod.efi", "ntoskrnl.exe", "bootmgr") and
 file.path : ("?:\\Windows\\*", "\\Device\\HarddiskVolume*\\Windows\\*") and
- not process.executable : ("?:\\Windows\\System32\\poqexec.exe", "?\\Device\\HarddiskVolume*\\Windows\\System32\\poqexec.exe")
+ not process.executable : ("?:\\Windows\\System32\\poqexec.exe", "\\Device\\HarddiskVolume*\\Windows\\System32\\poqexec.exe")
 '''