diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index cbe06a592..6424adbe5 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/01/15"
+updated_date = "2026/01/29"
 [transform]
 [[transform.osquery]]
@@ -122,68 +122,13 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -host.os.type:windows and event.category:process and event.type:start and process.parent.name:"svchost.exe" and -process.name:("cmd.exe" or "Cmd.exe" or "CMD.EXE") and - - not process.command_line : "\"cmd.exe\" /C sc control hptpsmarthealthservice 211" +host.os.type:windows and event.category:process and event.type:start and process.parent.name:svchost.exe and +process.name:(CMD.EXE or Cmd.exe or cmd.exe) and +process.command_line:(* and not "\"cmd.exe\" /C sc control hptpsmarthealthservice 211") and +not process.args:(".\inetsrv\iissetup.exe /keygen " or "C:\Program" or "C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klmover.exe" or "C:\Program Files (x86)\Sentry\SA\adluminupdater.exe" or "C:\Program Files\WinRAR" or "C:\Program Files\WinRAR\uninstall.exe" or "hpdiags://BatteryStatusTest" or hptpsmarthealthservice or icacls or taskkill or w32tm or *.BAT* or *.CMD* or *.bat* or *.cmd*) ''' -[[rule.filters]] - -[rule.filters.meta] -negate = true -[rule.filters.query.wildcard."process.command_line"] -case_insensitive = true -value = "*SysVol*WindowsDefenderATPOnboardingScript.cmd*" - -[[rule.filters]] - -[rule.filters.meta] -negate = true -[rule.filters.query.wildcard."process.command_line"] -case_insensitive = true -value = "\"cmd.exe\" /d /c C:\\\\???????\\\\system32\\\\hpatchmonTask.cmd" - -[[rule.filters]] - -[rule.filters.meta] -negate = true -[rule.filters.query.wildcard."process.command_line"] -case_insensitive = true -value = "\"C:\\\\???????\\\\system32\\\\cmd.exe\" /d /c C:\\\\???????\\\\system32\\\\hpatchmonTask.cmd" - - -[[rule.filters]] - -[rule.filters.meta] -negate = true -[rule.filters.query.wildcard."process.args"] -case_insensitive = true -value = "?:\\\\Windows\\\\system32\\\\silcollector.cmd" -[[rule.filters]] - -[rule.filters.meta] -negate = true -[rule.filters.query.wildcard."process.command_line"] -case_insensitive = true -value = "*?:\\\\Program 
Files\\\\Npcap\\\\CheckStatus.bat*" -[[rule.filters]] - -[rule.filters.meta] -negate = true -[rule.filters.query.wildcard."process.command_line"] -case_insensitive = true -value = "*?:\\\\Program Files*\\\\Pulseway\\\\watchdog.bat*" -[[rule.filters]] - -[rule.filters.meta] -negate = true -[rule.filters.query.wildcard."process.command_line"] -case_insensitive = true -value = """ -cmd /C ".\\inetsrv\\iissetup.exe /keygen " -""" [[rule.threat]] framework = "MITRE ATT&CK"
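Review bot: The wildcard terms `*.BAT*`, `*.CMD*`, `*.bat*` and `*.cmd*` on the new `not process.args:(...)` line exclude every cmd.exe-under-svchost event whose arguments mention a batch or command script, whereas the deleted `[[rule.filters]]` blocks excluded only named scripts (CheckStatus.bat, watchdog.bat, silcollector.cmd, hpatchmonTask.cmd, WindowsDefenderATPOnboardingScript.cmd); assuming `process.args` is a keyword field where a leading-and-trailing `*` matches any substring, this is a coverage regression for the exact behaviour the rule is meant to surface. Replacing the four wildcards with path-anchored patterns for the scripts the old filters named, e.g. `*\Npcap\CheckStatus.bat* or *\Pulseway\watchdog.bat* or ?:\Windows\system32\silcollector.cmd or *\system32\hpatchmonTask.cmd* or *WindowsDefenderATPOnboardingScript.cmd*`, keeps the noise reduction without blinding the rule to arbitrary scripts (backslash escaping should follow whatever the other quoted terms on this line already rely on). The bare `"C:\Program"` term is similarly broad: it excludes any invocation where an unquoted Program Files path was split on the space, regardless of which binary follows, so it should be tightened to the specific split tokens that were observed. A `#` comment above `query` naming the product each exclusion covers would also help the next tuning pass, since that context previously lived in the removed filters' `value` strings.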