Skip to content

Commit 13192eb

Browse files
authored
[Rule Tuning] Windows Misc Tunings (#6379)
* [Rule Tuning] Windows Misc Tunings * Update privilege_escalation_unusual_parentchild_relationship.toml * Update privilege_escalation_via_ppid_spoofing.toml * Update privilege_escalation_via_ppid_spoofing.toml * Update privilege_escalation_unusual_parentchild_relationship.toml
1 parent 53d753c commit 13192eb

5 files changed

Lines changed: 20 additions & 16 deletions

rules/windows/command_and_control_screenconnect_childproc.toml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
creation_date = "2024/03/27"
33
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
44
maturity = "production"
5-
updated_date = "2026/05/04"
5+
updated_date = "2026/07/02"
66

77
[rule]
88
author = ["Elastic"]
@@ -99,7 +99,7 @@ process where host.os.type == "windows" and event.type == "start" and
9999
(process.name : "rundll32.exe" and not process.args : "url.dll,FileProtocolHandler") or
100100
(process.name : "msiexec.exe" and process.args : ("/i", "-i") and
101101
process.args : ("/q", "/quiet", "/qn", "-q", "-quiet", "-qn", "-Q+")) or
102-
process.name : ("mshta.exe", "certutil.exe", "bistadmin.exe", "certreq.exe", "wscript.exe", "cscript.exe", "curl.exe",
102+
process.name : ("mshta.exe", "certutil.exe", "bitsadmin.exe", "certreq.exe", "wscript.exe", "cscript.exe", "curl.exe",
103103
"ssh.exe", "scp.exe", "wevtutil.exe", "wget.exe", "wmic.exe")
104104
)
105105
'''

rules/windows/defense_evasion_untrusted_driver_loaded.toml

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
creation_date = "2023/01/27"
33
integration = ["endpoint"]
44
maturity = "production"
5-
updated_date = "2026/05/01"
5+
updated_date = "2026/07/02"
66

77
[rule]
88
author = ["Elastic"]
@@ -39,12 +39,14 @@ driver where host.os.type == "windows" and process.pid == 4 and
3939
/* errorExpired and errorRevoked are handled by d12bac54-ab2a-4159-933f-d7bcefa7b61d */
4040
not dll.code_signature.status : ("errorExpired", "errorRevoked", "errorCode_endpoint:*") and
4141
42-
/* HP DOT4 printer driver family FPs (Dot4.sys, Dot4Prt.sys, Dot4usb.sys, Dot4Scan.sys) */
4342
not dll.hash.sha256 : (
43+
/* HP DOT4 printer driver family FPs (Dot4.sys, Dot4Prt.sys, Dot4usb.sys, Dot4Scan.sys) */
4444
"f21c1d478180bc5e932bb2c2e4618e3ed463ca87acedeb139682d218435f82f1",
4545
"7e2f2a139e897eae56038b920bda9381094bc0ae9e626f6634e6b444b8b0c91f",
4646
"12ffdf5f48a79b1b4adbb88ba2cb6c59dd6719554e8ea6beefe99b3e3c66f1ac",
47-
"dbc6afaf80141e2480e19878f581edfe9c2b018da2ec527c4025ff04d5587afd"
47+
"dbc6afaf80141e2480e19878f581edfe9c2b018da2ec527c4025ff04d5587afd",
48+
/* (dc3d.sys, test-signed) */
49+
"ca8f9564733ded4c3895cf7150bb254995d66889e6be08d6654e4f897e4ff7a4"
4850
)
4951
'''
5052

rules/windows/lateral_movement_credential_access_kerberos_correlation.toml

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
creation_date = "2025/10/28"
33
integration = ["endpoint", "windows", "system"]
44
maturity = "production"
5-
updated_date = "2026/05/03"
5+
updated_date = "2026/07/02"
66

77
[rule]
88
author = ["Elastic"]
@@ -59,10 +59,12 @@ sequence by source.port, source.ip with maxspan=3s
5959
"C:\\Windows\\System32\\svchost.exe",
6060
"C:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe",
6161
"C:\\Program Files\\Omnissa\\Horizon\\Server\\bin\\ws_TomcatService.exe",
62+
"C:\\Program Files\\SysAidServer\\root\\WEB-INF\\domains\\NetworkDiscovery.exe",
63+
"C:\\Program Files (x86)\\IGEL\\RemoteManager\\*\\bin\\tomcat10.exe",
6264
"F:\\IGEL\\RemoteManager\\*\\bin\\tomcat10.exe"
6365
) and
6466
user.id in ("S-1-5-20", "S-1-5-18")
65-
) and
67+
) and
6668
source.ip != "127.0.0.1" and destination.ip != "::1" and destination.ip != "127.0.0.1"]
6769
[authentication where host.os.type == "windows" and event.code in ("4768", "4769")]
6870
'''

rules/windows/privilege_escalation_unusual_parentchild_relationship.toml

Lines changed: 6 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
creation_date = "2020/02/18"
33
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
44
maturity = "production"
5-
updated_date = "2026/05/04"
5+
updated_date = "2026/07/06"
66

77
[transform]
88
[[transform.osquery]]
@@ -146,7 +146,7 @@ type = "eql"
146146

147147
query = '''
148148
process where host.os.type == "windows" and event.type == "start" and
149-
process.parent.name != null and
149+
process.parent.name != null and process.parent.executable like ("?:\\*", "\\Device\\*") and
150150
(
151151
/* suspicious parent processes */
152152
(process.name:"autochk.exe" and not process.parent.name:"smss.exe") or
@@ -169,11 +169,12 @@ process.parent.name != null and
169169
(process.name:"userinit.exe" and not process.parent.name:("dwm.exe", "winlogon.exe", "KUsrInit.exe")) or
170170
(process.name:("wmiprvse.exe", "wsmprovhost.exe", "winrshost.exe") and not process.parent.name:"svchost.exe") or
171171
/* suspicious child processes */
172-
(process.parent.name:("SearchProtocolHost.exe", "taskhost.exe", "csrss.exe") and not process.name:("werfault.exe", "wermgr.exe", "WerFaultSecure.exe", "conhost.exe", "ngentask.exe")) or
172+
(process.parent.name:("SearchProtocolHost.exe", "taskhost.exe", "csrss.exe") and not process.name:("werfault.exe", "wermgr.exe", "WerFaultSecure.exe", "conhost.exe", "ngentask.exe", "SearchProtocolHost.exe")) or
173173
(process.parent.name:"autochk.exe" and not process.name:("chkdsk.exe", "doskey.exe", "WerFault.exe")) or
174174
(process.parent.name:"smss.exe" and not process.name:("autochk.exe", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "setupcl.exe", "WerFault.exe", "wpbbin.exe", "PvsVmBoot.exe", "SophosNA.exe", "omnissa-ic-nga.exe", "icarus_rvrt.exe", "poqexec.exe")) or
175-
(process.parent.name:"wermgr.exe" and not process.name:("WerFaultSecure.exe", "wermgr.exe", "WerFault.exe")) or
176-
(process.parent.name:"conhost.exe" and not process.name:("mscorsvw.exe", "wermgr.exe", "WerFault.exe", "WerFaultSecure.exe"))
175+
(process.parent.name:"wermgr.exe" and not process.name:("WerFaultSecure.exe", "wermgr.exe", "WerFault.exe") and
176+
not (process.name:"rundll32.exe" and process.command_line : "*WerConCpl.dll*LaunchErcApp*")) or
177+
(process.parent.name:"conhost.exe" and not process.name:("mscorsvw.exe", "wermgr.exe", "WerFault.exe", "WerFaultSecure.exe", "conhost.exe"))
177178
)
178179
'''
179180

rules/windows/privilege_escalation_via_ppid_spoofing.toml

Lines changed: 3 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
creation_date = "2022/10/20"
33
integration = ["endpoint"]
44
maturity = "production"
5-
updated_date = "2026/05/03"
5+
updated_date = "2026/07/03"
66

77
[rule]
88
author = ["Elastic"]
@@ -41,7 +41,7 @@ query = '''
4141
process where host.os.type == "windows" and event.action == "start" and
4242
4343
/* process creation via seclogon */
44-
process.parent.Ext.real.pid > 0 and
44+
process.parent.Ext.real.pid > 0 and process.parent.executable != null and
4545
4646
/* PrivEsc to SYSTEM */
4747
user.id : "S-1-5-18" and
@@ -75,7 +75,6 @@ process where host.os.type == "windows" and event.action == "start" and
7575
"?:\\Windows\\UUS\\amd64\\wuauclt.exe",
7676
"?:\\Windows\\UUS\\amd64\\wuaucltcore.exe",
7777
"?:\\ProgramData\\Microsoft\\Windows\\UUS\\*\\wuaucltcore.exe")) and
78-
not (process.executable : ("?:\\Windows\\System32\\MpSigStub.exe", "?:\\Windows\\SysWOW64\\MpSigStub.exe") and process.parent.executable == null) and
7978
8079
/* Other third party SW */
8180
not process.parent.executable :
@@ -90,7 +89,7 @@ process where host.os.type == "windows" and event.action == "start" and
9089
"?:\\Program Files (x86)\\GoToAssist Remote Support Customer\\*\\g2ax_comm_customer.exe") and
9190
not (
9291
process.code_signature.trusted == true and process.code_signature.subject_name == "Netwrix Corporation" and
93-
process.name : "adcrcpy.exe" and process.parent.name : (
92+
process.name : ("adcrcpy.exe", "addumpcaller.exe") and process.parent.name : (
9493
"Netwrix.ADA.EventCollector.exe",
9594
"Netwrix.ADA.Analyzer.exe"
9695
)

0 commit comments

Comments
 (0)