Skip to content

[Rule Tuning] Windows Misc Tunings#6379

Merged
w0rk3r merged 8 commits into
mainfrom
rt_2
Jul 6, 2026
Merged

[Rule Tuning] Windows Misc Tunings#6379
w0rk3r merged 8 commits into
mainfrom
rt_2

Conversation

@w0rk3r

@w0rk3r w0rk3r commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Issues

Resolves #6228
Resolves #6016

Summary

Excludes FP Patterns, fix a typo.

@w0rk3r w0rk3r self-assigned this Jul 2, 2026
@w0rk3r w0rk3r added Rule: Tuning tweaking or tuning an existing rule OS: Windows windows related rules Domain: Endpoint backport: auto labels Jul 2, 2026
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Rule: Tuning - Guidelines

These guidelines serve as a reminder set of considerations when tuning an existing rule.

Documentation and Context

  • Detailed description of the suggested changes.
  • Provide example JSON data or screenshots.
  • Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
  • Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
  • Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
  • Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
  • Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
  • Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
  • Provide evidence of improvements of adjusting rules based on time-based patterns (Temporal Tuning).
  • Provide reasoning of adjusting priority or severity levels of alerts (Severity Tuning).
  • Provide evidence of improving quality integrity of our data used by detection rules (Data Quality).
  • Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

  • updated_date matches the date of tuning PR merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

  • Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
  • Ensure that the tuned rule has a low false positive rate.

@tradebot-elastic

tradebot-elastic commented Jul 2, 2026

Copy link
Copy Markdown

⛔️ Test failed

Results
  • ❌ Privileges Elevation via Parent Process PID Spoofing (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Parent-Child Relationship (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious ScreenConnect Client Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Kerberos Authentication Ticket Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Untrusted Driver Loaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

Mikaayenson
Mikaayenson previously approved these changes Jul 2, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR tunes multiple Windows detection rules to reduce false positives and correct minor issues, aligned to the linked tuning issues (#6228, #6016).

Changes:

  • Adjusted EQL logic in PPID spoofing and unusual parent/child relationship rules to suppress additional benign patterns.
  • Expanded allowlists in the Kerberos correlation rule and added a new benign driver hash exclusion.
  • Fixed a typo in the ScreenConnect child-process rule (bitsadmin).

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.

Show a summary per file
File Description
rules/windows/privilege_escalation_via_ppid_spoofing.toml Adds new allowlist logic for accessibility utilities and extends a Netwrix-related exclusion.
rules/windows/privilege_escalation_unusual_parentchild_relationship.toml Adds new false-positive suppressions (WER rundll32 pattern, 4688 SID-like parent name).
rules/windows/lateral_movement_credential_access_kerberos_correlation.toml Adds additional benign process paths to the Kerberos correlation allowlist.
rules/windows/defense_evasion_untrusted_driver_loaded.toml Adds a new SHA256 exception (test-signed driver) and adjusts comment placement.
rules/windows/command_and_control_screenconnect_childproc.toml Fixes bitsadmin.exe typo in the suspicious child process list.

Comment thread rules/windows/privilege_escalation_via_ppid_spoofing.toml Outdated
Comment thread rules/windows/privilege_escalation_via_ppid_spoofing.toml Outdated
Comment thread rules/windows/privilege_escalation_unusual_parentchild_relationship.toml Outdated
@tradebot-elastic

tradebot-elastic commented Jul 2, 2026

Copy link
Copy Markdown

⛔️ Test failed

Results
  • ❌ Privileges Elevation via Parent Process PID Spoofing (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Parent-Child Relationship (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious ScreenConnect Client Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Kerberos Authentication Ticket Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Untrusted Driver Loaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

Comment thread rules/windows/privilege_escalation_unusual_parentchild_relationship.toml Outdated
Comment thread rules/windows/privilege_escalation_via_ppid_spoofing.toml Outdated
Comment thread rules/windows/privilege_escalation_via_ppid_spoofing.toml Outdated
(process.name : "msiexec.exe" and process.args : ("/i", "-i") and
process.args : ("/q", "/quiet", "/qn", "-q", "-quiet", "-qn", "-Q+")) or
process.name : ("mshta.exe", "certutil.exe", "bistadmin.exe", "certreq.exe", "wscript.exe", "cscript.exe", "curl.exe",
process.name : ("mshta.exe", "certutil.exe", "bitsadmin.exe", "certreq.exe", "wscript.exe", "cscript.exe", "curl.exe",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

any noisy FPs worth excluding for this rule?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see a high volume for C:\WINDOWS\SystemTemp\ScreenConnect\<version>\<random>run.cmd, but I need to validate whether this is for updates only or for script execution. Will do that as part of https://github.com/elastic/ia-trade-team/issues/984

@tradebot-elastic

tradebot-elastic commented Jul 3, 2026

Copy link
Copy Markdown

⛔️ Test failed

Results
  • ❌ Privileges Elevation via Parent Process PID Spoofing (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Parent-Child Relationship (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious ScreenConnect Client Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Kerberos Authentication Ticket Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Untrusted Driver Loaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic

tradebot-elastic commented Jul 3, 2026

Copy link
Copy Markdown

⛔️ Test failed

Results
  • ❌ Privileges Elevation via Parent Process PID Spoofing (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Parent-Child Relationship (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious ScreenConnect Client Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Kerberos Authentication Ticket Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Untrusted Driver Loaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic

tradebot-elastic commented Jul 3, 2026

Copy link
Copy Markdown

⛔️ Test failed

Results
  • ❌ Privileges Elevation via Parent Process PID Spoofing (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Parent-Child Relationship (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious ScreenConnect Client Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Kerberos Authentication Ticket Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Untrusted Driver Loaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@Mikaayenson Mikaayenson dismissed their stale review July 3, 2026 12:33

Will rereview

@w0rk3r w0rk3r requested a review from Samirbous July 3, 2026 13:20
@tradebot-elastic

tradebot-elastic commented Jul 6, 2026

Copy link
Copy Markdown

⛔️ Test failed

Results
  • ❌ Privileges Elevation via Parent Process PID Spoofing (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Parent-Child Relationship (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious ScreenConnect Client Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Kerberos Authentication Ticket Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Untrusted Driver Loaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic

tradebot-elastic commented Jul 6, 2026

Copy link
Copy Markdown

⛔️ Test failed

Results
  • ❌ Privileges Elevation via Parent Process PID Spoofing (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Parent-Child Relationship (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious ScreenConnect Client Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Kerberos Authentication Ticket Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Untrusted Driver Loaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic

tradebot-elastic commented Jul 6, 2026

Copy link
Copy Markdown

⛔️ Test failed

Results
  • ❌ Privileges Elevation via Parent Process PID Spoofing (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Parent-Child Relationship (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious ScreenConnect Client Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Kerberos Authentication Ticket Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Untrusted Driver Loaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@w0rk3r w0rk3r merged commit 13192eb into main Jul 6, 2026
13 checks passed
@w0rk3r w0rk3r deleted the rt_2 branch July 6, 2026 15:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backport: auto Domain: Endpoint OS: Windows windows related rules Rule: Tuning tweaking or tuning an existing rule

Projects

None yet

8 participants