From b6218e300a2f7a3be169baa5695bf465aef7064d Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Fri, 12 Sep 2025 08:35:58 -0300
Subject: [PATCH 1/3] [Rule Tuning] Windows High Severity - 2

---
 ...sion_execution_windefend_unusual_path.toml | 12 +++----
 ...ense_evasion_iis_httplogging_disabled.toml | 3 +-
 ...ense_evasion_proxy_execution_via_msdt.toml | 5 ++-
 ...asion_unusual_system_vp_child_program.toml | 4 +--
 ...execution_initial_access_via_msc_file.toml | 31 +++++++++++++++++--
 5 files changed, 39 insertions(+), 16 deletions(-)

diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
index 2722e230a33..e1eaae3f8de 100644
--- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
+++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
@@ -2,14 +2,14 @@
 creation_date = "2021/07/07"
 integration = ["endpoint", "windows", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/01"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic", "Dennis Perto"]
 description = """
-Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being
-renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via
-side-loading a malicious DLL within the memory space of one of those processes.
+Identifies suspicious execution of the Microsoft Antimalware Service Executable (MsMpEng.exe) from non-standard paths or
+renamed instances. This may indicate an attempt to evade defenses through DLL side-loading or by masquerading as the
+antimalware process.
 """
 false_positives = ["Microsoft Antimalware Service Executable installed on non default installation path."]
 from = "now-9m"
@@ -23,13 +23,13 @@ index = [
 ]
 language = "eql"
 license = "Elastic License v2"
-name = "Potential DLL Side-Loading via Microsoft Antimalware Service Executable"
+name = "Suspicious Microsoft Antimalware Service Execution"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Potential DLL Side-Loading via Microsoft Antimalware Service Executable
+### Investigating Suspicious Microsoft Antimalware Service Execution
 
 The Microsoft Antimalware Service Executable, a core component of Windows Defender, is crucial for real-time protection against malware. Adversaries exploit its trust by renaming it or executing it from non-standard paths to load malicious DLLs, bypassing security measures. The detection rule identifies such anomalies by monitoring process names and paths, flagging deviations from expected behavior to uncover potential threats.
 
diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
index 60048de8eac..1f7de5422de 100644
--- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml
+++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/14"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,6 @@ index = [
 ]
 language = "eql"
 license = "Elastic License v2"
-max_signals = 33
 name = "IIS HTTP Logging Disabled"
 note = """## Triage and analysis
 
diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
index aba8cb7d42e..0bb678f64c1 100644
--- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
+++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/05/31"
 integration = ["endpoint", "windows", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -85,8 +85,7 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and
 (?process.pe.original_file_name == "msdt.exe" or process.name : "msdt.exe") and
 (
-process.args : ("IT_RebrowseForFile=*", "ms-msdt:/id", "ms-msdt:-id", "*FromBase64*") or
-
+process.args : ("IT_RebrowseForFile=*", "*FromBase64*", "*/../../../*", "*PCWDiagnostic*") or
 (
 process.args : "-af" and process.args : "/skip" and
 process.parent.name : ("explorer.exe", "cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe") and
diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
index a63865675de..1cba1345c81 100644
--- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
+++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
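Review bot: The new `*PCWDiagnostic*` term in the first `process.args` branch matches any msdt.exe start whose arguments mention that troubleshooter package, with no parent or co-argument constraint, whereas the `-af`/`/skip` branch directly below it is scoped by `process.parent.name`. If the Program Compatibility Troubleshooter launched interactively from the shell passes a PCWDiagnostic id to msdt.exe — I cannot confirm that from the hunk — the rule will now alert on that routine use as well. Either move the term into the parent-constrained branch or document the expected benign source, e.g. `false_positives = ["Interactive use of the Program Compatibility Troubleshooter, which invokes msdt.exe with the PCWDiagnostic package."]`. The query's closing and the remainder of the rule lie outside the hunk.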
@@ -79,7 +79,7 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
 process.parent.pid == 4 and process.executable : "?*" and
-not process.executable : ("Registry", "MemCompression", "?:\\Windows\\System32\\smss.exe")
+not process.executable : ("Registry", "MemCompression", "?:\\Windows\\System32\\smss.exe", "HotPatch")
 '''
 
 
diff --git a/rules/windows/execution_initial_access_via_msc_file.toml b/rules/windows/execution_initial_access_via_msc_file.toml
index 5a2423c2e83..b0fc6db6048 100644
--- a/rules/windows/execution_initial_access_via_msc_file.toml
+++ b/rules/windows/execution_initial_access_via_msc_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/12"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -68,8 +68,33 @@ type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
-process.parent.executable : "?:\\Windows\\System32\\mmc.exe" and endswith~(process.parent.args, ".msc") and
-not process.parent.args : ("?:\\Windows\\System32\\*.msc", "?:\\Windows\\SysWOW64\\*.msc", "?:\\Program files\\*.msc", "?:\\Program Files (x86)\\*.msc")
+process.parent.executable : "?:\\Windows\\System32\\mmc.exe" and endswith~(process.parent.args, ".msc") and
+not (
+process.parent.args : (
+"?:\\Windows\\System32\\*.msc",
+"?:\\Windows\\SysWOW64\\*.msc",
+"?:\\Program files\\*.msc",
+"?:\\Program Files (x86)\\*.msc"
+) or
+(
+process.executable : "?:\\Windows\\System32\\mmc.exe" and
+process.command_line : "\"C:\\WINDOWS\\system32\\mmc.exe\" \"C:\\Windows\\System32\\gpme.msc\" /s /gpobject:\"LDAP://*"
+) or
+(
+process.executable : (
+"?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
+"?:\\Program Files\\Mozilla Firefox\\firefox.exe",
+"?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
+"?:\\Program Files\\internet explorer\\iexplore.exe"
+) and
+process.args : "http*://go.microsoft.com/fwlink/*"
+) or
+process.executable : (
+"?:\\Windows\\System32\\vmconnect.exe",
+"?:\\Windows\\System32\\WerFault.exe",
+"?:\\Windows\\System32\\wermgr.exe"
+)
+)
 '''
 
 
From 32c8348072ab1629e2a164a3579d866b2682f234 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Fri, 12 Sep 2025 08:48:06 -0300
Subject: [PATCH 2/3] [Rule Tuning] Windows High Severity - 3

---
 ...scovery_host_public_ip_address_lookup.toml | 6 ++--
 rules/windows/execution_pdf_written_file.toml | 36 +++++++++----------
 ...on_powershell_susp_args_via_winscript.toml | 8 +++--
 ...ion_via_mmc_console_file_unusual_path.toml | 14 +++++---
 .../windows/impact_mod_critical_os_files.toml | 4 +--
 5 files changed, 38 insertions(+), 30 deletions(-)
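Review bot: The gpme.msc exclusion hard-codes the system drive (`\"C:\\WINDOWS\\system32\\mmc.exe\" \"C:\\Windows\\System32\\gpme.msc\"`) while every other path in this query, including the `process.executable` check on the line above it, uses the `?:` drive wildcard, so hosts with Windows installed on another drive keep alerting on the Group Policy Management Editor. Using the same wildcard keeps the carve-out consistent: `process.command_line : "\"?:\\WINDOWS\\system32\\mmc.exe\" \"?:\\Windows\\System32\\gpme.msc\" /s /gpobject:\"LDAP://*"`. The `eventvwr.msc`/`CompMgmt.msc` command-line exclusions added to execution_via_mmc_console_file_unusual_path.toml in PATCH 2/3 hard-code `C:` the same way. The three `process.executable` exclusions at the end are path-anchored, which is the right shape for this kind of exception.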
diff --git a/rules/windows/discovery_host_public_ip_address_lookup.toml b/rules/windows/discovery_host_public_ip_address_lookup.toml
index 8f23fa3e2ad..70ce393aac1 100644
--- a/rules/windows/discovery_host_public_ip_address_lookup.toml
+++ b/rules/windows/discovery_host_public_ip_address_lookup.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/08/20"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/05"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -72,7 +72,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-network where host.os.type == "windows" and dns.question.name != null and
+network where host.os.type == "windows" and dns.question.name != null and process.name != null and
 (
 process.name : ("MSBuild.exe", "mshta.exe", "wscript.exe", "powershell.exe", "pwsh.exe", "msiexec.exe", "rundll32.exe", "bitsadmin.exe", "InstallUtil.exe", "RegAsm.exe", "vbc.exe", "RegSvcs.exe", "python.exe", "regsvr32.exe", "dllhost.exe",
@@ -82,7 +82,7 @@ network where host.os.type == "windows" and dns.question.name != null and
 ?process.code_signature.subject_name : ("AutoIt Consulting Ltd", "OpenJS Foundation", "Python Software Foundation") or
-?process.executable : ("?:\\Users\\*.exe", "?:\\ProgramData\\*.exe", "?\\Device\\HarddiskVolume?\\Users\\*.exe", "?\\Device\\HarddiskVolume?\\ProgramData\\*.exe")
+?process.executable : ("?:\\Users\\*.exe", "?:\\ProgramData\\*.exe")
 ) and
 dns.question.name : (
diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml
index 5d19bbcc94d..4a3e9a7152d 100644
--- a/rules/windows/execution_pdf_written_file.toml
+++ b/rules/windows/execution_pdf_written_file.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/09/02"
-integration = ["endpoint", "windows"]
+integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
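Review bot: Dropping the two `\\Device\\HarddiskVolume` entries from `?process.executable` removes coverage for events in which the executable is reported as an NT device path instead of a drive letter, if any configured source reports paths that way. The likely defect in those entries was the leading `?`, which requires exactly one character before `\Device` and so cannot match a plain device path; the impact_mod_critical_os_files.toml hunk in this same commit fixes that prefix rather than removing the pattern. The same fix here would be `?process.executable : ("?:\\Users\\*.exe", "?:\\ProgramData\\*.exe", "\\Device\\HarddiskVolume*\\Users\\*.exe", "\\Device\\HarddiskVolume*\\ProgramData\\*.exe")`. The query continues outside the hunk on both sides.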
@@ -15,7 +15,6 @@ index = [
 "logs-endpoint.events.process-*",
 "logs-endpoint.events.file-*",
 "winlogbeat-*",
-"logs-windows.sysmon_operational-*",
 "endgame-*",
 ]
 interval = "60m"
@@ -69,9 +68,9 @@ This rule searches for executable files written by PDF reader software and execu
 - Consider improvements to the security awareness program.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
-risk_score = 73
+risk_score = 47
 rule_id = "1defdd62-cd8d-426e-a246-81a37751bb2b"
-severity = "high"
+severity = "medium"
 tags = [
 "Domain: Endpoint",
 "OS: Windows",
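Review bot: `"winlogbeat-*"` stays in `index` although this commit removes the `windows` integration, the `logs-windows.sysmon_operational-*` pattern and, in the next hunk, the Sysmon data-source tag; Sysmon events shipped by Winlogbeat land in that pattern, so the rule keeps evaluating them while no longer declaring the source. Either drop `"winlogbeat-*",` from the list or keep the Sysmon tag and integration, whichever reflects the intended coverage — I cannot tell from the hunk whether another source depends on that pattern. The `interval` and the rest of the `[rule]` table lie outside the hunk.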
@@ -80,25 +79,24 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
-"Data Source: Sysmon",
 ]
 type = "eql"
 
 query = '''
 sequence with maxspan=2h
-[file where host.os.type == "windows" and event.type != "deletion" and file.extension : "exe" and
-(process.name : "AcroRd32.exe" or
-process.name : "rdrcef.exe" or
-process.name : "FoxitPhantomPDF.exe" or
-process.name : "FoxitReader.exe") and
-not (file.name : "FoxitPhantomPDF.exe" or
-file.name : "FoxitPhantomPDFUpdater.exe" or
-file.name : "FoxitReader.exe" or
-file.name : "FoxitReaderUpdater.exe" or
-file.name : "AcroRd32.exe" or
-file.name : "rdrcef.exe")
-] by host.id, file.path
-[process where host.os.type == "windows" and event.type == "start"] by host.id, process.executable
+[file where host.os.type == "windows" and event.type != "deletion" and
+process.name : ("AcroRd32.exe", "rdrcef.exe", "FoxitPhantomPDF.exe", "FoxitReader.exe", "FoxitPDFEditor.exe") and
+(file.extension : "exe" or ?file.Ext.header_bytes : "4d5a*")] by host.id, file.path
+[process where host.os.type == "windows" and event.type == "start" and
+not (
+process.code_signature.subject_name in (
+"Adobe Inc.",
+"Adobe Systems, Incorporated",
+"FOXIT SOFTWARE INC.",
+"Foxit Software Incorporated"
+) and
+process.code_signature.trusted == true
+)] by host.id, process.executable
 '''
 
 
diff --git a/rules/windows/execution_powershell_susp_args_via_winscript.toml b/rules/windows/execution_powershell_susp_args_via_winscript.toml
index 1302cc1f319..41cd1eecb02 100644
--- a/rules/windows/execution_powershell_susp_args_via_winscript.toml
+++ b/rules/windows/execution_powershell_susp_args_via_winscript.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/09"
 integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
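Review bot: In the second sequence step, `process.code_signature.subject_name` and `process.code_signature.trusted` are referenced without the optional-field `?` prefix that the same query applies to `file.Ext.header_bytes` one step earlier. EQL can reject a query that names a field unmapped in an index it runs against unless the field is marked optional, and the rule's `index` list (previous hunk) spans several sources, so an index without a `process.code_signature` mapping would make the rule fail validation rather than simply skip the exclusion. Prefixing both references, `?process.code_signature.subject_name in (` and `?process.code_signature.trusted == true`, keeps the exclusion best-effort on sources that carry the fields. Note also that `in` is case-sensitive, so the listed subject names must match the certificate's exact casing.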
@@ -76,7 +76,11 @@ type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
-process.name : ("powershell.exe", "pwsh.exe", "cmd.exe") and
+process.command_line != null and
+(
+process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe", "cmd.exe") or
+?process.pe.original_file_name : ("powershell.exe", "pwsh.dll", "powershell_ise.exe", "Cmd.Exe")
+) and
 process.parent.name : ("wscript.exe", "mshta.exe")
 '''
 
diff --git a/rules/windows/execution_via_mmc_console_file_unusual_path.toml b/rules/windows/execution_via_mmc_console_file_unusual_path.toml
index 24ca28869bd..52678af5806 100644
--- a/rules/windows/execution_via_mmc_console_file_unusual_path.toml
+++ b/rules/windows/execution_via_mmc_console_file_unusual_path.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/19"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/28"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -60,9 +60,9 @@ Microsoft Management Console (MMC) is a Windows utility that provides a framewor
 - Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 references = ["https://www.elastic.co/security-labs/grimresource"]
-risk_score = 73
+risk_score = 47
 rule_id = "7e23dfef-da2c-4d64-b11d-5f285b638853"
-severity = "high"
+severity = "medium"
 tags = [
 "Domain: Endpoint",
 "OS: Windows",
@@ -93,7 +93,13 @@ process where host.os.type == "windows" and event.type == "start" and
 "?:\\Windows\\System32\\*.msc",
 "?:\\Windows\\SysWOW64\\*.msc",
 "?:\\Program files\\*.msc",
-"?:\\Program Files (x86)\\*.msc"
+"?:\\Program Files (x86)\\*.msc",
+"?:\\Windows\\ADFS\\Microsoft.IdentityServer.msc"
+) and
+not process.command_line : (
+"C:\\Windows\\system32\\mmc.exe eventvwr.msc /s",
+"mmc.exe eventvwr.msc /s",
+"\"C:\\Windows\\System32\\mmc.exe\" CompMgmt.msc*"
 )
 '''
 
diff --git a/rules/windows/impact_mod_critical_os_files.toml b/rules/windows/impact_mod_critical_os_files.toml
index bb89ced89b0..b8d92366336 100644
--- a/rules/windows/impact_mod_critical_os_files.toml
+++ b/rules/windows/impact_mod_critical_os_files.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/09/01"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/01"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ query = '''
 file where host.os.type == "windows" and event.type in ("change", "deletion") and
 file.name : ("winload.exe", "winlod.efi", "ntoskrnl.exe", "bootmgr") and
 file.path : ("?:\\Windows\\*", "\\Device\\HarddiskVolume*\\Windows\\*") and
-not process.executable : ("?:\\Windows\\System32\\poqexec.exe", "?\\Device\\HarddiskVolume*\\Windows\\System32\\poqexec.exe")
+not process.executable : ("?:\\Windows\\System32\\poqexec.exe", "\\Device\\HarddiskVolume*\\Windows\\System32\\poqexec.exe")
 '''
 
 
From 9e88589a54dd3cbdf5510883f62deca21b546673 Mon Sep 17 00:00:00 2001
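Review bot: The new `process.command_line` exclusions suppress on the bare console name (`"mmc.exe eventvwr.msc /s"`, `"\"C:\\Windows\\System32\\mmc.exe\" CompMgmt.msc*"`), unlike the `.msc` entries above them, which are anchored to System32/Program Files paths; a console of that name resolved from an unexpected directory, which is what this rule exists to surface, would be suppressed together with the benign launch. If the benign launches come from a fixed parent, constraining the carve-out with `process.parent.name` (or `process.working_directory`, where the source populates it) would keep it narrow. The `CompMgmt.msc*` entry also ends in a wildcard, so any trailing arguments are accepted. The enclosing `not (...)` list that these entries extend starts outside the hunk.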
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Fri, 12 Sep 2025 08:48:25 -0300
Subject: [PATCH 3/3] Revert "[Rule Tuning] Windows High Severity - 3"

This reverts commit 32c8348072ab1629e2a164a3579d866b2682f234.

---
 ...scovery_host_public_ip_address_lookup.toml | 6 ++--
 rules/windows/execution_pdf_written_file.toml | 36 ++++++++++---------
 ...on_powershell_susp_args_via_winscript.toml | 8 ++---
 ...ion_via_mmc_console_file_unusual_path.toml | 14 +++----
 .../windows/impact_mod_critical_os_files.toml | 4 +--
 5 files changed, 30 insertions(+), 38 deletions(-)

diff --git a/rules/windows/discovery_host_public_ip_address_lookup.toml b/rules/windows/discovery_host_public_ip_address_lookup.toml
index 70ce393aac1..8f23fa3e2ad 100644
--- a/rules/windows/discovery_host_public_ip_address_lookup.toml
+++ b/rules/windows/discovery_host_public_ip_address_lookup.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/08/20"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/11"
+updated_date = "2025/09/05"
 
 [rule]
 author = ["Elastic"]
@@ -72,7 +72,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-network where host.os.type == "windows" and dns.question.name != null and process.name != null and
+network where host.os.type == "windows" and dns.question.name != null and
 (
 process.name : ("MSBuild.exe", "mshta.exe", "wscript.exe", "powershell.exe", "pwsh.exe", "msiexec.exe", "rundll32.exe", "bitsadmin.exe", "InstallUtil.exe", "RegAsm.exe", "vbc.exe", "RegSvcs.exe", "python.exe", "regsvr32.exe", "dllhost.exe",
@@ -82,7 +82,7 @@ network where host.os.type == "windows" and dns.question.name != null and proces
 ?process.code_signature.subject_name : ("AutoIt Consulting Ltd", "OpenJS Foundation", "Python Software Foundation") or
-?process.executable : ("?:\\Users\\*.exe", "?:\\ProgramData\\*.exe")
+?process.executable : ("?:\\Users\\*.exe", "?:\\ProgramData\\*.exe", "?\\Device\\HarddiskVolume?\\Users\\*.exe", "?\\Device\\HarddiskVolume?\\ProgramData\\*.exe")
 ) and
 dns.question.name : (
diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml
index 4a3e9a7152d..5d19bbcc94d 100644
--- a/rules/windows/execution_pdf_written_file.toml
+++ b/rules/windows/execution_pdf_written_file.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/09/02"
-integration = ["endpoint"]
+integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/09/11"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -15,6 +15,7 @@ index = [
 "logs-endpoint.events.process-*",
 "logs-endpoint.events.file-*",
 "winlogbeat-*",
+"logs-windows.sysmon_operational-*",
 "endgame-*",
 ]
 interval = "60m"
@@ -68,9 +69,9 @@ This rule searches for executable files written by PDF reader software and execu
 - Consider improvements to the security awareness program.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
-risk_score = 47
+risk_score = 73
 rule_id = "1defdd62-cd8d-426e-a246-81a37751bb2b"
-severity = "medium"
+severity = "high"
 tags = [
 "Domain: Endpoint",
 "OS: Windows",
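Review bot: Reinstating `"?\\Device\\HarddiskVolume?\\Users\\*.exe"` and `"?\\Device\\HarddiskVolume?\\ProgramData\\*.exe"` brings back patterns whose leading `?` requires exactly one character before `\Device`, so they cannot match a plain NT device path; the same revert restores the `?\\Device\\HarddiskVolume*\\...\\poqexec.exe` form in impact_mod_critical_os_files.toml (last hunk of this patch), where the `file.path` pattern two lines above it already uses `\\Device\\HarddiskVolume*` without that prefix. If the revert is meant only to back out the severity and data-source changes, the device-path fix from PATCH 2/3 is worth keeping; otherwise a follow-up should apply `"\\Device\\HarddiskVolume*\\Users\\*.exe", "\\Device\\HarddiskVolume*\\ProgramData\\*.exe"` here and `"\\Device\\HarddiskVolume*\\Windows\\System32\\poqexec.exe"` there. The query continues outside the hunk on both sides.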
@@ -79,24 +80,25 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
+"Data Source: Sysmon",
 ]
 type = "eql"
 
 query = '''
 sequence with max  span=2h
-[file where host.os.type == "windows" and event.type != "deletion" and
-process.name : ("AcroRd32.exe", "rdrcef.exe", "FoxitPhantomPDF.exe", "FoxitReader.exe", "FoxitPDFEditor.exe") and
-(file.extension : "exe" or ?file.Ext.header_bytes : "4d5a*")] by host.id, file.path
-[process where host.os.type == "windows" and event.type == "start" and
-not (
-process.code_signature.subject_name in (
-"Adobe Inc.",
-"Adobe Systems, Incorporated",
-"FOXIT SOFTWARE INC.",
-"Foxit Software Incorporated"
-) and
-process.code_signature.trusted == true
-)] by host.id, process.executable
+[file where host.os.type == "windows" and event.type != "deletion" and file.extension : "exe" and
+(process.name : "AcroRd32.exe" or
+process.name : "rdrcef.exe" or
+process.name : "FoxitPhantomPDF.exe" or
+process.name : "FoxitReader.exe") and
+not (file.name : "FoxitPhantomPDF.exe" or
+file.name : "FoxitPhantomPDFUpdater.exe" or
+file.name : "FoxitReader.exe" or
+file.name : "FoxitReaderUpdater.exe" or
+file.name : "AcroRd32.exe" or
+file.name : "rdrcef.exe")
+] by host.id, file.path
+[process where host.os.type == "windows" and event.type == "start"] by host.id, process.executable
 '''
 
 
diff --git a/rules/windows/execution_powershell_susp_args_via_winscript.toml b/rules/windows/execution_powershell_susp_args_via_winscript.toml
index 41cd1eecb02..1302cc1f319 100644
--- a/rules/windows/execution_powershell_susp_args_via_winscript.toml
+++ b/rules/windows/execution_powershell_susp_args_via_winscript.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/09"
 integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/11"
+updated_date = "2025/08/26"
 
 [rule]
 author = ["Elastic"]
@@ -76,11 +76,7 @@ type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
-process.command_line != null and
-(
-process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe", "cmd.exe") or
-?process.pe.original_file_name : ("powershell.exe", "pwsh.dll", "powershell_ise.exe", "Cmd.Exe")
-) and
+process.name : ("powershell.exe", "pwsh.exe", "cmd.exe") and
 process.parent.name : ("wscript.exe", "mshta.exe")
 '''
 
diff --git a/rules/windows/execution_via_mmc_console_file_unusual_path.toml b/rules/windows/execution_via_mmc_console_file_unusual_path.toml
index 52678af5806..24ca28869bd 100644
--- a/rules/windows/execution_via_mmc_console_file_unusual_path.toml
+++ b/rules/windows/execution_via_mmc_console_file_unusual_path.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/19"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/11"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -60,9 +60,9 @@ Microsoft Management Console (MMC) is a Windows utility that provides a framewor
 - Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 references = ["https://www.elastic.co/security-labs/grimresource"]
-risk_score = 47
+risk_score = 73
 rule_id = "7e23dfef-da2c-4d64-b11d-5f285b638853"
-severity = "medium"
+severity = "high"
 tags = [
 "Domain: Endpoint",
 "OS: Windows",
@@ -93,13 +93,7 @@ process where host.os.type == "windows" and event.type == "start" and
 "?:\\Windows\\System32\\*.msc",
 "?:\\Windows\\SysWOW64\\*.msc",
 "?:\\Program files\\*.msc",
-"?:\\Program Files (x86)\\*.msc",
-"?:\\Windows\\ADFS\\Microsoft.IdentityServer.msc"
-) and
-not process.command_line : (
-"C:\\Windows\\system32\\mmc.exe eventvwr.msc /s",
-"mmc.exe eventvwr.msc /s",
-"\"C:\\Windows\\System32\\mmc.exe\" CompMgmt.msc*"
+"?:\\Program Files (x86)\\*.msc"
 )
 '''
 
diff --git a/rules/windows/impact_mod_critical_os_files.toml b/rules/windows/impact_mod_critical_os_files.toml
index b8d92366336..bb89ced89b0 100644
--- a/rules/windows/impact_mod_critical_os_files.toml
+++ b/rules/windows/impact_mod_critical_os_files.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/09/01"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/11"
+updated_date = "2025/09/01"
 
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ query = '''
 file where host.os.type == "windows" and event.type in ("change", "deletion") and
 file.name : ("winload.exe", "winlod.efi", "ntoskrnl.exe", "bootmgr") and
 file.path : ("?:\\Windows\\*", "\\Device\\HarddiskVolume*\\Windows\\*") and
-not process.executable : ("?:\\Windows\\System32\\poqexec.exe", "\\Device\\HarddiskVolume*\\Windows\\System32\\poqexec.exe")
+not process.executable : ("?:\\Windows\\System32\\poqexec.exe", "?\\Device\\HarddiskVolume*\\Windows\\System32\\poqexec.exe")
 '''
 
 