Expand Up @@ -2,14 +2,14 @@
creation_date = "2021/07/07"
integration = ["endpoint", "windows", "m365_defender", "crowdstrike"]
maturity = "production"
updated_date = "2025/09/01"
updated_date = "2025/09/11"

[rule]
author = ["Elastic", "Dennis Perto"]
description = """
Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being
renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via
side-loading a malicious DLL within the memory space of one of those processes.
Identifies suspicious execution of the Microsoft Antimalware Service Executable (MsMpEng.exe) from non-standard paths or
renamed instances. This may indicate an attempt to evade defenses through DLL side-loading or by masquerading as the
antimalware process.
"""
false_positives = ["Microsoft Antimalware Service Executable installed on non default installation path."]
from = "now-9m"
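Review bot: the `false_positives` entry on the unchanged line above still covers only the non-default installation path, while the rewritten description now also names renamed instances and masquerading as the antimalware process; either add the renamed/masquerading case to `false_positives` or state that a renamed `MsMpEng.exe` is never expected in the environment, so the triage reader knows how to treat that branch of the rule.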
Expand All @@ -23,13 +23,13 @@ index = [
]
language = "eql"
license = "Elastic License v2"
name = "Potential DLL Side-Loading via Microsoft Antimalware Service Executable"
name = "Suspicious Microsoft Antimalware Service Execution"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential DLL Side-Loading via Microsoft Antimalware Service Executable
### Investigating Suspicious Microsoft Antimalware Service Execution

The Microsoft Antimalware Service Executable, a core component of Windows Defender, is crucial for real-time protection against malware. Adversaries exploit its trust by renaming it or executing it from non-standard paths to load malicious DLLs, bypassing security measures. The detection rule identifies such anomalies by monitoring process names and paths, flagging deviations from expected behavior to uncover potential threats.

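Review bot: the investigation-guide heading was renamed to match the new rule name, but the paragraph under it still frames the activity only as renaming or relocating the binary to load malicious DLLs, whereas the new description also covers masquerading as the antimalware process; suggest adding one sentence to the "Investigating" paragraph on the masquerading case so the triage guidance matches the rule's stated scope.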
3 changes: 1 addition & 2 deletions rules/windows/defense_evasion_iis_httplogging_disabled.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/04/14"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/09/11"

[rule]
author = ["Elastic"]
Expand All @@ -24,7 +24,6 @@ index = [
]
language = "eql"
license = "Elastic License v2"
max_signals = 33
Contributor Author:
This one has ~100 hits last 90d, shouldn't need max_signals

name = "IIS HTTP Logging Disabled"
note = """## Triage and analysis

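Review bot: dropping `max_signals = 33` makes the rule fall back to the platform default of 100 alerts per run, which is consistent with the author's stated volume of roughly 100 hits over 90 days, so the explicit cap was never binding; it would help future readers to record that reasoning in the commit message or PR description, since the only trace of it here is the inline comment.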
5 changes: 2 additions & 3 deletions rules/windows/defense_evasion_proxy_execution_via_msdt.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2022/05/31"
integration = ["endpoint", "windows", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/08/26"
updated_date = "2025/09/11"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -85,8 +85,7 @@ query = '''
process where host.os.type == "windows" and event.type == "start" and
(?process.pe.original_file_name == "msdt.exe" or process.name : "msdt.exe") and
(
process.args : ("IT_RebrowseForFile=*", "ms-msdt:/id", "ms-msdt:-id", "*FromBase64*") or

process.args : ("IT_RebrowseForFile=*", "*FromBase64*", "*/../../../*", "*PCWDiagnostic*") or
(
process.args : "-af" and process.args : "/skip" and
process.parent.name : ("explorer.exe", "cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe") and
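Review bot: the rewritten `process.args` list drops the two `ms-msdt:` URI patterns while adding `*/../../../*` and `*PCWDiagnostic*`, which narrows coverage of the protocol-handler invocation form without an explanation in this hunk; if the `ms-msdt:` patterns were removed for noise, say so in the PR description, and confirm that the retained `-af` / `/skip` branch with the parent-name list still catches the cases those patterns were meant to cover.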
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/08/19"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/09/11"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -79,7 +79,7 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
process.parent.pid == 4 and process.executable : "?*" and
not process.executable : ("Registry", "MemCompression", "?:\\Windows\\System32\\smss.exe")
not process.executable : ("Registry", "MemCompression", "?:\\Windows\\System32\\smss.exe", "HotPatch")
'''


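Review bot: `HotPatch` is added as a bare image name alongside `Registry` and `MemCompression`, so the exclusion relies on the sensor populating `process.executable` with exactly that token (no path) for this kernel-created child of PID 4; please confirm against a real event that the field value is `HotPatch` and not a full path, and cite the source in the PR, since the `:` operator is case-insensitive but not a substring match and a mismatch would leave the exclusion dead.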
31 changes: 28 additions & 3 deletions rules/windows/execution_initial_access_via_msc_file.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2024/05/12"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/09/11"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -68,8 +68,33 @@ type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
process.parent.executable : "?:\\Windows\\System32\\mmc.exe" and endswith~(process.parent.args, ".msc") and
not process.parent.args : ("?:\\Windows\\System32\\*.msc", "?:\\Windows\\SysWOW64\\*.msc", "?:\\Program files\\*.msc", "?:\\Program Files (x86)\\*.msc")
process.parent.executable : "?:\\Windows\\System32\\mmc.exe" and endswith~(process.parent.args, ".msc") and
not (
process.parent.args : (
"?:\\Windows\\System32\\*.msc",
"?:\\Windows\\SysWOW64\\*.msc",
"?:\\Program files\\*.msc",
"?:\\Program Files (x86)\\*.msc"
) or
(
process.executable : "?:\\Windows\\System32\\mmc.exe" and
process.command_line : "\"C:\\WINDOWS\\system32\\mmc.exe\" \"C:\\Windows\\System32\\gpme.msc\" /s /gpobject:\"LDAP://*"
) or
(
process.executable : (
"?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
"?:\\Program Files\\Mozilla Firefox\\firefox.exe",
"?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Program Files\\internet explorer\\iexplore.exe"
) and
process.args : "http*://go.microsoft.com/fwlink/*"
) or
process.executable : (
"?:\\Windows\\System32\\vmconnect.exe",
"?:\\Windows\\System32\\WerFault.exe",
"?:\\Windows\\System32\\wermgr.exe"
)
)
'''


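Review bot: the `gpme.msc` exclusion hard-codes `C:` in `process.command_line` (`"\"C:\\WINDOWS\\system32\\mmc.exe\" \"C:\\Windows\\System32\\gpme.msc\" /s /gpobject:\"LDAP://*"`) while every other path in the rule uses the `?:` drive wildcard, so the Group Policy Management Editor will still alert on hosts with a non-default system drive; suggest switching both occurrences to `?:` for consistency. The final branch excludes `vmconnect.exe`, `WerFault.exe` and `wermgr.exe` children regardless of which `.msc` the parent loaded, which is a deliberate widening that deserves a one-line justification in the rule's note or the PR description.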