From 1338f4a28ecf18d7e375f38280f87ec2e033f18e Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Fri, 12 Sep 2025 15:03:13 -0300
Subject: [PATCH 1/2] [Rule Tuning] Fix process.pe.original_file_name Conditions
---
 rules/windows/collection_winrar_encryption.toml | 14 +++----------
 ...l_access_copy_ntds_sam_volshadowcp_cmdline.toml | 10 +++++++---
 ...e_evasion_clearing_windows_console_history.toml | 4 ++--
 ...efense_evasion_clearing_windows_event_logs.toml | 4 ++--
 ..._evasion_defender_exclusion_via_powershell.toml | 4 ++--
 ...sion_disabling_windows_defender_powershell.toml | 4 ++--
 .../defense_evasion_disabling_windows_logs.toml | 4 ++--
 ...asion_powershell_windows_firewall_disabled.toml | 4 ++--
 ...uspicious_ms_exchange_worker_child_process.toml | 8 +++++---
 ...itial_access_webshell_screenconnect_server.toml | 4 ++--
 10 files changed, 29 insertions(+), 31 deletions(-)
diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml
index 0cbdbc6a134..5c69812f65b 100644
--- a/rules/windows/collection_winrar_encryption.toml
+++ b/rules/windows/collection_winrar_encryption.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 [rule]
 author = ["Elastic"]
@@ -60,14 +60,6 @@ references = [
 ]
 risk_score = 47
 rule_id = "45d273fb-1dca-457d-9855-bcb302180c21"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
 tags = [
 "Domain: Endpoint",
@@ -89,8 +81,8 @@ process where host.os.type == "windows" and event.type == "start" and
 (
 (
 (
- process.name:"rar.exe" or ?process.code_signature.subject_name == "win.rar GmbH" or
- ?process.pe.original_file_name == "Command line RAR"
+ process.name : ("rar.exe", "WinRAR.exe") or ?process.code_signature.subject_name == "win.rar GmbH" or
+ ?process.pe.original_file_name == "WinRAR.exe"
 ) and process.args == "a" and process.args : ("-hp*", "-p*", "/hp*", "/p*")
 ) or
diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
index 5057638d046..fd0b363effa 100644
--- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
+++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 [transform]
 [[transform.osquery]]
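Review bot: On the `+ ?process.pe.original_file_name == "WinRAR.exe"` line the value previously used for the command-line tool is replaced rather than extended, so a renamed or unsigned copy of `rar.exe` is no longer caught by the PE-name branch, even though the `process.name` list on the line above was widened to cover both binaries. If `"Command line RAR"` was simply wrong (it reads like a FileDescription rather than an OriginalFilename), verify `rar.exe`'s OriginalFilename from its version resource and list both values, e.g. `?process.pe.original_file_name in ("WinRAR.exe", "<rar.exe OriginalFilename — verify>")`. Note that `==` and `in` are exact, case-sensitive comparisons in EQL while `:` is case-insensitive, so whatever value is added must carry the binary's exact casing. The enclosing query starts and ends outside the hunk.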
@@ -137,8 +137,12 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and (
- ((?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE") or process.name : ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE")) and
- process.args : ("copy", "xcopy", "Copy-Item", "move", "cp", "mv")
+ (
+ (
+ ?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE", "pwsh.dll") or
+ process.name : ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE", "pwsh.exe")
+ ) and
+ process.args : ("copy", "xcopy", "Copy-Item", "move", "cp", "mv")
 ) or
 ((?process.pe.original_file_name : "esentutl.exe" or process.name : "esentutl.exe") and process.args : ("*/y*", "*/vss*", "*/d*"))
 ) and
diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml
index 79cee43c602..f6901a2a127 100644
--- a/rules/windows/defense_evasion_clearing_windows_console_history.toml
+++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/11/22"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 [rule]
 author = ["Austin Songer"]
@@ -86,7 +86,7 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and
 (
 process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
- ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")
+ ?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")
 ) and
 (
 process.args : "*Clear-History*" or
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
index 35eb79556b9..c2f04f5a873 100644
--- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml
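Review bot: The rewritten `+ ?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")` line is an exact, case-sensitive `in` match, so the rule now relies on every listed integration (endpoint, windows, system, m365_defender, sentinel_one_cloud_funnel, crowdstrike) preserving the PE resource's casing; a source that lowercases this field would silently stop matching the branch, with no error to notice. If that normalization cannot be ruled out for all sources, the case-insensitive `in~` (or `:` with the same list) keeps the intended fix without the fragility; the same applies to the identical lines in defense_evasion_clearing_windows_event_logs.toml, defense_evasion_defender_exclusion_via_powershell.toml, defense_evasion_disabling_windows_defender_powershell.toml, defense_evasion_disabling_windows_logs.toml and defense_evasion_powershell_windows_firewall_disabled.toml, and to the PowerShell and cmd entries in the Exchange and ScreenConnect rules. Whichever is chosen, a short EQL comment beside the list (if the rule toolchain accepts one), such as `// exact PE OriginalFilename casing: in is case-sensitive`, would stop a later tuning from "fixing" these values back to lowercase. The enclosing query continues outside the hunk.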
+++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 [rule]
 author = ["Elastic"]
@@ -88,7 +88,7 @@ process where host.os.type == "windows" and event.type == "start" and
 (
 (
 process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
- ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")
+ ?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")
 ) and
 process.args : "Clear-EventLog"
 )
diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
index 6f3582fccc9..0666acac376 100644
--- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
+++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/20"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 [rule]
 author = ["Elastic"]
@@ -100,7 +100,7 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")) and
+ (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or ?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")) and
 process.args : ("*Add-MpPreference*", "*Set-MpPreference*") and
 process.args : ("*-Exclusion*")
 '''
diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
index 01560dd1aeb..5d0fb532865 100644
--- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
+++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/07"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 [rule]
 author = ["Elastic"]
@@ -90,7 +90,7 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and
 (
 process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
- ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")
+ ?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")
 ) and process.args : "Set-MpPreference" and process.args : ("-Disable*", "Disabled", "NeverSend", "-Exclusion*")
 '''
diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml
index 73fa5e6be83..8a2c924a761 100644
--- a/rules/windows/defense_evasion_disabling_windows_logs.toml
+++ b/rules/windows/defense_evasion_disabling_windows_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/06"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 [rule]
 author = ["Elastic", "Ivan Ninichuck", "Austin Songer"]
@@ -90,7 +90,7 @@ process where host.os.type == "windows" and event.type == "start" and
 (
 (
 process.name : ("pwsh.exe", "powershell.exe", "powershell_ise.exe") or
- ?process.pe.original_file_name in ("pwsh.exe", "powershell.exe", "powershell_ise.exe")
+ ?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")
 ) and process.args : "Set-Service" and process.args: "EventLog" and process.args : "Disabled"
 ) or
diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
index 583d589cba8..772ec9c6030 100644
--- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
+++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/15"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 [rule]
 author = ["Austin Songer"]
@@ -96,7 +96,7 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and
 (
 process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
- ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")
+ ?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")
 ) and process.args : "*Set-NetFirewallProfile*" and process.args : "*-Enabled*" and process.args : "*False*" and
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
index e28f18a8063..28e435a3737 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/03/08"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 [rule]
 author = ["Elastic"]
@@ -85,8 +85,10 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and process.parent.name : "w3wp.exe" and process.parent.args : "MSExchange*AppPool" and
- (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or
- ?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe"))
+ (
+ (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or
+ ?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE"))
+ )
 '''
diff --git a/rules/windows/initial_access_webshell_screenconnect_server.toml b/rules/windows/initial_access_webshell_screenconnect_server.toml
index 0c62157581f..fbe76f594f5 100644
--- a/rules/windows/initial_access_webshell_screenconnect_server.toml
+++ b/rules/windows/initial_access_webshell_screenconnect_server.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/03/26"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 [rule]
 author = ["Elastic"]
@@ -86,7 +86,7 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and process.parent.name : "ScreenConnect.Service.exe" and
 (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "csc.exe") or
- ?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe"))
+ ?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE"))
 '''
From b43f056066afada6a8f8db2ed861095343ee554d Mon Sep 17 00:00:00 2001
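Review bot: The added `+ (` and `+ )` lines in the Exchange worker hunk wrap a single expression that is already parenthesized, so the extra nesting changes nothing about what the query matches and only widens the diff. The hunk could keep the original two-line shape and change just the list values: `(process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or` followed by `?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE"))`. That also matches how the same change is written for initial_access_webshell_screenconnect_server.toml in this commit. The enclosing query starts outside the hunk.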
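Review bot: In the ScreenConnect hunk the `process.name` context line includes `"csc.exe"` but the rewritten `+ ?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE"))` list has no counterpart for it, so the PE-name fallback this commit is correcting still leaves a renamed C# compiler under ScreenConnect.Service.exe uncovered. While the list is being fixed, consider adding csc.exe's OriginalFilename, taken from the binary's version resource and cased exactly since `in` is case-sensitive, e.g. `?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE", "<csc.exe OriginalFilename — verify>"))`. The enclosing query starts outside the hunk.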
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Fri, 12 Sep 2025 15:04:49 -0300
Subject: [PATCH 2/2] --
---
 ...ntial_access_copy_ntds_sam_volshadowcp_cmdline.toml | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
index fd0b363effa..5057638d046 100644
--- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
+++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/12"
+updated_date = "2025/03/20"
 [transform]
 [[transform.osquery]]
@@ -137,12 +137,8 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and (
- (
- (
- ?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE", "pwsh.dll") or
- process.name : ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE", "pwsh.exe")
- ) and
- process.args : ("copy", "xcopy", "Copy-Item", "move", "cp", "mv")
+ ((?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE") or process.name : ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE")) and
+ process.args : ("copy", "xcopy", "Copy-Item", "move", "cp", "mv")
 ) or
 ((?process.pe.original_file_name : "esentutl.exe" or process.name : "esentutl.exe") and process.args : ("*/y*", "*/vss*", "*/d*"))
 ) and
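Review bot: This hunk is an exact reversal of the first commit's change to the same file (the index line goes back from fd0b363effa to 5057638d046 and `updated_date` returns to `2025/03/20`), so after the series this rule matches neither `"pwsh.dll"` in `?process.pe.original_file_name` nor `"pwsh.exe"` in `process.name`, while every other PowerShell rule touched in the series gained that coverage. If dropping pwsh here is deliberate, the commit message (`--`) should say why, since a reader of the first commit alone will expect the addition to stand; if it is not, the second commit should be dropped rather than kept as a silent revert. Either way the two commits net to no change for this file, which is worth making visible in the PR description. The enclosing query continues outside the hunk.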