14 changes: 3 additions & 11 deletions rules/windows/collection_winrar_encryption.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/12/04"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/09/12"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -60,14 +60,6 @@ references = [
]
risk_score = 47
rule_id = "45d273fb-1dca-457d-9855-bcb302180c21"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
"Domain: Endpoint",
Expand All @@ -89,8 +81,8 @@ process where host.os.type == "windows" and event.type == "start" and
(
(
(
process.name:"rar.exe" or ?process.code_signature.subject_name == "win.rar GmbH" or
?process.pe.original_file_name == "Command line RAR"
process.name : ("rar.exe", "WinRAR.exe") or ?process.code_signature.subject_name == "win.rar GmbH" or
?process.pe.original_file_name == "WinRAR.exe"
) and
process.args == "a" and process.args : ("-hp*", "-p*", "/hp*", "/p*")
) or
Expand Up @@ -2,7 +2,7 @@
creation_date = "2021/11/22"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/09/12"

[rule]
author = ["Austin Songer"]
Expand Down Expand Up @@ -86,7 +86,7 @@ query = '''
process where host.os.type == "windows" and event.type == "start" and
(
process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")
?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")
Are these original names OS-version independent?

I don't think so, I've looked them up in telemetry, and these are the expected ones

) and
(
process.args : "*Clear-History*" or
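Review bot: On the new side the fallback arm `?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")` is an exact, case-sensitive comparison, while the `process.name :` arm beside it is case-insensitive, so the two arms of the `or` behave differently and the original-file-name arm — the one meant to catch a renamed binary — is the one that silently stops matching if the PE resource casing ever differs from the listed value. If the goal is simply to match the name regardless of casing, EQL's case-insensitive `in~` keeps the list readable without depending on it: `?process.pe.original_file_name in~ ("powershell.exe", "pwsh.dll", "powershell_ise.exe")`. The same pattern appears in the Clear-EventLog, Add-MpPreference/Set-MpPreference exclusion, Set-MpPreference disable, rules/windows/defense_evasion_disabling_windows_logs.toml, Set-NetFirewallProfile, w3wp/MSExchange and ScreenConnect.Service.exe sections of this commit. The enclosing query continues outside the hunk.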
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/02/18"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/09/12"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -88,7 +88,7 @@ process where host.os.type == "windows" and event.type == "start" and
(
(
process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")
?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")
) and
process.args : "Clear-EventLog"
)
Expand Up @@ -2,7 +2,7 @@
creation_date = "2021/07/20"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/09/12"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -100,7 +100,7 @@ type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
(process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")) and
(process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or ?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")) and
process.args : ("*Add-MpPreference*", "*Set-MpPreference*") and
process.args : ("*-Exclusion*")
'''
Expand Up @@ -2,7 +2,7 @@
creation_date = "2021/07/07"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/09/12"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -90,7 +90,7 @@ query = '''
process where host.os.type == "windows" and event.type == "start" and
(
process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")
?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")
) and
process.args : "Set-MpPreference" and process.args : ("-Disable*", "Disabled", "NeverSend", "-Exclusion*")
'''
4 changes: 2 additions & 2 deletions rules/windows/defense_evasion_disabling_windows_logs.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2021/05/06"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/09/12"

[rule]
author = ["Elastic", "Ivan Ninichuck", "Austin Songer"]
Expand Down Expand Up @@ -90,7 +90,7 @@ process where host.os.type == "windows" and event.type == "start" and
(
(
process.name : ("pwsh.exe", "powershell.exe", "powershell_ise.exe") or
?process.pe.original_file_name in ("pwsh.exe", "powershell.exe", "powershell_ise.exe")
?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")
) and
process.args : "Set-Service" and process.args: "EventLog" and process.args : "Disabled"
) or
Expand Up @@ -2,7 +2,7 @@
creation_date = "2021/10/15"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/09/12"

[rule]
author = ["Austin Songer"]
Expand Down Expand Up @@ -96,7 +96,7 @@ query = '''
process where host.os.type == "windows" and event.type == "start" and
(
process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")
?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")
) and
process.args : "*Set-NetFirewallProfile*" and
process.args : "*-Enabled*" and process.args : "*False*" and
Expand Up @@ -2,7 +2,7 @@
creation_date = "2021/03/08"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/09/12"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -85,8 +85,10 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
process.parent.name : "w3wp.exe" and process.parent.args : "MSExchange*AppPool" and
(process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or
?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe"))
(
(process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or
?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE"))
)
'''


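Review bot: The outer parentheses added on the new side — the `(` before the `process.name` disjunction and the matching `)` after it — wrap a single expression that is already parenthesised, so they add a nesting level without changing what the query matches; the hunk header's two extra new-side lines confirm these four lines are the new side. I'd either drop the extra pair or, if it is there to make room for further clauses, keep the disjunction on one line inside it: `(process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or ?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE"))`. The whole `query` string is within the hunk.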
Expand Up @@ -2,7 +2,7 @@
creation_date = "2024/03/26"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/09/12"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -86,7 +86,7 @@ query = '''
process where host.os.type == "windows" and event.type == "start" and
process.parent.name : "ScreenConnect.Service.exe" and
(process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "csc.exe") or
?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe"))
?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE"))
'''


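Review bot: The new original-file-name list `("Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")` still has no entry for `csc.exe`, although `csc.exe` is in the `process.name` list on the line above, so a renamed C# compiler launched under `ScreenConnect.Service.exe` is not covered by the fallback arm that the other binaries get. Since this commit is already re-checking these values against telemetry, I'd add the csc.exe original file name to the list (I'd expect it to be `csc.exe`, but confirm the exact casing the same way as the others). The whole `query` string is within the hunk.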