diff --git a/rules/windows/command_and_control_dns_susp_tld.toml b/rules/windows/command_and_control_dns_susp_tld.toml
index 1bb232b8efb..f4611ddfc9f 100644
--- a/rules/windows/command_and_control_dns_susp_tld.toml
+++ b/rules/windows/command_and_control_dns_susp_tld.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/08/20"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/05"
+updated_date = "2025/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -79,7 +79,7 @@ network where host.os.type == "windows" and dns.question.name != null and
 "java.exe", "javaw.exe", "*.pif", "*.com", "*.scr") or
 (?process.code_signature.trusted == false or ?process.code_signature.exists == false) or
 ?process.code_signature.subject_name : ("AutoIt Consulting Ltd", "OpenJS Foundation", "Python Software Foundation") or
- process.executable : ("?:\\Users\\*.exe", "?:\\ProgramData\\*.exe")
+ ?process.executable : ("?:\\Users\\*.exe", "?:\\ProgramData\\*.exe")
 ) and
 dns.question.name regex """.*\.(top|buzz|xyz|rest|ml|cf|gq|ga|onion|monster|cyou|quest|cc|bar|cfd|click|cam|surf|tk|shop|club|icu|pw|ws|online|fun|life|boats|store|hair|skin|motorcycles|christmas|lol|makeup|mom|bond|beauty|biz|live|work|zip|country|accountant|date|party|science|loan|win|men|faith|review|racing|download|host)"""
 '''
diff --git a/rules/windows/defense_evasion_regmod_remotemonologue.toml b/rules/windows/defense_evasion_regmod_remotemonologue.toml
index 47d0258a022..7aba4b1f611 100644
--- a/rules/windows/defense_evasion_regmod_remotemonologue.toml
+++ b/rules/windows/defense_evasion_regmod_remotemonologue.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
 maturity = "production"
-updated_date = "2025/08/08"
+updated_date = "2025/09/18"
 
 [rule]
 author = ["Elastic"]
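Review bot: The new `?process.executable` on the `+` line carries no comment saying why the field is optional, so a later editor may drop the `?` for tidiness and break query validation on any integration whose mapping lacks the field (the rule is declared for sentinel_one_cloud_funnel and crowdstrike, which is presumably the motivation). A one-line EQL comment above the clause would pin that down: `/* optional: process.executable is not mapped by every listed integration */`. For the record, with `?` an event missing the field evaluates this clause to null and simply falls through to the other `or` branches rather than matching, so the change does not widen the rule. The enclosing query starts before the hunk.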
@@ -111,7 +111,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and
 "HKLM\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\VREGISTRY_*",
 "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\VREGISTRY_*"
 ) or
- (process.executable : "C:\\windows\\System32\\msiexec.exe" and user.id : "S-1-5-18")
+ (process.executable : "C:\\windows\\System32\\msiexec.exe" and ?user.id : "S-1-5-18")
 )
 '''
 
diff --git a/rules/windows/execution_windows_powershell_susp_args.toml b/rules/windows/execution_windows_powershell_susp_args.toml
index 19fd0e9f861..aadb6c929a0 100644
--- a/rules/windows/execution_windows_powershell_susp_args.toml
+++ b/rules/windows/execution_windows_powershell_susp_args.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/06"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/01"
+updated_date = "2025/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -85,7 +85,7 @@ process where host.os.type == "windows" and event.type == "start" and
 process.name : "powershell.exe" and not (
- user.id == "S-1-5-18" and
+ ?user.id == "S-1-5-18" and
 /* Don't apply the user.id exclusion to Sysmon for compatibility */
 not event.dataset : ("windows.sysmon_operational", "windows.sysmon")
 ) and
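Review bot: The `+` line makes `user.id` optional but leaves `process.executable` in the same clause mandatory and still hard-codes the drive letter in `"C:\\windows\\System32\\msiexec.exe"`, so an integration that omits `process.executable` would still fail validation and a SYSTEM-run installer on a non-`C:` system drive is not excluded; the sibling DNS rule in this same commit already uses the `?:` drive wildcard. If the schema gap applies to both fields, the consistent form is `(?process.executable : "?:\\Windows\\System32\\msiexec.exe" and ?user.id : "S-1-5-18")` (the `:` operator is case-insensitive, so the path casing is cosmetic). The closing `)` before `'''` suggests this sits inside the rule's exclusion block, in which case a missing `user.id` makes the clause null and the exclusion simply does not apply, which is the safe direction. The enclosing query begins before the hunk.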