From 5a7b47f21cfd9e760bb86dbd2b200c036e96f75a Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Thu, 18 Sep 2025 13:41:06 -0300
Subject: [PATCH 1/2] [Rule Tuning] Mark some field optional for 3rd party compatibility
---
 rules/windows/command_and_control_dns_susp_tld.toml | 2 +-
 rules/windows/defense_evasion_regmod_remotemonologue.toml | 2 +-
 rules/windows/execution_windows_powershell_susp_args.toml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/command_and_control_dns_susp_tld.toml b/rules/windows/command_and_control_dns_susp_tld.toml
index 1bb232b8efb..f6a3dcbdabc 100644
--- a/rules/windows/command_and_control_dns_susp_tld.toml
+++ b/rules/windows/command_and_control_dns_susp_tld.toml
@@ -79,7 +79,7 @@ network where host.os.type == "windows" and dns.question.name != null and
 "java.exe", "javaw.exe", "*.pif", "*.com", "*.scr") or
 (?process.code_signature.trusted == false or ?process.code_signature.exists == false) or
 ?process.code_signature.subject_name : ("AutoIt Consulting Ltd", "OpenJS Foundation", "Python Software Foundation") or
- process.executable : ("?:\\Users\\*.exe", "?:\\ProgramData\\*.exe")
+ ?process.executable : ("?:\\Users\\*.exe", "?:\\ProgramData\\*.exe")
 ) and
 dns.question.name regex """.*\.(top|buzz|xyz|rest|ml|cf|gq|ga|onion|monster|cyou|quest|cc|bar|cfd|click|cam|surf|tk|shop|club|icu|pw|ws|online|fun|life|boats|store|hair|skin|motorcycles|christmas|lol|makeup|mom|bond|beauty|biz|live|work|zip|country|accountant|date|party|science|loan|win|men|faith|review|racing|download|host)"""
 '''
diff --git a/rules/windows/defense_evasion_regmod_remotemonologue.toml b/rules/windows/defense_evasion_regmod_remotemonologue.toml
index 47d0258a022..6bd9ca475be 100644
--- a/rules/windows/defense_evasion_regmod_remotemonologue.toml
+++ b/rules/windows/defense_evasion_regmod_remotemonologue.toml
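Review bot: The new `?process.executable` only matters on indices where that field is unmapped, and there the `?:\\Users\\*.exe` / `?:\\ProgramData\\*.exe` branch evaluates to null and can never contribute a match, so detection coverage of binaries launched from user profiles or ProgramData differs between endpoint/windows data and the sentinel_one_cloud_funnel and crowdstrike integrations this rule lists. Nothing in the rule records that asymmetry; a comment on the changed line, `/* optional: not every listed integration maps process.executable, so this branch only applies where the field exists */`, would keep the rationale next to the code rather than only in the commit message. The `process.name` list that the hunk's first context line closes starts outside the hunk; if it is not `?`-prefixed it remains a hard requirement on every source, which is presumably intended but worth confirming alongside this change.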
@@ -111,7 +111,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and
 "HKLM\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\VREGISTRY_*",
 "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\VREGISTRY_*"
 ) or
- (process.executable : "C:\\windows\\System32\\msiexec.exe" and user.id : "S-1-5-18")
+ (process.executable : "C:\\windows\\System32\\msiexec.exe" and ?user.id : "S-1-5-18")
 )
 '''
diff --git a/rules/windows/execution_windows_powershell_susp_args.toml b/rules/windows/execution_windows_powershell_susp_args.toml
index 19fd0e9f861..cfaf7b3b79c 100644
--- a/rules/windows/execution_windows_powershell_susp_args.toml
+++ b/rules/windows/execution_windows_powershell_susp_args.toml
@@ -85,7 +85,7 @@ process where host.os.type == "windows" and event.type == "start" and
 process.name : "powershell.exe" and
 not (
- user.id == "S-1-5-18" and
+ ?user.id == "S-1-5-18" and
 /* Don't apply the user.id exclusion to Sysmon for compatibility */
 not event.dataset : ("windows.sysmon_operational", "windows.sysmon")
 ) and
From 407da9d8cb59dc3566e24c89ba2efae9ea7cebb6 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Thu, 18 Sep 2025 13:46:19 -0300
Subject: [PATCH 2/2] bump
---
 rules/windows/command_and_control_dns_susp_tld.toml | 2 +-
 rules/windows/defense_evasion_regmod_remotemonologue.toml | 2 +-
 rules/windows/execution_windows_powershell_susp_args.toml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/command_and_control_dns_susp_tld.toml b/rules/windows/command_and_control_dns_susp_tld.toml
index f6a3dcbdabc..f4611ddfc9f 100644
--- a/rules/windows/command_and_control_dns_susp_tld.toml
+++ b/rules/windows/command_and_control_dns_susp_tld.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/08/20"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/05"
+updated_date = "2025/09/18"
 [rule]
 author = ["Elastic"]
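Review bot: With `?user.id` the msiexec carve-out changes meaning on sources that do not map `user.id`: the `and ?user.id : "S-1-5-18"` clause can no longer tell a SYSTEM-context `msiexec.exe` from one run by an ordinary user, so on those sources the exclusion covers either every msiexec registry write or none of them, depending on how EQL folds the null comparison inside the enclosing `not (...)`. Either outcome is a coverage change relative to endpoint data that the commit neither documents nor demonstrates; I would confirm that a non-SYSTEM msiexec write on an index without `user.id` still triggers the rule, and record the result in a query comment such as `/* ?user.id: unmapped on some 3rd-party sources, so this carve-out cannot be scoped to SYSTEM there */`. The `not (` that opens this exclusion block starts outside the hunk. The same question applies to the `?user.id == "S-1-5-18"` change in execution_windows_powershell_susp_args.toml in this patch.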
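Review bot: The comment directly below the changed line, `/* Don't apply the user.id exclusion to Sysmon for compatibility */`, explains the Sysmon carve-out but says nothing about why `user.id` is now optional, so that rationale exists only in the commit message; extending it to `/* user.id is optional because some 3rd-party sources do not map it. Don't apply the user.id exclusion to Sysmon for compatibility */` keeps both reasons with the code. As a matter of style, the same SID is compared with `==` here and with `:` in defense_evasion_regmod_remotemonologue.toml earlier in this patch; both are fine for an exact SID, but one form across the rules touched here would read more consistently. The query continues past `) and` outside the hunk.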
diff --git a/rules/windows/defense_evasion_regmod_remotemonologue.toml b/rules/windows/defense_evasion_regmod_remotemonologue.toml
index 6bd9ca475be..7aba4b1f611 100644
--- a/rules/windows/defense_evasion_regmod_remotemonologue.toml
+++ b/rules/windows/defense_evasion_regmod_remotemonologue.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
 maturity = "production"
-updated_date = "2025/08/08"
+updated_date = "2025/09/18"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_windows_powershell_susp_args.toml b/rules/windows/execution_windows_powershell_susp_args.toml
index cfaf7b3b79c..aadb6c929a0 100644
--- a/rules/windows/execution_windows_powershell_susp_args.toml
+++ b/rules/windows/execution_windows_powershell_susp_args.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/06"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/01"
+updated_date = "2025/09/18"
 [rule]
 author = ["Elastic"]