Update windows rule from main

Author: shashank-elastic

rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml

@@ -2,9 +2,7 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [transform]
 [[transform.osquery]]

rules/windows/credential_access_iis_connectionstrings_dumping.toml

@@ -2,9 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
@@ -29,35 +27,6 @@ language = "eql"
 license = "Elastic License v2"
 max_signals = 33
 name = "Microsoft IIS Connection Strings Decryption"
-references = [
-    "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/",
-    "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia",
-]
-risk_score = 73
-rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec"
-severity = "high"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Credential Access",
-    "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend",
-    "Data Source: Windows Security Event Logs",
-    "Data Source: Microsoft Defender for Endpoint",
-    "Data Source: Sysmon",
-    "Data Source: SentinelOne",
-    "Data Source: Crowdstrike",
-    "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
-  (process.name : "aspnet_regiis.exe" or ?process.pe.original_file_name == "aspnet_regiis.exe") and
-  process.args : "connectionStrings" and process.args : "-pdf"
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -93,6 +62,35 @@ Microsoft IIS often stores sensitive connection strings in encrypted form to sec
 - Restore the IIS server from a known good backup taken before the compromise, ensuring that any webshells or malicious scripts are removed.
 - Implement enhanced monitoring and alerting for any future unauthorized use of aspnet_regiis.exe, focusing on the specific arguments used in the detection query.
 - Escalate the incident to the security operations center (SOC) or relevant incident response team for further investigation and to assess the broader impact on the organization."""
+references = [
+    "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/",
+    "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia",
+]
+risk_score = 73
+rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec"
+severity = "high"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+    "Data Source: Windows Security Event Logs",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+  (process.name : "aspnet_regiis.exe" or ?process.pe.original_file_name == "aspnet_regiis.exe") and
+  process.args : "connectionStrings" and process.args : "-pdf"
+'''
 
 
 [[rule.threat]]

rules/windows/defense_evasion_iis_httplogging_disabled.toml

@@ -2,9 +2,7 @@
 creation_date = "2020/04/14"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]