|
2 | 2 | creation_date = "2020/09/03" |
3 | 3 | integration = ["endpoint", "windows", "m365_defender"] |
4 | 4 | maturity = "production" |
5 | | -updated_date = "2025/01/15" |
| 5 | +updated_date = "2025/03/12" |
6 | 6 | min_stack_version = "8.14.0" |
7 | 7 | min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." |
8 | 8 |
|
@@ -46,15 +46,16 @@ type = "eql" |
46 | 46 |
|
47 | 47 | query = ''' |
48 | 48 | process where host.os.type == "windows" and event.type == "start" and |
49 | | - process.pe.original_file_name in ("WinWord.exe", "EXPLORER.EXE", "w3wp.exe", "DISM.EXE") and |
50 | | - not (process.name : ("winword.exe", "explorer.exe", "w3wp.exe", "Dism.exe") or |
51 | | - process.executable : ("?:\\Windows\\explorer.exe", |
52 | | - "?:\\Program Files\\Microsoft Office\\root\\Office*\\WINWORD.EXE", |
53 | | - "?:\\Program Files?(x86)\\Microsoft Office\\root\\Office*\\WINWORD.EXE", |
54 | | - "?:\\Windows\\System32\\Dism.exe", |
55 | | - "?:\\Windows\\SysWOW64\\Dism.exe", |
56 | | - "?:\\Windows\\System32\\inetsrv\\w3wp.exe") |
57 | | - ) |
| 49 | + process.pe.original_file_name in ("WinWord.exe", "EXPLORER.EXE", "w3wp.exe", "DISM.EXE") and |
| 50 | + not process.executable : ("?:\\Windows\\explorer.exe", |
| 51 | + "?:\\Windows\\SyWOW64\\explorer.exe", |
| 52 | + "?:\\Program Files\\Microsoft Office\\root\\Office*\\WINWORD.EXE", |
| 53 | + "?:\\Program Files?(x86)\\Microsoft Office\\root\\Office*\\WINWORD.EXE", |
| 54 | + "?:\\Windows\\System32\\Dism.exe", |
| 55 | + "?:\\Windows\\SysWOW64\\Dism.exe", |
| 56 | + "?:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\amd64\\DISM\\dism.exe", |
| 57 | + "?:\\Windows\\System32\\inetsrv\\w3wp.exe", |
| 58 | + "?:\\Windows\\SysWOW64\\inetsrv\\w3wp.exe") |
58 | 59 | ''' |
59 | 60 | note = """## Triage and analysis |
60 | 61 |
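Review bot: The new allowlist entry `"?:\\Windows\\SyWOW64\\explorer.exe"` (new-side line 51) misspells the `SysWOW64` directory, so it can never match a real 32-bit explorer.exe path and that process will keep alerting under this rule; the line should read `"?:\\Windows\\SysWOW64\\explorer.exe",`. The hunk also mixes two spellings of the same path segment, `Program Files?(x86)` on the Office lines and `Program Files (x86)` on the new DISM line; both match in EQL, but one form would keep the allowlist consistent and greppable. Since the `process.name` clause is dropped, a mismatched original_file_name is now judged solely by the executable path allowlist, and a short note in the rule's `note` section stating that would help triage of any resulting false positives.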