[Tuning] Lateral Movement Rules (#4736)

* Update lateral_movement_incoming_winrm_shell_execution.toml

* Update execution_suspicious_cmd_wmi.toml

* Update lateral_movement_incoming_wmi.toml

* Update lateral_movement_powershell_remoting_target.toml

* Update lateral_movement_incoming_wmi.toml

* Update execution_suspicious_cmd_wmi.toml

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

Author: Samirbous

rules/windows/execution_suspicious_cmd_wmi.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/05/20"
 
 [rule]
 author = ["Elastic"]
@@ -64,9 +64,9 @@ references = [
     "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
     "https://www.elastic.co/security-labs/operation-bleeding-bear",
 ]
-risk_score = 47
+risk_score = 73
 rule_id = "12f07955-1674-44f7-86b5-c35da0a6f41a"
-severity = "medium"
+severity = "high"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",
@@ -86,8 +86,9 @@ type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- process.parent.name : "WmiPrvSE.exe" and process.name : "cmd.exe" and
- process.args : "\\\\127.0.0.1\\*" and process.args : ("2>&1", "1>")
+ process.parent.name : "WmiPrvSE.exe" and process.name : "cmd.exe" and process.args : "/c" and process.args:"/Q" and 
+ process.args : "2>&1" and process.args: "1>"  and 
+ process.args : ("C:\\windows\\temp\\*.txt", "\\Windows\\Temp\\*", "-encodehex", "\\\\127.0.0.1\\C$\\Windows\\Temp\\*", "\\\\127.0.0.1\\ADMIN$\\__*.*")
 '''
 
 

rules/windows/lateral_movement_incoming_winrm_shell_execution.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/05/20"
 
 [rule]
 author = ["Elastic"]
@@ -78,7 +78,7 @@ type = "eql"
 query = '''
 sequence by host.id with maxspan=30s
    [network where host.os.type == "windows" and process.pid == 4 and network.direction : ("incoming", "ingress") and
-    destination.port in (5985, 5986) and network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"]
+    destination.port in (5985, 5986) and source.ip != "127.0.0.1" and source.ip != "::1"]
    [process where host.os.type == "windows" and
     event.type == "start" and process.parent.name : "winrshost.exe" and not process.executable : "?:\\Windows\\System32\\conhost.exe"]
 '''

rules/windows/lateral_movement_incoming_wmi.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/11/15"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/05/20"
 
 [rule]
 author = ["Elastic"]
@@ -69,13 +69,12 @@ tags = [
 type = "eql"
 
 query = '''
-sequence by host.id with maxspan = 2s
+sequence by host.id with maxspan = 20s
 
  /* Accepted Incoming RPC connection by Winmgmt service */
 
   [network where host.os.type == "windows" and process.name : "svchost.exe" and network.direction : ("incoming", "ingress") and
-   source.ip != "127.0.0.1" and source.ip != "::1" and source.port >= 49152 and destination.port >= 49152
-  ]
+   source.ip != "127.0.0.1" and source.ip != "::1" and destination.port == 135]
 
   /* Excluding Common FPs Nessus and SCCM */
 

rules/windows/lateral_movement_powershell_remoting_target.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/05/20"
 
 [rule]
 author = ["Elastic"]
@@ -82,7 +82,7 @@ type = "eql"
 query = '''
 sequence by host.id with maxspan = 30s
    [network where host.os.type == "windows" and network.direction : ("incoming", "ingress") and destination.port in (5985, 5986) and
-    network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"]
+    source.ip != "127.0.0.1" and source.ip != "::1"]
    [process where host.os.type == "windows" and
     event.type == "start" and process.parent.name : "wsmprovhost.exe" and not process.executable : "?:\\Windows\\System32\\conhost.exe"]
 '''