[Rule Tuning] Windows High Severity - 1 (#5092)

* [Rule Tuning] Windows High Severity - 1

* Update command_and_control_headless_browser.toml

* Update defense_evasion_execution_suspicious_explorer_winword.toml

* Update command_and_control_outlook_home_page.toml

(cherry picked from commit 7910f46)

Author: w0rk3r

rules/windows/command_and_control_headless_browser.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/05/10"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -73,12 +73,17 @@ type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- process.name : ("chrome.exe", "msedge.exe", "brave.exe", "browser.exe", "dragon.exe", "vivaldi.exe") and
-  (process.args : "--headless*" or process.args : "data:text/html;base64,*") and
+  process.name : ("chrome.exe", "msedge.exe", "brave.exe", "browser.exe", "dragon.exe", "vivaldi.exe") and
+  process.args : "--headless*" and
+  process.args : ("--disable-gpu", "--dump-dom", "*http*", "data:text/html;base64,*") and
   process.parent.name :
      ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "conhost.exe", "msiexec.exe",
       "explorer.exe", "rundll32.exe", "winword.exe", "excel.exe", "onenote.exe", "hh.exe", "powerpnt.exe", "forfiles.exe",
-      "pcalua.exe", "wmiprvse.exe")
+      "pcalua.exe", "wmiprvse.exe") and
+  not process.executable : (
+        "?:\\inetpub\\wwwroot\\*\\ext\\modules\\html2pdf\\bin\\chrome\\*\\chrome-win64\\chrome.exe",
+        "\\Device\\HarddiskVolume*\\inetpub\\wwwroot\\*\\ext\\modules\\html2pdf\\bin\\chrome\\*\\chrome-win64\\chrome.exe"
+  )
 '''
 
 

rules/windows/command_and_control_outlook_home_page.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/08/01"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -86,7 +86,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and regi
     registry.path : (
         "*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\*",
         "*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Today\\*"
-    ) and registry.data.strings : ("*://*", "*http*")
+    ) and registry.data.strings : ("*://*", "*:\\*")
 '''
 
 

rules/windows/credential_access_cmdline_dump_tool.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -97,7 +97,7 @@ process where host.os.type == "windows" and event.type == "start" and
   ) or
   (
     (?process.pe.original_file_name : "RUNDLL32.EXE" or process.name : "RUNDLL32.exe") and
-      (process.args : "MiniDump*" or process.command_line : "*comsvcs.dll*#24*")
+      (process.args : "*MiniDump*" or process.command_line : "*comsvcs*#*24*")
   ) or
   (
     (?process.pe.original_file_name : "RdrLeakDiag.exe" or process.name : "RdrLeakDiag.exe") and
@@ -111,7 +111,7 @@ process where host.os.type == "windows" and event.type == "start" and
       process.args : "-dumpFull" and process.args : "-attach") or
   (
     (?process.pe.original_file_name : "ntdsutil.exe" or process.name : "ntdsutil.exe") and
-      process.args : "create*full*") or
+      process.args : "cr*fu*") or
   (
     (?process.pe.original_file_name : "diskshadow.exe" or process.name : "diskshadow.exe") and process.args : "/s")
 )

rules/windows/credential_access_mod_wdigest_security_provider.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -74,14 +74,6 @@ references = [
 ]
 risk_score = 73
 rule_id = "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "high"
 tags = [
     "Domain: Endpoint",
@@ -98,11 +90,10 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-registry where host.os.type == "windows" and event.type == "creation" and
-    registry.path : (
-        "HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential",
-        "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential"
-    ) and registry.data.strings : ("1", "0x00000001") and
+registry where host.os.type == "windows" and event.type in ("creation", "change") and
+    registry.value : "UseLogonCredential" and
+    registry.path : "*\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential" and
+    registry.data.strings : ("1", "0x00000001") and
     not (process.executable : "?:\\Windows\\System32\\svchost.exe" and user.id : "S-1-5-18")
 '''
 

rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/09/03"
-integration = ["endpoint", "windows", "m365_defender", "crowdstrike"]
+integration = ["endpoint", "windows", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/09/01"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ index = [
     "endgame-*",
     "logs-m365_defender.event-*",
     "logs-crowdstrike.fdr*",
+    "logs-sentinel_one_cloud_funnel.*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -58,9 +59,9 @@ DLL side-loading exploits the DLL search order to load malicious code into trust
 - Update and patch all software on the affected system, focusing on the trusted Microsoft programs identified in the alert, to mitigate vulnerabilities exploited by DLL side-loading.
 - Monitor the network for any signs of lateral movement or additional compromised systems, using the indicators of compromise identified during the investigation.
 - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems or data have been affected."""
-risk_score = 73
+risk_score = 47
 rule_id = "1160dcdb-0a0a-4a79-91d8-9b84616edebd"
-severity = "high"
+severity = "medium"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",
@@ -73,35 +74,47 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Resources: Investigation Guide",
     "Data Source: Crowdstrike",
+    "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
-  process.pe.original_file_name in ("WinWord.exe", "EXPLORER.EXE", "w3wp.exe", "DISM.EXE") and 
-  not process.executable : ("?:\\Windows\\explorer.exe", 
-                            "?:\\Windows\\SysWOW64\\explorer.exe",
-                            "?:\\Program Files\\Microsoft Office\\root\\Office*\\WINWORD.EXE", 
-                            "?:\\Program Files (x86)\\Microsoft Office\\root\\Office*\\WINWORD.EXE", 
-                            "?:\\Windows\\System32\\Dism.exe", 
-                            "?:\\Windows\\SysWOW64\\Dism.exe",  
-                            "?:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\amd64\\DISM\\dism.exe",
-                            "?:\\Windows\\System32\\inetsrv\\w3wp.exe", 
-                            "?:\\Windows\\SysWOW64\\inetsrv\\w3wp.exe") and
+  (
+    process.name : ("WinWord.exe", "EXPLORER.EXE", "w3wp.exe", "DISM.EXE") or
+    ?process.pe.original_file_name : ("WinWord.exe", "EXPLORER.EXE", "w3wp.exe", "DISM.EXE")
+  ) and
+  not process.executable : (
+          "\\\\?\\Volume{????????-????-????-????-????????????}\\Windows\\System32\\inetsrv\\w3wp.exe",
+          "?:\\PROGRA~?\\MICROS~?\\Office??\\winword.exe",
+          "?:\\Program Files\\Microsoft Office\\*\\winword.exe",
+          "?:\\Program Files\\Microsoft Office ??\\*\\winword.exe",
+          "?:\\Program Files\\WindowsApps\\Microsoft.Office.Desktop.*\\Office??\\winword.exe",
+          "?:\\Program Files (x86)\\Microsoft Office\\*\\winword.exe",
+          "?:\\Program Files (x86)\\Windows Kits\\*Assessment and Deployment Kit\\Deployment Tools\\amd64\\DISM\\dism.exe",
+          "?:\\Windows\\explorer.exe",
+          "?:\\Windows\\System32\\Dism.exe",
+          "?:\\Windows\\System32\\inetsrv\\w3wp.exe",
+          "?:\\Windows\\SysWOW64\\Dism.exe",
+          "?:\\Windows\\SysWOW64\\explorer.exe",
+          "?:\\Windows\\SysWOW64\\inetsrv\\w3wp.exe"
+  ) and
   /* Crowdstrike specific exclusion as it uses NT Object paths */
   not
   (
     data_stream.dataset == "crowdstrike.fdr" and
     process.executable : (
-        "\\Device\\HarddiskVolume*\\Windows\\explorer.exe", 
-        "\\Device\\HarddiskVolume*\\Windows\\SysWOW64\\explorer.exe",
-        "\\Device\\HarddiskVolume*\\Program Files\\Microsoft Office\\root\\Office*\\WINWORD.EXE", 
-        "\\Device\\HarddiskVolume*\\Program Files (x86)\\Microsoft Office\\root\\Office*\\WINWORD.EXE", 
-        "\\Device\\HarddiskVolume*\\Windows\\System32\\Dism.exe", 
-        "\\Device\\HarddiskVolume*\\Windows\\SysWOW64\\Dism.exe",  
+        "\\Device\\HarddiskVolume*\\Program Files\\Microsoft Office\\*\\winword.exe",
+        "\\Device\\HarddiskVolume*\\Program Files\\Microsoft Office ??\\*\\winword.exe",
+        "\\Device\\HarddiskVolume*\\Program Files\\WindowsApps\\Microsoft.Office.Desktop.*\\Office??\\winword.exe",
+        "\\Device\\HarddiskVolume*\\Program Files (x86)\\Microsoft Office\\*\\winword.exe",
         "\\Device\\HarddiskVolume*\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\amd64\\DISM\\dism.exe",
-        "\\Device\\HarddiskVolume*\\Windows\\System32\\inetsrv\\w3wp.exe", 
+        "\\Device\\HarddiskVolume*\\Windows\\explorer.exe",
+        "\\Device\\HarddiskVolume*\\Windows\\System32\\Dism.exe",
+        "\\Device\\HarddiskVolume*\\Windows\\System32\\inetsrv\\w3wp.exe",
+        "\\Device\\HarddiskVolume*\\Windows\\SysWOW64\\Dism.exe",
+        "\\Device\\HarddiskVolume*\\Windows\\SysWOW64\\explorer.exe",
         "\\Device\\HarddiskVolume*\\Windows\\SysWOW64\\inetsrv\\w3wp.exe"
     )
   )