[Rule Tuning] Persistence via a Windows Installer (#5386)

w0rk3r · web-flow · commit 6915e3956fe7 · 2025-12-01T07:54:23.000-08:00
diff --git a/rules/windows/persistence_msi_installer_task_startup.toml b/rules/windows/persistence_msi_installer_task_startup.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -35,18 +35,55 @@ type = "eql"
 
 query = '''
 any where host.os.type == "windows" and
- (process.name : "msiexec.exe" or Effective_process.name : "msiexec.exe") and
- (
-  (event.category == "file" and event.action == "creation" and
-   file.path : ("?:\\Windows\\System32\\Tasks\\*",
-                "?:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\*",
-                "?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*")) or
-
-  (event.category == "registry" and event.action == "modification" and
-   registry.path : ("H*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
-                    "H*\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
-                    "H*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
-                    "H*\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*"))
+  (process.name : "msiexec.exe" or Effective_process.name : "msiexec.exe") and
+  (
+    (
+      event.category == "file" and event.action == "creation" and
+      file.path : (
+        "?:\\Windows\\System32\\Tasks\\*",
+        "?:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\*",
+        "?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*"
+      ) and
+      not file.path : (
+        "?:\\Windows\\System32\\Tasks\\Adobe Acrobat Update Task",
+        "?:\\Windows\\System32\\Tasks\\HP\\Sure Click\\Sure Click ?.?.??.????",
+        "?:\\Windows\\System32\\Tasks\\HP\\Sure Click\\Sure Click UI ?.?.??.????",
+        "?:\\Windows\\System32\\Tasks\\HP\\Sure Click\\Upgrade Repair ?.?.??.????",
+        "?:\\Windows\\System32\\Tasks\\IntelSURQC-Upgrade-86621605-2a0b-4128-8ffc-15514c247132",
+        "?:\\Windows\\System32\\Tasks\\IntelSURQC-Upgrade-86621605-2a0b-4128-8ffc-15514c247132-Logon"
+      )
+    ) or
+    (
+      event.category == "registry" and event.action == "modification" and registry.data.strings != null and
+      registry.path : (
+        "H*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
+        "H*\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
+        "H*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
+        "H*\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*"
+      ) and
+      not registry.data.strings : (
+        "C:\\Program Files (x86)\\Common Files\\Acronis\\TibMounter\\tib_mounter_monitor.exe",
+        "C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe",
+        "C:\\Program Files\\Citrix\\Secure Access Client\\CtxsDPS.exe --clean-user-installs",
+        "C:\\Program Files\\OpenVPN\\bin\\openvpn-gui.exe",
+        "C:\\Program Files\\Veeam\\Endpoint Backup\\Veeam.EndPoint.Tray.exe -NoControlPanel -CheckNumberOfRunningAgents",
+        "\"C:\\Program Files (x86)\\Cisco\\Cisco Secure Client\\UI\\csc_ui.exe\" -minimized",
+        "\"C:\\Program Files (x86)\\Citrix\\ICA Client\\concentr.exe\" /startup",
+        "\"C:\\Program Files (x86)\\Citrix\\ICA Client\\Receiver\\AnalyticsSrv.exe\" /Startup",
+        "\"C:\\Program Files (x86)\\Citrix\\ICA Client\\redirector.exe\" /startup",
+        "\"C:\\Program Files (x86)\\EPSON Software\\Download Navigator\\EPSDNMON.EXE\"",
+        "\"C:\\Program Files (x86)\\Jabra\\Direct6\\jabra-direct.exe\" /minimized",
+        "\"C:\\Program Files (x86)\\VMware\\VMware Workstation\\vmware-tray.exe\"",
+        "\"C:\\Program Files\\ESET\\ESET Security\\ecmds.exe\" /run /hide /proxy",
+        "\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"",
+        "\"C:\\Program Files\\KeePassXC\\KeePassXC.exe\"",
+        "\"C:\\Program Files\\Palo Alto Networks\\GlobalProtect\\PanGPA.exe\"",
+        "\"C:\\Program Files\\PDF24\\pdf24.exe\"",
+        "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr",
+        "\"C:\\PROGRA~2\\Citrix\\DEVICE~1\\Bin64\\DTCLIE~1.EXE\"",
+        "\"%ProgramFiles%\\Teams Installer\\Teams.exe\" --checkInstall --source=default"
+      )
+    )
   )
 '''
 note = """## Triage and analysis
