|
2 | 2 | creation_date = "2020/09/02" |
3 | 3 | integration = ["endpoint", "windows"] |
4 | 4 | maturity = "production" |
5 | | -updated_date = "2025/08/19" |
| 5 | +updated_date = "2025/09/01" |
6 | 6 |
|
7 | 7 | [transform] |
8 | 8 | [[transform.osquery]] |
@@ -40,8 +40,8 @@ from = "now-9m" |
40 | 40 | index = [ |
41 | 41 | "logs-endpoint.events.process-*", |
42 | 42 | "logs-endpoint.events.network-*", |
43 | | - "winlogbeat-*", |
44 | 43 | "logs-windows.sysmon_operational-*", |
| 44 | + "winlogbeat-*" |
45 | 45 | ] |
46 | 46 | language = "eql" |
47 | 47 | license = "Elastic License v2" |
@@ -115,7 +115,7 @@ tags = [ |
115 | 115 | type = "eql" |
116 | 116 |
|
117 | 117 | query = ''' |
118 | | -sequence by process.entity_id with maxspan=5m |
| 118 | +sequence by process.entity_id with maxspan=1m |
119 | 119 | [process where host.os.type == "windows" and event.type == "start" and |
120 | 120 |
|
121 | 121 | /* known applocker bypasses */ |
@@ -147,45 +147,13 @@ sequence by process.entity_id with maxspan=5m |
147 | 147 | "C:\\Program Files (x86)\\Amazon\\Amazon Assistant\\amazonAssistantService.exe", |
148 | 148 | "C:\\Users\\*\\AppData\\Local\\Temp\\TeamViewer\\TeamViewer.exe")) |
149 | 149 | ] |
150 | | - [network where |
151 | | - (process.name : "bginfo.exe" or |
152 | | - process.name : "cdb.exe" or |
153 | | - process.name : "control.exe" or |
154 | | - process.name : "cmstp.exe" or |
155 | | - process.name : "csi.exe" or |
156 | | - process.name : "dnx.exe" or |
157 | | - process.name : "fsi.exe" or |
158 | | - process.name : "ieexec.exe" or |
159 | | - process.name : "iexpress.exe" or |
160 | | - process.name : "installutil.exe" or |
161 | | - process.name : "Microsoft.Workflow.Compiler.exe" or |
162 | | - ( |
163 | | - process.name : "msbuild.exe" and |
164 | | - destination.ip != "127.0.0.1" |
165 | | - ) or |
166 | | - process.name : "msdt.exe" or |
167 | | - process.name : "mshta.exe" or |
168 | | - ( |
169 | | - process.name : "msiexec.exe" and not |
170 | | - dns.question.name : ( |
171 | | - "ocsp.digicert.com", "ocsp.verisign.com", "ocsp.comodoca.com", "ocsp.entrust.net", "ocsp.usertrust.com", |
172 | | - "ocsp.godaddy.com", "ocsp.camerfirma.com", "ocsp.globalsign.com", "ocsp.sectigo.com", "*.local" |
173 | | - ) and |
174 | | - /* Localhost, DigiCert and Comodo CA IP addresses */ |
175 | | - not cidrmatch(destination.ip, "127.0.0.1", "192.229.211.108/32", "192.229.221.95/32", |
176 | | - "152.195.38.76/32", "104.18.14.101/32") |
177 | | - ) or |
178 | | - process.name : "msxsl.exe" or |
179 | | - process.name : "odbcconf.exe" or |
180 | | - process.name : "rcsi.exe" or |
181 | | - process.name : "regsvr32.exe" or |
182 | | - process.name : "xwizard.exe") and |
183 | | - |
| 150 | + [network where dns.question.name != null and |
184 | 151 | not dns.question.name : ("localhost", "setup.officetimeline.com", "us.deployment.endpoint.ingress.rapid7.com", |
185 | 152 | "ctldl.windowsupdate.com", "crl?.digicert.com", "ocsp.digicert.com", "addon-cms-asl.eu.goskope.com", "crls.ssl.com", |
186 | 153 | "evcs-ocsp.ws.symantec.com", "s.symcd.com", "s?.symcb.com", "crl.verisign.com", "oneocsp.microsoft.com", "crl.verisign.com", |
187 | 154 | "aka.ms", "crl.comodoca.com", "acroipm2.adobe.com", "sv.symcd.com", "_ldap._tcp.*", "..localmachine", "secure.globalsign.com", |
188 | | - "acroipm2.adobe.com", "www.ssl.com") and |
| 155 | + "acroipm2.adobe.com", "www.ssl.com", "ocsp.digicert.com", "ocsp.verisign.com", "ocsp.comodoca.com", "ocsp.entrust.net", "ocsp.usertrust.com", |
| 156 | + "ocsp.godaddy.com", "ocsp.camerfirma.com", "ocsp.globalsign.com", "ocsp.sectigo.com", "*.local") and |
189 | 157 |
|
190 | 158 | not (process.name : "mshta.exe" and |
191 | 159 | dns.question.name : ("client.teamviewer.com", "www.teamviewer.com", "images-na.ssl-images-amazon.com", "searcherbar.tilda.ws")) and |
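Review bot: The merged exclusion list at new lines 151–156 now carries duplicate entries: `ocsp.digicert.com` is on line 152 and again on the appended line 155, `acroipm2.adobe.com` on lines 154 and 155, and `crl.verisign.com` twice on line 153; the repeats do not change EQL matching, but they suggest the old msiexec-specific list was appended rather than merged, and dropping them would keep the list easier to audit. The rewritten network stage at new line 150 also removes the explicit process.name set, so any DNS event joined to the first-stage process by process.entity_id now satisfies it; the process filter in stage one, which lies outside this hunk, is presumably what still constrains the matched binaries, and that is worth confirming since maxspan was also tightened to 1m in the earlier hunk. The query string starts and ends outside this hunk.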
|