[Rule Tuning] Windows High Severity - 4 (#5095)

w0rk3r · web-flow · commit 76c73f84f63d · 2025-09-15T09:18:55.000-07:00
* [Rule Tuning] Windows High Severity - 4

* Update initial_access_execution_from_inetcache.toml
diff --git a/rules/windows/initial_access_execution_from_inetcache.toml b/rules/windows/initial_access_execution_from_inetcache.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/02/14"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/28"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -88,13 +88,25 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and
   process.parent.name : ("explorer.exe", "winrar.exe", "7zFM.exe", "Bandizip.exe") and
   (
-    process.args : "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*" or
+    process.args : "*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*" or
     process.executable : (
       "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*",
 
-      /* Crowdstrike specific exclusion as it uses NT Object paths */
+      /* Crowdstrike specific condition as it uses NT Object paths */
       "\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*"
     )
+  ) and
+  not process.executable : (
+        "?:\\Program Files\\*.exe",
+        "?:\\Program Files (x86)\\*.exe",
+        "?:\\Windows\\System32\\mspaint.exe",
+        "?:\\Windows\\System32\\notepad.exe",
+
+        /* Crowdstrike specific exclusion as it uses NT Object paths */
+        "\\Device\\HarddiskVolume*\\Program Files\\*.exe",
+        "\\Device\\HarddiskVolume*\\Program Files (x86)\\*.exe",
+        "\\Device\\HarddiskVolume*\\Windows\\System32\\mspaint.exe",
+        "\\Device\\HarddiskVolume*\\Windows\\System32\\notepad.exe"
   )
 '''
 
diff --git a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/04/12"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -59,7 +59,7 @@ Remote Desktop Shadowing allows administrators to view or control active RDP ses
 - Implement enhanced monitoring and logging for RDP activities across the network to detect and respond to similar threats more quickly in the future.
 - Review and update RDP access policies and configurations to ensure they align with best practices, such as enforcing multi-factor authentication and limiting RDP access to only necessary users and systems."""
 references = [
-    "https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing",
+    "https://blog.bitsadmin.com/spying-on-users-using-rdp-shadowing",
     "https://swarm.ptsecurity.com/remote-desktop-services-shadowing/",
 ]
 risk_score = 73
@@ -86,12 +86,13 @@ query = '''
 
 any where host.os.type == "windows" and
 (
-  (event.category == "registry" and
-     registry.path : (
-      "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow",
-      "\\REGISTRY\\MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow",
-      "MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow"
-    )
+  (event.category == "registry" and event.type == "change" and
+    registry.value : "Shadow" and
+    registry.path : (
+      "*\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow"
+    ) and
+    registry.data.strings : ("1", "0x00000001", "2", "0x00000002", "3", "0x00000003", "4", "0x00000004")
+
   ) or
   (event.category == "process" and event.type == "start" and
      (process.name : ("RdpSaUacHelper.exe", "RdpSaProxy.exe") and process.parent.name : "svchost.exe") or
diff --git a/rules/windows/lateral_movement_unusual_dns_service_children.toml b/rules/windows/lateral_movement_unusual_dns_service_children.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -96,8 +96,16 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where host.os.type == "windows" and event.type == "start" and process.parent.name : "dns.exe" and
-  not process.name : "conhost.exe"
+process where host.os.type == "windows" and event.type == "start" and
+  process.parent.name : "dns.exe" and
+  not process.executable : (
+    "?:\\Windows\\System32\\conhost.exe",
+
+    /* Crowdstrike specific exclusion as it uses NT Object paths */
+    "\\Device\\HarddiskVolume*\\Windows\\System32\\conhost.exe",
+    "\\Device\\HarddiskVolume*\\Program Files\\ReasonLabs\\*"
+  ) and
+  not ?process.parent.executable : "?:\\Program Files\\ReasonLabs\\DNS\\ui\\DNS.exe"
 '''
 
 
diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/03/15"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/09/11"
 
 [transform]
 [[transform.osquery]]
@@ -152,7 +152,9 @@ registry where host.os.type == "windows" and event.type == "change" and
            "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
            "%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
            "%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
-           "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
+           "%%USERPROFILE%%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
+           "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
+           "\\\\*"
            )
 '''
 
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/11"
 
 [transform]
 [[transform.osquery]]
@@ -141,16 +141,14 @@ process where host.os.type == "windows" and event.type == "start" and
     "sethc.exe",
     "utilman2.exe",
     "DisplaySwitch.exe",
+    "atbroker.exe",
     "ATBroker.exe",
     "ScreenMagnifier.exe",
     "SR.exe",
     "Narrator.exe",
     "magnify.exe",
     "MAGNIFY.EXE"
     )
-
-/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */
-/* and process.code_signature.subject_name == "Microsoft Windows" and process.code_signature.status == "trusted" */
 '''
 
 
