[Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths (#5037)

* [Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths

* ++

* Update defense_evasion_workfolders_control_execution.toml

* Update privilege_escalation_uac_bypass_event_viewer.toml

(cherry picked from commit b2bc602)

Author: w0rk3r

rules/windows/defense_evasion_lolbas_win_cdb_utility.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/07/24"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -85,8 +85,10 @@ process where host.os.type == "windows" and event.type == "start" and
   not process.executable : (
         "?:\\Program Files (x86)\\*\\cdb.exe",
         "?:\\Program Files\\*\\cdb.exe",
-        "\\Device\\HarddiskVolume?\\Program Files (x86)\\*\\cdb.exe",
-        "\\Device\\HarddiskVolume?\\Program Files\\*\\cdb.exe"
+
+        /* Crowdstrike specific exclusion as it uses NT Object paths */
+        "\\Device\\HarddiskVolume*\\Program Files (x86)\\*\\cdb.exe",
+        "\\Device\\HarddiskVolume*\\Program Files\\*\\cdb.exe"
   )
 '''
 

rules/windows/defense_evasion_masquerading_trusted_directory.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/05/05"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -85,7 +85,7 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and
   process.executable : (
     "C:\\*Program*Files*\\*.exe",
-    "\\Device\\HarddiskVolume?\\*Program*Files*\\*.exe"
+    "\\Device\\HarddiskVolume*\\*Program*Files*\\*.exe"
   ) and
   not process.executable : (
         "?:\\Program Files\\*.exe",
@@ -97,15 +97,16 @@ process where host.os.type == "windows" and event.type == "start" and
         "?:\\Windows\\Temp\\.opera\\????????????\\CProgram?Files?(x86)Opera*\\*.exe"
   ) and
   not (
+    /* Crowdstrike specific exclusion as it uses NT Object paths */
     event.dataset == "crowdstrike.fdr" and
       process.executable : (
-        "\\Device\\HarddiskVolume?\\Program Files\\*.exe",
-        "\\Device\\HarddiskVolume?\\Program Files (x86)\\*.exe",
-        "\\Device\\HarddiskVolume?\\Users\\*.exe",
-        "\\Device\\HarddiskVolume?\\ProgramData\\*.exe",
-        "\\Device\\HarddiskVolume?\\Windows\\Downloaded Program Files\\*.exe",
-        "\\Device\\HarddiskVolume?\\Windows\\Temp\\.opera\\????????????\\CProgram?FilesOpera*\\*.exe",
-        "\\Device\\HarddiskVolume?\\Windows\\Temp\\.opera\\????????????\\CProgram?Files?(x86)Opera*\\*.exe"
+        "\\Device\\HarddiskVolume*\\Program Files\\*.exe",
+        "\\Device\\HarddiskVolume*\\Program Files (x86)\\*.exe",
+        "\\Device\\HarddiskVolume*\\Users\\*.exe",
+        "\\Device\\HarddiskVolume*\\ProgramData\\*.exe",
+        "\\Device\\HarddiskVolume*\\Windows\\Downloaded Program Files\\*.exe",
+        "\\Device\\HarddiskVolume*\\Windows\\Temp\\.opera\\????????????\\CProgram?FilesOpera*\\*.exe",
+        "\\Device\\HarddiskVolume*\\Windows\\Temp\\.opera\\????????????\\CProgram?Files?(x86)Opera*\\*.exe"
       )
   )
 '''

rules/windows/defense_evasion_workfolders_control_execution.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/03/02"
 integration = ["windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -85,8 +85,10 @@ process where host.os.type == "windows" and event.type == "start" and
   not process.executable : (
     "?:\\Windows\\System32\\control.exe",
     "?:\\Windows\\SysWOW64\\control.exe",
-    "\\Device\\HarddiskVolume?\\Windows\\System32\\control.exe",
-    "\\Device\\HarddiskVolume?\\Windows\\SysWOW64\\control.exe"
+
+    /* Crowdstrike specific condition as it uses NT Object paths */
+    "\\Device\\HarddiskVolume*\\Windows\\System32\\control.exe",
+    "\\Device\\HarddiskVolume*\\Windows\\SysWOW64\\control.exe"
   )
 '''
 

rules/windows/defense_evasion_wsl_child_process.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -94,15 +94,16 @@ process where host.os.type == "windows" and event.type : "start" and
         "?:\\Windows\\Sys?????\\wslconfig.exe"
   ) and
   not (
+    /* Crowdstrike specific exclusion as it uses NT Object paths */
     event.dataset == "crowdstrike.fdr" and
       process.executable : (
-        "\\Device\\HarddiskVolume?\\Program Files (x86)\\*",
-        "\\Device\\HarddiskVolume?\\Program Files\\*",
-        "\\Device\\HarddiskVolume?\\Program Files*\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\wsl*.exe",
-        "\\Device\\HarddiskVolume?\\Windows\\System32\\conhost.exe",
-        "\\Device\\HarddiskVolume?\\Windows\\System32\\lxss\\wslhost.exe",
-        "\\Device\\HarddiskVolume?\\Windows\\System32\\WerFault.exe",
-        "\\Device\\HarddiskVolume?\\Windows\\Sys?????\\wslconfig.exe"
+        "\\Device\\HarddiskVolume*\\Program Files (x86)\\*",
+        "\\Device\\HarddiskVolume*\\Program Files\\*",
+        "\\Device\\HarddiskVolume*\\Program Files*\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\wsl*.exe",
+        "\\Device\\HarddiskVolume*\\Windows\\System32\\conhost.exe",
+        "\\Device\\HarddiskVolume*\\Windows\\System32\\lxss\\wslhost.exe",
+        "\\Device\\HarddiskVolume*\\Windows\\System32\\WerFault.exe",
+        "\\Device\\HarddiskVolume*\\Windows\\Sys?????\\wslconfig.exe"
       )
   )
 '''

rules/windows/defense_evasion_wsl_kalilinux.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -88,9 +88,11 @@ process where host.os.type == "windows" and event.type == "start" and
     "?:\\Users\\*\\AppData\\Local\\packages\\kalilinux*",
     "?:\\Users\\*\\AppData\\Local\\Microsoft\\WindowsApps\\kali.exe",
     "?:\\Program Files*\\WindowsApps\\KaliLinux.*\\kali.exe",
-    "\\Device\\HarddiskVolume?\\Users\\*\\AppData\\Local\\packages\\kalilinux*",
-    "\\Device\\HarddiskVolume?\\Users\\*\\AppData\\Local\\Microsoft\\WindowsApps\\kali.exe",
-    "\\Device\\HarddiskVolume?\\Program Files*\\WindowsApps\\KaliLinux.*\\kali.exe"
+
+    /* Crowdstrike specific exclusion as it uses NT Object paths */
+    "\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Local\\packages\\kalilinux*",
+    "\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Local\\Microsoft\\WindowsApps\\kali.exe",
+    "\\Device\\HarddiskVolume*\\Program Files*\\WindowsApps\\KaliLinux.*\\kali.exe"
   )
 )
 '''

rules/windows/execution_com_object_xwizard.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/01/20"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -93,8 +93,10 @@ process where host.os.type == "windows" and event.type == "start" and
      not process.executable : (
         "C:\\Windows\\SysWOW64\\xwizard.exe",
         "C:\\Windows\\System32\\xwizard.exe",
-        "\\Device\\HarddiskVolume?\\Windows\\SysWOW64\\xwizard.exe",
-        "\\Device\\HarddiskVolume?\\Windows\\System32\\xwizard.exe"
+
+        /* Crowdstrike specific exclusion as it uses NT Object paths */
+        "\\Device\\HarddiskVolume*\\Windows\\SysWOW64\\xwizard.exe",
+        "\\Device\\HarddiskVolume*\\Windows\\System32\\xwizard.exe"
      )
    )
  )

rules/windows/execution_via_mmc_console_file_unusual_path.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/06/19"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -84,7 +84,9 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and
   process.executable : (
     "?:\\Windows\\System32\\mmc.exe",
-    "\\Device\\HarddiskVolume?\\Windows\\System32\\mmc.exe"
+
+    /* Crowdstrike specific condition as it uses NT Object paths */
+    "\\Device\\HarddiskVolume*\\Windows\\System32\\mmc.exe"
   ) and
   process.args : "*.msc" and
   not process.args : (

rules/windows/initial_access_execution_from_inetcache.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/02/14"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -91,7 +91,9 @@ process where host.os.type == "windows" and event.type == "start" and
     process.args : "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*" or
     process.executable : (
       "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*",
-      "\\Device\\HarddiskVolume?\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*"
+
+      /* Crowdstrike specific exclusion as it uses NT Object paths */
+      "\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*"
     )
   )
 '''

rules/windows/initial_access_suspicious_ms_exchange_process.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/03/04"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -105,15 +105,17 @@ process where host.os.type == "windows" and event.type == "start" and
           "D:\\Exchange\\Bin\\UMWorkerProcess.exe",
           "D:\\Exchange Server\\Bin\\UMWorkerProcess.exe",
           "E:\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe",
-          "\\Device\\HarddiskVolume?\\Windows\\System32\\werfault.exe",
-          "\\Device\\HarddiskVolume?\\Windows\\System32\\wermgr.exe",
-          "\\Device\\HarddiskVolume?\\Program Files\\Microsoft\\Exchange Server\\V??\\Bin\\UMWorkerProcess.exe",
-          "\\Device\\HarddiskVolume?\\Program Files\\Microsoft\\Exchange Server\\Bin\\UMWorkerProcess.exe",
-          "\\Device\\HarddiskVolume?\\Exchange 2016\\Bin\\UMWorkerProcess.exe",
-          "\\Device\\HarddiskVolume?\\ExchangeServer\\Bin\\UMWorkerProcess.exe",
-          "\\Device\\HarddiskVolume?\\Exchange\\Bin\\UMWorkerProcess.exe",
-          "\\Device\\HarddiskVolume?\\Exchange Server\\Bin\\UMWorkerProcess.exe",
-          "\\Device\\HarddiskVolume?\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe"
+
+          /* Crowdstrike specific exclusion as it uses NT Object paths */
+          "\\Device\\HarddiskVolume*\\Windows\\System32\\werfault.exe",
+          "\\Device\\HarddiskVolume*\\Windows\\System32\\wermgr.exe",
+          "\\Device\\HarddiskVolume*\\Program Files\\Microsoft\\Exchange Server\\V??\\Bin\\UMWorkerProcess.exe",
+          "\\Device\\HarddiskVolume*\\Program Files\\Microsoft\\Exchange Server\\Bin\\UMWorkerProcess.exe",
+          "\\Device\\HarddiskVolume*\\Exchange 2016\\Bin\\UMWorkerProcess.exe",
+          "\\Device\\HarddiskVolume*\\ExchangeServer\\Bin\\UMWorkerProcess.exe",
+          "\\Device\\HarddiskVolume*\\Exchange\\Bin\\UMWorkerProcess.exe",
+          "\\Device\\HarddiskVolume*\\Exchange Server\\Bin\\UMWorkerProcess.exe",
+          "\\Device\\HarddiskVolume*\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe"
     )
 '''
 

rules/windows/persistence_adobe_hijack_persistence.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/08/28"
 
 [transform]
 [[transform.osquery]]
@@ -122,8 +122,8 @@ file where host.os.type == "windows" and event.type == "creation" and
     "?:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe",
 
     /* Crowdstrike specific condition as it uses NT Object paths */
-    "\\Device\\HarddiskVolume?\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe",
-    "\\Device\\HarddiskVolume?\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe"
+    "\\Device\\HarddiskVolume*\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe",
+    "\\Device\\HarddiskVolume*\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe"
   ) and
   not process.name : ("msiexec.exe", "AdobeARM.exe")
 '''