[Rule Tuning] Windows High Severity - 2 (#5093)

w0rk3r · tradebot-elastic · commit 852944e746a2 · 2025-09-15T14:57:44.000Z
* [Rule Tuning] Windows High Severity - 2 * [Rule Tuning] Windows High Severity - 3 * Revert "[Rule Tuning] Windows High Severity - 3" This reverts commit 32c8348. (cherry picked from commit 567b82c)
diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
@@ -2,14 +2,14 @@
 creation_date = "2021/07/07"
 integration = ["endpoint", "windows", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/01"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic", "Dennis Perto"]
 description = """
-Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being
-renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via
-side-loading a malicious DLL within the memory space of one of those processes.
+Identifies suspicious execution of the Microsoft Antimalware Service Executable (MsMpEng.exe) from non-standard paths or
+renamed instances. This may indicate an attempt to evade defenses through DLL side-loading or by masquerading as the
+antimalware process.
 """
 false_positives = ["Microsoft Antimalware Service Executable installed on non default installation path."]
 from = "now-9m"
@@ -23,13 +23,13 @@ index = [
 ]
 language = "eql"
 license = "Elastic License v2"
-name = "Potential DLL Side-Loading via Microsoft Antimalware Service Executable"
+name = "Suspicious Microsoft Antimalware Service Execution"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Potential DLL Side-Loading via Microsoft Antimalware Service Executable
+### Investigating Suspicious Microsoft Antimalware Service Execution
 
 The Microsoft Antimalware Service Executable, a core component of Windows Defender, is crucial for real-time protection against malware. Adversaries exploit its trust by renaming it or executing it from non-standard paths to load malicious DLLs, bypassing security measures. The detection rule identifies such anomalies by monitoring process names and paths, flagging deviations from expected behavior to uncover potential threats.
 
diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/14"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,6 @@ index = [
 ]
 language = "eql"
 license = "Elastic License v2"
-max_signals = 33
 name = "IIS HTTP Logging Disabled"
 note = """## Triage and analysis
 
diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/05/31"
 integration = ["endpoint", "windows", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -85,8 +85,7 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and
   (?process.pe.original_file_name == "msdt.exe" or process.name : "msdt.exe") and
   (
-    process.args : ("IT_RebrowseForFile=*", "ms-msdt:/id", "ms-msdt:-id", "*FromBase64*") or
-
+    process.args : ("IT_RebrowseForFile=*", "*FromBase64*", "*/../../../*", "*PCWDiagnostic*") or
     (
       process.args : "-af" and process.args : "/skip" and
       process.parent.name : ("explorer.exe", "cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe") and
diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -79,7 +79,7 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
   process.parent.pid == 4 and process.executable : "?*" and
-  not process.executable : ("Registry", "MemCompression", "?:\\Windows\\System32\\smss.exe")
+  not process.executable : ("Registry", "MemCompression", "?:\\Windows\\System32\\smss.exe", "HotPatch")
 '''
 
 
diff --git a/rules/windows/execution_initial_access_via_msc_file.toml b/rules/windows/execution_initial_access_via_msc_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/12"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -68,8 +68,33 @@ type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- process.parent.executable : "?:\\Windows\\System32\\mmc.exe" and endswith~(process.parent.args, ".msc") and
- not process.parent.args : ("?:\\Windows\\System32\\*.msc", "?:\\Windows\\SysWOW64\\*.msc", "?:\\Program files\\*.msc", "?:\\Program Files (x86)\\*.msc")
+  process.parent.executable : "?:\\Windows\\System32\\mmc.exe" and endswith~(process.parent.args, ".msc") and
+  not (
+    process.parent.args : (
+      "?:\\Windows\\System32\\*.msc",
+      "?:\\Windows\\SysWOW64\\*.msc",
+      "?:\\Program files\\*.msc",
+      "?:\\Program Files (x86)\\*.msc"
+    ) or
+    (
+      process.executable : "?:\\Windows\\System32\\mmc.exe" and
+      process.command_line : "\"C:\\WINDOWS\\system32\\mmc.exe\" \"C:\\Windows\\System32\\gpme.msc\" /s /gpobject:\"LDAP://*"
+    ) or
+    (
+      process.executable : (
+        "?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
+        "?:\\Program Files\\Mozilla Firefox\\firefox.exe",
+        "?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
+        "?:\\Program Files\\internet explorer\\iexplore.exe"
+      ) and
+      process.args : "http*://go.microsoft.com/fwlink/*"
+    ) or
+    process.executable : (
+      "?:\\Windows\\System32\\vmconnect.exe",
+      "?:\\Windows\\System32\\WerFault.exe",
+      "?:\\Windows\\System32\\wermgr.exe"
+    )
+  )
 '''
 
 
