[Rule Tuning] Fix process.pe.original_file_name Conditions (#5101)

w0rk3r · web-flow · commit 8d9822e8becc · 2025-09-15T09:06:23.000-07:00
* [Rule Tuning] Fix process.pe.original_file_name Conditions

* --
diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 
 [rule]
 author = ["Elastic"]
@@ -60,14 +60,6 @@ references = [
 ]
 risk_score = 47
 rule_id = "45d273fb-1dca-457d-9855-bcb302180c21"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
 tags = [
     "Domain: Endpoint",
@@ -89,8 +81,8 @@ process where host.os.type == "windows" and event.type == "start" and
 (
   (
     (
-      process.name:"rar.exe" or ?process.code_signature.subject_name == "win.rar GmbH" or
-      ?process.pe.original_file_name == "Command line RAR"
+      process.name : ("rar.exe", "WinRAR.exe") or ?process.code_signature.subject_name == "win.rar GmbH" or
+      ?process.pe.original_file_name == "WinRAR.exe"
     ) and
     process.args == "a" and process.args : ("-hp*", "-p*", "/hp*", "/p*")
   ) or
diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/11/22"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 
 [rule]
 author = ["Austin Songer"]
@@ -86,7 +86,7 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and
   (
     process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
-    ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")
+    ?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")
   ) and
   (
     process.args : "*Clear-History*" or
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 
 [rule]
 author = ["Elastic"]
@@ -88,7 +88,7 @@ process where host.os.type == "windows" and event.type == "start" and
   (
     (
       process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
-      ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")
+      ?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")
     ) and
     process.args : "Clear-EventLog"
   )
diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/20"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 
 [rule]
 author = ["Elastic"]
@@ -100,7 +100,7 @@ type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")) and
+ (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or ?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")) and
   process.args : ("*Add-MpPreference*", "*Set-MpPreference*") and
   process.args : ("*-Exclusion*")
 '''
diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/07"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 
 [rule]
 author = ["Elastic"]
@@ -90,7 +90,7 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and
   (
     process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
-    ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")
+    ?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")
   ) and
   process.args : "Set-MpPreference" and process.args : ("-Disable*", "Disabled", "NeverSend", "-Exclusion*")
 '''
diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/06"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 
 [rule]
 author = ["Elastic", "Ivan Ninichuck", "Austin Songer"]
@@ -90,7 +90,7 @@ process where host.os.type == "windows" and event.type == "start" and
   (
     (
       process.name : ("pwsh.exe", "powershell.exe", "powershell_ise.exe") or
-      ?process.pe.original_file_name in ("pwsh.exe", "powershell.exe", "powershell_ise.exe")
+      ?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")
     ) and
 	  process.args : "Set-Service" and process.args: "EventLog" and process.args : "Disabled"
   )  or
diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/15"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 
 [rule]
 author = ["Austin Songer"]
@@ -96,7 +96,7 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and
   (
     process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
-    ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")
+    ?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")
   ) and
   process.args : "*Set-NetFirewallProfile*" and
   process.args : "*-Enabled*" and process.args : "*False*" and
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/03/08"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 
 [rule]
 author = ["Elastic"]
@@ -85,8 +85,10 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
   process.parent.name : "w3wp.exe" and process.parent.args : "MSExchange*AppPool" and
-  (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or
-  ?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe"))
+  (
+    (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or
+    ?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE"))
+  )
 '''
 
 
diff --git a/rules/windows/initial_access_webshell_screenconnect_server.toml b/rules/windows/initial_access_webshell_screenconnect_server.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/03/26"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 
 [rule]
 author = ["Elastic"]
@@ -86,7 +86,7 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and
   process.parent.name : "ScreenConnect.Service.exe" and
   (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "csc.exe") or
-  ?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe"))
+  ?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE"))
 '''
 
 

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@`
`2`	`2`	`creation_date = "2020/02/18"`
`3`	`3`	`integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]`
`4`	`4`	`maturity = "production"`
`5`		`-updated_date = "2025/03/20"`
	`5`	`+updated_date = "2025/09/12"`
`6`	`6`
`7`	`7`	`[rule]`
`8`	`8`	`author = ["Elastic"]`
`@@ -88,7 +88,7 @@ process where host.os.type == "windows" and event.type == "start" and`
`88`	`88`	`(`
`89`	`89`	`(`
`90`	`90`	`process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or`
`91`		`- ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")`
	`91`	`+ ?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")`
`92`	`92`	`) and`
`93`	`93`	`process.args : "Clear-EventLog"`
`94`	`94`	`)`