Merge branch 'main' into terrancedejesus/issue5189

terrancedejesus · web-flow · commit 8ed29f9c65bd · 2025-10-08T11:37:54.000-04:00
diff --git a/detection_rules/etc/packages.yaml b/detection_rules/etc/packages.yaml
@@ -7,12 +7,12 @@ package:
   registry_data:
     categories:
     - security
+    # Added siem category as these rules are used by the Elastic Security detection engine for security monitoring
+    - siem
     conditions:
       elastic:
         capabilities:
         - security
-        # Added siem category as these rules are used by the Elastic Security detection engine for security monitoring
-        - siem
         subscription: basic
       kibana.version: ^9.2.0
     description: Prebuilt detection rules for Elastic Security
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.4.10"
+version = "1.4.11"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
diff --git a/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml b/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/27"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/10/07"
 
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,8 @@ type = "eql"
 
 query = '''
 registry where host.os.type == "windows" and event.type == "change" and
-  registry.value : "RunAsPPL" and registry.path : "*\\SYSTEM\\*ControlSet*\\Control\\Lsa\\RunAsPPL" and
+  registry.data.strings != null and registry.value : "RunAsPPL" and
+  registry.path : "*\\SYSTEM\\*ControlSet*\\Control\\Lsa\\RunAsPPL" and
   not registry.data.strings : ("1", "0x00000001", "2", "0x00000002")
 '''
 
diff --git a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/31"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/10/07"
 
 [rule]
 author = ["Elastic"]
@@ -84,7 +84,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-registry where host.os.type == "windows" and event.type == "change" and
+registry where host.os.type == "windows" and event.type == "change" and registry.data.strings != null and
 (
   (registry.value : "EnableGlobalQueryBlockList" and registry.data.strings : ("0", "0x00000000")) or
   (registry.value : "GlobalQueryBlockList" and not registry.data.strings : "wpad")
diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/08/18"
+updated_date = "2025/10/07"
 
 [rule]
 author = ["Elastic"]
@@ -79,7 +79,7 @@ type = "eql"
 
 query = '''
 registry where host.os.type == "windows" and event.type == "change" and
-  registry.value : ("ServiceDLL", "ImagePath") and
+  registry.data.strings != null and registry.value : ("ServiceDLL", "ImagePath") and
   registry.path : (
       "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL",
       "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath",
diff --git a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/05"
 integration = ["endpoint", "windows", "crowdstrike", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/10/07"
 
 [rule]
 author = ["Elastic"]
@@ -82,7 +82,7 @@ type = "eql"
 
 query = '''
 registry where host.os.type == "windows" and event.type == "change" and process.executable != null and
-  registry.value == "ImagePath" and
+  registry.data.strings != null and registry.value == "ImagePath" and
   registry.key : (
     "*\\ADWS", "*\\AppHostSvc", "*\\AppReadiness", "*\\AudioEndpointBuilder", "*\\AxInstSV", "*\\camsvc", "*\\CertSvc",
     "*\\COMSysApp", "*\\CscService", "*\\defragsvc", "*\\DeviceAssociationService", "*\\DeviceInstall", "*\\DevQueryBroker",
