Update defense_evasion_process_termination_followed_by_deletion.toml

w0rk3r · w0rk3r · commit 9f853a2ba19b · 2024-11-04T18:56:49.000-03:00
diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/10/18"
+updated_date = "2024/11/04"
 
 [transform]
 [[transform.osquery]]
@@ -112,7 +112,12 @@ sequence by host.id with maxspan=5s
     not process.executable like
              ("C:\\Windows\\SoftwareDistribution\\*.exe",
               "C:\\Windows\\WinSxS\\*.exe",
-              "?:\\Windows\\Postillion\\Office\\*.exe")
+              "?:\\Windows\\Postillion\\Office\\*.exe") and
+    not (
+      process.name : "infinst.exe" and process.parent.name: "dxsetup.exe" and
+      process.parent.code_signature.subject_name == "NVIDIA Corporation" and
+      process.parent.code_signature.status == "trusted"
+    )
    ] by process.executable
    [file where host.os.type == "windows" and event.type == "deletion" and file.extension in~ ("exe", "scr", "com") and
     not process.executable like
@@ -130,6 +135,12 @@ sequence by host.id with maxspan=5s
           "?:\\Windows\\tenable_mw_scan_*.exe",
           "?:\\Users\\*\\AppData\\Local\\Temp\\LogiUI\\Pak\\uninstall.exe",
           "?:\\ProgramData\\chocolatey\\*.exe"
+    ) and
+    not (process.name : "OktaVerifySetup-*.exe" and process.code_signature.subject_name == "Okta, Inc.") and
+    not (
+      process.executable : "?:\\Windows\\SysWOW64\\config\\systemprofile\\Citrix\\UpdaterBinaries\\CitrixReceiver\\*" and
+      process.code_signature.subject_name == "Citrix Systems, Inc." and
+      file.path : "?:\\Windows\\SysWOW64\\config\\systemprofile\\Citrix\\UpdaterBinaries\\CitrixReceiver\\*\\bootstrapperhelper.exe"
     )
    ] by file.path
 '''
