[Rule Tuning] Windows Misc Tuning

Author: w0rk3r

rules/windows/command_and_control_common_webservices.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/11/04"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/11/04"
+updated_date = "2025/12/01"
 
 [transform]
 [[transform.investigate]]
@@ -291,8 +291,9 @@ network where host.os.type == "windows" and
        dns.question.name : ("*.sharepoint.com", "graph.microsoft.com", "g.live.com", "login.live.com")
       ) or
 
-      (process.code_signature.subject_name : "Python Software Foundation" and process.code_signature.trusted == true and
-       dns.question.name : "files.pythonhosted.org") or 
+      (process.code_signature.subject_name : ("Python Software Foundation", "Anaconda, Inc.") and
+       process.code_signature.trusted == true and dns.question.name : "files.pythonhosted.org"
+      ) or
 
       /* Zoom */
       (process.name : "Zoom.exe" and (process.code_signature.subject_name : "Zoom Video Communications, Inc." and

rules/windows/execution_suspicious_powershell_imgload.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/09/18"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -92,12 +92,13 @@ host.os.type:windows and event.category:library and
     process.code_signature.trusted:true
   ) and
   not (
-    process.executable: C\:\\Windows\\AdminArsenal\\PDQInventory-Scanner\\service-*\\exec\\PDQInventoryScanner.exe and
+    proces
+    processs.executable: C\:\\Windows\\AdminArsenal\\PDQInventory-Scanner\\service-*\\exec\\PDQInventoryScanner.exe and
     process.code_signature.subject_name:"PDQ.com Corporation" and
     process.code_signature.trusted:true
   ) and
   not (
-    process.executable: C\:\\Windows\\Temp\\\{*\}\\_is*.exe and
+    process.name: (_is*.exe or "DellInstaller_x64.exe") and
     process.code_signature.subject_name:("Dell Technologies Inc." or "Dell Inc" or "Dell Inc.") and
     process.code_signature.trusted:true
   ) and
@@ -106,6 +107,11 @@ host.os.type:windows and event.category:library and
     process.code_signature.subject_name:("Chocolatey Software, Inc." or "Chocolatey Software, Inc") and
     process.code_signature.trusted:true
   ) and
+  not (
+    process.name: "Docker Desktop Installer.exe" and
+    process.code_signature.subject_name:"Docker Inc" and
+    process.code_signature.trusted:true
+  ) and
   not process.executable : (
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" or
     "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"

rules/windows/persistence_browser_extension_install.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/08/22"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
 maturity = "production"
-updated_date = "2025/05/05"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -84,7 +84,24 @@ file where host.os.type == "windows" and event.type : "creation" and
     not
     (
       process.name : "firefox.exe" and
-      file.name : ("langpack-*@firefox.mozilla.org.xpi", "*@dictionaries.addons.mozilla.org.xpi")
+      file.name : (
+        "langpack-*@firefox.mozilla.org.xpi",
+        "*@dictionaries.addons.mozilla.org.xpi",
+        "[email protected]",
+        "[email protected]",
+        /* AdBlockPlus */
+        "{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi",
+        /* Bitwarden */
+        "{446900e4-71c2-419f-a6a7-df9c091e268b}.xpi",
+        "[email protected]",
+        /* 1Password */
+        "{d634138d-c276-4fc8-924b-40a0ea21d284}.xpi",
+        "[email protected]",
+        /* Grammarly */
+        "[email protected]",
+        "[email protected]",
+        "[email protected]"
+      )
     )
   ) or
   /* Chromium-Based Browsers */

rules/windows/persistence_via_application_shimming.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -85,7 +85,17 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and
   process.args : "?*" and
   not (process.args : "-m" and process.args : "-bg") and
-  not process.args : "-mm"
+  not process.args : (
+    "-mm",
+    "?:\\Program Files\\WindowsApps\\Microsoft.ApplicationCompatibilityEnhancements_*\\sdb\\sysMergeInboxStoreApp.sdb",
+    "\"?:\\Program Files\\WindowsApps\\Microsoft.ApplicationCompatibilityEnhancements_*\\sdb\\sysMergeInboxStoreApp.sdb\"",
+    "?:\\Program Files\\WindowsApps\\Microsoft.ApplicationCompatibilityEnhancements_*\\sdb\\msiMergeInboxStoreApp.sdb",
+    "\"?:\\Program Files\\WindowsApps\\Microsoft.ApplicationCompatibilityEnhancements_*\\sdb\\msiMergeInboxStoreApp.sdb\"",
+    "?:\\Program Files (x86)\\Citrix\\ICA Client\\CitrixWorkspaceLegacySWDA.sdb",
+    "Citrix Workspace",
+    "C:\\Program Files\\IIS Express\\iisexpressshim.sdb",
+    "C:\\Program Files (x86)\\IIS Express\\iisexpressshim.sdb"
+  )
 '''
 
 

rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml

@@ -2,13 +2,14 @@
 creation_date = "2022/10/20"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries
-may create a new process with a different token to escalate privileges and bypass access controls.
+Identifies a process running with a non-SYSTEM account that enables the SeDebugPrivilege privilege. Adversaries may
+enable this privilege to debug and modify other processes, typically reserved for system-level tasks, to escalate
+privileges and bypass access controls.
 """
 from = "now-9m"
 index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
@@ -94,21 +95,26 @@ any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Secur
  /* exclude processes with System Integrity  */
  not winlog.event_data.SubjectUserSid : ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
 
- not winlog.event_data.ProcessName :
-         ("?:\\Windows\\System32\\msiexec.exe",
-          "?:\\Windows\\SysWOW64\\msiexec.exe",
-          "?:\\Windows\\System32\\lsass.exe",
-          "?:\\Windows\\WinSxS\\*",
-          "?:\\Program Files\\*",
-          "?:\\Program Files (x86)\\*",
-          "?:\\Windows\\System32\\MRT.exe",
-          "?:\\Windows\\System32\\cleanmgr.exe",
-          "?:\\Windows\\System32\\taskhostw.exe",
-          "?:\\Windows\\System32\\mmc.exe",
-          "?:\\Users\\*\\AppData\\Local\\Temp\\*-*\\DismHost.exe",
-          "?:\\Windows\\System32\\auditpol.exe",
-          "?:\\Windows\\System32\\wbem\\WmiPrvSe.exe",
-          "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSe.exe")
+ not winlog.event_data.ProcessName : (
+        "?:\\Program Files (x86)\\*",
+        "?:\\Program Files\\*",
+        "?:\\Users\\*\\AppData\\Local\\Temp\\*-*\\DismHost.exe",
+        "?:\\Windows\\System32\\auditpol.exe",
+        "?:\\Windows\\System32\\cleanmgr.exe",
+        "?:\\Windows\\System32\\lsass.exe",
+        "?:\\Windows\\System32\\mmc.exe",
+        "?:\\Windows\\System32\\MRT.exe",
+        "?:\\Windows\\System32\\msiexec.exe",
+        "?:\\Windows\\System32\\sdiagnhost.exe",
+        "?:\\Windows\\System32\\ServerManager.exe",
+        "?:\\Windows\\System32\\taskhostw.exe",
+        "?:\\Windows\\System32\\wbem\\WmiPrvSe.exe",
+        "?:\\Windows\\System32\\WerFault.exe",
+        "?:\\Windows\\SysWOW64\\msiexec.exe",
+        "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSe.exe",
+        "?:\\Windows\\SysWOW64\\WerFault.exe",
+        "?:\\Windows\\WinSxS\\*"
+    )
 '''
 
 

rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/07/06"
 integration = ["endpoint", "windows", "system", "crowdstrike", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2025/08/28"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -105,10 +105,22 @@ process where host.os.type == "windows" and event.type == "start" and
  not process.executable : (
     "?:\\Program Files (x86)\\CutePDF Writer\\CPWriter2.exe",
     "?:\\Program Files (x86)\\GPLGS\\gswin32c.exe",
+    "?:\\Program Files (x86)\\Acro Software\\CutePDF Writer\\CPWSave.exe",
+    "?:\\Program Files (x86)\\Acro Software\\CutePDF Writer\\CPWriter2.exe",
+    "?:\\Program Files (x86)\\CutePDF Writer\\CPWSave.exe",
+    "?:\\Program Files (x86)\\TSplus\\UniversalPrinter\\CPWriter2.exe",
+    "?:\\Program Files\\Seagull\\Printer Drivers\\Packages\\*\\DriverEnvironmentSetup.exe",
+    "?:\\Windows\\system32\\CNAB4RPD.EXE",
 
     /* Crowdstrike specific condition as it uses NT Object paths */
     "\\Device\\HarddiskVolume*\\Program Files (x86)\\CutePDF Writer\\CPWriter2.exe",
-    "\\Device\\HarddiskVolume*\\Program Files (x86)\\GPLGS\\gswin32c.exe"
+    "\\Device\\HarddiskVolume*\\Program Files (x86)\\GPLGS\\gswin32c.exe",
+    "\\Device\\HarddiskVolume*\\Program Files (x86)\\Acro Software\\CutePDF Writer\\CPWSave.exe",
+    "\\Device\\HarddiskVolume*\\Program Files (x86)\\Acro Software\\CutePDF Writer\\CPWriter2.exe",
+    "\\Device\\HarddiskVolume*\\Program Files (x86)\\CutePDF Writer\\CPWSave.exe",
+    "\\Device\\HarddiskVolume*\\Program Files (x86)\\TSplus\\UniversalPrinter\\CPWriter2.exe",
+    "\\Device\\HarddiskVolume*\\Program Files\\Seagull\\Printer Drivers\\Packages\\*\\DriverEnvironmentSetup.exe",
+    "\\Device\\HarddiskVolume*\\Windows\\system32\\CNAB4RPD.EXE"
  )
 '''
 

rules/windows/privilege_escalation_via_ppid_spoofing.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/10/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -58,7 +58,8 @@ process where host.os.type == "windows" and event.action == "start" and
  not (process.parent.executable : "?:\\Windows\\System32\\Utilman.exe" and
      process.executable : ("?:\\Windows\\System32\\osk.exe",
                            "?:\\Windows\\System32\\Narrator.exe",
-                           "?:\\Windows\\System32\\Magnify.exe")) and
+                           "?:\\Windows\\System32\\Magnify.exe",
+                           "?:\\Windows\\System32\\VoiceAccess.exe")) and
 
  not process.parent.executable : "?:\\Windows\\System32\\AtBroker.exe" and