[Rule Tuning] Communication App Rules (#5487)

* [Rule Tuning] Communication App Rules

* Update defense_evasion_masquerading_business_apps_installer.toml

* Update defense_evasion_masquerading_business_apps_installer.toml

* Update defense_evasion_masquerading_communication_apps.toml

* Update defense_evasion_masquerading_business_apps_installer.toml

---------

Co-authored-by: Samirbous <[email protected]>

(cherry picked from commit 5ec8e3e)

Author: w0rk3r

rules/windows/command_and_control_common_webservices.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/11/04"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2025/12/17"
 
 [transform]
 [[transform.investigate]]
@@ -296,7 +296,8 @@ network where host.os.type == "windows" and
       ) or
 
       /* Zoom */
-      (process.name : "Zoom.exe" and (process.code_signature.subject_name : "Zoom Video Communications, Inc." and
+      (process.name : "Zoom.exe" and (
+       process.code_signature.subject_name : ("Zoom Video Communications, Inc.", "Zoom Communications, Inc.") and
        process.code_signature.trusted == true) and dns.question.name : ("www.googleapis.com", "graph.microsoft.com")
       ) or
 

rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/08/04"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -33,25 +33,36 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where host.os.type == "windows" and event.type == "start" and 
- not process.executable : 
-             ("?:\\Program Files\\*.exe", 
+process where host.os.type == "windows" and event.type == "start" and
+  process.parent.name : (
+    "slack.exe", "CiscoCollabHost.exe", "WebexHost.exe", "Teams.exe",
+    "Discord.exe", "Whatsapp.exe", "Zoom.exe", "thunderbird.exe"
+  ) and
+  not process.executable : (
+              "?:\\Program Files\\*.exe", 
               "?:\\Program Files (x86)\\*.exe", 
               "?:\\Windows\\System32\\WerFault.exe", 
-              "?:\\Windows\\SysWOW64\\WerFault.exe") and 
+              "?:\\Windows\\SysWOW64\\WerFault.exe"
+  ) and
+
+  /* Common Signed Browser Processes */
+  not (
+    process.executable : (
+        "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
+        "?:\\Users\\*\\AppData\\Local\\Island\\Island\\Application\\Island.exe",
+        "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
+        "?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\opera.exe"
+    ) and process.code_signature.trusted == true
+  ) and
   (
     /* Slack */
     (process.parent.name : "slack.exe" and not
       (
         (
           process.executable : (
-            "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
-            "?:\\Users\\*\\AppData\\Local\\Island\\Island\\Application\\Island.exe",
             "?:\\Users\\*\\AppData\\Roaming\\Zoom\\bin*\\Zoom.exe",
             "?:\\Windows\\System32\\rundll32.exe",
-            "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
-            "?:\\Windows\\System32\\notepad.exe",
-            "?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\opera.exe"
+            "?:\\Windows\\System32\\notepad.exe"
           ) and process.code_signature.trusted == true
         ) or
         (
@@ -70,20 +81,11 @@ process where host.os.type == "windows" and event.type == "start" and
     /* WebEx */
     (process.parent.name : ("CiscoCollabHost.exe", "WebexHost.exe") and not
       (
-        (
-          process.executable : (
-            "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
-            "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
-            "?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\opera.exe"
-          ) and process.code_signature.trusted == true
-        ) or
-        (
-          process.code_signature.subject_name : (
-            "Cisco Systems, Inc.",
-            "Cisco WebEx LLC",
-            "Cisco Systems Inc."
-          ) and process.code_signature.trusted == true
-        )
+        process.code_signature.subject_name : (
+          "Cisco Systems, Inc.",
+          "Cisco WebEx LLC",
+          "Cisco Systems Inc."
+        ) and process.code_signature.trusted == true
       )
     ) or
 
@@ -93,8 +95,6 @@ process where host.os.type == "windows" and event.type == "start" and
         (
           process.executable : (
             "?:\\Windows\\BrowserCore\\BrowserCore.exe",
-            "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
-            "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe", 
             "?:\\Users\\*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe"
           ) and process.code_signature.trusted == true
         ) or
@@ -115,7 +115,6 @@ process where host.os.type == "windows" and event.type == "start" and
       (
         (
           process.executable : (
-            "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
             "?:\\Windows\\System32\\reg.exe",
             "?:\\Windows\\SysWOW64\\reg.exe"
           ) and process.code_signature.trusted == true
@@ -169,14 +168,13 @@ process where host.os.type == "windows" and event.type == "start" and
       (
         (
           process.executable : (
-            "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
-            "?:\\Users\\*\\AppData\\Local\\Island\\Island\\Application\\Island.exe",
-            "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe"
+            "?:\\Users\\*\\AppData\\Local\\BraveSoftware\\Brave-Browser\\Application\\brave.exe"
           ) and process.code_signature.trusted == true
         ) or
         (
           process.code_signature.subject_name : (
-            "Zoom Video Communications, Inc."
+            "Zoom Video Communications, Inc.",
+            "Zoom Communications, Inc."
           ) and process.code_signature.trusted == true
         )
       )

rules/windows/defense_evasion_masquerading_business_apps_installer.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/09/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -25,21 +25,21 @@ severity = "low"
 tags = [
     "Domain: Endpoint",
     "Data Source: Elastic Defend",
+    "Data Source: Elastic Endgame",
     "OS: Windows",
     "Use Case: Threat Detection",
     "Tactic: Defense Evasion",
     "Tactic: Initial Access",
     "Tactic: Execution",
-    "Resources: Investigation Guide",
-    "Data Source: Elastic Endgame",
+    "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where host.os.type == "windows" and
+process where host.os.type == "windows" and 
   event.type == "start" and process.executable : "?:\\Users\\*\\Downloads\\*" and
-  not process.code_signature.status : ("errorCode_endpoint*", "errorUntrustedRoot", "errorChaining") and
+  not process.code_signature.status like ("errorCode_endpoint*", "errorUntrustedRoot", "errorChaining") and process.hash.sha256 != null and 
   (
     /* Slack */
     (process.name : "*slack*.exe" and not
@@ -69,13 +69,17 @@ process where host.os.type == "windows" and
       (process.code_signature.subject_name in (
         "WhatsApp LLC",
         "WhatsApp, Inc",
-        "24803D75-212C-471A-BC57-9EF86AB91435"
+        "24803D75-212C-471A-BC57-9EF86AB91435",
+        /* WhatsApp Installer - MS Store */
+        "Microsoft Corporation"
        ) and process.code_signature.trusted == true)
     ) or
 
     /* Zoom */
     (process.name : ("*zoom*installer*.exe", "*zoom*setup*.exe", "zoom.exe")  and not
-      (process.code_signature.subject_name == "Zoom Video Communications, Inc." and process.code_signature.trusted == true)
+      (process.code_signature.subject_name in (
+        "Zoom Video Communications, Inc.", "Zoom Communications, Inc."
+       ) and process.code_signature.trusted == true)
     ) or
 
     /* Outlook */

rules/windows/defense_evasion_masquerading_communication_apps.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/05/05"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,8 @@ type = "eql"
 
 query = '''
 process where host.os.type == "windows" and
-  event.type == "start" and
+  event.type == "start" and 
+  not process.code_signature.status like "errorCode_endpoint*" and process.hash.sha256 != null and 
   (
     /* Slack */
     (process.name : "slack.exe" and not
@@ -50,7 +51,8 @@ process where host.os.type == "windows" and
 
     /* Teams */
     (process.name : "Teams.exe" and not
-      (process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true)
+      (process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true) and 
+      process.executable != "C:\\Program Files (x86)\\Teams Installer\\Teams.exe"
     ) or
 
     /* Discord */
@@ -60,7 +62,8 @@ process where host.os.type == "windows" and
 
     /* RocketChat */
     (process.name : "Rocket.Chat.exe" and not
-      (process.code_signature.subject_name : "Rocket.Chat Technologies Corp." and process.code_signature.trusted == true)
+      (process.code_signature.subject_name : "Rocket.Chat Technologies Corp." and process.code_signature.trusted == true) and 
+      process.executable != "C:\\Program Files\\rocketchat\\Rocket.Chat.exe"
     ) or
 
     /* Mattermost */
@@ -79,7 +82,10 @@ process where host.os.type == "windows" and
 
     /* Zoom */
     (process.name : "Zoom.exe" and not
-      (process.code_signature.subject_name : "Zoom Video Communications, Inc." and process.code_signature.trusted == true)
+      (process.code_signature.subject_name : (
+        "Zoom Video Communications, Inc.",
+        "Zoom Communications, Inc."
+       ) and process.code_signature.trusted == true)
     ) or
 
     /* Outlook */