diff --git a/rules/windows/collection_mailbox_export_winlog.toml b/rules/windows/collection_mailbox_export_winlog.toml index 96c0e3b3d18..4cbbea64307 100644 --- a/rules/windows/collection_mailbox_export_winlog.toml +++ b/rules/windows/collection_mailbox_export_winlog.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/13" +updated_date = "2023/12/12" [rule] author = ["Elastic"] @@ -72,7 +72,9 @@ event.category:process and host.os.type:windows and powershell.file.script_block_text : "New-MailboxExportRequest" and not ( file.path : ( - ?\:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\* + ?\:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\* or + ?\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1* or + ?\:\\\\Windows\\\\TEMP\\\\tmp_????????.???\\\\tmp_????????.???.ps?1* ) and file.name:(*.psd1 or *.psm1) ) ''' diff --git a/rules/windows/command_and_control_ingress_transfer_bits.toml b/rules/windows/command_and_control_ingress_transfer_bits.toml index 3af1b926869..684a16c02f7 100644 --- a/rules/windows/command_and_control_ingress_transfer_bits.toml +++ b/rules/windows/command_and_control_ingress_transfer_bits.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/22" +updated_date = "2023/12/13" [rule] author = ["Elastic"] 
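Review bot: The two new temp-directory exclusions in the `file.path` list are keyed purely on a file-name shape (`tmp_????????.???\tmp_????????.???.ps?1*` under `%LOCALAPPDATA%\Temp` or `C:\Windows\TEMP`), and both locations are writable by an unprivileged user, so a script that an attacker saves under such a name is dropped from the `New-MailboxExportRequest` detection on the strength of the name alone. The pattern presumably targets the implicit-remoting proxy modules that `Import-PSSession` writes to the temp directory — confirm that before merging and record it so the next maintainer does not widen it further, e.g. a `[[rule.false_positives]]` entry reading `Implicit remoting proxy modules generated by Import-PSSession (tmp_xxxxxxxx.xxx.psm1 under %TEMP% or C:\Windows\TEMP) contain New-MailboxExportRequest; this exclusion is name-based and is satisfied by any attacker-named file in those paths.` Separately, the trailing `*` after `.ps?1` lets the name continue past the module extension (e.g. `…psm1.anything.psd1` still passes the `*.psd1 or *.psm1` guard on the following line), which no generated module needs; `.ps?1` with no trailing `*` on both new lines is tighter. The `not (...)` exclusion and the query it belongs to begin before this hunk.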
@@ -39,6 +39,7 @@ file where host.os.type == "windows" and event.action == "rename" and not file.path : ( "?:\\Users\\*\\AppData\\Local\\Temp*\\wct*.tmp", "?:\\Users\\*\\AppData\\Local\\Adobe\\ARM\\*\\RdrServicesUpdater*.exe", + "?:\\Users\\*\\AppData\\Local\\Adobe\\ARM\\*\\AcroServicesUpdater2_x64.exe", "?:\\Users\\*\\AppData\\Local\\Docker Desktop Installer\\update-*.exe" ) ''' diff --git a/rules/windows/credential_access_lsass_loaded_susp_dll.toml b/rules/windows/credential_access_lsass_loaded_susp_dll.toml index 6bec3a140ea..5232fa70157 100644 --- a/rules/windows/credential_access_lsass_loaded_susp_dll.toml +++ b/rules/windows/credential_access_lsass_loaded_susp_dll.toml @@ -4,7 +4,7 @@ maturity = "production" integration = ["endpoint"] min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2023/12/14" [rule] author = ["Elastic"] @@ -90,7 +90,10 @@ library where host.os.type == "windows" and process.executable : "?:\\Windows\\S "Audinate Pty Ltd", "CyberArk Software Ltd.", "McAfeeSysPrep", - "NVIDIA Corporation PE Sign v2016") and + "NVIDIA Corporation PE Sign v2016", + "Trend Micro, Inc.", + "Fortinet Technologies (Canada) Inc.", + "Carbon Black, Inc.") and dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*", "errorChaining")) and not dll.hash.sha256 : diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml index 8004a068bdb..65fc728d445 100644 --- a/rules/windows/credential_access_posh_request_ticket.toml +++ b/rules/windows/credential_access_posh_request_ticket.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2023/12/14" [rule] author = ["Elastic"] 
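Review bot: `AcroServicesUpdater2_x64.exe` is excluded by path alone, and because whoever creates a BITS job chooses both the destination directory and the file name, a job that downloads to `%LOCALAPPDATA%\Adobe\ARM\<anything>\AcroServicesUpdater2_x64.exe` now passes this rule unseen; the wildcard segment after `ARM\` means no real Adobe folder layout is required, and the same applies to the `RdrServicesUpdater*.exe` entry above it. Nothing in the clause ties the file to Adobe — if the endpoint populates `file.code_signature.*` on rename events (I am not certain it does), gating the two Adobe entries on the signer, roughly `not (file.path : "?:\\Users\\*\\AppData\\Local\\Adobe\\ARM\\*\\*.exe" and file.code_signature.subject_name : "Adobe*" and file.code_signature.trusted == true)`, would close the gap; otherwise the rule's `false_positives` text should say plainly that these exclusions are name-based and evadable. The `not file.path : (...)` clause sits inside a query whose remaining conditions (beyond the `event.action == "rename"` shown in the hunk header) are not visible here.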
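Review bot: The three vendors added to `dll.code_signature.subject_name` inherit the surrounding clause's acceptance of `errorExpired`, `errorCode_endpoint*` and `errorChaining` statuses (the `dll.code_signature.status` line right after the additions), so a DLL whose certificate merely carries the subject "Carbon Black, Inc." — a field the certificate's creator chooses — is allowlisted in lsass as long as its chain fails in one of those ways, for instance a leaf whose issuer certificate is simply never supplied. Extending a subject-name-plus-lenient-status allowlist is cheap for an attacker to satisfy; for the newly added vendors prefer a separate clause that demands a verified signature, e.g. `not (dll.code_signature.subject_name : ("Trend Micro, Inc.", "Fortinet Technologies (Canada) Inc.", "Carbon Black, Inc.") and dll.code_signature.trusted == true)`, and keep the lenient statuses for the legacy entries that were found to need them. If the lenient statuses were genuinely required for these three, the sample that required them belongs in the rule's `note` so the relaxation is traceable. The `not (dll.code_signature.subject_name : (...)` clause opens before this hunk and the `dll.hash.sha256` list it is followed by continues past it.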
@@ -87,7 +87,8 @@ event.category:process and host.os.type:windows and KerberosRequestorSecurityToken ) and not user.id : ("S-1-5-18" or "S-1-5-20") and not powershell.file.script_block_text : ( - "sentinelbreakpoints" and ("Set-PSBreakpoint" or "Set-HookFunctionTabs") + ("sentinelbreakpoints" and ("Set-PSBreakpoint" or "Set-HookFunctionTabs")) or + ("function global" and "\\windows\\sentinel\\4") ) ''' diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml index 1a8d8b4caee..d3107aaaca2 100644 --- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/12/14" [rule] author = ["Elastic", "Anabella Cristaldi"] @@ -56,7 +56,8 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.action:("audit-log-cleared" or "Log clear") and winlog.api:"wineventlog" +event.action:("audit-log-cleared" or "Log clear") and winlog.api:"wineventlog" and + not winlog.provider_name:"AD FS Auditing" '''
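Review bot: The new exclusion `("function global" and "\\windows\\sentinel\\4")` matches on script text alone, so any ticket-requesting script can opt out of the rule by carrying those two strings in a comment — and `function global` is also an ordinary PowerShell construct (`function global:Name`), so the `\windows\sentinel\4` fragment is doing all of the discriminating work. If this is an EDR agent's PowerShell hooking stub (the path suggests so, but the hunk does not say), consider anchoring the exclusion on something the script author does not control, such as the hosting process or script file path if those fields are populated for script-block events, and at minimum record the provenance in `[[rule.false_positives]]`, e.g. `Endpoint agent PowerShell hooks whose script blocks reference \windows\sentinel\4 can contain the matched ticket-request strings; this exclusion is content-based.` The `not powershell.file.script_block_text : (...)` clause and the query it belongs to begin before this hunk.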
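Review bot: Excluding `winlog.provider_name:"AD FS Auditing"` fixes one known collision but not its cause — `event.action:"audit-log-cleared"` is presumably derived from the event ID alone, without regard to provider, which is how an AD FS auditing record could land in a log-clearing rule — so the next product that writes the same ID to the Security channel will reappear as a false positive. The sturdier form is a positive constraint on the provider that actually emits log-clear events: replace the two new lines with `and winlog.provider_name:"Microsoft-Windows-Eventlog"`; as far as I recall both the Security-channel `audit-log-cleared` event and the System-channel `Log clear` event come from that provider, but verify against a sample of each before switching so the `Log clear` branch is not silently lost. If the denylist form is kept, a `#` comment above `query = '''` explaining why AD FS is carved out (it reuses the same event ID for its own auditing events, not for clearing a log) would stop the next reader from assuming log clearing on AD FS hosts is deliberately ignored.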