[Rule Tuning] Windows High Severity - 5 (#5096)

w0rk3r · tradebot-elastic · commit 68380be4a4a5 · 2025-09-15T16:31:39.000Z
* [Rule Tuning] Windows High Severity - 4 * Update privilege_escalation_windows_service_via_unusual_client.toml (cherry picked from commit 7bd9c52)
diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/02/22"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -58,7 +58,7 @@ references = [
     "https://adsecurity.org/?p=280",
     "https://github.com/OTRF/Set-AuditRule",
 ]
-risk_score = 73
+risk_score = 47
 rule_id = "0b2f3da5-b5ec-47d1-908b-6ebb74814289"
 setup = """## Setup
 
@@ -83,7 +83,7 @@ As this specifies the servicePrincipalName Attribute GUID, it is expected to be
 Set-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success
 ```
 """
-severity = "high"
+severity = "medium"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",
diff --git a/rules/windows/discovery_high_number_ad_properties.toml b/rules/windows/discovery_high_number_ad_properties.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/29"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -49,7 +49,7 @@ LDAP (Lightweight Directory Access Protocol) is crucial for querying and modifyi
 - Implement additional monitoring on LDAP queries and Active Directory access to detect similar patterns of excessive attribute queries in the future.
 - Review and tighten access controls and permissions within Active Directory to ensure that only necessary attributes are accessible to users based on their roles.
 - Conduct a post-incident review to identify any gaps in security controls and update policies or procedures to prevent recurrence of similar threats."""
-risk_score = 73
+risk_score = 21
 rule_id = "68ad737b-f90a-4fe5-bda6-a68fa460044e"
 setup = """The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
 Steps to implement the logging policy with Advanced Audit Configuration:
@@ -63,7 +63,7 @@ Audit Policies >
 DS Access >
 Audit Directory Service Changes (Success,Failure)
 """
-severity = "high"
+severity = "low"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",
diff --git a/rules/windows/impact_high_freq_file_renames_by_kernel.toml b/rules/windows/impact_high_freq_file_renames_by_kernel.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/03"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -59,9 +59,9 @@ note = """## Triage and analysis
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
 references = ["https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/"]
-risk_score = 73
+risk_score = 21
 rule_id = "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a"
-severity = "high"
+severity = "low"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",
@@ -115,5 +115,5 @@ reference = "https://attack.mitre.org/tactics/TA0008/"
 
 [rule.threshold]
 field = ["host.id", "file.name"]
-value = 20
+value = 25
 
diff --git a/rules/windows/privilege_escalation_exploit_cve_202238028.toml b/rules/windows/privilege_escalation_exploit_cve_202238028.toml
@@ -2,11 +2,13 @@
 creation_date = "2024/04/23"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
-description = "Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.\n"
+description = """
+Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.
+"""
 from = "now-9m"
 index = [
     "logs-endpoint.events.file-*",
@@ -86,6 +88,14 @@ file where host.os.type == "windows" and event.type != "deletion" and
         "?:\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js", 
         "\\Device\\HarddiskVolume*\\*\\Windows\\system32\\DriverStore\\FileRepository\\*\\MPDW-constraints.js",
         "\\Device\\HarddiskVolume*\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js"
+    ) and
+    not process.executable : (
+          "?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe",
+          "?:\\Windows\\System32\\taskhostw.exe"
+    ) and
+    not file.path : (
+        "?:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSxS\\*\\MPDW-constraints.js",
+        "\\Device\\HarddiskVolume*\\$WINDOWS.~BT\\NewOS\\Windows\\WinSxS\\*\\MPDW-constraints.js"
     )
 '''
 
diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/26"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,7 @@ type = "eql"
 
 query = '''
 registry where host.os.type == "windows" and event.type == "change" and
-registry.value : ("windir", "systemroot") and
+registry.value : ("windir", "systemroot") and registry.data.strings != null and
 registry.path : (
     "*\\Environment\\windir",
     "*\\Environment\\systemroot"
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/17"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/01"
+updated_date = "2025/09/11"
 
 [transform]
 [[transform.osquery]]
@@ -136,8 +136,8 @@ process where host.os.type == "windows" and event.type == "start" and
         "?:\\Windows\\System32\\WerFault.exe",
 
         /* Crowdstrike specific exclusion as it uses NT Object paths */
-        "?\\Device\\HarddiskVolume*\\Windows\\Sys?????\\mmc.exe",
-        "?\\Device\\HarddiskVolume*\\Windows\\Sys?????\\WerFault.exe"
+        "\\Device\\HarddiskVolume*\\Windows\\Sys?????\\mmc.exe",
+        "\\Device\\HarddiskVolume*\\Windows\\Sys?????\\WerFault.exe"
   )
 '''
 
diff --git a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/02/07"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/06/19"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -96,7 +96,13 @@ configuration where host.os.type == "windows" and
     "?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe",
     "?:\\Windows\\VeeamLogShipper\\VeeamLogShipper.exe",
     "%SystemRoot%\\system32\\Drivers\\Crowdstrike\\*-CsInstallerService.exe",
-    "\"%windir%\\AdminArsenal\\PDQInventory-Scanner\\service-1\\PDQInventory-Scanner-1.exe\" "
+    "\"%windir%\\AdminArsenal\\PDQInventory-Scanner\\service-1\\PDQInventory-Scanner-1.exe\" ",
+    "\"%windir%\\AdminArsenal\\PDQDeployRunner\\service-1\\PDQDeployRunner-1.exe\" ",
+    "\"%windir%\\AdminArsenal\\PDQInventoryWakeCommand\\service-1\\PDQInventoryWakeCommand-1.exe\" ",
+    "\"%SystemRoot%\\nsnetpush.exe\"",
+    "\"C:\\WINDOWS\\ccmsetup\\ccmsetup.exe\" /runservice /ignoreskipupgrade /config:MobileClient.tcf",
+    "\"?:\\SMS\\bin\\x64\\srvboot.exe\"",
+    "%SystemRoot%\\pbpsdeploy.exe"
   )
 '''
 
