elastic · w0rk3r · Jul 7, 2025 · Jul 2, 2025 · Jul 2, 2025 · Jul 2, 2025
diff --git a/rules/windows/credential_access_moving_registry_hive_via_smb.toml b/rules/windows/credential_access_moving_registry_hive_via_smb.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/02/16"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/08/06"
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,7 @@ file where host.os.type == "windows" and event.type == "creation" and
  process.pid == 4 and user.id : ("S-1-5-21*", "S-1-12-1-*") and
  not file.path : (
  "?:\\*\\UPM_Profile\\NTUSER.DAT",
- "?:\\*\\UPM_Profile\\NTUSER.DAT.LASTGOOD.LOAD",
+ "?:\\*\\UPM_Profile\\NTUSER.DAT.LASTGOODLOAD",
  "?:\\*\\UPM_Profile\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat*",
  "?:\\Windows\\Netwrix\\Temp\\????????.???.offreg",
  "?:\\*\\AppData\\Local\\Packages\\Microsoft.*\\Settings\\settings.dat*"

diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/07/02"
 
 [transform]
 [[transform.osquery]]
@@ -127,7 +127,14 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
  (process.name : "attrib.exe" or ?process.pe.original_file_name == "ATTRIB.EXE") and process.args : "+h" and
- not (process.parent.name: "cmd.exe" and process.command_line: "attrib +R +H +S +A *.cui")
+ not (process.parent.name: "cmd.exe" and process.command_line: "attrib +R +H +S +A *.cui") and
+
+ not (
+ process.parent.name: "draw.io.exe" and
+ (
+ process.command_line : ("*drawio.bkp*", "*drawio.dtmp*")
+ )
+ )
 '''
 
 

diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/24"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/05/05"
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
@@ -82,6 +82,7 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and
  process.name : ("esensor.exe", "elastic-endpoint.exe") and
  process.parent.executable != null and
+ process.args != null and
  /* add FPs here */
  not process.parent.executable : (
  "?:\\Program Files\\Elastic\\*",
@@ -94,14 +95,15 @@ process where host.os.type == "windows" and event.type == "start" and
  process.parent.executable : (
  "?:\\Windows\\System32\\cmd.exe",
  "?:\\Windows\\System32\\SecurityHealthHost.exe",
+ "?:\\Windows\\System32\\SecurityHealth\\*\\SecurityHealthHost.exe",
  "?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
  ) and
  process.args : (
  "test", "version",
  "top", "run",
  "*help", "status",
  "upgrade", "/launch",
- "/enable"
+ "/enable", "/av"
  )
  )
 '''

diff --git a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/11/01"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/07/03"
 
 [rule]
 author = ["Elastic"]
@@ -88,7 +88,12 @@ registry where host.os.type == "windows" and event.type == "change" and
  "HKLM\\*\\LocalAccountTokenFilterPolicy",
  "\\REGISTRY\\MACHINE\\*\\LocalAccountTokenFilterPolicy",
  "MACHINE\\*\\LocalAccountTokenFilterPolicy"
- ) and registry.data.strings : ("1", "0x00000001")
+ ) and registry.data.strings : ("1", "0x00000001") and
+ not process.executable : (
+ /* Intune */
+ "C:\\Windows\\system32\\deviceenroller.exe",
+ "C:\\Windows\\system32\\omadmclient.exe"
+ )
 '''
 
 

diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/21"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/05/08"
+updated_date = "2025/07/02"
 
 [transform]
 [[transform.osquery]]
@@ -125,7 +125,11 @@ type = "eql"
 query = '''
 file where host.os.type == "windows" and event.type == "creation" and
 
- file.path : "C:\\*:*" and
+ file.path : "C:\\*:*" and file.extension in~ (
+ "pdf", "dll", "exe", "dat", "com", "bat", "cmd", "sys", "vbs", "ps1", "hta", "txt", "vbe", "js",
+ "wsh", "docx", "doc", "xlsx", "xls", "pptx", "ppt", "rtf", "gif", "jpg", "png", "bmp", "img", "iso"
+ ) and
+
  not file.path : 
  ("C:\\*:zone.identifier*",
  "C:\\users\\*\\appdata\\roaming\\microsoft\\teams\\old_weblogs_*:$DATA",
@@ -160,12 +164,12 @@ file where host.os.type == "windows" and event.type == "creation" and
  "?:\\windows\\System32\\svchost.exe",
  "?:\\Windows\\System32\\WFS.exe"
  ) and
+
+ not (
+ ?process.code_signature.trusted == true and
+ file.name : "*:sec.endpointdlp:$DATA"
+ )
 
- file.extension :
- (
- "pdf", "dll", "exe", "dat", "com", "bat", "cmd", "sys", "vbs", "ps1", "hta", "txt", "vbe", "js",
- "wsh", "docx", "doc", "xlsx", "xls", "pptx", "ppt", "rtf", "gif", "jpg", "png", "bmp", "img", "iso"
- )
 '''
 
 

diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/07/02"
 
 [transform]
 [[transform.osquery]]
@@ -124,10 +124,36 @@ type = "new_terms"
 query = '''
 host.os.type:windows and event.category:process and event.type:start and process.parent.name:"svchost.exe" and
 process.name:("cmd.exe" or "Cmd.exe" or "CMD.EXE") and
-not process.command_line : "\"cmd.exe\" /C sc control hptpsmarthealthservice 211"
+
+ not process.command_line : "\"cmd.exe\" /C sc control hptpsmarthealthservice 211"
 '''
 
 
+[[rule.filters]]
+
+[rule.filters.meta]
+negate = true
+[rule.filters.query.wildcard."process.command_line"]
+case_insensitive = true
+value = "*SysVol*WindowsDefenderATPOnboardingScript.cmd*"
+
+[[rule.filters]]
+
+[rule.filters.meta]
+negate = true
+[rule.filters.query.wildcard."process.command_line"]
+case_insensitive = true
+value = "\"cmd.exe\" /d /c C:\\\\???????\\\\system32\\\\hpatchmonTask.cmd"
+
+[[rule.filters]]
+
+[rule.filters.meta]
+negate = true
+[rule.filters.query.wildcard."process.command_line"]
+case_insensitive = true
+value = "\"C:\\\\???????\\\\system32\\\\cmd.exe\" /d /c C:\\\\???????\\\\system32\\\\hpatchmonTask.cmd"
+
+
 [[rule.filters]]
 
 [rule.filters.meta]
@@ -158,6 +184,7 @@ case_insensitive = true
 value = """
 cmd /C ".\\inetsrv\\iissetup.exe /keygen "
 """
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]