Skip to content

Commit 7fca701

Browse files
rvald26rvald26claudeKbayero
authored
fix(rules/windows): correct 15 broken correlation rules + add 7 new detections (#2270)
Validated end-to-end by firing real payloads on a live Windows agent and confirming each alert in UTMStack (22/22 fired). Fixes regex backslash-escaping, the non-existent eventDataFileName field on 4663, eventDataProcessName on 4688 (use log.data.NewProcessName), the unpopulated log.channel clause, and the WinRM 4624-ProcessName issue. Adds 7 detections (shadow-copy deletion, suspicious PowerShell, Office-spawned shell, LOLBins, scheduled tasks, log tampering, credential dumping). Hardened for false positives; groupBy/deduplicateBy set on dataSource so a burst yields a single alert. Co-authored-by: rvald26 <rick@utmstack.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Co-authored-by: Yorjander Hernandez Vergara <99102374+Kbayero@users.noreply.github.com>
1 parent 527a9a0 commit 7fca701

22 files changed

Lines changed: 196 additions & 128 deletions
Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,19 @@
1+
# Rule version v1.2.0 (validated 2026-06-24)
2+
dataTypes:
3+
- wineventlog
4+
name: 'Windows: Audit Policy or Event Log Tampering'
5+
impact:
6+
confidentiality: 2
7+
integrity: 3
8+
availability: 2
9+
category: Defense Evasion
10+
technique: 'T1562.002 - Impair Defenses: Disable Windows Event Logging'
11+
adversary: origin
12+
description: Detects clearing of event logs (event 104) or command-line tampering with auditing/logging (auditpol /clear or /set ...disable, wevtutil cl, Clear-EventLog, fsutil usn deletejournal). Complements the Security-log-cleared (1102) rule.
13+
references:
14+
- https://attack.mitre.org/techniques/T1562/002/
15+
where: |
16+
(equals("log.eventCode", "104")) || (equals("log.eventCode", 4688) && regexMatch("log.data.CommandLine", "(?i)(auditpol.*/clear|auditpol.*/set.*(success|failure):disable|wevtutil.*(cl |clear-log)|Clear-EventLog|fsutil.*usn.*deletejournal|Remove-EventLog)"))
17+
groupBy:
18+
- dataSource
19+
deduplicateBy: []
Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,19 @@
1+
# Rule version v1.2.0 (validated 2026-06-24)
2+
dataTypes:
3+
- wineventlog
4+
name: 'Windows: Credential Dumping Tool Indicators'
5+
impact:
6+
confidentiality: 3
7+
integrity: 3
8+
availability: 2
9+
category: Credential Access
10+
technique: T1003 - OS Credential Dumping
11+
adversary: origin
12+
description: Detects command-line and PowerShell script-block indicators of credential-dumping tools (mimikatz/sekurlsa/lsadump, procdump lsass, comsvcs MiniDump, nanodump, rubeus). The command-line branch is the reliable trigger since AMSI blocks literal mimikatz strings in PowerShell.
13+
references:
14+
- https://attack.mitre.org/techniques/T1003/
15+
where: |
16+
(equals("log.eventCode", "4104") && regexMatch("log.eventDataScriptBlockText", "(?i)(invoke-mimikatz|sekurlsa|lsadump|kerberos::|crypto::|out-minidump|invoke-nanodump|get-keystrokes|mimikatz|invoke-kerberoast|rubeus)")) || (equals("log.eventCode", 4688) && regexMatch("log.data.CommandLine", "(?i)(sekurlsa|lsadump|mimikatz|procdump.*lsass|comsvcs.*minidump|nanodump|rundll32.*comsvcs|rubeus)"))
17+
groupBy:
18+
- dataSource
19+
deduplicateBy: []
Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,19 @@
1+
# Rule version v1.2.0 (validated 2026-06-24)
2+
dataTypes:
3+
- wineventlog
4+
name: 'Windows: LOLBin Proxy Execution / Ingress Tool Transfer'
5+
impact:
6+
confidentiality: 2
7+
integrity: 2
8+
availability: 1
9+
category: Defense Evasion
10+
technique: T1218 - System Binary Proxy Execution
11+
adversary: origin
12+
description: Detects living-off-the-land binaries used for proxy execution or download (mshta http, regsvr32 squiblydoo, certutil -urlcache/-decode, bitsadmin /transfer, wmic process call create, msbuild, installutil, mavinject).
13+
references:
14+
- https://attack.mitre.org/techniques/T1218/
15+
where: |
16+
equals("log.eventCode", 4688) && regexMatch("log.data.CommandLine", "(?i)(mshta.*http|mshta.*vbscript|mshta.*javascript|regsvr32.*scrobj|regsvr32.*/i:http|rundll32.*javascript:|rundll32.*url[.]dll|certutil.*(-urlcache|-decode|-encode|-split|-verifyctl).*(http|[.]exe|[.]dll|[.]txt|[.]bin)|bitsadmin.*/transfer.*http|wmic.*/node:.*process.*call.*create|installutil.*/(u|logfile=)|regasm.*/u|mavinject.*/injectrunning|cmstp.*/s)")
17+
groupBy:
18+
- dataSource
19+
deduplicateBy: []

rules/windows/masquerading_detection.yml

Lines changed: 3 additions & 33 deletions
Original file line numberDiff line numberDiff line change
@@ -29,37 +29,7 @@ description: |
2929
6. Kill the suspicious process and quarantine the file
3030
7. Search for other instances of the same file across the environment
3131
where: |
32-
(equals("log.eventCode", "4688") || equals("log.eventCode", "1")) &&
33-
(
34-
(
35-
regexMatch("log.eventDataProcessName", "(?i)\\\\csrss\\.exe$") &&
36-
!regexMatch("log.eventDataProcessName", "(?i)^C:\\\\Windows\\\\(System32|SysWOW64)\\\\csrss\\.exe$")
37-
) ||
38-
(
39-
regexMatch("log.eventDataProcessName", "(?i)\\\\services\\.exe$") &&
40-
!regexMatch("log.eventDataProcessName", "(?i)^C:\\\\Windows\\\\System32\\\\services\\.exe$")
41-
) ||
42-
(
43-
regexMatch("log.eventDataProcessName", "(?i)\\\\smss\\.exe$") &&
44-
!regexMatch("log.eventDataProcessName", "(?i)^C:\\\\Windows\\\\System32\\\\smss\\.exe$")
45-
) ||
46-
(
47-
regexMatch("log.eventDataProcessName", "(?i)\\\\wininit\\.exe$") &&
48-
!regexMatch("log.eventDataProcessName", "(?i)^C:\\\\Windows\\\\System32\\\\wininit\\.exe$")
49-
) ||
50-
(
51-
regexMatch("log.eventDataProcessName", "(?i)\\\\explorer\\.exe$") &&
52-
!regexMatch("log.eventDataProcessName", "(?i)^C:\\\\Windows\\\\explorer\\.exe$")
53-
) ||
54-
(
55-
regexMatch("log.eventDataProcessName", "(?i)\\\\svchost\\.exe$") &&
56-
!regexMatch("log.eventDataProcessName", "(?i)^C:\\\\Windows\\\\(System32|SysWOW64)\\\\svchost\\.exe$")
57-
) ||
58-
(
59-
regexMatch("log.eventDataProcessName", "(?i)\\\\lsass\\.exe$") &&
60-
!regexMatch("log.eventDataProcessName", "(?i)^C:\\\\Windows\\\\System32\\\\lsass\\.exe$")
61-
)
62-
)
32+
(equals("log.eventCode","4688") || equals("log.eventCode","1")) && ((regexMatch("log.data.NewProcessName","svchost[.]exe$") && !regexMatch("log.data.NewProcessName","[Ww]indows.(System32|SysWOW64).svchost[.]exe$")) || (regexMatch("log.data.NewProcessName","lsass[.]exe$") && !regexMatch("log.data.NewProcessName","[Ww]indows.System32.lsass[.]exe$")) || (regexMatch("log.data.NewProcessName","services[.]exe$") && !regexMatch("log.data.NewProcessName","[Ww]indows.System32.services[.]exe$")) || (regexMatch("log.data.NewProcessName","csrss[.]exe$") && !regexMatch("log.data.NewProcessName","[Ww]indows.(System32|SysWOW64).csrss[.]exe$")) || (regexMatch("log.data.NewProcessName","explorer[.]exe$") && !regexMatch("log.data.NewProcessName","[Ww]indows.explorer[.]exe$")))
6333
groupBy:
64-
- origin.host
65-
- target.user
34+
- dataSource
35+
deduplicateBy: []

rules/windows/ntds_extraction_attempts.yml

Lines changed: 8 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -27,23 +27,18 @@ description: |
2727
8. Check backup systems and shadow copies for unauthorized access
2828
9. Coordinate with incident response team for full forensic analysis
2929
where: |
30-
oneOf("log.eventCode", ["4663", "4656"]) &&
31-
equals("log.channel", "Security") &&
32-
(
33-
endsWith("log.eventDataObjectName", "\\ntds.dit") ||
34-
contains("log.eventDataObjectName", "\\NTDS\\") ||
35-
endsWith("log.eventDataProcessName", "\\ntdsutil.exe") ||
36-
endsWith("log.eventDataProcessName", "\\vssadmin.exe")
37-
) &&
38-
!equals("log.eventDataAccessMask", "0")
30+
oneOf("log.eventCode", ["4663","4656"]) && (contains("log.eventDataObjectName", "ntds.dit") || endsWith("log.eventDataProcessName", "ntdsutil.exe")) && !equals("log.eventDataAccessMask", "0")
3931
afterEvents:
4032
- indexPattern: v11-log-wineventlog-*
4133
with:
42-
- field: origin.host
34+
- field: log.eventCode
4335
operator: filter_term
44-
value: '{{.origin.host}}'
36+
value: '4663'
37+
- field: dataSource.keyword
38+
operator: filter_term
39+
value: '{{.dataSource}}'
4540
within: 30m
4641
count: 2
4742
groupBy:
48-
- origin.host
49-
- target.user
43+
- dataSource
44+
deduplicateBy: []

rules/windows/ntlm_downgrade_attack.yml

Lines changed: 3 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -31,17 +31,7 @@ description: |
3131
7. Audit network traffic for NTLMv1 authentication attempts
3232
8. Consider disabling NTLM entirely where possible
3333
where: |
34-
equals("log.eventCode", "4657") &&
35-
equals("log.channel", "Security") &&
36-
(
37-
regexMatch("log.eventDataObjectName", "(?i)\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\LMCompatibilityLevel") ||
38-
regexMatch("log.eventDataObjectName", "(?i)\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\MSV1_0\\\\NtlmMinClientSec") ||
39-
regexMatch("log.eventDataObjectName", "(?i)\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\MSV1_0\\\\NtlmMinServerSec") ||
40-
regexMatch("log.eventDataObjectName", "(?i)\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\MSV1_0\\\\RestrictSendingNTLMTraffic") ||
41-
regexMatch("log.eventDataObjectName", "(?i)\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\MSV1_0\\\\AuditReceivingNTLMTraffic") ||
42-
regexMatch("log.eventDataObjectName", "(?i)\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\Parameters\\\\RequireSignOrSeal")
43-
) &&
44-
!regexMatch("log.eventDataSubjectUserName", "(?i)^(SYSTEM|TrustedInstaller)$")
34+
equals("log.eventCode", "4657") && regexMatch("log.eventDataObjectName", "ControlSet.*Control.Lsa") && regexMatch("log.data.ObjectValueName", "(LMCompatibilityLevel|NtlmMinClientSec|NtlmMinServerSec|RestrictSendingNTLMTraffic|AuditReceivingNTLMTraffic|RequireSignOrSeal)") && !regexMatch("log.eventDataSubjectUserName", "(?i)^(SYSTEM|TrustedInstaller)$")
4535
groupBy:
46-
- origin.host
47-
- target.user
36+
- dataSource
37+
deduplicateBy: []
Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,19 @@
1+
# Rule version v1.2.0 (validated 2026-06-24)
2+
dataTypes:
3+
- wineventlog
4+
name: 'Windows: Office Application Spawned Command or Script Interpreter'
5+
impact:
6+
confidentiality: 2
7+
integrity: 3
8+
availability: 2
9+
category: Execution
10+
technique: 'T1204.002 - User Execution: Malicious File'
11+
adversary: origin
12+
description: Detects an Office/document application (winword, excel, outlook, etc.) spawning a command or script interpreter - a classic macro/phishing payload execution chain.
13+
references:
14+
- https://attack.mitre.org/techniques/T1204/002/
15+
where: |
16+
equals("log.eventCode", 4688) && regexMatch("log.data.ParentProcessName", "(?i)(winword|excel|powerpnt|outlook|onenote|msaccess|mspub|wordpad).exe$") && regexMatch("log.data.NewProcessName", "(?i)(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|bitsadmin|certutil|curl).exe$")
17+
groupBy:
18+
- dataSource
19+
deduplicateBy: []

rules/windows/possible_remote_code_execution_using_printernightmare.yml

Lines changed: 4 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -15,9 +15,8 @@ description: "Adversaries may exploit remote services to gain unauthorized acces
1515
A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system."
1616
references:
1717
- "https://attack.mitre.org/techniques/T1210/"
18-
where: equals("log.eventCode", 4663) &&
19-
regexMatch("log.eventDataObjectName", "\\Windows\\System32\\spool\\drivers\\") &&
20-
regexMatch("log.eventDataObjectName", "\\.(dll|exe)$") && !contains("log.eventDataProcessName", "spoolsv.exe")
18+
where: |
19+
equals("log.eventCode", 4663) && regexMatch("log.eventDataObjectName", "[Ww]indows.System32.spool.drivers") && regexMatch("log.eventDataObjectName", "[.](dll|exe)$") && !contains("log.eventDataProcessName", "spoolsv.exe")
2120
groupBy:
22-
- origin.ip
23-
- target.user
21+
- dataSource
22+
deduplicateBy: []

rules/windows/powershell_profiles.yml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -15,8 +15,8 @@ description: "Identifies the creation or modification of a PowerShell profile. P
1515
references:
1616
- "https://attack.mitre.org/tactics/TA0003/"
1717
- "https://attack.mitre.org/techniques/T1098/002/"
18-
where: equals("log.eventCode", 4663) &&
19-
regexMatch("log.eventDataObjectName", "(:\\Users\\.*\\Documents\\(WindowsPowerShell|PowerShell)\\.*profile\\.ps1$|:\\Windows\\System32\\WindowsPowerShell\\.*profile\\.ps1$)")
18+
where: |
19+
equals("log.eventCode", 4663) && regexMatch("log.eventDataObjectName", "(Users.*Documents.(WindowsPowerShell|PowerShell).*profile[.]ps1$|Windows.System32.WindowsPowerShell.*profile[.]ps1$)")
2020
groupBy:
21-
- origin.ip
22-
- target.user
21+
- dataSource
22+
deduplicateBy: []

rules/windows/printspooler_service_suspicious_file.yml

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,8 @@ description: "Detects attempts to exploit privilege escalation vulnerabilities r
1616
references:
1717
- "https://attack.mitre.org/tactics/TA0004/"
1818
- "https://attack.mitre.org/techniques/T1068/"
19-
where: contains("log.eventDataProcessName", "spoolsv.exe") && !regexMatch("log.eventDataProcessPath", "^C:\\\\Windows\\\\System32\\\\spoolsv.exe$")
19+
where: |
20+
(equals("log.eventCode",4688) || equals("log.eventCode",1)) && contains("log.data.NewProcessName", "spoolsv.exe") && !regexMatch("log.data.NewProcessName", "[Ss]ystem32.spoolsv[.]exe$")
2021
groupBy:
21-
- origin.ip
22-
- target.user
22+
- dataSource
23+
deduplicateBy: []

0 commit comments

Comments
 (0)