fix(rules/windows): correct 15 broken correlation rules + add 7 new detections (validated on a live agent)#2270
Conversation
…etections Validated end-to-end by firing real payloads on a live Windows agent and confirming each alert in UTMStack (22/22 fired). Fixes regex backslash-escaping, the non-existent eventDataFileName field on 4663, eventDataProcessName on 4688 (use log.data.NewProcessName), the unpopulated log.channel clause, and the WinRM 4624-ProcessName issue. Adds 7 detections (shadow-copy deletion, suspicious PowerShell, Office-spawned shell, LOLBins, scheduled tasks, log tampering, credential dumping). Hardened for false positives; groupBy/deduplicateBy set on dataSource so a burst yields a single alert. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
❌ Go dependencies check failedThere are outdated Go dependencies, or modules that could not be inspected. Script output |
✅ AI review — ApprovedNo issues detected in this diff. ✅
|
⛔ Permission deniedOnly members of @utmstack/administrators or @utmstack/core-developers can merge PRs into this repository. PR author: @rvald26 The comments above (deps + AI review) are still valid — if you address them, the checks will re-run automatically, but final approval is left to an administrator. @utmstack/administrators please review. |
Summary
Corrects 15 Windows correlation rules that could never match (systemic bugs) and adds 7 new high-value detections. Every rule was validated end-to-end: imported as a rule, fired with a real payload on a live Windows agent, and the alert confirmed in UTMStack (22/22 fired).
Fixes — detection logic only; name/impact/category/description/references preserved
\W \S \sin the path regex consumed as metaclasses → never matched.path-separator wildcards.separatorseventDataProcessNameon 4688 (unpopulated)log.data.NewProcessName.separatorslog.EventDataFileName(absent on 4663)eventDataObjectNameeventDataFileNameeventDataObjectName.separators^%systemroot%\…never matchedeventDataFileName+ backslash regexeventDataObjectName, exclude System32eventDataFileNameeventDataObjectNameeventDataProcessNameon 4688log.data.NewProcessNameeventDataProcessNameon 4688log.data.NewProcessNameendsWith(…,"\ntds.dit")→\nnewline; unpopulatedlog.channelControlSet.*Control.Lsa+ value vialog.data.ObjectValueName; drop channel-)New detections
Why these fixes
On the tested agent the rules' assumptions didn't hold: 4688 fields (
NewProcessName/CommandLine/ParentProcessName) live underlog.data.*; 4663 carriesObjectName(there is noFileNamefield);log.channelis unpopulated on 4663/4657. The fixes target the actual ingested shapes.False-positive hardening + deduplication
crypt[0-9]*/abc/enc;NOTICE.txt/bareINSTRUCTIONremoved;msbuild *.csprojdropped; bareRegister-ScheduledTaskscoped;vssadminremoved from NTDS; etc.).groupBy/deduplicateBymoved to the populateddataSource(host) field so a burst of matching events collapses to a single alert — they previously grouped onorigin.ip/target.user, which are empty for endpoint events. The two ransomware mass-write rules usededuplicateBy; the rest usegroupBy.🤖 Generated with Claude Code