Skip to content

fix(rules/windows): correct 15 broken correlation rules + add 7 new detections (validated on a live agent)#2270

Merged
Kbayero merged 2 commits into
v11from
feature/windows-correlation-rules-validated
Jun 25, 2026
Merged

fix(rules/windows): correct 15 broken correlation rules + add 7 new detections (validated on a live agent)#2270
Kbayero merged 2 commits into
v11from
feature/windows-correlation-rules-validated

Conversation

@rvald26

@rvald26 rvald26 commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Summary

Corrects 15 Windows correlation rules that could never match (systemic bugs) and adds 7 new high-value detections. Every rule was validated end-to-end: imported as a rule, fired with a real payload on a live Windows agent, and the alert confirmed in UTMStack (22/22 fired).

Fixes — detection logic only; name/impact/category/description/references preserved

Rule Bug Fix
possible_remote_code_execution_using_printernightmare \W \S \s in the path regex consumed as metaclasses → never matched . path-separator wildcards
powershell_profiles same backslash-regex bug . separators
printspooler_service_suspicious_file matched eventDataProcessName on 4688 (unpopulated) log.data.NewProcessName
printspooler_suspicious_spl_file backslash-regex bug . separators
ransom_note_creation used log.EventDataFileName (absent on 4663) eventDataObjectName
ransom_unusual_file_extension used eventDataFileName eventDataObjectName
remote_file_copy_desktopimgdownldr backslash-regex bug . separators
suspicious_event_…_admin_shares ^%systemroot%\… never matched backslash-free; exclude standard service dirs
uac_bypass_dll_sideloading eventDataFileName + backslash regex eventDataObjectName, exclude System32
unusual_dns_service_file_writes eventDataFileName eventDataObjectName
unusual_process_network_connection eventDataProcessName on 4688 log.data.NewProcessName
masquerading_detection eventDataProcessName on 4688 log.data.NewProcessName
ntds_extraction_attempts endsWith(…,"\ntds.dit")\n newline; unpopulated log.channel backslash-free; drop channel clause
ntlm_downgrade_attack wrong key path; value not in ObjectName; unpopulated channel ControlSet.*Control.Lsa + value via log.data.ObjectValueName; drop channel
windows_remote_management_abuse looked for wsmprovhost in a 4624 ProcessName (always -) detect wsmprovhost/winrshost spawning a recon tool (4688)

New detections

File ATT&CK Detects
ransom_inhibit_system_recovery T1490 vssadmin/wbadmin/bcdedit/wmic shadow-copy & recovery deletion
suspicious_powershell_obfuscation T1059.001 AMSI bypass / memory-injection, or download-cradle + exec
office_application_spawned_shell T1204.002 Office app → cmd/powershell/mshta/wscript/…
lolbin_proxy_execution T1218 mshta-http, regsvr32 squiblydoo, certutil download, bitsadmin, …
suspicious_scheduled_task_created T1053.005 schtasks / Register-ScheduledTask with a suspicious action
audit_or_event_log_tampering T1562.002 event-log clear (104) + auditpol/wevtutil/Clear-EventLog
credential_dumping_tool_indicators T1003 mimikatz/sekurlsa/procdump-lsass/comsvcs MiniDump

Why these fixes

On the tested agent the rules' assumptions didn't hold: 4688 fields (NewProcessName/CommandLine/ParentProcessName) live under log.data.*; 4663 carries ObjectName (there is no FileName field); log.channel is unpopulated on 4663/4657. The fixes target the actual ingested shapes.

False-positive hardening + deduplication

  • 9 rules tightened to drop benign triggers (ransomware extension list pruned of crypt[0-9]*/abc/enc; NOTICE.txt/bare INSTRUCTION removed; msbuild *.csproj dropped; bare Register-ScheduledTask scoped; vssadmin removed from NTDS; etc.).
  • groupBy/deduplicateBy moved to the populated dataSource (host) field so a burst of matching events collapses to a single alert — they previously grouped on origin.ip/target.user, which are empty for endpoint events. The two ransomware mass-write rules use deduplicateBy; the rest use groupBy.

🤖 Generated with Claude Code

…etections

Validated end-to-end by firing real payloads on a live Windows agent and
confirming each alert in UTMStack (22/22 fired). Fixes regex backslash-escaping,
the non-existent eventDataFileName field on 4663, eventDataProcessName on 4688
(use log.data.NewProcessName), the unpopulated log.channel clause, and the WinRM
4624-ProcessName issue. Adds 7 detections (shadow-copy deletion, suspicious
PowerShell, Office-spawned shell, LOLBins, scheduled tasks, log tampering,
credential dumping). Hardened for false positives; groupBy/deduplicateBy set on
dataSource so a burst yields a single alert.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@rvald26 rvald26 requested a review from a team June 25, 2026 17:47
@github-actions

Copy link
Copy Markdown

❌ Go dependencies check failed

There are outdated Go dependencies, or modules that could not be inspected.
Run bash .github/scripts/go-deps.sh --update --discover locally and
commit the updated go.mod / go.sum files.

Script output
🔍 Discovered 25 Go projects

📦 Dependencies with updates available:

  📁 ./agent:
     - github.com/elastic/go-sysinfo: v1.15.4 → v1.15.5
     - gorm.io/gorm: v1.31.1 → v1.31.2

  📁 ./as400:
     - github.com/elastic/go-sysinfo: v1.15.4 → v1.15.5
     - gorm.io/gorm: v1.31.1 → v1.31.2

  📁 ./utmstack-collector:
     - github.com/elastic/go-sysinfo: v1.15.4 → v1.15.5
     - gorm.io/gorm: v1.31.1 → v1.31.2

  📁 ./installer:
     - github.com/cloudfoundry/gosigar: v1.3.121 → v1.3.122

  📁 ./plugins/gcp:
     - google.golang.org/api: v0.285.0 → v0.286.0

  📁 ./plugins/modules-config:
     - github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs: v1.77.0 → v1.78.0
     - google.golang.org/api: v0.285.0 → v0.286.0

  📁 ./plugins/aws:
     - github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs: v1.77.0 → v1.78.0

  📁 ./agent-manager:
     - gorm.io/gorm: v1.31.1 → v1.31.2

�[0;31m❌ Please update dependencies before merging.�[0m

@github-actions

Copy link
Copy Markdown

✅ AI review — Approved

No issues detected in this diff.

architecture (gemini-3-flash-lite) — clean

Summary: No reviewable changes in this diff (excluded paths only).

No findings.

bugs (gemini-3-flash-lite) — clean

Summary: No reviewable changes in this diff (excluded paths only).

No findings.

security (gemini-3-flash-lite) — clean

Summary: No reviewable changes in this diff (excluded paths only).

No findings.

@github-actions

Copy link
Copy Markdown

⛔ Permission denied

Only members of @utmstack/administrators or @utmstack/core-developers can merge PRs into this repository.

PR author: @rvald26

The comments above (deps + AI review) are still valid — if you address them, the checks will re-run automatically, but final approval is left to an administrator.

@utmstack/administrators please review.

@utmstackprapprover utmstackprapprover Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Author is not in @utmstack/administrators nor @utmstack/core-developers — admin review required.

@Kbayero Kbayero merged commit 7fca701 into v11 Jun 25, 2026
@Kbayero Kbayero deleted the feature/windows-correlation-rules-validated branch June 25, 2026 17:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants