Skip to content

[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 #5001

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 39 commits into
base: main
Choose a base branch
from
Open

[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 #5001

wants to merge 39 commits into from

Conversation

Samirbous
Copy link
Contributor

@Samirbous Samirbous commented Aug 21, 2025
edited
Loading

13 new rules and 3 tunings (compatible with majority of our endpoint integrations) to improve coverage for top threats/TTPs for Windows for last 6 to 12 months:

  1. MSHTA
  2. MSIEXEC
  3. Windows Run/fake CAPTCHA
  4. SocGolish/SmartApeSG (fake updates)
  5. NetSupport Manager
  6. AutoHotkey/NodeJS
  7. C2 - susp TLD
  8. C2 - IP address discovery
  9. proxy exec (ssh, conhost)
  10. REMCOS RAT
  11. payload from WebDAV
  12. chromium credaccess via injection or debugging

for threats like Ghostpulse and LummaC2 we have detection that hits on the delivery method (not payload as those require API or file access events not compatible with 3d party integrations like sysmon/crowdstrike/mde/s1).

Samirbous added 23 commits August 19, 2025 11:14
@Samirbous
[New/Tuning] Windows Top Threats 2024/2025
9c61d5b 
1) MSHTA:
- tuning to exclude FPs
- new rule `Remote Script via Microsoft HTML Application` compatible with 3d party EDR/sysmon/system/winlog integration and that does not require correlation or multiple type of events.

2) MSIEXEC:
@Samirbous
Update defense_evasion_mshta_susp_child.toml
5d02c4d
@Samirbous
Update defense_evasion_script_via_html_app.toml
4a26857
@Samirbous
Update defense_evasion_mshta_susp_child.toml
e1c879f
@Samirbous
Create defense_evasion_msiexec_remote_payload.toml
cebec1e
@Samirbous
Update defense_evasion_msiexec_remote_payload.toml
2ffb41e
@Samirbous
++
74980d5
@Samirbous
Create execution_scripting_remote_webdav.toml
a8dfabc
@Samirbous
Create execution_windows_fakecaptcha_cmd_ps.toml
0cdbf8a
@Samirbous
Create command_and_control_rmm_netsupport_susp_path.toml
098be4f
@Samirbous
Update command_and_control_rmm_netsupport_susp_path.toml
96a216b
@Samirbous
++
75846bf
@Samirbous
Update execution_jscript_fake_updates.toml
f480138
@Samirbous
Create command_and_control_dns_susp_tld.toml
5dc4175
@Samirbous
++
3b4b0fb
@Samirbous
Create command_and_control_remcos_rat_iocs.toml
5be9890
@Samirbous
Update execution_windows_fakecaptcha_cmd_ps.toml
018fc92
@Samirbous
Update execution_scripts_archive_file.toml
927b530
@Samirbous
Update defense_evasion_masquerading_renamed_autoit.toml
6cc236b
@Samirbous
++
1fd1227
@Samirbous
Create execution_nodejs_susp_patterns.toml
78d46ee
@Samirbous
Update execution_nodejs_susp_patterns.toml
530c88c
@Samirbous
Update execution_windows_fakecaptcha_cmd_ps.toml
8a48da0
@Samirbous Samirbous self-assigned this Aug 21, 2025
@Samirbous Samirbous added Rule: New Proposal for new rule Rule: Tuning tweaking or tuning an existing rule OS: Windows windows related rules labels Aug 21, 2025
@github-actions GitHub Actions
Copy link
Contributor

Rule: New - Guidelines

These guidelines serve as a reminder set of considerations when proposing a new rule.

Documentation and Context

  • Detailed description of the rule.
  • List any new fields required in ECS/data sources.
  • Link related issues or PRs.
  • Include references.

Rule Metadata Checks

  • creation_date matches the date of creation PR initially merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive, considering performance for diverse environments. Non ecs fields should be added to non-ecs-schema.json if not available in an integration.
  • min_stack_comments and min_stack_version should be included if the rule is only compatible starting from a specific stack version.
  • index pattern should be neither too specific nor too vague, ensuring it accurately matches the relevant data stream (e.g., use logs-endpoint.process-* for process data).
  • integration should align with the index. If the integration is newly introduced, ensure the manifest, schemas, and new_rule.yaml template are updated.
  • setup should include the necessary steps to configure the integration.
  • note should include any additional information (e.g. Triage and analysis investigation guides, timeline templates).
  • tags should be relevant to the threat and align/added to the EXPECTED_RULE_TAGS in the definitions.py file.
  • threat, techniques, and subtechniques should map to ATT&CK always if possible.

New BBR Rules

  • building_block_type should be included if the rule is a building block and the rule should be located in the rules_building_block folder.
  • bypass_bbr_timing should be included if adding custom lookback timing to the rule.

Testing and Validation

  • Provide evidence of testing and detecting the expected threat.
  • Check for existence of coverage to prevent duplication.

@tradebot-elastic
Copy link

tradebot-elastic commented Aug 21, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Script Execution via Microsoft HTML Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Network Activity from a Windows System Binary (eql)
  • ❌ Renamed AutoIt Scripts Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Microsoft HTML Application Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution with NodeJS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetSupport Manager Execution from an Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System Public IP Discovery via DNS Query (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution via FileFix Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Windows OpenSSH (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote Install via MsiExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential REMCOS Trojan Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Activity to a Suspicious Top Level Domain (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a WebDav Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Fake CAPTCHA Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Console Window Host (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link

tradebot-elastic commented Aug 21, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Script Execution via Microsoft HTML Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Network Activity from a Windows System Binary (eql)
  • ❌ Renamed AutoIt Scripts Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Microsoft HTML Application Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution with NodeJS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetSupport Manager Execution from an Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System Public IP Discovery via DNS Query (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution via FileFix Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Windows OpenSSH (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote Install via MsiExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential REMCOS Trojan Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Activity to a Suspicious Top Level Domain (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a WebDav Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Fake CAPTCHA Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Console Window Host (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@Samirbous Samirbous requested a review from w0rk3r August 21, 2025 21:22
@tradebot-elastic
Copy link

tradebot-elastic commented Aug 21, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Script Execution via Microsoft HTML Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Network Activity from a Windows System Binary (eql)
  • ❌ Renamed AutoIt Scripts Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Microsoft HTML Application Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution with NodeJS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetSupport Manager Execution from an Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System Public IP Discovery via DNS Query (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution via FileFix Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Windows OpenSSH (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote Install via MsiExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential REMCOS Trojan Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Activity to a Suspicious Top Level Domain (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a WebDav Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Fake CAPTCHA Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Console Window Host (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link

tradebot-elastic commented Aug 21, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Script Execution via Microsoft HTML Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Network Activity from a Windows System Binary (eql)
  • ❌ Renamed AutoIt Scripts Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Microsoft HTML Application Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution with NodeJS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetSupport Manager Execution from an Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System Public IP Discovery via DNS Query (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution via FileFix Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Windows OpenSSH (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote Install via MsiExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential REMCOS Trojan Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Activity to a Suspicious Top Level Domain (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a WebDav Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Fake CAPTCHA Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Console Window Host (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link

tradebot-elastic commented Aug 22, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Script Execution via Microsoft HTML Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Network Activity from a Windows System Binary (eql)
  • ❌ Renamed Automation Script Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Microsoft HTML Application Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution with NodeJS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetSupport Manager Execution from an Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System Public IP Discovery via DNS Query (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution via FileFix Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Windows OpenSSH (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote Install via MsiExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential REMCOS Trojan Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Activity to a Suspicious Top Level Domain (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a WebDav Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Fake CAPTCHA Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Console Window Host (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link

tradebot-elastic commented Aug 22, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Script Execution via Microsoft HTML Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Network Activity from a Windows System Binary (eql)
  • ❌ Renamed Automation Script Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Microsoft HTML Application Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution with NodeJS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetSupport Manager Execution from an Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System Public IP Discovery via DNS Query (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution via FileFix Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Windows OpenSSH (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote Install via MsiExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential REMCOS Trojan Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Activity to a Suspicious Top Level Domain (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a WebDav Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Fake CAPTCHA Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Console Window Host (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link

tradebot-elastic commented Aug 26, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Script Execution via Microsoft HTML Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Network Activity from a Windows System Binary (eql)
  • ❌ Renamed Automation Script Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Microsoft HTML Application Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution with NodeJS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetSupport Manager Execution from an Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System Public IP Discovery via DNS Query (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution via FileFix Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Windows OpenSSH (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote Install via MsiExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential REMCOS Trojan Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Activity to a Suspicious Top Level Domain (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a WebDav Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Fake CAPTCHA Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Console Window Host (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link

tradebot-elastic commented Aug 27, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Script Execution via Microsoft HTML Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Network Activity from a Windows System Binary (eql)
  • ❌ Renamed Automation Script Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Browser Process Spawned from an Unusual Parent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Microsoft HTML Application Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution with NodeJS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetSupport Manager Execution from an Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System Public IP Discovery via DNS Query (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution via FileFix Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Windows OpenSSH (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote Install via MsiExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential REMCOS Trojan Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Activity to a Suspicious Top Level Domain (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a WebDav Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Fake CAPTCHA Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Console Window Host (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link

tradebot-elastic commented Aug 27, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Script Execution via Microsoft HTML Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Network Activity from a Windows System Binary (eql)
  • ❌ Renamed Automation Script Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Browser Process Spawned from an Unusual Parent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Microsoft HTML Application Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution with NodeJS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetSupport Manager Execution from an Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System Public IP Discovery via DNS Query (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution via FileFix Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Windows OpenSSH (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote Install via MsiExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential REMCOS Trojan Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Activity to a Suspicious Top Level Domain (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a WebDav Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Fake CAPTCHA Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Console Window Host (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link

tradebot-elastic commented Aug 27, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Script Execution via Microsoft HTML Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Network Activity from a Windows System Binary (eql)
  • ❌ Renamed Automation Script Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Browser Process Spawned from an Unusual Parent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Microsoft HTML Application Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution with NodeJS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetSupport Manager Execution from an Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System Public IP Discovery via DNS Query (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution via FileFix Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Windows OpenSSH (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote Install via MsiExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential REMCOS Trojan Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Activity to a Suspicious Top Level Domain (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a WebDav Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Fake CAPTCHA Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Console Window Host (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eric-forte-elastic eric-forte-elastic eric-forte-elastic left review comments

@Mikaayenson Mikaayenson Mikaayenson approved these changes

@w0rk3r w0rk3r Awaiting requested review from w0rk3r

At least 2 approving reviews are required to merge this pull request.

Assignees

@Samirbous Samirbous

Labels
backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule Rule: Tuning tweaking or tuning an existing rule
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Samirbous @tradebot-elastic @Mikaayenson @eric-forte-elastic