PyPI - nldcsc-elastic-rules - Versions diffs - 0.0.8__py3-none-any.whl → 0.0.16__py3-none-any.whl - Mend

nldcsc-elastic-rules 0.0.8py3-none-any.whl → 0.0.16py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (123) hide show

nldcsc_elastic_rules/rules/windows/persistence_msi_installer_task_startup.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2024/09/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
@@ -35,18 +35,55 @@ type = "eql"
 query = '''
 any where host.os.type == "windows" and
- (process.name : "msiexec.exe" or Effective_process.name : "msiexec.exe") and
- (
-  (event.category == "file" and event.action == "creation" and
-   file.path : ("?:\\Windows\\System32\\Tasks\\*",
-                "?:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\*",
-                "?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*")) or
-  (event.category == "registry" and event.action == "modification" and
-   registry.path : ("H*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
-                    "H*\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
-                    "H*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
-                    "H*\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*"))
+  (process.name : "msiexec.exe" or Effective_process.name : "msiexec.exe") and
+  (
+    (
+      event.category == "file" and event.action == "creation" and
+      file.path : (
+        "?:\\Windows\\System32\\Tasks\\*",
+        "?:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\*",
+        "?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*"
+      ) and
+      not file.path : (
+        "?:\\Windows\\System32\\Tasks\\Adobe Acrobat Update Task",
+        "?:\\Windows\\System32\\Tasks\\HP\\Sure Click\\Sure Click ?.?.??.????",
+        "?:\\Windows\\System32\\Tasks\\HP\\Sure Click\\Sure Click UI ?.?.??.????",
+        "?:\\Windows\\System32\\Tasks\\HP\\Sure Click\\Upgrade Repair ?.?.??.????",
+        "?:\\Windows\\System32\\Tasks\\IntelSURQC-Upgrade-86621605-2a0b-4128-8ffc-15514c247132",
+        "?:\\Windows\\System32\\Tasks\\IntelSURQC-Upgrade-86621605-2a0b-4128-8ffc-15514c247132-Logon"
+      )
+    ) or
+    (
+      event.category == "registry" and event.action == "modification" and registry.data.strings != null and
+      registry.path : (
+        "H*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
+        "H*\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
+        "H*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
+        "H*\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*"
+      ) and
+      not registry.data.strings : (
+        "C:\\Program Files (x86)\\Common Files\\Acronis\\TibMounter\\tib_mounter_monitor.exe",
+        "C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe",
+        "C:\\Program Files\\Citrix\\Secure Access Client\\CtxsDPS.exe --clean-user-installs",
+        "C:\\Program Files\\OpenVPN\\bin\\openvpn-gui.exe",
+        "C:\\Program Files\\Veeam\\Endpoint Backup\\Veeam.EndPoint.Tray.exe -NoControlPanel -CheckNumberOfRunningAgents",
+        "\"C:\\Program Files (x86)\\Cisco\\Cisco Secure Client\\UI\\csc_ui.exe\" -minimized",
+        "\"C:\\Program Files (x86)\\Citrix\\ICA Client\\concentr.exe\" /startup",
+        "\"C:\\Program Files (x86)\\Citrix\\ICA Client\\Receiver\\AnalyticsSrv.exe\" /Startup",
+        "\"C:\\Program Files (x86)\\Citrix\\ICA Client\\redirector.exe\" /startup",
+        "\"C:\\Program Files (x86)\\EPSON Software\\Download Navigator\\EPSDNMON.EXE\"",
+        "\"C:\\Program Files (x86)\\Jabra\\Direct6\\jabra-direct.exe\" /minimized",
+        "\"C:\\Program Files (x86)\\VMware\\VMware Workstation\\vmware-tray.exe\"",
+        "\"C:\\Program Files\\ESET\\ESET Security\\ecmds.exe\" /run /hide /proxy",
+        "\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"",
+        "\"C:\\Program Files\\KeePassXC\\KeePassXC.exe\"",
+        "\"C:\\Program Files\\Palo Alto Networks\\GlobalProtect\\PanGPA.exe\"",
+        "\"C:\\Program Files\\PDF24\\pdf24.exe\"",
+        "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr",
+        "\"C:\\PROGRA~2\\Citrix\\DEVICE~1\\Bin64\\DTCLIE~1.EXE\"",
+        "\"%ProgramFiles%\\Teams Installer\\Teams.exe\" --checkInstall --source=default"
+      )
+    )
   )
 '''
 note = """## Triage and analysis

nldcsc_elastic_rules/rules/windows/persistence_via_application_shimming.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
@@ -85,7 +85,17 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and
   process.args : "?*" and
   not (process.args : "-m" and process.args : "-bg") and
-  not process.args : "-mm"
+  not process.args : (
+    "-mm",
+    "?:\\Program Files\\WindowsApps\\Microsoft.ApplicationCompatibilityEnhancements_*\\sdb\\sysMergeInboxStoreApp.sdb",
+    "\"?:\\Program Files\\WindowsApps\\Microsoft.ApplicationCompatibilityEnhancements_*\\sdb\\sysMergeInboxStoreApp.sdb\"",
+    "?:\\Program Files\\WindowsApps\\Microsoft.ApplicationCompatibilityEnhancements_*\\sdb\\msiMergeInboxStoreApp.sdb",
+    "\"?:\\Program Files\\WindowsApps\\Microsoft.ApplicationCompatibilityEnhancements_*\\sdb\\msiMergeInboxStoreApp.sdb\"",
+    "?:\\Program Files (x86)\\Citrix\\ICA Client\\CitrixWorkspaceLegacySWDA.sdb",
+    "Citrix Workspace",
+    "C:\\Program Files\\IIS Express\\iisexpressshim.sdb",
+    "C:\\Program Files (x86)\\IIS Express\\iisexpressshim.sdb"
+  )
 '''

nldcsc_elastic_rules/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml CHANGED Viewed

@@ -2,13 +2,14 @@
 creation_date = "2022/10/20"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries
-may create a new process with a different token to escalate privileges and bypass access controls.
+Identifies a process running with a non-SYSTEM account that enables the SeDebugPrivilege privilege. Adversaries may
+enable this privilege to debug and modify other processes, typically reserved for system-level tasks, to escalate
+privileges and bypass access controls.
 """
 from = "now-9m"
 index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
@@ -94,21 +95,26 @@ any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Secur
  /* exclude processes with System Integrity  */
  not winlog.event_data.SubjectUserSid : ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
- not winlog.event_data.ProcessName :
-         ("?:\\Windows\\System32\\msiexec.exe",
-          "?:\\Windows\\SysWOW64\\msiexec.exe",
-          "?:\\Windows\\System32\\lsass.exe",
-          "?:\\Windows\\WinSxS\\*",
-          "?:\\Program Files\\*",
-          "?:\\Program Files (x86)\\*",
-          "?:\\Windows\\System32\\MRT.exe",
-          "?:\\Windows\\System32\\cleanmgr.exe",
-          "?:\\Windows\\System32\\taskhostw.exe",
-          "?:\\Windows\\System32\\mmc.exe",
-          "?:\\Users\\*\\AppData\\Local\\Temp\\*-*\\DismHost.exe",
-          "?:\\Windows\\System32\\auditpol.exe",
-          "?:\\Windows\\System32\\wbem\\WmiPrvSe.exe",
-          "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSe.exe")
+ not winlog.event_data.ProcessName : (
+        "?:\\Program Files (x86)\\*",
+        "?:\\Program Files\\*",
+        "?:\\Users\\*\\AppData\\Local\\Temp\\*-*\\DismHost.exe",
+        "?:\\Windows\\System32\\auditpol.exe",
+        "?:\\Windows\\System32\\cleanmgr.exe",
+        "?:\\Windows\\System32\\lsass.exe",
+        "?:\\Windows\\System32\\mmc.exe",
+        "?:\\Windows\\System32\\MRT.exe",
+        "?:\\Windows\\System32\\msiexec.exe",
+        "?:\\Windows\\System32\\sdiagnhost.exe",
+        "?:\\Windows\\System32\\ServerManager.exe",
+        "?:\\Windows\\System32\\taskhostw.exe",
+        "?:\\Windows\\System32\\wbem\\WmiPrvSe.exe",
+        "?:\\Windows\\System32\\WerFault.exe",
+        "?:\\Windows\\SysWOW64\\msiexec.exe",
+        "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSe.exe",
+        "?:\\Windows\\SysWOW64\\WerFault.exe",
+        "?:\\Windows\\WinSxS\\*"
+    )
 '''

nldcsc_elastic_rules/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2021/07/06"
 integration = ["endpoint", "windows", "system", "crowdstrike", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2025/08/28"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
@@ -105,10 +105,22 @@ process where host.os.type == "windows" and event.type == "start" and
  not process.executable : (
     "?:\\Program Files (x86)\\CutePDF Writer\\CPWriter2.exe",
     "?:\\Program Files (x86)\\GPLGS\\gswin32c.exe",
+    "?:\\Program Files (x86)\\Acro Software\\CutePDF Writer\\CPWSave.exe",
+    "?:\\Program Files (x86)\\Acro Software\\CutePDF Writer\\CPWriter2.exe",
+    "?:\\Program Files (x86)\\CutePDF Writer\\CPWSave.exe",
+    "?:\\Program Files (x86)\\TSplus\\UniversalPrinter\\CPWriter2.exe",
+    "?:\\Program Files\\Seagull\\Printer Drivers\\Packages\\*\\DriverEnvironmentSetup.exe",
+    "?:\\Windows\\system32\\CNAB4RPD.EXE",
     /* Crowdstrike specific condition as it uses NT Object paths */
     "\\Device\\HarddiskVolume*\\Program Files (x86)\\CutePDF Writer\\CPWriter2.exe",
-    "\\Device\\HarddiskVolume*\\Program Files (x86)\\GPLGS\\gswin32c.exe"
+    "\\Device\\HarddiskVolume*\\Program Files (x86)\\GPLGS\\gswin32c.exe",
+    "\\Device\\HarddiskVolume*\\Program Files (x86)\\Acro Software\\CutePDF Writer\\CPWSave.exe",
+    "\\Device\\HarddiskVolume*\\Program Files (x86)\\Acro Software\\CutePDF Writer\\CPWriter2.exe",
+    "\\Device\\HarddiskVolume*\\Program Files (x86)\\CutePDF Writer\\CPWSave.exe",
+    "\\Device\\HarddiskVolume*\\Program Files (x86)\\TSplus\\UniversalPrinter\\CPWriter2.exe",
+    "\\Device\\HarddiskVolume*\\Program Files\\Seagull\\Printer Drivers\\Packages\\*\\DriverEnvironmentSetup.exe",
+    "\\Device\\HarddiskVolume*\\Windows\\system32\\CNAB4RPD.EXE"
  )
 '''

nldcsc_elastic_rules/rules/windows/privilege_escalation_via_ppid_spoofing.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2022/10/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
@@ -58,7 +58,8 @@ process where host.os.type == "windows" and event.action == "start" and
  not (process.parent.executable : "?:\\Windows\\System32\\Utilman.exe" and
      process.executable : ("?:\\Windows\\System32\\osk.exe",
                            "?:\\Windows\\System32\\Narrator.exe",
-                           "?:\\Windows\\System32\\Magnify.exe")) and
+                           "?:\\Windows\\System32\\Magnify.exe",
+                           "?:\\Windows\\System32\\VoiceAccess.exe")) and
  not process.parent.executable : "?:\\Windows\\System32\\AtBroker.exe" and

{nldcsc_elastic_rules-0.0.8.dist-info → nldcsc_elastic_rules-0.0.16.dist-info}/METADATA RENAMED Viewed

@@ -1,3 +1,3 @@
 Metadata-Version: 2.4
 Name: nldcsc-elastic-rules
-Version: 0.0.8
+Version: 0.0.16

nldcsc-elastic-rules 0.0.8__py3-none-any.whl → 0.0.16__py3-none-any.whl

nldcsc-elastic-rules 0.0.8py3-none-any.whl → 0.0.16py3-none-any.whl