From 375b8767dbac74703b876feface376652fee724d Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 19 Jun 2025 12:36:12 +0100
Subject: [PATCH 1/5] Update privilege_escalation_krbrelayup_service_creation.toml

---
 .../privilege_escalation_krbrelayup_service_creation.toml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
index e9a7cdaea62..39ac5dce28a 100644
--- a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
+++ b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/04/27"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/06/19"
 
 [rule]
 author = ["Elastic"]
@@ -76,11 +76,10 @@ sequence by winlog.computer_name with maxspan=5m
 [authentication where
 /* event 4624 need to be logged */
- event.action == "logged-in" and event.outcome == "success" and
+ event.action == "logged-in" and event.outcome == "success" and
 winlog.event_data.ElevatedToken == "%%1843" and process.pid == 0 and
 
 /* authenticate locally using relayed kerberos Ticket */
- winlog.event_data.AuthenticationPackageName :"Kerberos" and winlog.logon.type == "Network" and
- cidrmatch(source.ip, "127.0.0.0/8", "::1") and source.port > 0] by winlog.event_data.TargetLogonId
+ winlog.event_data.AuthenticationPackageName :"Kerberos" and winlog.logon.type == "Network" and cidrmatch(source.ip, "127.0.0.0/8", "::1")] by winlog.event_data.TargetLogonId
 
 [any where
 /* event 4697 need to be logged */

From 9329da79607f03bca046f3b898296fe2d0982cb9 Mon Sep 17 00:00:00 2001
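Review bot: The `-`/`+` pair on the `event.action == "logged-in" and event.outcome == "success" and` line is a whitespace-only change (both sides are textually identical), so the hunk reads as if the first logon condition were modified when the only substantive edits are the merged `AuthenticationPackageName`/`cidrmatch` line and the dropped `source.port > 0`; reverting that line would keep the diff to its intent. The retained `winlog.event_data.ElevatedToken == "%%1843"` clause compares against a raw Windows message-table ID that a reader has to look up, and since the query already annotates its conditions with `/* … */`, a note such as `/* ElevatedToken %%1843 = "No" (non-elevated token) */` would make the intent clear; if I recall the msobjs table correctly %%1842 is "Yes" and %%1843 is "No", but that mapping should be confirmed against a sample 4624 before it is documented. Dropping `source.port > 0` also removes the implicit requirement that `source.port` be populated, which is presumably intended since the loopback `cidrmatch` remains, but worth a word in the commit message. The `sequence` this hunk edits starts before the hunk (its header is only shown as context) and continues past it.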
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 19 Jun 2025 12:49:45 +0100
Subject: [PATCH 2/5] Update privilege_escalation_windows_service_via_unusual_client.toml

---
 ...rivilege_escalation_windows_service_via_unusual_client.toml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
index 3f5256352a7..67ad617f97b 100644
--- a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
+++ b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/02/07"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/06/19"
 
 [rule]
 author = ["Elastic"]
@@ -91,6 +91,7 @@ query = '''
 configuration where host.os.type == "windows" and
 event.action == "service-installed" and
 (winlog.event_data.ClientProcessId == "0" or winlog.event_data.ParentProcessId == "0") and
+ startswith~(user.domain, winlog.computer_name) and
 winlog.event_data.ServiceAccount == "LocalSystem" and
 not winlog.event_data.ServiceFileName : (
 "?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe", "?:\\Windows\\VeeamLogShipper\\VeeamLogShipper.exe",

From 78c9bad8153c250bb9f0c292652a6551d54fbf9b Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 19 Jun 2025 12:52:32 +0100
Subject: [PATCH 3/5] Update non-ecs-schema.json

---
 detection_rules/etc/non-ecs-schema.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index dfe2b4f5f85..5f16201aa9e 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
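Review bot: The argument order in the added `startswith~(user.domain, winlog.computer_name) and` looks inverted for the local-account check it appears to implement: EQL's `startsWith(source, substring)` tests whether the first argument begins with the second, so this requires `user.domain` to begin with the whole computer name, and on a domain-joined host where `winlog.computer_name` is the FQDN while `user.domain` carries the short NetBIOS name (constructed example: `HOST.corp.example` vs `HOST`), the clause is false and the rule would likely stop matching. If the intent is "the subject's domain is this host's own name", `startswith~(winlog.computer_name, user.domain) and` is the direction that survives the FQDN case, and a short `/* service installed under a local account of this host */` note above it would document why the clause exists, since the surrounding query carries no comments. This is inferred from the field semantics rather than from a sample event, so please verify against a 4697 record from a domain-joined host before merging. The `query` string this hunk edits continues past the hunk (the `ServiceFileName` exclusion list is cut off).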
@@ -36,6 +36,7 @@
 "SubjectLogonId": "keyword",
 "SubjectUserName": "keyword",
 "SubjectUserSid": "keyword",
+ "ServiceAccount": "keyword",
 "TargetUserName": "keyword",
 "TargetImage": "keyword",
 "TargetLogonId": "keyword",

From 1725a76e95ae6d68c0f6a5b5775c4563da34266f Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 19 Jun 2025 12:53:22 +0100
Subject: [PATCH 4/5] Update non-ecs-schema.json

---
 detection_rules/etc/non-ecs-schema.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index 5f16201aa9e..e2217256cdd 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -37,6 +37,7 @@
 "SubjectUserName": "keyword",
 "SubjectUserSid": "keyword",
 "ServiceAccount": "keyword",
+ "ElevatedToken": "keyword",
 "TargetUserName": "keyword",
 "TargetImage": "keyword",
 "TargetLogonId": "keyword",

From 8d3a7721c31dbed66e4ca3ccb56d58c6382ed988 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 19 Jun 2025 12:58:18 +0100
Subject: [PATCH 5/5] Update pyproject.toml

---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index 3f42e92b782..ea2dce8101b 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.2.22"
+version = "1.2.23"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"