[Rule Tuning] Misc Windows Tunings (#5955)

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

Author: 3 people

rules/windows/command_and_control_common_webservices.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/11/04"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/30"
+updated_date = "2026/04/21"
 
 [transform]
 [[transform.investigate]]
@@ -331,7 +331,9 @@ network where host.os.type == "windows" and
                               "Island Technology Inc.",
                               "GitHub, Inc.",
                               "Red Hat, Inc",
-                              "Mozilla Corporation"
+                              "Mozilla Corporation",
+                              "Spotify AB",
+                              "DeepL SE"
         )
       )
     )

…ial_access_iis_apppoolsa_pwd_appcmd.toml …ial_access_iis_apppoolsa_pwd_appcmd.tomlrules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml renamed to rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml renamed to rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

@@ -1,23 +1,26 @@
 [metadata]
-bypass_bbr_timing = true
 creation_date = "2020/08/18"
-integration = ["endpoint", "windows", "system"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/21"
 
 [rule]
 author = ["Elastic"]
-building_block_type = "default"
 description = """
-Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker
-with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.
+Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to dump sensitive configuration
+data such as application pool credentials. An attacker with IIS web server access via a web shell can extract service
+account passwords by requesting full configuration output or targeting credential-related fields.
 """
 from = "now-9m"
 index = [
     "endgame-*",
+    "logs-crowdstrike.fdr*",
     "logs-endpoint.events.process-*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
     "logs-system.security*",
-    "logs-windows.*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
     "winlogbeat-*",
 ]
 language = "eql"
@@ -34,16 +37,23 @@ tags = [
     "Tactic: Credential Access",
     "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend",
-    "Rule Type: BBR",
     "Data Source: Windows Security Event Logs",
+    "Data Source: Microsoft Defender XDR",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
    (process.name : "appcmd.exe" or ?process.pe.original_file_name == "appcmd.exe") and
-   process.args : "list" and process.args : "/text*"
+   process.args : "list" and
+   (
+     process.args : ("/text:*password*", "/text:*processModel*", "/text:*userName*", "/config", "*connectionstring*") or
+     process.args == "/text:*"
+   )
 '''
 
 

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml

@@ -2,11 +2,14 @@
 creation_date = "2021/07/07"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/04/07"
+updated_date = "2026/04/21"
 
 [rule]
 author = ["Elastic"]
-description = "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings."
+description = """
+Identifies use of the Set-MpPreference or Add-MpPreference PowerShell commands to disable or weaken certain Windows
+Defender settings, including detection of base64-encoded variants used to bypass command-line inspection.
+"""
 false_positives = ["Planned Windows Defender configuration changes."]
 from = "now-9m"
 index = [
@@ -64,6 +67,7 @@ references = [
     "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps",
     "https://www.elastic.co/security-labs/operation-bleeding-bear",
     "https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine",
+    "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml",
 ]
 risk_score = 47
 rule_id = "c8cccb06-faf2-4cd5-886e-2c9636cfcb87"
@@ -92,7 +96,50 @@ process where host.os.type == "windows" and event.type == "start" and
     process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
     ?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")
   ) and
-  process.args : "Set-MpPreference" and process.args : ("-Disable*", "Disabled", "NeverSend", "-Exclusion*")
+  (
+    (
+      process.args : ("Set-MpPreference", "Add-MpPreference") and
+      process.args : ("-Disable*", "Disabled", "NeverSend", "-Exclusion*")
+    ) or
+    /* base64-encoded (UTF-16LE) fragments of critical Defender settings, 3 byte-alignment offsets each */
+    (
+      process.command_line : ("*-e *", "*-en *", "* -enc*", "*FromBase64String*") and
+      process.command_line : (
+        /* DisableRealtimeMonitoring */
+        "*RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA*",
+        "*QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA*",
+        "*EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA*",
+        /* disablerealtimemonitoring */
+        "*ZABpAHMAYQBiAGwAZQByAGUAYQBsAHQAaQBtAGUAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA*",
+        "*QAaQBzAGEAYgBsAGUAcgBlAGEAbAB0AGkAbQBlAG0AbwBuAGkAdABvAHIAaQBuAGcAIA*",
+        "*kAGkAcwBhAGIAbABlAHIAZQBhAGwAdABpAG0AZQBtAG8AbgBpAHQAbwByAGkAbgBnACAA*",
+        /* DisableIOAVProtection */
+        "*RABpAHMAYQBiAGwAZQBJAE8AQQBWAFAAcgBvAHQAZQBjAHQAaQBvAG4AIA*",
+        "*QAaQBzAGEAYgBsAGUASQBPAEEAVgBQAHIAbwB0AGUAYwB0AGkAbwBuACAA*",
+        "*EAGkAcwBhAGIAbABlAEkATwBBAFYAUAByAG8AdABlAGMAdABpAG8AbgAgA*",
+        /* disableioavprotection */
+        "*ZABpAHMAYQBiAGwAZQBpAG8AYQB2AHAAcgBvAHQAZQBjAHQAaQBvAG4AIA*",
+        "*QAaQBzAGEAYgBsAGUAaQBvAGEAdgBwAHIAbwB0AGUAYwB0AGkAbwBuACAA*",
+        "*kAGkAcwBhAGIAbABlAGkAbwBhAHYAcAByAG8AdABlAGMAdABpAG8AbgAgA*",
+        /* DisableBehaviorMonitoring */
+        "*RABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgA*",
+        "*QAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIA*",
+        "*EAGkAcwBhAGIAbABlAEIAZQBoAGEAdgBpAG8AcgBNAG8AbgBpAHQAbwByAGkAbgBnACAA*",
+        /* disablebehaviormonitoring */
+        "*ZABpAHMAYQBiAGwAZQBiAGUAaABhAHYAaQBvAHIAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA*",
+        "*QAaQBzAGEAYgBsAGUAYgBlAGgAYQB2AGkAbwByAG0AbwBuAGkAdABvAHIAaQBuAGcAIA*",
+        "*kAGkAcwBhAGIAbABlAGIAZQBoAGEAdgBpAG8AcgBtAG8AbgBpAHQAbwByAGkAbgBnACAA*",
+        /* DisableBlockAtFirstSeen */
+        "*RABpAHMAYQBiAGwAZQBCAGwAbwBjAGsAQQB0AEYAaQByAHMAdABTAGUAZQBuACAA*",
+        "*QAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgAgA*",
+        "*EAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIA*",
+        /* disableblockatfirstseen */
+        "*ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA*",
+        "*QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA*",
+        "*kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA*"
+      )
+    )
+  )
 '''