Update execution_windows_script_from_internet.toml (#4452)

elastic · Feb 7, 2025 · 27e8b85 · 27e8b85
1 parent c7f5385
commit 27e8b85
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/rules/windows/execution_windows_script_from_internet.toml b/rules/windows/execution_windows_script_from_internet.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Mark of The Web enrichment was added to Elastic Defend file events in 8.15.0."
 min_stack_version = "8.15.0"
-updated_date = "2025/01/31"
+updated_date = "2025/02/07"
 
 [rule]
 author = ["Elastic"]
@@ -38,7 +38,8 @@ sequence by host.id, user.id with maxspan=3m
   file.extension in~ ("js", "jse", "vbs", "vbe", "wsh", "hta", "cmd", "bat") and
   (file.origin_url != null or file.origin_referrer_url != null)]
 [process where host.os.type == "windows" and event.type == "start" and
- process.parent.name : "explorer.exe" and process.args_count >= 2 and
+ process.parent.name : ("chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "explorer.exe", "winrar.exe", "7zFM.exe", "7zG.exe", "Bandizip.exe") and 
+ process.args_count >= 2 and
  (
   process.name in~ ("wscript.exe", "mshta.exe") or
   (process.name : "cmd.exe" and process.command_line : ("*.cmd*", "*.bat*"))