[Rule Tuning] Remote Execution via File Shares (#4448)

elastic · Feb 5, 2025 · 3e0ba33 · 3e0ba33
1 parent 8024191
commit 3e0ba33
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/05"
 
 [transform]
 [[transform.osquery]]
@@ -116,7 +116,8 @@ sequence with maxspan=1m
       /* Veeam related processes */
       (
         process.name : (
-          "VeeamGuestHelper.exe", "VeeamGuestIndexer.exe", "VeeamAgent.exe", "VeeamLogShipper.exe", "Veeam.VSS.Sharepoint20??.exe"
+          "VeeamGuestHelper.exe", "VeeamGuestIndexer.exe", "VeeamAgent.exe", "VeeamLogShipper.exe",
+          "Veeam.VSS.Sharepoint20??.exe", "OracleProxy.exe", "Veeam.SQL.Service", "VeeamDeploymentSvc.exe"
         ) and process.code_signature.trusted == true and process.code_signature.subject_name : "Veeam Software Group GmbH"
       ) or
       /* PDQ related processes */
@@ -128,7 +129,7 @@ sequence with maxspan=1m
       ) or
       /* CrowdStrike related processes */
       (
-        (process.executable : "?:\\Windows\\System32\\drivers\\CrowdStrike\\*-WindowsSensor.*.exe" and 
+        (process.executable : "?:\\Windows\\System32\\drivers\\CrowdStrike\\*Sensor*.exe" and 
          process.code_signature.trusted == true and process.code_signature.subject_name : "CrowdStrike, Inc.") or
         (process.executable : "?:\\Windows\\System32\\drivers\\CrowdStrike\\*-CsInstallerService.exe" and 
          process.code_signature.trusted == true and process.code_signature.subject_name : "Microsoft Windows Hardware Compatibility Publisher")