[Rule Tuning] Potential Modification of Accessibility Binaries (#3401)

Co-authored-by: Ruben Groenewoud <[email protected]> (cherry picked from commit 50df6f3)
elastic · Feb 1, 2024 · 3b6f48e · 3b6f48e
1 parent ccabe7b
commit 3b6f48e
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/10/23"
+updated_date = "2024/01/23"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -119,6 +119,7 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
  process.parent.name : ("Utilman.exe", "winlogon.exe") and user.name == "SYSTEM" and
+ process.pe.original_file_name : "?*" and
  process.args :
     (
     "C:\\Windows\\System32\\osk.exe",