[Rule Tuning] Unusual Network Activity from a Windows System Binary (#2509)

w0rk3r · web-flow · commit 4bfcbeab36c8 · 2023-02-01T13:19:28.000-03:00
* [Rule Tuning] Unusual Network Activity from a Windows System Binary

* Update defense_evasion_network_connection_from_windows_binary.toml
diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/01/31"
 
 [rule]
 author = ["Elastic"]
@@ -63,7 +63,13 @@ sequence by process.entity_id with maxspan=5m
       process.name : "MSBuild.exe" or
       process.name : "msdt.exe" or
       process.name : "mshta.exe" or
-      process.name : "msiexec.exe" or
+      (
+         process.name : "msiexec.exe" and not
+         dns.question.name : (
+            "ocsp.digicert.com", "ocsp.verisign.com", "ocsp.comodoca.com", "ocsp.entrust.net", "ocsp.usertrust.com",
+            "ocsp.godaddy.com", "ocsp.camerfirma.com", "ocsp.globalsign.com", "ocsp.sectigo.com", "*.local"
+         )
+      ) or
       process.name : "msxsl.exe" or
       process.name : "odbcconf.exe" or
       process.name : "rcsi.exe" or
