diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
index aebc227ae..e72f823e8 100644
--- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
+++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/11/04"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
 [rule]
 author = ["Elastic"]
@@ -14,9 +16,12 @@ from = "now-9m"
 index = [
 "logs-endpoint.events.process-*",
 "winlogbeat-*",
-"logs-windows.*",
+"logs-windows.forwarded*",
+"logs-windows.sysmon_operational-*",
 "endgame-*",
 "logs-system.security*",
+"logs-m365_defender.event-*",
+"logs-sentinel_one_cloud_funnel.*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -24,14 +29,6 @@ name = "Remote File Copy to a Hidden Share"
 references = ["https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language"]
 risk_score = 47
 rule_id = "fa01341d-6662-426b-9d0c-6d81e33c8a9d"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
 tags = [
 "Domain: Endpoint",
@@ -41,6 +38,9 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: System",
+"Data Source: Microsoft Defender for Endpoint",
+"Data Source: Sysmon",
+"Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/lateral_movement_unusual_dns_service_children.toml b/rules/windows/lateral_movement_unusual_dns_service_children.toml
index 86ac9eee0..9a028c034 100644
--- a/rules/windows/lateral_movement_unusual_dns_service_children.toml
+++ b/rules/windows/lateral_movement_unusual_dns_service_children.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/07/16"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
 [rule]
 author = ["Elastic"]
@@ -21,9 +23,12 @@ from = "now-9m"
 index = [
 "winlogbeat-*",
 "logs-endpoint.events.process-*",
-"logs-windows.*",
+"logs-windows.forwarded*",
+"logs-windows.sysmon_operational-*",
 "endgame-*",
 "logs-system.security*",
+"logs-m365_defender.event-*",
+"logs-sentinel_one_cloud_funnel.*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -72,14 +77,6 @@ references = [
 ]
 risk_score = 73
 rule_id = "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "high"
 tags = [
 "Domain: Endpoint",
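Review bot: The rebuilt `integration` line for lateral_movement_unusual_dns_service_children.toml, `integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]`, leaves out `"system"` even though the rule's `index` in the next hunk keeps `"logs-system.security*"` and its tags keep `"Data Source: System"`. The hidden-share rule earlier in this same diff adds `"system"` to `integration` for exactly that index, so the omission here looks accidental rather than deliberate. Presumably `integration` is what declares the rule's required data sources to the packaging tooling, so the Windows Security channel would be undeclared for this rule. Suggest `integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]`.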
@@ -91,6 +88,9 @@ tags = [
 "Use Case: Vulnerability",
 "Data Source: Elastic Defend",
 "Data Source: System",
+"Data Source: Microsoft Defender for Endpoint",
+"Data Source: Sysmon",
+"Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
index ce5854fca..5e5031672 100644
--- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
+++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/10/19"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +13,7 @@ Identifies suspicious file creations in the startup folder of a remote system. A
 laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
+index = ["logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Lateral Movement via Startup Folder"
@@ -21,14 +23,6 @@ references = [
 ]
 risk_score = 73
 rule_id = "25224a80-5a4a-4b8a-991e-6ab390465c4f"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "high"
 tags = [
 "Domain: Endpoint",
@@ -38,6 +32,8 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
+"Data Source: Microsoft Defender for Endpoint",
+"Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml
index 147e12aa0..9e73ea35e 100644
--- a/rules/windows/persistence_app_compat_shim.toml
+++ b/rules/windows/persistence_app_compat_shim.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/09/02"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/08/05"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +13,7 @@ Identifies the installation of custom Application Compatibility Shim databases.
 abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
+index = ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Installation of Custom Shim Databases"
@@ -25,13 +27,20 @@ tags = [
 "Tactic: Persistence",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
+"Data Source: Microsoft Defender for Endpoint",
+"Data Source: SentinelOne",
+"Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
 registry where host.os.type == "windows" and event.type == "change" and
- registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb" and
+ registry.path : (
+ "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb",
+ "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb",
+ "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb"
+ ) and
 not process.executable : ("?:\\Program Files (x86)\\DesktopCentral_Agent\\swrepository\\1\\swuploads\\SAP-SLC\\SAPSetupSLC02_14-80001954\\Setup\\NwSapSetup.exe",
 "?:\\$WINDOWS.~BT\\Sources\\SetupPlatform.exe",
diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml
index c906da590..b9abf4983 100644
--- a/rules/windows/persistence_appinitdlls_registry.toml
+++ b/rules/windows/persistence_appinitdlls_registry.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/11/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/08/05"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
 [transform]
 [[transform.osquery]]
@@ -48,7 +50,7 @@ Attackers who add those DLLs to the registry locations can execute code with ele
 injection, and provide a solid and constant persistence on the machine.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Registry Persistence via AppInit DLL"
@@ -107,16 +109,8 @@ This rule identifies modifications on the AppInit registry keys.
 """
 risk_score = 47
 rule_id = "d0e159cf-73e9-40d1-a9ed-077e3158a855"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -126,7 +120,9 @@ registry where host.os.type == "windows" and event.type == "change" and
 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
 "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
 "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
- "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls"
+ "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
+ "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
+ "MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls"
 ) and
 not process.executable : (
 "?:\\Windows\\System32\\DriverStore\\FileRepository\\*\\Display.NvContainer\\NVDisplay.Container.exe",
diff --git a/rules/windows/persistence_browser_extension_install.toml b/rules/windows/persistence_browser_extension_install.toml
index 5510e1a7d..19dec5c46 100644
--- a/rules/windows/persistence_browser_extension_install.toml
+++ b/rules/windows/persistence_browser_extension_install.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2023/08/22"
-integration = ["endpoint"]
+integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
 [rule]
 author = ["Elastic"]
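Review bot: The new `integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel"]` for persistence_browser_extension_install.toml does not list `"windows"`, yet the hunk that follows adds `"logs-windows.sysmon_operational-*"` to `index` and `"Data Source: Sysmon"` to `tags`. The IFEO and startup-shell-folder rules later in this same diff add `"windows"` to `integration` precisely when they start reading Sysmon data, so this file is the odd one out. Suggest `integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]` so the declared integrations match the indices the rule actually queries.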
@@ -11,7 +13,7 @@ Identifies the install of browser extensions. Malicious browser extensions can b
 masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.file-*"]
+index = ["logs-endpoint.events.file-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Browser Extension Install"
@@ -24,6 +26,9 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Persistence",
 "Data Source: Elastic Defend",
+"Data Source: Microsoft Defender for Endpoint",
+"Data Source: Sysmon",
+"Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
index 22d29ec80..72a0dfd71 100644
--- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml
+++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/12/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/08/05"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +14,7 @@ sometimes done by attackers to increase access to a system and avoid appearing i
 the net users command.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Creation of a Hidden Local User Account"
@@ -49,14 +51,6 @@ references = [
 ]
 risk_score = 73
 rule_id = "2edc8076-291e-41e9-81e4-e3fcbc97ae5e"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "high"
 tags = [
 "Domain: Endpoint",
@@ -67,6 +61,8 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
+"Data Source: Microsoft Defender for Endpoint",
+"Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -75,7 +71,8 @@ query = '''
 registry where host.os.type == "windows" and event.type == "change" and
 registry.path : (
 "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\",
- "\\REGISTRY\\MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\"
+ "\\REGISTRY\\MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\",
+ "MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\"
 )
 '''
 
diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
index 6dc825a60..cc48f08d2 100644
--- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml
+++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
-integration = ["endpoint"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +13,7 @@ The Debugger and SilentProcessExit registry keys can allow an adversary to inter
 different process to be executed. This functionality can be abused by an adversary to establish persistence.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
+index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Image File Execution Options Injection"
@@ -30,6 +32,8 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
+"Data Source: Microsoft Defender for Endpoint",
+"Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -45,7 +49,11 @@ registry where host.os.type == "windows" and event.type == "change" and
 "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger",
 "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
 "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
- "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess"
+ "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
+ "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger",
+ "MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
+ "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
+ "MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess"
 ) and
 /* add FPs here */
 not registry.data.strings regex~ ("""C:\\Program Files( \(x86\))?\\ThinKiosk\\thinkiosk\.exe""", """.*\\PSAppDeployToolkit\\.*""")
diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
index 204561141..0aec5fc8c 100644
--- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
+++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
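Review bot: The added native-hive path `MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger` carries over an asymmetry already present in the `\\REGISTRY\\MACHINE` line above it: the native IFEO path only matches subkeys ending in `.exe`, whereas the `WOW6432Node` sibling on the next line uses `*\\Debugger` and matches any subkey. Nothing in the hunk says the `.exe` restriction is deliberate, so a `Debugger` value set under an IFEO subkey with a different image-name extension would be caught on the WOW6432Node path but missed on the native one, for both the `\\REGISTRY\\MACHINE` and the new `MACHINE` forms. Consider using `*\\Debugger` on all four Debugger lines, or adding a short comment in the query stating why the native path is intentionally narrower. The `registry.path : (` list opens above this hunk, so any `HKLM` variants are not visible here.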
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2021/03/15"
-integration = ["endpoint"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 
 [transform]
 [[transform.osquery]]
@@ -37,7 +39,7 @@ Identifies suspicious startup shell folder modifications to change the default S
 detections monitoring file creation in the Windows Startup folder.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
+index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Startup Shell Folder Modification"
@@ -110,6 +112,8 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
+"Data Source: Microsoft Defender for Endpoint",
+"Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -124,10 +128,16 @@ registry where host.os.type == "windows" and event.type == "change" and
 "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup",
 "HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup",
 "HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup",
+ "HKCU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup",
+ "HKCU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup",
 "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Startup",
 "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup",
 "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup",
- "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup"
+ "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup",
+ "MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Startup",
+ "MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup",
+ "USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup",
+ "USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup"
 ) and registry.data.strings != null and
 
 /* Normal Startup Folder Paths */
diff --git a/rules/windows/persistence_local_scheduled_job_creation.toml b/rules/windows/persistence_local_scheduled_job_creation.toml
index d03c429f7..9a0858128 100644
--- a/rules/windows/persistence_local_scheduled_job_creation.toml
+++ b/rules/windows/persistence_local_scheduled_job_creation.toml
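Review bot: The two added `HKCU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\...\\Startup` patterns demand a path segment between `HKCU\\` and `\\Software`, mirroring the existing `HKU\\*\\` and `HKEY_USERS\\*\\` lines where that segment is the user SID. A path rendered as `HKCU\\Software\\Microsoft\\...` has no such segment, and since `*` sits between two literal backslashes it cannot absorb the missing separator, so that form would not match either new line. Unless the M365 Defender or SentinelOne mappings emit a SID after `HKCU` (nothing in this hunk shows what they emit), the patterns that would actually fire are `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup` and the matching `Shell Folders\\Startup` form, added alongside or instead of the wildcard ones. The `registry.path : (` list begins above this hunk, so any `HKLM` variants are not visible here.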
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/03/15"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/11"
+updated_date = "2024/10/10"
 
 [rule]
 author = ["Elastic"]
@@ -14,22 +14,14 @@ task scheduling functionality to facilitate initial or recurring execution of ma
 """
 false_positives = ["Legitimate scheduled jobs may be created during installation of new software."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via Scheduled Job Creation"
 risk_score = 47
 rule_id = "1327384f-00f3-44d5-9a8c-2373ba071e92"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"]
 timestamp_override = "event.ingested"
 type = "eql"
 