[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 6 (#5021)

* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 6 * Apply suggestions from code review Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update defense_evasion_proxy_execution_via_msdt.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 11:37:15 -07:00
parent b91e73714e
commit 1af98a6170
5 changed files with 46 additions and 23 deletions
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2022/11/01"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/07/03"
+updated_date = "2025/08/26"

 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ index = [
    "endgame-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-m365_defender.event-*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -76,6 +77,7 @@ tags = [
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
@@ -92,7 +94,11 @@ registry where host.os.type == "windows" and event.type == "change" and
  not process.executable : (
    /* Intune */
    "C:\\Windows\\system32\\deviceenroller.exe",
-    "C:\\Windows\\system32\\omadmclient.exe"
+    "C:\\Windows\\system32\\omadmclient.exe",
+
+    /* Crowdstrike specific exclusion as it uses NT Object paths */
+    "\\Device\\HarddiskVolume*\\system32\\deviceenroller.exe",
+    "\\Device\\HarddiskVolume*\\system32\\omadmclient.exe"
  )
 '''

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2022/05/31"
-integration = ["endpoint", "windows", "m365_defender"]
+integration = ["endpoint", "windows", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/26"

 [rule]
 author = ["Elastic"]
@@ -17,6 +17,8 @@ index = [
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-m365_defender.event-*",
+    "logs-crowdstrike.fdr*",
+    "logs-sentinel_one_cloud_funnel.*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -72,6 +74,8 @@ tags = [
    "Data Source: Elastic Defend",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
+    "Data Source: Crowdstrike",
+    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
@@ -79,18 +83,29 @@ type = "eql"

 query = '''
 process where host.os.type == "windows" and event.type == "start" and
-   (process.pe.original_file_name == "msdt.exe" or process.name : "msdt.exe") and
-   (
+  (?process.pe.original_file_name == "msdt.exe" or process.name : "msdt.exe") and
+  (
    process.args : ("IT_RebrowseForFile=*", "ms-msdt:/id", "ms-msdt:-id", "*FromBase64*") or

-    (process.args : "-af" and process.args : "/skip" and
-     process.parent.name : ("explorer.exe", "cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe") and
-     process.args : ("?:\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml", "PCWDiagnostic.xml", "?:\\Users\\Public\\*", "?:\\Windows\\Temp\\*")) or
+    (
+      process.args : "-af" and process.args : "/skip" and
+      process.parent.name : ("explorer.exe", "cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe") and
+      process.args : ("?:\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml", "PCWDiagnostic.xml", "?:\\Users\\Public\\*", "?:\\Windows\\Temp\\*")
+    ) or

    (process.pe.original_file_name == "msdt.exe" and not process.name : "msdt.exe" and process.name != null) or

-    (process.pe.original_file_name == "msdt.exe" and not process.executable : ("?:\\Windows\\system32\\msdt.exe", "?:\\Windows\\SysWOW64\\msdt.exe"))
+    (
+      ?process.pe.original_file_name == "msdt.exe" and
+      not process.executable : (
+        "?:\\Windows\\system32\\msdt.exe",
+        "?:\\Windows\\SysWOW64\\msdt.exe",
+        /* Crowdstrike specific exclusion as it uses NT Object paths */
+        "\\Device\\HarddiskVolume*\\Windows\\system32\\msdt.exe",
+        "\\Device\\HarddiskVolume*\\Windows\\SysWOW64\\msdt.exe"
+      )
    )
+  )
 '''


@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2024/05/31"
-integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/26"

 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ index = [
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "endgame-*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -76,6 +77,7 @@ tags = [
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Data Source: Elastic Endgame",
+    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/09/02"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/12"
+updated_date = "2025/08/26"

 [transform]
 [[transform.osquery]]
@@ -37,7 +37,7 @@ Identifies child processes of unusual instances of RunDLL32 where the command li
 RunDLL32 could indicate malicious activity.
 """
 from = "now-60m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-crowdstrike.fdr*"]
 interval = "30m"
 language = "eql"
 license = "Elastic License v2"
@@ -108,6 +108,7 @@ tags = [
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
+    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
 ]
 type = "eql"
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/23"
-integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/26"

 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ index = [
    "endgame-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -72,6 +73,7 @@ tags = [
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
@@ -79,11 +81,8 @@ type = "eql"

 query = '''
 registry where host.os.type == "windows" and event.type == "change" and
-  registry.path : (
-    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt",
-    "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt",
-    "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt"
-  ) and registry.data.strings : ("1", "0x00000001")
+  registry.value : "EnableAt" and
+  registry.data.strings : ("1", "0x00000001")
 '''