diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml
index f6901a2a1..f05d40e10 100644
--- a/rules/windows/defense_evasion_clearing_windows_console_history.toml
+++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/11/22"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/12"
+updated_date = "2026/02/19"
 
 [rule]
 author = ["Austin Songer"]
@@ -89,9 +89,12 @@ process where host.os.type == "windows" and event.type == "start" and
 ?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")
 ) and
 (
- process.args : "*Clear-History*" or
- (process.args : ("*Remove-Item*", "rm") and process.args : ("*ConsoleHost_history.txt*", "*(Get-PSReadlineOption).HistorySavePath*")) or
- (process.args : "*Set-PSReadlineOption*" and process.args : "*SaveNothing*")
+ process.command_line : "*Clear-History*" or
+ (
+ process.command_line : ("*Remove-Item*", "* rm *") and
+ process.command_line : ("*ConsoleHost_history.txt*", "*(Get-PSReadlineOption).HistorySavePath*")
+ ) or
+ (process.command_line : "*Set-PSReadlineOption*" and process.command_line : "*SaveNothing*")
 )
 '''
 
diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
index 724328bd2..628a39d09 100644
--- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
+++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/25"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2026/02/19"
 
 [rule]
 author = ["Elastic"]
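Review bot: The `"* rm *"` pattern in the new `process.command_line` check requires a space on both sides, so `rm` placed right after an opening quote, brace or semicolon (as in `-Command "rm ...`) no longer matches, whereas the old `process.args : "rm"` matched the token wherever it stood. PowerShell's other Remove-Item aliases (`ri`, `del`, `erase`) are outside the list as well. Because the history-file condition is ANDed in, widening the first list to `("*Remove-Item*", "* rm *", "*\"rm *", "* ri *", "* del *", "* erase *")` adds little noise. The query begins before this hunk.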
@@ -22,13 +22,13 @@ index = [ ] language = "eql" license = "Elastic License v2" -name = "Encoded Executable Stored in the Registry" +name = "Deprecated - Encoded Executable Stored in the Registry" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Encoded Executable Stored in the Registry +### Investigating Deprecated - Encoded Executable Stored in the Registry Windows Registry is a hierarchical database storing low-level settings for the OS and applications. Adversaries exploit it to hide encoded executables, evading detection by avoiding direct disk storage. The detection rule identifies suspicious registry modifications, specifically targeting encoded patterns indicative of hidden executables, thus flagging potential defense evasion tactics. diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml index 65519ae0b..501408faa 100644 --- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml +++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/28" +updated_date = "2026/02/19" [rule] author = ["Elastic"] 
@@ -84,8 +84,8 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
 process.executable : (
- "C:\\*Program*Files*\\*.exe",
- "\\Device\\HarddiskVolume*\\*Program*Files*\\*.exe"
+ "C:\\*Program Files*\\*.exe",
+ "\\Device\\HarddiskVolume*\\*Program Files*\\*.exe"
 ) and
 not process.executable : (
 "?:\\Program Files\\*.exe",
@@ -94,20 +94,14 @@ process where host.os.type == "windows" and event.type == "start" and
 "?:\\ProgramData\\*.exe",
 "?:\\Windows\\Downloaded Program Files\\*.exe",
 "?:\\Windows\\Temp\\.opera\\????????????\\CProgram?FilesOpera*\\*.exe",
- "?:\\Windows\\Temp\\.opera\\????????????\\CProgram?Files?(x86)Opera*\\*.exe"
- ) and
- not (
- /* Crowdstrike specific exclusion as it uses NT Object paths */
- event.dataset == "crowdstrike.fdr" and
- process.executable : (
+ "?:\\Windows\\Temp\\.opera\\????????????\\CProgram?Files?(x86)Opera*\\*.exe",
+
+ /* NT Object Paths */
 "\\Device\\HarddiskVolume*\\Program Files\\*.exe",
 "\\Device\\HarddiskVolume*\\Program Files (x86)\\*.exe",
 "\\Device\\HarddiskVolume*\\Users\\*.exe",
 "\\Device\\HarddiskVolume*\\ProgramData\\*.exe",
- "\\Device\\HarddiskVolume*\\Windows\\Downloaded Program Files\\*.exe",
- "\\Device\\HarddiskVolume*\\Windows\\Temp\\.opera\\????????????\\CProgram?FilesOpera*\\*.exe",
- "\\Device\\HarddiskVolume*\\Windows\\Temp\\.opera\\????????????\\CProgram?Files?(x86)Opera*\\*.exe"
- )
+ "\\Device\\HarddiskVolume*\\Windows\\Downloaded Program Files\\*.exe"
 )
 '''
 
diff --git a/rules/windows/defense_evasion_wsl_child_process.toml b/rules/windows/defense_evasion_wsl_child_process.toml
index 7083ade34..54afa1516 100644
--- a/rules/windows/defense_evasion_wsl_child_process.toml
+++ b/rules/windows/defense_evasion_wsl_child_process.toml
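Review bot: Replacing `*Program*Files*` with `*Program Files*` in the first hunk narrows the match to paths that contain the literal space-separated directory name, so executables under look-alike directories spelled without the space, which the old pattern also caught, fall out of scope. If this is a deliberate false-positive fix, a one-line comment above the list such as `/* literal "Program Files" only; the spaceless variants were too noisy */` would keep the next reader from widening it back. The query starts and ends outside this hunk.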
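Review bot: In the second hunk the NT-path exclusions for the Opera installer temp directory are dropped while their drive-letter counterparts a few lines above are kept, so CrowdStrike events under `\\Device\\HarddiskVolume*\\Windows\\Temp\\.opera\\...` that were excluded before will now alert; the new `*Program Files*` pattern still matches the `CProgram?Files...` segment of those paths. If the asymmetry is intended, say so in the `/* NT Object Paths */` comment; otherwise add `"\\Device\\HarddiskVolume*\\Windows\\Temp\\.opera\\????????????\\CProgram?FilesOpera*\\*.exe",` and its `(x86)` variant back into the list.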
@@ -2,7 +2,7 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/28"
+updated_date = "2026/02/19"
 
 [rule]
 author = ["Elastic"]
@@ -82,7 +82,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where host.os.type == "windows" and event.type : "start" and
+process where host.os.type == "windows" and event.type : "start" and process.command_line != null and
 process.parent.name : ("wsl.exe", "wslhost.exe") and
 not process.executable : (
 "?:\\Program Files (x86)\\*",
@@ -91,11 +91,12 @@ process where host.os.type == "windows" and event.type : "start" and
 "?:\\Windows\\System32\\conhost.exe",
 "?:\\Windows\\System32\\lxss\\wslhost.exe",
 "?:\\Windows\\System32\\WerFault.exe",
+ "?:\\Windows\\System32\\wsl.exe",
 "?:\\Windows\\Sys?????\\wslconfig.exe"
 ) and
 not (
 /* Crowdstrike specific exclusion as it uses NT Object paths */
- event.dataset == "crowdstrike.fdr" and
+ (event.dataset == "crowdstrike.fdr" or event.action == "ProcessRollup2") and
 process.executable : (
 "\\Device\\HarddiskVolume*\\Program Files (x86)\\*",
 "\\Device\\HarddiskVolume*\\Program Files\\*",
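Review bot: The added `process.command_line != null` on the first line of the query drops every start event whose source did not populate the command line, not only the events the new command-line exclusions are meant to suppress; a `:` comparison against a null field already fails inside `not (...)`, so the guard is not needed for those exclusions to behave. If the intent is to keep the rule to sources that can be tuned, a comment such as `/* command_line is required so the benign-usage exclusions below can be evaluated */` would make that explicit. The query continues past this hunk.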
@@ -103,8 +104,15 @@ process where host.os.type == "windows" and event.type : "start" and
 "\\Device\\HarddiskVolume*\\Windows\\System32\\conhost.exe",
 "\\Device\\HarddiskVolume*\\Windows\\System32\\lxss\\wslhost.exe",
 "\\Device\\HarddiskVolume*\\Windows\\System32\\WerFault.exe",
+ "\\Device\\HarddiskVolume*\\Windows\\System32\\wsl.exe",
 "\\Device\\HarddiskVolume*\\Windows\\Sys?????\\wslconfig.exe"
 )
+ ) and
+ not (
+ (process.name : "cmd.exe" and process.command_line : "*echo*%USERPROFILE%*") or
+ (process.name : "git.exe" and process.command_line : "git.exe -c log.*") or
+ (process.name : "powershell.exe" and process.command_line : "powershell.exe -Command $env:USERPROFILE") or
+ (process.name : "Code.exe" and process.command_line : ("*cli.js --folder-uri=vscode-remote://wsl*", "ms-vscode-remote.remote-wsl"))
 )
 '''
 
diff --git a/rules/windows/execution_powershell_susp_args_via_winscript.toml b/rules/windows/execution_powershell_susp_args_via_winscript.toml
index 41cd1eecb..f5e2c08a1 100644
--- a/rules/windows/execution_powershell_susp_args_via_winscript.toml
+++ b/rules/windows/execution_powershell_susp_args_via_winscript.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/09"
 integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/11"
+updated_date = "2026/02/19"
 
 [rule]
 author = ["Elastic"]
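Review bot: The new benign-usage exclusions key on `process.name` only, so any binary named `cmd.exe`, `git.exe`, `powershell.exe` or `Code.exe` that lives outside the system paths listed above is excluded as long as its command line carries the substring; pinning the path, e.g. `process.executable : "?:\\Windows\\System32\\cmd.exe"`, keeps each exclusion to the real binary. The `"*echo*%USERPROFILE%*"` entry is also open at both ends, unlike the exact `"powershell.exe -Command $env:USERPROFILE"` form beside it, so anything chained after the echo is excluded with it; if the benign command line is known, anchor it the same way. The same open-ended substring shape appears in the `*Use-Icinga -Minimal*` exclusion added to execution_windows_powershell_susp_args.toml later in this diff. The query begins before this hunk.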
@@ -81,7 +81,25 @@ process where host.os.type == "windows" and event.type == "start" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe", "cmd.exe") or ?process.pe.original_file_name : ("powershell.exe", "pwsh.dll", "powershell_ise.exe", "Cmd.Exe") ) and - process.parent.name : ("wscript.exe", "mshta.exe") + process.parent.name : ("wscript.exe", "mshta.exe") and + not ( + process.args : ( + "C:\\Program Files\\Intel\\SUR\\QUEENCREEK\\x64\\task.bat", + "\"C:\\Program Files\\Intel\\SUR\\QUEENCREEK\\x64\\task.bat\"" + ) or + process.command_line : ( + "\"C:\\Windows\\system32\\cmd.exe\" /c auditpol.exe /set /SUBCATEGORY:*", + "\"C:\\Windows\\system32\\cmd.exe\" /c auditpol.exe /get*", + "\"C:\\Windows\\system32\\cmd.exe\" /c exit\"" + ) or + (process.args == "-File" and process.args == "-ExecutionPolicy") + ) + and + not ( + ?user.id == "S-1-5-18" and + /* Don't apply the user.id exclusion to Sysmon for compatibility */ + not event.dataset : ("windows.sysmon_operational", "windows.sysmon") + ) ''' diff --git a/rules/windows/execution_windows_powershell_susp_args.toml b/rules/windows/execution_windows_powershell_susp_args.toml index bf4474a4e..ff0cfea30 100644 --- a/rules/windows/execution_windows_powershell_susp_args.toml +++ b/rules/windows/execution_windows_powershell_susp_args.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/06" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2026/02/19" [rule] author = ["Elastic"] @@ -90,6 +90,11 @@ process where host.os.type == "windows" and event.type == "start" and not event.dataset : ("windows.sysmon_operational", "windows.sysmon") ) and + not process.parent.executable : ( + "?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*.exe" + ) and + ( process.command_line : ( "*^*^*^*^*^*^*^*^*^*", 
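Review bot: The third `process.command_line` exclusion, `"\"C:\\Windows\\system32\\cmd.exe\" /c exit\""`, ends with an escaped double quote that has no opening counterpart, which looks like a typo; as written it only matches a command line that literally ends in `exit"`, so it probably never fires, while the two entries above it end in `*`. Separately, `(process.args == "-File" and process.args == "-ExecutionPolicy")` suppresses any PowerShell child of wscript.exe or mshta.exe that passes both flags, which is a generic launcher shape rather than a specific product; if a known application motivated it, constrain it by script path or parent the way the Intel entry does, and name the application in a comment. The query begins before this hunk.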
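Review bot: `not process.parent.executable : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe")` in the second hunk suppresses the whole rule for any parent under Program Files, which covers every installed third-party application rather than a known set of noisy ones. A signature check on the parent, e.g. `process.parent.code_signature.trusted == true and process.parent.code_signature.exists == true`, would keep the exclusion to software with a verified publisher, assuming the integrations listed at the top of the file populate those fields. A comment naming the applications that motivated the exclusion would also help the next tuning pass. The `(` opened at the end of this hunk is closed in the later hunk of the same file.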
@@ -171,6 +176,10 @@ process where host.os.type == "windows" and event.type == "start" and ( process.parent.name : ("explorer.exe", "cmd.exe") and process.command_line : ("*-encodedCommand*", "*Invoke-webrequest*", "*WebClient*", "*Reflection.Assembly*")) + ) and + not process.command_line : ( + "*Use-Icinga -Minimal*", + "*& {$j = sajb {Add-Type -AssemblyName*" ) ''' diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml index c1b517fd3..06021e79c 100644 --- a/rules/windows/persistence_adobe_hijack_persistence.toml +++ b/rules/windows/persistence_adobe_hijack_persistence.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/08/28" +updated_date = "2026/02/19" [transform] [[transform.osquery]] @@ -45,10 +45,10 @@ index = [ ] language = "eql" license = "Elastic License v2" -name = "Adobe Hijack Persistence" +name = "Deprecated - Adobe Hijack Persistence" note = """## Triage and analysis -### Investigating Adobe Hijack Persistence +### Investigating Deprecated - Adobe Hijack Persistence Attackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed. diff --git a/rules/windows/privilege_escalation_badsuccessor_dmsa_abuse.toml b/rules/windows/privilege_escalation_badsuccessor_dmsa_abuse.toml index 46072ab0b..7a12ba94b 100644 --- a/rules/windows/privilege_escalation_badsuccessor_dmsa_abuse.toml +++ b/rules/windows/privilege_escalation_badsuccessor_dmsa_abuse.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/23" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/02/19" [rule] author = ["Elastic"] 
@@ -88,4 +88,4 @@ field = "new_terms_fields"
 value = ["winlog.event_data.SubjectUserName"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-10d"
\ No newline at end of file
+value = "now-7d"
\ No newline at end of file
diff --git a/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml b/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml
index 4cd939b21..b68b5bdb6 100644
--- a/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml
+++ b/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/23"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/11/14"
+updated_date = "2026/02/19"
 
 [rule]
 author = ["Elastic"]
@@ -87,4 +87,4 @@ field = "new_terms_fields"
 value = ["winlog.event_data.SubjectUserName"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-10d"
\ No newline at end of file
+value = "now-7d"
diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
index 9581d5192..b425a85e9 100644
--- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/01/15"
+updated_date = "2026/02/19"
 
 [rule]
 author = ["Elastic"]
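Review bot: `value = "now-7d"` in privilege_escalation_badsuccessor_dmsa_abuse.toml is still written without a trailing newline (`\ No newline at end of file` on both sides of the hunk), while the identical change in privilege_escalation_dmsa_creation_by_unusual_user.toml adds one; ending this file with a newline keeps the two consistent and avoids a spurious diff on the next edit. The shorter history window also means a SubjectUserName last seen between 7 and 10 days ago is treated as new again, so a short comment on why 7d was chosen for both rules would help a later tuning pass.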
@@ -22,13 +22,13 @@ index = [ ] language = "kuery" license = "Elastic License v2" -name = "Suspicious PrintSpooler Service Executable File Creation" +name = "Deprecated - Suspicious PrintSpooler Service Executable File Creation" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Suspicious PrintSpooler Service Executable File Creation +### Investigating Deprecated - Suspicious PrintSpooler Service Executable File Creation The Print Spooler service in Windows manages print jobs, but vulnerabilities like CVE-2020-1048 can be exploited for privilege escalation. Adversaries may create malicious DLL files executed by the spooler to gain elevated privileges. The detection rule identifies such threats by monitoring file creation events linked to the spooler process, focusing on DLL files, which are common vectors for exploitation. diff --git a/rules_building_block/discovery_internet_capabilities.toml b/rules_building_block/discovery_internet_capabilities.toml index 2ae9e761e..c67a0296b 100644 --- a/rules_building_block/discovery_internet_capabilities.toml +++ b/rules_building_block/discovery_internet_capabilities.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/12" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/02/19" [rule] author = ["Elastic"] 
@@ -35,7 +35,8 @@ type = "new_terms" query = ''' host.os.type:windows and event.category:process and event.type:start and process.name.caseless:("ping.exe" or "tracert.exe" or "pathping.exe") and -not process.args:("127.0.0.1" or "0.0.0.0" or "localhost" or "::1") +not process.args:("127.0.0.1" or "0.0.0.0" or "localhost" or "::1" or 192.168.*) and +process.command_line:*.* ''' @@ -62,6 +63,6 @@ field = "new_terms_fields" value = ["host.id", "user.id", "process.command_line"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-14d" +value = "now-7d" diff --git a/rules_building_block/discovery_signal_unusual_user_host.toml b/rules_building_block/discovery_signal_unusual_user_host.toml index ac2bc337f..1f567d82f 100644 --- a/rules_building_block/discovery_signal_unusual_user_host.toml +++ b/rules_building_block/discovery_signal_unusual_user_host.toml @@ -2,7 +2,7 @@ bypass_bbr_timing = true creation_date = "2023/10/10" maturity = "production" -updated_date = "2024/09/01" +updated_date = "2026/02/19" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ from = "now-9m" index = [".alerts-security.*"] language = "kuery" license = "Elastic License v2" -name = "Unusual Discovery Activity by User" +name = "Deprecated - Unusual Discovery Activity by User" risk_score = 21 rule_id = "cf575427-0839-4c69-a9e6-99fde02606f3" severity = "low" @@ -54,6 +54,6 @@ field = "new_terms_fields" value = ["host.id", "user.id"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-14d" +value = "now-7d" diff --git a/rules_building_block/execution_unsigned_service_executable.toml b/rules_building_block/execution_unsigned_service_executable.toml index e6c2b4816..3a861c4ab 100644 --- a/rules_building_block/execution_unsigned_service_executable.toml +++ b/rules_building_block/execution_unsigned_service_executable.toml 
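Review bot: `process.command_line:*.*` is presumably meant to require a dotted host or address after the ping, but whenever the command line carries the executable name with its extension (`ping.exe`, `tracert.exe`) the dot is matched there and the condition is satisfied regardless of the target, so it filters little; matching the wildcard against `process.args` instead, or pairing it with the existing args exclusion, would make it meaningful. The `192.168.*` exclusion covers only one RFC 1918 block, so `10.*` and `172.16.*` through `172.31.*` targets remain in scope; if the rule is about reaching the internet, the remaining private ranges likely belong in the same list. The trailing context lines of this hunk are blank lines after the query.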
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/07/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2026/02/19"
 
 [rule]
 author = ["Elastic"]
@@ -80,6 +80,6 @@ field = "new_terms_fields"
 value = ["host.id", "process.executable", "user.id"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-14d"
+value = "now-5d"