diff --git a/rules/windows/defense_evasion_script_via_html_app.toml b/rules/windows/defense_evasion_script_via_html_app.toml index 7fd0cb332..c1e793740 100644 --- a/rules/windows/defense_evasion_script_via_html_app.toml +++ b/rules/windows/defense_evasion_script_via_html_app.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/09" integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2025/07/21" +updated_date = "2025/08/26" [rule] author = ["Elastic"] @@ -18,6 +18,7 @@ index = [ "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "winlogbeat-*", + "endgame-*", ] language = "eql" license = "Elastic License v2" @@ -68,6 +69,7 @@ tags = [ "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide", + "Data Source: Elastic Endgame", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml index bfc81a473..4436cce75 100644 --- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml +++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/08/18" -integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/08/26" [rule] author = ["Elastic"] @@ -18,6 +18,7 @@ index = [ "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", + "logs-crowdstrike.fdr*", ] language = "eql" license = "Elastic License v2" @@ -69,6 +70,7 @@ tags = [ "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", + "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_sip_provider_mod.toml b/rules/windows/defense_evasion_sip_provider_mod.toml index 434c2d6eb..9d1336517 100644 --- a/rules/windows/defense_evasion_sip_provider_mod.toml +++ b/rules/windows/defense_evasion_sip_provider_mod.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2021/01/20" -integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/08/26" [rule] author = ["Elastic"] @@ -19,6 +19,7 @@ index = [ "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", + "logs-crowdstrike.fdr*", ] language = "eql" license = "Elastic License v2" @@ -71,6 +72,7 @@ tags = [ "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", + "Data Source: Crowdstrike", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml index d4273cdcc..18215c26f 100644 --- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/12/14" -integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/08/26" [rule] author = ["Elastic"] @@ -18,6 +18,7 @@ index = [ "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", + "logs-crowdstrike.fdr*", ] language = "eql" license = "Elastic License v2" @@ -74,6 +75,7 @@ tags = [ "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", + "Data Source: Crowdstrike", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" @@ -90,11 +92,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry "SolarWinds.Collector.Service*.exe", "SolarwindsDiagnostics*.exe" ) and - registry.path : ( - "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start", - "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\Start", - "MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\Start" - ) and + registry.path : "*\\SYSTEM\\*ControlSet*\\Services\\*\\Start" and registry.data.strings : ("4", "0x00000004") ''' diff --git a/rules/windows/defense_evasion_suspicious_short_program_name.toml b/rules/windows/defense_evasion_suspicious_short_program_name.toml index 7fc627c8c..933f3171f 100644 --- a/rules/windows/defense_evasion_suspicious_short_program_name.toml +++ b/rules/windows/defense_evasion_suspicious_short_program_name.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/11/15" -integration = ["endpoint", "windows", "m365_defender"] +integration = ["endpoint", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2025/08/26" [transform] [[transform.osquery]] @@ -44,6 +44,7 @@ index = [ "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", + "logs-crowdstrike.fdr*", ] language = "eql" license = "Elastic License v2" @@ -105,10 +106,11 @@ tags = [ "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", - "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", + "Data Source: Crowdstrike", + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "eql"