diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
index 97a6da20a..7e89e09c3 100644
--- a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
+++ b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/01/31"
-integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/26"
 
 [transform]
 [[transform.osquery]]
@@ -37,6 +37,7 @@ index = [
 "endgame-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -103,14 +104,19 @@ tags = [
 "Data Source: Sysmon",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
 registry where host.os.type == "windows" and event.type == "change" and
- registry.value: "BehaviorOnFailedVerify" and registry.data.strings : ("0", "0x00000000", "1", "0x00000001")
-
+ registry.value: "BehaviorOnFailedVerify" and registry.data.strings : ("0", "0x00000000", "1", "0x00000001") and
+ not process.executable :
+ ("?:\\Windows\\System32\\svchost.exe",
+ "?:\\Windows\\CCM\\CcmExec.exe",
+ "\\Device\\HarddiskVolume*\\Windows\\system32\\svchost.exe",
+ "\\Device\\HarddiskVolume*\\Windows\\CCM\\CcmExec.exe")
 
 /* Full registry key path omitted due to data source variations:
 "HKEY_USERS\\*\\Software\\Policies\\Microsoft\\Windows NT\\Driver Signing\\BehaviorOnFailedVerify"
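Review bot: `logs-crowdstrike.fdr*` is added to `index` without any change to the query, which keys on `registry.value` and `registry.data.strings` (visible in the next hunk); if the crowdstrike.fdr integration does not populate those fields on registry-change events, the rule will simply never match on that source rather than fail, so this deserves a check against the integration's field mappings or a sample event. The same applies to the `index` hunks in defense_evasion_disable_nla.toml, defense_evasion_dns_over_https_enabled.toml and defense_evasion_execution_msbuild_started_renamed.toml, whose queries are outside this diff. Once confirmed, a trailing comment on the new entry, e.g. `"logs-crowdstrike.fdr*",  # verified: registry.value / registry.data.strings present in FDR registry events`, would record that the mapping was checked.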
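Review bot: The new `not process.executable : (...)` clause exempts any `svchost.exe` or `CcmExec.exe` path from the rule with no signature or parent constraint, which is broader than the other rule in this commit (defense_evasion_communication_apps_suspicious_child_process.toml), where path allow-lists are paired with `process.code_signature.trusted == true`. The intent is presumably to drop Group Policy (svchost-hosted) and SCCM client writes to the Policies key, and a comment saying so would make the exclusion reviewable later, e.g. `/* svchost.exe (Group Policy client) and CcmExec.exe (SCCM) apply the Driver Signing policy legitimately */` placed above `not process.executable :`. If registry events from the listed sources carry code-signature fields, `not (process.executable : (...) and process.code_signature.trusted == true)` would keep an unsigned binary at one of these paths in scope; if they do not, state that in the comment so nobody re-adds the check blindly. The `\\Device\\HarddiskVolume*` variants suggest the exclusion is aimed at SentinelOne/CrowdStrike path formats, so a sample event from each confirming `process.executable` is populated on registry events would show the clause behaves as intended there.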
diff --git a/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml b/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
index 7476990c1..326f67485 100644
--- a/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
+++ b/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/08/04"
-integration = ["endpoint"]
+integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/05/05"
+updated_date = "2025/08/26"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies suspicious child processes of communications apps, which can indicate
 communication app or the exploitation of a vulnerability on the application causing it to execute code.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*"]
+index = ["logs-endpoint.events.process-*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Communication App Child Process"
@@ -26,28 +26,31 @@ tags = [
 "Tactic: Persistence",
 "Data Source: Elastic Defend",
 "Resources: Investigation Guide",
+ "Data Source: SentinelOne",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where host.os.type == "windows" and event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
+ not process.executable :
+ ("?:\\Program Files\\*.exe",
+ "?:\\Program Files (x86)\\*.exe",
+ "?:\\Windows\\System32\\WerFault.exe",
+ "?:\\Windows\\SysWOW64\\WerFault.exe") and
 (
 /* Slack */
 (process.parent.name : "slack.exe" and not
 (
 (
 process.executable : (
- "?:\\Program Files\\*",
- "?:\\Program Files (x86)\\*",
 "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
 "?:\\Users\\*\\AppData\\Local\\Island\\Island\\Application\\Island.exe",
 "?:\\Users\\*\\AppData\\Roaming\\Zoom\\bin*\\Zoom.exe",
 "?:\\Windows\\System32\\rundll32.exe",
 "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
 "?:\\Windows\\System32\\notepad.exe",
- "?:\\Windows\\System32\\WerFault.exe",
- "?:\\Windows\\SysWOW64\\WerFault.exe",
 "?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\opera.exe"
 ) and process.code_signature.trusted == true
 ) or
@@ -69,10 +72,6 @@ process where host.os.type == "windows" and event.type == "start" and
 (
 (
 process.executable : (
- "?:\\Program Files\\*",
- "?:\\Program Files (x86)\\*",
- "?:\\Windows\\System32\\WerFault.exe",
- "?:\\Windows\\SysWOW64\\WerFault.exe",
 "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
 "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
 "?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\opera.exe"
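Review bot: Moving `"?:\\Program Files\\*.exe"` and `"?:\\Program Files (x86)\\*.exe"` into a top-level `not process.executable : (...)` drops the `process.code_signature.trusted == true` condition that guarded those paths inside every per-parent branch (the removals in this hunk and in the five that follow it), so an unsigned binary under Program Files launched by any of the communication apps is now excluded outright where it previously would have matched. If that is a deliberate trade to make the rule usable on the newly added SentinelOne and Endgame indices, which may not populate `process.code_signature.*` on process events, a comment in the query saying so would stop the next reader from restoring the check; otherwise keep the signature gate on the Program Files patterns, e.g. `not (process.executable : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe") and process.code_signature.trusted == true) and`, leaving only the two WerFault paths in the unconditional `not process.executable : (...)`. The query body continues past this hunk.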
@@ -93,13 +92,10 @@ process where host.os.type == "windows" and event.type == "start" and
 (
 (
 process.executable : (
- "?:\\Program Files\\*",
- "?:\\Program Files (x86)\\*",
- "?:\\Windows\\System32\\WerFault.exe",
- "?:\\Windows\\SysWOW64\\WerFault.exe",
 "?:\\Windows\\BrowserCore\\BrowserCore.exe",
 "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
- "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe"
+ "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
+ "?:\\Users\\*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe"
 ) and process.code_signature.trusted == true
 ) or
 (
@@ -119,13 +115,9 @@ process where host.os.type == "windows" and event.type == "start" and
 (
 (
 process.executable : (
- "?:\\Program Files\\*",
- "?:\\Program Files (x86)\\*",
 "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
 "?:\\Windows\\System32\\reg.exe",
- "?:\\Windows\\SysWOW64\\reg.exe",
- "?:\\Windows\\System32\\WerFault.exe",
- "?:\\Windows\\SysWOW64\\WerFault.exe"
+ "?:\\Windows\\SysWOW64\\reg.exe"
 ) and process.code_signature.trusted == true
 ) or
 (
@@ -155,10 +147,6 @@ process where host.os.type == "windows" and event.type == "start" and
 (
 (
 process.executable : (
- "?:\\Program Files\\*",
- "?:\\Program Files (x86)\\*",
- "?:\\Windows\\System32\\WerFault.exe",
- "?:\\Windows\\SysWOW64\\WerFault.exe",
 "?:\\Windows\\System32\\reg.exe",
 "?:\\Windows\\SysWOW64\\reg.exe"
 ) and process.code_signature.trusted == true
@@ -181,13 +169,9 @@ process where host.os.type == "windows" and event.type == "start" and
 (
 (
 process.executable : (
- "?:\\Program Files\\*",
- "?:\\Program Files (x86)\\*",
 "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
 "?:\\Users\\*\\AppData\\Local\\Island\\Island\\Application\\Island.exe",
- "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
- "?:\\Windows\\System32\\WerFault.exe",
- "?:\\Windows\\SysWOW64\\WerFault.exe"
+ "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe"
 ) and process.code_signature.trusted == true
 ) or
 (
@@ -203,11 +187,8 @@ process where host.os.type == "windows" and event.type == "start" and
 (
 (
 process.executable : (
- "?:\\Program Files\\*",
- "?:\\Program Files (x86)\\*",
- "?:\\Windows\\System32\\WerFault.exe",
- "?:\\Windows\\SysWOW64\\WerFault.exe",
- "?:\\Windows\\splwow64.exe"
+ "?:\\Windows\\splwow64.exe",
+ "?:\\Windows\\System32\\spool\\drivers\\x64\\3\\*.EXE"
 ) and process.code_signature.trusted == true
 ) or
 (
diff --git a/rules/windows/defense_evasion_disable_nla.toml b/rules/windows/defense_evasion_disable_nla.toml
index 850dcaa00..a3daa0e4c 100644
--- a/rules/windows/defense_evasion_disable_nla.toml
+++ b/rules/windows/defense_evasion_disable_nla.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/08/25"
-integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
+integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/26"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ index = [
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
 "logs-windows.sysmon_operational-*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
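Review bot: The new `"?:\\Windows\\System32\\spool\\drivers\\x64\\3\\*.EXE"` entry in the `@@ -203,11 +187,8 @@` hunk uses an upper-case extension while every other pattern in this file is written `.exe`; EQL's `:` match is case-insensitive so it behaves the same, but `*.EXE` reads as if it were deliberate, and `"?:\\Windows\\System32\\spool\\drivers\\x64\\3\\*.exe"` keeps the list uniform. The wildcard also allow-lists every executable in the installed print-driver directory, gated only by `process.code_signature.trusted == true`, so a comment naming the driver that prompted it, e.g. `/* signed print-driver helper binaries installed under spool\drivers */`, would let a later reviewer judge whether the whole directory still needs the exemption. The enclosing parent-process branch begins outside the hunk.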
@@ -74,6 +75,7 @@ tags = [
 "Data Source: SentinelOne",
 "Data Source: Sysmon",
 "Resources: Investigation Guide",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_dns_over_https_enabled.toml b/rules/windows/defense_evasion_dns_over_https_enabled.toml
index 3217e3637..3ccda2825 100644
--- a/rules/windows/defense_evasion_dns_over_https_enabled.toml
+++ b/rules/windows/defense_evasion_dns_over_https_enabled.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/07/22"
-integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/26"
 
 [rule]
 author = ["Austin Songer"]
@@ -19,6 +19,7 @@ index = [
 "endgame-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -74,6 +75,7 @@ tags = [
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: SentinelOne",
 "Resources: Investigation Guide",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
index 65c26340f..084e10613 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
-integration = ["endpoint", "windows", "m365_defender"]
+integration = ["endpoint", "windows", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/05/05"
+updated_date = "2025/08/26"
 
 [transform]
 [[transform.osquery]]
@@ -44,6 +44,7 @@ index = [
 "logs-windows.sysmon_operational-*",
 "endgame-*",
 "logs-m365_defender.event-*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -112,6 +113,7 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"