From 8d25a7ddce3755a4ffb2c46b06bf20379b3ef028 Mon Sep 17 00:00:00 2001 
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Mon, 20 Apr 2026 18:38:09 -0300 Subject: [PATCH] [Rule Tuning] Update MDE tags to "Microsoft Defender XDR" (#5927) * [Rule Tuning] Fix MS Defender XDR tag * bump upodated_date --- pyproject.toml | 2 +- rules/cross-platform/command_and_control_tunnel_qemu.toml | 4 ++-- .../credential_access_gitleaks_execution.toml | 4 ++-- .../credential_access_trufflehog_execution.toml | 4 ++-- ...fense_evasion_genai_process_compiling_executables.toml | 4 ++-- ..._genai_process_encoding_prior_to_network_activity.toml | 4 ++-- .../execution_register_github_actions_runner.toml | 4 ++-- .../execution_via_github_actions_runner.toml | 4 ++-- .../collection_email_powershell_exchange_mailbox.toml | 4 ++-- rules/windows/collection_winrar_encryption.toml | 4 ++-- rules/windows/command_and_control_certreq_postdata.toml | 4 ++-- .../command_and_control_dns_tunneling_nslookup.toml | 4 ++-- rules/windows/command_and_control_headless_browser.toml | 4 ++-- ...ommand_and_control_multiple_rmm_vendors_same_host.toml | 6 +++--- rules/windows/command_and_control_outlook_home_page.toml | 4 ++-- ...ommand_and_control_port_forwarding_added_registry.toml | 4 ++-- rules/windows/command_and_control_rdp_tunnel_plink.toml | 4 ++-- rules/windows/command_and_control_remcos_rat_iocs.toml | 4 ++-- ...nd_and_control_remote_file_copy_desktopimgdownldr.toml | 4 ++-- .../command_and_control_remote_file_copy_mpcmdrun.toml | 4 ++-- .../command_and_control_rmm_after_msi_install.toml | 4 ++-- .../command_and_control_rmm_netsupport_susp_path.toml | 4 ++-- .../command_and_control_screenconnect_childproc.toml | 6 +++--- .../command_and_control_tool_transfer_via_curl.toml | 4 ++-- rules/windows/command_and_control_tunnel_cloudflared.toml | 4 ++-- rules/windows/command_and_control_tunnel_vscode.toml | 6 +++--- rules/windows/command_and_control_tunnel_yuze.toml | 4 ++-- .../command_and_control_velociraptor_shell_execution.toml | 4 ++-- 
.../credential_access_browsers_unusual_parent.toml | 4 ++-- rules/windows/credential_access_cmdline_dump_tool.toml | 4 ++-- ...edential_access_copy_ntds_sam_volshadowcp_cmdline.toml | 4 ++-- ...redential_access_domain_backup_dpapi_private_keys.toml | 4 ++-- rules/windows/credential_access_dump_registry_hives.toml | 4 ++-- rules/windows/credential_access_generic_localdumps.toml | 6 +++--- .../credential_access_iis_connectionstrings_dumping.toml | 4 ++-- rules/windows/credential_access_kirbi_file.toml | 4 ++-- .../credential_access_lsass_memdump_file_created.toml | 4 ++-- .../windows/credential_access_lsass_openprocess_api.toml | 4 ++-- .../credential_access_mimikatz_memssp_default_logs.toml | 4 ++-- .../credential_access_mod_wdigest_security_provider.toml | 4 ++-- ...s_persistence_network_logon_provider_modification.toml | 4 ++-- .../credential_access_rare_webdav_destination.toml | 4 ++-- ...redential_access_relay_ntlm_auth_via_http_spoolss.toml | 6 +++--- rules/windows/credential_access_saved_creds_vaultcmd.toml | 6 +++--- ...ntial_access_symbolic_link_to_shadow_copy_created.toml | 4 ++-- rules/windows/credential_access_veeam_commands.toml | 6 +++--- rules/windows/credential_access_wbadmin_ntds.toml | 6 +++--- .../windows/credential_access_wireless_creds_dumping.toml | 4 ++-- ...ding_the_hidden_file_attribute_with_via_attribexe.toml | 4 ++-- rules/windows/defense_evasion_amsi_bypass_dllhijack.toml | 4 ++-- rules/windows/defense_evasion_amsienable_key_mod.toml | 4 ++-- .../defense_evasion_clearing_windows_console_history.toml | 4 ++-- .../defense_evasion_clearing_windows_event_logs.toml | 4 ++-- ...on_code_signing_policy_modification_builtin_tools.toml | 4 ++-- ...evasion_code_signing_policy_modification_registry.toml | 4 ++-- .../defense_evasion_create_mod_root_certificate.toml | 4 ++-- .../defense_evasion_defender_disabled_via_registry.toml | 4 ++-- ...defense_evasion_defender_exclusion_via_powershell.toml | 4 ++-- 
...nse_evasion_delete_volume_usn_journal_with_fsutil.toml | 4 ++-- rules/windows/defense_evasion_disable_nla.toml | 4 ++-- .../defense_evasion_disable_posh_scriptblocklogging.toml | 4 ++-- ...evasion_disable_windows_firewall_rules_with_netsh.toml | 4 ++-- ...nse_evasion_disabling_windows_defender_powershell.toml | 4 ++-- rules/windows/defense_evasion_disabling_windows_logs.toml | 4 ++-- rules/windows/defense_evasion_dns_over_https_enabled.toml | 4 ++-- .../defense_evasion_dotnet_compiler_parent_process.toml | 4 ++-- .../defense_evasion_enable_inbound_rdp_with_netsh.toml | 4 ++-- ...fense_evasion_enable_network_discovery_with_netsh.toml | 4 ++-- ...e_evasion_execution_control_panel_suspicious_args.toml | 6 +++--- .../windows/defense_evasion_execution_lolbas_wuauclt.toml | 4 ++-- ...e_evasion_execution_msbuild_started_by_office_app.toml | 4 ++-- ...asion_execution_msbuild_started_by_system_process.toml | 6 +++--- ...defense_evasion_execution_msbuild_started_renamed.toml | 4 ++-- ...nse_evasion_execution_suspicious_explorer_winword.toml | 6 +++--- .../defense_evasion_execution_windefend_unusual_path.toml | 4 ++-- .../defense_evasion_file_creation_mult_extension.toml | 4 ++-- rules/windows/defense_evasion_from_unusual_directory.toml | 4 ++-- .../defense_evasion_hide_encoded_executable_registry.toml | 6 +++--- .../windows/defense_evasion_iis_httplogging_disabled.toml | 4 ++-- rules/windows/defense_evasion_indirect_exec_conhost.toml | 4 ++-- rules/windows/defense_evasion_indirect_exec_forfiles.toml | 4 ++-- rules/windows/defense_evasion_indirect_exec_openssh.toml | 4 ++-- rules/windows/defense_evasion_lolbas_win_cdb_utility.toml | 4 ++-- .../defense_evasion_lsass_ppl_disabled_registry.toml | 4 ++-- ..._evasion_masquerading_as_elastic_endpoint_process.toml | 6 +++--- .../defense_evasion_masquerading_renamed_autoit.toml | 4 ++-- ...vasion_masquerading_suspicious_werfault_childproc.toml | 6 +++--- .../defense_evasion_masquerading_trusted_directory.toml | 6 +++--- 
.../defense_evasion_microsoft_defender_tampering.toml | 4 ++-- .../defense_evasion_modify_ownership_os_files.toml | 4 ++-- .../defense_evasion_ms_office_suspicious_regmod.toml | 4 ++-- rules/windows/defense_evasion_mshta_susp_child.toml | 4 ++-- rules/windows/defense_evasion_msiexec_remote_payload.toml | 4 ++-- rules/windows/defense_evasion_ntlm_downgrade.toml | 4 ++-- ...defense_evasion_obf_args_unicode_modified_letters.toml | 4 ++-- ...nse_evasion_persistence_account_tokenfilterpolicy.toml | 6 +++--- ...ense_evasion_powershell_windows_firewall_disabled.toml | 4 ++-- .../windows/defense_evasion_proxy_execution_via_msdt.toml | 6 +++--- ...se_evasion_reg_disable_enableglobalqueryblocklist.toml | 4 ++-- rules/windows/defense_evasion_regmod_remotemonologue.toml | 4 ++-- rules/windows/defense_evasion_right_to_left_override.toml | 4 ++-- rules/windows/defense_evasion_root_dir_ads_creation.toml | 4 ++-- .../windows/defense_evasion_run_virt_windowssandbox.toml | 6 +++--- rules/windows/defense_evasion_sc_sdset.toml | 6 +++--- ...defense_evasion_scheduledjobs_at_protocol_enabled.toml | 6 +++--- rules/windows/defense_evasion_script_via_html_app.toml | 6 +++--- .../defense_evasion_sdelete_like_filename_rename.toml | 4 ++-- rules/windows/defense_evasion_sip_provider_mod.toml | 6 +++--- ...solarwinds_backdoor_service_disabled_via_registry.toml | 8 ++++---- .../defense_evasion_suspicious_certutil_commands.toml | 4 ++-- ...fense_evasion_suspicious_managedcode_host_process.toml | 4 ++-- .../defense_evasion_suspicious_short_program_name.toml | 4 ++-- .../defense_evasion_suspicious_zoom_child_process.toml | 4 ++-- ...asion_system_critical_proc_abnormal_file_activity.toml | 4 ++-- .../defense_evasion_unusual_ads_file_creation.toml | 4 ++-- rules/windows/defense_evasion_unusual_dir_ads.toml | 6 +++--- .../defense_evasion_unusual_system_vp_child_program.toml | 6 +++--- rules/windows/defense_evasion_via_filter_manager.toml | 4 ++-- .../defense_evasion_wdac_policy_by_unusual_process.toml 
| 4 ++-- .../defense_evasion_workfolders_control_execution.toml | 4 ++-- rules/windows/defense_evasion_wsl_bash_exec.toml | 6 +++--- rules/windows/defense_evasion_wsl_child_process.toml | 6 +++--- rules/windows/defense_evasion_wsl_enabled_via_dism.toml | 4 ++-- rules/windows/defense_evasion_wsl_kalilinux.toml | 8 ++++---- .../defense_evasion_wsl_registry_modification.toml | 4 ++-- rules/windows/discovery_ad_explorer_execution.toml | 4 ++-- rules/windows/discovery_adfind_command_activity.toml | 4 ++-- rules/windows/discovery_admin_recon.toml | 4 ++-- .../discovery_enumerating_domain_trusts_via_dsquery.toml | 4 ++-- .../discovery_enumerating_domain_trusts_via_nltest.toml | 4 ++-- .../windows/discovery_group_policy_object_discovery.toml | 4 ++-- rules/windows/discovery_peripheral_device.toml | 4 ++-- rules/windows/discovery_whoami_command_activity.toml | 4 ++-- ...tion_apt_solarwinds_backdoor_child_cmd_powershell.toml | 6 +++--- rules/windows/execution_com_object_xwizard.toml | 6 +++--- .../execution_command_shell_started_by_svchost.toml | 4 ++-- ...xecution_command_shell_started_by_unusual_process.toml | 4 ++-- rules/windows/execution_command_shell_via_rundll32.toml | 4 ++-- rules/windows/execution_enumeration_via_wmiprvse.toml | 4 ++-- rules/windows/execution_from_unusual_path_cmdline.toml | 4 ++-- .../windows/execution_initial_access_foxmail_exploit.toml | 6 +++--- rules/windows/execution_initial_access_via_msc_file.toml | 4 ++-- rules/windows/execution_mofcomp.toml | 6 +++--- rules/windows/execution_nodejs_susp_patterns.toml | 4 ++-- .../windows/execution_notepad_markdown_child_process.toml | 4 ++-- .../execution_powershell_susp_args_via_winscript.toml | 4 ++-- rules/windows/execution_scripting_remote_webdav.toml | 4 ++-- rules/windows/execution_scripts_archive_file.toml | 4 ++-- rules/windows/execution_shared_modules_local_sxs_dll.toml | 4 ++-- rules/windows/execution_susp_javascript_via_deno.toml | 4 ++-- rules/windows/execution_suspicious_cmd_wmi.toml | 4 ++-- 
rules/windows/execution_suspicious_pdf_reader.toml | 4 ++-- rules/windows/execution_suspicious_psexesvc.toml | 4 ++-- rules/windows/execution_via_compiled_html_file.toml | 4 ++-- rules/windows/execution_via_hidden_shell_conhost.toml | 4 ++-- .../execution_via_mmc_console_file_unusual_path.toml | 6 +++--- rules/windows/execution_windows_cmd_shell_susp_args.toml | 6 +++--- rules/windows/execution_windows_fakecaptcha_cmd_ps.toml | 4 ++-- rules/windows/execution_windows_phish_clickfix.toml | 4 ++-- rules/windows/execution_windows_powershell_susp_args.toml | 4 ++-- rules/windows/exfiltration_rclone_cloud_upload.toml | 4 ++-- rules/windows/exfiltration_smb_rare_destination.toml | 6 +++--- .../impact_deleting_backup_catalogs_with_wbadmin.toml | 4 ++-- rules/windows/impact_mod_critical_os_files.toml | 4 ++-- rules/windows/impact_modification_of_boot_config.toml | 4 ++-- ...lume_shadow_copy_deletion_or_resized_via_vssadmin.toml | 4 ++-- ...impact_volume_shadow_copy_deletion_via_powershell.toml | 4 ++-- .../impact_volume_shadow_copy_deletion_via_wmic.toml | 4 ++-- .../windows/initial_access_execution_from_inetcache.toml | 4 ++-- .../initial_access_execution_via_office_addins.toml | 4 ++-- .../initial_access_exfiltration_first_time_seen_usb.toml | 6 +++--- .../initial_access_exploit_jetbrains_teamcity.toml | 6 +++--- .../windows/initial_access_rdp_file_mail_attachment.toml | 4 ++-- .../initial_access_script_executing_powershell.toml | 4 ++-- .../initial_access_suspicious_ms_exchange_files.toml | 4 ++-- .../initial_access_suspicious_ms_exchange_process.toml | 6 +++--- ...ccess_suspicious_ms_exchange_worker_child_process.toml | 6 +++--- ...initial_access_suspicious_ms_office_child_process.toml | 4 ++-- ...nitial_access_suspicious_ms_outlook_child_process.toml | 4 ++-- ...itial_access_suspicious_windows_server_update_svc.toml | 6 +++--- rules/windows/initial_access_url_cve_2025_33053.toml | 4 ++-- ..._access_via_explorer_suspicious_child_parent_args.toml | 6 +++--- 
.../initial_access_webshell_screenconnect_server.toml | 4 ++-- ...fense_evasion_lanman_nullsessionpipe_modification.toml | 4 ++-- rules/windows/lateral_movement_evasion_rdp_shadowing.toml | 6 +++--- .../lateral_movement_execution_from_tsclient_mup.toml | 6 +++--- ...lateral_movement_mount_hidden_or_webdav_share_net.toml | 4 ++-- rules/windows/lateral_movement_rdp_enabled_registry.toml | 4 ++-- .../lateral_movement_remote_file_copy_hidden_share.toml | 4 ++-- .../lateral_movement_unusual_dns_service_children.toml | 4 ++-- .../lateral_movement_via_startup_folder_rdp_smb.toml | 6 +++--- rules/windows/lateral_movement_via_wsus_update.toml | 6 +++--- rules/windows/persistence_adobe_hijack_persistence.toml | 4 ++-- rules/windows/persistence_app_compat_shim.toml | 4 ++-- rules/windows/persistence_appcertdlls_registry.toml | 4 ++-- rules/windows/persistence_appinitdlls_registry.toml | 4 ++-- rules/windows/persistence_browser_extension_install.toml | 4 ++-- ...persistence_evasion_hidden_local_account_creation.toml | 4 ++-- .../persistence_evasion_registry_ifeo_injection.toml | 4 ++-- ...ce_evasion_registry_startup_shell_folder_modified.toml | 4 ++-- .../windows/persistence_local_scheduled_job_creation.toml | 6 +++--- rules/windows/persistence_ms_office_addins_file.toml | 6 +++--- rules/windows/persistence_ms_outlook_vba_template.toml | 8 ++++---- rules/windows/persistence_msoffice_startup_registry.toml | 4 ++-- rules/windows/persistence_netsh_helper_dll.toml | 6 +++--- ...nce_powershell_exch_mailbox_activesync_add_device.toml | 6 +++--- rules/windows/persistence_powershell_profiles.toml | 4 ++-- ...stence_priv_escalation_via_accessibility_features.toml | 4 ++-- rules/windows/persistence_services_registry.toml | 4 ++-- ...startup_folder_file_written_by_suspicious_process.toml | 4 ++-- rules/windows/persistence_startup_folder_scripts.toml | 4 ++-- .../persistence_suspicious_service_created_registry.toml | 4 ++-- rules/windows/persistence_system_shells_via_services.toml | 4 
++-- rules/windows/persistence_time_provider_mod.toml | 4 ++-- rules/windows/persistence_user_account_creation.toml | 4 ++-- rules/windows/persistence_via_application_shimming.toml | 6 +++--- .../windows/persistence_via_bits_job_notify_command.toml | 4 ++-- .../windows/persistence_via_hidden_run_key_valuename.toml | 4 ++-- ...stence_via_lsa_security_support_provider_registry.toml | 6 +++--- ...ence_via_telemetrycontroller_scheduledtask_hijack.toml | 6 +++--- ...ersistence_via_update_orchestrator_service_hijack.toml | 4 ++-- ...ows_management_instrumentation_event_subscription.toml | 6 +++--- ...ersistence_via_xp_cmdshell_mssql_stored_procedure.toml | 4 ++-- rules/windows/persistence_web_shell_aspx_write.toml | 4 ++-- rules/windows/persistence_webshell_detection.toml | 4 ++-- rules/windows/persistence_werfault_reflectdebugger.toml | 6 +++--- .../privilege_escalation_disable_uac_registry.toml | 4 ++-- .../privilege_escalation_exploit_cve_202238028.toml | 6 +++--- ...privilege_escalation_gpo_schtask_service_creation.toml | 6 +++--- rules/windows/privilege_escalation_lsa_auth_package.toml | 4 ++-- .../privilege_escalation_msi_repair_via_mshelp_link.toml | 6 +++--- .../privilege_escalation_named_pipe_impersonation.toml | 4 ++-- ...ege_escalation_port_monitor_print_processor_abuse.toml | 4 ++-- ...vilege_escalation_printspooler_registry_copyfiles.toml | 4 ++-- ...e_escalation_printspooler_service_suspicious_file.toml | 4 ++-- ..._escalation_printspooler_suspicious_file_deletion.toml | 6 +++--- ...ilege_escalation_printspooler_suspicious_spl_file.toml | 4 ++-- .../privilege_escalation_reg_service_imagepath_mod.toml | 4 ++-- ...privilege_escalation_rogue_windir_environment_var.toml | 4 ++-- ...ege_escalation_service_control_spawned_script_int.toml | 4 ++-- .../privilege_escalation_uac_bypass_com_clipup.toml | 6 +++--- .../privilege_escalation_uac_bypass_com_ieinstal.toml | 6 +++--- ...ge_escalation_uac_bypass_com_interface_icmluautil.toml | 6 +++--- 
...rivilege_escalation_uac_bypass_diskcleanup_hijack.toml | 6 +++--- .../privilege_escalation_uac_bypass_dll_sideloading.toml | 6 +++--- .../privilege_escalation_uac_bypass_event_viewer.toml | 4 ++-- .../privilege_escalation_uac_bypass_mock_windir.toml | 4 ++-- .../privilege_escalation_uac_bypass_winfw_mmc_hijack.toml | 4 ++-- .../privilege_escalation_unquoted_service_path.toml | 4 ++-- ...ilege_escalation_unusual_parentchild_relationship.toml | 4 ++-- ...lege_escalation_unusual_printspooler_childprocess.toml | 4 ++-- ...ge_escalation_unusual_svchost_childproc_childless.toml | 4 ++-- .../execution_mcp_server_child_process.toml | 4 ++-- .../initial_access_microsoft_defender_alerts_signal.toml | 4 ++-- tests/test_all_rules.py | 2 +- 255 files changed, 575 insertions(+), 575 deletions(-)
diff --git a/pyproject.toml b/pyproject.toml
index 15b6d2f71..7ff99b978 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.6.18"
+version = "1.6.19"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
diff --git a/rules/cross-platform/command_and_control_tunnel_qemu.toml b/rules/cross-platform/command_and_control_tunnel_qemu.toml
index 6441d002c..427552bb2 100644
--- a/rules/cross-platform/command_and_control_tunnel_qemu.toml
+++ b/rules/cross-platform/command_and_control_tunnel_qemu.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/09"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -75,7 +75,7 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Windows Security Event Logs",
 "Data Source: Crowdstrike",
 "Resources: Investigation Guide",
diff --git a/rules/cross-platform/credential_access_gitleaks_execution.toml b/rules/cross-platform/credential_access_gitleaks_execution.toml
index 4ae8155c9..2c0f26094 100644
--- a/rules/cross-platform/credential_access_gitleaks_execution.toml
+++ b/rules/cross-platform/credential_access_gitleaks_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/28"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/cross-platform/credential_access_trufflehog_execution.toml b/rules/cross-platform/credential_access_trufflehog_execution.toml
index 334251a1f..2ec12e5f3 100644
--- a/rules/cross-platform/credential_access_trufflehog_execution.toml
+++ b/rules/cross-platform/credential_access_trufflehog_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/09/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -83,7 +83,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml b/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml
index 77ad5e0a0..db88b4d24 100644
--- a/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml
+++ b/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "auditd_manager"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -69,7 +69,7 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Data Source: Auditd Manager",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Resources: Investigation Guide",
 "Domain: LLM",
diff --git a/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml b/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml
index 5a7e264fd..d20e902e2 100644
--- a/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml
+++ b/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -70,7 +70,7 @@ tags = [
 "Tactic: Defense Evasion",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Resources: Investigation Guide",
 "Domain: LLM",
diff --git a/rules/cross-platform/execution_register_github_actions_runner.toml b/rules/cross-platform/execution_register_github_actions_runner.toml
index bd45fce94..e76404097 100644
--- a/rules/cross-platform/execution_register_github_actions_runner.toml
+++ b/rules/cross-platform/execution_register_github_actions_runner.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/26"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/cross-platform/execution_via_github_actions_runner.toml b/rules/cross-platform/execution_via_github_actions_runner.toml
index c82405b97..7e52d4236 100644
--- a/rules/cross-platform/execution_via_github_actions_runner.toml
+++ b/rules/cross-platform/execution_via_github_actions_runner.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/26"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml
index 972be2ad5..231b6077e 100644
--- a/rules/windows/collection_email_powershell_exchange_mailbox.toml
+++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/15"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -85,7 +85,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Windows Security Event Logs",
 "Data Source: Crowdstrike",
 "Data Source: Sysmon",
diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml
index 076a07172..bf71f609e 100644
--- a/rules/windows/collection_winrar_encryption.toml
+++ b/rules/windows/collection_winrar_encryption.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/01/12"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/command_and_control_certreq_postdata.toml b/rules/windows/command_and_control_certreq_postdata.toml
index e546a3f7a..53bab0608 100644
--- a/rules/windows/command_and_control_certreq_postdata.toml
+++ b/rules/windows/command_and_control_certreq_postdata.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/13"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [transform]
 [[transform.osquery]]
@@ -118,7 +118,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
index 27ba25a1e..e4cd598cb 100644
--- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml
+++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/11"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -71,7 +71,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Data Source: Sysmon",
 ]
diff --git a/rules/windows/command_and_control_headless_browser.toml b/rules/windows/command_and_control_headless_browser.toml
index 0febbefe3..b78d72857 100644
--- a/rules/windows/command_and_control_headless_browser.toml
+++ b/rules/windows/command_and_control_headless_browser.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/10"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/30"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -38,7 +38,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Data Source: Sysmon",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/command_and_control_multiple_rmm_vendors_same_host.toml b/rules/windows/command_and_control_multiple_rmm_vendors_same_host.toml
index 43d260908..653f9a22e 100644
--- a/rules/windows/command_and_control_multiple_rmm_vendors_same_host.toml
+++ b/rules/windows/command_and_control_multiple_rmm_vendors_same_host.toml
@@ -9,7 +9,7 @@ integration = [
 "crowdstrike",
 ]
 maturity = "production"
-updated_date = "2026/03/30"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ note = """## Triage and analysis
 ### Investigating Multiple Remote Management Tool Vendors on Same Host
 This rule aggregates process start events by `host.id`, host name, and a nine-minute time bucket. Data can come from
-Elastic Defend, Sysmon, Winlogbeat, Windows Security / forwarded events, Microsoft Defender for Endpoint, SentinelOne,
+Elastic Defend, Sysmon, Winlogbeat, Windows Security / forwarded events, Microsoft Defender XDR, SentinelOne,
 CrowdStrike FDR, or Elastic Endgame—where ECS process fields are populated. Each known RMM-related process name maps to one **vendor** label (e.g. TeamViewer, AnyDesk, ScreenConnect). If **two or more different vendor labels** appear in the same bucket, the rule signals.
@@ -69,7 +69,7 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: CrowdStrike",
 "Data Source: Windows Security Event Logs",
 "Data Source: Elastic Endgame",
diff --git a/rules/windows/command_and_control_outlook_home_page.toml b/rules/windows/command_and_control_outlook_home_page.toml
index aa851b498..840e18aa6 100644
--- a/rules/windows/command_and_control_outlook_home_page.toml
+++ b/rules/windows/command_and_control_outlook_home_page.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/08/01"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/30"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Resources: Investigation Guide",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml
index 51b0f50b6..ee664b7e3 100644
--- a/rules/windows/command_and_control_port_forwarding_added_registry.toml
+++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/25"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,7 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml
index ea76d1d25..335bee109 100644
--- a/rules/windows/command_and_control_rdp_tunnel_plink.toml
+++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/14"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/30"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Windows Security Event Logs",
 "Data Source: Crowdstrike",
 "Data Source: Sysmon",
diff --git a/rules/windows/command_and_control_remcos_rat_iocs.toml b/rules/windows/command_and_control_remcos_rat_iocs.toml
index 828650100..486de75d5 100644
--- a/rules/windows/command_and_control_remcos_rat_iocs.toml
+++ b/rules/windows/command_and_control_remcos_rat_iocs.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/08/20"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2026/03/30"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -40,7 +40,7 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint"
+ "Data Source: Microsoft Defender XDR"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
index 82f163f5d..c77e3ce33 100644
--- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
+++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
 [transform]
 [[transform.investigate]]
@@ -153,7 +153,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Data Source: Sysmon",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
index cd047fec4..4b500c3c0 100644
--- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
+++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
 [transform]
 [[transform.investigate]]
@@ -151,7 +151,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/command_and_control_rmm_after_msi_install.toml b/rules/windows/command_and_control_rmm_after_msi_install.toml
index 569732117..d2b63fe9a 100644
--- a/rules/windows/command_and_control_rmm_after_msi_install.toml
+++ b/rules/windows/command_and_control_rmm_after_msi_install.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/03/18"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/30"
+updated_date = "2026/04/20"
 [rule]
 author = ["Elastic"]
@@ -59,7 +59,7 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Crowdstrike",
 "Data Source: Windows Security Event Logs",
 "Data Source: Elastic Endgame"
diff --git a/rules/windows/command_and_control_rmm_netsupport_susp_path.toml b/rules/windows/command_and_control_rmm_netsupport_susp_path.toml
index 5070ea249..c9db80077 100644
--- a/rules/windows/command_and_control_rmm_netsupport_susp_path.toml
+++ b/rules/windows/command_and_control_rmm_netsupport_susp_path.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/08/20"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/30"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -40,7 +40,7 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Windows Security Event Logs",
 "Data Source: Crowdstrike",
 ]
diff --git a/rules/windows/command_and_control_screenconnect_childproc.toml b/rules/windows/command_and_control_screenconnect_childproc.toml
index f7d5966fa..f885e59b1 100644
--- a/rules/windows/command_and_control_screenconnect_childproc.toml
+++ b/rules/windows/command_and_control_screenconnect_childproc.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/03/27"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,7 @@ ScreenConnect, a remote access tool, facilitates legitimate remote support but c
 - Examine the child process name and arguments, such as powershell.exe with encoded commands or cmd.exe with /c, to identify potentially malicious actions or commands being executed.
 - Check the network activity associated with the suspicious process, especially if the process arguments include network-related terms like *http* or *downloadstring*, to determine if there is any unauthorized data exfiltration or command and control communication.
 - Investigate the user account under which the suspicious process was executed to assess if the account has been compromised or is being misused.
-- Correlate the event with other security alerts or logs from data sources like Elastic Defend or Microsoft Defender for Endpoint to gather additional context and identify any related malicious activities.
+- Correlate the event with other security alerts or logs from data sources like Elastic Defend or Microsoft Defender XDR to gather additional context and identify any related malicious activities.
 - Review the system's recent activity and changes, such as new scheduled tasks or services created by schtasks.exe or sc.exe, to identify any persistence mechanisms that may have been established by the attacker.
 ### False positive analysis
@@ -75,7 +75,7 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Windows Security Event Logs",
 "Data Source: Crowdstrike",
 ]
diff --git a/rules/windows/command_and_control_tool_transfer_via_curl.toml b/rules/windows/command_and_control_tool_transfer_via_curl.toml
index ef45907cc..9a3c21f0f 100644
--- a/rules/windows/command_and_control_tool_transfer_via_curl.toml
+++ b/rules/windows/command_and_control_tool_transfer_via_curl.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/03"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/04/10"
+updated_date = "2026/04/20"
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
 "Data Source: Sysmon",
diff --git a/rules/windows/command_and_control_tunnel_cloudflared.toml b/rules/windows/command_and_control_tunnel_cloudflared.toml
index eb025de67..0f99449d8 100644
--- a/rules/windows/command_and_control_tunnel_cloudflared.toml
+++ b/rules/windows/command_and_control_tunnel_cloudflared.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/03/18"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -64,7 +64,7 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Crowdstrike",
 "Data Source: Elastic Endgame",
 "Data Source: Windows Security Event Logs"
diff --git a/rules/windows/command_and_control_tunnel_vscode.toml b/rules/windows/command_and_control_tunnel_vscode.toml
index 913cd3bac..fe4dac341 100644
--- a/rules/windows/command_and_control_tunnel_vscode.toml
+++ b/rules/windows/command_and_control_tunnel_vscode.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/09"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/18"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,7 @@ Visual Studio Code (VScode) offers a remote tunnel feature enabling developers t
 - Check the parent process name to ensure it is not "Code.exe" when the process name is "code-tunnel.exe" with the "status" argument, as this is an exception in the rule.
 - Investigate the origin of the process by examining the user account and machine from which the process was initiated to determine if it aligns with expected usage patterns.
 - Analyze network logs to identify any unusual or unauthorized connections to GitHub or remote VScode instances that may suggest malicious activity.
-- Correlate the event with other security alerts or logs from data sources like Elastic Endgame, Sysmon, or Microsoft Defender for Endpoint to gather additional context on the activity.
+- Correlate the event with other security alerts or logs from data sources like Elastic Endgame, Sysmon, or Microsoft Defender XDR to gather additional context on the activity.
 - Assess the risk and impact by determining if the system or user account has been involved in previous suspicious activities or if there are any indicators of compromise.
 ### False positive analysis
@@ -75,7 +75,7 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Windows Security Event Logs",
 "Data Source: Crowdstrike",
 "Resources: Investigation Guide",
diff --git a/rules/windows/command_and_control_tunnel_yuze.toml b/rules/windows/command_and_control_tunnel_yuze.toml
index cd3862339..f4af4c589 100644
--- a/rules/windows/command_and_control_tunnel_yuze.toml
+++ b/rules/windows/command_and_control_tunnel_yuze.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/03/18"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -66,7 +66,7 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Crowdstrike",
 "Data Source: Elastic Endgame",
 "Data Source: Windows Security Event Logs"
diff --git a/rules/windows/command_and_control_velociraptor_shell_execution.toml b/rules/windows/command_and_control_velociraptor_shell_execution.toml
index 8801cffc6..8a23afda6 100644
--- a/rules/windows/command_and_control_velociraptor_shell_execution.toml
+++ b/rules/windows/command_and_control_velociraptor_shell_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/03/18"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -66,7 +66,7 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Crowdstrike",
 "Data Source: Elastic Endgame",
 "Data Source: Windows Security Event Logs"
diff --git a/rules/windows/credential_access_browsers_unusual_parent.toml b/rules/windows/credential_access_browsers_unusual_parent.toml
index b02f77448..a98b4dcc5 100644
--- a/rules/windows/credential_access_browsers_unusual_parent.toml
+++ b/rules/windows/credential_access_browsers_unusual_parent.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/08/27"
 integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -70,7 +70,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Resources: Investigation Guide",
diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml
index 1c55bf1c6..0f8f0bc02 100644
--- a/rules/windows/credential_access_cmdline_dump_tool.toml
+++ b/rules/windows/credential_access_cmdline_dump_tool.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"]
 maturity = "production"
-updated_date = "2025/09/11"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -75,7 +75,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Data Source: Sysmon",
 ]
diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
index 5057638d0..a1390ee54 100644
--- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
+++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
 [transform]
 [[transform.osquery]]
@@ -125,7 +125,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Data Source: Sysmon",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
index 719a14ef0..e55d7a8f4 100644
--- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
+++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/13"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/30"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -43,7 +43,7 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Crowdstrike",
 "Resources: Investigation Guide",
 ]
diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml
index 18de8dbd6..212c1722f 100644
--- a/rules/windows/credential_access_dump_registry_hives.toml
+++ b/rules/windows/credential_access_dump_registry_hives.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/23"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Data Source: Sysmon",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/credential_access_generic_localdumps.toml b/rules/windows/credential_access_generic_localdumps.toml
index 01dd1f390..e1d5cfb43 100644
--- a/rules/windows/credential_access_generic_localdumps.toml
+++ b/rules/windows/credential_access_generic_localdumps.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/28"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,7 @@ Full user-mode dumps are a diagnostic feature in Windows that captures detailed
 - Check for any recent changes to the registry key by examining the modification timestamps and identifying the user or process responsible for the change.
 - Investigate the context of the alert by reviewing recent process execution logs to identify any suspicious processes that may have triggered the dump, especially those not matching the legitimate svchost.exe process with user IDs S-1-5-18, S-1-5-19, or S-1-5-20.
 - Analyze any generated dump files for sensitive information, such as credentials, and determine if they were accessed or exfiltrated by unauthorized users or processes.
-- Correlate the alert with other security events or logs, such as Sysmon or Microsoft Defender for Endpoint, to identify any related suspicious activities or patterns that could indicate a broader attack.
+- Correlate the alert with other security events or logs, such as Sysmon or Microsoft Defender XDR, to identify any related suspicious activities or patterns that could indicate a broader attack.
 ### False positive analysis
@@ -74,7 +74,7 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Elastic Endgame",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
index 025d8529f..d59d46cd3 100644
--- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml
+++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/credential_access_kirbi_file.toml b/rules/windows/credential_access_kirbi_file.toml
index 8f5e1c47d..c1dbb3130 100644
--- a/rules/windows/credential_access_kirbi_file.toml
+++ b/rules/windows/credential_access_kirbi_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -70,7 +70,7 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Elastic Endgame",
 "Data Source: Crowdstrike",
 "Resources: Investigation Guide",
diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml
index 2dd0821b6..18e6ccef4 100644
--- a/rules/windows/credential_access_lsass_memdump_file_created.toml
+++ b/rules/windows/credential_access_lsass_memdump_file_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
 [transform]
 [[transform.osquery]]
@@ -113,7 +113,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 ]
 timeline_id = "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c"
diff --git a/rules/windows/credential_access_lsass_openprocess_api.toml b/rules/windows/credential_access_lsass_openprocess_api.toml
index d6a78623f..b4bdff4cb 100644
--- a/rules/windows/credential_access_lsass_openprocess_api.toml
+++ b/rules/windows/credential_access_lsass_openprocess_api.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/03/02"
 integration = ["endpoint", "m365_defender"]
 maturity = "production"
-updated_date = "2026/03/02"
+updated_date = "2026/04/07"
 [transform]
 [[transform.osquery]]
@@ -112,7 +112,7 @@ tags = [
 "Tactic: Credential Access",
 "Tactic: Execution",
 "Data Source: Elastic Defend",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
index 8b7aa352c..9eb4f717d 100644
--- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
+++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/31"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -83,7 +83,7 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml
index 03fe54854..01b035e3c 100644
--- a/rules/windows/credential_access_mod_wdigest_security_provider.toml
+++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -84,7 +84,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
index a66e6cacb..34d4cb672 100644
--- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
+++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/03/18"
 integration = ["endpoint", "m365_defender", "windows"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 [transform]
 [[transform.osquery]]
@@ -120,7 +120,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/credential_access_rare_webdav_destination.toml b/rules/windows/credential_access_rare_webdav_destination.toml
index 41ab73ef4..9c38d1d7f 100644
--- a/rules/windows/credential_access_rare_webdav_destination.toml
+++ b/rules/windows/credential_access_rare_webdav_destination.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/28"
 integration = ["endpoint", "system", "windows", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -46,7 +46,7 @@ tags = [
 "Tactic: Credential Access",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Crowdstrike",
 "Resources: Investigation Guide",
 ]
diff --git a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
index 0f9a40028..a0fe23faf 100644
--- a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
+++ b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/04/30"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -40,7 +40,7 @@ NTLM, a suite of Microsoft security protocols, is often targeted by adversaries
 - Investigate the network connections initiated by the rundll32.exe process to identify any HTTP requests targeting named pipes, such as those containing "/print/pipe/", "/pipe/spoolss", or "/pipe/srvsvc".
 - Check the system's event logs for any related authentication attempts or failures around the time of the alert to identify potential NTLM relay activity.
 - Analyze the history of the Windows Printer Spooler service on the affected host to determine if it has been recently manipulated or exploited.
-- Correlate the alert with other security events or alerts from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or patterns.
+- Correlate the alert with other security events or alerts from data sources like Microsoft Defender XDR or Sysmon to identify any related suspicious activities or patterns.
 - Assess the user account associated with the NTLM authentication attempt to determine if it has been compromised or is being used in an unauthorized manner.
 ### False positive analysis
@@ -77,7 +77,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml
index bcb205d1e..a07bc3edc 100644
--- a/rules/windows/credential_access_saved_creds_vaultcmd.toml
+++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -42,7 +42,7 @@ Windows Credential Manager stores credentials for websites, applications, and ne
 - Investigate the parent process of vaultcmd.exe to understand how it was initiated and whether it was triggered by a legitimate application or script.
 - Examine recent login activity and network connections from the host to identify any signs of lateral movement or unauthorized access attempts.
 - Correlate this event with other security alerts or logs from the same host or user to identify potential patterns of malicious behavior.
-- Review endpoint security logs from tools like Microsoft Defender for Endpoint or Crowdstrike for additional context or corroborating evidence of credential access attempts.
+- Review endpoint security logs from tools like Microsoft Defender XDR or Crowdstrike for additional context or corroborating evidence of credential access attempts.
 ### False positive analysis
@@ -76,7 +76,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
index b8650e2ef..ad25bfb0b 100644
--- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
+++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/12/25"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -102,7 +102,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/credential_access_veeam_commands.toml b/rules/windows/credential_access_veeam_commands.toml
index 2895e6e80..aa0cdd6a0 100644
--- a/rules/windows/credential_access_veeam_commands.toml
+++ b/rules/windows/credential_access_veeam_commands.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/03/14"
 integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -40,7 +40,7 @@ Veeam credentials stored in MSSQL databases are crucial for managing backup oper
 - Examine the command line arguments for any references to [VeeamBackup].[dbo].[Credentials] to determine if there was an attempt to access or decrypt Veeam credentials.
 - Check the user account associated with the process execution to assess if it is a legitimate user or potentially compromised.
 - Investigate the source host for any signs of unauthorized access or suspicious activity, such as unusual login times or failed login attempts.
-- Correlate the alert with other security events or logs from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related malicious activities or patterns.
+- Correlate the alert with other security events or logs from data sources like Microsoft Defender XDR or Sysmon to identify any related malicious activities or patterns.
 - Assess the risk and impact by determining if any Veeam credentials were successfully accessed or exfiltrated, and evaluate the potential for data breaches or ransomware attacks.
 ### False positive analysis
@@ -73,7 +73,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/credential_access_wbadmin_ntds.toml b/rules/windows/credential_access_wbadmin_ntds.toml
index d8e4b5920..e392615e1 100644
--- a/rules/windows/credential_access_wbadmin_ntds.toml
+++ b/rules/windows/credential_access_wbadmin_ntds.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/05"
 integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,7 @@ Wbadmin is a Windows utility for backup and recovery, often used by administrato - Review the process execution details to confirm the presence of wbadmin.exe with the specific arguments related to NTDS.dit, as indicated by the process.command_line field. - Check the user account associated with the process execution to determine if it belongs to a privileged group such as Backup Operators, which could indicate potential misuse of privileges. - Investigate the source host identified by host.os.type to determine if it is a domain controller, as this would be a critical factor in assessing the risk of the activity. -- Correlate the event with other security logs or alerts from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or patterns. +- Correlate the event with other security logs or alerts from data sources like Microsoft Defender XDR or Sysmon to identify any related suspicious activities or patterns. - Examine recent changes or access attempts to the NTDS.dit file on the domain controller to identify any unauthorized access or modifications. - Assess the risk score and severity level to prioritize the investigation and determine if immediate response actions are necessary. @@ -71,7 +71,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/credential_access_wireless_creds_dumping.toml b/rules/windows/credential_access_wireless_creds_dumping.toml index efaef16ac..623b098db 100644 --- a/rules/windows/credential_access_wireless_creds_dumping.toml +++ b/rules/windows/credential_access_wireless_creds_dumping.toml 
@@ -2,7 +2,7 @@ creation_date = "2022/11/01" integration = ["endpoint", "system", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/30" +updated_date = "2026/04/07" [transform] [[transform.osquery]] @@ -106,7 +106,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml index ab0b32e27..56265257f 100644 --- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml +++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/04/07" [transform] [[transform.osquery]] @@ -114,7 +114,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml index 0285fbdc8..171fa8df0 100644 --- a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml +++ b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/01/17" integration = ["windows", "endpoint", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/04/07" [transform] [[transform.osquery]] @@ -111,7 +111,7 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml index a8dac0c7b..bb568e077 100644 --- a/rules/windows/defense_evasion_amsienable_key_mod.toml +++ b/rules/windows/defense_evasion_amsienable_key_mod.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/01" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -89,7 +89,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Data Source: Crowdstrike", ] diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml index f05d40e10..9ed21d870 100644 --- a/rules/windows/defense_evasion_clearing_windows_console_history.toml +++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml @@ -2,7 +2,7 @@ creation_date = "2021/11/22" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/04/07" [rule] author = ["Austin Songer"] 
@@ -74,7 +74,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml index 50a42f7e7..b45115f6a 100644 --- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -70,7 +70,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml index 2ff0537af..afa59bcf1 100644 --- a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml +++ b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/31" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/04/07" [transform] [[transform.osquery]] 
@@ -104,7 +104,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml index 7e89e09c3..5037185cd 100644 --- a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml +++ b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/31" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/04/07" [transform] [[transform.osquery]] @@ -102,7 +102,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Data Source: Crowdstrike", ] diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml index 514692fc0..ee21a9903 100644 --- a/rules/windows/defense_evasion_create_mod_root_certificate.toml +++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml @@ -2,7 +2,7 @@ creation_date = "2021/02/01" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Elastic"] 
@@ -85,7 +85,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", ] timestamp_override = "event.ingested" diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml index 6194cfb85..c94e860b7 100644 --- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/23" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -71,7 +71,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml index 0666acac3..2bd3ec3b6 100644 --- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml +++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/20" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/12" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -90,7 +90,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", 
diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml index aa7309054..0b23f63a3 100644 --- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml +++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -69,7 +69,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_disable_nla.toml b/rules/windows/defense_evasion_disable_nla.toml index e808563ba..c3002bf2b 100644 --- a/rules/windows/defense_evasion_disable_nla.toml +++ b/rules/windows/defense_evasion_disable_nla.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/25" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -71,7 +71,7 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Data Source: Sysmon", "Resources: Investigation Guide", diff --git a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml index be0fc9188..4549efc37 100644 --- a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml 
+++ b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/31" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -112,7 +112,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Data Source: Crowdstrike", ] diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml index 7787f5001..c6f009c6b 100644 --- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml +++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -67,7 +67,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml index 5d0fb5328..ef4bc8c75 100644 --- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml +++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/07/07" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/12" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -78,7 +78,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml index 8a2c924a7..4f134c5ba 100644 --- a/rules/windows/defense_evasion_disabling_windows_logs.toml +++ b/rules/windows/defense_evasion_disabling_windows_logs.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/06" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/12" +updated_date = "2026/04/07" [rule] author = ["Elastic", "Ivan Ninichuck", "Austin Songer"] @@ -72,7 +72,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_dns_over_https_enabled.toml b/rules/windows/defense_evasion_dns_over_https_enabled.toml index 3ccda2825..46b0b48b5 100644 --- a/rules/windows/defense_evasion_dns_over_https_enabled.toml +++ b/rules/windows/defense_evasion_dns_over_https_enabled.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/07/22" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/04/07" [rule] author = ["Austin Songer"] @@ -72,7 +72,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Resources: Investigation Guide", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml index 8efcca4ce..715ae9fc0 100644 --- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml +++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/21" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -72,7 +72,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml index 0ac8e7710..3c49cefa7 100644 --- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml +++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -73,7 +73,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml index 3518f6d74..80a29d4a3 100644 --- a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml +++ b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/07" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -69,7 +69,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml index f5b76cd15..04fc753b3 100644 --- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml +++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/09/08" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -40,7 +40,7 @@ The Control Panel in Windows is a system utility that allows users to view and a - Check the parent process of control.exe to determine if it was spawned by a legitimate application or a potentially malicious one. - Investigate the user account associated with the process to verify if the activity aligns with their typical behavior or if it appears suspicious. - Examine recent file modifications or creations in directories like \\AppData\\Local\\ or \\Users\\Public\\ to identify any unauthorized or unexpected changes. -- Correlate the event with other security alerts or logs from data sources like Microsoft Defender for Endpoint or Sysmon to gather additional context on the potential threat. +- Correlate the event with other security alerts or logs from data sources like Microsoft Defender XDR or Sysmon to gather additional context on the potential threat. - Assess the network activity of the host during the time of the alert to identify any unusual outbound connections that may indicate data exfiltration or command and control communication. ### False positive analysis @@ -73,7 +73,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml index 23c029f86..22f6c5e1b 100644 --- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml +++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [transform] [[transform.osquery]] @@ -115,7 +115,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml index c5fd16c25..e89e35174 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -95,7 +95,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml index 08c29c23c..80f7e5f58 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -41,7 +41,7 @@ The Microsoft Build Engine (MSBuild) is a platform for building applications, ty - Check the command line arguments used to start MSBuild.exe for any suspicious or unusual parameters that could indicate malicious activity. - Investigate the user account associated with the process to determine if it aligns with expected behavior or if it might be compromised. - Examine recent file modifications or creations in directories commonly used by MSBuild to identify any unauthorized or unexpected files. -- Correlate the event with other security alerts or logs from data sources like Microsoft Defender for Endpoint or Sysmon to gather additional context on the activity. +- Correlate the event with other security alerts or logs from data sources like Microsoft Defender XDR or Sysmon to gather additional context on the activity. - Assess the network activity of the host during the time of the alert to identify any potential data exfiltration or communication with known malicious IP addresses. ### False positive analysis @@ -73,7 +73,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml index 084e10613..6ac0aa03a 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/04/07" [transform] [[transform.osquery]] @@ -112,7 +112,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml index 4b5e879dc..5b530a23e 100644 --- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml +++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/03" integration = ["endpoint", "windows", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/04/07" [rule] author = ["Elastic"] 
@@ -39,7 +39,7 @@ DLL side-loading exploits the DLL search order to load malicious code into trust - Investigate the process execution path to determine if it deviates from the standard paths listed in the query, such as "?:\\Windows\\explorer.exe" or "?:\\Program Files\\Microsoft Office\\root\\Office*\\WINWORD.EXE". - Examine the process creation history and parent process to identify any unusual or suspicious parent-child relationships that might indicate malicious activity. - Check for any recent file modifications or creations in the directory from which the process was executed, which could suggest the presence of a malicious DLL. -- Correlate the event with other security logs or alerts from data sources like Elastic Endgame, Elastic Defend, Sysmon, or Microsoft Defender for Endpoint to gather additional context and identify potential patterns of malicious behavior. +- Correlate the event with other security logs or alerts from data sources like Elastic Endgame, Elastic Defend, Sysmon, or Microsoft Defender XDR to gather additional context and identify potential patterns of malicious behavior. - Assess the risk and impact of the event by considering the risk score and severity level provided, and determine if immediate containment or further investigation is necessary. ### False positive analysis @@ -71,7 +71,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Resources: Investigation Guide", "Data Source: Crowdstrike", "Data Source: SentinelOne", diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml index 4bc03f720..6e978ecb8 100644 --- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml +++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/07/07" integration = ["endpoint", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Elastic", "Dennis Perto"] @@ -72,7 +72,7 @@ tags = [ "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Crowdstrike", "Resources: Investigation Guide", ] diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml index 8725775f1..37eeedd39 100644 --- a/rules/windows/defense_evasion_file_creation_mult_extension.toml +++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -69,7 +69,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Resources: Investigation Guide", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_from_unusual_directory.toml b/rules/windows/defense_evasion_from_unusual_directory.toml index e90c1453f..8f8205b28 100644 --- a/rules/windows/defense_evasion_from_unusual_directory.toml +++ b/rules/windows/defense_evasion_from_unusual_directory.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/30" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2026/04/07" [transform] [[transform.osquery]] 
@@ -120,7 +120,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Resources: Investigation Guide", diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml index 2adf52c0c..4aea12920 100644 --- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml +++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/25" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Elastic"] 
@@ -38,7 +38,7 @@ Windows Registry is a hierarchical database storing low-level settings for the O - Analyze the encoded data string "TVqQAAMAAAAEAAAA*" to determine if it corresponds to a known malicious executable or pattern. - Check the modification timestamp to correlate with any other suspicious activities or events on the system around the same time. - Investigate the process or user account responsible for the registry modification to assess if it is associated with legitimate activity or known threats. -- Cross-reference the alert with other data sources such as Sysmon, Microsoft Defender for Endpoint, or SentinelOne for additional context or corroborating evidence of malicious behavior. +- Cross-reference the alert with other data sources such as Sysmon, Microsoft Defender XDR, or SentinelOne for additional context or corroborating evidence of malicious behavior. - Evaluate the system's network activity and connections during the time of the registry modification to identify any potential command and control communications or data exfiltration attempts. ### False positive analysis @@ -69,7 +69,7 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Crowdstrike", "Resources: Investigation Guide", ] diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml index 608e97c8b..8dba2825a 100644 --- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml +++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/14" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/30" +updated_date = "2026/04/07" [rule] author = ["Elastic"] 
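Review bot: The substitution also rewrites the investigation-guide prose in this `@@ -38,7` hunk, not only the `Data Source:` tag, so the guide now tells the analyst to cross-reference "Microsoft Defender XDR" where it previously named the product that supplies the endpoint telemetry; Defender XDR is the broader suite, and the corroborating registry/process events presumably still originate from the Defender for Endpoint sensor. If the intent per the PR title is to align the tag with the `m365_defender` integration, consider leaving the product name in the prose unchanged or writing it as `Microsoft Defender XDR (Defender for Endpoint)` so the guide stays precise about where the evidence comes from. The same prose substitution appears in the later hunks for masquerading_as_elastic_endpoint_process, masquerading_suspicious_werfault_childproc, masquerading_trusted_directory, persistence_account_tokenfilterpolicy, proxy_execution_via_msdt, run_virt_windowssandbox, sc_sdset, scheduledjobs_at_protocol_enabled and script_via_html_app.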
@@ -71,7 +71,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_indirect_exec_conhost.toml b/rules/windows/defense_evasion_indirect_exec_conhost.toml index 2bf8c9b53..9875c62ec 100644 --- a/rules/windows/defense_evasion_indirect_exec_conhost.toml +++ b/rules/windows/defense_evasion_indirect_exec_conhost.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/21" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/30" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -62,7 +62,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_indirect_exec_forfiles.toml b/rules/windows/defense_evasion_indirect_exec_forfiles.toml index 35a8dcd17..c1e1ff10e 100644 --- a/rules/windows/defense_evasion_indirect_exec_forfiles.toml +++ b/rules/windows/defense_evasion_indirect_exec_forfiles.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/03" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/11" +updated_date = "2026/04/07" [rule] author = ["Elastic"] 
@@ -62,7 +62,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_indirect_exec_openssh.toml b/rules/windows/defense_evasion_indirect_exec_openssh.toml index 2ab97f6ee..274d2a94f 100644 --- a/rules/windows/defense_evasion_indirect_exec_openssh.toml +++ b/rules/windows/defense_evasion_indirect_exec_openssh.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/21" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/30" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -62,7 +62,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml index 760a67eeb..9c86d6fea 100644 --- a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml +++ b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/24" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Elastic"] 
@@ -70,7 +70,7 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Crowdstrike", "Data Source: Windows Security Event Logs", "Resources: Investigation Guide", diff --git a/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml b/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml index 666ad8bda..f56e60a4c 100644 --- a/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml +++ b/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/27" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -73,7 +73,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Data Source: Crowdstrike", ] diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml index 00ea4e6ed..cbd25e2a0 100644 --- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml +++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/24" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Elastic"] 
@@ -39,7 +39,7 @@ Endpoint security solutions, like Elastic and Microsoft Defender, monitor and pr - Examine the parent process executable path and name to determine if it is a known legitimate process or potentially malicious. Pay special attention to paths not listed in the known benign paths, such as those outside "?:\\Program Files\\Elastic\\*" or "?:\\Windows\\System32\\*". - Investigate the command-line arguments used by the parent process to identify any unusual or suspicious patterns that could indicate malicious activity, especially if they do not match the benign arguments like "test", "version", or "status". - Check the historical activity of the parent process to see if it has been involved in other suspicious activities or if it has a history of spawning security-related processes. -- Correlate the alert with other security events or logs from data sources like Elastic Endgame, Microsoft Defender for Endpoint, or Sysmon to gather additional context and identify any related suspicious activities. +- Correlate the alert with other security events or logs from data sources like Elastic Endgame, Microsoft Defender XDR, or Sysmon to gather additional context and identify any related suspicious activities. - Assess the risk and impact of the alert by considering the environment, the criticality of the affected systems, and any potential data exposure or operational disruption. ### False positive analysis @@ -70,7 +70,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Resources: Investigation Guide", diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml index 749e89527..2e56826ca 100644 --- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml 
+++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["endpoint", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [transform] [[transform.osquery]] @@ -110,7 +110,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Crowdstrike" ] timestamp_override = "event.ingested" diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml index f7808e814..9c0326943 100644 --- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml +++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/24" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/04/07" [rule] author = ["Elastic"] 
@@ -39,7 +39,7 @@ WerFault.exe is a Windows error reporting tool that handles application crashes. - Investigate the network connections established by the suspicious process to identify any unusual or unauthorized external communications. - Analyze file writes and modifications made by the process to detect any unauthorized changes or potential indicators of compromise. - Check the parent process tree to understand the context of how WerFault.exe was invoked and identify any preceding suspicious activities or processes. -- Correlate the event with other security alerts or logs from data sources like Elastic Endgame, Elastic Defend, Microsoft Defender for Endpoint, Sysmon, or SentinelOne to gather additional context and assess the scope of the potential threat. +- Correlate the event with other security alerts or logs from data sources like Elastic Endgame, Elastic Defend, Microsoft Defender XDR, Sysmon, or SentinelOne to gather additional context and assess the scope of the potential threat. ### False positive analysis @@ -75,7 +75,7 @@ tags = [ "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Resources: Investigation Guide", diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml index 501408faa..01dc133b1 100644 --- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml +++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/04/07" [rule] author = ["Elastic"] 
@@ -40,7 +40,7 @@ The Program Files directories in Windows are trusted locations for legitimate so - Review the process executable path to confirm if it matches any known masquerading patterns, such as unexpected directories containing "Program Files" in their path. - Check the parent process of the suspicious executable to determine how it was launched and assess if the parent process is legitimate or potentially malicious. - Investigate the user account associated with the process execution to determine if it has low privileges and if the activity aligns with typical user behavior. -- Correlate the event with other security logs or alerts from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or patterns. +- Correlate the event with other security logs or alerts from data sources like Microsoft Defender XDR or Sysmon to identify any related suspicious activities or patterns. - Examine the file hash of the executable to see if it matches known malware signatures or if it has been flagged in threat intelligence databases. - Assess the network activity associated with the process to identify any unusual outbound connections that could indicate data exfiltration or command-and-control communication. @@ -72,7 +72,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml index 7e8e3addb..ee0c20ee8 100644 --- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml +++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/10/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Austin Songer"] @@ -83,7 +83,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_modify_ownership_os_files.toml b/rules/windows/defense_evasion_modify_ownership_os_files.toml index 21d79ba0e..6e5487524 100644 --- a/rules/windows/defense_evasion_modify_ownership_os_files.toml +++ b/rules/windows/defense_evasion_modify_ownership_os_files.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/01" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/02" +updated_date = "2026/04/07" [rule] @@ -68,7 +68,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml index aee207a0b..b2dc8dcda 100644 --- a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml +++ b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/12" integration = ["windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/04/07" [rule] author = ["Elastic"] 
@@ -81,7 +81,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Data Source: Crowdstrike", ] diff --git a/rules/windows/defense_evasion_mshta_susp_child.toml b/rules/windows/defense_evasion_mshta_susp_child.toml index bbf270aa6..6ee8722d6 100644 --- a/rules/windows/defense_evasion_mshta_susp_child.toml +++ b/rules/windows/defense_evasion_mshta_susp_child.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -72,7 +72,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_msiexec_remote_payload.toml b/rules/windows/defense_evasion_msiexec_remote_payload.toml index 7d4242385..10cc4a665 100644 --- a/rules/windows/defense_evasion_msiexec_remote_payload.toml +++ b/rules/windows/defense_evasion_msiexec_remote_payload.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -70,7 +70,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", 
diff --git a/rules/windows/defense_evasion_ntlm_downgrade.toml b/rules/windows/defense_evasion_ntlm_downgrade.toml index d9a469560..50e388b48 100644 --- a/rules/windows/defense_evasion_ntlm_downgrade.toml +++ b/rules/windows/defense_evasion_ntlm_downgrade.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/14" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -63,7 +63,7 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Data Source: Sysmon", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_obf_args_unicode_modified_letters.toml b/rules/windows/defense_evasion_obf_args_unicode_modified_letters.toml index 2f30e9d9d..995bb8c66 100644 --- a/rules/windows/defense_evasion_obf_args_unicode_modified_letters.toml +++ b/rules/windows/defense_evasion_obf_args_unicode_modified_letters.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/13" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/11/13" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -70,7 +70,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml index bf0b6c60d..3cd2cf9c8 100644 --- a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml 
+++ b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml @@ -2,7 +2,7 @@ creation_date = "2022/11/01" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -39,7 +39,7 @@ The LocalAccountTokenFilterPolicy is a Windows registry setting that, when enabl - Identify the user account and process responsible for the registry modification by examining the associated event logs for user and process information. - Check for any recent remote connections to the affected system, focusing on connections initiated by local administrator accounts, to determine if the change was exploited for lateral movement. - Investigate any other recent registry changes on the host to identify potential patterns of unauthorized modifications that could indicate broader malicious activity. -- Correlate the event with other security alerts or logs from data sources like Elastic Endgame, Elastic Defend, Sysmon, SentinelOne, or Microsoft Defender for Endpoint to gather additional context and assess the scope of the potential threat. +- Correlate the event with other security alerts or logs from data sources like Elastic Endgame, Elastic Defend, Sysmon, SentinelOne, or Microsoft Defender XDR to gather additional context and assess the scope of the potential threat. - Assess the system for signs of compromise or malicious activity, such as unusual processes, network connections, or file modifications, that may have occurred around the time of the registry change. ### False positive analysis @@ -76,7 +76,7 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Crowdstrike", "Resources: Investigation Guide", ] 
diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml index 772ec9c60..3c8fa869a 100644 --- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml +++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/15" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/12" +updated_date = "2026/04/07" [rule] author = ["Austin Songer"] @@ -84,7 +84,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml index f388d5379..2ebee1744 100644 --- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml +++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/31" integration = ["endpoint", "windows", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Elastic"] 
@@ -38,7 +38,7 @@ The Microsoft Diagnostics Troubleshooting Wizard (MSDT) is a legitimate tool use - Examine the parent process of msdt.exe to determine if it was launched by an unexpected or potentially malicious process like cmd.exe, powershell.exe, or mshta.exe. - Check the file path of the msdt.exe executable to ensure it matches the standard locations (?:\\Windows\\system32\\msdt.exe or ?:\\Windows\\SysWOW64\\msdt.exe) and investigate any deviations. - Investigate the user account associated with the process execution to determine if the activity aligns with their typical behavior or if it appears suspicious. -- Correlate the event with other security alerts or logs from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related malicious activities or patterns. +- Correlate the event with other security alerts or logs from data sources like Microsoft Defender XDR or Sysmon to identify any related malicious activities or patterns. - Assess the risk score and severity of the alert to prioritize the investigation and determine if immediate action is required to mitigate potential threats. ### False positive analysis @@ -72,7 +72,7 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: Crowdstrike", "Data Source: SentinelOne", diff --git a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml index 74bb37e81..0528a23a8 100644 --- a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml +++ b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/05/31" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -74,7 +74,7 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", diff --git a/rules/windows/defense_evasion_regmod_remotemonologue.toml b/rules/windows/defense_evasion_regmod_remotemonologue.toml index 8bf18cae2..9fc674fd1 100644 --- a/rules/windows/defense_evasion_regmod_remotemonologue.toml +++ b/rules/windows/defense_evasion_regmod_remotemonologue.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/14" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -61,7 +61,7 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Data Source: Sysmon", "Resources: Investigation Guide", diff --git a/rules/windows/defense_evasion_right_to_left_override.toml b/rules/windows/defense_evasion_right_to_left_override.toml index 2b351c4f4..55e559b0b 100644 --- a/rules/windows/defense_evasion_right_to_left_override.toml +++ b/rules/windows/defense_evasion_right_to_left_override.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/20" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/04/07" [rule] author = ["Elastic"] 
@@ -69,7 +69,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Resources: Investigation Guide", ] diff --git a/rules/windows/defense_evasion_root_dir_ads_creation.toml b/rules/windows/defense_evasion_root_dir_ads_creation.toml index 6c2740ef0..4855512bd 100644 --- a/rules/windows/defense_evasion_root_dir_ads_creation.toml +++ b/rules/windows/defense_evasion_root_dir_ads_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/14" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -69,7 +69,7 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Resources: Investigation Guide", diff --git a/rules/windows/defense_evasion_run_virt_windowssandbox.toml b/rules/windows/defense_evasion_run_virt_windowssandbox.toml index c24ae9e43..cd0cbd061 100644 --- a/rules/windows/defense_evasion_run_virt_windowssandbox.toml +++ b/rules/windows/defense_evasion_run_virt_windowssandbox.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/14" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/07/07" +updated_date = "2026/04/07" [rule] author = ["Elastic"] 
@@ -39,7 +39,7 @@ Windows Sandbox is a lightweight virtual environment designed to safely run untr - Investigate any file system access attempts by the sandbox, particularly focusing on write access to the host file system indicated by "C:\\false". Determine if any unauthorized or suspicious files have been modified or created. - Examine network activity associated with the sandbox process to identify any unexpected or unauthorized connections, especially if "true>" is present in the command line. - Check for any logon commands executed by the sandbox process using "" in the command line to identify potential persistence mechanisms or automated tasks that could indicate malicious intent. -- Correlate the sandbox activity with other security alerts or logs from data sources like Elastic Endgame, Sysmon, or Microsoft Defender for Endpoint to gather additional context and identify any related suspicious activities. +- Correlate the sandbox activity with other security alerts or logs from data sources like Elastic Endgame, Sysmon, or Microsoft Defender XDR to gather additional context and identify any related suspicious activities. ### False positive analysis @@ -70,7 +70,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide", diff --git a/rules/windows/defense_evasion_sc_sdset.toml b/rules/windows/defense_evasion_sc_sdset.toml index e543bd70b..618eba2a7 100644 --- a/rules/windows/defense_evasion_sc_sdset.toml +++ b/rules/windows/defense_evasion_sc_sdset.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/16" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/04/07" [rule] author = ["Elastic"] 
@@ -35,7 +35,7 @@ The `sc.exe` utility in Windows is used to manage services, including modifying - Examine the specific arguments used with "sc.exe" to identify which user groups (e.g., IU, SU, BA, SY, WD) were targeted for access denial. - Check the process execution timeline to determine if this activity coincides with other suspicious behavior or unauthorized access attempts. - Investigate the user account associated with the process execution to assess if it has the necessary privileges and if the activity aligns with their typical behavior. -- Correlate this event with other security alerts or logs from data sources like Elastic Endgame, Sysmon, or Microsoft Defender for Endpoint to identify potential patterns or related incidents. +- Correlate this event with other security alerts or logs from data sources like Elastic Endgame, Sysmon, or Microsoft Defender XDR to identify potential patterns or related incidents. - Assess the impact on the affected service by verifying its current state and functionality, ensuring it is not hidden or unmanageable. - If necessary, consult with system administrators to understand the legitimate need for such modifications and confirm if the activity was authorized. @@ -75,7 +75,7 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml index baa9ab7ad..433269750 100644 --- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml +++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml 
@@ -2,7 +2,7 @@
 creation_date = "2020/11/23"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,7 @@ The AT command, a legacy Windows utility, schedules tasks for execution, often u
 - Identify the user account and process responsible for the registry change by examining the event logs for associated user and process information.
 - Check for any scheduled tasks created or modified around the time of the registry change to determine if the AT command was used to schedule any tasks.
 - Investigate the system for any signs of lateral movement or persistence mechanisms that may have been established using the AT command.
-- Correlate the event with other security alerts or logs from data sources like Elastic Endgame, Elastic Defend, Sysmon, Microsoft Defender for Endpoint, or SentinelOne to gather additional context and assess the scope of potential malicious activity.
+- Correlate the event with other security alerts or logs from data sources like Elastic Endgame, Elastic Defend, Sysmon, Microsoft Defender XDR, or SentinelOne to gather additional context and assess the scope of potential malicious activity.
 ### False positive analysis
@@ -71,7 +71,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
 "Resources: Investigation Guide",
diff --git a/rules/windows/defense_evasion_script_via_html_app.toml b/rules/windows/defense_evasion_script_via_html_app.toml
index b170725e2..eb937d05a 100644
--- a/rules/windows/defense_evasion_script_via_html_app.toml
+++ b/rules/windows/defense_evasion_script_via_html_app.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/09"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 [rule]
@@ -41,7 +41,7 @@ Microsoft HTML Applications (HTA) allow scripts to run in a trusted environment,
 - Check the parent process executable path to determine if the process was spawned by a known legitimate application or if it deviates from expected behavior, especially if it is not from the specified exceptions like Citrix, Microsoft Office, or Quokka.Works GTInstaller.
 - Investigate the origin of the HTA file, particularly if it was executed from common download locations like the Downloads folder or temporary archive extraction paths, to assess if it was downloaded from the internet or extracted from an archive.
 - Analyze the process arguments and count to identify any unusual or unexpected parameters that could indicate malicious intent, especially if the process name is "mshta.exe" and the command line does not include typical HTA or HTM file references.
-- Correlate the event with other security logs and alerts from data sources like Sysmon, SentinelOne, or Microsoft Defender for Endpoint to gather additional context and determine if this activity is part of a broader attack pattern.
+- Correlate the event with other security logs and alerts from data sources like Sysmon, SentinelOne, or Microsoft Defender XDR to gather additional context and determine if this activity is part of a broader attack pattern.
 ### False positive analysis
@@ -70,7 +70,7 @@ tags = [
 "Data Source: Windows Security Event Logs",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Elastic Defend",
 "Data Source: Crowdstrike",
 "Resources: Investigation Guide",
diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
index 4436cce75..a7cfcc59c 100644
--- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
+++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -68,7 +68,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
 ]
diff --git a/rules/windows/defense_evasion_sip_provider_mod.toml b/rules/windows/defense_evasion_sip_provider_mod.toml
index 9d1336517..b20e917c7 100644
--- a/rules/windows/defense_evasion_sip_provider_mod.toml
+++ b/rules/windows/defense_evasion_sip_provider_mod.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/20"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -38,7 +38,7 @@ Subject Interface Package (SIP) providers are integral to Windows' cryptographic
 - Review the registry path and value changes to confirm if they match the suspicious patterns specified in the query, such as modifications under the paths related to CryptSIPDllPutSignedDataMsg or Trust FinalPolicy.
 - Identify the process responsible for the registry change by examining the process name and compare it against the exclusions in the query, ensuring it is not a benign process like msiexec.exe or regsvr32.exe.
 - Investigate the DLL file specified in the registry change to determine its legitimacy, checking its digital signature and origin.
-- Correlate the event with other security logs or alerts from data sources like Sysmon or Microsoft Defender for Endpoint to identify any related suspicious activities or patterns.
+- Correlate the event with other security logs or alerts from data sources like Sysmon or Microsoft Defender XDR to identify any related suspicious activities or patterns.
 - Assess the risk context by considering the host's role and any recent changes or incidents that might explain the registry modification, ensuring it aligns with expected behavior or authorized changes.
 ### False positive analysis
@@ -70,7 +70,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
 "Resources: Investigation Guide",
diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
index 585068b0d..7451ffa73 100644
--- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/14"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/30"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -38,7 +38,7 @@ SolarWinds software is integral for network management, often requiring deep sys
 - Examine the registry path in the alert to ensure it corresponds to the critical service start type locations, such as "HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start".
 - Check the registry data value to verify if it has been set to "4" (disabled), indicating a potential attempt to disable a service.
 - Investigate the timeline of the registry change event to identify any preceding or subsequent suspicious activities on the host.
-- Correlate the alert with other security logs or alerts from data sources like Sysmon or Microsoft Defender for Endpoint to identify any related malicious activities or patterns.
+- Correlate the alert with other security logs or alerts from data sources like Sysmon or Microsoft Defender XDR to identify any related malicious activities or patterns.
 - Assess the impacted service to determine its role in security operations and evaluate the potential impact of it being disabled.
 - Contact the system owner or administrator to verify if the registry change was authorized or part of a legitimate maintenance activity.
@@ -56,7 +56,7 @@ SolarWinds software is integral for network management, often requiring deep sys
 - Restore the registry settings for the affected services to their original state, ensuring that critical security services are re-enabled and configured to start automatically.
 - Conduct a thorough review of the affected system for additional signs of compromise, including unauthorized user accounts, scheduled tasks, or other persistence mechanisms.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach.
-- Implement enhanced monitoring on the affected system and similar environments to detect any future unauthorized registry changes, leveraging data sources like Sysmon and Microsoft Defender for Endpoint.
+- Implement enhanced monitoring on the affected system and similar environments to detect any future unauthorized registry changes, leveraging data sources like Sysmon and Microsoft Defender XDR.
 - Review and update access controls and permissions for SolarWinds processes to limit their ability to modify critical system settings, reducing the risk of future exploitation."""
 references = [
 "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
@@ -73,7 +73,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
 "Resources: Investigation Guide",
diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
index 9698c3f6a..b443fd2c3 100644
--- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml
+++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 [transform]
 [[transform.osquery]]
@@ -121,7 +121,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
index a3e25bc19..6f467ccb2 100644
--- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
+++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/21"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/30"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -71,7 +71,7 @@ tags = [
 "Tactic: Defense Evasion",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Data Source: Elastic Endgame",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/defense_evasion_suspicious_short_program_name.toml b/rules/windows/defense_evasion_suspicious_short_program_name.toml
index fdca3fcd0..b0f4d9aaf 100644
--- a/rules/windows/defense_evasion_suspicious_short_program_name.toml
+++ b/rules/windows/defense_evasion_suspicious_short_program_name.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/15"
 integration = ["endpoint", "windows", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/12/12"
+updated_date = "2026/04/07"
 [transform]
 [[transform.osquery]]
@@ -108,7 +108,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Crowdstrike",
 "Resources: Investigation Guide",
 ]
diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
index 611a28342..b243fffa5 100644
--- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
+++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 [transform]
 [[transform.osquery]]
@@ -115,7 +115,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Windows Security Event Logs",
 "Data Source: Crowdstrike",
 "Data Source: Sysmon",
diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
index 2126ccfcd..31d0dd3c1 100644
--- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
+++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/19"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 [transform]
 [[transform.osquery]]
@@ -112,7 +112,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
 ]
diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
index 27cda437a..9f15b3b44 100644
--- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml
+++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/21"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/19"
+updated_date = "2026/04/07"
 [transform]
 [[transform.osquery]]
@@ -115,7 +115,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Data Source: Elastic Endgame",
 ]
diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml
index 2ad97e219..d428cc29c 100644
--- a/rules/windows/defense_evasion_unusual_dir_ads.toml
+++ b/rules/windows/defense_evasion_unusual_dir_ads.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/12"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -38,7 +38,7 @@ Alternate Data Streams (ADS) in Windows allow files to contain multiple data str
 - Examine the process arguments, specifically looking for the pattern "?:\\\\*:*", to understand the context of the execution and identify any suspicious or unusual characteristics.
 - Check the parent process of the flagged process to assess if it was initiated by a legitimate or expected source.
 - Investigate the user account associated with the process execution to determine if the activity aligns with the user's typical behavior or if it appears anomalous.
-- Correlate the event with other security logs or alerts from data sources like Sysmon, Microsoft Defender for Endpoint, or Crowdstrike to gather additional context and identify any related suspicious activities.
+- Correlate the event with other security logs or alerts from data sources like Sysmon, Microsoft Defender XDR, or Crowdstrike to gather additional context and identify any related suspicious activities.
 - Search for any known indicators of compromise (IOCs) related to the process or file path in threat intelligence databases to assess if the activity is associated with known threats.
 ### False positive analysis
@@ -69,7 +69,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
 "Resources: Investigation Guide",
diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
index 1cba1345c..a5e0af41b 100644
--- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
+++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/09/11"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ In Windows environments, the System process (PID 4) is a critical component resp
 - Review the process details of the suspicious child process, including the executable path and command line arguments, to determine if it matches known malicious patterns or anomalies.
 - Check the parent process (PID 4) to confirm it is indeed the System process and verify if any legitimate processes are excluded as per the rule (e.g., Registry, MemCompression, smss.exe).
 - Investigate the timeline of events leading up to the process start event to identify any preceding suspicious activities or anomalies that might indicate process injection or exploitation.
-- Correlate the alert with other security telemetry from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related alerts or indicators of compromise.
+- Correlate the alert with other security telemetry from data sources like Microsoft Defender XDR or Sysmon to identify any related alerts or indicators of compromise.
 - Examine the network activity associated with the suspicious process to detect any unauthorized connections or data exfiltration attempts.
 - Consult threat intelligence sources to determine if the process executable or its behavior is associated with known malware or threat actor techniques.
 - If necessary, isolate the affected system to prevent further potential malicious activity and conduct a deeper forensic analysis.
@@ -68,7 +68,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Resources: Investigation Guide",
diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml
index bd7519885..049b7174f 100644
--- a/rules/windows/defense_evasion_via_filter_manager.toml
+++ b/rules/windows/defense_evasion_via_filter_manager.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "m365_defender", "system", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2026/04/07"
 [transform]
 [[transform.osquery]]
@@ -113,7 +113,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Windows Security Event Logs",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml b/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml
index 2d1d79edb..5347f7437 100644
--- a/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml
+++ b/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/28"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -66,7 +66,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
 ]
diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml
index 61fdcc336..0ff8b519b 100644
--- a/rules/windows/defense_evasion_workfolders_control_execution.toml
+++ b/rules/windows/defense_evasion_workfolders_control_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/03/02"
 integration = ["windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -71,7 +71,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/defense_evasion_wsl_bash_exec.toml b/rules/windows/defense_evasion_wsl_bash_exec.toml
index 42ba25c63..71521ac69 100644
--- a/rules/windows/defense_evasion_wsl_bash_exec.toml
+++ b/rules/windows/defense_evasion_wsl_bash_exec.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/13"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -37,7 +37,7 @@ Windows Subsystem for Linux (WSL) allows users to run Linux binaries natively on
 - Investigate the parent-child process relationship, especially focusing on whether wsl.exe is the parent process and if it has spawned any unexpected child processes that are not wslhost.exe.
 - Examine the command-line arguments used with wsl.exe for any suspicious or unauthorized commands, such as accessing sensitive files like /etc/shadow or /etc/passwd, or using network tools like curl.
 - Check the user's activity history and system logs to identify any patterns of behavior that might indicate misuse or compromise, particularly focusing on any deviations from typical usage patterns.
-- Correlate the alert with other security events or logs from data sources like Elastic Endgame, Microsoft Defender for Endpoint, or Sysmon to gather additional context and determine if this is part of a broader attack or isolated incident.
+- Correlate the alert with other security events or logs from data sources like Elastic Endgame, Microsoft Defender XDR, or Sysmon to gather additional context and determine if this is part of a broader attack or isolated incident.
 ### False positive analysis
@@ -72,7 +72,7 @@ tags = [
 "Tactic: Defense Evasion",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Resources: Investigation Guide",
diff --git a/rules/windows/defense_evasion_wsl_child_process.toml b/rules/windows/defense_evasion_wsl_child_process.toml
index 0cf2a79e5..4afbf6335 100644
--- a/rules/windows/defense_evasion_wsl_child_process.toml
+++ b/rules/windows/defense_evasion_wsl_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/04/10"
+updated_date = "2026/04/20"
 [rule]
 author = ["Elastic"]
@@ -40,7 +40,7 @@ Windows Subsystem for Linux (WSL) allows users to run Linux binaries natively on
 - Investigate the parent process, specifically wsl.exe or wslhost.exe, to understand how the execution was initiated and if it aligns with expected user behavior or scheduled tasks.
 - Check the user account associated with the process execution to verify if the activity is consistent with the user's typical behavior or if the account may have been compromised.
 - Analyze the event dataset, especially if it is from crowdstrike.fdr, to gather additional context about the process execution and any related activities on the host.
-- Correlate the alert with other security events or logs from data sources like Microsoft Defender for Endpoint or SentinelOne to identify any related suspicious activities or patterns.
+- Correlate the alert with other security events or logs from data sources like Microsoft Defender XDR or SentinelOne to identify any related suspicious activities or patterns.
 - Assess the risk score and severity in the context of the organization's environment to prioritize the investigation and response actions accordingly.
 ### False positive analysis
@@ -72,7 +72,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
 "Resources: Investigation Guide",
diff --git a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
index f210bf69d..0a55830ff 100644
--- a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
+++ b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/13"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/30"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/defense_evasion_wsl_kalilinux.toml b/rules/windows/defense_evasion_wsl_kalilinux.toml
index d8753675b..cac107a18 100644
--- a/rules/windows/defense_evasion_wsl_kalilinux.toml
+++ b/rules/windows/defense_evasion_wsl_kalilinux.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,7 @@ Windows Subsystem for Linux (WSL) allows users to run Linux distributions on Win
 - Review the process details to confirm the presence of "wsl.exe" with arguments indicating an attempt to install or use Kali Linux, such as "-d", "--distribution", "-i", or "--install".
 - Check the file paths associated with the Kali Linux installation, such as "?:\\Users\\*\\AppData\\Local\\packages\\kalilinux*" or "?:\\Program Files*\\WindowsApps\\KaliLinux.*\\kali.exe", to verify if the installation files exist on the system.
 - Investigate the user account associated with the process to determine if the activity aligns with their typical behavior or if it appears suspicious.
-- Correlate the event with other security logs or alerts from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or patterns.
+- Correlate the event with other security logs or alerts from data sources like Microsoft Defender XDR or Sysmon to identify any related suspicious activities or patterns.
 - Assess the risk and impact of the detected activity by considering the context of the environment and any potential threats posed by the use of Kali Linux on the system.
 ### False positive analysis
@@ -58,7 +58,7 @@ Windows Subsystem for Linux (WSL) allows users to run Linux distributions on Win
 - Conduct a thorough review of user accounts and permissions on the affected system to ensure no unauthorized access or privilege escalation has occurred.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement additional monitoring and alerting for similar activities across the network, focusing on WSL usage and installation attempts of known penetration testing tools.
-- Review and update endpoint protection configurations to enhance detection and prevention capabilities against similar threats, leveraging data sources like Microsoft Defender for Endpoint and Sysmon."""
+- Review and update endpoint protection configurations to enhance detection and prevention capabilities against similar threats, leveraging data sources like Microsoft Defender XDR and Sysmon."""
 references = ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"]
 risk_score = 73
 rule_id = "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e"
@@ -71,7 +71,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/defense_evasion_wsl_registry_modification.toml b/rules/windows/defense_evasion_wsl_registry_modification.toml
index 2e219f30e..df5373526 100644
--- a/rules/windows/defense_evasion_wsl_registry_modification.toml
+++ b/rules/windows/defense_evasion_wsl_registry_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -72,7 +72,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
 "Resources: Investigation Guide",
diff --git a/rules/windows/discovery_ad_explorer_execution.toml b/rules/windows/discovery_ad_explorer_execution.toml
index 52e76151a..1711cf657 100644
--- a/rules/windows/discovery_ad_explorer_execution.toml
+++ b/rules/windows/discovery_ad_explorer_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/09/01"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/01"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -67,7 +67,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml
index 154f03672..744bee44e 100644
--- a/rules/windows/discovery_adfind_command_activity.toml
+++ b/rules/windows/discovery_adfind_command_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,7 @@ tags = [
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Crowdstrike",
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
index 79c6b4eb5..60d3e9259 100644
--- a/rules/windows/discovery_admin_recon.toml
+++ b/rules/windows/discovery_admin_recon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows", "system", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -67,7 +67,7 @@ tags = [
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
index 885e2d7cf..90e5b2080 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/27"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,7 @@ tags = [
  "Resources: Investigation Guide",
  "Data Source: Elastic Defend",
  "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Crowdstrike",
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
index 967492d0e..b8a3e0757 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/05/31"
 integration = ["endpoint", "windows", "system", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/04/10"
+updated_date = "2026/04/20"
 
 [rule]
 author = ["Elastic"]
@@ -78,7 +78,7 @@ tags = [
  "Resources: Investigation Guide",
  "Data Source: Elastic Defend",
  "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: Crowdstrike",
  "Data Source: Sysmon",
 ]
diff --git a/rules/windows/discovery_group_policy_object_discovery.toml b/rules/windows/discovery_group_policy_object_discovery.toml
index fee2c05af..7920f7250 100644
--- a/rules/windows/discovery_group_policy_object_discovery.toml
+++ b/rules/windows/discovery_group_policy_object_discovery.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/18"
 integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -70,7 +70,7 @@ tags = [
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Crowdstrike",
diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml
index dcc46b623..54c3e18ee 100644
--- a/rules/windows/discovery_peripheral_device.toml
+++ b/rules/windows/discovery_peripheral_device.toml
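Review bot: The `updated_date` bump is not applied uniformly across this change: the nltest rule in this hunk goes from `2026/04/10` to `2026/04/20`, while the group-policy rule a few lines below (and most other files in the patch) is set to `2026/04/07`, which is earlier than the date some files already carried. Presumably `2026/04/07` is when the branch was cut and only the files that would otherwise regress were re-bumped on rebase, but the result is one commit that stamps two different revision dates on rules touched by the same edit. Using a single value — the commit date, `updated_date = "2026/04/20"` — in every file keeps the metadata consistent and avoids a future diff that looks like a stale rule being reverted.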
@@ -2,7 +2,7 @@
 creation_date = "2020/11/02"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -66,7 +66,7 @@ tags = [
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Crowdstrike",
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index 7cbfd8936..142eee109 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "system", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2026/04/10"
+updated_date = "2026/04/20"
 
 [rule]
 author = ["Elastic"]
@@ -72,7 +72,7 @@ tags = [
  "Resources: Investigation Guide",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: Sysmon",
  "Data Source: Windows Security Event Logs",
 ]
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
index 74799bd0d..4c7a0bd8b 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/14"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -40,7 +40,7 @@ SolarWinds is a widely used IT management tool that can be targeted by adversari
 - Examine the timeline of events around the process start event to identify any preceding or subsequent suspicious activities, such as unusual network connections or file modifications.
 - Check the user account associated with the process execution to determine if it aligns with expected behavior or if it indicates potential compromise or misuse.
 - Investigate the command line arguments used by the child process to assess if they contain any malicious or unexpected commands.
-- Correlate the event with other security logs and alerts from data sources like Microsoft Defender for Endpoint or Sysmon to gather additional context and identify potential patterns of malicious behavior.
+- Correlate the event with other security logs and alerts from data sources like Microsoft Defender XDR or Sysmon to gather additional context and identify potential patterns of malicious behavior.
 - Assess the system's current state for any indicators of compromise, such as unauthorized changes to system configurations or the presence of known malware signatures.
 
 ### False positive analysis
@@ -76,7 +76,7 @@ tags = [
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Crowdstrike",
diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml
index 933814648..b69aa6c39 100644
--- a/rules/windows/execution_com_object_xwizard.toml
+++ b/rules/windows/execution_com_object_xwizard.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/20"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -41,7 +41,7 @@ The Windows Component Object Model (COM) facilitates communication between softw
 - Examine the process.args field to identify any unusual or suspicious arguments, particularly looking for the "RunWizard" command and any GUIDs or patterns that may indicate malicious activity.
 - Verify the process.executable path to ensure it matches the expected system paths (C:\\Windows\\SysWOW64\\xwizard.exe or C:\\Windows\\System32\\xwizard.exe). Investigate any deviations from these paths as potential indicators of compromise.
 - Check the parent process of xwizard.exe to understand the context of its execution and identify any potentially malicious parent processes.
-- Correlate the event with other security data sources such as Microsoft Defender for Endpoint or Sysmon logs to gather additional context and identify any related suspicious activities or patterns.
+- Correlate the event with other security data sources such as Microsoft Defender XDR or Sysmon logs to gather additional context and identify any related suspicious activities or patterns.
 - Investigate the user account associated with the process execution to determine if it aligns with expected behavior or if it indicates potential unauthorized access or privilege escalation.
 
 ### False positive analysis
@@ -75,7 +75,7 @@ tags = [
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Crowdstrike",
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index 46e6569f8..05457485e 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [transform]
 [[transform.osquery]]
@@ -112,7 +112,7 @@ tags = [
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
 ]
diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml
index 3db3ebe2c..ef3479f33 100644
--- a/rules/windows/execution_command_shell_started_by_unusual_process.toml
+++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/21"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -75,7 +75,7 @@ tags = [
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml
index c0273819d..6fe9c7385 100644
--- a/rules/windows/execution_command_shell_via_rundll32.toml
+++ b/rules/windows/execution_command_shell_via_rundll32.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -68,7 +68,7 @@ tags = [
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: SentinelOne",
  "Resources: Investigation Guide",
 ]
diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml
index 5b7c76345..f66db05c1 100644
--- a/rules/windows/execution_enumeration_via_wmiprvse.toml
+++ b/rules/windows/execution_enumeration_via_wmiprvse.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -71,7 +71,7 @@ tags = [
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Crowdstrike",
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
index 51e7dee44..aa767a82b 100644
--- a/rules/windows/execution_from_unusual_path_cmdline.toml
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/30"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [transform]
 [[transform.osquery]]
@@ -118,7 +118,7 @@ tags = [
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
 ]
diff --git a/rules/windows/execution_initial_access_foxmail_exploit.toml b/rules/windows/execution_initial_access_foxmail_exploit.toml
index 084cd4eff..578c3e0b2 100644
--- a/rules/windows/execution_initial_access_foxmail_exploit.toml
+++ b/rules/windows/execution_initial_access_foxmail_exploit.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/08/29"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -40,7 +40,7 @@ Foxmail, a popular email client, can be exploited by adversaries to gain initial
 - Examine the arguments of the spawned process to verify if they point to a suspicious temporary directory, as indicated by the query pattern (e.g., paths under "?:\\Users\\*\\AppData\\*").
 - Investigate the contents of the identified temporary directory for any unusual or malicious files that may have been executed.
 - Check the email logs and Foxmail client activity to identify any recent emails that could have contained malicious attachments or links leading to the exploitation attempt.
-- Correlate the event with other security alerts or logs from data sources like Elastic Defend, Sysmon, or Microsoft Defender for Endpoint to identify any related suspicious activities or patterns.
+- Correlate the event with other security alerts or logs from data sources like Elastic Defend, Sysmon, or Microsoft Defender XDR to identify any related suspicious activities or patterns.
 - Assess the risk and impact on the affected system by determining if any unauthorized changes or additional malicious processes have been initiated following the initial alert.
 
 ### False positive analysis
@@ -75,7 +75,7 @@ tags = [
  "Data Source: Windows Security Event Logs",
  "Data Source: Elastic Endgame",
  "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: Crowdstrike",
  "Resources: Investigation Guide",
 ]
diff --git a/rules/windows/execution_initial_access_via_msc_file.toml b/rules/windows/execution_initial_access_via_msc_file.toml
index 1f7219d96..bf17a4d65 100644
--- a/rules/windows/execution_initial_access_via_msc_file.toml
+++ b/rules/windows/execution_initial_access_via_msc_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/12"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -60,7 +60,7 @@ tags = [
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/execution_mofcomp.toml b/rules/windows/execution_mofcomp.toml
index a20ec6e9a..687dbc616 100644
--- a/rules/windows/execution_mofcomp.toml
+++ b/rules/windows/execution_mofcomp.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ tags = [
  "Use Case: Threat Detection",
  "Tactic: Execution",
  "Data Source: Elastic Defend",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: Elastic Endgame",
  "Data Source: Windows Security Event Logs",
  "Data Source: Crowdstrike",
@@ -68,7 +68,7 @@ Mofcomp.exe is a tool used to compile Managed Object Format (MOF) files, which d
 - Investigate the user account associated with the process execution, especially if it is not the system account (S-1-5-18), to determine if the account has been compromised or is being misused.
 - Examine the parent process of mofcomp.exe to ensure it is not a known safe process like ScenarioEngine.exe, and assess whether the parent process is legitimate or potentially malicious.
 - Check for any recent changes or additions to the WMI repository, including new namespaces or classes, which could indicate malicious activity or persistence mechanisms.
-- Correlate the alert with other security events or logs from data sources like Microsoft Defender for Endpoint or Crowdstrike to identify any related suspicious activities or patterns.
+- Correlate the alert with other security events or logs from data sources like Microsoft Defender XDR or Crowdstrike to identify any related suspicious activities or patterns.
 
 ### False positive analysis
 
diff --git a/rules/windows/execution_nodejs_susp_patterns.toml b/rules/windows/execution_nodejs_susp_patterns.toml
index 4bdf3d086..b7d843d2f 100644
--- a/rules/windows/execution_nodejs_susp_patterns.toml
+++ b/rules/windows/execution_nodejs_susp_patterns.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/08/21"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 
@@ -39,7 +39,7 @@ tags = [
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Crowdstrike",
diff --git a/rules/windows/execution_notepad_markdown_child_process.toml b/rules/windows/execution_notepad_markdown_child_process.toml
index 13e0813ef..09e16af1c 100644
--- a/rules/windows/execution_notepad_markdown_child_process.toml
+++ b/rules/windows/execution_notepad_markdown_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/16"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -64,7 +64,7 @@ tags = [
  "Tactic: Execution",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Resources: Investigation Guide",
diff --git a/rules/windows/execution_powershell_susp_args_via_winscript.toml b/rules/windows/execution_powershell_susp_args_via_winscript.toml
index 10032c680..5caa469c2 100644
--- a/rules/windows/execution_powershell_susp_args_via_winscript.toml
+++ b/rules/windows/execution_powershell_susp_args_via_winscript.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/09"
 integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/04/10"
+updated_date = "2026/04/20"
 
 [rule]
 author = ["Elastic"]
@@ -67,7 +67,7 @@ tags = [
  "Data Source: Windows Security Event Logs",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: Elastic Endgame",
  "Data Source: Crowdstrike",
 ]
diff --git a/rules/windows/execution_scripting_remote_webdav.toml b/rules/windows/execution_scripting_remote_webdav.toml
index bc04b569d..23f001f3a 100644
--- a/rules/windows/execution_scripting_remote_webdav.toml
+++ b/rules/windows/execution_scripting_remote_webdav.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/08/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -61,7 +61,7 @@ tags = [
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Crowdstrike",
diff --git a/rules/windows/execution_scripts_archive_file.toml b/rules/windows/execution_scripts_archive_file.toml
index 5243860e9..ff434831c 100644
--- a/rules/windows/execution_scripts_archive_file.toml
+++ b/rules/windows/execution_scripts_archive_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/08/20"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 
@@ -40,7 +40,7 @@ tags = [
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Crowdstrike",
diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml
index 3c92dda7f..3ff3ee181 100644
--- a/rules/windows/execution_shared_modules_local_sxs_dll.toml
+++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/28"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -40,7 +40,7 @@ tags = [
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: SentinelOne",
  "Data Source: Crowdstrike",
  "Resources: Investigation Guide",
diff --git a/rules/windows/execution_susp_javascript_via_deno.toml b/rules/windows/execution_susp_javascript_via_deno.toml
index 97d11c507..459299b76 100644
--- a/rules/windows/execution_susp_javascript_via_deno.toml
+++ b/rules/windows/execution_susp_javascript_via_deno.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/03/19"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -61,7 +61,7 @@ tags = [
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: Crowdstrike",
  "Data Source: Elastic Endgame",
  "Data Source: Windows Security Event Logs"
diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml
index 997ab7641..90f655fa3 100644
--- a/rules/windows/execution_suspicious_cmd_wmi.toml
+++ b/rules/windows/execution_suspicious_cmd_wmi.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -75,7 +75,7 @@ tags = [
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Crowdstrike",
diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml
index 8dbb33050..5883e1c2e 100644
--- a/rules/windows/execution_suspicious_pdf_reader.toml
+++ b/rules/windows/execution_suspicious_pdf_reader.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/30"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -86,7 +86,7 @@ tags = [
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Crowdstrike",
diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml
index fc830cb9c..de5bff315 100644
--- a/rules/windows/execution_suspicious_psexesvc.toml
+++ b/rules/windows/execution_suspicious_psexesvc.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint", "windows", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -66,7 +66,7 @@ tags = [
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml
index 527d9eae4..f08930cce 100644
--- a/rules/windows/execution_via_compiled_html_file.toml
+++ b/rules/windows/execution_via_compiled_html_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [transform]
 [[transform.osquery]]
@@ -128,7 +128,7 @@ tags = [
  "Resources: Investigation Guide",
  "Data Source: Elastic Defend",
  "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Crowdstrike",
diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml
index df930dae4..ded22d9c9 100644
--- a/rules/windows/execution_via_hidden_shell_conhost.toml
+++ b/rules/windows/execution_via_hidden_shell_conhost.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -87,7 +87,7 @@ tags = [
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/execution_via_mmc_console_file_unusual_path.toml b/rules/windows/execution_via_mmc_console_file_unusual_path.toml
index 4d0567ab5..a87bee414 100644
--- a/rules/windows/execution_via_mmc_console_file_unusual_path.toml
+++ b/rules/windows/execution_via_mmc_console_file_unusual_path.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/19"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -40,7 +40,7 @@ Microsoft Management Console (MMC) is a Windows utility that provides a framewor
 - Investigate the origin of the .msc file by examining file creation and modification timestamps, and check for any recent changes or unusual activity in the directory where the file resides.
 - Analyze the user account associated with the process execution to determine if the activity aligns with their typical behavior or if it appears suspicious.
 - Check for any related alerts or logs around the same timeframe that might indicate lateral movement or other malicious activities, such as unusual network connections or file access patterns.
-- Correlate the event with other data sources mentioned in the rule, such as Microsoft Defender for Endpoint or Crowdstrike, to gather additional context or corroborating evidence of potential malicious activity.
+- Correlate the event with other data sources mentioned in the rule, such as Microsoft Defender XDR or Crowdstrike, to gather additional context or corroborating evidence of potential malicious activity.
 - Assess the risk and impact of the execution by determining if the .msc file has any known malicious signatures or if it attempts to perform unauthorized actions on the system.
 
 ### False positive analysis
@@ -71,7 +71,7 @@ tags = [
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
  "Data Source: Windows Security Event Logs",
  "Data Source: Crowdstrike",
  "Resources: Investigation Guide",
diff --git a/rules/windows/execution_windows_cmd_shell_susp_args.toml b/rules/windows/execution_windows_cmd_shell_susp_args.toml
index 7c07363db..92537b3fb 100644
--- a/rules/windows/execution_windows_cmd_shell_susp_args.toml
+++ b/rules/windows/execution_windows_cmd_shell_susp_args.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/06"
 integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/04/10"
+updated_date = "2026/04/20"
 
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,7 @@ The Windows Command Shell (cmd.exe) is a critical component for executing comman
 - Check the parent process of the cmd.exe execution to determine if it is a known benign process or if it is associated with potentially malicious activity, especially if the parent process is explorer.exe or other unusual executables.
 - Investigate the user account associated with the cmd.exe process to determine if the activity aligns with the user's typical behavior or if it appears anomalous.
 - Examine the network activity of the host to identify any unusual outbound connections or data transfers that may correlate with the suspicious command execution.
-- Cross-reference the alert with other security logs or alerts from tools like Sysmon, SentinelOne, or Microsoft Defender for Endpoint to gather additional context and corroborate findings.
+- Cross-reference the alert with other security logs or alerts from tools like Sysmon, SentinelOne, or Microsoft Defender XDR to gather additional context and corroborate findings.
 - Assess the risk score and severity of the alert to prioritize the investigation and determine if immediate response actions are necessary.
 
 ### False positive analysis
@@ -71,7 +71,7 @@ tags = [
 "Data Source: Windows Security Event Logs",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Elastic Endgame",
 "Data Source: Crowdstrike",
 ]
diff --git a/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml b/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml
index 3b73fe7f1..743d8f0b8 100644
--- a/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml
+++ b/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/08/19"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -66,7 +66,7 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Crowdstrike",
 "Resources: Investigation Guide",
 ]
diff --git a/rules/windows/execution_windows_phish_clickfix.toml b/rules/windows/execution_windows_phish_clickfix.toml
index ff9f43a3a..2af7b370c 100644
--- a/rules/windows/execution_windows_phish_clickfix.toml
+++ b/rules/windows/execution_windows_phish_clickfix.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/08/20"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -64,7 +64,7 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/execution_windows_powershell_susp_args.toml b/rules/windows/execution_windows_powershell_susp_args.toml
index 5e01365b3..e52883644 100644
--- a/rules/windows/execution_windows_powershell_susp_args.toml
+++ b/rules/windows/execution_windows_powershell_susp_args.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/06"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/04/10"
+updated_date = "2026/04/20"
 
 [rule]
 author = ["Elastic"]
@@ -72,7 +72,7 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Crowdstrike",
 "Data Source: Elastic Endgame",
 "Resources: Investigation Guide",
diff --git a/rules/windows/exfiltration_rclone_cloud_upload.toml b/rules/windows/exfiltration_rclone_cloud_upload.toml
index b66cc9b1c..e428a65ab 100644
--- a/rules/windows/exfiltration_rclone_cloud_upload.toml
+++ b/rules/windows/exfiltration_rclone_cloud_upload.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/03/18"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -66,7 +66,7 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Crowdstrike",
 "Data Source: Elastic Endgame",
 "Data Source: Windows Security Event Logs"
diff --git a/rules/windows/exfiltration_smb_rare_destination.toml b/rules/windows/exfiltration_smb_rare_destination.toml
index 5811c56fa..b3855562f 100644
--- a/rules/windows/exfiltration_smb_rare_destination.toml
+++ b/rules/windows/exfiltration_smb_rare_destination.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/12/04"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -37,7 +37,7 @@ Server Message Block (SMB) is a protocol used for sharing files and printers wit
 - Check the destination IP address to determine if it is associated with any known malicious activity or if it belongs to an external network that should not be receiving SMB traffic from internal systems.
 - Investigate the process with PID 4 on the source host, which typically corresponds to the Windows System process, to identify any unusual activity or recent changes that could indicate compromise or misuse.
 - Analyze network logs to trace the SMB traffic flow and identify any patterns or additional connections that may suggest data exfiltration attempts.
-- Correlate the alert with other security events or logs from data sources like Microsoft Defender for Endpoint or Sysmon to gather additional context and determine if this is part of a larger attack campaign.
+- Correlate the alert with other security events or logs from data sources like Microsoft Defender XDR or Sysmon to gather additional context and determine if this is part of a larger attack campaign.
 - Consult with the IT or network team to verify if there are any legitimate business reasons for the detected SMB traffic to the external network, and if not, consider blocking the connection and conducting a deeper investigation into the source host.
 
 ### False positive analysis
@@ -68,7 +68,7 @@ tags = [
 "Tactic: Exfiltration",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Resources: Investigation Guide",
diff --git a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
index 8c1e77cc3..1fed34fd2 100644
--- a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
+++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/05/09"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/impact_mod_critical_os_files.toml b/rules/windows/impact_mod_critical_os_files.toml
index 32e3b5a4c..b987e1a36 100644
--- a/rules/windows/impact_mod_critical_os_files.toml
+++ b/rules/windows/impact_mod_critical_os_files.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/09/01"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/30"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -65,7 +65,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
 ]
diff --git a/rules/windows/impact_modification_of_boot_config.toml b/rules/windows/impact_modification_of_boot_config.toml
index 14850280d..9de5d4d73 100644
--- a/rules/windows/impact_modification_of_boot_config.toml
+++ b/rules/windows/impact_modification_of_boot_config.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/16"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
index f6f73d438..b8832fcac 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -94,7 +94,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
index 39ada5349..dec362ab8 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -99,7 +99,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
index 3298b577c..0f341a491 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -95,7 +95,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/initial_access_execution_from_inetcache.toml b/rules/windows/initial_access_execution_from_inetcache.toml
index b123d9b67..d150b4e7e 100644
--- a/rules/windows/initial_access_execution_from_inetcache.toml
+++ b/rules/windows/initial_access_execution_from_inetcache.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/02/14"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -75,7 +75,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/initial_access_execution_via_office_addins.toml b/rules/windows/initial_access_execution_via_office_addins.toml
index 00b31a4d9..e7b3fc1a4 100644
--- a/rules/windows/initial_access_execution_via_office_addins.toml
+++ b/rules/windows/initial_access_execution_via_office_addins.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/03/20"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -72,7 +72,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Resources: Investigation Guide",
 ]
diff --git a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
index c85bc4e17..609a96b88 100644
--- a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
+++ b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/03/16"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -37,7 +37,7 @@ Removable devices, like USB drives, are common in Windows environments for data
 - Correlate the timestamp of the registry event with user activity logs to identify which user was logged in at the time of the device connection.
 - Check for any subsequent file access or transfer events involving the new device to assess potential data exfiltration.
 - Investigate the device's history by searching for any previous connections to other systems within the network to determine if it has been used elsewhere.
-- Analyze any related alerts or logs from data sources like Elastic Endgame, Sysmon, or Microsoft Defender for Endpoint for additional context or suspicious activities linked to the device.
+- Analyze any related alerts or logs from data sources like Elastic Endgame, Sysmon, or Microsoft Defender XDR for additional context or suspicious activities linked to the device.
 
 ### False positive analysis
 
@@ -72,7 +72,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Resources: Investigation Guide",
 ]
diff --git a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
index 9acaecc40..9e0086590 100644
--- a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
+++ b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/03/24"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/30"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -45,7 +45,7 @@ JetBrains TeamCity is a continuous integration and deployment server used to aut
 - Examine the command-line arguments of the suspicious child processes, especially those involving "cmd.exe" or "powershell.exe", to understand the actions being executed.
 - Check for any recent vulnerabilities or patches related to JetBrains TeamCity that might explain the suspicious behavior.
 - Investigate the user account under which the suspicious processes were executed to determine if it aligns with expected usage patterns or if it indicates potential compromise.
-- Correlate the alert with other security events or logs from data sources like Sysmon or Microsoft Defender for Endpoint to identify any related malicious activity or indicators of compromise.
+- Correlate the alert with other security events or logs from data sources like Sysmon or Microsoft Defender XDR to identify any related malicious activity or indicators of compromise.
 - Assess network activity from the host to detect any unusual outbound connections that might suggest data exfiltration or communication with a command and control server.
 
 ### False positive analysis
@@ -79,7 +79,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Use Case: Vulnerability",
 "Data Source: Elastic Defend",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Windows Security Event Logs",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/initial_access_rdp_file_mail_attachment.toml b/rules/windows/initial_access_rdp_file_mail_attachment.toml
index 9e6429272..7c15a80be 100644
--- a/rules/windows/initial_access_rdp_file_mail_attachment.toml
+++ b/rules/windows/initial_access_rdp_file_mail_attachment.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/05"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml
index 7ea7e0e73..13ed459c8 100644
--- a/rules/windows/initial_access_script_executing_powershell.toml
+++ b/rules/windows/initial_access_script_executing_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -86,7 +86,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
index 1d9ac75ee..e31fab6d2 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/03/04"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -58,7 +58,7 @@ tags = [
 "Use Case: Vulnerability",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Resources: Investigation Guide",
 ]
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
index 00f178cfb..29ab929ca 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/03/04"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/28"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -46,7 +46,7 @@ Microsoft Exchange Server's Unified Messaging (UM) integrates voice messaging wi
 - Gather additional context by checking the process command line arguments and the user account under which the suspicious process was executed to identify any anomalies or unauthorized access.
 - Investigate the historical activity of the host by reviewing recent logs for any other unusual or unauthorized processes, especially those related to the Microsoft Exchange Server.
 - Check for any recent patches or updates applied to the Microsoft Exchange Server to ensure that vulnerabilities like CVE-2021-26857 have been addressed.
-- Correlate the alert with other security tools and data sources such as Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or indicators of compromise.
+- Correlate the alert with other security tools and data sources such as Microsoft Defender XDR or Sysmon to identify any related suspicious activities or indicators of compromise.
 - Assess the network activity from the host to detect any potential lateral movement or data exfiltration attempts that might be associated with the suspicious process.
 
 ### False positive analysis
@@ -83,7 +83,7 @@ tags = [
 "Use Case: Vulnerability",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
index d6fed06ce..d78fd8dc0 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/03/08"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -38,7 +38,7 @@ Microsoft Exchange Server uses the worker process (w3wp.exe) to handle web reque
 - Investigate the timeline of events leading up to the alert, including any preceding or subsequent processes, to understand the context and potential impact of the suspicious activity.
 - Check for any associated network activity or connections initiated by the suspicious processes to identify potential data exfiltration or communication with external command and control servers.
 - Review recent changes or access logs on the affected Exchange server to identify any unauthorized access attempts or modifications that could indicate exploitation or the presence of a web shell.
-- Correlate the alert with other security events or logs from data sources like Elastic Endgame, Elastic Defend, Sysmon, Microsoft Defender for Endpoint, or SentinelOne to gather additional context and corroborate findings.
+- Correlate the alert with other security events or logs from data sources like Elastic Endgame, Elastic Defend, Sysmon, Microsoft Defender XDR, or SentinelOne to gather additional context and corroborate findings.
 - Assess the risk and impact of the detected activity, considering the severity and risk score, and determine appropriate response actions, such as isolating the affected system or conducting a deeper forensic analysis.
 
 ### False positive analysis
@@ -75,7 +75,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Resources: Investigation Guide",
 ]
diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
index de4be6c22..9ceb4c48b 100644
--- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -88,7 +88,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
index 964b692c4..9805ae01f 100644
--- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -86,7 +86,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Windows Security Event Logs",
 "Data Source: Crowdstrike",
 "Data Source: Sysmon",
diff --git a/rules/windows/initial_access_suspicious_windows_server_update_svc.toml b/rules/windows/initial_access_suspicious_windows_server_update_svc.toml
index 051751faf..d3204de1f 100644
--- a/rules/windows/initial_access_suspicious_windows_server_update_svc.toml
+++ b/rules/windows/initial_access_suspicious_windows_server_update_svc.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/10/24"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ note = """## Triage and analysis
 - Investigate the timeline of events leading up to the alert, including any preceding or subsequent processes, to understand the context and potential impact of the suspicious activity.
 - Check for any associated network activity or connections initiated by the suspicious processes to identify potential data exfiltration or communication with external command and control servers.
 - Review recent changes or access logs on the affected server to identify any unauthorized access attempts or modifications that could indicate exploitation or the presence of a web shell.
-- Correlate the alert with other security events or logs from data sources like Elastic Endgame, Elastic Defend, Sysmon, Microsoft Defender for Endpoint, or SentinelOne to gather additional context and corroborate findings.
+- Correlate the alert with other security events or logs from data sources like Elastic Endgame, Elastic Defend, Sysmon, Microsoft Defender XDR, or SentinelOne to gather additional context and corroborate findings.
 - Assess the risk and impact of the detected activity, considering the severity and risk score, and determine appropriate response actions, such as isolating the affected system or conducting a deeper forensic analysis.
 
 ### False positive analysis
@@ -67,7 +67,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Resources: Investigation Guide",
 ]
diff --git a/rules/windows/initial_access_url_cve_2025_33053.toml b/rules/windows/initial_access_url_cve_2025_33053.toml
index 6f022a55f..e83f5c2c6 100644
--- a/rules/windows/initial_access_url_cve_2025_33053.toml
+++ b/rules/windows/initial_access_url_cve_2025_33053.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/11"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -61,7 +61,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Resources: Investigation Guide",
 ]
diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
index 123281bc7..535c62c43 100644
--- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
+++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/29"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -36,7 +36,7 @@ Windows Explorer, a core component of the Windows OS, manages file and folder na
 - Review the process details to confirm the suspicious child process was indeed started by explorer.exe with the specific parent arguments indicating DCOM usage, such as "-Embedding".
 - Check the process command line arguments and execution context to identify any potentially malicious scripts or commands being executed by the child process.
 - Investigate the parent process explorer.exe to determine if it was started by a legitimate user action or if there are signs of compromise, such as unusual user activity or recent phishing attempts.
-- Correlate the event with other security logs or alerts from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or patterns.
+- Correlate the event with other security logs or alerts from data sources like Microsoft Defender XDR or Sysmon to identify any related suspicious activities or patterns.
 - Examine the network activity associated with the suspicious process to detect any unauthorized data exfiltration or communication with known malicious IP addresses.
 - Assess the system for any additional indicators of compromise, such as unexpected changes in system files or registry keys, which might suggest a broader attack.
 
@@ -70,7 +70,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Resources: Investigation Guide",
 ]
diff --git a/rules/windows/initial_access_webshell_screenconnect_server.toml b/rules/windows/initial_access_webshell_screenconnect_server.toml
index 261f57864..61a539319 100644
--- a/rules/windows/initial_access_webshell_screenconnect_server.toml
+++ b/rules/windows/initial_access_webshell_screenconnect_server.toml
@@ -2,7 +2,7 @@ creation_date = "2024/03/26" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -74,7 +74,7 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide", diff --git a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml index 6ddfe3c7e..6a52a0875 100644 --- a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml +++ b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/22" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -73,7 +73,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide", diff --git a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml index d761b1752..308784a35 100644 --- a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml +++ b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/04/12" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/30" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -40,7 +40,7 @@ Remote Desktop Shadowing allows administrators to view or control active RDP ses - Check for any instances of "mstsc.exe" being executed with the "/shadow:*" argument, as this could signify an attempt to shadow an RDP session. - Correlate the identified processes and registry changes with user activity logs to determine if the actions were authorized or expected as part of legitimate administrative tasks. - Analyze network logs for any unusual remote connections or lateral movement patterns that coincide with the timing of the detected shadowing activity. -- Consult endpoint security solutions like Microsoft Defender for Endpoint or SentinelOne for additional context or alerts related to the same host or user account involved in the shadowing activity. +- Consult endpoint security solutions like Microsoft Defender XDR or SentinelOne for additional context or alerts related to the same host or user account involved in the shadowing activity. ### False positive analysis @@ -73,7 +73,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Resources: Investigation Guide", ] diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml index 002889aff..9db7bdce8 100644 --- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml +++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml 
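Review bot: In the `-40,7` hunk the investigation bullet now reads "endpoint security solutions like Microsoft Defender XDR or SentinelOne", but Defender XDR is the cross-product portal/correlation layer, not an endpoint agent, so the sentence no longer matches the category it names; the `Data Source:` tag rename in the `-73,7` hunk is a different thing and is fine. This looks like a blanket search-and-replace reaching into prose. I would either keep the endpoint product in this sentence, `- Consult endpoint security solutions like Microsoft Defender for Endpoint or SentinelOne for additional context or alerts related to the same host or user account involved in the shadowing activity.`, or reword it to name the console rather than the agent, e.g. `- Consult the endpoint and XDR consoles (Microsoft Defender XDR, SentinelOne) for additional context or alerts related to the same host or user account involved in the shadowing activity.`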
@@ -2,7 +2,7 @@ creation_date = "2020/11/11" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -41,7 +41,7 @@ The TSClient mountpoint is a feature of the Remote Desktop Protocol (RDP) that a - Examine the executed process's hash and compare it against known malicious hashes in threat intelligence databases to determine if the file is potentially harmful. - Investigate the source system from which the RDP session originated to identify any signs of compromise or unauthorized access that could indicate lateral movement. - Check for any additional suspicious activities on the target host, such as unexpected network connections or file modifications, that may correlate with the execution event. -- Review the security logs from data sources like Microsoft Defender for Endpoint or Sysmon for any related alerts or anomalies that could provide further context on the incident. +- Review the security logs from data sources like Microsoft Defender XDR or Sysmon for any related alerts or anomalies that could provide further context on the incident. ### False positive analysis @@ -75,7 +75,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml index 3352383eb..800d44c0d 100644 --- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml +++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/02" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -71,7 +71,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml index 76936f155..bb3961a1d 100644 --- a/rules/windows/lateral_movement_rdp_enabled_registry.toml +++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/25" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -72,7 +72,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Data Source: Crowdstrike", ] diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml index 75ea925db..54982018f 100644 --- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml +++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/04" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Elastic"] 
@@ -72,7 +72,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/lateral_movement_unusual_dns_service_children.toml b/rules/windows/lateral_movement_unusual_dns_service_children.toml index 4ee2d91cf..e6c4ac622 100644 --- a/rules/windows/lateral_movement_unusual_dns_service_children.toml +++ b/rules/windows/lateral_movement_unusual_dns_service_children.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/16" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -87,7 +87,7 @@ tags = [ "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml index f02efb407..3897f215a 100644 --- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml +++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Elastic"] 
@@ -38,7 +38,7 @@ The Windows Startup folder is a mechanism that allows programs to run automatica - Investigate the origin of the remote connection by examining network logs or RDP session logs to identify the source IP address and user account involved in the connection. - Analyze the newly created or modified file in the Startup folder for malicious characteristics, such as unusual file names, unexpected file types, or known malware signatures, using antivirus or sandbox analysis tools. - Review user account activity and permissions to determine if the account associated with the process has been compromised or is being misused for unauthorized access. -- Correlate this event with other security alerts or logs from data sources like Sysmon, Microsoft Defender for Endpoint, or SentinelOne to identify any related suspicious activities or patterns indicating lateral movement attempts. +- Correlate this event with other security alerts or logs from data sources like Sysmon, Microsoft Defender XDR, or SentinelOne to identify any related suspicious activities or patterns indicating lateral movement attempts. ### False positive analysis @@ -71,7 +71,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Resources: Investigation Guide", ] diff --git a/rules/windows/lateral_movement_via_wsus_update.toml b/rules/windows/lateral_movement_via_wsus_update.toml index dddccbfc9..3a0776e2c 100644 --- a/rules/windows/lateral_movement_via_wsus_update.toml +++ b/rules/windows/lateral_movement_via_wsus_update.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/19" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Elastic"] 
@@ -40,7 +40,7 @@ Windows Server Update Services (WSUS) is a system that manages updates for Micro - Examine the process execution path to verify if it matches the specified directories: "?:\\Windows\\SoftwareDistribution\\Download\\Install\\*" or "\\Device\\HarddiskVolume?\\Windows\\SoftwareDistribution\\Download\\Install\\*". - Investigate the source and destination hosts involved in the alert to determine if there are any unauthorized or unexpected connections, focusing on potential lateral movement activities. - Check the timeline of events leading up to and following the alert to identify any other suspicious activities or patterns that may indicate a broader attack. -- Correlate the alert with other security logs and alerts from data sources like Elastic Endgame, Sysmon, or Microsoft Defender for Endpoint to gather additional context and confirm the legitimacy of the activity. +- Correlate the alert with other security logs and alerts from data sources like Elastic Endgame, Sysmon, or Microsoft Defender XDR to gather additional context and confirm the legitimacy of the activity. - Assess the user accounts involved in the process execution to ensure they are legitimate and have not been compromised, paying attention to any anomalies in user behavior or access patterns. ### False positive analysis @@ -72,7 +72,7 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Windows Security Event Logs", "Data Source: Crowdstrike", "Resources: Investigation Guide", diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml index 06021e79c..8b33c86de 100644 --- a/rules/windows/persistence_adobe_hijack_persistence.toml +++ b/rules/windows/persistence_adobe_hijack_persistence.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/04/07" [transform] [[transform.osquery]] @@ -109,7 +109,7 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml index c99c0974d..36a7a5f35 100644 --- a/rules/windows/persistence_app_compat_shim.toml +++ b/rules/windows/persistence_app_compat_shim.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -68,7 +68,7 @@ tags = [ "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Data Source: Elastic Endgame", "Data Source: Crowdstrike", diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml index 7cad22546..28d420a8c 100644 --- a/rules/windows/persistence_appcertdlls_registry.toml +++ b/rules/windows/persistence_appcertdlls_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/04/07" [rule] author = ["Elastic"] 
@@ -71,7 +71,7 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Crowdstrike", "Resources: Investigation Guide", ] diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml index 350bb9b90..a1e30ff2c 100644 --- a/rules/windows/persistence_appinitdlls_registry.toml +++ b/rules/windows/persistence_appinitdlls_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/28" +updated_date = "2026/04/07" [transform] [[transform.osquery]] @@ -126,7 +126,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Data Source: Crowdstrike", ] diff --git a/rules/windows/persistence_browser_extension_install.toml b/rules/windows/persistence_browser_extension_install.toml index 5b2e32e97..ca8eabc30 100644 --- a/rules/windows/persistence_browser_extension_install.toml +++ b/rules/windows/persistence_browser_extension_install.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/22" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -68,7 +68,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: SentinelOne", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" 
diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml index e51958ef4..9966cc7f7 100644 --- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml +++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -67,7 +67,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Data Source: Crowdstrike", ] diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml index cdf2e8f62..e2b2bd655 100644 --- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml +++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -72,7 +72,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide", diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml index 078d2f215..7fdd50905 100644 
--- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml +++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/15" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/04/07" [transform] [[transform.osquery]] @@ -118,7 +118,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Data Source: Crowdstrike", ] diff --git a/rules/windows/persistence_local_scheduled_job_creation.toml b/rules/windows/persistence_local_scheduled_job_creation.toml index e06210688..090c2db53 100644 --- a/rules/windows/persistence_local_scheduled_job_creation.toml +++ b/rules/windows/persistence_local_scheduled_job_creation.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/15" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/04/07" [rule] author = ["Elastic"] 
@@ -38,7 +38,7 @@ Scheduled jobs in Windows environments allow tasks to be automated by executing - Examine the process executable path to determine if the job creation is associated with any known legitimate processes, such as CCleaner or ManageEngine, which are excluded in the detection rule. - Investigate the origin of the process that created the scheduled job by checking the process execution history and command line arguments to identify any potentially malicious behavior. - Analyze the scheduled job's content and associated scripts or programs to identify any suspicious or unauthorized code that may indicate malicious intent. -- Correlate the event with other security logs and alerts from data sources like Elastic Endgame, Sysmon, or Microsoft Defender for Endpoint to gather additional context and identify any related malicious activity. +- Correlate the event with other security logs and alerts from data sources like Elastic Endgame, Sysmon, or Microsoft Defender XDR to gather additional context and identify any related malicious activity. - Assess the risk and impact of the scheduled job by determining if it aligns with known adversary tactics, techniques, and procedures (TTPs) related to persistence, as outlined in the MITRE ATT&CK framework. ### False positive analysis @@ -69,7 +69,7 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml index cdc8c0467..aaca7e367 100644 --- a/rules/windows/persistence_ms_office_addins_file.toml +++ b/rules/windows/persistence_ms_office_addins_file.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/10/16" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -51,7 +51,7 @@ Microsoft Office AddIns enhance productivity by allowing custom functionalities - Isolate the affected endpoint from the network to prevent further spread of the potential threat. - Terminate any suspicious Microsoft Office processes that may be running add-ins from the identified directories. - Remove the malicious add-in files from the specified startup directories: "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\", "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\", and "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\". -- Conduct a full antivirus and antimalware scan on the affected system using tools like Microsoft Defender for Endpoint to ensure no other malicious files are present. +- Conduct a full antivirus and antimalware scan on the affected system using tools like Microsoft Defender XDR to ensure no other malicious files are present. - Review and restore any altered system configurations or settings to their default state to ensure system integrity. - Monitor the affected system and network for any signs of re-infection or related suspicious activity, using enhanced logging and alerting mechanisms. - Escalate the incident to the security operations center (SOC) or relevant IT security team for further analysis and to determine if additional systems are affected.""" @@ -67,7 +67,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide", 
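Review bot: The rename in the `-51,7` hunk changes the meaning of a remediation step rather than a tag: the bullet instructs the analyst to run a full antivirus/antimalware scan "using tools like Microsoft Defender XDR", but Defender XDR is the incident and correlation suite, and the on-host scan is performed by Microsoft Defender Antivirus via Defender for Endpoint, which is what the original text pointed at. The `Data Source:` rename in the `-67,7` hunk is correct; this prose line appears to have been caught by a mechanical find-and-replace. I would keep the endpoint product in the remediation guidance: `- Conduct a full antivirus and antimalware scan on the affected system using tools like Microsoft Defender for Endpoint (Defender Antivirus) to ensure no other malicious files are present.` It is worth grepping the other investigation guides touched by this commit for the same "scan ... using tools like" phrasing.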
diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml index a509c414c..a3ad58f7d 100644 --- a/rules/windows/persistence_ms_outlook_vba_template.toml +++ b/rules/windows/persistence_ms_outlook_vba_template.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -37,7 +37,7 @@ Microsoft Outlook supports VBA scripting to automate tasks, which can be exploit - Identify the user account associated with the file path to understand which user profile was potentially compromised. - Investigate recent login activities and processes executed by the identified user to detect any anomalies or unauthorized access. - Examine the contents of the VbaProject.OTM file for any suspicious or unfamiliar VBA scripts that could indicate malicious intent. -- Correlate the findings with other data sources such as Sysmon, Microsoft Defender for Endpoint, or SentinelOne to gather additional context or related events. +- Correlate the findings with other data sources such as Sysmon, Microsoft Defender XDR, or SentinelOne to gather additional context or related events. - Assess the risk and impact of the detected activity and determine if further containment or remediation actions are necessary. ### False positive analysis 
@@ -54,7 +54,7 @@ Microsoft Outlook supports VBA scripting to automate tasks, which can be exploit - Terminate any suspicious Outlook processes on the affected machine to stop the execution of potentially harmful scripts. - Remove the unauthorized or malicious VbaProject.OTM file from the affected user's Outlook directory to eliminate the persistence mechanism. - Restore the VbaProject.OTM file from a known good backup if available, ensuring that it is free from any unauthorized modifications. -- Conduct a full antivirus and antimalware scan on the affected endpoint using tools like Microsoft Defender for Endpoint to identify and remove any additional threats. +- Conduct a full antivirus and antimalware scan on the affected endpoint using tools like Microsoft Defender XDR to identify and remove any additional threats. - Review and update endpoint security policies to restrict unauthorized modifications to Outlook VBA files, leveraging application whitelisting or similar controls. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network.""" references = [ @@ -72,7 +72,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Resources: Investigation Guide", diff --git a/rules/windows/persistence_msoffice_startup_registry.toml b/rules/windows/persistence_msoffice_startup_registry.toml index 6be85a0e7..1832880f1 100644 --- a/rules/windows/persistence_msoffice_startup_registry.toml +++ b/rules/windows/persistence_msoffice_startup_registry.toml 
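Review bot: Same issue as the Office add-ins rule: the `-54,7` hunk rewrites a response step to say "Conduct a full antivirus and antimalware scan on the affected endpoint using tools like Microsoft Defender XDR", but the scan is executed on the host by Microsoft Defender Antivirus through Defender for Endpoint, not by the XDR portal, so the new wording points the responder at the wrong layer. The tag change in the `-72,7` hunk is fine and can stay. I would restore the endpoint product in this bullet: `- Conduct a full antivirus and antimalware scan on the affected endpoint using tools like Microsoft Defender for Endpoint (Defender Antivirus) to identify and remove any additional threats.` The rule's investigation guide string starts before this hunk, so the surrounding context is not visible here.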
@@ -2,7 +2,7 @@ creation_date = "2023/08/22" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "windows"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/04/07" [rule] author = ["Elastic"] @@ -71,7 +71,7 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Data Source: Crowdstrike", "Data Source: Sysmon", diff --git a/rules/windows/persistence_netsh_helper_dll.toml b/rules/windows/persistence_netsh_helper_dll.toml index ea1754b71..75557b135 100644 --- a/rules/windows/persistence_netsh_helper_dll.toml +++ b/rules/windows/persistence_netsh_helper_dll.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/04/07" [rule] author = ["Elastic"] 
@@ -38,7 +38,7 @@ Netsh, a command-line utility in Windows, allows for network configuration and d - Check the timestamp of the registry change event to determine when the modification occurred and correlate it with any other suspicious activities or events on the system. - Investigate the origin of the DLL file by examining its properties, such as the file path, creation date, and digital signature, to assess its legitimacy. - Analyze recent user activity and scheduled tasks to identify any potential execution of netsh.exe that could have triggered the malicious DLL. -- Cross-reference the alert with other security logs and alerts from data sources like Microsoft Defender for Endpoint or Sysmon to gather additional context and identify any related threats or indicators of compromise. +- Cross-reference the alert with other security logs and alerts from data sources like Microsoft Defender XDR or Sysmon to gather additional context and identify any related threats or indicators of compromise. ### False positive analysis @@ -66,7 +66,7 @@ tags = [ "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: SentinelOne", "Data Source: Sysmon", "Data Source: Crowdstrike", diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml index 289233277..f33794f95 100644 --- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml +++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/15" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/07" [rule] author = ["Elastic"] 
@@ -42,7 +42,7 @@ ActiveSync is a protocol enabling mobile devices to synchronize with Exchange ma - Check the device ID added to the ActiveSyncAllowedDeviceIDs list to verify if it is recognized and authorized for use within the organization. - Investigate the source IP address and host from which the PowerShell command was executed to assess if it aligns with expected administrative activity or if it originates from an unusual or suspicious location. - Review recent email access logs for the user account to identify any unusual patterns or access from unfamiliar devices that could indicate unauthorized access. -- Correlate this event with other security alerts or logs from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or patterns. +- Correlate this event with other security alerts or logs from data sources like Microsoft Defender XDR or Sysmon to identify any related suspicious activities or patterns. ### False positive analysis @@ -77,7 +77,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Windows Security Event Logs", - "Data Source: Microsoft Defender for Endpoint", + "Data Source: Microsoft Defender XDR", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Crowdstrike", diff --git a/rules/windows/persistence_powershell_profiles.toml b/rules/windows/persistence_powershell_profiles.toml index 419fec79e..1fcab6228 100644 --- a/rules/windows/persistence_powershell_profiles.toml +++ b/rules/windows/persistence_powershell_profiles.toml @@ -2,7 +2,7 @@ creation_date = "2022/10/13" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/04/07" [transform] [[transform.osquery]] 
@@ -119,7 +119,7 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
"Resources: Investigation Guide",
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
index 9cb6a3c52..d928c4e75 100644
--- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
+++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
integration = ["endpoint", "windows", "m365_defender"]
maturity = "production"
-updated_date = "2025/09/11"
+updated_date = "2026/04/07"
[transform]
[[transform.osquery]]
@@ -115,7 +115,7 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
]
timestamp_override = "event.ingested"
type = "eql"
diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml
index 4907ef082..f3bc2d9b5 100644
--- a/rules/windows/persistence_services_registry.toml
+++ b/rules/windows/persistence_services_registry.toml
@@ -2,7 +2,7 @@
creation_date = "2020/11/18"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
[rule]
author = ["Elastic"]
@@ -70,7 +70,7 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
"Data Source: SentinelOne",
"Resources: Investigation Guide",
]
diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
index 603f51367..fa13de6dc 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
@@ -2,7 +2,7 @@
creation_date = "2020/11/18"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
[transform]
[[transform.osquery]]
@@ -120,7 +120,7 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml
index 2458d4540..2130f6474 100644
--- a/rules/windows/persistence_startup_folder_scripts.toml
+++ b/rules/windows/persistence_startup_folder_scripts.toml
@@ -2,7 +2,7 @@
creation_date = "2020/11/18"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2026/03/19"
+updated_date = "2026/04/07"
[transform]
[[transform.osquery]]
@@ -120,7 +120,7 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml
index ec8cdfbd5..ccfc59f15 100644
--- a/rules/windows/persistence_suspicious_service_created_registry.toml
+++ b/rules/windows/persistence_suspicious_service_created_registry.toml
@@ -2,7 +2,7 @@
creation_date = "2020/11/23"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2026/04/07"
[rule]
author = ["Elastic"]
@@ -70,7 +70,7 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
"Resources: Investigation Guide",
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml
index a3b0b221f..9e2e849dd 100644
--- a/rules/windows/persistence_system_shells_via_services.toml
+++ b/rules/windows/persistence_system_shells_via_services.toml
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
[transform]
[[transform.osquery]]
@@ -100,7 +100,7 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
"Data Source: Windows Security Event Logs",
"Data Source: Crowdstrike",
"Data Source: Sysmon",
diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml
index 7b99257a7..24df7b73b 100644
--- a/rules/windows/persistence_time_provider_mod.toml
+++ b/rules/windows/persistence_time_provider_mod.toml
@@ -2,7 +2,7 @@
creation_date = "2021/01/19"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2026/04/07"
[transform]
[[transform.osquery]]
@@ -114,7 +114,7 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
"Resources: Investigation Guide",
diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml
index 5fff35a5c..9f0eaba79 100644
--- a/rules/windows/persistence_user_account_creation.toml
+++ b/rules/windows/persistence_user_account_creation.toml
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
[rule]
author = ["Elastic"]
@@ -70,7 +70,7 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml
index 1fb717e1a..201a62212 100644
--- a/rules/windows/persistence_via_application_shimming.toml
+++ b/rules/windows/persistence_via_application_shimming.toml
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2026/04/07"
[rule]
author = ["Elastic"]
@@ -42,7 +42,7 @@ Application shimming is a Windows feature designed to ensure software compatibil
- Check the timeline of events around the execution of sdbinst.exe to identify any related or preceding suspicious activities, such as unusual file modifications or network connections.
- Analyze the user account associated with the execution of sdbinst.exe to verify if it is a legitimate user and if there are any signs of account compromise.
- Examine the system for any newly installed or modified application compatibility databases (.sdb files) that could be associated with the suspicious execution of sdbinst.exe.
-- Correlate the alert with other security tools and logs, such as Microsoft Defender for Endpoint or Sysmon, to gather additional context and confirm the presence of malicious activity.
+- Correlate the alert with other security tools and logs, such as Microsoft Defender XDR or Sysmon, to gather additional context and confirm the presence of malicious activity.
### False positive analysis
@@ -72,7 +72,7 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
diff --git a/rules/windows/persistence_via_bits_job_notify_command.toml b/rules/windows/persistence_via_bits_job_notify_command.toml
index d5ed04b00..f7da4d4c1 100644
--- a/rules/windows/persistence_via_bits_job_notify_command.toml
+++ b/rules/windows/persistence_via_bits_job_notify_command.toml
@@ -2,7 +2,7 @@
creation_date = "2021/12/04"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
[rule]
author = ["Elastic"]
@@ -77,7 +77,7 @@ tags = [
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml
index 249be5b3c..e45e326ef 100644
--- a/rules/windows/persistence_via_hidden_run_key_valuename.toml
+++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml
@@ -2,7 +2,7 @@
creation_date = "2020/11/15"
integration = ["endpoint", "windows", "crowdstrike", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
[rule]
author = ["Elastic"]
@@ -78,7 +78,7 @@ tags = [
"Data Source: Sysmon",
"Data Source: Crowdstrike",
"Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
]
timestamp_override = "event.ingested"
type = "eql"
diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
index 909fe26fa..7434f4b58 100644
--- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
+++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
@@ -2,7 +2,7 @@
creation_date = "2020/11/18"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2026/04/07"
[rule]
author = ["Elastic"]
@@ -38,7 +38,7 @@ Security Support Providers (SSPs) in Windows environments facilitate authenticat
- Investigate the process responsible for the registry modification by examining the process executable path, ensuring it is not a legitimate process like "C:\\Windows\\System32\\msiexec.exe" or "C:\\Windows\\SysWOW64\\msiexec.exe".
- Check the historical activity of the identified process to determine if it has been involved in other suspicious activities or registry changes.
- Analyze the user account context under which the process was executed to assess if it aligns with expected behavior or if it indicates potential compromise.
-- Correlate the event with other security alerts or logs from data sources such as Elastic Endgame, Elastic Defend, Sysmon, Microsoft Defender for Endpoint, or SentinelOne to gather additional context and identify any related malicious activity.
+- Correlate the event with other security alerts or logs from data sources such as Elastic Endgame, Elastic Defend, Sysmon, Microsoft Defender XDR, or SentinelOne to gather additional context and identify any related malicious activity.
- Evaluate the potential impact of the registry change on system security and persistence mechanisms, considering the MITRE ATT&CK tactic of Persistence and technique T1547.
### False positive analysis
@@ -70,7 +70,7 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
"Resources: Investigation Guide",
diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
index 5ce887dd0..15484f03b 100644
--- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
+++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
@@ -2,7 +2,7 @@
creation_date = "2020/08/17"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
[rule]
author = ["Elastic"]
@@ -40,7 +40,7 @@ The Microsoft Compatibility Appraiser, part of Windows telemetry, uses scheduled
- Examine the command-line arguments of the suspicious process to determine if they include the "-cv*" flag, which may indicate a hijack attempt.
- Check the execution history of the flagged process to see if it aligns with legitimate system activities or if it appears anomalous.
- Investigate the user account context under which the suspicious process is running to assess if it has elevated privileges or is associated with unusual user behavior.
-- Correlate the alert with other security logs and telemetry data from sources like Microsoft Defender for Endpoint or Sysmon to identify any related malicious activities or indicators of compromise.
+- Correlate the alert with other security logs and telemetry data from sources like Microsoft Defender XDR or Sysmon to identify any related malicious activities or indicators of compromise.
- Analyze any network connections initiated by the suspicious process to detect potential data exfiltration or communication with known malicious IP addresses.
- Review recent changes to scheduled tasks on the system to identify unauthorized modifications that could indicate persistence mechanisms.
@@ -73,7 +73,7 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
index 5460a9a10..b272ac39d 100644
--- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
+++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
@@ -2,7 +2,7 @@
creation_date = "2020/08/17"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"]
maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
[transform]
[[transform.osquery]]
@@ -116,7 +116,7 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
"Data Source: Sysmon",
"Data Source: Windows Security Event Logs",
"Data Source: SentinelOne",
diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
index a064ad7db..908697a05 100644
--- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
+++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
@@ -2,7 +2,7 @@
creation_date = "2020/12/04"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
[rule]
author = ["Elastic"]
@@ -41,7 +41,7 @@ Windows Management Instrumentation (WMI) is a powerful framework for managing da
- Examine the parent process of `wmic.exe` to determine how it was launched and assess whether this aligns with expected behavior or if it suggests malicious activity.
- Investigate the user account associated with the `wmic.exe` process to determine if it has the necessary privileges to create WMI event subscriptions and whether the account activity is consistent with normal operations.
- Check for any recent changes or additions to WMI event filters, consumers, or bindings on the affected system to identify unauthorized modifications that could indicate persistence mechanisms.
-- Correlate the alert with other security events or logs from data sources like Microsoft Defender for Endpoint or Sysmon to gather additional context and identify any related suspicious activities or patterns.
+- Correlate the alert with other security events or logs from data sources like Microsoft Defender XDR or Sysmon to gather additional context and identify any related suspicious activities or patterns.
### False positive analysis
@@ -72,7 +72,7 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
diff --git a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
index 848ae070e..6f80f92e6 100644
--- a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
+++ b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
@@ -2,7 +2,7 @@
creation_date = "2020/08/14"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
-updated_date = "2025/09/11"
+updated_date = "2026/04/07"
[rule]
author = ["Elastic"]
@@ -71,7 +71,7 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
diff --git a/rules/windows/persistence_web_shell_aspx_write.toml b/rules/windows/persistence_web_shell_aspx_write.toml
index 087b5183a..d2525ae6e 100644
--- a/rules/windows/persistence_web_shell_aspx_write.toml
+++ b/rules/windows/persistence_web_shell_aspx_write.toml
@@ -2,7 +2,7 @@
creation_date = "2025/07/24"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
maturity = "production"
-updated_date = "2026/01/19"
+updated_date = "2026/04/07"
[rule]
author = ["Elastic"]
@@ -75,7 +75,7 @@ tags = [
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
"Data Source: Crowdstrike",
"Resources: Investigation Guide",
]
diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml
index 133006547..fb2526b83 100644
--- a/rules/windows/persistence_webshell_detection.toml
+++ b/rules/windows/persistence_webshell_detection.toml
@@ -2,7 +2,7 @@
creation_date = "2021/08/24"
integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
[rule]
author = ["Elastic"]
@@ -90,7 +90,7 @@ tags = [
"Data Source: Elastic Defend",
"Data Source: SentinelOne",
"Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
"Data Source: Sysmon",
"Data Source: Crowdstrike",
]
diff --git a/rules/windows/persistence_werfault_reflectdebugger.toml b/rules/windows/persistence_werfault_reflectdebugger.toml
index fe4ec7548..e36e47950 100644
--- a/rules/windows/persistence_werfault_reflectdebugger.toml
+++ b/rules/windows/persistence_werfault_reflectdebugger.toml
@@ -2,7 +2,7 @@
creation_date = "2023/08/29"
integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "crowdstrike"]
maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
[rule]
author = ["Elastic"]
@@ -37,7 +37,7 @@ Werfault, the Windows Error Reporting service, can be manipulated by attackers t
- Check the timestamp of the registry change event to determine when the modification occurred and correlate it with other suspicious activities or events on the system around the same time.
- Investigate the user account or process responsible for the registry change to assess whether it is a legitimate action or potentially malicious. Look for unusual or unauthorized accounts making the change.
- Examine the system for any recent executions of Werfault with the "-pr" parameter, as this could indicate attempts to trigger the malicious payload.
-- Search for any related alerts or logs from data sources such as Elastic Endgame, Elastic Defend, Microsoft Defender for Endpoint, SentinelOne, or Sysmon that might provide additional context or corroborate the suspicious activity.
+- Search for any related alerts or logs from data sources such as Elastic Endgame, Elastic Defend, Microsoft Defender XDR, SentinelOne, or Sysmon that might provide additional context or corroborate the suspicious activity.
- Assess the system for any signs of compromise or persistence mechanisms, such as unexpected startup items, scheduled tasks, or other registry modifications that could indicate a broader attack.
### False positive analysis
@@ -67,7 +67,7 @@ tags = [
"Tactic: Persistence",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
"Data Source: SentinelOne",
"Data Source: Sysmon",
"Data Source: Crowdstrike",
diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml
index dc3a6bd37..fe72bda07 100644
--- a/rules/windows/privilege_escalation_disable_uac_registry.toml
+++ b/rules/windows/privilege_escalation_disable_uac_registry.toml
@@ -2,7 +2,7 @@
creation_date = "2021/01/20"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
[rule]
author = ["Elastic"]
@@ -90,7 +90,7 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
]
diff --git a/rules/windows/privilege_escalation_exploit_cve_202238028.toml b/rules/windows/privilege_escalation_exploit_cve_202238028.toml
index 4d153d831..8a33efd84 100644
--- a/rules/windows/privilege_escalation_exploit_cve_202238028.toml
+++ b/rules/windows/privilege_escalation_exploit_cve_202238028.toml
@@ -2,7 +2,7 @@
creation_date = "2024/04/23"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
[rule]
author = ["Elastic"]
@@ -36,7 +36,7 @@ CVE-2022-38028 targets the Windows Print Spooler service, a core component manag
- Review the alert details to confirm the presence of the file "MPDW-constraints.js" in the specified critical paths: "?:\\\\*\\\\Windows\\\\system32\\\\DriVerStoRe\\\\FiLeRePoSiToRy\\\\*\\\\MPDW-constraints.js" or "?:\\\\*\\\\Windows\\\\WinSxS\\\\amd64_microsoft-windows-printing-printtopdf_*\\\\MPDW-constraints.js".
- Check the file creation and modification timestamps to determine when the file was placed or altered in the system directories.
- Investigate the source of the file by examining recent user activity and process execution logs around the time the file appeared, focusing on any suspicious or unauthorized actions.
-- Correlate the event with other data sources such as Sysmon, Microsoft Defender for Endpoint, or SentinelOne to identify any related suspicious activities or processes that might indicate exploitation attempts.
+- Correlate the event with other data sources such as Sysmon, Microsoft Defender XDR, or SentinelOne to identify any related suspicious activities or processes that might indicate exploitation attempts.
- Assess the risk and impact by determining if the affected system has any sensitive roles or access that could be leveraged by an attacker through privilege escalation.
- If malicious activity is confirmed, initiate containment measures such as isolating the affected system and conducting a full malware scan to prevent further exploitation.
@@ -72,7 +72,7 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
"Resources: Investigation Guide",
diff --git a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
index 447985003..83884ae54 100644
--- a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
+++ b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
@@ -2,7 +2,7 @@
creation_date = "2020/08/13"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
[rule]
author = ["Elastic"]
@@ -38,7 +38,7 @@ Group Policy Objects (GPOs) are crucial for centralized management in Windows en
- Check the process that initiated the file change, ensuring it is not "C:\\\\Windows\\\\System32\\\\dfsrs.exe", which is excluded as a legitimate system process.
- Investigate the user account associated with the file modification event to determine if it has domain admin rights and assess if the activity aligns with their typical behavior or role.
- Examine recent changes in the GPO settings to identify any new or altered scheduled tasks or services that could be used for malicious purposes.
-- Correlate the event with other security logs or alerts from data sources like Elastic Endgame, Sysmon, or Microsoft Defender for Endpoint to identify any related suspicious activities or patterns.
+- Correlate the event with other security logs or alerts from data sources like Elastic Endgame, Sysmon, or Microsoft Defender XDR to identify any related suspicious activities or patterns.
- Assess the impact by identifying which domain-joined machines are affected by the GPO changes and determine if any unauthorized tasks or services have been executed.
### False positive analysis
@@ -70,7 +70,7 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
"Data Source: SentinelOne",
"Resources: Investigation Guide",
]
diff --git a/rules/windows/privilege_escalation_lsa_auth_package.toml b/rules/windows/privilege_escalation_lsa_auth_package.toml
index 24dcc87b0..baa7db7dd 100644
--- a/rules/windows/privilege_escalation_lsa_auth_package.toml
+++ b/rules/windows/privilege_escalation_lsa_auth_package.toml
@@ -2,7 +2,7 @@
creation_date = "2021/01/21"
integration = ["endpoint", "m365_defender"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/04/07"
[rule]
author = ["Elastic"]
@@ -26,7 +26,7 @@ tags = [
"Tactic: Privilege Escalation",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
diff --git a/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml b/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
index 8302d8047..e13d66699 100644
--- a/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
+++ b/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
@@ -2,7 +2,7 @@
creation_date = "2024/09/12"
integration = ["endpoint", "sentinel_one_cloud_funnel", "m365_defender", "windows"]
maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
[rule]
author = ["Elastic"]
@@ -37,7 +37,7 @@ Windows Installer (MSI) is a service used for software installation and maintena
- Check the user domain associated with the process to confirm if it matches "NT AUTHORITY", "AUTORITE NT", or "AUTORIDADE NT", which may indicate a system-level account was used.
- Investigate the parent process of the browser to determine if it was expected or if it shows signs of compromise or unusual behavior.
- Examine the timeline of events to see if an elevated process was spawned shortly after the browser accessed the Microsoft Help page, indicating potential exploitation.
-- Correlate the event with other security logs or alerts from data sources like Elastic Endgame, Sysmon, or Microsoft Defender for Endpoint to gather additional context or evidence of malicious activity.
+- Correlate the event with other security logs or alerts from data sources like Elastic Endgame, Sysmon, or Microsoft Defender XDR to gather additional context or evidence of malicious activity.
- Assess the risk and impact of the elevated process by identifying its actions and any changes made to the system, such as modifications to critical files or registry keys.
### False positive analysis
@@ -72,7 +72,7 @@ tags = [
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
index 2cfed3e66..267c8047b 100644
--- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml
+++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
@@ -2,7 +2,7 @@
creation_date = "2020/11/23"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
[transform]
[[transform.osquery]]
@@ -118,7 +118,7 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
diff --git a/rules/windows/privilege_escalation_port_monitor_print_processor_abuse.toml b/rules/windows/privilege_escalation_port_monitor_print_processor_abuse.toml
index e4d788cb9..5312efa7e 100644
--- a/rules/windows/privilege_escalation_port_monitor_print_processor_abuse.toml
+++ b/rules/windows/privilege_escalation_port_monitor_print_processor_abuse.toml
@@ -2,7 +2,7 @@
creation_date = "2021/01/21"
integration = ["endpoint", "m365_defender"]
maturity = "production"
-updated_date = "2026/02/25"
+updated_date = "2026/04/07"
[rule]
author = ["Elastic"]
@@ -27,7 +27,7 @@ tags = [
"Tactic: Privilege Escalation",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
diff --git a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
index e1aae601b..fb6fb248e 100644
--- a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
+++ b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/26"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,7 @@ tags = [
 "Data Source: Sysmon",
 "Resources: Investigation Guide",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 ]
 type = "eql"
 
diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
index 5209db6b7..b108f0ef6 100644
--- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,7 @@ tags = [
 "Use Case: Vulnerability",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Resources: Investigation Guide",
 ]
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
index 1f6466d29..667e7d725 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/06"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -43,7 +43,7 @@ The Print Spooler service in Windows manages print jobs and interactions with pr
 - Examine the process responsible for the deletion by checking the process name and its parent process to determine if it is a known legitimate process or a potentially malicious one.
 - Investigate the timeline of events around the deletion to identify any preceding or subsequent suspicious activities, such as privilege escalation attempts or unauthorized access.
 - Check for any recent vulnerabilities or exploits related to the Print Spooler service that might have been leveraged in this context.
-- Correlate the event with other security logs and alerts from data sources like Sysmon, Microsoft Defender for Endpoint, or SentinelOne to gather additional context and confirm the presence of malicious activity.
+- Correlate the event with other security logs and alerts from data sources like Sysmon, Microsoft Defender XDR, or SentinelOne to gather additional context and confirm the presence of malicious activity.
 - Assess the affected system for any signs of compromise or persistence mechanisms that may have been established following the deletion event.
 
 ### False positive analysis
@@ -75,7 +75,7 @@ tags = [
 "Use Case: Vulnerability",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Resources: Investigation Guide",
 ]
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
index baf7f5ac5..b906e9f6e 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint", "m365_defender"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2026/04/07"
 
 [transform]
 [[transform.osquery]]
@@ -107,7 +107,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Use Case: Vulnerability",
 "Data Source: Elastic Defend",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml
index 7b6d04f8e..c143191b4 100644
--- a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml
+++ b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/05"
 integration = ["endpoint", "windows", "crowdstrike", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -74,7 +74,7 @@ tags = [
 "Data Source: Crowdstrike",
 "Resources: Investigation Guide",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
index 265e44364..3f2ee2dbf 100644
--- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
+++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/26"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -71,7 +71,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
 "Resources: Investigation Guide",
diff --git a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
index cc533de6f..3ebb42ff5 100644
--- a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
+++ b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "system", "windows", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [transform]
 [[transform.osquery]]
@@ -99,7 +99,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
index 4f92ccdc7..c4ae4deaa 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/28"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -36,7 +36,7 @@ User Account Control (UAC) is a security feature in Windows designed to prevent
 - Review the process execution details to confirm the presence of ClipUp.exe running from a non-standard path, as indicated by the process.executable field not matching "C:\\Windows\\System32\\ClipUp.exe".
 - Investigate the parent process, dllhost.exe, to determine if it was legitimately initiated or if it shows signs of compromise, focusing on the process.parent.args field to verify the use of the specific COM interface CLSID: /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}.
 - Check the user account context under which ClipUp.exe was executed to assess if it aligns with expected user behavior or if it suggests unauthorized access.
-- Correlate this event with other security logs and alerts from data sources like Elastic Endgame, Elastic Defend, Sysmon, Microsoft Defender for Endpoint, or SentinelOne to identify any related suspicious activities or patterns.
+- Correlate this event with other security logs and alerts from data sources like Elastic Endgame, Elastic Defend, Sysmon, Microsoft Defender XDR, or SentinelOne to identify any related suspicious activities or patterns.
 - Examine recent changes or anomalies in system configurations or installed software that might indicate preparation for or execution of a UAC bypass attempt.
 - If available, review network activity logs for any unusual outbound connections or data exfiltration attempts following the execution of ClipUp.exe.
@@ -71,7 +71,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Resources: Investigation Guide",
 ]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
index 280063046..22dc34f4e 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/03"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -37,7 +37,7 @@ User Account Control (UAC) is a security feature in Windows designed to prevent
 - Investigate the parent process "ieinstal.exe" to determine if its execution is legitimate, checking for any unusual or unexpected usage patterns.
 - Examine the command-line arguments used by the parent process, specifically looking for the "-Embedding" argument, to understand the context of its execution.
 - Check the code signature of the suspicious process to determine if it is signed by a trusted entity, and assess the trustworthiness of the signature if present.
-- Correlate this event with other security alerts or logs from data sources like Elastic Endgame, Elastic Defend, Sysmon, Microsoft Defender for Endpoint, or SentinelOne to identify any related malicious activity.
+- Correlate this event with other security alerts or logs from data sources like Elastic Endgame, Elastic Defend, Sysmon, Microsoft Defender XDR, or SentinelOne to identify any related malicious activity.
 - Investigate the user account associated with the process to determine if there are any signs of compromise or unauthorized access attempts.
 - Assess the risk and impact of the potential UAC bypass attempt on the system and broader network, and take appropriate containment or remediation actions if necessary.
@@ -72,7 +72,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Resources: Investigation Guide",
 ]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
index cc5a3e44a..97b252aa6 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -36,7 +36,7 @@ The ICMLuaUtil Elevated COM Interface is a Windows component that facilitates Us
 - Examine the command-line arguments of the `dllhost.exe` process to confirm the presence of the suspicious `/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}` or `/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}` arguments.
 - Check for any recent changes or installations on the system that might have introduced the suspicious behavior, focusing on software that might interact with UAC settings.
 - Investigate the user account under which the `dllhost.exe` process was executed to determine if it has been compromised or if it has elevated privileges.
-- Correlate the event with other security logs or alerts from data sources like Sysmon or Microsoft Defender for Endpoint to identify any related suspicious activities or patterns.
+- Correlate the event with other security logs or alerts from data sources like Sysmon or Microsoft Defender XDR to identify any related suspicious activities or patterns.
 - Assess the network activity of the affected system around the time of the alert to detect any potential data exfiltration or communication with known malicious IP addresses.
 
 ### False positive analysis
@@ -69,7 +69,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
index 8763bfd52..a4e5b7cbf 100644
--- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/28"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -41,7 +41,7 @@ User Account Control (UAC) is a security feature in Windows that helps prevent u
 - Investigate the parent process to determine how the suspicious process was initiated and assess if it was triggered by a legitimate application or script.
 - Check the user account under which the process was executed to identify if it aligns with expected user behavior or if it indicates potential compromise.
 - Analyze recent system changes or scheduled tasks to identify any unauthorized modifications that could facilitate UAC bypass.
-- Correlate the event with other security alerts or logs from data sources like Microsoft Defender for Endpoint or Sysmon to gather additional context on the activity.
+- Correlate the event with other security alerts or logs from data sources like Microsoft Defender XDR or Sysmon to gather additional context on the activity.
 - Assess the risk and impact of the event by considering the severity and risk score, and determine if further containment or remediation actions are necessary.
 
 ### False positive analysis
@@ -74,7 +74,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
index db0e8042a..99d1e4fa5 100644
--- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/27"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/09/01"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -38,7 +38,7 @@ The IFileOperation COM interface is a Windows component used for file operations
 - Investigate the file path of the loaded DLL to ensure it does not originate from benign system paths like "C:\\Windows\\SoftwareDistribution\\" or "C:\\Windows\\WinSxS\\".
 - Analyze the parent process of "dllhost.exe" to determine how it was initiated and whether it aligns with expected behavior or indicates potential compromise.
 - Review recent system changes or installations that might have introduced the suspicious DLL, focusing on any unauthorized or unexpected software installations.
-- Correlate the event with other security logs or alerts from data sources such as Elastic Endgame, Elastic Defend, Sysmon, Microsoft Defender for Endpoint, or SentinelOne to identify any related suspicious activities or patterns.
+- Correlate the event with other security logs or alerts from data sources such as Elastic Endgame, Elastic Defend, Sysmon, Microsoft Defender XDR, or SentinelOne to identify any related suspicious activities or patterns.
 - Assess the risk and impact of the potential UAC bypass attempt and determine if further containment or remediation actions are necessary.
 
 ### False positive analysis
@@ -74,7 +74,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Resources: Investigation Guide",
 ]
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
index c9cd1c4a1..f663ebc63 100644
--- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/17"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/11"
+updated_date = "2026/04/07"
 
 [transform]
 [[transform.osquery]]
@@ -117,7 +117,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Windows Security Event Logs",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
index e8e462a1c..450e49e03 100644
--- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/26"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [transform]
 [[transform.osquery]]
@@ -118,7 +118,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
index 9afd46092..6fc59695d 100644
--- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/14"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [transform]
 [[transform.osquery]]
@@ -115,7 +115,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/privilege_escalation_unquoted_service_path.toml b/rules/windows/privilege_escalation_unquoted_service_path.toml
index bcf50e457..a9e3bdfde 100644
--- a/rules/windows/privilege_escalation_unquoted_service_path.toml
+++ b/rules/windows/privilege_escalation_unquoted_service_path.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/13"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -68,7 +68,7 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Privilege Escalation",
 "Data Source: Elastic Defend",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Data Source: Elastic Endgame",
 "Data Source: Sysmon",
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index dedb007cc..1cc48c88b 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/07"
 
 [transform]
 [[transform.osquery]]
@@ -118,7 +118,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
index ed49a3830..338d77f69 100644
--- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
+++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/06"
 integration = ["endpoint", "windows", "system", "crowdstrike", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -83,7 +83,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Crowdstrike",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Elastic Endgame",
 "Data Source: Sysmon",
 ]
diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
index 5205c3c67..da9e6ea10 100644
--- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
+++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/13"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -71,7 +71,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Resources: Investigation Guide",
 ]
diff --git a/rules_building_block/execution_mcp_server_child_process.toml b/rules_building_block/execution_mcp_server_child_process.toml
index 12629a21b..a293c6cd8 100644
--- a/rules_building_block/execution_mcp_server_child_process.toml
+++ b/rules_building_block/execution_mcp_server_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2026/02/03"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -36,7 +36,7 @@ tags = [
 "Tactic: Execution",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: SentinelOne",
 "Rule Type: BBR",
 "Domain: LLM",
diff --git a/rules_building_block/initial_access_microsoft_defender_alerts_signal.toml b/rules_building_block/initial_access_microsoft_defender_alerts_signal.toml
index 168d55055..d37cb9930 100644
--- a/rules_building_block/initial_access_microsoft_defender_alerts_signal.toml
+++ b/rules_building_block/initial_access_microsoft_defender_alerts_signal.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2026/02/20"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/02/20"
+updated_date = "2026/04/07"
 
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,7 @@ tags = [
 "Domain: Endpoint",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Microsoft Defender XDR",
 "Data Source: Microsoft Defender for Cloud Apps",
 "Data Source: Microsoft Defender for Identity",
 "Use Case: Threat Detection",
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
index ae988fb12..4316476ce 100644
--- a/tests/test_all_rules.py
+++ b/tests/test_all_rules.py
@@ -428,7 +428,7 @@ class TestRuleTags(BaseRuleTest):
 "logs-system.system*": {"all": ["Data Source: Windows System Event Logs"]},
 "logs-sentinel_one_cloud_funnel.*": {"all": ["Data Source: SentinelOne"]},
 "logs-fim.event-*": {"all": ["Data Source: File Integrity Monitoring"]},
- "logs-m365_defender.event-*": {"all": ["Data Source: Microsoft Defender for Endpoint"]},
+ "logs-m365_defender.event-*": {"all": ["Data Source: Microsoft Defender XDR"]},
 "logs-crowdstrike.fdr*": {"all": ["Data Source: Crowdstrike"]},
 }