From ba354ceff97a567b85dde1f636d5bd1c3d2c4905 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Mon, 1 Sep 2025 08:25:52 -0700
Subject: [PATCH] [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 16 (#5038)
---
 ...asion_disable_posh_scriptblocklogging.toml | 21 +++++++-----
 ...nusual_network_connection_via_dllhost.toml | 6 ++--
 ...usual_network_connection_via_rundll32.toml | 6 ++--
 ...ateral_movement_scheduled_task_target.toml | 8 +++--
 .../persistence_appinitdlls_registry.toml | 32 ++++++++++++-------
 ...ation_printspooler_registry_copyfiles.toml | 31 ++++++++++--------
 ...ion_unusual_printspooler_childprocess.toml | 27 +++++++++++++---
 7 files changed, 88 insertions(+), 43 deletions(-)
diff --git a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
index 25fd9f2d7..44663919c 100644
--- a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
+++ b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2022/01/31"
-integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/27"
+updated_date = "2025/08/28"
 [rule]
 author = ["Elastic"]
@@ -18,6 +18,7 @@ index = [
 "endgame-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -79,22 +80,26 @@ tags = [
 "Data Source: Sysmon",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 registry where host.os.type == "windows" and event.type == "change" and
- registry.path : (
- "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging",
- "\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging",
- "MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging"
- ) and registry.data.strings : ("0", "0x00000000") and
+ registry.value : "EnableScriptBlockLogging" and
+ registry.data.strings : ("0", "0x00000000") and
 not process.executable : (
 "?:\\Windows\\System32\\svchost.exe",
 "?:\\Windows\\System32\\DeviceEnroller.exe",
 "?:\\Windows\\system32\\omadmclient.exe",
- "?:\\Program Files (x86)\\N-able Technologies\\AutomationManagerAgent\\AutomationManager.AgentService.exe"
+ "?:\\Program Files (x86)\\N-able Technologies\\AutomationManagerAgent\\AutomationManager.AgentService.exe",
+
+ /* Crowdstrike specific exclusion as it uses NT Object paths */
+ "\\Device\\HarddiskVolume*\\Windows\\System32\\svchost.exe",
+ "\\Device\\HarddiskVolume*\\Windows\\System32\\DeviceEnroller.exe",
+ "\\Device\\HarddiskVolume*\\Windows\\system32\\omadmclient.exe",
+ "\\Device\\HarddiskVolume*\\Program Files (x86)\\N-able Technologies\\AutomationManagerAgent\\AutomationManager.AgentService.exe"
 )
 '''
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
index cb9954662..ef3d4c6c6 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
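Review bot: Replacing the explicit `registry.path` list with `registry.value : "EnableScriptBlockLogging"` drops the key constraint entirely, so a value of that name written under any hive or key now matches (per-user policy paths, Wow6432Node, or an unrelated key that happens to carry the same value name), whereas before only the HKLM policy key did; the AppInit_Dlls hunk in persistence_appinitdlls_registry.toml makes the same widening. If the motivation is a source that emits a path form the old list did not cover, the scheduled-task and print-spooler hunks of this same commit keep the key with a leading wildcard, e.g. `registry.path : "*\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging" and`, which keeps the scoping while staying source-agnostic. If the value-only match is intentional, this file should carry the same explanatory comment the AppInit_Dlls hunk adds, e.g. `/* Full registry key path omitted due to data source variations: "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging" */` next to the `registry.value` clause. The new exclusion comment here reads "Crowdstrike specific exclusion" while the two later hunks say "Crowdstrike specific condition"; one wording should be used in all three.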
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/05/28"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/28"
 [rule]
 author = ["Elastic"]
@@ -16,6 +16,7 @@ index = [
 "logs-endpoint.events.process-*",
 "logs-endpoint.events.network-*",
 "logs-windows.sysmon_operational-*",
+ "logs-sentinel_one_cloud_funnel.*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -69,6 +70,7 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Resources: Investigation Guide",
+ "Data Source: SentinelOne",
 ]
 type = "eql"
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
index d8f7da300..f2db06b1a 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/08/12"
+updated_date = "2025/08/28"
 [rule]
 author = ["Elastic"]
@@ -16,6 +16,7 @@ index = [
 "logs-endpoint.events.process-*",
 "logs-endpoint.events.network-*",
 "logs-windows.sysmon_operational-*",
+ "logs-sentinel_one_cloud_funnel.*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -68,6 +69,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
+ "Data Source: SentinelOne",
 ]
 type = "eql"
diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml
index 857d749b7..5301c4b0a 100644
--- a/rules/windows/lateral_movement_scheduled_task_target.toml
+++ b/rules/windows/lateral_movement_scheduled_task_target.toml
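Review bot: In the dllhost tags hunk the new `"Data Source: SentinelOne",` entry is appended after `"Resources: Investigation Guide",`, which separates it from the other `Data Source:` tags, while the rundll32 and scheduled-task hunks in this commit end up with the data-source tags contiguous. The same placement appears in the print spooler registry and print spooler child process tags hunks later in the patch. Inserting the new entries directly after `"Data Source: Sysmon",` (or the last existing `Data Source:` tag in each file) keeps the grouping consistent across the seven files.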
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/20"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/28"
 [rule]
 author = ["Elastic"]
@@ -13,6 +13,7 @@ index = [
 "logs-endpoint.events.network-*",
 "winlogbeat-*",
 "logs-windows.sysmon_operational-*",
+ "logs-sentinel_one_cloud_funnel.*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -57,6 +58,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
+ "Data Source: SentinelOne",
 ]
 type = "eql"
@@ -69,7 +71,7 @@ sequence by host.id, process.entity_id with maxspan = 1m
 source.ip != "127.0.0.1" and source.ip != "::1"
 ]
 [registry where host.os.type == "windows" and event.type == "change" and registry.value : "Actions" and
- registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"]
+ registry.path : "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"]
 '''
diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml
index 40d0f0740..350bb9b90 100644
--- a/rules/windows/persistence_appinitdlls_registry.toml
+++ b/rules/windows/persistence_appinitdlls_registry.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/18"
-integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/28"
 [transform]
 [[transform.osquery]]
@@ -55,6 +55,7 @@ index = [
 "endgame-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -127,20 +128,14 @@ tags = [
 "Data Source: Sysmon",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 registry where host.os.type == "windows" and event.type == "change" and
- registry.path : (
- "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
- "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
- "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
- "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
- "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
- "MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls"
- ) and
+ registry.value : "AppInit_Dlls" and
 not process.executable : (
 "?:\\Windows\\System32\\DriverStore\\FileRepository\\*\\Display.NvContainer\\NVDisplay.Container.exe",
 "?:\\Windows\\System32\\msiexec.exe",
@@ -149,8 +144,23 @@ registry where host.os.type == "windows" and event.type == "change" and
 "?:\\Program Files\\Commvault\\ContentStore*\\Base\\cvd.exe",
 "?:\\Program Files (x86)\\Commvault\\Base\\cvd.exe",
 "?:\\Program Files (x86)\\Commvault\\ContentStore*\\Base\\cvd.exe",
- "?:\\Program Files\\NVIDIA Corporation\\Display.NvContainer\\NVDisplay.Container.exe"
+ "?:\\Program Files\\NVIDIA Corporation\\Display.NvContainer\\NVDisplay.Container.exe",
+
+ /* Crowdstrike specific condition as it uses NT Object paths */
+ "\\Device\\HarddiskVolume*\\Windows\\System32\\DriverStore\\FileRepository\\*\\Display.NvContainer\\NVDisplay.Container.exe",
+ "\\Device\\HarddiskVolume*\\Windows\\System32\\msiexec.exe",
+ "\\Device\\HarddiskVolume*\\Windows\\SysWOW64\\msiexec.exe",
+ "\\Device\\HarddiskVolume*\\Program Files\\Commvault\\Base\\cvd.exe",
+ "\\Device\\HarddiskVolume*\\Program Files\\Commvault\\ContentStore*\\Base\\cvd.exe",
+ "\\Device\\HarddiskVolume*\\Program Files (x86)\\Commvault\\Base\\cvd.exe",
+ "\\Device\\HarddiskVolume*\\Program Files (x86)\\Commvault\\ContentStore*\\Base\\cvd.exe",
+ "\\Device\\HarddiskVolume*\\Program Files\\NVIDIA Corporation\\Display.NvContainer\\NVDisplay.Container.exe"
 )
+ /*
+ Full registry key path omitted due to data source variations:
+ "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls"
+ "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls"
+ */
 '''
diff --git a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
index 742afb6cc..020105af0 100644
--- a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
+++ b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/26"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/28"
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,14 @@ Exploitation involves chaining multiple primitives to load an arbitrary DLL into
 SYSTEM.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
+index = [
+ "logs-endpoint.events.registry-*",
+ "endgame-*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-m365_defender.event-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Print Spooler Point and Print DLL"
@@ -68,23 +75,21 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Resources: Investigation Guide",
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint",
 ]
 type = "eql"
 query = '''
 sequence by host.id with maxspan=30s
 [registry where host.os.type == "windows" and
- registry.path : (
- "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\SpoolDirectory",
- "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\SpoolDirectory"
- ) and
- registry.data.strings : "C:\\Windows\\System32\\spool\\drivers\\x64\\4"]
+ registry.value : "SpoolDirectory" and
+ registry.path : "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\SpoolDirectory" and
+ registry.data.strings : "C:\\Windows\\System32\\spool\\drivers\\x64\\4"]
 [registry where host.os.type == "windows" and
- registry.path : (
- "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\CopyFiles\\Payload\\Module",
- "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\CopyFiles\\Payload\\Module"
- ) and
- registry.data.strings : "C:\\Windows\\System32\\spool\\drivers\\x64\\4\\*"]
+ registry.value : "Module" and
+ registry.path : "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\CopyFiles\\Payload\\Module" and
+ registry.data.strings : "C:\\Windows\\System32\\spool\\drivers\\x64\\4\\*"]
 '''
diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
index de94d161c..c0568c400 100644
--- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
+++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
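Review bot: In both sequence stages the new `registry.value : "SpoolDirectory"` and `registry.value : "Module"` clauses are ANDed with a `registry.path` pattern that already ends in the same value name, so one of the two conditions is doing no work: for a source that fills both fields the value clause is redundant, and for a source whose `registry.path` is the key path without the trailing value name (the reason the AppInit_Dlls hunk gives for dropping the path entirely) the ANDed path pattern still fails and the stage never fires. If the intent is to tolerate both shapes, the path pattern should stop at the key, e.g. for the first stage `registry.path : "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*" and` with `registry.value` carrying the name, and similarly `*\\CopyFiles\\Payload*` for the second; if every added source populates the full path, the value clause can be dropped. A one-line comment stating which field shape the added sources emit would make the choice auditable next time this rule is tuned.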
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/07/06"
-integration = ["endpoint", "windows", "system"]
+integration = ["endpoint", "windows", "system", "crowdstrike", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/28"
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,17 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
+index = [
+ "logs-endpoint.events.process-*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "winlogbeat-*",
+ "logs-crowdstrike.fdr*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-m365_defender.event-*",
+ "endgame-*",
+ "logs-windows.sysmon_operational-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Print Spooler Child Process"
@@ -71,6 +81,11 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Windows Security Event Logs",
 "Resources: Investigation Guide",
+ "Data Source: Crowdstrike",
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Elastic Endgame",
+ "Data Source: Sysmon",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -89,7 +104,11 @@ process where host.os.type == "windows" and event.type == "start" and
 not (process.name : "regsvr32.exe" and process.command_line : "*PrintConfig.dll*") and
 not process.executable : (
 "?:\\Program Files (x86)\\CutePDF Writer\\CPWriter2.exe",
- "?:\\Program Files (x86)\\GPLGS\\gswin32c.exe"
+ "?:\\Program Files (x86)\\GPLGS\\gswin32c.exe",
+
+ /* Crowdstrike specific condition as it uses NT Object paths */
+ "\\Device\\HarddiskVolume*\\Program Files (x86)\\CutePDF Writer\\CPWriter2.exe",
+ "\\Device\\HarddiskVolume*\\Program Files (x86)\\GPLGS\\gswin32c.exe"
 )
 '''