diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
index 7cee70ce5..0669884ae 100644
--- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/10/13"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/11/02"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -22,6 +22,7 @@ index = [
 "logs-system.security*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -77,6 +78,7 @@ tags = [
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
index 1817612d8..cf5e56ac3 100644
--- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
+++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/10/13"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/11/02"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -48,6 +48,7 @@ index = [
 "logs-system.security*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -119,6 +120,7 @@ tags = [
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
 ]
 timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
 timeline_title = "Comprehensive Process Timeline"
diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
index e062b9751..70d23d495 100644
--- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml
+++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/04/14"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/11/02"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -22,6 +22,7 @@ index = [
 "logs-system.security*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -76,6 +77,7 @@ tags = [
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml
index 12ccdf160..ff5cb36de 100644
--- a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml
+++ b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2024/07/24"
-integration = ["endpoint", "windows", "system","sentinel_one_cloud_funnel", "m365_defender"]
+integration = ["endpoint", "windows", "system","sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2024/10/15"
+updated_date = "2024/11/02"
 
 [rule]
 author = ["Elastic"]
@@ -13,21 +13,21 @@ An adversary can use the Windows command line debugging utility cdb.exe to execu
 for those instances and where the cdb.exe binary is outside of the normal WindowsKit installation paths.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-system.security-*"]
+index = [
+ "logs-endpoint.events.process-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-m365_defender.event-*",
+ "logs-system.security-*",
+ "logs-crowdstrike.fdr*"
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Execution via Windows Command Debugging Utility"
 references = ["https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/"]
 risk_score = 47
 rule_id = "bdfaddc4-4438-48b4-bc43-9f5cf8151c46"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
 tags = [
 "Domain: Endpoint",
@@ -38,7 +38,8 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint"
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Crowdstrike"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -47,7 +48,12 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and
 (?process.pe.original_file_name == "CDB.Exe" or process.name : "cdb.exe") and
 process.args : ("-cf", "-c", "-pd") and
- not process.executable : ("?:\\Program Files (x86)\\*\\cdb.exe", "?:\\Program Files\\*\\cdb.exe")
+ not process.executable : (
+ "?:\\Program Files (x86)\\*\\cdb.exe",
+ "?:\\Program Files\\*\\cdb.exe",
+ "\\Device\\HarddiskVolume?\\Program Files (x86)\\*\\cdb.exe",
+ "\\Device\\HarddiskVolume?\\Program Files\\*\\cdb.exe"
+ )
 '''
 
 
diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
index 0f2f2f758..5d3eefaf5 100644
--- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
+++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/10/15"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/11/02"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -29,6 +29,7 @@ index = [
 "logs-system.security*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
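Review bot: The two new `\\Device\\HarddiskVolume?\\...` entries in the `not process.executable` exclusion list use a single `?` wildcard, which in EQL matches exactly one character, so a legitimate `cdb.exe` under Program Files on a volume numbered 10 or above is not excluded and will alert. The NT device-path form is presumably there for sources that report executables that way (the `logs-crowdstrike.fdr*` index is added to this rule in the same commit), so the volume number should be widened rather than pinned to one digit: `"\\Device\\HarddiskVolume*\\Program Files (x86)\\*\\cdb.exe"` and `"\\Device\\HarddiskVolume*\\Program Files\\*\\cdb.exe"`. A trailing `// NT device paths as reported by some EDR sources` comment on the opening `not process.executable : (` line would also record why the drive-letter form alone no longer suffices.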
@@ -88,16 +89,20 @@ tags = [
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where host.os.type == "windows" and event.action == "start" and
- (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or ?process.pe.original_file_name == "PowerShell.EXE") and
- process.args : "*Set-NetFirewallProfile*" and
- process.args : "*-Enabled*" and process.args : "*False*" and
- process.args : ("*-All*", "*Public*", "*Domain*", "*Private*")
+process where host.os.type == "windows" and event.type == "start" and
+ (
+ process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
+ ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")
+ ) and
+ process.args : "*Set-NetFirewallProfile*" and
+ process.args : "*-Enabled*" and process.args : "*False*" and
+ process.args : ("*-All*", "*Public*", "*Domain*", "*Private*")
 '''
 
 
diff --git a/rules/windows/defense_evasion_sc_sdset.toml b/rules/windows/defense_evasion_sc_sdset.toml
index e8ecd0ddc..c5be26162 100644
--- a/rules/windows/defense_evasion_sc_sdset.toml
+++ b/rules/windows/defense_evasion_sc_sdset.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2024/07/16"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2024/10/15"
+updated_date = "2024/11/02"
 
 [rule]
 author = ["Elastic"]
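Review bot: The rewritten `?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")` line uses EQL's `in`, which compares case-sensitively, while the removed line matched the literal `"PowerShell.EXE"` and the neighbouring `process.name :` branch is case-insensitive. On any source that reports the PE version resource with its original casing, the original-file-name branch stops matching, and that branch is the one meant to catch a renamed PowerShell binary, so the change risks silently narrowing the rule to default process names only; I have not verified how each integration in the `index` list normalises this field. The case-insensitive form is a one-token change: `?process.pe.original_file_name in~ ("powershell.exe", "pwsh.dll", "powershell_ise.exe")`. The switch from `event.action` to `event.type` on the first query line is consistent with the other rules touched in this commit.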
@@ -12,7 +12,7 @@ description = """
 Identifies DACL modifications to deny access to a service, making it unstoppable, or hide it from system and users.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Service DACL Modification via sc.exe"
@@ -35,7 +35,8 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
- "Data Source: Microsoft Defender for Endpoint"
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Crowdstrike"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
index c30a63095..836d87c5c 100644
--- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml
+++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/11/02"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -49,6 +49,7 @@ index = [
 "logs-system.security*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -125,6 +126,7 @@ tags = [
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
 ]
 timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
 timeline_title = "Comprehensive Process Timeline"
diff --git a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
index 27ac79214..5f800c774 100644
--- a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
+++ b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/01/13"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/11/02"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -22,6 +22,7 @@ index = [
 "logs-system.security*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -77,6 +78,7 @@ tags = [
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml
index a3da31eaf..15cdd0dfb 100644
--- a/rules/windows/discovery_adfind_command_activity.toml
+++ b/rules/windows/discovery_adfind_command_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/10/19"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/11/02"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -23,6 +23,7 @@ index = [
 "logs-system.security*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -85,13 +86,14 @@ tags = [
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- (process.name : "AdFind.exe" or ?process.pe.original_file_name == "AdFind.exe") and
+ (process.name : "AdFind*.exe" or ?process.pe.original_file_name == "AdFind.exe") and
 process.args : ("objectcategory=computer", "(objectcategory=computer)",
 "objectcategory=person", "(objectcategory=person)",
 "objectcategory=subnet", "(objectcategory=subnet)",
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
index 680344f4a..38dcc3099 100644
--- a/rules/windows/discovery_admin_recon.toml
+++ b/rules/windows/discovery_admin_recon.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/12/04"
-integration = ["endpoint", "windows", "system", "m365_defender"]
+integration = ["endpoint", "windows", "system", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/11/02"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -20,6 +20,7 @@ index = [
 "endgame-*",
 "logs-system.security*",
 "logs-m365_defender.event-*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -69,6 +70,7 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: System",
 "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"