Files

T

Samirbous e1205cb5c5 [New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001 )

* [New/Tuning] Windows Top Threats 2024/2025

1) MSHTA:
- tuning to exclude FPs
- new rule `Remote Script via Microsoft HTML Application` compatible with 3d party EDR/sysmon/system/winlog integration and that does not require correlation or multiple type of events.

2) MSIEXEC:

* Update defense_evasion_mshta_susp_child.toml

* Update defense_evasion_script_via_html_app.toml

* Update defense_evasion_mshta_susp_child.toml

* Create defense_evasion_msiexec_remote_payload.toml

* Update defense_evasion_msiexec_remote_payload.toml

* ++

* Create execution_scripting_remote_webdav.toml

* Create execution_windows_fakecaptcha_cmd_ps.toml

* Create command_and_control_rmm_netsupport_susp_path.toml

* Update command_and_control_rmm_netsupport_susp_path.toml

* ++

* Update execution_jscript_fake_updates.toml

* Create command_and_control_dns_susp_tld.toml

* ++

* Create command_and_control_remcos_rat_iocs.toml

* Update execution_windows_fakecaptcha_cmd_ps.toml

* Update execution_scripts_archive_file.toml

* Update defense_evasion_masquerading_renamed_autoit.toml

* ++

* Create execution_nodejs_susp_patterns.toml

* Update execution_nodejs_susp_patterns.toml

* Update execution_windows_fakecaptcha_cmd_ps.toml

* Fix unit test errors

* Update defense_evasion_network_connection_from_windows_binary.toml

* Add system index

* Add tag

* Update rules/windows/command_and_control_remcos_rat_iocs.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Remove duplicate

* Update defense_evasion_msiexec_child_proc_netcon.toml

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update defense_evasion_masquerading_renamed_autoit.toml

* Create credential_access_browsers_unusual_parent.toml

* Update credential_access_browsers_unusual_parent.toml

* ++

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update rules/windows/command_and_control_dns_susp_tld.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_remcos_rat_iocs.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_mshta_susp_child.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_host_public_ip_address_lookup.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_host_public_ip_address_lookup.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/execution_windows_phish_clickfix.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update discovery_host_public_ip_address_lookup.toml

* Update execution_windows_phish_clickfix.toml

* Update rules/windows/defense_evasion_script_via_html_app.toml

* Update rules/windows/command_and_control_dns_susp_tld.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_host_public_ip_address_lookup.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_dns_susp_tld.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_browsers_unusual_parent.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_dns_susp_tld.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_host_public_ip_address_lookup.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_host_public_ip_address_lookup.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/execution_nodejs_susp_patterns.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update discovery_host_public_ip_address_lookup.toml

* Update rules/windows/command_and_control_dns_susp_tld.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update defense_evasion_script_via_html_app.toml

---------

Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

2025-09-01 15:41:51 +01:00

_deprecated

[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912 )

2025-08-05 19:35:41 -04:00

apm

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

cross-platform

[New] Command Line Obfuscation via Whitespace Padding (#4860 )

2025-08-18 15:26:52 +01:00

integrations

[Rule Tuning] M365 Portal Logins (Impossible & Atypical) (#5031 )

2025-08-29 15:41:38 -04:00

linux

[New Rule] Multi-Base64 Decoding Attempt from Suspicious Location (#4931 )

2025-08-25 10:31:25 +02:00

macos

Update command_and_control_unusual_network_connection_to_suspicious_web_service.toml (#5008 )

2025-08-26 13:03:59 +01:00

Prep main for 9.1 (#4555 )

2025-03-26 11:04:14 -04:00

network

[Rule Tuning] Reduce Severity from Critical to High (#4637 )

2025-05-06 21:37:47 +05:30

promotions

[Rule Tuning] Elastic Security External Alerts (#4962 )

2025-08-05 15:48:10 -05:00

threat_intel

[Rule Tuning] Reduce Severity from Critical to High (#4637 )

2025-05-06 21:37:47 +05:30

windows

[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001 )

2025-09-01 15:41:51 +01:00

README.md

[New Rule] Endpoint Security Behavior Protection (#1440 )

2021-08-25 09:56:59 -06:00

README.md

rules/

Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)

folder	description
`.`	Root directory where rules are stored
`apm/`	Rules that use Application Performance Monitoring (APM) data sources
`cross-platform/`	Rules that apply to multiple platforms, such as Windows and Linux
`integrations/`	Rules organized by Fleet integration
`linux/`	Rules for Linux or other Unix based operating systems
`macos/`	Rules for macOS
`ml/`	Rules that use machine learning jobs (ML)
`network/`	Rules that use network data sources
`promotions/`	Rules that promote external alerts into detection engine alerts
`windows/`	Rules for the Microsoft Windows Operating System

Integration specific rules are stored in the integrations/ directory:

folder	integration
`aws/`	Amazon Web Services (AWS)
`azure/`	Microsoft Azure
`cyberarkpas/`	Cyber Ark Privileged Access Security
`endpoint/`	Elastic Endpoint Security
`gcp/`	Google Cloud Platform (GCP)
`google_workspace/`	Google Workspace (formerly GSuite)
`o365/`	Microsoft Office
`okta/`	Oka