Skip to content

[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 #5001

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 66 commits into from
Sep 1, 2025
Merged

[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 #5001

merged 66 commits into from
Sep 1, 2025

Conversation

Samirbous
Copy link
Contributor

@Samirbous Samirbous commented Aug 21, 2025
edited
Loading

13 new rules and 3 tunings (compatible with majority of our endpoint integrations) to improve coverage for top threats/TTPs for Windows for last 6 to 12 months:

  1. MSHTA
  2. MSIEXEC
  3. Windows Run/fake CAPTCHA
  4. SocGolish/SmartApeSG (fake updates)
  5. NetSupport Manager
  6. AutoHotkey/NodeJS
  7. C2 - susp TLD
  8. C2 - IP address discovery
  9. proxy exec (ssh, conhost)
  10. REMCOS RAT
  11. payload from WebDAV
  12. chromium credaccess via injection or debugging

for threats like Ghostpulse and LummaC2 we have detection that hits on the delivery method (not payload as those require API or file access events not compatible with 3d party integrations like sysmon/crowdstrike/mde/s1).

Samirbous added 23 commits August 19, 2025 11:14
@Samirbous
[New/Tuning] Windows Top Threats 2024/2025
9c61d5b 
1) MSHTA:
- tuning to exclude FPs
- new rule `Remote Script via Microsoft HTML Application` compatible with 3d party EDR/sysmon/system/winlog integration and that does not require correlation or multiple type of events.

2) MSIEXEC:
@Samirbous
Update defense_evasion_mshta_susp_child.toml
5d02c4d
@Samirbous
Update defense_evasion_script_via_html_app.toml
4a26857
@Samirbous
Update defense_evasion_mshta_susp_child.toml
e1c879f
@Samirbous
Create defense_evasion_msiexec_remote_payload.toml
cebec1e
@Samirbous
Update defense_evasion_msiexec_remote_payload.toml
2ffb41e
@Samirbous
++
74980d5
@Samirbous
Create execution_scripting_remote_webdav.toml
a8dfabc
@Samirbous
Create execution_windows_fakecaptcha_cmd_ps.toml
0cdbf8a
@Samirbous
Create command_and_control_rmm_netsupport_susp_path.toml
098be4f
@Samirbous
Update command_and_control_rmm_netsupport_susp_path.toml
96a216b
@Samirbous
++
75846bf
@Samirbous
Update execution_jscript_fake_updates.toml
f480138
@Samirbous
Create command_and_control_dns_susp_tld.toml
5dc4175
@Samirbous
++
3b4b0fb
@Samirbous
Create command_and_control_remcos_rat_iocs.toml
5be9890
@Samirbous
Update execution_windows_fakecaptcha_cmd_ps.toml
018fc92
@Samirbous
Update execution_scripts_archive_file.toml
927b530
@Samirbous
Update defense_evasion_masquerading_renamed_autoit.toml
6cc236b
@Samirbous
++
1fd1227
@Samirbous
Create execution_nodejs_susp_patterns.toml
78d46ee
@Samirbous
Update execution_nodejs_susp_patterns.toml
530c88c
@Samirbous
Update execution_windows_fakecaptcha_cmd_ps.toml
8a48da0
@Samirbous Samirbous self-assigned this Aug 21, 2025
@Samirbous Samirbous added Rule: New Proposal for new rule Rule: Tuning tweaking or tuning an existing rule OS: Windows windows related rules labels Aug 21, 2025
@github-actions GitHub Actions
Copy link
Contributor

Rule: New - Guidelines

These guidelines serve as a reminder set of considerations when proposing a new rule.

Documentation and Context

  • Detailed description of the rule.
  • List any new fields required in ECS/data sources.
  • Link related issues or PRs.
  • Include references.

Rule Metadata Checks

  • creation_date matches the date of creation PR initially merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive, considering performance for diverse environments. Non ecs fields should be added to non-ecs-schema.json if not available in an integration.
  • min_stack_comments and min_stack_version should be included if the rule is only compatible starting from a specific stack version.
  • index pattern should be neither too specific nor too vague, ensuring it accurately matches the relevant data stream (e.g., use logs-endpoint.process-* for process data).
  • integration should align with the index. If the integration is newly introduced, ensure the manifest, schemas, and new_rule.yaml template are updated.
  • setup should include the necessary steps to configure the integration.
  • note should include any additional information (e.g. Triage and analysis investigation guides, timeline templates).
  • tags should be relevant to the threat and align/added to the EXPECTED_RULE_TAGS in the definitions.py file.
  • threat, techniques, and subtechniques should map to ATT&CK always if possible.

New BBR Rules

  • building_block_type should be included if the rule is a building block and the rule should be located in the rules_building_block folder.
  • bypass_bbr_timing should be included if adding custom lookback timing to the rule.

Testing and Validation

  • Provide evidence of testing and detecting the expected threat.
  • Check for existence of coverage to prevent duplication.

@tradebot-elastic
Copy link

tradebot-elastic commented Sep 1, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Script Execution via Microsoft HTML Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Network Activity from a Windows System Binary (eql)
  • ❌ Renamed Automation Script Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Browser Process Spawned from an Unusual Parent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Microsoft HTML Application Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution with NodeJS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetSupport Manager Execution from an Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System Public IP Discovery via DNS Query (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution via FileFix Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Windows OpenSSH (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote Install via MsiExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential REMCOS Trojan Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Activity to a Suspicious Top Level Domain (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a WebDav Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Fake CAPTCHA Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Console Window Host (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@Samirbous @w0rk3r
Update rules/windows/command_and_control_dns_susp_tld.toml
ce60634 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
@tradebot-elastic
Copy link

tradebot-elastic commented Sep 1, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Script Execution via Microsoft HTML Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Network Activity from a Windows System Binary (eql)
  • ❌ Renamed Automation Script Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Browser Process Spawned from an Unusual Parent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Microsoft HTML Application Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution with NodeJS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetSupport Manager Execution from an Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System Public IP Discovery via DNS Query (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution via FileFix Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Windows OpenSSH (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote Install via MsiExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential REMCOS Trojan Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Activity to a Suspicious Top Level Domain (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a WebDav Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Fake CAPTCHA Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Console Window Host (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@Samirbous @w0rk3r
Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
b44ac19 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
@tradebot-elastic
Copy link

tradebot-elastic commented Sep 1, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Script Execution via Microsoft HTML Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Network Activity from a Windows System Binary (eql)
  • ❌ Renamed Automation Script Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Browser Process Spawned from an Unusual Parent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Microsoft HTML Application Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution with NodeJS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetSupport Manager Execution from an Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System Public IP Discovery via DNS Query (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution via FileFix Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Windows OpenSSH (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote Install via MsiExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential REMCOS Trojan Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Activity to a Suspicious Top Level Domain (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a WebDav Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Fake CAPTCHA Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Console Window Host (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

w0rk3r
w0rk3r reviewed Sep 1, 2025
View reviewed changes
Samirbous and others added 2 commits September 1, 2025 15:10
@Samirbous @w0rk3r
Update rules/windows/discovery_host_public_ip_address_lookup.toml
ff1e7ca 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
@Samirbous @w0rk3r
Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
ee823b6 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
@tradebot-elastic
Copy link

tradebot-elastic commented Sep 1, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Script Execution via Microsoft HTML Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Network Activity from a Windows System Binary (eql)
  • ❌ Renamed Automation Script Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Browser Process Spawned from an Unusual Parent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Microsoft HTML Application Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution with NodeJS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetSupport Manager Execution from an Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System Public IP Discovery via DNS Query (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution via FileFix Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Windows OpenSSH (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote Install via MsiExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential REMCOS Trojan Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Activity to a Suspicious Top Level Domain (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a WebDav Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Fake CAPTCHA Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Console Window Host (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@Samirbous @w0rk3r
Update rules/windows/discovery_host_public_ip_address_lookup.toml
2b62afb 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
w0rk3r
w0rk3r reviewed Sep 1, 2025
View reviewed changes
@Samirbous @w0rk3r
Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
aedd499 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
@tradebot-elastic
Copy link

tradebot-elastic commented Sep 1, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Script Execution via Microsoft HTML Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Network Activity from a Windows System Binary (eql)
  • ❌ Renamed Automation Script Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Browser Process Spawned from an Unusual Parent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Microsoft HTML Application Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution with NodeJS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetSupport Manager Execution from an Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System Public IP Discovery via DNS Query (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution via FileFix Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Windows OpenSSH (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote Install via MsiExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential REMCOS Trojan Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Activity to a Suspicious Top Level Domain (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a WebDav Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Fake CAPTCHA Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Console Window Host (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link

tradebot-elastic commented Sep 1, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Script Execution via Microsoft HTML Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Network Activity from a Windows System Binary (eql)
  • ❌ Renamed Automation Script Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Browser Process Spawned from an Unusual Parent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Microsoft HTML Application Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution with NodeJS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetSupport Manager Execution from an Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System Public IP Discovery via DNS Query (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution via FileFix Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Windows OpenSSH (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote Install via MsiExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential REMCOS Trojan Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Activity to a Suspicious Top Level Domain (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a WebDav Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Fake CAPTCHA Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Console Window Host (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@Samirbous @w0rk3r
Update rules/windows/execution_nodejs_susp_patterns.toml
8a28463 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
@tradebot-elastic
Copy link

tradebot-elastic commented Sep 1, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Script Execution via Microsoft HTML Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Network Activity from a Windows System Binary (eql)
  • ❌ Renamed Automation Script Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Browser Process Spawned from an Unusual Parent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Microsoft HTML Application Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution with NodeJS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetSupport Manager Execution from an Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System Public IP Discovery via DNS Query (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution via FileFix Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Windows OpenSSH (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote Install via MsiExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential REMCOS Trojan Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Activity to a Suspicious Top Level Domain (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a WebDav Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Fake CAPTCHA Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Console Window Host (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link

tradebot-elastic commented Sep 1, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Script Execution via Microsoft HTML Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Network Activity from a Windows System Binary (eql)
  • ❌ Renamed Automation Script Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Browser Process Spawned from an Unusual Parent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Microsoft HTML Application Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution with NodeJS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetSupport Manager Execution from an Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System Public IP Discovery via DNS Query (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution via FileFix Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Windows OpenSSH (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote Install via MsiExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential REMCOS Trojan Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Activity to a Suspicious Top Level Domain (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a WebDav Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Fake CAPTCHA Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Console Window Host (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

w0rk3r
w0rk3r reviewed Sep 1, 2025
View reviewed changes
@tradebot-elastic
Copy link

tradebot-elastic commented Sep 1, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Script Execution via Microsoft HTML Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Network Activity from a Windows System Binary (eql)
  • ❌ Renamed Automation Script Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Browser Process Spawned from an Unusual Parent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Microsoft HTML Application Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution with NodeJS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetSupport Manager Execution from an Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System Public IP Discovery via DNS Query (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution via FileFix Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Windows OpenSSH (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote Install via MsiExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential REMCOS Trojan Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Activity to a Suspicious Top Level Domain (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a WebDav Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Fake CAPTCHA Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Console Window Host (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

w0rk3r
w0rk3r reviewed Sep 1, 2025
View reviewed changes
w0rk3r
w0rk3r approved these changes Sep 1, 2025
View reviewed changes
Copy link
Contributor

@w0rk3r w0rk3r left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we are g2g, nice work

@Samirbous @w0rk3r
Update rules/windows/command_and_control_dns_susp_tld.toml
43c1f33 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
@tradebot-elastic
Copy link

tradebot-elastic commented Sep 1, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Script Execution via Microsoft HTML Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Network Activity from a Windows System Binary (eql)
  • ❌ Renamed Automation Script Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Browser Process Spawned from an Unusual Parent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Microsoft HTML Application Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution with NodeJS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetSupport Manager Execution from an Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System Public IP Discovery via DNS Query (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution via FileFix Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Windows OpenSSH (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote Install via MsiExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential REMCOS Trojan Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Activity to a Suspicious Top Level Domain (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a WebDav Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Fake CAPTCHA Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Console Window Host (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link

tradebot-elastic commented Sep 1, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Script Execution via Microsoft HTML Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Network Activity from a Windows System Binary (eql)
  • ❌ Renamed Automation Script Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Browser Process Spawned from an Unusual Parent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Microsoft HTML Application Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution with NodeJS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetSupport Manager Execution from an Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System Public IP Discovery via DNS Query (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution via FileFix Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Windows OpenSSH (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote Install via MsiExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential REMCOS Trojan Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Activity to a Suspicious Top Level Domain (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a WebDav Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Fake CAPTCHA Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Console Window Host (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link

tradebot-elastic commented Sep 1, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Script Execution via Microsoft HTML Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Network Activity from a Windows System Binary (eql)
  • ❌ Renamed Automation Script Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Browser Process Spawned from an Unusual Parent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Microsoft HTML Application Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution with NodeJS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetSupport Manager Execution from an Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System Public IP Discovery via DNS Query (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution via FileFix Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Windows OpenSSH (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote Install via MsiExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential REMCOS Trojan Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Activity to a Suspicious Top Level Domain (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a WebDav Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Fake CAPTCHA Phishing Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Proxy Execution via Console Window Host (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@Samirbous Samirbous merged commit e1205cb into main Sep 1, 2025
12 checks passed
@Samirbous Samirbous deleted the top-threats-july24-june25 branch September 1, 2025 14:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eric-forte-elastic eric-forte-elastic eric-forte-elastic left review comments

@Mikaayenson Mikaayenson Mikaayenson approved these changes

@w0rk3r w0rk3r w0rk3r approved these changes

@terrancedejesus terrancedejesus terrancedejesus approved these changes

Assignees

@Samirbous Samirbous

Labels

backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule Rule: Tuning tweaking or tuning an existing rule

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@Samirbous @tradebot-elastic @Mikaayenson @w0rk3r @terrancedejesus @eric-forte-elastic