diff --git a/rules/windows/command_and_control_outlook_home_page.toml b/rules/windows/command_and_control_outlook_home_page.toml
index b301820e205..953275b973e 100644
--- a/rules/windows/command_and_control_outlook_home_page.toml
+++ b/rules/windows/command_and_control_outlook_home_page.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2024/08/01"
-integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/06/12"
+updated_date = "2025/08/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,6 +18,7 @@ index = [
 "endgame-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+"logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -60,9 +61,9 @@ references = [
 "https://cloud.google.com/blog/topics/threat-intelligence/breaking-the-rules-tough-outlook-for-home-page-attacks/",
 "https://github.com/trustedsec/specula",
 ]
-risk_score = 47
+risk_score = 73
 rule_id = "ac5a2759-5c34-440a-b0c4-51fe674611d6"
-severity = "medium"
+severity = "high"
 tags = [
 "Domain: Endpoint",
 "OS: Windows",
@@ -75,6 +76,7 @@ tags = [
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: SentinelOne",
 "Resources: Investigation Guide",
+"Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -84,7 +86,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and regi
 registry.path : (
 "*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\*",
 "*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Today\\*"
-) and registry.data.strings : "*://*"
+) and registry.data.strings : ("*://*", "*http*")
 '''
 
 
diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml
index a5f8f32e7b7..0e73d7b7ab7 100644
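Review bot: The new `"*http*"` alternative in `registry.data.strings : ("*://*", "*http*")` is a bare substring match, so any Webview/Today value whose data merely contains `http` somewhere (a local path with `httpd` in it, a share name, a descriptive string) now fires, and the same commit raises risk_score from 47 to 73 and severity to high, so the cost of that extra noise rises with it. If the second pattern exists because one of the added sources truncates or omits the `://` separator, record that in the query, e.g. `/* "*http*": scheme separator is not always present in <SOURCE-NAME placeholder> data */`; if the value is expected to begin with the scheme, a start-anchored `"http*"` would keep the intent without matching arbitrary substrings. Separately, in the tags hunk `"Data Source: Crowdstrike"` is appended after `"Resources: Investigation Guide"`, whereas the other four files in this diff keep it grouped with the other Data Source tags.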
--- a/rules/windows/command_and_control_port_forwarding_added_registry.toml
+++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/25"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,6 +18,7 @@ index = [
 "endgame-*",
 "logs-sentinel_one_cloud_funnel.*",
 "logs-m365_defender.event-*",
+"logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -81,16 +82,14 @@ tags = [
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Microsoft Defender for Endpoint",
+"Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-registry where host.os.type == "windows" and registry.path : (
-"HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*",
-"\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*",
-"MACHINE\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*"
-)
+registry where host.os.type == "windows" and event.type == "change" and
+registry.path : "*\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*" and registry.data.strings != null
 '''
 
 
diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
index f85adb5f6f8..cbc58475eaa 100644
--- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
+++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
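Review bot: `event.type == "change"` and `registry.data.strings != null` are two new preconditions the old query did not have, and neither is explained in the hunk; a source that types the PortProxy value write differently, or that does not populate `registry.data.strings`, now silently never matches even though its index was just added to the rule. Please add a one-line EQL comment above the query naming which source needed each filter and that hits were verified on every index in the list, e.g. `/* event.type and data.strings filters added for <SOURCE-NAME placeholder>; hits confirmed on all listed indices */`. The leading `*\\SYSTEM\\...` wildcard replaces the three explicit hive prefixes (`HKLM`, `\\REGISTRY\\MACHINE`, `MACHINE`) that were removed; that is presumably what lets the new source's path form match, and it is worth a word in the same comment.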
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/08/31"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/26"
 
 [rule]
 author = ["Elastic"]
@@ -15,6 +15,7 @@ index = [
 "endgame-*",
 "logs-sentinel_one_cloud_funnel.*",
 "logs-m365_defender.event-*",
+"logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -83,6 +84,7 @@ tags = [
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Microsoft Defender for Endpoint",
+"Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
index eda22dc27bb..0285fbdc829 100644
--- a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
+++ b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/01/17"
-integration = ["windows", "endpoint", "sentinel_one_cloud_funnel", "m365_defender"]
+integration = ["windows", "endpoint", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/05/05"
+updated_date = "2025/08/26"
 
 [transform]
 [[transform.osquery]]
@@ -44,6 +44,7 @@ index = [
 "endgame-*",
 "logs-sentinel_one_cloud_funnel.*",
 "logs-m365_defender.event-*",
+"logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
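Review bot: The crowdstrike index and tag are added to credential_access_mimikatz_memssp_default_logs.toml without any change to the rule's query, which lies outside these hunks. The comment added to defense_evasion_amsi_bypass_dllhijack.toml later in this diff says CrowdStrike reports NT object paths (`\\Device\\HarddiskVolume*\\...`), so if this rule's `file.path` condition is anchored to a drive letter (`?:\\...`), events from `logs-crowdstrike.fdr*` can never match and the new index is dead weight; confirm against a real event from that index before merging. The same question applies to defense_evasion_amsienable_key_mod.toml at the end of this diff, whose registry query is also untouched, while the port-forwarding rule in this diff had to loosen its `registry.path` prefix to `*\\SYSTEM\\...` for the same source.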
@@ -111,38 +112,38 @@ tags = [
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Microsoft Defender for Endpoint",
+"Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
 file where host.os.type == "windows" and event.type != "deletion" and file.path != null and
-file.name : ("amsi.dll", "amsi") and
+file.name : ("amsi.dll", "amsi") and
+event.action != "A process changed a file creation time" and
 not file.path : (
-"?:\\$SysReset\\CloudImage\\Package_for_RollupFix*",
+"?:\\$SysReset\\CloudImage\\Package_for_RollupFix*\\amsi.dll",
 "?:\\Windows\\system32\\amsi.dll",
 "?:\\Windows\\Syswow64\\amsi.dll",
-"?:\\$WINDOWS.~BT\\DUImageSandbox\\*",
-"?:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSXS\\*",
-"?:\\$WINDOWS.~BT\\NewOS\\Windows\\servicing\\LCU\\*",
-"?:\\$WINDOWS.~BT\\Work\\*\\*",
-"?:\\$WINDOWS.~BT\\Store\\Offline\\File\\C$\\Windows\\SoftwareDistribution\\Download.bak\\*",
-"?:\\Windows\\CbsTemp\\*\\f\\amsi.dll",
+"?:\\$WINDOWS.~BT\\*\\amsi.dll",
+"?:\\Windows\\CbsTemp\\*\\amsi.dll",
 "?:\\Windows\\SoftwareDistribution\\Download\\*",
-"?:\\Windows\\WinSxS\\amd64_microsoft-antimalware-scan-interface_*\\amsi.dll"
-) and
-not
-(
-process.executable : "C:\\Windows\\System32\\wbengine.exe" and
-file.path : (
-"\\Device\\HarddiskVolume??\\Windows\\system32\\amsi.dll",
-"\\Device\\HarddiskVolume??\\Windows\\syswow64\\amsi.dll",
-"\\Device\\HarddiskVolume??\\Windows\\WinSxS\\*\\amsi.dll",
-"\\\\?\\Volume{*}\\Windows\\WinSxS\\*\\amsi.dll",
-"\\\\?\\Volume{*}\\Windows\\system32\\amsi.dll",
-"\\\\?\\Volume{*}\\Windows\\syswow64\\amsi.dll"
-)
-)
+"?:\\Windows\\WinSxS\\*\\amsi.dll",
+"?:\\Windows\\servicing\\*\\amsi.dll",
+"\\\\?\\Volume{*}\\Windows\\WinSxS\\*\\amsi.dll",
+"\\\\?\\Volume{*}\\Windows\\system32\\amsi.dll",
+"\\\\?\\Volume{*}\\Windows\\syswow64\\amsi.dll",
+
+/* Crowdstrike specific exclusion as it uses NT Object paths */
+"\\Device\\HarddiskVolume*\\Windows\\system32\\amsi.dll",
+"\\Device\\HarddiskVolume*\\Windows\\syswow64\\amsi.dll",
+"\\Device\\HarddiskVolume*\\Windows\\WinSxS\\*\\amsi.dll",
+"\\Device\\HarddiskVolume*\\$SysReset\\CloudImage\\Package_for_RollupFix*\\amsi.dll",
+"\\Device\\HarddiskVolume*\\$WINDOWS.~BT\\*\\amsi.dll",
+"\\Device\\HarddiskVolume*\\Windows\\SoftwareDistribution\\Download\\*\\amsi.dll",
+"\\Device\\HarddiskVolume*\\Windows\\CbsTemp\\*\\amsi.dll",
+"\\Device\\HarddiskVolume*\\Windows\\servicing\\*\\amsi.dll"
+)
 '''
 
 
diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml
index e7e6c4f40d4..a8dac0c7b68 100644
--- a/rules/windows/defense_evasion_amsienable_key_mod.toml
+++ b/rules/windows/defense_evasion_amsienable_key_mod.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/06/01"
-integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,6 +18,7 @@ index = [
 "endgame-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+"logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -90,6 +91,7 @@ tags = [
 "Data Source: Sysmon",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: SentinelOne",
+"Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"