From 6c623d69b45ff33c45aa0a3054e703989750121c Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Wed, 27 Aug 2025 09:20:55 -0300 Subject: [PATCH 1/3] [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 6 --- ...persistence_account_tokenfilterpolicy.toml | 12 ++++++-- ...ense_evasion_proxy_execution_via_msdt.toml | 29 ++++++++++++++----- ...eg_disable_enableglobalqueryblocklist.toml | 6 ++-- ...defense_evasion_rundll32_no_arguments.toml | 7 +++-- ...ion_scheduledjobs_at_protocol_enabled.toml | 14 ++++----- 5 files changed, 45 insertions(+), 23 deletions(-) diff --git a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml index f4b7ac3f852..9ddaab8cec8 100644 --- a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml +++ b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2022/11/01" -integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] +integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/07/03" +updated_date = "2025/08/26" [rule] author = ["Elastic"] @@ -19,6 +19,7 @@ index = [ "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", + "logs-crowdstrike.fdr*", ] language = "eql" license = "Elastic License v2" @@ -76,6 +77,7 @@ tags = [ "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", + "Data Source: Crowdstrike", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" 
@@ -92,7 +94,11 @@ registry where host.os.type == "windows" and event.type == "change" and not process.executable : ( /* Intune */ "C:\\Windows\\system32\\deviceenroller.exe", - "C:\\Windows\\system32\\omadmclient.exe" + "C:\\Windows\\system32\\omadmclient.exe", + + /* Crowdstrike specific exclusion as it uses NT Object paths */ + "\\Device\\HarddiskVolume?\\system32\\deviceenroller.exe", + "\\Device\\HarddiskVolume?\\system32\\omadmclient.exe" ) ''' diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml index 353a2156cb7..83565ade197 100644 --- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml +++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2022/05/31" -integration = ["endpoint", "windows", "m365_defender"] +integration = ["endpoint", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/08/26" [rule] author = ["Elastic"] @@ -17,6 +17,7 @@ index = [ "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", + "logs-crowdstrike.fdr*", ] language = "eql" license = "Elastic License v2" @@ -72,6 +73,7 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", + "Data Source: Crowdstrike", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" 
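Review bot: The two CrowdStrike exclusions added here drop the `Windows` directory that the DOS-path entries beside them carry (`C:\\Windows\\system32\\deviceenroller.exe` versus `\\Device\\HarddiskVolume?\\system32\\deviceenroller.exe`), while the NT paths added to the msdt rule in this same commit do keep it (`\\Device\\HarddiskVolume?\\Windows\\system32\\msdt.exe`). If the NT object path reported for these binaries mirrors the DOS path, neither pattern will ever match and the Intune exclusion stays ineffective on CrowdStrike data, so the false positives it exists to suppress would still fire; worth confirming against sample events. The likely intended lines are `"\\Device\\HarddiskVolume?\\Windows\\system32\\deviceenroller.exe",` and `"\\Device\\HarddiskVolume?\\Windows\\system32\\omadmclient.exe"`. The second commit in this series widens the volume wildcard from `?` to `*` but keeps the same path shape, so the same applies to its hunk in this file; the enclosing `registry where` query starts outside the hunk.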
@@ -79,18 +81,29 @@ type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and - (process.pe.original_file_name == "msdt.exe" or process.name : "msdt.exe") and - ( + (process.pe.original_file_name == "msdt.exe" or process.name : "msdt.exe") and + ( process.args : ("IT_RebrowseForFile=*", "ms-msdt:/id", "ms-msdt:-id", "*FromBase64*") or - (process.args : "-af" and process.args : "/skip" and - process.parent.name : ("explorer.exe", "cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe") and - process.args : ("?:\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml", "PCWDiagnostic.xml", "?:\\Users\\Public\\*", "?:\\Windows\\Temp\\*")) or + ( + process.args : "-af" and process.args : "/skip" and + process.parent.name : ("explorer.exe", "cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe") and + process.args : ("?:\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml", "PCWDiagnostic.xml", "?:\\Users\\Public\\*", "?:\\Windows\\Temp\\*") + ) or (process.pe.original_file_name == "msdt.exe" and not process.name : "msdt.exe" and process.name != null) or - (process.pe.original_file_name == "msdt.exe" and not process.executable : ("?:\\Windows\\system32\\msdt.exe", "?:\\Windows\\SysWOW64\\msdt.exe")) + ( + process.pe.original_file_name == "msdt.exe" and + not process.executable : ( + "?:\\Windows\\system32\\msdt.exe", + "?:\\Windows\\SysWOW64\\msdt.exe", + /* Crowdstrike specific exclusion as it uses NT Object paths */ + "\\Device\\HarddiskVolume?\\Windows\\system32\\msdt.exe", + "\\Device\\HarddiskVolume?\\Windows\\SysWOW64\\msdt.exe" + ) ) + ) ''' diff --git a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml index 66566945113..ea84093427a 100644 --- a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml 
+++ b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2024/05/31" -integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/08/26" [rule] author = ["Elastic"] @@ -20,6 +20,7 @@ index = [ "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "endgame-*", + "logs-crowdstrike.fdr*", ] language = "eql" license = "Elastic License v2" @@ -76,6 +77,7 @@ tags = [ "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Elastic Endgame", + "Data Source: Crowdstrike", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml index 350f90971dc..42ea3a75fbc 100644 --- a/rules/windows/defense_evasion_rundll32_no_arguments.toml +++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/09/02" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "crowdstrike"] maturity = "production" -updated_date = "2025/08/12" +updated_date = "2025/08/26" [transform] [[transform.osquery]] @@ -37,7 +37,7 @@ Identifies child processes of unusual instances of RunDLL32 where the command li RunDLL32 could indicate malicious activity. """ from = "now-60m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-crowdstrike.fdr*"] interval = "30m" language = "eql" license = "Elastic License v2" 
@@ -108,6 +108,7 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon", + "Data Source: Crowdstrike", "Resources: Investigation Guide", ] type = "eql" diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml index 78e006e81d4..60cfde08eec 100644 --- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml +++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/11/23" -integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/08/26" [rule] author = ["Elastic"] @@ -19,6 +19,7 @@ index = [ "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", + "logs-crowdstrike.fdr*", ] language = "eql" license = "Elastic License v2" @@ -72,6 +73,7 @@ tags = [ "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", + "Data Source: Crowdstrike", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" @@ -79,11 +81,9 @@ type = "eql" query = ''' registry where host.os.type == "windows" and event.type == "change" and - registry.path : ( - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt", - "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt", - "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt" - ) and registry.data.strings : ("1", "0x00000001") + registry.value : "EnableAt" and + registry.path : "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt" and + registry.data.strings : ("1", "0x00000001") ''' 
From 0a44421f9246a3df2119aa87ad97f78cbe36f4f3 Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Thu, 28 Aug 2025 06:40:43 -0700 Subject: [PATCH 2/3] Apply suggestions from code review Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --- ...nse_evasion_persistence_account_tokenfilterpolicy.toml | 4 ++-- .../windows/defense_evasion_proxy_execution_via_msdt.toml | 8 ++++---- ...defense_evasion_scheduledjobs_at_protocol_enabled.toml | 1 - 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml index 9ddaab8cec8..33a09e0df4e 100644 --- a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml +++ b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml @@ -97,8 +97,8 @@ registry where host.os.type == "windows" and event.type == "change" and "C:\\Windows\\system32\\omadmclient.exe", /* Crowdstrike specific exclusion as it uses NT Object paths */ - "\\Device\\HarddiskVolume?\\system32\\deviceenroller.exe", - "\\Device\\HarddiskVolume?\\system32\\omadmclient.exe" + "\\Device\\HarddiskVolume*\\system32\\deviceenroller.exe", + "\\Device\\HarddiskVolume*\\system32\\omadmclient.exe" ) ''' diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml index 83565ade197..fd9dfc674b5 100644 --- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml +++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml 
@@ -81,7 +81,7 @@ type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and - (process.pe.original_file_name == "msdt.exe" or process.name : "msdt.exe") and + (?process.pe.original_file_name == "msdt.exe" or process.name : "msdt.exe") and ( process.args : ("IT_RebrowseForFile=*", "ms-msdt:/id", "ms-msdt:-id", "*FromBase64*") or @@ -94,13 +94,13 @@ process where host.os.type == "windows" and event.type == "start" and (process.pe.original_file_name == "msdt.exe" and not process.name : "msdt.exe" and process.name != null) or ( - process.pe.original_file_name == "msdt.exe" and + ?process.pe.original_file_name == "msdt.exe" and not process.executable : ( "?:\\Windows\\system32\\msdt.exe", "?:\\Windows\\SysWOW64\\msdt.exe", /* Crowdstrike specific exclusion as it uses NT Object paths */ - "\\Device\\HarddiskVolume?\\Windows\\system32\\msdt.exe", - "\\Device\\HarddiskVolume?\\Windows\\SysWOW64\\msdt.exe" + "\\Device\\HarddiskVolume*\\Windows\\system32\\msdt.exe", + "\\Device\\HarddiskVolume*\\Windows\\SysWOW64\\msdt.exe" ) ) ) diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml index 60cfde08eec..baa9ab7adee 100644 --- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml +++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml @@ -82,7 +82,6 @@ type = "eql" query = ''' registry where host.os.type == "windows" and event.type == "change" and registry.value : "EnableAt" and - registry.path : "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt" and registry.data.strings : ("1", "0x00000001") ''' From f686dd1ab29525ce311a13dbc493a7f2f99552b7 Mon Sep 17 00:00:00 2001 
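Review bot: The optional-field marker is applied to only two of the three references to the same field: the first hunk rewrites the top condition to `?process.pe.original_file_name == "msdt.exe"` and the second hunk does the same inside the executable-exclusion branch, while the unchanged context line `(process.pe.original_file_name == "msdt.exe" and not process.name : "msdt.exe" and process.name != null) or` between them still uses the bare field. If the marker was added because the field is absent from one of the newly targeted data-source schemas, that line presumably hits the same problem; if it was not needed, the two added markers are noise. Either way the three references should agree, e.g. `(?process.pe.original_file_name == "msdt.exe" and not process.name : "msdt.exe" and process.name != null) or`, and a short comment such as `/* ?field: optional, not mapped in every targeted data source */` above the query would record the reason.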
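Review bot: Removing the `registry.path` line leaves `registry.value : "EnableAt"` as the only condition identifying the key, so any registry value named EnableAt set to `1` or `0x00000001` under any key now matches, not just the `Schedule\\Configuration` key the removed pattern named. If the path was dropped because its format differs in one data source, a guarded form keeps the precision wherever the field is present, e.g. `(registry.path : "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt" or ?registry.path == null) and`. At minimum, a comment above `registry.value : "EnableAt" and` should state why the path is not constrained, e.g. `/* registry.path intentionally not checked: path format varies across data sources */`, so the next tuner does not re-add it blindly.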
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Thu, 28 Aug 2025 10:57:34 -0300 Subject: [PATCH 3/3] Update defense_evasion_proxy_execution_via_msdt.toml --- rules/windows/defense_evasion_proxy_execution_via_msdt.toml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml index fd9dfc674b5..aba8cb7d42e 100644 --- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml +++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml @@ -1,6 +1,6 @@ [metadata] creation_date = "2022/05/31" -integration = ["endpoint", "windows", "m365_defender", "crowdstrike"] +integration = ["endpoint", "windows", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" updated_date = "2025/08/26" @@ -18,6 +18,7 @@ index = [ "endgame-*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*", + "logs-sentinel_one_cloud_funnel.*", ] language = "eql" license = "Elastic License v2" @@ -74,6 +75,7 @@ tags = [ "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: Crowdstrike", + "Data Source: SentinelOne", "Resources: Investigation Guide", ] timestamp_override = "event.ingested"