From c765f8708743676616e8c75bb816c76d6c6685ff Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Tue, 26 Aug 2025 20:38:25 -0300
Subject: [PATCH 1/2] [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 11

---
 ...n_lanman_nullsessionpipe_modification.toml | 16 ++++-----
 ...vement_incoming_winrm_shell_execution.toml | 6 ++--
 ...l_movement_powershell_remoting_target.toml | 6 ++--
 ...lateral_movement_rdp_enabled_registry.toml | 33 +++++++++++--------
 .../persistence_adobe_hijack_persistence.toml | 24 +++++++-------
 5 files changed, 48 insertions(+), 37 deletions(-)

diff --git a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
index 815a43f51b1..71fee26be79 100644
--- a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
+++ b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/03/22"
-integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,6 +18,7 @@ index = [
     "winlogbeat-*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -74,6 +75,7 @@ tags = [
     "Data Source: Sysmon",
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
@@ -81,12 +83,10 @@ type = "eql"
 query = '''
 registry where host.os.type == "windows" and event.type == "change" and
-registry.path : (
-    "HKLM\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes",
-    "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes",
-    "MACHINE\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes"
-) and length(registry.data.strings) > 0 and
-not registry.data.strings : "(empty)"
+  registry.value : "NullSessionPipes" and
+  registry.path : "*\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes" and
+  length(registry.data.strings) > 0 and
+  not registry.data.strings : "(empty)"
 '''
diff --git a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
index fe6449c22bc..da41ef5f328 100644
--- a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
+++ b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/24"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/05/20"
+updated_date = "2025/08/26"
 
 [rule]
 author = ["Elastic"]
@@ -22,6 +22,7 @@ index = [
     "logs-endpoint.events.process-*",
     "logs-endpoint.events.network-*",
     "logs-windows.sysmon_operational-*",
+    "logs-sentinel_one_cloud_funnel.*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -72,6 +73,7 @@ tags = [
     "Data Source: Elastic Defend",
     "Data Source: Sysmon",
     "Resources: Investigation Guide",
+    "Data Source: SentinelOne",
 ]
 type = "eql"
 
diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml
index d5d097426a5..39f0f961dc7 100644
--- a/rules/windows/lateral_movement_powershell_remoting_target.toml
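Review bot: In the winrm_shell_execution tags hunk, `"Data Source: SentinelOne"` is appended after `"Resources: Investigation Guide"`, while the powershell_remoting_target hunk in this same patch, and the other rules it touches, keep every `Data Source:` tag ahead of the `Resources:` tag. Inserting the new line one position earlier, so that `+    "Data Source: SentinelOne",` precedes `"Resources: Investigation Guide",`, keeps the tag ordering consistent across the repository and makes the tag lists easier to compare in future tuning passes.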
+++ b/rules/windows/lateral_movement_powershell_remoting_target.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/24"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/05/20"
+updated_date = "2025/08/26"
 
 [rule]
 author = ["Elastic"]
@@ -22,6 +22,7 @@ index = [
     "logs-endpoint.events.process-*",
     "logs-endpoint.events.network-*",
     "logs-windows.sysmon_operational-*",
+    "logs-sentinel_one_cloud_funnel.*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -75,6 +76,7 @@ tags = [
     "Tactic: Execution",
     "Data Source: Elastic Defend",
     "Data Source: Sysmon",
+    "Data Source: SentinelOne",
     "Resources: Investigation Guide",
 ]
 type = "eql"
diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml
index d0b2102f5d4..88ec867f93b 100644
--- a/rules/windows/lateral_movement_rdp_enabled_registry.toml
+++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/25"
-integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,6 +18,7 @@ index = [
     "endgame-*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -73,24 +74,30 @@ tags = [
     "Data Source: Sysmon",
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 registry where host.os.type == "windows" and event.type == "change" and
-  registry.path : (
-    "HKLM\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\fDenyTSConnections",
-    "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\fDenyTSConnections",
-    "MACHINE\\*ControlSet*\\Control\\Terminal Server\\fDenyTSConnections"
-  ) and
+  registry.value : "fDenyTSConnections" and
+  registry.path : "*\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\fDenyTSConnections" and
   registry.data.strings : ("0", "0x00000000") and
-  not process.executable : ("?:\\Windows\\System32\\SystemPropertiesRemote.exe",
-                            "?:\\Windows\\System32\\SystemPropertiesComputerName.exe",
-                            "?:\\Windows\\System32\\SystemPropertiesAdvanced.exe",
-                            "?:\\Windows\\System32\\SystemSettingsAdminFlows.exe",
-                            "?:\\Windows\\WinSxS\\*\\TiWorker.exe",
-                            "?:\\Windows\\system32\\svchost.exe")
+  not process.executable : (
+    "?:\\Windows\\System32\\SystemPropertiesRemote.exe",
+    "?:\\Windows\\System32\\SystemPropertiesComputerName.exe",
+    "?:\\Windows\\System32\\SystemPropertiesAdvanced.exe",
+    "?:\\Windows\\System32\\SystemSettingsAdminFlows.exe",
+    "?:\\Windows\\WinSxS\\*\\TiWorker.exe",
+    "?:\\Windows\\system32\\svchost.exe",
+    "\\Device\\HarddiskVolume?\\Windows\\System32\\SystemPropertiesRemote.exe",
+    "\\Device\\HarddiskVolume?\\Windows\\System32\\SystemPropertiesComputerName.exe",
+    "\\Device\\HarddiskVolume?\\Windows\\System32\\SystemPropertiesAdvanced.exe",
+    "\\Device\\HarddiskVolume?\\Windows\\System32\\SystemSettingsAdminFlows.exe",
+    "\\Device\\HarddiskVolume?\\Windows\\WinSxS\\*\\TiWorker.exe",
+    "\\Device\\HarddiskVolume?\\Windows\\system32\\svchost.exe"
+  )
 '''
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml
index 119541284dd..0b207dacfbd 100644
--- a/rules/windows/persistence_adobe_hijack_persistence.toml
+++ b/rules/windows/persistence_adobe_hijack_persistence.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/26"
 
 [transform]
 [[transform.osquery]]
@@ -41,6 +41,7 @@ index = [
     "endgame-*",
     "logs-sentinel_one_cloud_funnel.*",
     "logs-m365_defender.event-*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -97,14 +98,6 @@ Attackers can replace the `RdrCEF.exe` executable with their own to maintain the
 references = ["https://twitter.com/pabraeken/status/997997818362155008"]
 risk_score = 21
 rule_id = "2bf78aa2-9c56-48de-b139-f169bf99cf86"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "low"
 tags = [
     "Domain: Endpoint",
@@ -117,14 +110,21 @@ tags = [
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
     "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 file where host.os.type == "windows" and event.type == "creation" and
-  file.path : ("?:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe",
-               "?:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe") and
+  file.path : (
+    "?:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe",
+    "?:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe",
+
+    /* Crowdstrike specific condition as it uses NT Object paths */
+    "\\Device\\HarddiskVolume?\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe",
+    "\\Device\\HarddiskVolume?\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe"
+  ) and
   not process.name : "msiexec.exe"
 '''

From 0bee0a75b72b39f03059d0bc766d1154f9e51735 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Thu, 28 Aug 2025 07:42:10 -0700
Subject: [PATCH 2/2] Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---
 ...evasion_lanman_nullsessionpipe_modification.toml | 1 -
 .../lateral_movement_rdp_enabled_registry.toml | 13 ++++++-------
 .../persistence_adobe_hijack_persistence.toml | 2 +-
 3 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
index 71fee26be79..6ddfe3c7e4b 100644
--- a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
+++ b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
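Review bot: The two `\\Device\\HarddiskVolume?\\...\\RdrCEF.exe` entries added to `file.path` use `?`, a single-character wildcard, so a file created on a volume whose index has two or more digits (`HarddiskVolume10` and up) is not matched; the second patch in this series changes the equivalent `process.executable` entries in lateral_movement_rdp_enabled_registry.toml to `HarddiskVolume*` but leaves these two lines as they are. Applying the same change here, `"\\Device\\HarddiskVolume*\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe",` and `"\\Device\\HarddiskVolume*\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe"`, keeps the CrowdStrike coverage of the two rules consistent. The `/* Crowdstrike specific condition as it uses NT Object paths */` comment is useful; the NT-path block in the rdp rule would benefit from the same comment.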
@@ -84,7 +84,6 @@ type = "eql"
 query = '''
 registry where host.os.type == "windows" and event.type == "change" and
   registry.value : "NullSessionPipes" and
-  registry.path : "*\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes" and
   length(registry.data.strings) > 0 and
   not registry.data.strings : "(empty)"
 '''
diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml
index 88ec867f93b..76936f15511 100644
--- a/rules/windows/lateral_movement_rdp_enabled_registry.toml
+++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml
@@ -82,7 +82,6 @@ type = "eql"
 query = '''
 registry where host.os.type == "windows" and event.type == "change" and
   registry.value : "fDenyTSConnections" and
-  registry.path : "*\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\fDenyTSConnections" and
   registry.data.strings : ("0", "0x00000000") and
   not process.executable : (
     "?:\\Windows\\System32\\SystemPropertiesRemote.exe",
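Review bot: Removing the `registry.path` condition leaves `registry.value : "NullSessionPipes"` as the only key selector, so the rule now fires on a value of that name under any hive or key rather than only under `SYSTEM\*ControlSet*\services\LanmanServer\Parameters`; the rdp_enabled_registry hunk below does the same for `fDenyTSConnections`, a value name that is also set under the Terminal Services Group Policy key, so its match set widens in a way that may or may not be intended. Neither hunk records why the path constraint was dropped; if the reason is that one of the newly added sources does not populate `registry.path` in a form the old patterns matched, that belongs in the query itself, e.g. `/* registry.path intentionally omitted: not populated consistently by every integrated source */`, so a later tuning pass does not restore it. If `registry.path` is reliable for the original sources, checking a sample of the new source's registry events for that field would show whether the constraint can be kept rather than removed.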
@@ -91,12 +90,12 @@ registry where host.os.type == "windows" and event.type == "change" and
     "?:\\Windows\\System32\\SystemSettingsAdminFlows.exe",
     "?:\\Windows\\WinSxS\\*\\TiWorker.exe",
     "?:\\Windows\\system32\\svchost.exe",
-    "\\Device\\HarddiskVolume?\\Windows\\System32\\SystemPropertiesRemote.exe",
-    "\\Device\\HarddiskVolume?\\Windows\\System32\\SystemPropertiesComputerName.exe",
-    "\\Device\\HarddiskVolume?\\Windows\\System32\\SystemPropertiesAdvanced.exe",
-    "\\Device\\HarddiskVolume?\\Windows\\System32\\SystemSettingsAdminFlows.exe",
-    "\\Device\\HarddiskVolume?\\Windows\\WinSxS\\*\\TiWorker.exe",
-    "\\Device\\HarddiskVolume?\\Windows\\system32\\svchost.exe"
+    "\\Device\\HarddiskVolume*\\Windows\\System32\\SystemPropertiesRemote.exe",
+    "\\Device\\HarddiskVolume*\\Windows\\System32\\SystemPropertiesComputerName.exe",
+    "\\Device\\HarddiskVolume*\\Windows\\System32\\SystemPropertiesAdvanced.exe",
+    "\\Device\\HarddiskVolume*\\Windows\\System32\\SystemSettingsAdminFlows.exe",
+    "\\Device\\HarddiskVolume*\\Windows\\WinSxS\\*\\TiWorker.exe",
+    "\\Device\\HarddiskVolume*\\Windows\\system32\\svchost.exe"
   )
 '''
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml
index 0b207dacfbd..2ad4d296b67 100644
--- a/rules/windows/persistence_adobe_hijack_persistence.toml
+++ b/rules/windows/persistence_adobe_hijack_persistence.toml
@@ -125,7 +125,7 @@ file where host.os.type == "windows" and event.type == "creation" and
     "\\Device\\HarddiskVolume?\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe",
     "\\Device\\HarddiskVolume?\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe"
   ) and
-  not process.name : "msiexec.exe"
+  not process.name : ("msiexec.exe", "AdobeARM.exe")
 '''
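Review bot: The exclusion added in the last hunk keys on `process.name` alone, so any process that happens to be named `AdobeARM.exe` or `msiexec.exe`, wherever it runs from, is exempt from a rule whose purpose is to catch an unexpected writer of `RdrCEF.exe`; the rdp_enabled_registry hunk above anchors its exclusions on `process.executable` with both the DOS and `\\Device\\HarddiskVolume*` path forms. Anchoring this exclusion the same way, for example `not process.executable : ("?:\\Windows\\System32\\msiexec.exe", "?:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\*\\AdobeARM.exe")` plus the matching `\\Device\\HarddiskVolume*` forms, with the updater path and the SysWOW64 msiexec variant confirmed against an installed Reader before merging, keeps the false-positive reduction without exempting an arbitrarily named binary. Where a source populates `process.code_signature.*`, a signer check is the stronger anchor; whether the CrowdStrike and SentinelOne integrations fill those fields is not visible from this diff.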