@@ -1,8 +1,8 @@
[metadata]
creation_date = "2021/03/22"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/08/26"

[rule]
author = ["Elastic"]
Expand All @@ -18,6 +18,7 @@ index = [
"winlogbeat-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
Expand Down Expand Up @@ -74,19 +75,17 @@ tags = [
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and
registry.path : (
"HKLM\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes",
"\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes",
"MACHINE\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes"
) and length(registry.data.strings) > 0 and
not registry.data.strings : "(empty)"
registry.value : "NullSessionPipes" and
length(registry.data.strings) > 0 and
not registry.data.strings : "(empty)"
'''


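Review bot: The rule now also reads `logs-crowdstrike.fdr*`, yet every clause after the path list depends on `registry.data.strings` (`length(registry.data.strings) > 0` and `not registry.data.strings : "(empty)"`), and nothing in this section shows that CrowdStrike FDR registry events populate that field; if they do not, those events are dropped silently and the new data source adds coverage only on paper. Suggest confirming against a sample FDR registry event before merging and, if the field is absent for that source, relaxing the clause for it. The added `registry.value : "NullSessionPipes"` line reads as a deliberate belt-and-braces for sources that format `registry.path` differently; a short comment such as `/* registry.value keeps the match when a source formats registry.path differently */` would make that intent clear to the next editor.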
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/11/24"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/05/20"
updated_date = "2025/08/26"

[rule]
author = ["Elastic"]
Expand All @@ -22,6 +22,7 @@ index = [
"logs-endpoint.events.process-*",
"logs-endpoint.events.network-*",
"logs-windows.sysmon_operational-*",
"logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
Expand Down Expand Up @@ -72,6 +73,7 @@ tags = [
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Resources: Investigation Guide",
"Data Source: SentinelOne",
]
type = "eql"

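Review bot: `"Data Source: SentinelOne"` is appended after `"Resources: Investigation Guide"` at the end of the tags array, whereas the next file in this PR inserts it before that tag and the other rules here keep data-source tags ahead of the resource tag; moving it up one line keeps the ordering uniform. Separately, neither this rule nor the following one carries `timestamp_override = "event.ingested"` between the tags array and `type = "eql"`, while the CrowdStrike/SentinelOne rules further down do; if SentinelOne Cloud Funnel events can be ingested later than their `@timestamp`, the rule's lookback window may skip them, so it is worth checking whether the override belongs in these two rules as well. The rule's query is outside the visible hunks.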
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/11/24"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/05/20"
updated_date = "2025/08/26"

[rule]
author = ["Elastic"]
Expand All @@ -22,6 +22,7 @@ index = [
"logs-endpoint.events.process-*",
"logs-endpoint.events.network-*",
"logs-windows.sysmon_operational-*",
"logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
Expand Down Expand Up @@ -75,6 +76,7 @@ tags = [
"Tactic: Execution",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Resources: Investigation Guide",
]
type = "eql"
32 changes: 19 additions & 13 deletions rules/windows/lateral_movement_rdp_enabled_registry.toml
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/11/25"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/08/26"

[rule]
author = ["Elastic"]
Expand All @@ -18,6 +18,7 @@ index = [
"endgame-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
Expand Down Expand Up @@ -73,24 +74,29 @@ tags = [
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and
registry.path : (
"HKLM\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\fDenyTSConnections",
"\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\fDenyTSConnections",
"MACHINE\\*ControlSet*\\Control\\Terminal Server\\fDenyTSConnections"
) and
registry.value : "fDenyTSConnections" and
registry.data.strings : ("0", "0x00000000") and
not process.executable : ("?:\\Windows\\System32\\SystemPropertiesRemote.exe",
"?:\\Windows\\System32\\SystemPropertiesComputerName.exe",
"?:\\Windows\\System32\\SystemPropertiesAdvanced.exe",
"?:\\Windows\\System32\\SystemSettingsAdminFlows.exe",
"?:\\Windows\\WinSxS\\*\\TiWorker.exe",
"?:\\Windows\\system32\\svchost.exe")
not process.executable : (
"?:\\Windows\\System32\\SystemPropertiesRemote.exe",
"?:\\Windows\\System32\\SystemPropertiesComputerName.exe",
"?:\\Windows\\System32\\SystemPropertiesAdvanced.exe",
"?:\\Windows\\System32\\SystemSettingsAdminFlows.exe",
"?:\\Windows\\WinSxS\\*\\TiWorker.exe",
"?:\\Windows\\system32\\svchost.exe",
"\\Device\\HarddiskVolume*\\Windows\\System32\\SystemPropertiesRemote.exe",
"\\Device\\HarddiskVolume*\\Windows\\System32\\SystemPropertiesComputerName.exe",
"\\Device\\HarddiskVolume*\\Windows\\System32\\SystemPropertiesAdvanced.exe",
"\\Device\\HarddiskVolume*\\Windows\\System32\\SystemSettingsAdminFlows.exe",
"\\Device\\HarddiskVolume*\\Windows\\WinSxS\\*\\TiWorker.exe",
"\\Device\\HarddiskVolume*\\Windows\\system32\\svchost.exe"
)
'''


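Review bot: The new `\\Device\\HarddiskVolume*\\` exclusions use `*` for the volume number while the Adobe rule in this PR uses `HarddiskVolume?`; both match single-digit volumes, but the two rules should agree on one spelling, and this block would benefit from the same `/* Crowdstrike specific condition as it uses NT Object paths */` comment the Adobe rule adds above its NT-path entries. The third `registry.path` alternative, `"MACHINE\\*ControlSet*\\Control\\Terminal Server\\fDenyTSConnections"`, is written without the `SYSTEM\\` segment that the NullSessionPipes rule above spells out as `"MACHINE\\SYSTEM\\*ControlSet*\\..."`; the leading `*` still spans that segment so it matches, but `"MACHINE\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\fDenyTSConnections"` keeps the three alternatives parallel and easier to audit. I cannot tell from the rendered page whether that path line is new or pre-existing.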
26 changes: 13 additions & 13 deletions rules/windows/persistence_adobe_hijack_persistence.toml
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/02/18"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/08/26"

[transform]
[[transform.osquery]]
Expand Down Expand Up @@ -41,6 +41,7 @@ index = [
"endgame-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-m365_defender.event-*",
"logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
Expand Down Expand Up @@ -97,14 +98,6 @@ Attackers can replace the `RdrCEF.exe` executable with their own to maintain the
references = ["https://twitter.com/pabraeken/status/997997818362155008"]
risk_score = 21
rule_id = "2bf78aa2-9c56-48de-b139-f169bf99cf86"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "low"
tags = [
"Domain: Endpoint",
Expand All @@ -117,15 +110,22 @@ tags = [
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Crowdstrike",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "windows" and event.type == "creation" and
file.path : ("?:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe",
"?:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe") and
not process.name : "msiexec.exe"
file.path : (
@w0rk3r this rule tbh needs to be deprecated (very narrow scenario and requires writing to an admin-protected folder 🤦 )

++ agree, will handle it in a separate PR tho

"?:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe",
"?:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe",

/* Crowdstrike specific condition as it uses NT Object paths */
"\\Device\\HarddiskVolume?\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe",
"\\Device\\HarddiskVolume?\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe"
) and
not process.name : ("msiexec.exe", "AdobeARM.exe")
'''


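Review bot: The widened exclusion `not process.name : ("msiexec.exe", "AdobeARM.exe")` filters on the process name alone, so any process carrying that name is excluded regardless of where it runs from or whether it is signed, which is a looser filter than the path-anchored matching the rest of the query uses. If the data sources populate code-signature fields, scoping the new entry as `not (process.name : "AdobeARM.exe" and process.code_signature.trusted == true)` keeps the noise reduction while limiting the exclusion to the genuine updater; confirm field availability per source first, since a null `trusted` would otherwise re-admit those events. The CrowdStrike paths here use `HarddiskVolume?` while the RDP rule in this PR uses `HarddiskVolume*`; the two should be aligned.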