diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml
index 9dcb2d15929..cdc8c046733 100644
--- a/rules/windows/persistence_ms_office_addins_file.toml
+++ b/rules/windows/persistence_ms_office_addins_file.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/10/16"
-integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/26"
 
 [rule]
 author = ["Elastic"]
@@ -15,6 +15,7 @@ index = [
     "endgame-*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -68,6 +69,7 @@ tags = [
     "Data Source: Sysmon",
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
@@ -76,12 +78,16 @@ type = "eql"
 query = '''
 file where host.os.type == "windows" and event.type != "deletion" and
   file.extension : ("wll","xll","ppa","ppam","xla","xlam") and
-  file.path :
-  (
+  file.path : (
     "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*",
     "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*",
-    "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*"
-  )
+    "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*",
+
+    /* Crowdstrike specific condition as it uses NT Object paths */
+    "\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*",
+    "\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*",
+    "\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*"
+  )
 '''
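Review bot: The three pre-existing `C:\\Users\\...` patterns kept in the rewritten `file.path` list still hard-code the drive letter, while the Outlook and PowerShell-profile rules in this same commit use `?:\\Users\\...`; as written, a user profile on another volume is caught by the new `HarddiskVolume*` alternatives but not by the conventional-path ones, so `"?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*"` (and the same substitution on the AddIns and XLSTART lines) would make the two halves of the list equivalent. The NT-path alternatives only produce matches if FDR file events also populate `file.extension`, which the context line above the change requires, so that field mapping is worth confirming before relying on the new coverage. The hunk ends at the closing `'''`; the lines after it are not shown here.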
diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml
index 52490e8946b..a29e42c832e 100644
--- a/rules/windows/persistence_ms_outlook_vba_template.toml
+++ b/rules/windows/persistence_ms_outlook_vba_template.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/23"
-integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/26"
 
 [rule]
 author = ["Elastic"]
@@ -16,6 +16,7 @@ index = [
     "endgame-*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -73,6 +74,7 @@ tags = [
     "Data Source: Sysmon",
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
@@ -80,7 +82,8 @@ type = "eql"
 query = '''
 file where host.os.type == "windows" and event.type != "deletion" and
-  file.path : "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM"
+  file.name : "VbaProject.OTM" and
+  file.path : ("?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM", "\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM")
 '''
diff --git a/rules/windows/persistence_msoffice_startup_registry.toml b/rules/windows/persistence_msoffice_startup_registry.toml
index 29f14f2b79d..6be85a0e79a 100644
--- a/rules/windows/persistence_msoffice_startup_registry.toml
+++ b/rules/windows/persistence_msoffice_startup_registry.toml
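Review bot: The added `file.name : "VbaProject.OTM" and` clause is implied by both `file.path` patterns on the following line, which end in that exact file name, so it does not change what the rule matches; if it was placed first so a plain field comparison narrows the candidate set before the wildcard path match, a one-line `// match on file.name first, then confirm the location` comment would save the next maintainer the question. The two-element `file.path` list is written on a single long line, whereas the PowerShell-profile rule in this commit lists one pattern per line, which is easier to read and diff. The hunk ends at the closing `'''`; the lines after it are not shown here.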
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/08/22"
-integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/26"
 
 [rule]
 author = ["Elastic"]
@@ -17,6 +17,8 @@ index = [
     "logs-m365_defender.event-*",
     "endgame-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
+    "logs-windows.sysmon_operational-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -71,6 +73,8 @@ tags = [
     "Data Source: Elastic Endgame",
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
+    "Data Source: Sysmon",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/persistence_netsh_helper_dll.toml b/rules/windows/persistence_netsh_helper_dll.toml
index 66781d5c4aa..ea1754b7177 100644
--- a/rules/windows/persistence_netsh_helper_dll.toml
+++ b/rules/windows/persistence_netsh_helper_dll.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/08/29"
-integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
+integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,6 +18,7 @@ index = [
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
     "logs-windows.sysmon_operational-*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -68,6 +69,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: SentinelOne",
     "Data Source: Sysmon",
+    "Data Source: Crowdstrike",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
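Review bot: `logs-crowdstrike.fdr*` is added to the index list of persistence_msoffice_startup_registry.toml without any query change in this file, unlike the file-based rules in this commit, which add `\\Device\\HarddiskVolume*` alternatives because FDR reports NT-style paths; the query is outside the visible hunks, so it is worth confirming that its registry path patterns match the key format the FDR integration actually emits, otherwise the new index only adds scanned events and no detections. The same applies to the `logs-crowdstrike.fdr*` line added to persistence_netsh_helper_dll.toml in the next file section. If the patterns were verified against FDR sample data, a short `# verified against FDR registry event format` comment next to the index entry would make that explicit for the next data-source addition.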
diff --git a/rules/windows/persistence_powershell_profiles.toml b/rules/windows/persistence_powershell_profiles.toml
index a38642dfefd..419fec79e13 100644
--- a/rules/windows/persistence_powershell_profiles.toml
+++ b/rules/windows/persistence_powershell_profiles.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2022/10/13"
-integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/26"
 
 [transform]
 [[transform.osquery]]
@@ -45,6 +45,7 @@ index = [
     "endgame-*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -120,6 +121,7 @@ tags = [
     "Data Source: Sysmon",
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
@@ -127,10 +129,13 @@ type = "eql"
 query = '''
 file where host.os.type == "windows" and event.type != "deletion" and
-  file.path : ("?:\\Users\\*\\Documents\\WindowsPowerShell\\*",
-               "?:\\Users\\*\\Documents\\PowerShell\\*",
-               "?:\\Windows\\System32\\WindowsPowerShell\\*") and
-  file.name : ("profile.ps1", "Microsoft.Powershell_profile.ps1")
+  file.name : ("profile.ps1", "Microsoft.Powershell_profile.ps1") and
+  file.path : ("?:\\Users\\*\\Documents\\WindowsPowerShell\\*.ps1",
+               "?:\\Users\\*\\Documents\\PowerShell\\*.ps1",
+               "?:\\Windows\\System32\\WindowsPowerShell\\*.ps1",
+               "\\Device\\HarddiskVolume*\\Users\\*\\Documents\\WindowsPowerShell\\*.ps1",
+               "\\Device\\HarddiskVolume*\\Users\\*\\Documents\\PowerShell\\*.ps1",
+               "\\Device\\HarddiskVolume*\\Windows\\System32\\WindowsPowerShell\\*.ps1")
 '''
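Review bot: The `*.ps1` suffix added to every `file.path` pattern is redundant with the `file.name` clause directly above it, which already restricts matches to two `.ps1` names, so the six patterns now encode the extension a second time and any future change to the name list has to be mirrored in the paths; keeping the patterns at `\\*` as before, or stating the intent in a `// extension repeated on the path so each pattern is self-describing` comment, would avoid that double maintenance. Not introduced by this change, but since the path list is being reworked: the PowerShell 7 all-users profile directory under Program Files is not among the patterns, and if that location is meant to be covered it needs its own entries in both the `?:` and `\\Device\\HarddiskVolume*` forms. The hunk ends at the closing `'''`; the lines after it are not shown here.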