From 41acd2bf5f9b25dfdb8b706f6a989c36df1e19db Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Wed, 27 Aug 2025 09:40:09 -0300
Subject: [PATCH 1/2] [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13
---
 .../persistence_ms_office_addins_file.toml | 18 ++++++++++++------
 .../persistence_ms_outlook_vba_template.toml | 9 ++++++---
 .../persistence_msoffice_startup_registry.toml | 8 ++++++--
 .../windows/persistence_netsh_helper_dll.toml | 6 ++++--
 .../persistence_powershell_profiles.toml | 14 ++++++++------
 5 files changed, 36 insertions(+), 19 deletions(-)
diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml
index 9dcb2d15929..e80480b594a 100644
--- a/rules/windows/persistence_ms_office_addins_file.toml
+++ b/rules/windows/persistence_ms_office_addins_file.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/10/16"
-integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/26"
 [rule]
 author = ["Elastic"]
@@ -15,6 +15,7 @@ index = [
 "endgame-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -68,6 +69,7 @@ tags = [
 "Data Source: Sysmon",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
@@ -76,12 +78,16 @@ type = "eql"
 query = '''
 file where host.os.type == "windows" and event.type != "deletion" and
 file.extension : ("wll","xll","ppa","ppam","xla","xlam") and
- file.path :
- (
+ file.path : (
 "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*",
 "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*",
- "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*"
- )
+ "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*",
+
+ /* Crowdstrike specific condition as it uses NT Object paths */ "\\Device\\HarddiskVolume?\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*", "\\Device\\HarddiskVolume?\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*", "\\Device\\HarddiskVolume?\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*"
+ )
 '''
diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml
index 52490e8946b..a254d0fbcb6 100644
--- a/rules/windows/persistence_ms_outlook_vba_template.toml
+++ b/rules/windows/persistence_ms_outlook_vba_template.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/23"
-integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/26"
 [rule]
 author = ["Elastic"]
@@ -16,6 +16,7 @@ index = [
 "endgame-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -73,6 +74,7 @@ tags = [
 "Data Source: Sysmon",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
@@ -80,7 +82,8 @@ type = "eql"
 query = '''
 file where host.os.type == "windows" and event.type != "deletion" and
- file.path : "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM"
+ file.name : "VbaProject.OTM" and
+ file.path : "*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM"
 '''
diff --git a/rules/windows/persistence_msoffice_startup_registry.toml b/rules/windows/persistence_msoffice_startup_registry.toml
index 29f14f2b79d..6be85a0e79a 100644
--- a/rules/windows/persistence_msoffice_startup_registry.toml
+++ b/rules/windows/persistence_msoffice_startup_registry.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/08/22"
-integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/26"
 [rule]
 author = ["Elastic"]
@@ -17,6 +17,8 @@ index = [
 "logs-m365_defender.event-*",
 "endgame-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
+ "logs-windows.sysmon_operational-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -71,6 +73,8 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Data Source: Sysmon",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/persistence_netsh_helper_dll.toml b/rules/windows/persistence_netsh_helper_dll.toml
index 66781d5c4aa..ea1754b7177 100644
--- a/rules/windows/persistence_netsh_helper_dll.toml
+++ b/rules/windows/persistence_netsh_helper_dll.toml
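Review bot: In the `@@ -17,6 +17,8 @@ index = [` hunk of persistence_msoffice_startup_registry.toml, `logs-windows.sysmon_operational-*` and `logs-crowdstrike.fdr*` are added as sources, but no hunk in this series touches that rule's query, so nothing here shows that its registry path patterns actually fire on events from those two sources. As far as I know, registry events from Sysmon and CrowdStrike FDR are normalised differently from Elastic Endpoint (hive-prefix form, and which `registry.*` field carries the Office startup key and value), and a rule that gains an index without matching query terms fails silently rather than loudly. I would either add the companion query hunk or, if the existing query was already validated against both, record that inside the query with a comment such as `/* path forms verified against Endpoint, Sysmon EID 12/13 and CrowdStrike FDR registry events */`. The query block is outside this hunk, so I cannot check it here.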
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/08/29"
-integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
+integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/26"
 [rule]
 author = ["Elastic"]
@@ -18,6 +18,7 @@ index = [
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
 "logs-windows.sysmon_operational-*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -68,6 +69,7 @@ tags = [
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: SentinelOne",
 "Data Source: Sysmon",
+ "Data Source: Crowdstrike",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/persistence_powershell_profiles.toml b/rules/windows/persistence_powershell_profiles.toml
index a38642dfefd..3adcd871be1 100644
--- a/rules/windows/persistence_powershell_profiles.toml
+++ b/rules/windows/persistence_powershell_profiles.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2022/10/13"
-integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/26"
 [transform]
 [[transform.osquery]]
@@ -45,6 +45,7 @@ index = [
 "endgame-*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -120,6 +121,7 @@ tags = [
 "Data Source: Sysmon",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
@@ -127,10 +129,10 @@ type = "eql"
 query = '''
 file where host.os.type == "windows" and event.type != "deletion" and
- file.path : ("?:\\Users\\*\\Documents\\WindowsPowerShell\\*", "?:\\Users\\*\\Documents\\PowerShell\\*", "?:\\Windows\\System32\\WindowsPowerShell\\*") and
- file.name : ("profile.ps1", "Microsoft.Powershell_profile.ps1")
+ file.name : ("profile.ps1", "Microsoft.Powershell_profile.ps1") and
+ file.path : ("*\\Documents\\WindowsPowerShell\\*", "*\\Documents\\PowerShell\\*", "*\\Windows\\System32\\WindowsPowerShell\\*")
 '''
From 25f23ef0810bfef53b90c5030e6d7c52becc7dbe Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Thu, 28 Aug 2025 12:42:08 -0700
Subject: [PATCH 2/2] Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---
 rules/windows/persistence_ms_office_addins_file.toml | 6 +++---
 rules/windows/persistence_ms_outlook_vba_template.toml | 2 +-
 rules/windows/persistence_powershell_profiles.toml | 9 ++++++---
 3 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml
index e80480b594a..cdc8c046733 100644
--- a/rules/windows/persistence_ms_office_addins_file.toml
+++ b/rules/windows/persistence_ms_office_addins_file.toml
@@ -84,9 +84,9 @@ file where host.os.type == "windows" and event.type != "deletion" and
 "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*",
 /* Crowdstrike specific condition as it uses NT Object paths */
- "\\Device\\HarddiskVolume?\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*",
- "\\Device\\HarddiskVolume?\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*",
- "\\Device\\HarddiskVolume?\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*"
+ "\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*",
+ "\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*",
+ "\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*"
 )
 '''
diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml
index a254d0fbcb6..a29e42c832e 100644
--- a/rules/windows/persistence_ms_outlook_vba_template.toml
+++ b/rules/windows/persistence_ms_outlook_vba_template.toml
@@ -83,7 +83,7 @@ type = "eql"
 query = '''
 file where host.os.type == "windows" and event.type != "deletion" and
 file.name : "VbaProject.OTM" and
- file.path : "*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM"
+ file.path : ("?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM", "\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM")
 '''
diff --git a/rules/windows/persistence_powershell_profiles.toml b/rules/windows/persistence_powershell_profiles.toml
index 3adcd871be1..419fec79e13 100644
--- a/rules/windows/persistence_powershell_profiles.toml
+++ b/rules/windows/persistence_powershell_profiles.toml
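Review bot: The drive-letter entries of this `file.path` list in persistence_ms_office_addins_file.toml still hard-code `C:\\Users\\*` (the `Excel\\XLSTART` one is visible as context at the top of the hunk, the `Word\\Startup` and `AddIns` siblings sit just above it), while the NT-path entries this hunk widens now accept any `HarddiskVolume*` and the outlook rule in the same commit uses `?:\\Users\\*`; on Endpoint/Sysmon-style sources an add-in written into a profile rooted on another volume is therefore missed by this rule. Relocated profile roots are uncommon but real, and the wildcard costs nothing in precision since the rest of the path is fixed. I would change the entries to `"?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*",` and likewise for the `AddIns` and `Excel\\XLSTART` lines. The opening `file.path : (` and the `file.extension` clause are outside this hunk.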
@@ -130,9 +130,12 @@ type = "eql"
 query = '''
 file where host.os.type == "windows" and event.type != "deletion" and
 file.name : ("profile.ps1", "Microsoft.Powershell_profile.ps1") and
- file.path : ("*\\Documents\\WindowsPowerShell\\*", "*\\Documents\\PowerShell\\*", "*\\Windows\\System32\\WindowsPowerShell\\*")
+ file.path : ("?:\\Users\\*\\Documents\\WindowsPowerShell\\*.ps1", "?:\\Users\\*\\Documents\\PowerShell\\*.ps1", "?:\\Windows\\System32\\WindowsPowerShell\\*.ps1", "\\Device\\HarddiskVolume*\\Users\\*\\Documents\\WindowsPowerShell\\*.ps1", "\\Device\\HarddiskVolume*\\Users\\*\\Documents\\PowerShell\\*.ps1", "\\Device\\HarddiskVolume*\\Windows\\System32\\WindowsPowerShell\\*.ps1")
 '''
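Review bot: The rewritten `file.path` list still covers only the per-user profile directories and the Windows PowerShell AllUsers location under `System32\\WindowsPowerShell`; the PowerShell 7 AllUsers profile, `$PSHOME\profile.ps1` (normally `?:\\Program Files\\PowerShell\\7\\profile.ps1`), matches neither the drive-letter nor the NT-path branch, so a `profile.ps1` planted there is not seen by this rule. That gap predates the commit, but this hunk is already enumerating every profile location in both forms, so it is the cheap moment to close it with `"?:\\Program Files\\PowerShell\\*\\profile.ps1",` and `"\\Device\\HarddiskVolume*\\Program Files\\PowerShell\\*\\profile.ps1",`. The `file.name` clause visible above the change likewise omits the host-specific names PowerShell auto-loads from the same directories (`Microsoft.PowerShellISE_profile.ps1`, `Microsoft.VSCode_profile.ps1`), worth a follow-up if out of scope here. `$PSHOME` under Program Files should be admin-writable only, so the added paths ought to be low-noise, but I have not checked them against pwsh installer or updater telemetry.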