diff --git a/rules/windows/command_and_control_tool_transfer_via_curl.toml b/rules/windows/command_and_control_tool_transfer_via_curl.toml
index cfac5ff60e8..760413874e8 100644
--- a/rules/windows/command_and_control_tool_transfer_via_curl.toml
+++ b/rules/windows/command_and_control_tool_transfer_via_curl.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/03"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/27"
 
 [rule]
 author = ["Elastic"]
@@ -97,7 +97,7 @@ process where host.os.type == "windows" and event.type == "start" and
 "mshta.exe", "hh.exe", "mmc.exe"
 ) and
 not (
- user.id == "S-1-5-18" and
+ ?user.id == "S-1-5-18" and
 /* Don't apply the user.id exclusion to Sysmon for compatibility */
 not event.dataset : ("windows.sysmon_operational", "windows.sysmon")
 ) and
diff --git a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
index e2f700f34fa..25fd9f2d7c8 100644
--- a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
+++ b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/31"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/08/13"
+updated_date = "2025/08/27"
 
 [rule]
 author = ["Elastic"]
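Review bot: In the `@@ -97,7 +97,7 @@` hunk of command_and_control_tool_transfer_via_curl.toml, the added `?user.id == "S-1-5-18" and` line makes the S-1-5-18 exclusion depend on whether the source maps `user.id` at all, but the only comment in the group explains the Sysmon carve-out, so a later maintainer has no hint why this field is optional while `event.dataset` on the next line is not. Presumably the intent is that events from integrations that do not ship `user.id` are no longer excluded instead of breaking the query; that should be stated next to the line, e.g. `/* ?user.id: optional because not every listed integration maps user.id; events without it are not excluded */`. The enclosing `not (` group and the `process where` query both start outside the hunk.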
@@ -90,13 +90,11 @@ registry where host.os.type == "windows" and event.type == "change" and
 "\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging",
 "MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging"
 ) and registry.data.strings : ("0", "0x00000000") and
- not (
- process.executable : (
+ not process.executable : (
 "?:\\Windows\\System32\\svchost.exe",
 "?:\\Windows\\System32\\DeviceEnroller.exe",
 "?:\\Windows\\system32\\omadmclient.exe",
 "?:\\Program Files (x86)\\N-able Technologies\\AutomationManagerAgent\\AutomationManager.AgentService.exe"
- ) and user.id == "S-1-5-18"
 )
 '''
 
diff --git a/rules/windows/impact_backup_file_deletion.toml b/rules/windows/impact_backup_file_deletion.toml
index a1f0d3d8726..445c8897378 100644
--- a/rules/windows/impact_backup_file_deletion.toml
+++ b/rules/windows/impact_backup_file_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/01"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/27"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ false_positives = [
 "Certain utilities that delete files for disk cleanup or Administrators manually removing backup files.",
 ]
 from = "now-9m"
-index = ["logs-endpoint.events.file-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["logs-endpoint.events.file-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Third-party Backup Files Deleted via Unexpected Process"
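Review bot: In the `@@ -90,13 +90,11 @@` hunk of defense_evasion_disable_posh_scriptblocklogging.toml, the rewritten `not process.executable : (` exclusion drops the `user.id == "S-1-5-18"` requirement entirely, so setting EnableScriptBlockLogging to 0 from any of the four listed executables is now suppressed under any account rather than only SYSTEM, which widens the carve-out for every data source that does carry `user.id` and includes a third-party path (`AutomationManager.AgentService.exe`). The companion hunk in command_and_control_tool_transfer_via_curl.toml addresses what looks like the same missing-field concern by making the field optional (`?user.id`) instead of removing the check, and presumably the intent here was the same. If the goal is only to keep the exclusion working for sources that do not map `user.id`, a narrower form would be `not (process.executable : (...) and (?user.id == "S-1-5-18" or ?user.id == null))`, assuming the rule's EQL dialect accepts a null comparison on an optional field; otherwise the widened scope deserves a comment on the new line stating that the SID gate was dropped deliberately. The `registry where` query begins before the hunk.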
@@ -60,14 +60,6 @@ This rule identifies file deletions performed by a process that does not belong
 references = ["https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love"]
 risk_score = 47
 rule_id = "11ea6bec-ebde-4d71-a8e9-784948f8e3e9"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
 tags = [
 "Domain: Endpoint",
@@ -75,7 +67,6 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Impact",
 "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: SentinelOne",
 ]