diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml
index 0cbdbc6a134..5c69812f65b 100644
--- a/rules/windows/collection_winrar_encryption.toml
+++ b/rules/windows/collection_winrar_encryption.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 
 [rule]
 author = ["Elastic"]
@@ -60,14 +60,6 @@ references = [
 ]
 risk_score = 47
 rule_id = "45d273fb-1dca-457d-9855-bcb302180c21"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
 tags = [
 "Domain: Endpoint",
@@ -89,8 +81,8 @@ process where host.os.type == "windows" and event.type == "start" and
 (
 (
 (
- process.name:"rar.exe" or ?process.code_signature.subject_name == "win.rar GmbH" or
- ?process.pe.original_file_name == "Command line RAR"
+ process.name : ("rar.exe", "WinRAR.exe") or ?process.code_signature.subject_name == "win.rar GmbH" or
+ ?process.pe.original_file_name == "WinRAR.exe"
 ) and
 process.args == "a" and process.args : ("-hp*", "-p*", "/hp*", "/p*")
 ) or
diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml
index 79cee43c602..f6901a2a127 100644
--- a/rules/windows/defense_evasion_clearing_windows_console_history.toml
+++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml
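Review bot: The `+ ?process.pe.original_file_name == "WinRAR.exe"` line replaces the previous `"Command line RAR"` value instead of adding to it, so a renamed console `rar.exe` (whose PE original filename the removed line recorded as `Command line RAR`) is no longer caught by the metadata branch and is detected only if its name or signature survives. Renaming the binary is the cheapest evasion against a process-name rule, and the `process.name` list was widened in the same change, so the metadata branch should widen rather than swap, assuming the old value was correct: `?process.pe.original_file_name in ("Command line RAR", "WinRAR.exe")`. Note `==` is case-sensitive, so the value must match the binary's PE metadata casing exactly; a one-line comment in the rule saying so would keep the next edit from "tidying" it. The query continues outside the hunk.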
@@ -2,7 +2,7 @@
 creation_date = "2021/11/22"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 
 [rule]
 author = ["Austin Songer"]
@@ -86,7 +86,7 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and
 (
 process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
- ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")
+ ?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")
 ) and
 (
 process.args : "*Clear-History*" or
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
index 35eb79556b9..c2f04f5a873 100644
--- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 
 [rule]
 author = ["Elastic"]
@@ -88,7 +88,7 @@ process where host.os.type == "windows" and event.type == "start" and
 (
 (
 process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
- ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")
+ ?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")
 ) and
 process.args : "Clear-EventLog"
 )
diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
index 6f3582fccc9..0666acac376 100644
--- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
+++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
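Review bot: The `+` line in the console-history hunk now depends on the exact PE casing (`PowerShell.EXE`, `powershell_ise.EXE`) because `in` compares case-sensitively, which is presumably why the lower-case values never matched; any of the listed non-Elastic sources (crowdstrike, sentinel_one_cloud_funnel) that normalises `process.pe.original_file_name` to lower case will still miss. If the stack supports it, the case-insensitive form keeps the fix and drops that dependency: `?process.pe.original_file_name in~ ("powershell.exe", "pwsh.dll", "powershell_ise.exe")`. Either way a short comment in the rule stating that these values must match the binary's PE metadata casing would stop a future edit from lower-casing them again. The query continues outside the hunk.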
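Review bot: In the event-log hunk the context line `process.args : "Clear-EventLog"` carries no wildcard, so, as far as argv tokenisation goes, it only matches when the cmdlet is its own argument; a one-liner such as `-Command "Clear-EventLog -LogName Security"` arrives as a single argument and is missed, whereas the console-history rule rewritten in this same commit uses `"*Clear-History*"`. Consider `process.args : "*Clear-EventLog*"` for parity, accepting that it also matches the string inside longer command lines. Not introduced by this change, but the new side still carries it. The query continues outside the hunk.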
@@ -2,7 +2,7 @@
 creation_date = "2021/07/20"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 
 [rule]
 author = ["Elastic"]
@@ -100,7 +100,7 @@ type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")) and
+ (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or ?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")) and
 process.args : ("*Add-MpPreference*", "*Set-MpPreference*") and
 process.args : ("*-Exclusion*")
 '''
diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
index 01560dd1aeb..5d0fb532865 100644
--- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
+++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/07"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 
 [rule]
 author = ["Elastic"]
@@ -90,7 +90,7 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and
 (
 process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
- ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")
+ ?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")
 ) and
 process.args : "Set-MpPreference" and process.args : ("-Disable*", "Disabled", "NeverSend", "-Exclusion*")
 '''
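Review bot: In the disabling-Defender hunk the context line `process.args : "Set-MpPreference"` is an exact token match while the exclusion rule touched in the same commit uses `"*Set-MpPreference*"`, so `-Command "Set-MpPreference -DisableRealtimeMonitoring $true"` (one argv element) is caught by one rule and, as far as tokenisation goes, missed by the other. Aligning this one to `process.args : "*Set-MpPreference*"` closes that gap; the second clause already uses `-Disable*` style wildcards so the cost is small. Pre-existing, but the whole query is what this change is tuning.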
diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml
index 73fa5e6be83..8a2c924a761 100644
--- a/rules/windows/defense_evasion_disabling_windows_logs.toml
+++ b/rules/windows/defense_evasion_disabling_windows_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/06"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 
 [rule]
 author = ["Elastic", "Ivan Ninichuck", "Austin Songer"]
@@ -90,7 +90,7 @@ process where host.os.type == "windows" and event.type == "start" and
 (
 (
 process.name : ("pwsh.exe", "powershell.exe", "powershell_ise.exe") or
- ?process.pe.original_file_name in ("pwsh.exe", "powershell.exe", "powershell_ise.exe")
+ ?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")
 ) and
 process.args : "Set-Service" and process.args: "EventLog" and process.args : "Disabled"
 ) or
diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
index 583d589cba8..772ec9c6030 100644
--- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
+++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/15"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 
 [rule]
 author = ["Austin Songer"]
@@ -96,7 +96,7 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and
 (
 process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
- ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")
+ ?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")
 ) and process.args : "*Set-NetFirewallProfile*" and process.args : "*-Enabled*" and process.args : "*False*" and
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
index e28f18a8063..28e435a3737 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/03/08"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 
 [rule]
 author = ["Elastic"]
@@ -85,8 +85,10 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
 process.parent.name : "w3wp.exe" and process.parent.args : "MSExchange*AppPool" and
- (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or
- ?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe"))
+ (
+ (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or
+ ?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE"))
+ )
 '''
diff --git a/rules/windows/initial_access_webshell_screenconnect_server.toml b/rules/windows/initial_access_webshell_screenconnect_server.toml
index 0c62157581f..fbe76f594f5 100644
--- a/rules/windows/initial_access_webshell_screenconnect_server.toml
+++ b/rules/windows/initial_access_webshell_screenconnect_server.toml
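Review bot: In the Exchange worker hunk the new outer `+ (` / `+ )` pair wraps a single disjunction that is already parenthesised, so it adds a nesting level without changing what the query matches; the earlier two-line form with only the PE-name values updated reads more clearly: `(process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or` / `?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE"))`. If the extra parentheses are deliberate (room for a further `and` clause later), a one-line comment in the rule saying so would keep the next reviewer from removing them.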
@@ -2,7 +2,7 @@
 creation_date = "2024/03/26"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 
 [rule]
 author = ["Elastic"]
@@ -86,7 +86,7 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and
 process.parent.name : "ScreenConnect.Service.exe" and
 (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "csc.exe") or
- ?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe"))
+ ?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE"))
 '''
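Review bot: `csc.exe` appears in the `process.name` list but the rewritten `+ ?process.pe.original_file_name in (...)` line has no entry for it, so a renamed C# compiler spawned by `ScreenConnect.Service.exe` slips past the metadata branch while the renamed shells are caught. If csc.exe's PE original filename is `csc.exe`, as I would expect but have not verified here, add it: `?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE", "csc.exe")`. This gap predates the change, but the line is being rewritten anyway and `in` is case-sensitive, so the value should be checked against the binary's actual metadata before landing.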