diff --git a/.github/workflows/kibana-mitre-update.yml b/.github/workflows/kibana-mitre-update.yml index 5d7b7fe64ca..7a6e165b70b 100644 --- a/.github/workflows/kibana-mitre-update.yml +++ b/.github/workflows/kibana-mitre-update.yml @@ -15,6 +15,7 @@ jobs: uses: actions/checkout@v4 - name: Get MITRE Attack changed files + if: false id: changed-attack-files uses: tj-actions/changed-files@v44 with: diff --git a/rules/windows/collection_email_outlook_mailbox_via_com.toml b/rules/windows/collection_email_outlook_mailbox_via_com.toml index bdff598faa5..404d452308a 100644 --- a/rules/windows/collection_email_outlook_mailbox_via_com.toml +++ b/rules/windows/collection_email_outlook_mailbox_via_com.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/14" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -83,6 +83,14 @@ Outlook's integration with the Component Object Model (COM) allows processes to - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement additional monitoring on the affected system and similar endpoints to detect any recurrence of the suspicious activity. - Review and update endpoint protection policies to ensure that similar threats are detected and blocked in the future, leveraging the MITRE ATT&CK framework for guidance on email collection techniques.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] 
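Review bot: `if: false` disables the "Get MITRE Attack changed files" step with no comment saying why or when it should come back, so the next reader cannot tell a temporary workaround from an intended removal. Add a comment above the condition such as `# TODO(<issue-id>): step disabled on <date>; re-enable once <reason> is resolved`, or delete the step outright if it is no longer wanted. Any later step that reads `steps.changed-attack-files.outputs.*` will now see empty values; the rest of the job is outside this hunk, so confirm those consumers are guarded by a matching condition rather than running against empty input. While the step is being revisited, pinning `tj-actions/changed-files` to a full commit SHA instead of the `@v44` tag would make resolution of this third-party action reproducible.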
diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml index 2baaf353390..03bd5c386e1 100644 --- a/rules/windows/collection_email_powershell_exchange_mailbox.toml +++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m3 maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -100,6 +100,32 @@ process where host.os.type == "windows" and event.type == "start" and process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.command_line : ("*MailboxExportRequest*", "*-Mailbox*-ContentFilter*") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
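Review bot: The new `setup` block lists Elastic Defend, SentinelOne Cloud Funnel, M365 Defender and CrowdStrike, but this file's `integration` array (visible in its earlier hunk) also declares `windows` and `system`, so users ingesting through the Windows or System integrations get no setup guidance for data this rule is declared to run on. Either add matching sections (for example a `### Windows Integration Setup` section referencing that integration's documentation) or drop those entries from `integration` if they are no longer supported. The same mismatch appears in the setup blocks added to collection_winrar_encryption, command_and_control_certreq_postdata, command_and_control_dns_tunneling_nslookup, command_and_control_encrypted_channel_freesslcert, command_and_control_headless_browser, command_and_control_new_terms_commonly_abused_rat_execution, command_and_control_outlook_home_page, command_and_control_port_forwarding_added_registry, command_and_control_rdp_tunnel_plink and command_and_control_remote_file_copy_desktopimgdownldr. Minor: the heading `### Crowdstrike FDR Setup` spells the vendor differently from `CrowdStrike` in the list above it.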
diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml index c17e967c850..d5225aa7271 100644 --- a/rules/windows/collection_winrar_encryption.toml +++ b/rules/windows/collection_winrar_encryption.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/04" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/11/02" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -62,14 +62,6 @@ references = [ ] risk_score = 47 rule_id = "45d273fb-1dca-457d-9855-bcb302180c21" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "medium" tags = [ "Domain: Endpoint", 
@@ -112,6 +104,27 @@ process where host.os.type == "windows" and event.type == "start" and "\\Device\\HarddiskVolume?\\Nox\\bin\\Nox.exe" ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/command_and_control_certreq_postdata.toml b/rules/windows/command_and_control_certreq_postdata.toml index a2a98c6bfba..15575dd927f 100644 --- a/rules/windows/command_and_control_certreq_postdata.toml +++ b/rules/windows/command_and_control_certreq_postdata.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/01/13" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -133,6 +133,32 @@ query = ''' process where host.os.type == "windows" and event.type == "start" and (process.name : "CertReq.exe" or ?process.pe.original_file_name == "CertReq.exe") and process.args : "-Post" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml index 92cc74f3d42..a25b92434c1 100644 --- a/rules/windows/command_and_control_common_webservices.toml +++ b/rules/windows/command_and_control_common_webservices.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" [transform] [[transform.investigate]] @@ -298,6 +298,14 @@ network where host.os.type == "windows" and network.protocol == "dns" and "Amazon.com Services LLC")) ) ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml index 3083a7f5f74..af6407930f7 100644 --- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml +++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/11" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -84,6 +84,27 @@ sequence by host.id with maxspan=5m [process where host.os.type == "windows" and event.type == "start" and process.name : "nslookup.exe" and process.args:("-querytype=*", "-qt=*", "-q=*", "-type=*")] with runs = 10 ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml index 6815716b957..15295d0b16f 100644 --- a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml +++ b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/04" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -19,14 +19,6 @@ license = "Elastic License v2" name = "Connection to Commonly Abused Free SSL Certificate Providers" risk_score = 21 rule_id = "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "low" tags = [ "Domain: Endpoint", 
@@ -90,6 +82,17 @@ Free SSL certificates, like those from Let's Encrypt, enable secure web traffic - Restore the system from a known good backup if any critical system files or configurations have been altered. - Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/command_and_control_headless_browser.toml b/rules/windows/command_and_control_headless_browser.toml index 81abab1104f..41768001852 100644 --- a/rules/windows/command_and_control_headless_browser.toml +++ b/rules/windows/command_and_control_headless_browser.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/10" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
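Review bot: The new `setup` block says the rule requires data from "one of the following integrations", then lists a single entry, `- Elastic Defend`, followed by the boilerplate note that the rule supports multiple datasets; with one entry that note is misleading. Use the single-integration wording this commit uses elsewhere, `This rule requires data from the Elastic Defend integration.`, and drop the Note paragraph — or, if the `windows` entry in this file's `integration` array is still intended, list that integration as the second entry so the note becomes true. The same single-item list paired with the multi-dataset note appears in command_and_control_new_terms_commonly_abused_rat_execution.toml.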
@@ -82,6 +82,32 @@ process where host.os.type == "windows" and event.type == "start" and "explorer.exe", "rundll32.exe", "winword.exe", "excel.exe", "onenote.exe", "hh.exe", "powerpnt.exe", "forfiles.exe", "pcalua.exe", "wmiprvse.exe") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml index a9db0f9e470..fe5cef2e742 100644 --- a/rules/windows/command_and_control_iexplore_via_com.toml +++ b/rules/windows/command_and_control_iexplore_via_com.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -85,6 +85,14 @@ Internet Explorer can be manipulated via the Component Object Model (COM) to ini - Restore the affected system from a known good backup if malware is confirmed and cannot be fully removed, ensuring that the backup is free from compromise. - Implement network-level controls to block the identified suspicious domains and IP addresses to prevent future communication attempts. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/command_and_control_ingress_transfer_bits.toml b/rules/windows/command_and_control_ingress_transfer_bits.toml index 9be47999737..e65fba01b86 100644 --- a/rules/windows/command_and_control_ingress_transfer_bits.toml +++ b/rules/windows/command_and_control_ingress_transfer_bits.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/13" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" [transform] [[transform.osquery]] 
@@ -144,6 +144,14 @@ file where host.os.type == "windows" and event.action == "rename" and "?:\\Users\\*\\AppData\\Local\\Docker Desktop Installer\\update-*.exe" ) ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml index 8e7ba96c2d3..66e275b64a0 100644 --- a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml +++ b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/03" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -278,6 +278,17 @@ host.os.type: "windows" and not (process.pe.original_file_name : ("G2M.exe" or "Updater.exe" or "powershell.exe") and process.code_signature.subject_name : "LogMeIn, Inc.") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/command_and_control_outlook_home_page.toml b/rules/windows/command_and_control_outlook_home_page.toml index 90f713db53b..0f9c3aab2e9 100644 --- a/rules/windows/command_and_control_outlook_home_page.toml +++ b/rules/windows/command_and_control_outlook_home_page.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/01" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -84,6 +84,27 @@ The Outlook Home Page feature allows users to set a webpage as the default view - Review and analyze network logs to identify any outbound connections to suspicious domains or IP addresses, and block these at the firewall. - Escalate the incident to the security operations center (SOC) for further investigation and to determine if other systems are affected. - Implement additional monitoring on the affected system and similar endpoints to detect any recurrence of the threat, focusing on registry changes and network activity.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml index cc1ee407e09..8cb41a62fd0 100644 --- a/rules/windows/command_and_control_port_forwarding_added_registry.toml +++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2024/10/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -87,6 +87,27 @@ registry where host.os.type == "windows" and registry.path : ( "MACHINE\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*" ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml index 138ce8e3f7d..0f5b6f7e93f 100644 --- a/rules/windows/command_and_control_rdp_tunnel_plink.toml +++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -89,6 +89,32 @@ process where host.os.type == "windows" and event.type == "start" and process.args : "*:3389" and process.args : ("-L", "-P", "-R", "-pw", "-ssh") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml index 8bb08c1cf17..8823bc2126c 100644 --- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml +++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/03" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -168,6 +168,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.name : "desktopimgdownldr.exe" or ?process.pe.original_file_name == "desktopimgdownldr.exe") and process.args : "/lockscreenurl:http*" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
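Review bot: The rule's metadata in the previous hunk of this file lists `windows` and `system` in `integration`, but the new setup text says the rule needs one of Elastic Defend, M365 Defender, SentinelOne Cloud Funnel or CrowdStrike and never mentions the Windows or System integrations. A user who only ships process-creation events through those two integrations would read this and conclude the rule cannot run for them, although the metadata says otherwise. Either add bullets such as `- Windows` and `- System` with a one-line setup pointer for each, or remove them from `integration` if they are not really supported; the rule's `index` patterns are outside this hunk, so which is correct needs to be checked against them.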
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
index 2bed2b5a903..97c14254ff3 100644
--- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
+++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -166,6 +166,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.name : "MpCmdRun.exe" or ?process.pe.original_file_name == "MpCmdRun.exe") and process.args : "-DownloadFile" and process.args : "-url" and process.args : "-path" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml index 3e41e8ec3e5..1c6d54175aa 100644 --- a/rules/windows/command_and_control_remote_file_copy_powershell.toml +++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/30" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" [transform] [[transform.osquery]] @@ -146,6 +146,14 @@ sequence by process.entity_id with maxspan=30s process.name : "powershell.exe" and file.extension : ("exe", "dll", "ps1", "bat") and not file.name : "__PSScriptPolicy*.ps1"] ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml index 813cad05e4c..3034b326170 100644 --- a/rules/windows/command_and_control_remote_file_copy_scripts.toml +++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -120,6 +120,17 @@ sequence by host.id, process.entity_id ] [file where host.os.type == "windows" and event.type == "creation" and file.extension : ("exe", "dll")] ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/command_and_control_screenconnect_childproc.toml b/rules/windows/command_and_control_screenconnect_childproc.toml index 25f96b21f0e..a74601f3af9 100644 --- a/rules/windows/command_and_control_screenconnect_childproc.toml +++ b/rules/windows/command_and_control_screenconnect_childproc.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
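Review bot: The new setup string lists a single source (`- Elastic Defend`) under "one of the following integrations" and then keeps the boilerplate "supports multiple datasets, but only one is required", which contradicts itself for a one-item list; the powershell rule in the hunk just above uses the single-source form `This rule requires data from the Elastic Defend integration.` for the same situation. This file's metadata hunk also lists `windows` next to `endpoint` in `integration`, so either a second bullet for the Windows integration is missing or the single-source wording should be used. Suggest replacing the first three content lines of the string with `This rule requires data from the Elastic Defend integration.` and dropping the `Note:` paragraph, unless the Windows integration is meant to be listed as well.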
@@ -103,6 +103,32 @@ ScreenConnect, a remote access tool, facilitates legitimate remote support but c
 - Restore the system from a known good backup if any critical system files or configurations have been altered or compromised.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for ScreenConnect and other remote access tools to detect similar activities in the future, ensuring that alerts are promptly reviewed and acted upon."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- SentinelOne Cloud Funnel
+- M365 Defender
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml index 53c16e9ff6d..2b5580da267 100644 --- a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml +++ b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" [transform] [[transform.osquery]] @@ -126,6 +126,14 @@ network where host.os.type == "windows" and event.type == "protocol" and network not http.request.body.content : "*solarwinds.com*" ) ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml index 63d8333bd37..506dd4e85e2 100644 --- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml +++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." @@ -122,6 +122,22 @@ file where host.os.type == "windows" and event.type == "creation" and process.na ) and process.code_signature.trusted == true ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). +""" [[rule.threat]] diff --git a/rules/windows/command_and_control_tool_transfer_via_curl.toml b/rules/windows/command_and_control_tool_transfer_via_curl.toml index d155e29c316..6d2c4b283d6 100644 --- a/rules/windows/command_and_control_tool_transfer_via_curl.toml +++ b/rules/windows/command_and_control_tool_transfer_via_curl.toml 
@@ -2,7 +2,7 @@
 creation_date = "2025/02/03"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -89,6 +89,32 @@ process where host.os.type == "windows" and event.type == "start" and user.id != process.command_line : "*http*" and process.parent.name : ("cmd.exe", "powershell.exe", "rundll32.exe", "explorer.exe", "conhost.exe", "forfiles.exe", "wscript.exe", "cscript.exe", "mshta.exe", "hh.exe", "mmc.exe") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
@@ -102,4 +128,4 @@ reference = "https://attack.mitre.org/techniques/T1105/"
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
\ No newline at end of file
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/windows/command_and_control_tunnel_vscode.toml b/rules/windows/command_and_control_tunnel_vscode.toml
index 1bc611fa876..a26f24f538c 100644
--- a/rules/windows/command_and_control_tunnel_vscode.toml
+++ b/rules/windows/command_and_control_tunnel_vscode.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -90,6 +90,32 @@ Visual Studio Code (VScode) offers a remote tunnel feature enabling developers t
 - Restore the system from a known good backup if any unauthorized changes or malware are detected.
 - Implement network segmentation to limit the ability of similar threats to spread across the environment.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- SentinelOne Cloud Funnel
+- M365 Defender
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. 
For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml
index 96caa2b51a0..22521cdb9e2 100644
--- a/rules/windows/credential_access_cmdline_dump_tool.toml
+++ b/rules/windows/credential_access_cmdline_dump_tool.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -118,6 +118,27 @@ process where host.os.type == "windows" and event.type == "start" and (?process.pe.original_file_name : "diskshadow.exe" or process.name : "diskshadow.exe") and process.args : "/s") ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml index 14e2e20d979..2cc452871de 100644 --- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml +++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml 
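Review bot: The setup block lists Elastic Defend, M365 Defender and SentinelOne Cloud Funnel as the only sources for this rule, but the metadata hunk just above has `integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"]`, so the Windows and System integrations are declared supported and then omitted from the user-facing requirements. Leaving CrowdStrike out is consistent with the metadata, which suggests the list was meant to mirror `integration` and the two Windows-native sources were simply skipped. Suggest adding `- Windows` and `- System` bullets with a short pointer to their process-event setup, or trimming `integration` if they are not supported; the `index` patterns that would settle this are outside the hunk.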
@@ -2,7 +2,7 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -146,6 +146,32 @@ process where host.os.type == "windows" and event.type == "start" and ) and process.command_line : ("*\\ntds.dit*", "*\\config\\SAM*", "*\\*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\*", "*/system32/config/SAM*", "*\\User Data\\*") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml index e6e093b01bb..308ad05d638 100644 --- a/rules/windows/credential_access_credential_dumping_msbuild.toml +++ b/rules/windows/credential_access_credential_dumping_msbuild.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -123,6 +123,17 @@ sequence by process.entity_id [any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and (?dll.name : ("vaultcli.dll", "SAMLib.DLL") or file.name : ("vaultcli.dll", "SAMLib.DLL"))] ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml index 58d2a58bdf1..d73bd58851c 100644 --- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml +++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml 
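Review bot: The new `setup` string for the MSBuild rule lists only `- Elastic Defend` under "one of the following integrations" and then keeps the "supports multiple datasets, but only one is required" note, which reads as a copy-paste leftover when there is a single item; the first hunk of this same file shows `integration = ["endpoint", "windows"]`, so a Windows integration bullet is either missing or the single-source phrasing used elsewhere in this change (`This rule requires data from the Elastic Defend integration.`) should be used instead. Given the query matches `event.category == "library"` as well as `event.action : "Image loaded*"`, it looks like it is written to accept both Elastic Defend and Sysmon-style image-load events, which would favour adding a `- Windows` bullet rather than dropping the list. Please pick one of the two and remove the contradictory note in either case.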
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -35,6 +35,32 @@ type = "eql" query = ''' file where host.os.type == "windows" and event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_capi_*.pvk") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml index f1ccc8b6b77..a1f371a20d7 100644 
--- a/rules/windows/credential_access_dump_registry_hives.toml
+++ b/rules/windows/credential_access_dump_registry_hives.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/23"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -93,6 +93,32 @@ process where host.os.type == "windows" and event.type == "start" and process.args : ("save", "export") and process.args : ("hklm\\sam", "hklm\\security") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_generic_localdumps.toml b/rules/windows/credential_access_generic_localdumps.toml index 6b1d013fbfe..a250f1ffe09 100644 
--- a/rules/windows/credential_access_generic_localdumps.toml
+++ b/rules/windows/credential_access_generic_localdumps.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/28"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -85,6 +85,22 @@ Full user-mode dumps are a diagnostic feature in Windows that captures detailed
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and alerting for similar registry changes across the network to detect and respond to future attempts promptly.
 - Review and update endpoint protection configurations to ensure they are capable of detecting and blocking similar credential dumping techniques."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
index 3982f2e52c9..5979b84450d 100644
--- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml
+++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
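Review bot: The setup block names Elastic Defend and M365 Defender as the only supported sources, while the metadata hunk above declares `integration = ["endpoint", "windows", "m365_defender"]`, so the Windows integration is silently dropped from the requirements the user sees. The response guidance in the context lines talks about "similar registry changes", which suggests the rule keys on registry events; if it also accepts Sysmon registry events from the Windows integration, a `- Windows` bullet with a one-line pointer to the Windows integration docs is missing, and if it does not, `windows` should come out of `integration`. The rule's `index` field is not in this hunk, so the choice needs confirming there.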
@@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -93,6 +93,32 @@ Microsoft IIS often stores sensitive connection strings in encrypted form to sec - Restore the IIS server from a known good backup taken before the compromise, ensuring that any webshells or malicious scripts are removed. - Implement enhanced monitoring and alerting for any future unauthorized use of aspnet_regiis.exe, focusing on the specific arguments used in the detection query. - Escalate the incident to the security operations center (SOC) or relevant incident response team for further investigation and to assess the broader impact on the organization.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml b/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml index 4238e58285e..3d244051195 100644 --- a/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml +++ b/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml @@ -2,7 +2,7 @@ creation_date = "2024/10/14" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/14" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
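Review bot: The product names inside the new setup block are inconsistent with each other: the list says `- CrowdStrike` and `- M365 Defender`, while the headings read `### Crowdstrike FDR Setup` and `### Microsoft Defender for Endpoint Setup`, so a reader scanning for the section that matches a bullet has to guess which one it is. Use one spelling and one name per product, e.g. `- CrowdStrike FDR` with `### CrowdStrike FDR Setup`, and `- Microsoft Defender for Endpoint (M365 Defender integration)` with the existing heading. The identical text is pasted into credential_access_kirbi_file, credential_access_relay_ntlm_auth_via_http_spoolss and credential_access_saved_creds_vaultcmd, and the M365 mismatch into every file that gets that section, so if these blocks come from a shared template it is better fixed there once than per file.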
@@ -89,6 +89,17 @@ Azure AD Sync Service facilitates identity synchronization between on-premises d - Change all credentials that may have been exposed or compromised, focusing on those related to Azure AD and on-premises directory services. - Implement application whitelisting to prevent unauthorized DLLs from being loaded by critical processes like Azure AD Sync. - Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml index 7977da3371d..3a34841eb4f 100644 --- a/rules/windows/credential_access_kerberoasting_unusual_process.toml +++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/02" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." 
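Review bot: The new setup block says "one of the following integrations" and then lists a single bullet, `- Elastic Defend`, followed by the note that only one of several datasets is required, which contradicts itself for a one-item list. The other single-source files in this commit (for example credential_access_lsass_loaded_susp_dll) use the shorter form; use it here too, `This rule requires data from the Elastic Defend integration.`, and drop the multi-dataset note. The `integration` array in the hunk above also lists `windows`, so if that source is intentional the list should instead stay plural and include it.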
@@ -166,6 +166,22 @@ network where host.os.type == "windows" and event.type == "start" and network.di ) and destination.address != "127.0.0.1" and destination.address != "::1" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_kirbi_file.toml b/rules/windows/credential_access_kirbi_file.toml index f1587fef43e..71bcb911127 100644 --- a/rules/windows/credential_access_kirbi_file.toml +++ b/rules/windows/credential_access_kirbi_file.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -63,6 +63,32 @@ Kirbi files are associated with Kerberos, a network authentication protocol used - Revoke all active Kerberos tickets and force re-authentication for all users to ensure that any stolen tickets are rendered useless. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach. - Implement enhanced monitoring and logging for Kerberos-related activities to detect and respond to similar threats more effectively in the future.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml index c3881e95792..a415d4cb05a 100644 --- a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml +++ b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml @@ -2,7 +2,7 @@ creation_date = "2022/06/29" integration = ["windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -21,14 +21,6 @@ name = "Suspicious LSASS Access via MalSecLogon" references = ["https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html"] risk_score = 73 rule_id = "7ba58110-ae13-439b-8192-357b0fcfa9d7" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "high" tags = [ "Domain: Endpoint", diff --git a/rules/windows/credential_access_lsass_loaded_susp_dll.toml b/rules/windows/credential_access_lsass_loaded_susp_dll.toml index cb444a5b057..3a49e8ef928 100644 
--- a/rules/windows/credential_access_lsass_loaded_susp_dll.toml +++ b/rules/windows/credential_access_lsass_loaded_susp_dll.toml @@ -2,7 +2,7 @@ creation_date = "2022/12/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -138,6 +138,14 @@ The Local Security Authority Subsystem Service (LSASS) is crucial for managing s - Implement application whitelisting to prevent unauthorized DLLs from being loaded into critical processes like LSASS in the future. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Update security monitoring tools to enhance detection capabilities for similar threats, ensuring that alerts are generated for any future attempts to load untrusted DLLs into LSASS.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml index 31610e3dd41..3f2f7b9520d 100644 --- a/rules/windows/credential_access_lsass_memdump_file_created.toml +++ b/rules/windows/credential_access_lsass_memdump_file_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -145,6 +145,27 @@ file where host.os.type == "windows" and event.action != "deletion" and ) ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_lsass_openprocess_api.toml b/rules/windows/credential_access_lsass_openprocess_api.toml index dbf7d310a3e..7cd5845344c 100644 --- a/rules/windows/credential_access_lsass_openprocess_api.toml +++ b/rules/windows/credential_access_lsass_openprocess_api.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/02" integration = ["endpoint", "m365_defender"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" [transform] [[transform.osquery]] 
@@ -182,6 +182,22 @@ api where host.os.type == "windows" and ) and not ?process.code_signature.trusted == false ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml index addbde90c98..8fe626d4fe0 100644 --- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml +++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2024/10/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -58,14 +58,6 @@ This rule looks for the creation of a file named `mimilsa.log`, which is generat references = ["https://www.elastic.co/security-labs/detect-credential-access"] risk_score = 73 rule_id = "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "high" tags = [ "Domain: Endpoint", 
@@ -85,6 +77,27 @@ type = "eql" query = ''' file where host.os.type == "windows" and file.name : "mimilsa.log" and process.name : "lsass.exe" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml index 7dd04a08fe6..38d6883f69f 100644 --- a/rules/windows/credential_access_mod_wdigest_security_provider.toml +++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -70,14 +70,6 @@ references = [ ] risk_score = 73 rule_id = "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "high" tags = [ "Domain: Endpoint", 
@@ -101,6 +93,22 @@ registry where host.os.type == "windows" and event.type == "creation" and ) and registry.data.strings : ("1", "0x00000001") and not (process.executable : "?:\\Windows\\System32\\svchost.exe" and user.id : "S-1-5-18") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_moving_registry_hive_via_smb.toml b/rules/windows/credential_access_moving_registry_hive_via_smb.toml index 8f794a53476..6545c10f304 100644 --- a/rules/windows/credential_access_moving_registry_hive_via_smb.toml +++ b/rules/windows/credential_access_moving_registry_hive_via_smb.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/16" integration = ["endpoint"] maturity = "production" -updated_date = "2024/08/06" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -79,6 +79,14 @@ file where host.os.type == "windows" and event.type == "creation" and "?:\\*\\AppData\\Local\\Packages\\Microsoft.*\\Settings\\settings.dat*" ) ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml index 6ffc0fe8fc4..470dac851e1 100644 --- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml +++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/18" integration = ["endpoint", "m365_defender", "windows"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -143,6 +143,22 @@ registry where host.os.type == "windows" and event.type == "change" and ) ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml index e3a407c175f..52b81acb1a9 100644 --- a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml +++ b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml @@ -2,7 +2,7 @@ creation_date = "2021/09/27" integration = ["windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -20,14 +20,6 @@ name = "Potential Credential Access via DuplicateHandle in LSASS" references = ["https://github.com/CCob/MirrorDump"] risk_score = 47 rule_id = "02a4576a-7480-4284-9327-548a806b5e48" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "medium" tags = [ "Domain: Endpoint", diff --git a/rules/windows/credential_access_regback_sam_security_hives.toml b/rules/windows/credential_access_regback_sam_security_hives.toml index 45500f46a21..634cdbda09c 100644 --- a/rules/windows/credential_access_regback_sam_security_hives.toml +++ b/rules/windows/credential_access_regback_sam_security_hives.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/01" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/14" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -75,6 +75,14 @@ file where host.os.type == "windows" and "?:\\Windows\\system32\\taskhostw.exe", "?:\\Windows\\system32\\taskhost.exe" )) ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] 
diff --git a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml index 990d0407c58..25d560ba2f7 100644 --- a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml +++ b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml @@ -2,7 +2,7 @@ creation_date = "2022/04/30" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -98,6 +98,32 @@ NTLM, a suite of Microsoft security protocols, is often targeted by adversaries - Apply the latest security patches and updates to the Windows Printer Spooler service and related components to mitigate known vulnerabilities. - Implement network segmentation to limit the exposure of critical services and reduce the risk of similar attacks in the future. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_remote_sam_secretsdump.toml b/rules/windows/credential_access_remote_sam_secretsdump.toml index f3fde2b0828..cb39b2f9c53 100644 --- a/rules/windows/credential_access_remote_sam_secretsdump.toml +++ b/rules/windows/credential_access_remote_sam_secretsdump.toml @@ -2,7 +2,7 @@ creation_date = "2022/03/01" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -56,16 +56,6 @@ references = [ ] risk_score = 73 rule_id = "850d901a-2a3c-46c6-8b22-55398a01aad8" -setup = """## Setup - -This rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work. - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "high" tags = [ "Domain: Endpoint", 
@@ -85,6 +75,14 @@ file where host.os.type == "windows" and file.Ext.header_bytes : "72656766*" and user.id : ("S-1-5-21-*", "S-1-12-1-*") and file.size >= 30000 and file.path : ("?:\\Windows\\system32\\*.tmp", "?:\\WINDOWS\\Temp\\*.tmp") ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml index ae548489730..9e20b8ee3e4 100644 --- a/rules/windows/credential_access_saved_creds_vaultcmd.toml +++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
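Review bot: The replacement setup text drops the rule-specific sentence the deleted block carried, `This rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work.`, in favour of the generic Elastic Defend paragraph. The `integration` array in the `@@ -2,7` hunk above lists only `endpoint` and the visible tail of the query is a single `file where` clause, so the old sentence may simply have been stale; but the head of the query is outside the hunk, and if the rule still correlates against System integration events that requirement should be restated in the new block rather than lost. Either way, the removal hunk (`@@ -56,16 +56,6`) and this addition together change what the rule documents as required data, which deserves a line in the commit message.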
@@ -92,6 +92,32 @@ Windows Credential Manager stores credentials for websites, applications, and ne - Implement enhanced monitoring on the affected system and similar endpoints for any further attempts to use VaultCmd.exe or other credential dumping tools. - Escalate the incident to the security operations center (SOC) or incident response team for a comprehensive investigation and to determine the scope of the breach. - Review and update endpoint protection configurations to ensure that similar threats are detected and blocked in the future, leveraging threat intelligence and MITRE ATT&CK framework insights.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_suspicious_lsass_access_generic.toml b/rules/windows/credential_access_suspicious_lsass_access_generic.toml index a92818305b6..e445278a908 100644 --- a/rules/windows/credential_access_suspicious_lsass_access_generic.toml +++ b/rules/windows/credential_access_suspicious_lsass_access_generic.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/22" integration = ["windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -17,14 +17,6 @@ name = "Suspicious Lsass Process Access" references = ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"] risk_score = 47 rule_id = "128468bf-cab1-4637-99ea-fdf3780a4609" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "medium" tags = [ "Domain: Endpoint", diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml index 7de6d5c1369..c3c04aaa1aa 100644 
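Review bot: The new `setup` text lists Elastic Defend, M365 Defender, SentinelOne Cloud Funnel and CrowdStrike as the supported sources, but this file's `integration` field in the header hunk also names `windows` and `system`, so a reader following the setup section is not told that events collected by the Windows and System integrations also feed this rule; presumably the omission is unintentional. Consider adding a bullet for each under "This rule requires data from one of the following integrations:" plus a short subsection such as `### Windows and System Integration Setup` pointing to those integrations' documentation, or dropping them from `integration` if they are no longer supported. The same mismatch between the `integration` list and the new setup text appears in the setup hunks for credential_access_veeam_commands, credential_access_wbadmin_ntds, credential_access_wireless_creds_dumping, defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe, defense_evasion_amsi_bypass_dllhijack, defense_evasion_amsienable_key_mod, defense_evasion_clearing_windows_console_history, defense_evasion_clearing_windows_event_logs, both defense_evasion_code_signing_policy_modification_* files, defense_evasion_create_mod_root_certificate and defense_evasion_defender_disabled_via_registry. A smaller consistency nit in the same block: the bullet reads `- CrowdStrike` while the heading reads `### Crowdstrike FDR Setup`; one spelling should be used throughout.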
--- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml +++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/07" integration = ["windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -24,14 +24,6 @@ references = [ ] risk_score = 73 rule_id = "9960432d-9b26-409f-972b-839a959e79e2" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "high" tags = [ "Domain: Endpoint", diff --git a/rules/windows/credential_access_veeam_backup_dll_imageload.toml b/rules/windows/credential_access_veeam_backup_dll_imageload.toml index 0af9521613a..f1dc825195e 100644 --- a/rules/windows/credential_access_veeam_backup_dll_imageload.toml +++ b/rules/windows/credential_access_veeam_backup_dll_imageload.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -73,6 +73,14 @@ Veeam Backup software is crucial for data protection, enabling secure backup and - Restore any affected systems or data from a known good backup to ensure integrity and availability. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and alerting for similar activities, focusing on unauthorized process executions and DLL loads, to improve early detection of future threats.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_veeam_commands.toml b/rules/windows/credential_access_veeam_commands.toml index cc760955744..40785a638c0 100644 --- a/rules/windows/credential_access_veeam_commands.toml +++ b/rules/windows/credential_access_veeam_commands.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/14" integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -92,6 +92,32 @@ Veeam credentials stored in MSSQL databases are crucial for managing backup oper - Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems are compromised. - Implement enhanced monitoring on systems storing Veeam credentials to detect similar suspicious activities in the future. - Review and update access controls and permissions for MSSQL databases to ensure only authorized personnel have access to Veeam credentials.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. 
For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_wbadmin_ntds.toml b/rules/windows/credential_access_wbadmin_ntds.toml index 29b5cd8b8eb..dd17e09647b 100644 --- a/rules/windows/credential_access_wbadmin_ntds.toml +++ b/rules/windows/credential_access_wbadmin_ntds.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/05" integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -89,6 +89,32 @@ Wbadmin is a Windows utility for backup and recovery, often used by administrato - Restore the NTDS.dit file from a known good backup if any unauthorized modifications are detected. - Implement enhanced monitoring and logging for wbadmin.exe usage across all domain controllers to detect future unauthorized access attempts. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. 
For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/credential_access_wireless_creds_dumping.toml b/rules/windows/credential_access_wireless_creds_dumping.toml index 6a4271c9d57..c6b5275b460 100644 --- a/rules/windows/credential_access_wireless_creds_dumping.toml +++ b/rules/windows/credential_access_wireless_creds_dumping.toml @@ -2,7 +2,7 @@ creation_date = "2022/11/01" integration = ["endpoint", "system", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -121,6 +121,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.name : "netsh.exe" or ?process.pe.original_file_name == "netsh.exe") and process.args : "wlan" and process.args : "key*clear" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml index 6043131dcdd..8948c0c0caf 100644 --- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml +++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -131,6 +131,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.name : "attrib.exe" or ?process.pe.original_file_name == "ATTRIB.EXE") and process.args : "+h" and not (process.parent.name: "cmd.exe" and process.command_line: "attrib +R +H +S +A *.cui") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml index 726fe74345d..8569302457f 100644 --- a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml +++ b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml @@ -4,7 +4,7 @@ integration = ["windows", "endpoint", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/02/03" +updated_date = "2025/02/24" [transform] [[transform.osquery]] 
@@ -139,6 +139,27 @@ file where host.os.type == "windows" and event.type != "deletion" and file.path ) ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml index 0edc49a16fd..ce2d66070de 100644 --- a/rules/windows/defense_evasion_amsienable_key_mod.toml +++ b/rules/windows/defense_evasion_amsienable_key_mod.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/06/01" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -98,6 +98,27 @@ registry where host.os.type == "windows" and event.type == "change" and HKEY_USERS\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable" */ ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml index 62cef1d7a1d..f87cc1a73bb 100644 --- a/rules/windows/defense_evasion_clearing_windows_console_history.toml +++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml @@ -2,7 +2,7 @@ creation_date = "2021/11/22" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -96,6 +96,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.args : "*Set-PSReadlineOption*" and process.args : "*SaveNothing*") ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml index 3dfe685d34f..2f6186e5d17 100644 --- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -96,6 +96,32 @@ process where host.os.type == "windows" and event.type == "start" and ) ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml index 4251115b3ca..b8737343222 100644 
--- a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml +++ b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/31" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -119,6 +119,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.name: "bcdedit.exe" or ?process.pe.original_file_name == "bcdedit.exe") and process.args: ("-set", "/set") and process.args: ("TESTSIGNING", "nointegritychecks", "loadoptions", "DISABLE_INTEGRITY_CHECKS") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml index aeeb61a20f9..632f7a917d4 100644 --- a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml +++ b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/31" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -111,6 +111,27 @@ registry where host.os.type == "windows" and event.type == "change" and "HKEY_USERS\\*\\Software\\Policies\\Microsoft\\Windows NT\\Driver Signing\\BehaviorOnFailedVerify" */ ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml b/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml index 149d52717bf..1119640ed0a 100644 --- a/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml +++ b/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/08/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/22" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -254,6 +254,14 @@ Communication apps like Slack, WebEx, and Teams are integral to modern workflows - Update the communication app and all related software to the latest versions to patch any known vulnerabilities that may have been exploited. - Implement application whitelisting to ensure only trusted and signed applications can execute, reducing the risk of similar threats. - Escalate the incident to the security operations center (SOC) or relevant security team for further investigation and to assess the potential impact on other systems.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml index 55093bd4d34..3cdc75869a3 100644 --- a/rules/windows/defense_evasion_create_mod_root_certificate.toml +++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml @@ -2,7 +2,7 @@ creation_date = "2021/02/01" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -126,6 +126,27 @@ registry where host.os.type == "windows" and event.type == "change" and registry
 "?:\\Windows\\WinSxS\\*.exe"
 )
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
index 44c1512773a..4f6d1d66409 100644
--- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
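Review bot: The new setup block for defense_evasion_create_mod_root_certificate.toml lists Elastic Defend, M365 Defender and SentinelOne Cloud Funnel, but the file's `integration` array in the preceding hunk also declares `"windows"`, and `min_stack_comments` even calls out a breaking change for the Windows Integration. A reader of the setup text would conclude the Windows integration (Sysmon/registry events via Elastic Agent) is not a valid data source for this rule. Either add a `- Windows` bullet with a matching `### Windows Integration Setup` section in the same style as the others, or remove `"windows"` from `integration` so the two pieces of metadata agree.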
@@ -2,7 +2,7 @@
 creation_date = "2020/12/23"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/10/17"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -100,6 +100,22 @@ registry where host.os.type == "windows" and event.type == "change" and
 ) and user.id : "S-1-5-18"
 )
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
index 48eb71e0524..9aa0071c4b6 100644
--- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
+++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
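Review bot: The setup text added to defense_evasion_defender_disabled_via_registry.toml says the rule needs Elastic Defend or M365 Defender, while the same file's `integration = ["endpoint", "windows", "m365_defender"]` a few lines above also names the Windows integration. Since this rule keys on registry change events with `user.id : "S-1-5-18"`, operators who only ship Windows-integration registry telemetry will wrongly believe the rule cannot fire for them. Add a `- Windows` entry and a short `### Windows Integration Setup` section, or drop `"windows"` from `integration`; whichever is chosen, the two lists should match.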
@@ -2,7 +2,7 @@
 creation_date = "2021/07/20"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -106,6 +106,32 @@ process where host.os.type == "windows" and event.type == "start" and
 process.args : ("*Add-MpPreference*", "*Set-MpPreference*") and process.args : ("*-Exclusion*")
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
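Review bot: The setup list in defense_evasion_defender_exclusion_via_powershell.toml names four sources, but the file's `integration` array in the previous hunk also includes `"windows"` and `"system"`, so process-start events from the Windows and System integrations are supported by the rule yet absent from the user-facing setup text. Add `- Windows` and `- System` bullets (with a corresponding `### ... Setup` section each, following the pattern of the existing ones) or trim `integration` to what the setup actually documents. As a style nit in the same block, the bullet says `CrowdStrike` while the heading and paragraph say `Crowdstrike FDR`; pick one spelling.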
diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
index e80066eafb4..0dbec8d63d1 100644
--- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
+++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -84,6 +84,32 @@ process where host.os.type == "windows" and event.type == "start" and
 (process.name : "fsutil.exe" or ?process.pe.original_file_name == "fsutil.exe") and process.args : "deletejournal" and process.args : "usn"
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
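Review bot: The setup block for defense_evasion_delete_volume_usn_journal_with_fsutil.toml omits the Windows and System integrations even though `"windows"` and `"system"` are in this file's `integration` array in the hunk just above. The rule only needs a process-start event for `fsutil.exe`, which those integrations produce, so the omission understates where the rule can run. Add `- Windows` and `- System` to the bullet list with matching setup sections, or remove them from `integration`.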
diff --git a/rules/windows/defense_evasion_disable_nla.toml b/rules/windows/defense_evasion_disable_nla.toml
index ab4dd964e69..f6cd2623279 100644
--- a/rules/windows/defense_evasion_disable_nla.toml
+++ b/rules/windows/defense_evasion_disable_nla.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/25"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -82,6 +82,27 @@ Network-Level Authentication (NLA) enhances security for Remote Desktop Protocol
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring on the affected system and similar endpoints to detect any further attempts to disable NLA or other suspicious activities.
 - Review and update endpoint security policies to ensure that registry changes related to NLA are monitored and alerts are generated for any unauthorized modifications."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
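Review bot: In defense_evasion_disable_nla.toml the new setup list stops at SentinelOne Cloud Funnel, while the file's `integration` array (first hunk of this file) ends with `"windows"`. The note's own guidance asks operators to monitor NLA registry changes, so telling them the Windows integration is not a supported source is misleading. Add a `- Windows` bullet and a `### Windows Integration Setup` paragraph, or remove `"windows"` from `integration`.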
diff --git a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
index 67929fe2adc..22d421cd1c2 100644
--- a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
+++ b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/31"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -86,6 +86,27 @@ registry where host.os.type == "windows" and event.type == "change" and
 "MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging"
 ) and registry.data.strings : ("0", "0x00000000")
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
index e25d77c4ef8..168ac537803 100644
--- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
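Review bot: The setup block added to defense_evasion_disable_posh_scriptblocklogging.toml leaves out the Windows integration although `"windows"` is declared in this file's `integration` array in the preceding hunk. Registry changes to `EnableScriptBlockLogging` are exactly the kind of event that integration ships, so the setup text under-reports the rule's supported sources. Add `- Windows` with a matching `### Windows Integration Setup` section, or drop it from `integration` so metadata and documentation agree.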
+++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -85,6 +85,32 @@ process where host.os.type == "windows" and event.type == "start" and
 (process.args : "advfirewall" and process.args : "off" and process.args : "state")
 )
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
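Review bot: defense_evasion_disable_windows_firewall_rules_with_netsh.toml declares `"windows"` and `"system"` in `integration` (previous hunk), yet the added setup list names only Elastic Defend, M365 Defender, SentinelOne Cloud Funnel and CrowdStrike. Operators relying on Windows or System integration process events will read this as "not supported". Add `- Windows` and `- System` bullets with their setup sections, or narrow `integration` to match; also normalise `CrowdStrike` vs `Crowdstrike` within the block.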
diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
index c58c50f40fb..ce4c341cd5f 100644
--- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
+++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/07"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -96,6 +96,32 @@ process where host.os.type == "windows" and event.type == "start" and
 ) and process.args : "Set-MpPreference" and process.args : ("-Disable*", "Disabled", "NeverSend", "-Exclusion*")
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
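Review bot: The setup list for defense_evasion_disabling_windows_defender_powershell.toml does not mention the Windows or System integrations, both of which appear in the file's `integration` array in the hunk above. Because the query only needs a `Set-MpPreference` process-start event, those integrations are legitimate sources and should be listed as `- Windows` and `- System` with corresponding setup sections, or removed from `integration` if they are no longer meant to be supported.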
diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml
index 6d36c13358e..346e9c8b674 100644
--- a/rules/windows/defense_evasion_disabling_windows_logs.toml
+++ b/rules/windows/defense_evasion_disabling_windows_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/06"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -101,6 +101,32 @@ process where host.os.type == "windows" and event.type == "start" and
 )
 )
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_dns_over_https_enabled.toml b/rules/windows/defense_evasion_dns_over_https_enabled.toml
index 6f4320c1a28..891b9389c97 100644
--- a/rules/windows/defense_evasion_dns_over_https_enabled.toml
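Review bot: In defense_evasion_disabling_windows_logs.toml the new setup block omits the Windows and System integrations that the file's `integration` array (previous hunk) declares. For a rule about tampering with Windows event logging, the Windows integration is a particularly natural data source, so leaving it undocumented is likely to confuse operators. Add `- Windows` and `- System` bullets with short setup sections, or remove them from `integration`.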
+++ b/rules/windows/defense_evasion_dns_over_https_enabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/22"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -82,6 +82,27 @@ DNS-over-HTTPS (DoH) encrypts DNS queries to enhance privacy and security, preve
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring for registry changes related to DNS settings across the organization to detect similar threats in the future.
 - Review and update security policies to ensure that DNS-over-HTTPS is only enabled through approved channels and for legitimate purposes, reducing the risk of misuse."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
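Review bot: The setup list in defense_evasion_dns_over_https_enabled.toml stops at three integrations, while the file's `integration` array in the hunk above also contains `"windows"`. The note explicitly recommends "enhanced monitoring for registry changes related to DNS settings", which is what the Windows integration provides, so it should not be silently dropped from the setup text. Add a `- Windows` bullet plus a `### Windows Integration Setup` section, or remove `"windows"` from `integration`.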
diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
index 7f932ca3d40..6dc3355eedf 100644
--- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
+++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/21"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -88,6 +88,32 @@ note = """## Triage and analysis
 - Restore the system from a known good backup if malicious activity is confirmed and cannot be fully remediated through cleaning.
 - Implement application whitelisting to prevent unauthorized execution of compilers and scripting engines by non-standard parent processes.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the need for broader organizational response measures."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. 
For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
index 56d52cc816f..b06fd3649dc 100644
--- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/13"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
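Review bot: The setup block added to defense_evasion_dotnet_compiler_parent_process.toml (the hunk that starts on the previous line) lists four integrations, but that file's `integration` array, visible in its first hunk, also declares `"windows"` and `"system"`. The setup documentation therefore under-reports the rule's supported sources; add `- Windows` and `- System` bullets with matching setup sections, or drop those entries from `integration`. The `CrowdStrike` / `Crowdstrike FDR` spelling in the same block should also be made consistent.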
@@ -89,6 +89,32 @@ process where host.os.type == "windows" and event.type == "start" and
 process.args : ("localport=3389", "RemoteDesktop", "group=\"remote desktop\"") and process.args : ("action=allow", "enable=Yes", "enable")
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
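Review bot: defense_evasion_enable_inbound_rdp_with_netsh.toml declares `"windows"` and `"system"` in `integration` (hunk above), but the new setup list does not mention either, so the documentation and the rule metadata disagree about which sources are supported. Add `- Windows` and `- System` bullets with the corresponding `### ... Setup` sections, or remove them from `integration`.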
diff --git a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
index cc21a55c697..8c804f78a6f 100644
--- a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/07"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -84,6 +84,32 @@ process where host.os.type == "windows" and event.type == "start" and
 process.name : "netsh.exe" and process.args : ("firewall", "advfirewall") and process.args : "group=Network Discovery" and process.args : "enable=Yes"
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
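Review bot: The setup block for defense_evasion_enable_network_discovery_with_netsh.toml leaves the Windows and System integrations out of its list, although both are present in the file's `integration` array in the preceding hunk. A plain `netsh.exe` process-start event is all the query needs, so those integrations are valid sources and should be documented with `- Windows` and `- System` bullets and setup sections, or removed from `integration` if they are no longer intended to be supported.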
diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
index 24dc8f1e23c..2dd86f6f878 100644
--- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
+++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/09/08"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -98,6 +98,32 @@ The Control Panel in Windows is a system utility that allows users to view and a - Restore any affected files or system settings from a known good backup to ensure system integrity. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised. - Implement additional monitoring and alerting for similar command-line anomalies to enhance detection and prevent recurrence of this threat.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. 
For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml index 56c9510a93e..7a1107d6c9d 100644 --- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml +++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
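Review bot: The new `setup` text says the rule requires data from one of four integrations, but this file's `integration` metadata in the hunk above also declares `windows` and `system`, which the list omits, so metadata and user guidance now disagree about which sources feed the rule. Either add those integrations to the list (with a short setup pointer) or trim the `integration` array so the two stay in sync. The same mismatch is present in every setup hunk below whose metadata hunk is visible (wuauclt, msbuild-office, msbuild-by-script, msbuild-system-process, msbuild-unusual-process, explorer-winword, windefend-unusual-path, multi-extension, unusual-directory, encoded-executable-registry, IIS-logging, forfiles, installutil); presumably the omission is deliberate because those integrations need extra event-source configuration, in which case one sentence saying so, e.g. `Windows and System integration data is also supported but requires process-creation auditing to be enabled.`, would remove the ambiguity. The `[rule]` table starts outside the hunk.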
@@ -136,6 +136,32 @@ process where host.os.type == "windows" and event.type == "start" and /* common paths writeable by a standard user where the target DLL can be placed */ process.args : ("C:\\Users\\*.dll", "C:\\ProgramData\\*.dll", "C:\\Windows\\Temp\\*.dll", "C:\\Windows\\Tasks\\*.dll") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
index c6ef3c6158d..5b69f0f88f1 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -117,6 +117,32 @@ process where host.os.type == "windows" and event.type == "start" and "powerpnt.exe", "winword.exe" ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml index c4dd1fecba9..0ed1fcfef2e 100755 
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -75,6 +75,17 @@ The Microsoft Build Engine (MSBuild) is a platform for building applications, ty
 - Reset credentials for any user accounts that were active on the affected system during the time of the alert to prevent unauthorized access.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for MSBuild and script interpreter activities across the network to detect and respond to similar threats in the future."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
index b235d0cccd2..286403dc0dd 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
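Review bot: The added `setup` lists a single integration (`- Elastic Defend`) yet keeps the template sentence `Note: This detection rule supports multiple datasets, but only one is required. ...`, which contradicts the one-item list. Either drop that sentence for single-source rules, or — since this file's `integration` metadata in the same hunk also declares `windows` — add that source so the sentence becomes true. The same single-item list with the multi-dataset note appears in the msbuild-unusual-process and installutil hunks below. The `[rule]` table starts outside the hunk.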
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -89,6 +89,32 @@ The Microsoft Build Engine (MSBuild) is a platform for building applications, ty - Restore the system from a known good backup if any critical system files or applications have been altered or corrupted. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for MSBuild.exe and related processes to detect similar activities in the future, ensuring alerts are configured for rapid response.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
index 0dbd8efef6f..449a40fa5d3 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -117,6 +117,22 @@ process where host.os.type == "windows" and event.type == "start" and process.pe.original_file_name == "MSBuild.exe" and not process.name : "MSBuild.exe" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml index bd07774ed21..ed50810a2e7 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -86,6 +86,17 @@ The Microsoft Build Engine (MSBuild) is a platform for building applications, of - Escalate the incident to the security operations team for further analysis and to determine if the threat is part of a larger attack campaign. - Implement additional monitoring and logging for MSBuild and related processes to detect any future misuse or anomalies promptly. - Review and update endpoint protection configurations to enhance detection and prevention capabilities against similar threats, ensuring that security controls are effectively blocking unauthorized script execution.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml index 6c7a52f2e63..7fbe9acde6c 100644 --- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml +++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/03" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -20,14 +20,6 @@ license = "Elastic License v2"
 name = "Potential DLL Side-Loading via Trusted Microsoft Programs"
 risk_score = 73
 rule_id = "1160dcdb-0a0a-4a79-91d8-9b84616edebd"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "high"
 tags = [
 "Domain: Endpoint",
@@ -91,6 +83,22 @@ DLL side-loading exploits the DLL search order to load malicious code into trust - Update and patch all software on the affected system, focusing on the trusted Microsoft programs identified in the alert, to mitigate vulnerabilities exploited by DLL side-loading. - Monitor the network for any signs of lateral movement or additional compromised systems, using the indicators of compromise identified during the investigation. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems or data have been affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml index f47b122f137..0ccd35353f6 100644 --- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml 
+++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/07" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -24,14 +24,6 @@ references = [ ] risk_score = 73 rule_id = "053a0387-f3b5-4ba5-8245-8002cca2bd08" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "high" tags = [ "Domain: Endpoint", 
@@ -93,6 +85,22 @@ The Microsoft Antimalware Service Executable, a core component of Windows Defend - Investigate the source of the DLL side-loading attempt to determine if it was part of a broader attack campaign, and gather forensic evidence for further analysis. - Escalate the incident to the security operations center (SOC) or incident response team for a deeper investigation and to assess the need for further containment measures. - Implement additional monitoring and alerting for similar anomalies in process execution paths to enhance detection capabilities and prevent recurrence.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml index aafffc95638..505319ddedc 100644 --- a/rules/windows/defense_evasion_file_creation_mult_extension.toml +++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml 
@@ -2,7 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -76,6 +76,27 @@ In Windows environments, adversaries may exploit file extensions to disguise mal - Review and restore any altered system configurations or files to their original state to ensure system integrity. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for similar file creation activities to improve detection and response capabilities for future incidents.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_from_unusual_directory.toml b/rules/windows/defense_evasion_from_unusual_directory.toml
index 2ee0007f97b..30611fd538f 100644
--- a/rules/windows/defense_evasion_from_unusual_directory.toml
+++ b/rules/windows/defense_evasion_from_unusual_directory.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/30"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -174,6 +174,27 @@ process where host.os.type == "windows" and event.type == "start" and "?:\\Users\\Public\\Documents\\syspin.exe", "?:\\Users\\Public\\res\\FileWatcher.exe") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml index 5e37948e8b9..33996491e6b 100644 --- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml +++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -63,6 +63,27 @@ Windows Registry is a hierarchical database storing low-level settings for the O - Restore the system from a known good backup if the integrity of the system is compromised and cannot be assured through cleaning. - Monitor the system and network for any signs of re-infection or similar registry modifications, adjusting detection rules if necessary to enhance future threat identification. - Escalate the incident to the security operations center (SOC) or relevant cybersecurity team for further analysis and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
index 0dc79543403..07867c7432f 100644
--- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml
+++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/14"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -88,6 +88,32 @@ process where host.os.type == "windows" and event.type == "start" and process.args : "/dontLog*:*True" and not process.parent.name : "iissetup.exe" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_indirect_exec_forfiles.toml b/rules/windows/defense_evasion_indirect_exec_forfiles.toml index e458499fd12..57a8614aa72 100644 
--- a/rules/windows/defense_evasion_indirect_exec_forfiles.toml
+++ b/rules/windows/defense_evasion_indirect_exec_forfiles.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/03"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -77,6 +77,32 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and (process.name : "forfiles.exe" or ?process.pe.original_file_name == "forfiles.exe") and process.args : ("/c", "-c")
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
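Review bot: The integration bullets in the new `setup` block name only Elastic Defend, M365 Defender, SentinelOne Cloud Funnel and CrowdStrike, while this file's `integration` array in the hunk above also declares `windows` and `system`; an operator who reads only the setup text will not learn that the rule can run on Windows/Sysmon or System integration data, if those are intended sources. If they are, add `- Windows` and `- System` bullets after `- Elastic Defend`; if they are not, a one-line comment above `integration` explaining why the setup text omits them would prevent the next reader from treating the two lists as out of sync. The same mismatch is present in the setup hunks for masquerading_as_elastic_endpoint_process, masquerading_suspicious_werfault_childproc, masquerading_trusted_directory, microsoft_defender_tampering, ms_office_suspicious_regmod and msiexec_child_proc_netcon.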
diff --git a/rules/windows/defense_evasion_installutil_beacon.toml b/rules/windows/defense_evasion_installutil_beacon.toml
index d0f651bb220..52e1ffedcda 100644
--- a/rules/windows/defense_evasion_installutil_beacon.toml
+++ b/rules/windows/defense_evasion_installutil_beacon.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -78,6 +78,17 @@ InstallUtil.exe is a legitimate Windows utility used for installing and uninstal
 - Restore the affected system from a known good backup if malicious activity is confirmed and cannot be fully remediated.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement network monitoring and alerting for unusual outbound connections from critical systems to enhance detection of similar threats in the future."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml
index bf4b4be6a9d..043ecd5e810 100644
--- a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml
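Review bot: The new `setup` text uses the "one of the following integrations" list with a single entry, `- Elastic Defend`, followed by the Note paragraph saying the listed integrations are an OR condition, which reads as contradictory when only one source is listed. The business_apps_installer and communication_apps hunks in this same diff use the single-source wording, `This rule requires data from the Elastic Defend integration.`, which fits this file; replacing the list and the Note paragraph with that sentence keeps the two forms consistent. The same single-item list appears in the setup hunks for masquerading_werfault, misc_lolbin_connecting_to_the_internet, msbuild_making_network_connections, mshta_beacon, msxsl_network and network_connection_from_windows_binary.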
+++ b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system","sentinel_one_cloud_funnel", "m36
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -91,6 +91,32 @@ The Windows command line debugging utility, cdb.exe, is a legitimate tool used f
 - Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited.
 - Implement application whitelisting to prevent unauthorized execution of cdb.exe from non-standard paths.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger attack campaign."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- SentinelOne Cloud Funnel
+- M365 Defender
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index 08fd9150654..5325ebf068d 100644
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -2,7 +2,7 @@ creation_date = "2020/08/24"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
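Review bot: The integration bullets in this `setup` block are ordered Elastic Defend, SentinelOne Cloud Funnel, M365 Defender, CrowdStrike, whereas the forfiles and trusted_directory hunks in this diff list the same four as Elastic Defend, M365 Defender, SentinelOne Cloud Funnel, CrowdStrike, and the `###` sections in every block use a third order (Elastic Defend, SentinelOne, Crowdstrike, Microsoft Defender). Using one fixed order across rules, ideally the order of the `###` sections, makes these generated-looking blocks diffable and easier to review. The bullet also spells the vendor `CrowdStrike` while the heading below reads `### Crowdstrike FDR Setup`; one spelling for both would be clearer, and the same applies to the other CrowdStrike blocks in this diff.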
@@ -107,6 +107,27 @@ Endpoint security solutions, like Elastic and Microsoft Defender, monitor and pr
 - Update endpoint security solutions and apply any available patches to address vulnerabilities that may have been exploited by the adversary.
 - Monitor the network and systems for any signs of re-infection or similar suspicious activities, using enhanced logging and alerting based on the identified threat indicators.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems may be affected."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_masquerading_business_apps_installer.toml b/rules/windows/defense_evasion_masquerading_business_apps_installer.toml
index 4ec3e5ee0e6..611b6a6c2ae 100644
--- a/rules/windows/defense_evasion_masquerading_business_apps_installer.toml
+++ b/rules/windows/defense_evasion_masquerading_business_apps_installer.toml
@@ -2,7 +2,7 @@ creation_date = "2023/09/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -200,6 +200,14 @@ Business applications are integral to productivity, often downloaded and install
 - Review and analyze the process execution logs and any related network activity to understand the scope of the intrusion and identify any other potentially compromised systems.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement application whitelisting to prevent unauthorized executables from running, ensuring only trusted and signed applications are allowed to execute."""
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_masquerading_communication_apps.toml b/rules/windows/defense_evasion_masquerading_communication_apps.toml
index 9ea0e913d23..91085dd489a 100644
--- a/rules/windows/defense_evasion_masquerading_communication_apps.toml
+++ b/rules/windows/defense_evasion_masquerading_communication_apps.toml
@@ -2,7 +2,7 @@ creation_date = "2023/05/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -126,6 +126,14 @@ Communication apps are integral to modern workflows, facilitating seamless inter
 - Restore any compromised systems from a known good backup to ensure the integrity of the system and data.
 - Monitor network traffic and system logs for any signs of lateral movement or further attempts to exploit communication apps.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
index 15635fea2d0..75d695f4799 100644
--- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
+++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/01"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -114,6 +114,22 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and process.pe.original_file_name : "AutoIt*.exe" and not process.name : "AutoIt*.exe"
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
index 30695cdb25f..d90db864594 100644
--- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
+++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -95,6 +95,27 @@ WerFault.exe is a Windows error reporting tool that handles application crashes.
 - Update and run a full antivirus and anti-malware scan on the affected system to detect and remove any additional threats or remnants of the attack.
 - Monitor network traffic and system logs for any signs of persistence mechanisms or further attempts to exploit the SilentProcessExit mechanism.
 - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- SentinelOne Cloud Funnel
+- M365 Defender
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
index 663acbc611e..a436ef4dce0 100644
--- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml
+++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
@@ -2,7 +2,7 @@ creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -111,6 +111,32 @@ The Program Files directories in Windows are trusted locations for legitimate so
 - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
 - Implement additional monitoring on the affected system and similar environments to detect any recurrence of the threat or similar tactics.
 - Update security policies and access controls to prevent unauthorized creation of directories that mimic trusted paths, enhancing defenses against similar masquerading attempts."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml
index fde26ca2cff..0ac54dd4f48 100644
--- a/rules/windows/defense_evasion_masquerading_werfault.toml
+++ b/rules/windows/defense_evasion_masquerading_werfault.toml
@@ -2,7 +2,7 @@ creation_date = "2020/08/24"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -127,6 +127,17 @@ sequence by host.id, process.entity_id with maxspan = 5s
 network.direction : ("outgoing", "egress") and destination.ip !="::1" and destination.ip !="127.0.0.1" ]
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
index 8d7ee180716..a0b70d7cac0 100644
--- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml
+++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
@@ -2,7 +2,7 @@ creation_date = "2021/10/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -132,6 +132,27 @@ registry where host.os.type == "windows" and event.type == "change" and process.
 "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet\\SubmitSamplesConsent" */
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
index 4e470e8ba1a..2251beaa4e7 100644
--- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
+++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
@@ -2,7 +2,7 @@ creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -130,6 +130,17 @@ sequence by process.entity_id
 "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8")]
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
index f749a8499a2..bef4c65630a 100644
--- a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
+++ b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
@@ -2,7 +2,7 @@ creation_date = "2022/01/12"
 integration = ["windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -108,6 +108,22 @@ registry where host.os.type == "windows" and event.type == "change" and registry
 ) and registry.data.strings : ("0x00000001", "1")
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
index 6742eb34238..45345612e4d 100644
--- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml
+++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
@@ -2,7 +2,7 @@ creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -150,6 +150,17 @@ sequence by process.entity_id with maxspan=30s
 "vortex.data.microsoft.com", "api.nuget.org")]
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml
index 103bb66acf9..3d28b0d043c 100644
--- a/rules/windows/defense_evasion_mshta_beacon.toml
+++ b/rules/windows/defense_evasion_mshta_beacon.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -81,6 +81,17 @@ Mshta.exe is a legitimate Windows utility used to execute Microsoft HTML Applica
 - Restore the system from a known good backup if malicious activity is confirmed and cannot be fully remediated.
 - Implement application whitelisting to prevent unauthorized execution of mshta.exe and similar system binaries.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml b/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
index dde8076da1a..402a140db36 100644
--- a/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
+++ b/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -84,6 +84,22 @@ MsiExec is a Windows utility for installing, maintaining, and removing software.
 - Reset credentials and review access permissions for any accounts that may have been compromised or used during the attack.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and detection rules to identify similar threats in the future, focusing on unusual MsiExec activity and network connections."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_msxsl_network.toml b/rules/windows/defense_evasion_msxsl_network.toml
index 4049b815df4..1dfe40290de 100644
--- a/rules/windows/defense_evasion_msxsl_network.toml
+++ b/rules/windows/defense_evasion_msxsl_network.toml
@@ -2,7 +2,7 @@ creation_date = "2020/03/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -81,6 +81,17 @@ MsXsl.exe is a legitimate Windows utility used to transform XML data using XSLT
 - Restore the affected system from a known good backup if any critical system files or configurations have been altered.
 - Implement network segmentation to limit the ability of msxsl.exe or similar utilities to make unauthorized external connections in the future.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or data have been impacted."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
index a8a58c8dbbc..338cd4ac3a8 100644
--- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
+++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
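Review bot: The `setup` block added in the second hunk on this line lists only `- Elastic Defend`, yet the first hunk on the same line shows `integration = ["endpoint", "windows"]`, so the Windows integration this file declares (and whose 8.14.0 breaking change `min_stack_comments` records) is absent from the user-facing setup guidance. A one-entry list under "one of the following integrations" followed by the OR-condition note is also self-contradictory. Add `- Windows` and a `### Windows Integration Setup` section pointing at the Windows integration documentation (presumably `https://www.elastic.co/guide/en/integrations/current/windows.html`, following the URL pattern of the other sections — confirm), or, if the Windows data is not actually consumed by the query, fix the `integration` array instead. The query itself is outside this hunk.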
@@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -185,6 +185,17 @@ sequence by process.entity_id with maxspan=5m not startswith~(dns.question.name, host.name) ] ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml index 49a6b6d135d..f42562b4017 100644 --- a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml +++ b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
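Review bot: The new `setup` text in the `@@ -185,6 +185,17 @@` hunk lists only `- Elastic Defend`, while the first hunk on this line shows `integration = ["endpoint", "windows"]` for the same file, so the Windows integration is declared but never documented as a supported data source. The visible query context (`dns.question.name`, `host.name`) suggests DNS and network events that the Windows integration can also provide, though the full sequence is outside the hunk. Add `- Windows` to the list and a `### Windows Integration Setup` section with a link to the Windows integration docs (likely `https://www.elastic.co/guide/en/integrations/current/windows.html` by analogy with the other section links — confirm), and drop the OR-condition note if the list is intentionally a single entry.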
@@ -110,6 +110,14 @@ Parent Process PID Spoofing involves manipulating the parent process identifier
 - Update and patch the affected system to the latest security standards to close any vulnerabilities that may have been exploited by the adversary.
 - Implement enhanced monitoring on the affected host and similar systems to detect any recurrence of the threat, focusing on process creation events and parent-child process relationships.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
index c2a8f625a6d..09292c9c021 100644
--- a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
+++ b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -85,6 +85,27 @@ The LocalAccountTokenFilterPolicy is a Windows registry setting that, when enabl
 - Deploy endpoint detection and response (EDR) tools to monitor for any further suspicious activities or attempts to modify registry settings.
 - Escalate the incident to the security operations center (SOC) for further investigation and to determine if the threat is part of a larger attack campaign.
 - Implement additional network segmentation and access controls to limit administrative access to critical systems and reduce the risk of similar threats."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- SentinelOne Cloud Funnel
+- M365 Defender
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
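Review bot: The new `setup` list (Elastic Defend, SentinelOne Cloud Funnel, M365 Defender) omits the Windows integration even though the previous hunk's header for this file shows `integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende…` (truncated), so the documented OR-list of supported sources is shorter than what the rule metadata declares. For a registry-value rule this matters: Sysmon registry events shipped by the Windows integration are a common way to get this telemetry, though the query is outside the hunk so I cannot confirm the exact dataset it keys on. Add `- Windows` to the list and a `### Windows Integration Setup` section with a link to the Windows integration docs, following the `integrations/current/<name>.html` URL pattern the other sections use (confirm the exact page).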
diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
index 2521ce2dc82..74cef4f8900 100644
--- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
+++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
@@ -2,7 +2,7 @@ creation_date = "2021/10/15"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -104,6 +104,32 @@ process where host.os.type == "windows" and event.type == "start" and process.args : "*-Enabled*" and process.args : "*False*" and process.args : ("*-All*", "*Public*", "*Domain*", "*Private*") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
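Review bot: The new `setup` block names four integrations (Elastic Defend, M365 Defender, SentinelOne Cloud Funnel, CrowdStrike) but the file's `integration` array on the previous line also declares `windows` and `system`, so two of the six declared data sources are missing from the user-facing OR-list. Two smaller consistency points in the same block: the list item says `- CrowdStrike` while the heading and paragraph say `Crowdstrike FDR`, and the sections are ordered Elastic Defend, SentinelOne, Crowdstrike, Microsoft Defender while the list puts M365 Defender second, which makes the block harder to scan. Add `- Windows` and `- System` entries with matching `### … Setup` sections (links following the `integrations/current/<name>.html` pattern — confirm the pages), normalise the vendor name to one spelling, and order the sections to match the list. The EQL query context at the top of the hunk is unchanged and not at issue.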
diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml index 83c94bfe8c2..47ec0310a43 100644 --- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml +++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" [transform] [[transform.osquery]] @@ -144,6 +144,14 @@ sequence by host.id with maxspan=5s ) ] by file.path ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml index d76195296cf..5ac8d4ee02d 100644 --- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml +++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/31" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -88,6 +88,22 @@ The Microsoft Diagnostics Troubleshooting Wizard (MSDT) is a legitimate tool use
 - Restore any affected files or system components from a known good backup to ensure system integrity.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.
 - Implement enhanced monitoring and logging for msdt.exe and related processes to detect and respond to similar threats in the future."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
index 00de7eaa076..1af806e08b5 100644
--- a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
+++ b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
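Review bot: The new `setup` list covers Elastic Defend and M365 Defender only, while the previous line shows this file's `integration = ["endpoint", "windows", "m365_defender"]`, so the Windows integration is declared by the rule but not offered to the user as a supported source. Since the block explicitly tells readers the list is an OR of supported datasets, the omission reads as "Sysmon via the Windows integration is not enough for this rule", which the metadata contradicts. Add `- Windows` and a `### Windows Integration Setup` section linking the Windows integration documentation (by analogy with the other links, likely `https://www.elastic.co/guide/en/integrations/current/windows.html` — confirm). The msdt query is outside the hunk.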
@@ -2,7 +2,7 @@ creation_date = "2024/05/31"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -90,6 +90,27 @@ The DNS Global Query Block List (GQBL) is a security feature in Windows environm
 - Monitor network traffic for signs of WPAD spoofing or other related attacks, and implement network segmentation to limit the impact of potential threats.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Update security policies and procedures to include specific measures for monitoring and protecting the DNS Global Query Block List, ensuring rapid detection and response to similar threats in the future."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_right_to_left_override.toml b/rules/windows/defense_evasion_right_to_left_override.toml
index b9666969c39..a68d20efc90 100644
--- a/rules/windows/defense_evasion_right_to_left_override.toml
+++ b/rules/windows/defense_evasion_right_to_left_override.toml
@@ -2,7 +2,7 @@ creation_date = "2025/01/20"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/22"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
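Review bot: The `setup` block that starts on the previous line and closes here documents Elastic Defend, M365 Defender and SentinelOne Cloud Funnel, but the file's metadata two lines up shows `integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]`, so the Windows integration is left out of the documented OR-list of supported sources. The GQBL rule watches a registry value, and the Windows integration's Sysmon registry events are a plausible feed for it, though the query itself is outside the hunk. Add `- Windows` to the list and a `### Windows Integration Setup` section linking the Windows integration docs (following the `integrations/current/<name>.html` pattern — confirm the page), or explain in the block why that integration cannot satisfy this rule.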
@@ -85,6 +85,27 @@ The RTLO character reverses text direction, often used to disguise file extensio
 - Review and analyze system logs and security alerts to determine the extent of the compromise and identify any lateral movement or additional affected systems.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional containment measures are necessary.
 - Implement enhanced monitoring and detection rules to identify future attempts to use RTLO characters for masquerading, ensuring that similar threats are detected promptly."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_root_dir_ads_creation.toml b/rules/windows/defense_evasion_root_dir_ads_creation.toml
index 53311fc30f5..2c102ae46e8 100644
--- a/rules/windows/defense_evasion_root_dir_ads_creation.toml
+++ b/rules/windows/defense_evasion_root_dir_ads_creation.toml
@@ -2,7 +2,7 @@ creation_date = "2024/03/14"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
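Review bot: The RTLO rule's `setup` block (opened on the previous line, closed here) lists Elastic Defend, M365 Defender and SentinelOne Cloud Funnel, while the file header two lines up declares `integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]`, so the Windows integration is missing from the OR-list that the block tells users is exhaustive. The effect is that someone relying on Sysmon via the Windows integration is told the rule does not apply to them, contrary to the rule metadata. Add `- Windows` and a `### Windows Integration Setup` section linking the Windows integration docs (URL presumably `https://www.elastic.co/guide/en/integrations/current/windows.html` by analogy with the other sections — confirm). The query that would confirm which event types the rule needs is outside the hunk.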
@@ -86,6 +86,27 @@ Alternate Data Streams (ADS) in Windows allow files to contain multiple streams
 - Restore affected files from a known good backup to ensure system integrity and remove any compromised data.
 - Monitor network traffic for unusual patterns or connections that may indicate ongoing malicious activity or data exfiltration attempts.
 - Escalate the incident to the security operations center (SOC) or relevant IT security team for further investigation and to assess the need for broader organizational response measures."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
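Review bot: The ADS rule's new `setup` list omits the Windows integration although the previous line's header shows `integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]` for this file, so the documented set of supported sources disagrees with the declared one. Because the block states that the listed integrations are an OR of what is supported, an operator cannot tell from this text that Sysmon file events via the Windows integration are an option (the query that would settle it is outside the hunk). Add `- Windows` and a `### Windows Integration Setup` section linking the Windows integration documentation, following the `integrations/current/<name>.html` pattern of the existing links (confirm the exact page).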
diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml index 6979c9fba8b..9a998415f89 100644 --- a/rules/windows/defense_evasion_rundll32_no_arguments.toml +++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -123,6 +123,17 @@ sequence with maxspan=1h [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "rundll32.exe" ] by process.parent.entity_id ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_sc_sdset.toml b/rules/windows/defense_evasion_sc_sdset.toml index 3bb8cbf9a1c..0f8326f75d1 100644 --- a/rules/windows/defense_evasion_sc_sdset.toml +++ b/rules/windows/defense_evasion_sc_sdset.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/01/10" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
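Review bot: In the `@@ -123,6 +123,17 @@` hunk, the `setup` list holds the single entry `- Elastic Defend` followed by the multi-dataset OR note, while the preceding hunk on this line shows `integration = ["endpoint", "windows"]` for the same file, so the Windows integration is declared but undocumented and the "one of the following" phrasing has nothing to choose between. The visible query context is process-start events keyed on `process.parent.name`, which the Windows integration can also supply, though the full sequence is outside the hunk. Either add `- Windows` with a `### Windows Integration Setup` section (link presumably `https://www.elastic.co/guide/en/integrations/current/windows.html`, matching the other sections' URL pattern — confirm), or switch to the single-integration wording this diff uses for `endpoint`-only rules and remove the note.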
@@ -83,6 +83,32 @@ The `sc.exe` utility in Windows is used to manage services, including modifying
 - Implement additional monitoring on the affected system and similar systems to detect any further attempts to modify service DACLs, using enhanced logging and alerting mechanisms.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the attack is part of a larger campaign.
 - Review and update endpoint protection policies to prevent similar threats in the future, ensuring that all systems are equipped with the latest security patches and configurations."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- SentinelOne Cloud Funnel
+- M365 Defender
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_sccm_scnotification_dll.toml b/rules/windows/defense_evasion_sccm_scnotification_dll.toml
index 2e9bde60d3e..e27bee8632e 100644
--- a/rules/windows/defense_evasion_sccm_scnotification_dll.toml
+++ b/rules/windows/defense_evasion_sccm_scnotification_dll.toml
@@ -2,7 +2,7 @@ creation_date = "2024/04/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -70,6 +70,14 @@ CcmExec, part of Microsoft's System Center Configuration Manager, manages client
 - Investigate the source of the untrusted DLL and remove any unauthorized software or scripts that may have facilitated its introduction.
 - Implement application whitelisting to prevent unauthorized DLLs from being loaded by SCNotification.exe or other critical processes in the future.
 - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
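Review bot: The `sc.exe` rule's `setup` block, which starts on the previous line and closes here, lists Elastic Defend, SentinelOne Cloud Funnel, M365 Defender and CrowdStrike, but the file's header hunk (`integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende…`, truncated) declares the Windows integration, which never appears in the list or as a section. The array is cut off in the rendering, so I can only infer that `crowdstrike` is in it from the CrowdStrike section being present — worth confirming both ways. Within the block the vendor is spelled `CrowdStrike` in the list and `Crowdstrike FDR` in the heading and paragraph; pick one. Add `- Windows` plus a `### Windows Integration Setup` section linking the Windows integration docs (following the `integrations/current/<name>.html` link pattern — confirm the page).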
diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
index e809d1593fe..c05dd6bf212 100644
--- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
+++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
@@ -2,7 +2,7 @@ creation_date = "2020/11/23"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -80,6 +80,27 @@ The AT command, a legacy Windows utility, schedules tasks for execution, often u
 - Monitor network traffic and logs for any signs of data exfiltration or communication with known malicious IP addresses or domains.
 - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
 - Implement enhanced monitoring and alerting for similar registry changes across the network to detect and respond to future attempts promptly."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
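Review bot: The AT-protocol rule's new `setup` list (Elastic Defend, M365 Defender, SentinelOne Cloud Funnel) drops the Windows integration that the previous line's header declares in `integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]`, so the OR-list the block presents as the supported set is narrower than the rule metadata. The surrounding note text speaks of "similar registry changes", which is the kind of event Sysmon via the Windows integration typically supplies, though the query is outside the hunk and should be checked. Add `- Windows` and a `### Windows Integration Setup` section with a link to the Windows integration docs, following the `integrations/current/<name>.html` pattern used by the other sections (confirm the page).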
diff --git a/rules/windows/defense_evasion_script_via_html_app.toml b/rules/windows/defense_evasion_script_via_html_app.toml
index efb57856d50..5ad7c442959 100644
--- a/rules/windows/defense_evasion_script_via_html_app.toml
+++ b/rules/windows/defense_evasion_script_via_html_app.toml
@@ -4,7 +4,7 @@ integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -113,6 +113,22 @@ Microsoft HTML Applications (HTA) allow scripts to run in a trusted environment,
 - Restore the affected system from a known good backup if malicious activity is confirmed and cannot be fully remediated.
 - Implement network segmentation to limit the ability of similar threats to propagate across the network in the future.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or data have been compromised."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- SentinelOne Cloud Funnel
+- M365 Defender
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
index 0afe8f45790..8e68a9fd428 100644
--- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
+++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
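Review bot: This rule's `setup` block names only SentinelOne Cloud Funnel and M365 Defender, but the file header on the previous line declares `integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"…` (truncated), so the two integrations listed first — Windows and System — are exactly the ones the block leaves out, and there is no Elastic Defend entry to fall back on. An operator running Elastic Agent with the Windows and System integrations therefore reads that this HTA rule is unsupported on their stack, which the metadata and `min_stack_comments` ("Breaking change at 8.14.0 for the Windows Integration.") contradict. Add `- Windows` and `- System` with matching `### … Setup` sections linking their integration docs (presumably `integrations/current/windows.html` and `integrations/current/system.html`, by analogy with the existing links — confirm), and check whether the truncated array also names a further integration that needs a section. The query is outside the hunk.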
@@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -71,6 +71,27 @@ type = "eql" query = ''' file where host.os.type == "windows" and event.type == "change" and file.name : "*AAA.AAA" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_sip_provider_mod.toml b/rules/windows/defense_evasion_sip_provider_mod.toml index 04bde56d0d8..4af35a3fcad 100644 
--- a/rules/windows/defense_evasion_sip_provider_mod.toml
+++ b/rules/windows/defense_evasion_sip_provider_mod.toml
@@ -2,7 +2,7 @@ creation_date = "2021/01/20"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -83,6 +83,27 @@ Subject Interface Package (SIP) providers are integral to Windows' cryptographic - Review and update endpoint protection policies to ensure that similar unauthorized modifications are detected and blocked in the future. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Document the incident details, including the steps taken for containment and remediation, to enhance future response efforts and update threat intelligence databases.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
index 9a2b2cf07ba..a3496cce19c 100644
--- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
@@ -2,7 +2,7 @@ creation_date = "2020/12/14"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -92,6 +92,27 @@ SolarWinds software is integral for network management, often requiring deep sys - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach. - Implement enhanced monitoring on the affected system and similar environments to detect any future unauthorized registry changes, leveraging data sources like Sysmon and Microsoft Defender for Endpoint. - Review and update access controls and permissions for SolarWinds processes to limit their ability to modify critical system settings, reducing the risk of future exploitation.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. 
For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml index ae8a631e1a4..fd7869206f2 100644 --- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml +++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -138,6 +138,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.name : "certutil.exe" or ?process.pe.original_file_name == "CertUtil.exe") and process.args : ("?decode", "?encode", "?urlcache", "?verifyctl", "?encodehex", "?decodehex", "?exportPFX") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
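Review bot: The list at the top of the new setup block names the sources `M365 Defender` and `CrowdStrike`, but the subsections below are headed `Microsoft Defender for Endpoint Setup` and `Crowdstrike FDR Setup`, and they run in a different order from the list (Elastic Defend, SentinelOne, Crowdstrike, Microsoft Defender versus Elastic Defend, M365 Defender, SentinelOne, CrowdStrike). A reader looking for the section that matches a list entry has to reconcile two names and two orders. Either make the list entries match the headings (`- Microsoft Defender for Endpoint`, `- Crowdstrike FDR`) or reorder the subsections to follow the list. The same mismatch is in the `defense_evasion_suspicious_managedcode_host_process.toml`, `defense_evasion_suspicious_zoom_child_process.toml` and `defense_evasion_unusual_dir_ads.toml` hunks.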
diff --git a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml index 5d6f59d9c2b..5ef8f6517af 100644 --- a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml +++ b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/28" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -23,14 +23,6 @@ references = [ ] risk_score = 47 rule_id = "8a1d4831-3ce6-4859-9891-28931fa6101d" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "medium" tags = [ "Domain: Endpoint", 
@@ -87,6 +79,17 @@ In Windows environments, script interpreters and signed binaries are essential f - Update and patch the system to close any vulnerabilities that may have been exploited by the attacker. - Monitor for any recurrence of similar activities by enhancing logging and alerting mechanisms, focusing on process execution from non-standard directories. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml index f7dc5f1cb3b..b250a6d54b5 100644 --- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml +++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/21" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
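Review bot: The setup block lists a single integration under "one of the following integrations" and then carries the multi-dataset OR note, which has nothing to disambiguate with one entry; the other single-source rules in this commit (`defense_evasion_unsigned_dll_loaded_from_suspdir.toml`, `defense_evasion_untrusted_driver_loaded.toml`) use the terser `This rule requires data from the Elastic Defend integration.` and omit the note. Using that form here keeps the text consistent across rules; the same single-entry pattern appears in the `defense_evasion_suspicious_scrobj_load.toml` and `defense_evasion_suspicious_wmi_script.toml` hunks. Separately, this rule's `integration` array in the preceding hunk still lists `windows` alongside `endpoint`, so either the array or the new setup list is out of date and should be reconciled.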
@@ -85,6 +85,32 @@ Managed code hosting processes like wscript.exe, cscript.exe, and others are int - Collect and preserve relevant logs and forensic data from the affected system for further analysis and to aid in understanding the scope and impact of the incident. - Notify the security operations center (SOC) or incident response team to escalate the incident for further investigation and to determine if additional systems are affected. - Implement additional monitoring and detection rules to enhance visibility and prevent similar threats in the future, focusing on the specific processes and behaviors identified in the alert.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml index 5d6fd9988b6..2d1646465f2 100644 --- a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml +++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/11" integration = ["windows"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -104,14 +104,6 @@ references = [ ] risk_score = 73 rule_id = "2dd480be-1263-4d9c-8672-172928f6789a" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "high" tags = [ "Domain: Endpoint", diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml index b5b791d4e43..09f070d4b76 100644 --- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml +++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml 
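Review bot: The `@@ -104,14 +104,6 @@` hunk of `defense_evasion_suspicious_process_access_direct_syscall.toml` removes the `setup` block without adding a replacement, leaving this rule as the only one in the commit with no setup guidance, while every sibling gets a new block. Dropping the old text is defensible — it addressed stacks below 8.2 and the rule's `min_stack_version` is 8.14.0 — but with `integration = ["windows"]` a reader still has no pointer to the data source the query expects. I'd add a short setup section for the Windows integration in the same style as the other rules, or state in the commit description that this rule is intentionally left without one.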
@@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -92,6 +92,17 @@ The scrobj.dll is a legitimate Windows library used for executing scriptlets, of - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. - Implement application whitelisting to prevent unauthorized execution of scripts and binaries, focusing on the processes identified in the detection rule. - Update detection mechanisms to monitor for similar activities across the network, ensuring that any future attempts to exploit scrobj.dll are promptly identified and addressed.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_suspicious_short_program_name.toml b/rules/windows/defense_evasion_suspicious_short_program_name.toml index 68ef0312a42..b943ca2a7cf 100644 --- a/rules/windows/defense_evasion_suspicious_short_program_name.toml +++ b/rules/windows/defense_evasion_suspicious_short_program_name.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/15" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -113,6 +113,22 @@ query = ''' process where host.os.type == "windows" and event.type == "start" and length(process.name) > 0 and length(process.name) == 5 and length(process.pe.original_file_name) > 5 ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml index 1320e4cf3c8..c0795eaff24 100644 --- a/rules/windows/defense_evasion_suspicious_wmi_script.toml +++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -81,6 +81,17 @@ Windows Management Instrumentation Command-line (WMIC) is a powerful tool for ma - Restore the system from a known good backup if any critical system files or configurations have been altered. - Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml index 71b4c64cb85..d49dcd24163 100644 --- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml +++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 
 [transform]
 [[transform.osquery]]
@@ -129,6 +129,32 @@ query = ''' process where host.os.type == "windows" and event.type == "start" and process.parent.name : "Zoom.exe" and process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
index 81e748f1336..63c65d9e21a 100644
--- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
+++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
@@ -2,7 +2,7 @@ creation_date = "2020/08/19"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -125,6 +125,27 @@ file where host.os.type == "windows" and event.type != "deletion" and "userinit.exe", "LogonUI.exe") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml index ba8e90302ae..984c131f13f 100644 --- a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml +++ b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml 
@@ -2,7 +2,7 @@ creation_date = "2022/11/22" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -21,14 +21,6 @@ references = [ ] risk_score = 47 rule_id = "ca98c7cf-a56e-4057-a4e8-39603f7f0389" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "medium" tags = [ "Domain: Endpoint", @@ -160,6 +152,14 @@ DLL side-loading exploits the trust of signed executables to load malicious DLLs - Review and restore any altered system configurations or settings to their original state to ensure system integrity. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat has impacted other systems. - Implement additional monitoring and logging on the affected system and network to detect any recurrence or similar threats in the future.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_untrusted_driver_loaded.toml b/rules/windows/defense_evasion_untrusted_driver_loaded.toml index cdea35a2d56..9ba62379e30 100644 
--- a/rules/windows/defense_evasion_untrusted_driver_loaded.toml +++ b/rules/windows/defense_evasion_untrusted_driver_loaded.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" [transform] [[transform.osquery]] @@ -115,6 +115,14 @@ driver where host.os.type == "windows" and process.pid == 4 and dll.code_signature.trusted != true and not dll.code_signature.status : ("errorExpired", "errorRevoked", "errorCode_endpoint:*") ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml index c8905c48390..0db516cb4d9 100644 --- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml +++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -160,6 +160,27 @@ file where host.os.type == "windows" and event.type == "creation" and "wsh", "docx", "doc", "xlsx", "xls", "pptx", "ppt", "rtf", "gif", "jpg", "png", "bmp", "img", "iso" ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml index 2f097277e2f..be18146dc77 100644 --- a/rules/windows/defense_evasion_unusual_dir_ads.toml +++ b/rules/windows/defense_evasion_unusual_dir_ads.toml 
@@ -2,7 +2,7 @@
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -75,6 +75,32 @@ Alternate Data Streams (ADS) in Windows allow files to contain multiple data str
 - Restore any affected files or systems from known good backups to ensure system integrity.
 - Monitor the network for any unusual outbound traffic from the affected system that may indicate data exfiltration attempts.
 - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
index 28aae9651a0..21d9a553a45 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/28"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -84,6 +84,17 @@ Dllhost.exe is a legitimate Windows process used to host DLL services. Adversari
 - Restore the affected system from a known good backup to ensure that any potential backdoors or persistent threats are removed.
 - Implement network segmentation to limit the ability of similar threats to spread across the network in the future.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional organizational measures are required."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
index f18055065db..078baabc429 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
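Review bot: The added `setup` block uses the multi-integration template for a single entry: it says "one of the following integrations" and keeps the note about multiple datasets being an OR condition, yet lists only Elastic Defend, while this file's `integration` metadata is `["endpoint", "windows"]`. Either the Windows integration belongs in the list next to Elastic Defend, or the single-integration wording this commit uses for `integration = ["endpoint"]` rules (`This rule requires data from the Elastic Defend integration.`) should replace the list and the OR note. The same single-entry list with the OR note appears in the rundll32, unusual_process_network_connection and wsl_filesystem hunks of this chunk, all of which also carry `"windows"` in their metadata. As written, the guide reads as if the rule were Elastic Defend-only.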
@@ -83,6 +83,17 @@ sequence by host.id, process.entity_id with maxspan=1m
 "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8")]
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml
index 104bf15fb9a..03140f59319 100644
--- a/rules/windows/defense_evasion_unusual_process_network_connection.toml
+++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -91,6 +91,17 @@ sequence by process.entity_id
 process.name : "rcsi.exe" or process.name : "xwizard.exe")]
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
index b1eadcddb61..037eb93e474 100644
--- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
+++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -83,6 +83,27 @@ In Windows environments, the System process (PID 4) is a critical component resp
 - Restore the system from a known good backup if malicious activity is confirmed and cannot be fully remediated through other means.
 - Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for the affected system and similar environments to detect any recurrence of the threat, focusing on process creation events and anomalies related to the System process."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml
index 8abbc414825..a88a06d19ec 100644
--- a/rules/windows/defense_evasion_via_filter_manager.toml
+++ b/rules/windows/defense_evasion_via_filter_manager.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "m365_defender", "system"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -137,6 +137,22 @@ process where host.os.type == "windows" and event.type == "start" and
 )
 )
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml
index b420a15a18f..8858828a3d5 100644
--- a/rules/windows/defense_evasion_workfolders_control_execution.toml
+++ b/rules/windows/defense_evasion_workfolders_control_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/03/02"
 integration = ["windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -91,6 +91,27 @@ process where host.os.type == "windows" and event.type == "start" and
 "\\Device\\HarddiskVolume?\\Windows\\SysWOW64\\control.exe"
 )
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_wsl_bash_exec.toml b/rules/windows/defense_evasion_wsl_bash_exec.toml
index fcad58baebe..3146f857537 100644
--- a/rules/windows/defense_evasion_wsl_bash_exec.toml
+++ b/rules/windows/defense_evasion_wsl_bash_exec.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/13"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -101,6 +101,27 @@ Windows Subsystem for Linux (WSL) allows users to run Linux binaries natively on
 - Reset credentials for any accounts that may have been compromised, especially if sensitive files like /etc/shadow or /etc/passwd were accessed.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for WSL activities across the network to detect similar threats in the future, ensuring that alerts are promptly reviewed and acted upon."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_wsl_child_process.toml b/rules/windows/defense_evasion_wsl_child_process.toml
index cd43a1c7678..0967f8815e2 100644
--- a/rules/windows/defense_evasion_wsl_child_process.toml
+++ b/rules/windows/defense_evasion_wsl_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -108,6 +108,32 @@ Windows Subsystem for Linux (WSL) allows users to run Linux binaries natively on
 - Restore the system from a known good backup if malicious activity has compromised system integrity.
 - Update and patch the system to ensure all software, including WSL, is up to date to mitigate known vulnerabilities.
 - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
index d6481083cd5..56bd5fa1450 100644
--- a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
+++ b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/13"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -89,6 +89,32 @@ process where host.os.type == "windows" and event.type : "start" and
 (process.name : "Dism.exe" or ?process.pe.original_file_name == "DISM.EXE") and
 process.command_line : "*Microsoft-Windows-Subsystem-Linux*"
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_wsl_filesystem.toml b/rules/windows/defense_evasion_wsl_filesystem.toml
index f653d30cd3b..2e15bde193e 100644
--- a/rules/windows/defense_evasion_wsl_filesystem.toml
+++ b/rules/windows/defense_evasion_wsl_filesystem.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -81,6 +81,17 @@ Windows Subsystem for Linux (WSL) allows users to run a Linux environment direct
 - Update and patch the Windows Subsystem for Linux and related components to mitigate any known vulnerabilities that could be exploited.
 - Monitor for any recurrence of similar activities by setting up alerts for processes and file operations involving "dllhost.exe" and the Plan9FileSystem.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_wsl_kalilinux.toml b/rules/windows/defense_evasion_wsl_kalilinux.toml
index 3c99fb56080..4ea22c290cc 100644
--- a/rules/windows/defense_evasion_wsl_kalilinux.toml
+++ b/rules/windows/defense_evasion_wsl_kalilinux.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -96,6 +96,32 @@ Windows Subsystem for Linux (WSL) allows users to run Linux distributions on Win
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement additional monitoring and alerting for similar activities across the network, focusing on WSL usage and installation attempts of known penetration testing tools.
 - Review and update endpoint protection configurations to enhance detection and prevention capabilities against similar threats, leveraging data sources like Microsoft Defender for Endpoint and Sysmon."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/defense_evasion_wsl_registry_modification.toml b/rules/windows/defense_evasion_wsl_registry_modification.toml
index 912dbf47093..6b246b4abcc 100644
--- a/rules/windows/defense_evasion_wsl_registry_modification.toml
+++ b/rules/windows/defense_evasion_wsl_registry_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -86,6 +86,27 @@ query = '''
 registry where host.os.type == "windows" and event.type == "change" and registry.value : "PackageFamilyName" and registry.path : "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Lxss\\*\\PackageFamilyName"
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/discovery_active_directory_webservice.toml b/rules/windows/discovery_active_directory_webservice.toml
index 56600c5238b..2e456a24867 100644
--- a/rules/windows/discovery_active_directory_webservice.toml
+++ b/rules/windows/discovery_active_directory_webservice.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/01/31"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -79,6 +79,14 @@ Active Directory Web Service (ADWS) facilitates querying Active Directory (AD) o
 - Implement network segmentation to limit access to the ADWS port (9389) to only trusted systems and users.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Update and enhance monitoring rules to detect similar enumeration attempts in the future, focusing on unusual process behavior and network connections to critical services."""
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml
index 5f7fdd3601a..9a2f630e44e 100644
--- a/rules/windows/discovery_adfind_command_activity.toml
+++ b/rules/windows/discovery_adfind_command_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -102,6 +102,32 @@ process where host.os.type == "windows" and event.type == "start" and
 "objectcategory=attributeschema", "(objectcategory=attributeschema)", "domainlist", "dcmodes", "adinfo", "dclist", "computers_pwnotreqd", "trustdmp")
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 
 [[rule.threat]]
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
index c6859be0da9..097fd32d0a5 100644
--- a/rules/windows/discovery_admin_recon.toml
+++ b/rules/windows/discovery_admin_recon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows", "system", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -93,6 +93,27 @@ process where host.os.type == "windows" and event.type == "start" and
 ) ) and not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20")
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 
 [[rule.threat]]
diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml
index 6a9ece61262..12e5d4a9201 100644
--- a/rules/windows/discovery_command_system_account.toml
+++ b/rules/windows/discovery_command_system_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -48,14 +48,6 @@ This rule looks for the execution of account discovery utilities using the SYSTE
 """
 risk_score = 21
 rule_id = "2856446a-34e6-435b-9fb5-f8f040bfa7ed"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "low"
 tags = [
 "Domain: Endpoint",
@@ -81,6 +73,17 @@ process where host.os.type == "windows" and event.type == "start" and
 ) )
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 
 [[rule.threat]]
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
index fd505cadcf7..f41c375ce32 100644
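Review bot: The new `setup` text lists a single integration, Elastic Defend, but keeps the boilerplate `Note: This detection rule supports multiple datasets, but only one is required…`, which contradicts a one-item list; for single-source rules either drop that note or use the wording discovery_active_directory_webservice.toml gets in this same change, `This rule requires data from the Elastic Defend integration.`. The same single-item form appears in the execution_command_prompt_connecting_to_the_internet.toml hunk further down. The first hunk's `integration = ["endpoint", "windows"]` suggests Windows-integration (Sysmon) data is also an accepted source, so the list presumably should name it too. The removed block was also the only place telling operators that pre-8.2 non-Agent indexes lack `event.ingested`; if this rule still sets `timestamp_override = "event.ingested"` (it is visible in context for execution_command_shell_started_by_unusual_process.toml, whose old `setup` is removed the same way), that operational caveat is lost with no replacement.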
--- a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/27"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -91,6 +91,32 @@ process where host.os.type == "windows" and event.type == "start" and
 (process.name : "dsquery.exe" or ?process.pe.original_file_name: "dsquery.exe") and process.args : "*objectClass=trustedDomain*"
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 
 [[rule.threat]]
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
index 2ae2c9980bd..ef669c65038 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/05/31"
 integration = ["endpoint", "windows", "system", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -97,6 +97,27 @@ process where host.os.type == "windows" and event.type == "start" and
 not process.parent.name : "PDQInventoryScanner.exe" and not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20")
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 
 [[rule.threat]]
diff --git a/rules/windows/discovery_group_policy_object_discovery.toml b/rules/windows/discovery_group_policy_object_discovery.toml
index 383c06fb8ee..70b0278e5ef 100644
--- a/rules/windows/discovery_group_policy_object_discovery.toml
+++ b/rules/windows/discovery_group_policy_object_discovery.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/18"
 integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -85,6 +85,32 @@ query = '''
 process where host.os.type == "windows" and event.type == "start" and (process.name: "gpresult.exe" or ?process.pe.original_file_name == "gprslt.exe") and process.args: ("/z", "/v", "/r", "/x")
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 
 [[rule.threat]]
diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml
index 91b672472ac..0b29888c6c2 100644
--- a/rules/windows/discovery_peripheral_device.toml
+++ b/rules/windows/discovery_peripheral_device.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/02"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -81,6 +81,32 @@ process where host.os.type == "windows" and event.type == "start" and
 (process.name : "fsutil.exe" or ?process.pe.original_file_name == "fsutil.exe") and process.args : "fsinfo" and process.args : "drives"
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 
 [[rule.threat]]
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index 0ec10e4606e..fe0194a6bf1 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "system", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -109,6 +109,22 @@ process where host.os.type == "windows" and event.type == "start" and process.na
 process.parent.name : ("wsmprovhost.exe", "w3wp.exe", "wmiprvse.exe", "rundll32.exe", "regsvr32.exe") )
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 
 [[rule.threat]]
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
index 3cc541369c6..4537953e923 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/14"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -98,6 +98,32 @@ SolarWinds is a widely used IT management tool that can be targeted by adversari
 - Update and patch the SolarWinds software and any other vulnerable applications on the affected system to mitigate known vulnerabilities.
 - Implement application whitelisting to prevent unauthorized execution of command-line interpreters from SolarWinds processes.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 
 [[rule.threat]]
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
index a3ec450fcf1..32be4d65e6f 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/14"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
@@ -94,6 +94,22 @@ SolarWinds is a widely used IT management software that operates critical networ
 - Update all SolarWinds software and related components to the latest versions to patch any known vulnerabilities that could be exploited.
 - Implement enhanced monitoring on the affected system and similar environments to detect any recurrence of suspicious activity, focusing on unusual child processes spawned by SolarWinds services.
 - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if broader organizational impacts need to be addressed."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+"""
 
 [[rule.threat]]
diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml
index 5ae3834e292..819a1dbcec2 100644
--- a/rules/windows/execution_com_object_xwizard.toml
+++ b/rules/windows/execution_com_object_xwizard.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/20"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -101,6 +101,32 @@ The Windows Component Object Model (COM) facilitates communication between softw
 - Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited.
 - Monitor the network for any signs of similar activity or related threats, ensuring that detection systems are tuned to identify variations of this attack.
 - Escalate the incident to the security operations center (SOC) or relevant security team for further analysis and to determine if additional systems are affected."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 
 [[rule.threat]]
diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
index de4625a0534..017c8b89cd6 100644
--- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
+++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -137,6 +137,17 @@ sequence by process.entity_id
 "wpad", "localhost", "ocsp.comodoca.com", "ocsp.digicert.com", "ocsp.sectigo.com", "crl.comodoca.com" )]
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 
 [[rule.threat]]
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index 00d3e93161d..5693c74ddec 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -127,6 +127,27 @@ host.os.type:windows and event.category:process and event.type:start and process
 process.name:("cmd.exe" or "Cmd.exe" or "CMD.EXE") and not process.command_line : "\"cmd.exe\" /C sc control hptpsmarthealthservice 211"
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 
 [[rule.filters]]
 [rule.filters.meta]
diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml
index 40d0ede836f..571e99bbdcb 100644
--- a/rules/windows/execution_command_shell_started_by_unusual_process.toml
+++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 
 [rule]
 author = ["Elastic"]
@@ -16,14 +16,6 @@ license = "Elastic License v2"
 name = "Unusual Parent Process for cmd.exe"
 risk_score = 47
 rule_id = "3b47900d-e793-49e8-968f-c90dc3526aa1"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
@@ -94,6 +86,27 @@ Cmd.exe is a command-line interpreter on Windows systems, often used for legitim - Update and run a full antivirus and anti-malware scan on the affected system to detect and remove any additional threats. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for cmd.exe and its parent processes to detect similar anomalies in the future.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
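Review bot: The new setup block lists only Elastic Defend, SentinelOne Cloud Funnel and M365 Defender, yet this file's `integration` array (visible in the header of the preceding hunk) also declares `windows`, and the tags kept in that hunk still name `Data Source: Sysmon` and `Data Source: Elastic Endgame`, so a user following the setup text would not learn that Windows/Sysmon telemetry is a supported source. Either add a bullet and section for the Windows integration or, if the omission is deliberate, say so in one line so the list is not read as exhaustive. The same gap recurs in every hunk of this diff whose `integration` array contains `windows` or `system`: execution_command_shell_via_rundll32, execution_enumeration_via_wmiprvse, execution_from_unusual_path_cmdline, execution_html_help_executable_program_connecting_to_the_internet, execution_initial_access_foxmail_exploit, execution_initial_access_via_msc_file, execution_initial_access_wps_dll_exploit, execution_mofcomp, execution_pdf_written_file, execution_psexec_lateral_movement_command, execution_register_server_program_connecting_to_the_internet, execution_scheduled_task_powershell_source, execution_shared_modules_local_sxs_dll, and most sharply execution_powershell_susp_args_via_winscript, where `windows` and `system` are the first two integrations, `endpoint` is absent, and the setup names only SentinelOne and M365 Defender. Dropping the old `event.ingested` caveat in the previous hunk is fine given `min_stack_version = "8.14.0"`, so nothing from it needs restoring.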
diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml index ba8b8c5ee03..85c8895df78 100644 --- a/rules/windows/execution_command_shell_via_rundll32.toml +++ b/rules/windows/execution_command_shell_via_rundll32.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -78,6 +78,27 @@ RunDLL32 is a legitimate Windows utility used to execute functions in DLLs, ofte - Reset credentials for any user accounts that were active on the affected system during the time of the alert to prevent unauthorized access. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for rundll32.exe and related processes to detect similar activities in the future and improve response times.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml index 906e6cd1566..768deb306d4 100644 --- a/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml +++ b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -99,6 +99,14 @@ Ping, a network utility, can be misused by attackers to delay execution of malic - Restore the system from a known good backup if malware removal is not feasible or if the system's integrity is in question. - Implement application whitelisting to prevent unauthorized execution of scripts and binaries, focusing on the utilities identified in the alert. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_downloaded_shortcut_files.toml b/rules/windows/execution_downloaded_shortcut_files.toml index d4347a8e04b..1a8ebb440e9 100644 --- a/rules/windows/execution_downloaded_shortcut_files.toml +++ b/rules/windows/execution_downloaded_shortcut_files.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -66,6 +66,14 @@ Shortcut files (.lnk) are used in Windows environments to link to executable fil - Restore the system from a known good backup if any critical system files or configurations have been compromised. - Notify the security team and relevant stakeholders about the incident for awareness and further investigation. - Update security policies and rules to block similar phishing attempts in the future, such as restricting the execution of .lnk files from untrusted sources.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml index c667ef43f73..1feab15a9eb 100644 --- a/rules/windows/execution_downloaded_url_file.toml +++ b/rules/windows/execution_downloaded_url_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -68,6 +68,14 @@ URL shortcut files, typically used for quick access to web resources, can be exp - Review and analyze the network logs to identify any other systems that may have downloaded similar .url files and apply the same containment measures. - Escalate the incident to the security operations team for further investigation and to determine if there is a broader campaign targeting the organization. - Update security policies and endpoint protection configurations to block the download and execution of .url files from untrusted sources in the future.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml index 89da740cdd5..78cb3e6c01c 100644 --- a/rules/windows/execution_enumeration_via_wmiprvse.toml +++ b/rules/windows/execution_enumeration_via_wmiprvse.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -97,6 +97,32 @@ Windows Management Instrumentation (WMI) is a powerful framework for managing da - Restore the system from a known good backup if any malicious activity is confirmed and cannot be remediated through other means. - Implement additional monitoring on the affected system and network to detect any recurrence of similar suspicious activities. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat has spread to other systems.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml index efa858c22c5..cd2d5a51863 100644 --- a/rules/windows/execution_from_unusual_path_cmdline.toml +++ b/rules/windows/execution_from_unusual_path_cmdline.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/30" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
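Review bot: The heading `### Crowdstrike FDR Setup` and the sentence under it spell the vendor `Crowdstrike`, while the bullet list earlier in the same string says `CrowdStrike`; one spelling should be used for the heading, the body sentence and the link text, e.g. `### CrowdStrike FDR Setup` and `This rule is compatible with telemetry generated by CrowdStrike FDR.`. The identical string is added in execution_initial_access_foxmail_exploit and execution_mofcomp, so the fix belongs in whatever template produces it rather than in each file.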
@@ -234,6 +234,27 @@ process where host.os.type == "windows" and event.type == "start" and "?:\\Windows\\System32\\igfxCUIService.exe", "?:\\Windows\\Temp\\IE*.tmp\\IE*-support\\ienrcore.exe")) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml index bcdefc39bd2..5d16e438106 100644 --- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml +++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -136,6 +136,17 @@ sequence by process.entity_id "FE80::/10", "FF00::/8") and not dns.question.name : "localhost"] ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_initial_access_foxmail_exploit.toml b/rules/windows/execution_initial_access_foxmail_exploit.toml index b84a036135b..cad8804dcaf 100644 --- a/rules/windows/execution_initial_access_foxmail_exploit.toml +++ b/rules/windows/execution_initial_access_foxmail_exploit.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m3 maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
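Review bot: In the `@@ -136,6 +136,17 @@` hunk the setup text uses the multi-source template — `This rule requires data from one of the following integrations:`, a single bullet, and the `Note: This detection rule supports multiple datasets, but only one is required...` sentence — although only Elastic Defend is listed, so the note about an OR condition has nothing to refer to. The single-source rules elsewhere in this diff (execution_delayed_via_ping_lolbas_unsigned, execution_downloaded_shortcut_files, execution_downloaded_url_file, execution_ms_office_written_file) use the one-line form; for consistency replace the intro, bullet and note with `This rule requires data from the Elastic Defend integration.`. The same mismatch appears in execution_initial_access_wps_dll_exploit, execution_pdf_written_file, execution_psexec_lateral_movement_command, execution_register_server_program_connecting_to_the_internet and execution_scheduled_task_powershell_source. If the multi-source template was chosen because the `windows` integration declared in this file's `integration` array is meant to be a second source, the bullet list should name it instead.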
@@ -89,6 +89,32 @@ Foxmail, a popular email client, can be exploited by adversaries to gain initial - Apply any available security patches or updates to Foxmail and the operating system to mitigate known vulnerabilities and prevent future exploitation. - Monitor the network and systems for any signs of lateral movement or additional compromise, using indicators of compromise (IOCs) identified during the investigation. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional actions are required based on the scope and impact of the threat.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_initial_access_via_msc_file.toml b/rules/windows/execution_initial_access_via_msc_file.toml index 38df66142d3..005dc3118c6 100644 --- a/rules/windows/execution_initial_access_via_msc_file.toml +++ b/rules/windows/execution_initial_access_via_msc_file.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/12" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/17" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -66,6 +66,27 @@ process where host.os.type == "windows" and event.type == "start" and process.parent.executable : "?:\\Windows\\System32\\mmc.exe" and endswith~(process.parent.args, ".msc") and not process.parent.args : ("?:\\Windows\\System32\\*.msc", "?:\\Windows\\SysWOW64\\*.msc", "?:\\Program files\\*.msc", "?:\\Program Files (x86)\\*.msc") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_initial_access_wps_dll_exploit.toml b/rules/windows/execution_initial_access_wps_dll_exploit.toml index fb3d4878c02..64b2562208d 100644 --- a/rules/windows/execution_initial_access_wps_dll_exploit.toml 
+++ b/rules/windows/execution_initial_access_wps_dll_exploit.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -86,6 +86,17 @@ DLL hijacking exploits the way applications load dynamic link libraries (DLLs), - Apply patches or updates for WPS Office to address the vulnerabilities CVE-2024-7262 and CVE-2024-7263, ensuring that the software is up to date and less susceptible to exploitation. - Monitor for any further suspicious activity related to the ksoqing protocol or similar DLL hijacking attempts, using enhanced logging and alerting mechanisms. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_mofcomp.toml b/rules/windows/execution_mofcomp.toml index a20ec6e9ab6..18e01ab272f 100644 --- a/rules/windows/execution_mofcomp.toml +++ b/rules/windows/execution_mofcomp.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -86,6 +86,27 @@ Mofcomp.exe is a tool used to compile Managed Object Format (MOF) files, which d - Restore the system from a known good backup if unauthorized changes to the WMI repository or system files are detected. - Monitor for any recurrence of similar activity by setting up alerts for unusual mofcomp.exe executions and unauthorized WMI modifications. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml index 979a2d927a3..7a9cb5ac6ed 100644 --- a/rules/windows/execution_ms_office_written_file.toml +++ b/rules/windows/execution_ms_office_written_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint"] maturity = "production" -updated_date = "2024/08/06" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -94,6 +94,14 @@ sequence with maxspan=2h not (process.name : "ShareFileForOutlook-v*.exe" and process.code_signature.subject_name : "Citrix Systems, Inc." and process.code_signature.trusted == true) ] by host.id, process.executable ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml index e4f0ffccc51..f6b302b8f4a 100644 --- a/rules/windows/execution_pdf_written_file.toml +++ b/rules/windows/execution_pdf_written_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -102,6 +102,17 @@ sequence with maxspan=2h ] by host.id, file.path [process where host.os.type == "windows" and event.type == "start"] by host.id, process.executable ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_powershell_susp_args_via_winscript.toml b/rules/windows/execution_powershell_susp_args_via_winscript.toml index f047239b766..6ffc0e5009d 100644 --- a/rules/windows/execution_powershell_susp_args_via_winscript.toml +++ b/rules/windows/execution_powershell_susp_args_via_winscript.toml @@ -4,7 +4,7 @@ integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender" maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -79,6 +79,22 @@ PowerShell, a powerful scripting language in Windows, is often targeted by adver - Restore the system from a known good backup if any critical system files or configurations have been altered by the malicious activity. - Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- SentinelOne Cloud Funnel +- M365 Defender + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml index 4b9ca9d1175..92db686b115 100644 --- a/rules/windows/execution_psexec_lateral_movement_command.toml +++ b/rules/windows/execution_psexec_lateral_movement_command.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -90,6 +90,17 @@ sequence by process.entity_id not process.parent.executable : "?:\\Program Files (x86)\\Cynet\\Cynet Scanner\\CynetScanner.exe"] [network where host.os.type == "windows" and process.name : "PsExec.exe"] ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml index fd36af956e9..d5997e8af46 100644 --- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml +++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -139,6 +139,17 @@ sequence by process.entity_id "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8") and network.protocol != "dns"] ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml index 342cf86e9e1..ef15207a340 100644 --- a/rules/windows/execution_scheduled_task_powershell_source.toml +++ b/rules/windows/execution_scheduled_task_powershell_source.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/15" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -80,6 +80,17 @@ PowerShell, a powerful scripting language in Windows, can automate tasks via the - Reset credentials for any accounts that were used or potentially compromised during the incident to prevent unauthorized access. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the attack. - Implement enhanced monitoring for similar PowerShell and scheduled task activities across the network to detect and respond to future threats promptly.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml index f492ba75def..351c83651d6 100644 --- a/rules/windows/execution_shared_modules_local_sxs_dll.toml +++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/28" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -44,6 +44,27 @@ type = "eql" query = ''' file where host.os.type == "windows" and file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml index 1e94cbd2b8d..f5f32ede663 100644 --- a/rules/windows/execution_suspicious_cmd_wmi.toml +++ b/rules/windows/execution_suspicious_cmd_wmi.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -91,6 +91,32 @@ Windows Management Instrumentation (WMI) is a powerful framework for managing da - Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited. - Enhance monitoring and logging for WMI activities across the network to detect similar threats in the future, ensuring that logs are retained for an adequate period for forensic purposes. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been compromised.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml index be4da0bf53a..df9d1acdce9 100644 --- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml +++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -23,14 +23,6 @@ references = [ ] risk_score = 21 rule_id = "891cb88e-441a-4c3e-be2d-120d99fe7b0d" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "low" tags = [ "Domain: Endpoint", 
@@ -85,6 +77,17 @@ Windows Management Instrumentation (WMI) is a powerful framework for managing da - Restore the system from a known good backup if malicious activity has compromised system integrity or data. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for WMI activity and Microsoft Office processes to detect similar threats in the future.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml index 20a79ff7b30..f24e72ade1e 100644 --- a/rules/windows/execution_suspicious_pdf_reader.toml +++ b/rules/windows/execution_suspicious_pdf_reader.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/30" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -111,6 +111,32 @@ process where host.os.type == "windows" and event.type == "start" and "forfiles.exe", "schtasks.exe", "regasm.exe", "regsvcs.exe", "cmd.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "wmic.exe", "wscript.exe", "bitsadmin.exe", "certutil.exe", "ftp.exe") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml index 9a59c84b8db..840d7e4ca0b 100644 --- a/rules/windows/execution_suspicious_powershell_imgload.toml +++ b/rules/windows/execution_suspicious_powershell_imgload.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["endpoint"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -92,6 +92,14 @@ host.os.type:windows and event.category:library and process.code_signature.subject_name:"Chocolatey Software, Inc." and process.code_signature.trusted:true ) and not process.executable.caseless : "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml index ba63a982901..19d51845f37 100644 --- a/rules/windows/execution_suspicious_psexesvc.toml +++ b/rules/windows/execution_suspicious_psexesvc.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -70,6 +70,22 @@ query = ''' process where host.os.type == "windows" and event.type == "start" and process.pe.original_file_name : "psexesvc.exe" and not process.name : "PSEXESVC.exe" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml index 7e4d4e6316e..1e2ed1eda28 100644 --- a/rules/windows/execution_via_compiled_html_file.toml +++ b/rules/windows/execution_via_compiled_html_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -143,6 +143,32 @@ process where host.os.type == "windows" and event.type == "start" and process.parent.name : "hh.exe" and process.name : ("mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "cscript.exe", "wscript.exe") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml index 0ce73c893f8..35ecdfdec05 100644 --- a/rules/windows/execution_via_hidden_shell_conhost.toml +++ b/rules/windows/execution_via_hidden_shell_conhost.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/17" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -98,6 +98,27 @@ process where host.os.type == "windows" and event.type == "start" and "?:\\WINDOWS\\system32\\PcaSvc.dll,PcaPatchSdbTask", "?:\\WINDOWS\\system32\\davclnt.dll,DavSetCookie")) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_via_mmc_console_file_unusual_path.toml b/rules/windows/execution_via_mmc_console_file_unusual_path.toml index 3dbd41d9eeb..0a23928f2f3 100644 --- a/rules/windows/execution_via_mmc_console_file_unusual_path.toml +++ b/rules/windows/execution_via_mmc_console_file_unusual_path.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -96,6 +96,32 @@ Microsoft Management Console (MMC) is a Windows utility that provides a framewor - Restore the system from a known good backup if any unauthorized changes or damage is detected. - Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. 
For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_windows_cmd_shell_susp_args.toml b/rules/windows/execution_windows_cmd_shell_susp_args.toml index b3c492dadc3..9b61c068350 100644 --- a/rules/windows/execution_windows_cmd_shell_susp_args.toml +++ b/rules/windows/execution_windows_cmd_shell_susp_args.toml @@ -4,7 +4,7 @@ integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender" maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
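Review bot: The integration bullets in this setup block are ordered `Elastic Defend, SentinelOne Cloud Funnel, M365 Defender, CrowdStrike`, whereas the other four-source hunks in this commit (L268, L271, L274, L288) order them `Elastic Defend, M365 Defender, SentinelOne Cloud Funnel, CrowdStrike`, and the `###` sections below follow a third order (Elastic, SentinelOne, Crowdstrike, Microsoft) in every one of them. Because this text is rendered to operators as the rule's setup guidance, one bullet order that matches the section order would make the blocks scan consistently across rules. The vendor name is also spelled two ways inside the same block, `- CrowdStrike` in the bullet versus `### Crowdstrike FDR Setup` and `Crowdstrike FDR` in the section body; the vendor's own spelling is CrowdStrike, so a shared template should settle on that form, here and in the hunks at L268, L271, L274, L282 and L288.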
@@ -140,6 +140,22 @@ The Windows Command Shell (cmd.exe) is a critical component for executing comman - Analyze the command-line arguments and parent processes involved in the alert to understand the scope and origin of the threat, and identify any additional compromised systems. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional containment measures are necessary. - Implement additional monitoring and detection rules to identify similar suspicious command-line activities in the future, enhancing the organization's ability to detect and respond to such threats promptly.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- SentinelOne Cloud Funnel +- M365 Defender + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_windows_powershell_susp_args.toml b/rules/windows/execution_windows_powershell_susp_args.toml index 243c923f96d..e9d04a88894 100644 --- a/rules/windows/execution_windows_powershell_susp_args.toml +++ b/rules/windows/execution_windows_powershell_susp_args.toml 
@@ -4,7 +4,7 @@ integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender" maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -142,6 +142,27 @@ PowerShell is a powerful scripting language and command-line shell used for task - Restore any affected files or system components from known good backups to ensure system integrity and functionality. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised. - Implement additional monitoring and logging for PowerShell activities across the network to enhance detection of similar threats in the future.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- SentinelOne Cloud Funnel +- M365 Defender +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/execution_windows_script_from_internet.toml b/rules/windows/execution_windows_script_from_internet.toml index 828b9b149c2..c25cfeeac42 100644 
--- a/rules/windows/execution_windows_script_from_internet.toml +++ b/rules/windows/execution_windows_script_from_internet.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Mark of The Web enrichment was added to Elastic Defend file events in 8.15.0." min_stack_version = "8.15.0" -updated_date = "2025/02/14" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -81,6 +81,14 @@ Windows scripts, often used for legitimate automation tasks, can be exploited by - Review and analyze the origin URL and referrer URL of the downloaded script to identify potential malicious websites or compromised sources, and block these URLs at the network level. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement application whitelisting to restrict the execution of unauthorized scripts and scripting utilities, reducing the risk of similar threats in the future.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/exfiltration_smb_rare_destination.toml b/rules/windows/exfiltration_smb_rare_destination.toml index 68dd5e0a326..11ef6b694f6 100644 --- a/rules/windows/exfiltration_smb_rare_destination.toml +++ b/rules/windows/exfiltration_smb_rare_destination.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/12/04" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -115,6 +115,27 @@ Server Message Block (SMB) is a protocol used for sharing files and printers wit - Implement network segmentation to limit SMB traffic to only necessary internal communications, reducing the risk of external exposure. - Enhance monitoring and logging for SMB traffic, particularly for connections to external IPs, to detect and respond to future anomalies more effectively. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/impact_backup_file_deletion.toml b/rules/windows/impact_backup_file_deletion.toml index 1e0c2a2c735..fc23b943684 100644 --- a/rules/windows/impact_backup_file_deletion.toml +++ b/rules/windows/impact_backup_file_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/01" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/10" +updated_date = "2025/02/24" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." @@ -62,14 +62,6 @@ This rule identifies file deletions performed by a process that does not belong references = ["https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love"] risk_score = 47 rule_id = "11ea6bec-ebde-4d71-a8e9-784948f8e3e9" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "medium" tags = [ "Domain: Endpoint", 
@@ -114,6 +106,22 @@ file where host.os.type == "windows" and event.type == "deletion" and "?:\\$RECYCLE.BIN\\*" ) '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
index ef7a9c714fb..914c697d345 100644
--- a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
+++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -91,6 +91,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.name : "wbadmin.exe" or ?process.pe.original_file_name == "WBADMIN.EXE") and process.args : "catalog" and process.args : "delete" '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
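Review bot: The integrations enumerated in the new `setup` string do not match the file's own `integration` metadata: the `@@ -2,7` hunk of this file lists `["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]`, while the list under `This rule requires data from one of the following integrations:` names only Elastic Defend, M365 Defender, SentinelOne Cloud Funnel and CrowdStrike, so anyone feeding this rule from the Windows or System integration gets no setup guidance. The same gap is in the setup hunks for impact_modification_of_boot_config, the three impact_volume_shadow_copy_deletion rules and initial_access_execution_from_inetcache, and (for `windows` only) impact_high_freq_file_renames_by_kernel, initial_access_execution_via_office_addins and initial_access_exfiltration_first_time_seen_usb. Either extend the list with the missing sources, e.g. `+- Windows` and `+- System` plus a matching `###` subsection, or state in the commit that those datasets are intentionally left undocumented. Minor style point: the heading `### Crowdstrike FDR Setup` and its sentence write the vendor as `Crowdstrike` while the list entry uses `CrowdStrike`; one spelling should be used throughout.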
diff --git a/rules/windows/impact_high_freq_file_renames_by_kernel.toml b/rules/windows/impact_high_freq_file_renames_by_kernel.toml
index f7f1fab038e..f40e43ec810 100644
--- a/rules/windows/impact_high_freq_file_renames_by_kernel.toml
+++ b/rules/windows/impact_high_freq_file_renames_by_kernel.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/03"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/28"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -83,6 +83,27 @@ query = ''' event.category:file and host.os.type:windows and process.pid:4 and event.action:creation and file.name:(*read*me* or *README* or *lock* or *LOCK* or *how*to* or *HOW*TO* or *@* or *recover* or *RECOVER* or *decrypt* or *DECRYPT* or *restore* or *RESTORE* or *FILES_BACK* or *files_back*) '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/impact_modification_of_boot_config.toml b/rules/windows/impact_modification_of_boot_config.toml
index ca19fcf0a17..919843cd528 100644
--- a/rules/windows/impact_modification_of_boot_config.toml
+++ b/rules/windows/impact_modification_of_boot_config.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/16"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -94,6 +94,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.args : "no" and process.args : "recoveryenabled") ) '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/impact_ransomware_file_rename_smb.toml b/rules/windows/impact_ransomware_file_rename_smb.toml
index 7f585c29ae5..d817b7976b9 100644
--- a/rules/windows/impact_ransomware_file_rename_smb.toml
+++ b/rules/windows/impact_ransomware_file_rename_smb.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/14"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -78,6 +78,14 @@ sequence by host.id with maxspan=1s file.Ext.original.name : ("*.jpg", "*.bmp", "*.png", "*.pdf", "*.doc", "*.docx", "*.xls", "*.xlsx", "*.ppt", "*.pptx", "*.lnk") and not file.extension : ("jpg", "bmp", "png", "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "*.lnk")] with runs=3 '''
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/impact_ransomware_note_file_over_smb.toml b/rules/windows/impact_ransomware_note_file_over_smb.toml
index 392a87fdba2..5361334694e 100644
--- a/rules/windows/impact_ransomware_note_file_over_smb.toml
+++ b/rules/windows/impact_ransomware_note_file_over_smb.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/14"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
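Review bot: In the query context retained by the `@@ -78,6 +78,14 @@` hunk of impact_ransomware_file_rename_smb.toml, the `not file.extension : (...)` exclusion ends with `"*.lnk"` while every other entry is a bare extension (`"jpg"`, `"bmp"`, ...); `file.extension` carries the extension without a dot, so that pattern presumably never matches and a `.lnk` to `.lnk` rename is not excluded the way the other types are. If the intent mirrors the `file.Ext.original.name` list, the entry should read `"lnk"`. This is pre-existing rather than introduced here, but the rule is being touched and re-dated in this commit, so it is a cheap fix to fold in. The `sequence by host.id` query begins outside the hunk.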
@@ -78,6 +78,14 @@ sequence by host.id with maxspan=1s /* ransom file name keywords */ file.name : ("*read*me*", "*lock*", "*@*", "*RECOVER*", "*decrypt*", "*restore*file*", "*FILES_BACK*", "*how*to*")] with runs=3 '''
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/impact_stop_process_service_threshold.toml b/rules/windows/impact_stop_process_service_threshold.toml
index e0b021c713f..765e69ed7f9 100644
--- a/rules/windows/impact_stop_process_service_threshold.toml
+++ b/rules/windows/impact_stop_process_service_threshold.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system"]
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -78,6 +78,17 @@ event.category:process and host.os.type:windows and event.type:start and process process.args:(stop or pause or delete or "/PID" or "/IM" or "/T" or "/F" or "/t" or "/f" or "/im" or "/pid") and not process.parent.name:osquerybeat.exe '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
index 9e46ab442d5..f0da58db31c 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
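Review bot: The new `setup` block of impact_stop_process_service_threshold.toml uses the multi-source template but lists a single entry, `+- Elastic Defend`, under `This rule requires data from one of the following integrations:` and then keeps `Note: This detection rule supports multiple datasets, but only one is required ...`, which contradicts itself. The `@@ -4,7 +4,7 @@` hunk of the same file shows `integration = ["endpoint", "windows", "system"]`, so the Windows and System integrations are presumably the other supported datasets and should appear in the list with their own setup subsections; otherwise the block should use the single-integration wording this commit uses elsewhere, `This rule requires data from the Elastic Defend integration.`, and drop the Note. The KQL query whose tail appears on the `@@` line starts outside the hunk.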
@@ -109,6 +109,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.name : "vssadmin.exe" or ?process.pe.original_file_name == "VSSADMIN.EXE") and process.args : ("delete", "resize") and process.args : "shadows*" '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
index 7128d3f9782..cc58d18ae47 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -116,6 +116,32 @@ process where host.os.type == "windows" and event.type == "start" and process.args : ("*Win32_ShadowCopy*") and process.args : ("*.Delete()*", "*Remove-WmiObject*", "*rwmi*", "*Remove-CimInstance*", "*rcim*") '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
index 69440e7f126..c95dc017cff 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -110,6 +110,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.name : "WMIC.exe" or ?process.pe.original_file_name == "wmic.exe") and process.args : "delete" and process.args : "shadowcopy" '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
index 83b0ab0edd9..eee5d0fa256 100644
--- a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
+++ b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -54,14 +54,6 @@ HTML files, typically used for web content, can be exploited by adversaries to s
 This rule may have a low to medium performance impact due variety of file paths potentially matching each EQL sequence."""
 risk_score = 47
 rule_id = "f0493cb4-9b15-43a9-9359-68c23a7f2cf3"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
 tags = [
 "Domain: Endpoint",
@@ -107,6 +99,14 @@ sequence by user.id with maxspan=2m "?:\\Users\\*\\AppData\\Local\\Temp\\7z*.htm*", "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*.htm*")] '''
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/initial_access_execution_from_inetcache.toml b/rules/windows/initial_access_execution_from_inetcache.toml
index c0d363686dd..b1d5c0bd0df 100644
--- a/rules/windows/initial_access_execution_from_inetcache.toml
+++ b/rules/windows/initial_access_execution_from_inetcache.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/02/14"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -97,6 +97,32 @@ The INetCache folder stores temporary internet files, which can be exploited by
 - Review and analyze recent email logs and web browsing history to identify potential phishing attempts or malicious downloads that may have led to the initial compromise.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for the INetCache directory and related processes to detect similar threats in the future."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/initial_access_execution_from_removable_media.toml b/rules/windows/initial_access_execution_from_removable_media.toml
index 839778a74ba..b7dd16ae474 100644
--- a/rules/windows/initial_access_execution_from_removable_media.toml
+++ b/rules/windows/initial_access_execution_from_removable_media.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/09/27"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -76,6 +76,14 @@ Removable media, like USB drives, are often used for data transfer but can be ex
 - Collect and preserve relevant logs and forensic evidence from the affected system and removable media for further analysis and potential legal action.
 - Escalate the incident to the security operations center (SOC) or incident response team for a comprehensive investigation and to determine if other systems may be affected.
 - Implement enhanced monitoring and alerting for similar activities, focusing on process executions from removable media and unauthorized network connection attempts."""
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/initial_access_execution_remote_via_msiexec.toml b/rules/windows/initial_access_execution_remote_via_msiexec.toml
index 313b2343f65..e06c19281c7 100644
--- a/rules/windows/initial_access_execution_remote_via_msiexec.toml
+++ b/rules/windows/initial_access_execution_remote_via_msiexec.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/09/28"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -97,6 +97,14 @@ MSIEXEC, the Windows Installer, facilitates software installation, modification,
 - Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. This includes applying all relevant Windows updates and security patches.
 - Enhance monitoring and logging on the affected system and network to detect any similar future attempts. Ensure that all relevant security events are being captured and analyzed.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. Provide them with all relevant logs and findings for a comprehensive analysis."""
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/initial_access_execution_via_office_addins.toml b/rules/windows/initial_access_execution_via_office_addins.toml
index 153315f0ba3..f29835b5ebd 100644
--- a/rules/windows/initial_access_execution_via_office_addins.toml
+++ b/rules/windows/initial_access_execution_via_office_addins.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/03/20"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -116,6 +116,27 @@ Microsoft Office Add-Ins enhance productivity by integrating additional features
 - Restore the system from a known good backup if the integrity of the system is compromised and cannot be assured through cleaning alone.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement additional monitoring and alerting for similar suspicious activities to enhance detection and response capabilities for future incidents."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
index e1355901be6..640a51593be 100644
--- a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
+++ b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funne
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -84,6 +84,27 @@ Removable devices, like USB drives, are common in Windows environments for data - Notify the security team and relevant stakeholders about the incident, providing details of the device and any identified threats. - Implement a temporary block on the use of removable devices across the network until the threat is fully contained and remediated. - Enhance monitoring and detection capabilities by updating security tools and rules to better identify similar threats in the future, focusing on registry changes and device connections.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
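Review bot: The new `setup` block lists only Elastic Defend, M365 Defender and SentinelOne Cloud Funnel, but this file's metadata hunk above keeps `integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funne…"]`, so the Windows integration is advertised as a data source yet never explained to the operator who reads the setup guide. Either add a `- Windows` bullet with a short `### Windows Integration Setup` subsection linking the Windows integration documentation, or drop `windows` from `integration` if the query cannot run on that data. The rule query and its index patterns are outside this hunk, so confirm which of the two is correct before editing.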
diff --git a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml index e5635dbfb0b..1062ed8d7c8 100644 --- a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml +++ b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/24" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -108,6 +108,27 @@ JetBrains TeamCity is a continuous integration and deployment server used to aut - Restore the affected system from a clean backup taken before the suspicious activity was detected, ensuring no remnants of the exploit remain. - Monitor network traffic and system logs for any signs of continued or related suspicious activity, focusing on the indicators identified in the detection rule. - Escalate the incident to the security operations center (SOC) or relevant IT security team for further investigation and to assess the need for additional security measures.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
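Review bot: The setup bullets added here do not mention the Windows or System integrations, although the metadata hunk above for this file declares `integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]`. An operator following only the setup text would conclude that endpoint-vendor telemetry is the sole supported source. Add bullets and one-line subsections for those integrations (or remove them from `integration`) so the metadata and the operator-facing guidance agree; the query's index patterns are not visible in this hunk, so check them first.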
diff --git a/rules/windows/initial_access_rdp_file_mail_attachment.toml b/rules/windows/initial_access_rdp_file_mail_attachment.toml index f0bf748ded6..8bb489b5064 100644 --- a/rules/windows/initial_access_rdp_file_mail_attachment.toml +++ b/rules/windows/initial_access_rdp_file_mail_attachment.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/05" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -95,6 +95,27 @@ Remote Desktop Protocol (RDP) allows users to connect to and control a computer - Reset credentials for any accounts that were used to open the suspicious RDP files, ensuring that new passwords are strong and unique. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised. - Implement enhanced monitoring and logging for RDP activities across the network to detect and respond to similar threats more effectively in the future.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
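Review bot: The `setup` text lists three integrations while this file's metadata (hunk above) lists five, including `"windows"` and `"system"`; the two now disagree about what data powers the rule. Add `- Windows` / `- System` bullets with brief pointers to their integration documentation, or trim `integration` to what the setup guide actually documents. I cannot see the query's index list here, so verify which sources the query really reads before choosing.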
diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml index 58ba10b2d4f..6ee11eeac3d 100644 --- a/rules/windows/initial_access_script_executing_powershell.toml +++ b/rules/windows/initial_access_script_executing_powershell.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -96,6 +96,27 @@ process where host.os.type == "windows" and event.type == "start" and process.parent.args : "?:\\ProgramData\\intune-drive-mapping-generator\\DriveMapping.ps1" ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml index 9676c40e1b9..3c1021f9dcd 100644 --- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml +++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml 
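Review bot: The new setup block for `initial_access_script_executing_powershell.toml` omits the Windows integration that the file's metadata hunk above still lists in `integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]`. Because the note states that "Listed indexes and integrations should be interpreted as an OR condition", a reader will take the setup bullets as the complete list and may not onboard Windows integration data at all. Add a `- Windows` bullet and subsection, or remove `windows` from `integration`, so the two stay in sync.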
@@ -2,7 +2,7 @@ creation_date = "2020/11/27" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -104,6 +104,17 @@ Windows Management Instrumentation (WMI) is a powerful Windows feature that allo - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger campaign. - Implement additional monitoring and alerting for similar activities across the network, focusing on WMI-based script execution and non-standard process launches. - Review and update endpoint protection policies to block or alert on the execution of high-risk processes like those listed in the detection query, especially when initiated by non-system accounts.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml index 07be27f4b51..88e9c8162e2 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml 
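Review bot: In the `setup` block added to `initial_access_scripts_process_started_via_wmi.toml`, `This rule requires data from one of the following integrations:` is followed by a single `- Elastic Defend` bullet and then the multi-dataset OR-condition `Note:`, which is misleading with only one entry. This same commit uses the simpler form `This rule requires data from the Elastic Defend integration.` for single-source rules (see the `initial_access_xsl_script_execution_via_com.toml` hunk later in the diff); use that sentence here and drop the Note. Separately, the metadata hunk above keeps `integration = ["endpoint", "windows"]`, yet the Windows integration is not documented in setup — either add a Windows subsection or remove it from `integration`.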
@@ -2,7 +2,7 @@ creation_date = "2021/03/04" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -76,6 +76,27 @@ file where host.os.type == "windows" and event.type == "creation" and not file.name : "TimeoutLogoff.aspx") ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
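Review bot: The setup section added to `initial_access_suspicious_ms_exchange_files.toml` does not document the Windows integration although the metadata hunk directly above keeps `integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]`. Since the setup text is what an operator follows when onboarding, the list of supported sources should match the metadata; add a `- Windows` bullet with a short subsection, or drop `windows` from `integration`. The file-creation query this rule runs is only partly visible here, so confirm whether Windows integration events satisfy it.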
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml index 2ab66ef3731..1c998cb3667 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/04" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -118,6 +118,32 @@ Microsoft Exchange Server's Unified Messaging (UM) integrates voice messaging wi - Restore the server from a known good backup taken before the suspicious activity was detected, ensuring that the backup is free from compromise. - Implement enhanced monitoring and alerting for any future suspicious processes spawned by the UM service, using the detection rule as a baseline. - Escalate the incident to the organization's security operations center (SOC) or incident response team for further investigation and to determine if additional systems may be affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml index 8ed1234cc95..a3310cb8a99 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/08" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
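Review bot: The setup block added to `initial_access_suspicious_ms_exchange_process.toml` spells the vendor `Crowdstrike` in the `### Crowdstrike FDR Setup` heading and body but `CrowdStrike` in the bullet list two paragraphs earlier; pick one spelling (the vendor's own is `CrowdStrike`) for the heading, e.g. `### CrowdStrike FDR Setup`. The bullets also omit the Windows and System integrations that the file's metadata hunk above still lists in `integration`, so either document them or remove them from the metadata to keep the two consistent.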
@@ -83,6 +83,27 @@ Microsoft Exchange Server uses the worker process (w3wp.exe) to handle web reque - Apply the latest security patches and updates to the Microsoft Exchange Server to mitigate known vulnerabilities and prevent exploitation. - Monitor network traffic and server logs for any signs of continued or attempted exploitation, focusing on unusual outbound connections or repeated access attempts. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been compromised.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
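Review bot: The new setup bullets for `initial_access_suspicious_ms_exchange_worker_child_process.toml` omit the Windows integration that the metadata hunk above declares in `integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]`. Readers are told the listed sources form an OR condition, so an undocumented source is effectively hidden from them. Add a `- Windows` bullet with a one-line subsection linking the Windows integration documentation, or remove `windows` from `integration` if the query does not support that data.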
diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml index 98c8386fb66..66fe335a8fe 100644 --- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -121,6 +121,32 @@ process where host.os.type == "windows" and event.type == "start" and process.args : "srchadmin.dll" ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml index d55d70ce628..f1a0a39c823 100644 
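Review bot: The `### Crowdstrike FDR Setup` heading and body in this setup block use a different capitalisation from the `- CrowdStrike` bullet above it; normalise to one form, e.g. `### CrowdStrike FDR Setup`, so the heading matches the bullet an operator will search for. The bullets also leave out the Windows and System integrations that the file's metadata hunk above lists in `integration`, so either document them with short subsections or trim the metadata.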
--- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m3 maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -108,6 +108,32 @@ process where host.os.type == "windows" and event.type == "start" and "regsvcs.exe", "regsvr32.exe", "sc.exe", "schtasks.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe", "whoami.exe", "wmic.exe", "wscript.exe", "xwizard.exe") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
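Review bot: The integration bullets in this setup block are ordered `Elastic Defend, SentinelOne Cloud Funnel, M365 Defender, CrowdStrike`, whereas every other setup block in this commit orders them `Elastic Defend, M365 Defender, SentinelOne Cloud Funnel, CrowdStrike`; since these blocks are meant to be uniform boilerplate, align the order here. The heading `### Crowdstrike FDR Setup` also differs in capitalisation from the `- CrowdStrike` bullet, so use `### CrowdStrike FDR Setup`. The metadata hunk above additionally lists `"windows"` and `"system"`, which the bullets do not document.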
diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml index c92b3bf2588..2bdd30a7fec 100644 --- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml +++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/29" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -87,6 +87,27 @@ Windows Explorer, a core component of the Windows OS, manages file and folder na - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger attack campaign. - Implement additional monitoring and alerting for similar suspicious activities involving explorer.exe to enhance detection capabilities and prevent recurrence. - Review and update endpoint security policies to restrict the execution of potentially malicious scripts or executables from explorer.exe, especially when initiated via DCOM.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). 
+""" [[rule.threat]] diff --git a/rules/windows/initial_access_webshell_screenconnect_server.toml b/rules/windows/initial_access_webshell_screenconnect_server.toml index c3bce1a876a..2a4665c2546 100644 --- a/rules/windows/initial_access_webshell_screenconnect_server.toml +++ b/rules/windows/initial_access_webshell_screenconnect_server.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/26" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
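Review bot: The setup block added to `initial_access_via_explorer_suspicious_child_parent_args.toml` lists three integrations, but the metadata hunk above for this file keeps `integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]`, so the Windows integration is declared as a supported source and then omitted from the operator-facing guidance. Add a `- Windows` bullet with a short subsection, or remove `windows` from `integration` so the two agree; the query's index patterns are not in this hunk, so confirm which is right.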
@@ -90,6 +90,32 @@ ScreenConnect, a remote support tool, allows administrators to control systems r - Apply security patches and updates to the ScreenConnect server and any other vulnerable applications to mitigate exploitation risks. - Restore the system from a known good backup if evidence of compromise is confirmed, ensuring that the backup is free from malicious artifacts. - Report the incident to the appropriate internal security team or external authorities if required, providing them with detailed findings and evidence for further investigation.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/initial_access_xsl_script_execution_via_com.toml b/rules/windows/initial_access_xsl_script_execution_via_com.toml index 2a1b8903abd..cc80db346b6 100644 --- a/rules/windows/initial_access_xsl_script_execution_via_com.toml +++ b/rules/windows/initial_access_xsl_script_execution_via_com.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -78,6 +78,14 @@ The Microsoft.XMLDOM COM interface allows applications to parse and transform XM - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. - Implement application whitelisting to restrict the execution of unauthorized scripts and executables, particularly those not located in standard directories. - Enhance monitoring and alerting for similar activities by ensuring that the detection rule is actively deployed and that alerts are configured to notify the appropriate personnel promptly.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] 
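Review bot: In the setup block added to `initial_access_webshell_screenconnect_server.toml`, the heading `### Crowdstrike FDR Setup` and its body spell the vendor differently from the `- CrowdStrike` bullet above; use one spelling, e.g. `### CrowdStrike FDR Setup`. The bullets also omit the Windows and System integrations that the file's metadata hunk still lists in `integration`, so either add subsections for them or drop them from the metadata to keep the guidance consistent with what the rule declares.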
diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml index 4ad06eacfbe..299e0f8f389 100644 --- a/rules/windows/lateral_movement_cmd_service.toml +++ b/rules/windows/lateral_movement_cmd_service.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -78,6 +78,17 @@ The Service Control Manager in Windows allows for the management of services, wh - Restore the affected system from a known good backup if any malicious modifications or persistent threats are detected. - Implement network segmentation to limit the ability of adversaries to move laterally across the network in the future. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml index b9061b5cb2c..02276c6a173 100644 --- a/rules/windows/lateral_movement_dcom_hta.toml +++ b/rules/windows/lateral_movement_dcom_hta.toml 
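Review bot: The `setup` block added to `lateral_movement_cmd_service.toml` introduces a one-item list (`- Elastic Defend`) under `This rule requires data from one of the following integrations:` and then keeps the multi-dataset OR-condition `Note:`, which reads as if alternatives existed. The single-source wording used elsewhere in this commit, `This rule requires data from the Elastic Defend integration.`, is clearer here; use it and drop the Note. The metadata hunk for this file also keeps `integration = ["endpoint", "windows"]`, so either document the Windows integration in setup or remove it from `integration`.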
@@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -83,6 +83,17 @@ DCOM allows software components to communicate over a network, enabling remote e - Review and restrict DCOM permissions and configurations on the affected host and other critical systems to limit the potential for similar attacks. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems have been compromised. - Update detection mechanisms and threat intelligence feeds to enhance monitoring for similar DCOM-based lateral movement attempts in the future.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml index d52089db2a5..7114972f5ce 100644 --- a/rules/windows/lateral_movement_dcom_mmc20.toml +++ b/rules/windows/lateral_movement_dcom_mmc20.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -82,6 +82,17 @@ Distributed Component Object Model (DCOM) enables software components to communi - Apply patches and updates to the affected systems and any other vulnerable systems in the network to mitigate known vulnerabilities that could be exploited. - Implement network segmentation to limit the ability of threats to move laterally within the network in the future. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional actions are necessary.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml index b810f2ddc96..360ced6a66d 100644 --- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml +++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -83,6 +83,17 @@ DCOM enables software components to communicate over a network, often used in Wi - Apply patches and updates to the affected systems to address any vulnerabilities that may have been exploited during the attack. - Enhance monitoring and logging on the network to detect similar DCOM abuse attempts, ensuring that alerts are configured for high TCP port activity and unusual process spawning by explorer.exe. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional containment or remediation actions are necessary.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml index 0b12322e3fe..5a5e539c019 100644 --- a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml +++ b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/03/22" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -83,6 +83,27 @@ The NullSessionPipe registry setting in Windows defines which named pipes can be - Reset credentials for any accounts that may have been compromised or used in conjunction with the unauthorized access to ensure they cannot be reused by adversaries. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been affected. - Implement enhanced monitoring and alerting for changes to the NullSessionPipes registry key and similar registry paths to detect and respond to future unauthorized modifications promptly.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. 
For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml index b12114c9f3a..4cb9f0d2612 100644 --- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml +++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2025/02/24" [transform] [[transform.osquery]] @@ -136,6 +136,14 @@ sequence by process.entity_id with maxspan=1m /* second sequence to capture network connections over port 445 related to SMB */ [network where host.os.type == "windows" and destination.port == 445 and process.pid != 4] ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml index 5fc5de9d829..793a71c3227 100644 --- a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml +++ b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/04/12" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -101,6 +101,27 @@ Remote Desktop Shadowing allows administrators to view or control active RDP ses - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for RDP activities across the network to detect and respond to similar threats more quickly in the future. - Review and update RDP access policies and configurations to ensure they align with best practices, such as enforcing multi-factor authentication and limiting RDP access to only necessary users and systems.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). 
+""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml index 5c039bad93b..dd2ec921758 100644 --- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml +++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/10" integration = ["endpoint"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -83,6 +83,14 @@ sequence by host.id with maxspan=30s [file where host.os.type == "windows" and event.type in ("creation", "change") and process.pid == 4 and (file.Ext.header_bytes : "4d5a*" or file.extension : ("exe", "scr", "pif", "com", "dll"))] by process.entity_id ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml index fefd0ad1ad7..476c4d20d94 100644 --- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml +++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/11" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -89,6 +89,32 @@ The TSClient mountpoint is a feature of the Remote Desktop Protocol (RDP) that a - Reset credentials for any accounts that were accessed or potentially compromised during the incident to prevent unauthorized access. - Implement network segmentation to limit RDP access to only necessary systems and users, reducing the attack surface for similar threats. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml index b92e8e796b4..9529664a940 100644 --- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml +++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/05" +updated_date = "2025/02/24" [transform] [[transform.osquery]] @@ -162,6 +162,14 @@ sequence with maxspan=1m ) ] by host.id, process.executable ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml index 5997eaad182..db56d1164c9 100644 --- a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml +++ b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml 
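Review bot: Vendor naming inside this block is inconsistent: the list entry is `- CrowdStrike` but the heading and body read `### Crowdstrike FDR Setup` / `Crowdstrike FDR`, and the list says `- M365 Defender` while its section is headed `### Microsoft Defender for Endpoint Setup`. One spelling and one product name per vendor (for example `- CrowdStrike FDR` and `- Microsoft Defender for Endpoint (M365 Defender integration)`) would let a reader match each list entry to its setup section. The same text is added in lateral_movement_mount_hidden_or_webdav_share_net and remote_file_copy_hidden_share, and the M365/Defender for Endpoint mismatch also appears in the three-source rules (lanman_nullsessionpipe_modification, evasion_rdp_shadowing, rdp_enabled_registry).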
@@ -2,7 +2,7 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -84,6 +84,17 @@ Windows Remote Management (WinRM) is a protocol that allows for remote managemen - Restore the affected system from a known good backup if any malicious activity or unauthorized changes are confirmed. - Implement network segmentation to limit the ability of threats to move laterally across the network, focusing on restricting access to critical systems. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml index 20f3b01c567..380b61b69b0 100644 --- a/rules/windows/lateral_movement_incoming_wmi.toml +++ b/rules/windows/lateral_movement_incoming_wmi.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/15" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -95,6 +95,17 @@ Windows Management Instrumentation (WMI) is a core Windows feature enabling remo - Apply patches and updates to the affected host and any other systems that may be vulnerable to similar exploitation methods, ensuring that all security updates are current. - Enhance monitoring and logging for WMI activity across the network to detect and respond to similar threats more quickly in the future. This includes setting up alerts for unusual WMI usage patterns. - If the threat is confirmed to be part of a larger attack, escalate the incident to the appropriate security team or authority for further investigation and potential legal action.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml index 3489b44f56e..6f60450e9a3 100644 --- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml +++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/02" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -92,6 +92,32 @@ WebDav and hidden remote shares facilitate file sharing and collaboration across - Implement network segmentation to limit access to critical systems and sensitive data, reducing the risk of lateral movement. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised. - Enhance monitoring and alerting for similar activities by ensuring that all relevant security tools are configured to detect and alert on suspicious use of net.exe and net1.exe.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml index 86d159976c9..78d2a460beb 100644 --- a/rules/windows/lateral_movement_powershell_remoting_target.toml +++ b/rules/windows/lateral_movement_powershell_remoting_target.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -88,6 +88,17 @@ PowerShell Remoting enables administrators to execute commands on remote Windows - Apply patches and updates to the affected systems to address any vulnerabilities that may have been exploited. - Enhance monitoring on the network for unusual activity on ports 5985 and 5986 to detect any future attempts at unauthorized PowerShell Remoting. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml index be8f3779dbc..7097c357f21 100644 --- a/rules/windows/lateral_movement_rdp_enabled_registry.toml +++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/25" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -87,6 +87,27 @@ registry where host.os.type == "windows" and event.type == "change" and "?:\\Windows\\WinSxS\\*\\TiWorker.exe", "?:\\Windows\\system32\\svchost.exe") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_rdp_sharprdp_target.toml b/rules/windows/lateral_movement_rdp_sharprdp_target.toml index 2ba965eb464..e025306fd17 100644 --- a/rules/windows/lateral_movement_rdp_sharprdp_target.toml +++ b/rules/windows/lateral_movement_rdp_sharprdp_target.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -86,6 +86,14 @@ Remote Desktop Protocol (RDP) enables users to connect to and control remote sys - Reset credentials for any accounts that were accessed or potentially compromised during the incident to prevent further unauthorized access. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for RDP connections and registry changes to detect and respond to similar threats more effectively in the future.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml index 31ed56556a6..d6851a01dd6 100644 --- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml +++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/04" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -91,6 +91,32 @@ In Windows environments, hidden network shares are often used for legitimate adm - Review and restrict permissions on network shares, especially hidden shares, to ensure only authorized users have access. - Monitor network traffic for any further suspicious activity related to hidden shares and lateral movement attempts. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. 
For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml index bd46ed742ba..05956aaa23c 100644 --- a/rules/windows/lateral_movement_remote_services.toml +++ b/rules/windows/lateral_movement_remote_services.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/16" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -159,6 +159,17 @@ sequence with maxspan=1s "?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe" )] by host.id, process.parent.entity_id ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml index 962d7dc4f30..83f99a2461d 100644 --- a/rules/windows/lateral_movement_scheduled_task_target.toml +++ b/rules/windows/lateral_movement_scheduled_task_target.toml 
@@ -2,7 +2,7 @@
creation_date = "2020/11/20"
integration = ["endpoint", "windows"]
maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2025/02/24"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -73,6 +73,17 @@ sequence by host.id, process.entity_id with maxspan = 1m
[registry where host.os.type == "windows" and event.type == "change" and registry.value : "Actions" and registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"]
'''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
[[rule.threat]]
diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
index 49b26a6d28e..bedd5b70443 100644
--- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
+++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
@@ -2,7 +2,7 @@
creation_date = "2020/11/19"
integration = ["endpoint", "windows"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -23,14 +23,6 @@ references = [
]
risk_score = 47
rule_id = "71c5cb27-eca5-4151-bb47-64bc3f883270"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
severity = "medium"
tags = [
"Domain: Endpoint",
@@ -103,6 +95,17 @@ The Remote Desktop Services ActiveX Client, mstscax.dll, facilitates remote desk
- Reset credentials for any accounts that were accessed or potentially compromised during the incident to prevent unauthorized access.
- Implement network segmentation to limit the ability of adversaries to move laterally within the network in the future.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or data have been affected."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
[[rule.threat]]
diff --git a/rules/windows/lateral_movement_unusual_dns_service_children.toml b/rules/windows/lateral_movement_unusual_dns_service_children.toml
index 805ca9ee914..72355da7b99 100644
--- a/rules/windows/lateral_movement_unusual_dns_service_children.toml
+++ b/rules/windows/lateral_movement_unusual_dns_service_children.toml
@@ -2,7 +2,7 @@
creation_date = "2020/07/16"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -101,6 +101,32 @@ query = '''
process where host.os.type == "windows" and event.type == "start" and process.parent.name : "dns.exe" and not process.name : "conhost.exe"
'''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
[[rule.threat]]
diff --git a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
index 6518800cbef..3393113ab51 100644
--- a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
+++ b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
@@ -2,7 +2,7 @@
creation_date = "2020/07/16"
integration = ["endpoint", "windows"]
maturity = "production"
-updated_date = "2025/01/17"
+updated_date = "2025/02/24"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -54,6 +54,17 @@ file where host.os.type == "windows" and process.name : "dns.exe" and event.type
/* DNS logs with custom names, header converts to "DNS Server log" */
not ?file.Ext.header_bytes : "444e5320536572766572206c6f67*"
'''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
[[rule.threat]]
diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
index 51f0b83aabc..622e3d932fb 100644
--- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
+++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
@@ -2,7 +2,7 @@
creation_date = "2020/10/19"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -82,6 +82,27 @@ The Windows Startup folder is a mechanism that allows programs to run automatica
- Review and reset credentials for any accounts that were accessed or potentially compromised during the incident to prevent unauthorized access.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring and logging for RDP and SMB activities, focusing on unusual file creation events in Startup folders, to improve detection of similar threats in the future."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
[[rule.threat]]
diff --git a/rules/windows/lateral_movement_via_wsus_update.toml b/rules/windows/lateral_movement_via_wsus_update.toml
index 0b3bbc35872..10808148488 100644
--- a/rules/windows/lateral_movement_via_wsus_update.toml
+++ b/rules/windows/lateral_movement_via_wsus_update.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system","sentinel_one_cloud_funnel", "m36
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
[rule]
author = ["Elastic"]
@@ -90,6 +90,32 @@ Windows Server Update Services (WSUS) is a system that manages updates for Micro
- Reset credentials for any accounts that may have been compromised or used in the lateral movement attempt, especially those with administrative privileges.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been affected.
- Implement enhanced monitoring and logging for WSUS activities and PsExec executions to detect and respond to similar threats more effectively in the future."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- SentinelOne Cloud Funnel
+- M365 Defender
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
[[rule.threat]]
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml
index 9861af7bf42..25bb07ffcd3 100644
--- a/rules/windows/persistence_adobe_hijack_persistence.toml
+++ b/rules/windows/persistence_adobe_hijack_persistence.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
[transform]
[[transform.osquery]]
@@ -92,14 +92,6 @@ Attackers can replace the `RdrCEF.exe` executable with their own to maintain the
references = ["https://twitter.com/pabraeken/status/997997818362155008"]
risk_score = 21
rule_id = "2bf78aa2-9c56-48de-b139-f169bf99cf86"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"]
timestamp_override = "event.ingested"
@@ -111,6 +103,27 @@ file where host.os.type == "windows" and event.type == "creation" and
"?:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe") and
not process.name : "msiexec.exe"
'''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- SentinelOne Cloud Funnel
+- M365 Defender
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
[[rule.threat]]
diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml
index caae92210c6..779de232e32 100644
--- a/rules/windows/persistence_app_compat_shim.toml
+++ b/rules/windows/persistence_app_compat_shim.toml
@@ -2,7 +2,7 @@
creation_date = "2020/09/02"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -84,6 +84,27 @@ Application Compatibility Shim databases are used in Windows to ensure older app
- Review and restore any altered system configurations or files to their original state to ensure system integrity.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
- Implement enhanced monitoring and logging for the specified registry paths and associated processes to detect and respond to similar threats in the future."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
[[rule.threat]]
diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml
index 6a6a98051b5..6b81ea62112 100644
--- a/rules/windows/persistence_appcertdlls_registry.toml
+++ b/rules/windows/persistence_appcertdlls_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
[rule]
author = ["Elastic"]
@@ -19,14 +19,6 @@ license = "Elastic License v2"
name = "Registry Persistence via AppCert DLL"
risk_score = 47
rule_id = "513f0ffd-b317-4b9c-9494-92ce861f22c7"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
@@ -75,6 +67,27 @@ AppCert DLLs are dynamic link libraries that can be configured to load with ever
- Review and restore any system files or configurations that may have been altered by the malicious DLLs to ensure system integrity.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
- Implement enhanced monitoring and logging for the specific registry paths and related process creation activities to detect any future unauthorized changes promptly."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- SentinelOne Cloud Funnel
+- M365 Defender
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
[[rule.threat]]
diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml
index b0ae3c89326..036ec505ef6 100644
--- a/rules/windows/persistence_appinitdlls_registry.toml
+++ b/rules/windows/persistence_appinitdlls_registry.toml
@@ -2,7 +2,7 @@
creation_date = "2020/11/18"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -135,6 +135,27 @@ registry where host.os.type == "windows" and event.type == "change" and
"?:\\Program Files\\NVIDIA Corporation\\Display.NvContainer\\NVDisplay.Container.exe"
)
'''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
[[rule.threat]]
diff --git a/rules/windows/persistence_browser_extension_install.toml b/rules/windows/persistence_browser_extension_install.toml
index b4876433481..b19b84c7951 100644
--- a/rules/windows/persistence_browser_extension_install.toml
+++ b/rules/windows/persistence_browser_extension_install.toml
@@ -2,7 +2,7 @@
creation_date = "2023/08/22"
integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -96,6 +96,27 @@ Browser extensions enhance functionality in web browsers but can be exploited by
- Review and reset browser settings to default to ensure no residual configurations or settings are left by the malicious extension.
- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.
- Implement application whitelisting to prevent unauthorized browser extensions from being installed in the future, focusing on the directories and file types identified in the detection query."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
[[rule.threat]]
diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
index 71504064689..f367818c630 100644
--- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml
+++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
@@ -2,7 +2,7 @@
creation_date = "2020/12/18"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2025/02/24"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -75,6 +75,27 @@ registry where host.os.type == "windows" and event.type == "change" and
"MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\"
)
'''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
[[rule.threat]]
diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
index 94f25c785e8..5317a793a5b 100644
--- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml
+++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
@@ -2,7 +2,7 @@
creation_date = "2020/11/17"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -93,6 +93,27 @@ Image File Execution Options (IFEO) is a Windows feature allowing developers to
 - Review and restore any altered or deleted system files from a known good backup to ensure system integrity.
 - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for registry changes related to IFEO to detect and respond to similar threats in the future."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
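Review bot: The `integration` field in the preceding hunk of this file (`["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]`) includes the Windows integration, but the new `setup` string says the rule requires data from "one of the following integrations" and lists only three, so an operator shipping only Windows integration data would conclude the rule cannot run for them. Either add `- Windows` to the list (with a pointer to that integration's setup documentation) or reword the lead sentence so it is not presented as the complete set. The same gap appears in the setup blocks added for persistence_evasion_registry_startup_shell_folder_modified, persistence_local_scheduled_job_creation, persistence_local_scheduled_task_creation, persistence_local_scheduled_task_scripting, persistence_ms_office_addins_file, persistence_ms_outlook_vba_template, persistence_netsh_helper_dll, persistence_powershell_exch_mailbox_activesync_add_device (which additionally omits `system`), persistence_powershell_profiles, persistence_priv_escalation_via_accessibility_features, persistence_registry_uncommon and persistence_runtime_run_key_startup_susp_procs, while persistence_msoffice_startup_registry and the Elastic-Defend-only rules are consistent with their `integration` fields. If the omission is deliberate because only EDR-type sources receive setup guidance, one sentence saying so would avoid the confusion.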
diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
index 56a73df3705..5ea8a79e8f5 100644
--- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
+++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/03/15"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -148,6 +148,27 @@ registry where host.os.type == "windows" and event.type == "change" and
 "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
 )
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_local_scheduled_job_creation.toml b/rules/windows/persistence_local_scheduled_job_creation.toml
index d6ffe953c3e..477636d58db 100644
--- a/rules/windows/persistence_local_scheduled_job_creation.toml
+++ b/rules/windows/persistence_local_scheduled_job_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -76,6 +76,27 @@ Scheduled jobs in Windows environments allow tasks to be automated by executing
 - Review and audit other scheduled tasks on the system to ensure no additional unauthorized or suspicious jobs are present.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems are affected.
 - Implement enhanced monitoring and alerting for scheduled job creation activities across the network to detect similar threats in the future, leveraging the specific query fields used in the detection rule."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- SentinelOne Cloud Funnel
+- M365 Defender
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_local_scheduled_task_creation.toml b/rules/windows/persistence_local_scheduled_task_creation.toml
index d8d21c6d8ab..1989806841b 100644
--- a/rules/windows/persistence_local_scheduled_task_creation.toml
+++ b/rules/windows/persistence_local_scheduled_task_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -89,6 +89,17 @@ Scheduled tasks in Windows automate routine tasks, but adversaries exploit them
 - Analyze the user account involved in the task creation for signs of compromise, and reset credentials if necessary to prevent further unauthorized access.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for scheduled task creation events to detect similar threats in the future, ensuring alerts are configured to notify the appropriate teams promptly."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
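Review bot: The setup block added to persistence_local_scheduled_task_creation lists a single integration under `This rule requires data from one of the following integrations:` and then keeps the multi-dataset `Note:` paragraph, which reads as leftover boilerplate when there is nothing to choose between. The Elastic-Defend-only rules in this same commit (persistence_msi_installer_task_startup, persistence_run_key_and_startup_broad, persistence_service_dll_unsigned) use the shorter form `This rule requires data from the Elastic Defend integration.` with no note; using that form here would make the blocks consistent, unless the intent is to also list the Windows integration that this file's `integration` field declares, in which case the note becomes accurate. The same single-item-plus-note pattern appears in persistence_local_scheduled_task_scripting, persistence_registry_uncommon and persistence_runtime_run_key_startup_susp_procs.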
diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml
index caa7c4dfb56..e245a61602b 100644
--- a/rules/windows/persistence_local_scheduled_task_scripting.toml
+++ b/rules/windows/persistence_local_scheduled_task_scripting.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/29"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -55,6 +55,17 @@ sequence by host.id with maxspan = 30s
 "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"
 )]
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml
index b85c801827d..88a6ec351ae 100644
--- a/rules/windows/persistence_ms_office_addins_file.toml
+++ b/rules/windows/persistence_ms_office_addins_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/16"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -78,6 +78,27 @@ Microsoft Office AddIns enhance productivity by allowing custom functionalities
 - Review and restore any altered system configurations or settings to their default state to ensure system integrity.
 - Monitor the affected system and network for any signs of re-infection or related suspicious activity, using enhanced logging and alerting mechanisms.
 - Escalate the incident to the security operations center (SOC) or relevant IT security team for further analysis and to determine if additional systems are affected."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml
index 5ce927e6f48..c48f5720abb 100644
--- a/rules/windows/persistence_ms_outlook_vba_template.toml
+++ b/rules/windows/persistence_ms_outlook_vba_template.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/23"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -77,6 +77,27 @@ Microsoft Outlook supports VBA scripting to automate tasks, which can be exploit
 - Conduct a full antivirus and antimalware scan on the affected endpoint using tools like Microsoft Defender for Endpoint to identify and remove any additional threats.
 - Review and update endpoint security policies to restrict unauthorized modifications to Outlook VBA files, leveraging application whitelisting or similar controls.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_msi_installer_task_startup.toml b/rules/windows/persistence_msi_installer_task_startup.toml
index 67b1a2b8cf3..0615d07ac3e 100644
--- a/rules/windows/persistence_msi_installer_task_startup.toml
+++ b/rules/windows/persistence_msi_installer_task_startup.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -85,6 +85,14 @@ Windows Installer, through msiexec.exe, facilitates software installation and co
 - Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or processes.
 - Review and update security policies to restrict the use of msiexec.exe for non-administrative users, reducing the risk of exploitation.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_msoffice_startup_registry.toml b/rules/windows/persistence_msoffice_startup_registry.toml
index ac992d40a27..a8596f9ad1c 100644
--- a/rules/windows/persistence_msoffice_startup_registry.toml
+++ b/rules/windows/persistence_msoffice_startup_registry.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/22"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
@@ -77,6 +77,27 @@ The Office Test Registry key in Windows environments allows specifying a DLL to
 - Review recent user activity and system logs to identify any unauthorized access or changes that may have led to the registry modification, and reset credentials if necessary.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and alerting for similar registry modifications across the network to detect and respond to future attempts promptly."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_netsh_helper_dll.toml b/rules/windows/persistence_netsh_helper_dll.toml
index 508ccf74a61..d2af1034f39 100644
--- a/rules/windows/persistence_netsh_helper_dll.toml
+++ b/rules/windows/persistence_netsh_helper_dll.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/29"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -77,6 +77,27 @@ Netsh, a command-line utility in Windows, allows for network configuration and d
 - Review and restore any altered system configurations to their original state to ensure system integrity.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for registry changes related to Netsh Helper DLLs to detect similar threats in the future."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
index d43d6d6685d..43132f0e122 100644
--- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
+++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/15"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -92,6 +92,32 @@ ActiveSync is a protocol enabling mobile devices to synchronize with Exchange ma
 - Notify the security team and relevant stakeholders about the incident for further investigation and potential escalation.
 - Implement additional monitoring on the affected account and similar accounts for any unusual activity or further attempts to add unauthorized devices.
 - Review and update the organization's security policies and procedures related to mobile device access and PowerShell usage to prevent recurrence."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+- CrowdStrike
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Crowdstrike FDR Setup
+
+This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_powershell_profiles.toml b/rules/windows/persistence_powershell_profiles.toml
index 429be36cbb6..3e352cdb884 100644
--- a/rules/windows/persistence_powershell_profiles.toml
+++ b/rules/windows/persistence_powershell_profiles.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/10/13"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
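Review bot: The new CrowdStrike subsection spells the vendor `Crowdstrike FDR` in its header and sentence while the bullet list a few lines above says `CrowdStrike`; within one setup string the spelling should be consistent, e.g. `### CrowdStrike FDR Setup` and `This rule is compatible with telemetry generated by CrowdStrike FDR. For setup instructions, refer to the CrowdStrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html).`. The bullet order (CrowdStrike last) also differs from the subsection order (CrowdStrike before Microsoft Defender), which is harmless but worth aligning while the text is being touched.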
@@ -127,6 +127,27 @@ file where host.os.type == "windows" and event.type != "deletion" and
 "?:\\Windows\\System32\\WindowsPowerShell\\*") and
 file.name : ("profile.ps1", "Microsoft.Powershell_profile.ps1")
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+- SentinelOne Cloud Funnel
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### SentinelOne Cloud Funnel Setup
+
+This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
index 6e23f13d359..ef32ea0a98b 100644
--- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
+++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -148,6 +148,22 @@ process where host.os.type == "windows" and event.type == "start" and
 /* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */
 /* and process.code_signature.subject_name == "Microsoft Windows" and process.code_signature.status == "trusted" */
 '''
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+- M365 Defender
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Microsoft Defender for Endpoint Setup
+
+This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml
index bdfb1d87180..9df36e2118b 100644
--- a/rules/windows/persistence_registry_uncommon.toml
+++ b/rules/windows/persistence_registry_uncommon.toml
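Review bot: The query context directly above the added `setup` string still carries the disabled signer condition (`/* and process.code_signature.subject_name == "Microsoft Windows" and process.code_signature.status == "trusted" */`) with a comment explaining it stays off because of winlogbeat data, and the new setup text presents Elastic Defend and M365 Defender as the supported sources without mentioning that limitation. A sentence in the setup block along the lines of `Note: the code-signature condition in this query is intentionally commented out; enable it only if every configured data source populates process.code_signature.*` would tell an operator which part of the rule governs its precision. Whether the two listed integrations populate those fields is not visible in this diff, so the wording should stay conditional until confirmed.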
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -151,6 +151,17 @@ Windows Registry is a critical system database storing configuration settings. A
 - Review and update endpoint protection policies to ensure that similar registry changes are monitored and alerted on in the future.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Document the incident, including all actions taken, to improve future response efforts and update threat intelligence databases."""
+setup = """## Setup
+
+This rule requires data from one of the following integrations:
+- Elastic Defend
+
+Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml
index 989c93c945a..a27f536872f 100644
--- a/rules/windows/persistence_run_key_and_startup_broad.toml
+++ b/rules/windows/persistence_run_key_and_startup_broad.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
 [transform]
 [[transform.osquery]]
@@ -306,6 +306,14 @@ registry where host.os.type == "windows" and event.type == "change" and
 )
 )
 '''
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
index 9c3d573ec62..841b93aa518 100644
--- a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
+++ b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -87,6 +87,17 @@ Persistent programs, like scripts or rundll32, are often used by adversaries to - Review and restore any modified system configurations or registry settings to their default or secure state. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. - Implement enhanced monitoring and logging for the affected host and similar systems to detect any recurrence or related suspicious activities.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_service_dll_unsigned.toml b/rules/windows/persistence_service_dll_unsigned.toml index cbd24408d74..a371018ad9d 100644 --- a/rules/windows/persistence_service_dll_unsigned.toml +++ b/rules/windows/persistence_service_dll_unsigned.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/17" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
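Review bot: The added `setup` for persistence_runtime_run_key_startup_susp_procs names Elastic Defend as the only integration, but its metadata hunk (end of the previous line) has `integration = ["endpoint", "windows"]`; the Windows integration should appear in the bullet list and get its own setup subsection, or be removed from `integration` if it is no longer supported. With a single bullet the `Note: … only one is required …` sentence is misleading and should go. A one-line alternative if Elastic Defend really is the only source: `This rule requires data from the Elastic Defend integration.`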
@@ -163,6 +163,14 @@ Svchost.exe is a critical Windows process that hosts multiple services, allowing - Review and restore any modified system configurations or settings to their original state to ensure system integrity. - Escalate the incident to the security operations team for further analysis and to determine if additional systems are affected. - Implement enhanced monitoring and logging for svchost.exe and DLL loading activities to detect similar threats in the future.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml index 45a0fd20e7b..cd3b0bd1b5b 100644 --- a/rules/windows/persistence_services_registry.toml +++ b/rules/windows/persistence_services_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -101,6 +101,27 @@ Windows services are crucial for running background processes. Adversaries may e - Review and update endpoint protection policies to ensure that similar unauthorized registry modifications are detected and blocked in the future. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. - Document the incident details, including the steps taken for containment and remediation, to enhance future response efforts and update threat intelligence databases.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
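Review bot: The bullet list in the new `setup` omits the Windows integration even though this file's metadata (previous line) declares `integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]`; the `registry where …` event this rule keys on is presumably also produced by the Windows integration (Sysmon registry events), so the omission is a real documentation gap rather than cosmetic. Add `- Windows` to the list and a `### Windows Integration Setup` subsection pointing at the Windows integration documentation, in the same style as the SentinelOne and M365 Defender subsections. Minor: the bullet says `M365 Defender` while the heading says `Microsoft Defender for Endpoint Setup`; pick one name so readers can match bullet to section.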
diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
index 8a9b9603c59..fe53157cade 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -145,6 +145,27 @@ file where host.os.type == "windows" and event.type != "deletion" and "iexplore.exe", "InstallUtil.exe") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml index 12ea89d5a27..3b5fe2dabcd 100644 --- a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml +++ b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml 
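Review bot: This `setup` block leaves out the Windows integration that the file's metadata lists (`integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]` on the previous line), so one declared data source has no setup guidance. Since the query is a `file where` rule, the Windows-integration path is presumably Sysmon file-create telemetry — worth stating, hedged as such, in a `### Windows Integration Setup` subsection alongside the three that are present. Keep the bullet names and subsection headings consistent (`M365 Defender` vs `Microsoft Defender for Endpoint`).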
@@ -2,7 +2,7 @@ creation_date = "2020/11/29" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" [transform] [[transform.osquery]] @@ -127,6 +127,14 @@ sequence by host.id, process.entity_id with maxspan=5s "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\*") ] ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml index 84bfe1d5aba..3e89c8b6613 100644 --- a/rules/windows/persistence_startup_folder_scripts.toml +++ b/rules/windows/persistence_startup_folder_scripts.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -136,6 +136,27 @@ file where host.os.type == "windows" and event.type != "deletion" and "?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", "?:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\*") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml index e436e53ec15..7c37a3ecf1c 100644 --- a/rules/windows/persistence_suspicious_com_hijack_registry.toml +++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml 
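Review bot: The bullet list and subsections in the new `setup` cover Elastic Defend, M365 Defender and SentinelOne but not the Windows integration, which this file's metadata hunk (previous line) includes in `integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]`. Either add `- Windows` with a matching `### Windows Integration Setup` subsection or drop `"windows"` from `integration`; as written the two fields disagree and a reader cannot tell which one is authoritative.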
@@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint"] maturity = "production" -updated_date = "2024/08/05" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -61,14 +61,6 @@ references = [ ] risk_score = 47 rule_id = "16a52c14-7883-47af-8745-9357803f0d4c" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "medium" tags = [ "Domain: Endpoint", @@ -137,6 +129,14 @@ registry where host.os.type == "windows" and event.type == "change" and "?:\\Windows\\System32\\DriverStore\\FileRepository\\*.exe", "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe") ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml index 380f74446f4..51c08d5340e 100644 --- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml +++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml 
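Review bot: The replacement `setup` in the `@@ -137,6 +129,14 @@` hunk silently drops the former caveat that stacks before 8.2 feeding this EQL rule from non-Agent (Beats) indices must populate `event.ingested` via a custom pipeline, but unlike the neighbouring files this rule's metadata hunk shows no `min_stack_version`, so nothing in the file records that 8.2+ is now assumed. If the repository baseline already excludes those versions this is fine and a `min_stack_version` line would make it explicit; otherwise keep a one-line note such as `Note: on stacks older than 8.2 ingesting non-Agent data, populate event.ingested via an ingest pipeline.` Also note the old block lived between `rule_id` and `severity` while the new one is appended after `query`; confirm that placement matches the repo's TOML normalizer so the file does not churn on the next save.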
@@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -116,14 +116,6 @@ references = [ ] risk_score = 21 rule_id = "baa5d22c-5e1c-4f33-bfc9-efa73bb53022" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "low" tags = [ "Domain: Endpoint", @@ -145,6 +137,17 @@ any where host.os.type == "windows" and process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and (?dll.name : "taskschd.dll" or file.name : "taskschd.dll") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml index ddea5aed90f..9e1af140f88 100644 
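Review bot: In the `@@ -145,6 +137,17 @@` hunk the new `setup` lists only Elastic Defend while this file's metadata hunk (same line) declares `integration = ["endpoint", "windows"]`, and the query's `(?dll.name : "taskschd.dll" or file.name : "taskschd.dll")` form is written to tolerate either library or file events, which suggests the Windows integration (presumably Sysmon image-load/file events) is an intended source. Add `- Windows` and a `### Windows Integration Setup` subsection, or remove the single-bullet `Note: … only one is required …` sentence, which reads oddly with one entry. The dropped pre-8.2 `event.ingested` caveat is fine here since `min_stack_version = "8.14.0"` is visible.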
--- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml +++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -108,6 +108,14 @@ Scheduled tasks in Windows automate routine tasks, but adversaries exploit them - Restore the system from a known good backup if malicious activity is confirmed and system integrity is compromised. - Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for scheduled tasks and the flagged executables to detect similar threats in the future.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml index ff5705b38f7..3e68e830256 100644 --- a/rules/windows/persistence_suspicious_service_created_registry.toml +++ b/rules/windows/persistence_suspicious_service_created_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
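Review bot: The new `setup` in the `@@ -108,6 +108,14 @@` hunk states the rule needs only Elastic Defend, which matches `integration = ["endpoint"]`, but the same metadata hunk carries `min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."` — a comment that only makes sense if Windows-integration data is consumed. This is pre-existing, but since the change rewrites the data-source documentation it is the moment to reconcile it: either add the Windows integration to both `integration` and the setup bullets, or reword the comment (e.g. `min_stack_comments = "Requires 8.14.0 for Elastic Defend field changes."` if that is the real reason) so the three fields agree.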
@@ -81,6 +81,27 @@ Windows services are crucial for running background processes. Adversaries explo - Review and restore any modified system files or configurations to their original state to ensure system integrity. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for similar registry changes and suspicious service creations to detect and respond to future threats promptly.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
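Review bot: The Windows integration is missing from the new `setup` although the file's metadata (previous line) declares `integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]`; every other listed integration gets a bullet and a subsection, so its absence reads as a deliberate drop rather than an oversight. Add `- Windows` and a `### Windows Integration Setup` subsection (or remove `"windows"` from `integration` if that is the intent) so the two fields do not contradict each other.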
diff --git a/rules/windows/persistence_sysmon_wmi_event_subscription.toml b/rules/windows/persistence_sysmon_wmi_event_subscription.toml index c8428323a3a..c74643a13d1 100644 --- a/rules/windows/persistence_sysmon_wmi_event_subscription.toml +++ b/rules/windows/persistence_sysmon_wmi_event_subscription.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/02" integration = ["windows", "endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.15.0" min_stack_comments = "Elastic Defend WMI events were added in Elastic Defend 8.15.0." @@ -80,6 +80,17 @@ Windows Management Instrumentation (WMI) is a powerful framework for managing da - Review and reset any compromised credentials, especially if SYSTEM privileges were potentially accessed or escalated. - Monitor the network for any signs of similar activity or attempts to recreate the WMI event subscription, using enhanced logging and alerting mechanisms. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml index 2e166e46f76..758c2c36ce3 100644 
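Review bot: For a rule whose file name is persistence_sysmon_wmi_event_subscription and whose metadata says `integration = ["windows", "endpoint"]` with `min_stack_comments = "Elastic Defend WMI events were added in Elastic Defend 8.15.0."`, the new `setup` documents Elastic Defend as the *only* data source, which inverts the situation the comment describes (Windows/Sysmon was the original source, Elastic Defend the later addition). Add `- Windows` to the bullet list and a `### Windows Integration Setup` subsection that says Sysmon WMI event telemetry must be collected through the Windows integration (the exact Sysmon event IDs are not stated in the file — confirm before quoting them), and drop the single-bullet `Note: … only one is required …` sentence or make it true by listing both sources.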
--- a/rules/windows/persistence_system_shells_via_services.toml
+++ b/rules/windows/persistence_system_shells_via_services.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m3
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 [transform]
 [[transform.osquery]]
@@ -117,6 +117,32 @@ process where host.os.type == "windows" and event.type == "start" and /* Third party FP's */ not process.args : "NVDisplay.ContainerLocalSystem" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml index 015261644dd..5832d8a3dee 100644 
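Review bot: The bullet list in the new `setup` omits the `windows` and `system` integrations that this file's metadata declares (`integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m3…` on the previous line), so users feeding the rule from Windows Security or Sysmon process-creation events get no guidance. Add `- Windows` and `- System` bullets with matching subsections, or trim `integration`. Style: the bullet reads `CrowdStrike` but the heading reads `Crowdstrike FDR Setup`, and the subsection order (Elastic Defend, SentinelOne, Crowdstrike, M365) does not follow the bullet order (…, M365 Defender, CrowdStrike); aligning both makes the block scannable.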
--- a/rules/windows/persistence_time_provider_mod.toml +++ b/rules/windows/persistence_time_provider_mod.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -130,6 +130,27 @@ registry where host.os.type == "windows" and event.type == "change" and ) and not registry.data.strings : "C:\\Windows\\SYSTEM32\\w32time.DLL" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
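Review bot: The new `setup` for persistence_time_provider_mod lists three integrations but the metadata hunk on the same line has `integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]`, so the Windows integration is declared as supported yet undocumented. Add `- Windows` and a `### Windows Integration Setup` subsection, presumably covering Sysmon registry events for the `HKLM\\SYSTEM\\*\\W32Time\\TimeProviders` keys the query watches (hedge the event-ID detail unless it is known).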
diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml
index dc9761a2517..cfed86de6ee 100644
--- a/rules/windows/persistence_user_account_creation.toml
+++ b/rules/windows/persistence_user_account_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -85,6 +85,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.name : ("net.exe", "net1.exe") and not process.parent.name : "net.exe") and (process.args : "user" and process.args : ("/ad", "/add")) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
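Review bot: The new `setup` for persistence_user_account_creation lists four integrations but the metadata hunk on the previous line declares `integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]`, leaving `windows` and `system` undocumented; for a `process where … event.type == "start"` rule on `net.exe`, Windows Security process-creation events collected by the System integration are a very common source and deserve a bullet and subsection. Add `- Windows` and `- System` with short `### … Setup` subsections, or remove them from `integration` if they are no longer supported.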
diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml
index 96d9b8692fb..57a4c12acf3 100644
--- a/rules/windows/persistence_via_application_shimming.toml
+++ b/rules/windows/persistence_via_application_shimming.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -89,6 +89,32 @@ Application shimming is a Windows feature designed to ensure software compatibil - Review and restore any altered system configurations or registry settings to their default or secure state. - Escalate the incident to the security operations team for further analysis and to determine if additional systems are affected. - Implement enhanced monitoring and logging for `sdbinst.exe` executions across the network to detect and respond to future attempts at application shimming.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. 
For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_via_bits_job_notify_command.toml b/rules/windows/persistence_via_bits_job_notify_command.toml index 426b95c70fa..d44c3f86543 100644 --- a/rules/windows/persistence_via_bits_job_notify_command.toml +++ b/rules/windows/persistence_via_bits_job_notify_command.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
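Review bot: The `@@ -89,6 +89,32 @@` hunk for persistence_via_application_shimming (which starts on the previous line) documents Elastic Defend, M365 Defender, SentinelOne and CrowdStrike, but the file's metadata declares `integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]`; `windows` and `system` need bullets and subsections too, otherwise the setup text and `integration` disagree. As in the sibling files, the bullet spells `CrowdStrike` while the heading spells `Crowdstrike FDR Setup`; pick one.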
@@ -76,6 +76,27 @@ Background Intelligent Transfer Service (BITS) is a Windows service that facilit - Update and run a full antivirus and anti-malware scan on the affected system to ensure no additional threats are present. - Review and enhance endpoint protection policies to prevent unauthorized use of BITS for persistence, ensuring that only trusted applications can create or modify BITS jobs. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
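Review bot: The new `setup` list names Elastic Defend, SentinelOne Cloud Funnel and M365 Defender only, but this file's `integration` metadata in the hunk above also declares `windows`, and nothing in the setup text tells an operator that the Windows integration is an accepted source or how to enable it. Either add `- Windows` with a short `### Windows Integration Setup` paragraph linking to the integration documentation, or drop `windows` from `integration` if the query no longer supports that data. Since the setup guide is what users follow to get the rule producing events, a source declared in metadata but absent here is likely to be left unconfigured. I am assuming `windows` is meant as a real data source rather than a tagging convention; if it is the latter, a one-line remark saying so would avoid the confusion.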
diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml index 293ceeb1f54..5a9e00b4f6c 100644 --- a/rules/windows/persistence_via_hidden_run_key_valuename.toml +++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/15" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -23,14 +23,6 @@ references = [ ] risk_score = 73 rule_id = "a9b05c3b-b304-4bf9-970d-acdfaef2944c" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "high" tags = [ "Domain: Endpoint", 
@@ -98,6 +90,17 @@ The Windows Registry is a critical system database that stores configuration set - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. - Implement enhanced monitoring on the affected system and similar endpoints to detect any recurrence of the threat, focusing on registry changes and process execution. - Update and reinforce endpoint security configurations to prevent similar persistence techniques, such as enabling registry auditing and restricting access to critical registry paths.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml index 3c6f26520bd..9682fa9b246 100644 --- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml +++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
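Review bot: The replacement `setup` block says "data from one of the following integrations" and "supports multiple datasets, but only one is required" while listing a single entry, Elastic Defend, even though this file's `integration` metadata is `["endpoint", "windows"]` (visible in the preceding hunk). Either add `- Windows` with its own setup paragraph so the list really offers more than one option, or use the single-source wording this same change uses for endpoint-only rules: `This rule requires data from the Elastic Defend integration.` The deleted `event.ingested` guidance for pre-8.2 stacks looks obsolete given `min_stack_version = "8.14.0"`, so removing it seems fine; I would only confirm that `windows` is still a supported source before shipping text that no longer mentions it. The `[[rule.threat]]` table after the insertion continues outside the hunk.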
@@ -83,6 +83,27 @@ Security Support Providers (SSPs) in Windows environments facilitate authenticat - Review and update access controls and permissions to ensure that only authorized personnel can modify critical registry paths related to Security Support Providers. - Monitor the affected system and network for any signs of re-infection or further suspicious activity, focusing on registry changes and process executions. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
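Review bot: The `setup` block omits the `windows` integration that this file's metadata declares (`integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]` in the previous hunk), so an operator following these instructions gets no hint that Windows integration telemetry is an accepted source for the rule. Add `- Windows` to the list together with a `### Windows Integration Setup` paragraph pointing at the integration documentation, or remove `windows` from `integration` if the query is not expected to run against that data. The "only one is required" note is accurate, but it only helps when every supported source is actually listed.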
diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml index 84273532709..90f3537b0cc 100644 --- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml +++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/17" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -94,6 +94,32 @@ The Microsoft Compatibility Appraiser, part of Windows telemetry, uses scheduled - Analyze the system for any unauthorized changes to user accounts or privileges, and revert any modifications to ensure that only legitimate users have access. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for the affected system and similar scheduled tasks across the network to detect any future attempts at hijacking or unauthorized modifications.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml index d13d6375a2e..eb850d01e23 100644 --- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml +++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/17" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
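Review bot: Two of the six sources declared in this file's `integration` metadata, `windows` and `system`, are missing from the new `setup` list, which names only Elastic Defend, M365 Defender, SentinelOne Cloud Funnel and CrowdStrike. Because the setup text is what an operator uses to decide which integration to install, a source that is declared but not documented will probably stay unconfigured and the rule will appear silent on hosts that only ship Windows or System integration events. Add `- Windows` and `- System` bullets with short setup paragraphs, or trim `integration` to the sources the query actually supports; the query is not visible in this hunk, so which of the two is right needs checking against it.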
@@ -145,6 +145,27 @@ process where host.os.type == "windows" and event.type == "start" and "?:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe") and not process.name : ("MoUsoCoreWorker.exe", "OfficeC2RClient.exe") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml index 43ae1cc412f..796703a42c8 100644 --- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml 
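Review bot: The new `setup` text documents three sources, but the file's `integration` metadata shown in the previous hunk lists five (`"endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"`); `windows` and `system` are not mentioned anywhere in the setup block. Operators who rely on this text to choose an integration will not learn that those two are supported, so either add `- Windows` and `- System` with their setup paragraphs or prune `integration` to match. The process query immediately above the insertion is unchanged context; the `[[rule.threat]]` table that follows continues outside the hunk.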
+++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/04" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -89,6 +89,32 @@ Windows Management Instrumentation (WMI) is a powerful framework for managing da - Restore the system from a known good backup if the integrity of the system is compromised and cannot be assured through manual remediation. - Update and patch the system to the latest security standards to mitigate any vulnerabilities that may have been exploited. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml index df5ba00f618..9dfe0da5523 100644 --- a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml +++ b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/15" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" [transform] [[transform.osquery]] @@ -166,6 +166,14 @@ registry where host.os.type == "windows" and event.type == "change" and "\\REGISTRY\\USER\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script" ) ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml index dd9983e07a8..ff270ec4518 100644 --- a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml +++ b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml 
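Review bot: For the WMI event subscription rule the added `setup` list (Elastic Defend, M365 Defender, SentinelOne Cloud Funnel, CrowdStrike) leaves out `windows` and `system`, both of which this file declares in `integration` in the hunk above. A reader of the setup section would reasonably conclude those integrations are not supported, which contradicts the metadata. Add `- Windows` and `- System` entries with brief `### Windows Integration Setup` / `### System Integration Setup` paragraphs, or drop them from `integration` if the query does not cover that data; I cannot see the query here to tell which.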
@@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -95,6 +95,32 @@ process where host.os.type == "windows" and event.type == "start" and process.pa (process.name : "bitsadmin.exe" or ?process.pe.original_file_name == "bitsadmin.exe") ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml index 4178b2f6460..14c38d2ad2d 100644 
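Review bot: The `setup` list added after the query names four sources, while the file's `integration` metadata in the previous hunk names six; `windows` and `system` are the ones without a bullet or a setup paragraph. If the query is meant to match events from those integrations, document them (`- Windows`, `- System`, each with a short setup section), otherwise remove them from `integration` so the two lists agree. Keeping metadata and setup in sync matters here because the setup text is the only part an operator sees when enabling the rule. The bitsadmin branch visible above the insertion is context, not part of this change.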
--- a/rules/windows/persistence_webshell_detection.toml +++ b/rules/windows/persistence_webshell_detection.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m3 maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" -updated_date = "2025/02/21" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -114,6 +114,32 @@ process where host.os.type == "windows" and event.type == "start" and ) ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/persistence_werfault_reflectdebugger.toml b/rules/windows/persistence_werfault_reflectdebugger.toml index 799049a573b..0a8b0628184 100644 --- a/rules/windows/persistence_werfault_reflectdebugger.toml 
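Review bot: This file's `integration` metadata (previous hunk) begins `"endpoint", "windows", "system", "sentinel_one_cloud_funnel", ...`, yet the new `setup` block lists only Elastic Defend, SentinelOne Cloud Funnel, M365 Defender and CrowdStrike, so the Windows and System integrations are undocumented as sources. For a web shell rule that presumably depends on process telemetry from whichever agent is installed, an operator on the Windows integration has no way to know from this text that the rule applies to them. Add `- Windows` and `- System` with setup paragraphs, or remove them from `integration`; the query is outside the hunk, so confirm against it which is correct.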
+++ b/rules/windows/persistence_werfault_reflectdebugger.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -78,6 +78,27 @@ Werfault, the Windows Error Reporting service, can be manipulated by attackers t - Review and restore any system or application configurations that may have been altered by the attacker to their original state. - Escalate the incident to the security operations team for further analysis and to determine if additional systems are affected. - Implement enhanced monitoring and alerting for registry changes in the specified paths to detect and respond to similar threats in the future.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
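Review bot: The added `setup` section covers Elastic Defend, M365 Defender and SentinelOne Cloud Funnel but not the `windows` integration that appears in this file's `integration` list in the hunk above. Either add `- Windows` plus a `### Windows Integration Setup` paragraph linking to the integration documentation, or drop `windows` from the metadata if registry telemetry from that integration is not expected to satisfy the query. Leaving the two lists out of step means the setup text understates what the rule supports.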
diff --git a/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml b/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml index ab8e8584da6..5a5568dbfd0 100644 --- a/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml +++ b/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/02" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -94,6 +94,14 @@ In Windows environments, tokens are used to represent user credentials and permi - Review recent file modifications and system logs to identify any additional indicators of compromise or unauthorized activities that may have occurred. - Restore any altered or corrupted system files from a known good backup to ensure system integrity and functionality. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or accounts have been compromised.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml index 430416e2605..fd5bfc857e1 100644 --- a/rules/windows/privilege_escalation_disable_uac_registry.toml +++ b/rules/windows/privilege_escalation_disable_uac_registry.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/01/20" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -106,6 +106,27 @@ registry where host.os.type == "windows" and event.type == "change" and ) and registry.data.strings : ("0", "0x00000000") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
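Review bot: The `setup` block inserted after the query documents three sources, but the metadata hunk on this same line declares `integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]`, so the `windows` integration is declared yet never mentioned in the setup text. Add `- Windows` with a short setup paragraph, or remove it from `integration` if the registry query is not meant to run over that data. The `registry.data.strings : ("0", "0x00000000")` condition above the insertion is existing context and not part of this change.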
diff --git a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml index 00b8597b887..436771b4e2e 100644 --- a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml +++ b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -80,6 +80,17 @@ The DNS service in Windows environments is crucial for resolving domain names to - Review and update the system's security patches and configurations to address any vulnerabilities that may have been exploited, particularly those related to privilege escalation. - Monitor the system and network for any signs of continued or repeated unauthorized activity, focusing on similar indicators of compromise. - Report the incident to the appropriate internal security team or external authorities if required, providing details of the threat and actions taken for further investigation and response.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] 
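Review bot: The new `setup` block uses the multi-source wording ("one of the following integrations", "supports multiple datasets, but only one is required") while listing only Elastic Defend, although the metadata hunk on this same line shows `integration = ["endpoint", "windows"]`. Either add `- Windows` with its own setup paragraph so the list matches the metadata, or switch to the single-source sentence this change uses elsewhere, `This rule requires data from the Elastic Defend integration.`, and drop `windows` from `integration` if it is no longer supported. As written the text promises alternatives it does not name.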
diff --git a/rules/windows/privilege_escalation_driver_newterm_imphash.toml b/rules/windows/privilege_escalation_driver_newterm_imphash.toml index cec1e42a855..b641817723d 100644 --- a/rules/windows/privilege_escalation_driver_newterm_imphash.toml +++ b/rules/windows/privilege_escalation_driver_newterm_imphash.toml @@ -2,7 +2,7 @@ creation_date = "2022/12/19" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" [transform] [[transform.osquery]] @@ -114,6 +114,14 @@ type = "new_terms" query = ''' event.category:"driver" and host.os.type:windows and event.action:"load" ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_expired_driver_loaded.toml b/rules/windows/privilege_escalation_expired_driver_loaded.toml index d96ccf10bfe..d01bb64dbb2 100644 --- a/rules/windows/privilege_escalation_expired_driver_loaded.toml +++ b/rules/windows/privilege_escalation_expired_driver_loaded.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -71,6 +71,14 @@ In Windows environments, drivers facilitate communication between the OS and har - Apply the latest security patches and driver updates to close any vulnerabilities that may have been exploited. - Restore the system from a known good backup if any unauthorized changes or persistent threats are detected. - Escalate the incident to the security operations center (SOC) for further analysis and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_exploit_cve_202238028.toml b/rules/windows/privilege_escalation_exploit_cve_202238028.toml index 760a2e136ca..5dd4f5b8281 100644 --- a/rules/windows/privilege_escalation_exploit_cve_202238028.toml +++ b/rules/windows/privilege_escalation_exploit_cve_202238028.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/23" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -79,6 +79,27 @@ CVE-2022-38028 targets the Windows Print Spooler service, a core component manag - Conduct a thorough review of user accounts and privileges on the affected system to identify and revoke any unauthorized privilege escalations. - Monitor the network and system logs for any signs of further exploitation attempts or related suspicious activities, using enhanced detection rules. - Report the incident to the appropriate internal security team or external authorities if required, providing detailed information about the exploitation attempt and actions taken.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
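Review bot: The new `setup` text lists only Elastic Defend, M365 Defender and SentinelOne Cloud Funnel, while this file's `integration` metadata in the preceding hunk also declares `windows`, so a reader following the setup guide is never told that the Windows integration (or `system`, where declared) is a supported data source; the same gap is in the setup hunks for privilege_escalation_gpo_schtask_service_creation, named_pipe_impersonation, printspooler_service_suspicious_file, printspooler_suspicious_file_deletion, rogue_windir_environment_var and service_control_spawned_script_int. In persistence_phantom_dll, printspooler_registry_copyfiles and reg_service_imagepath_mod the omission leaves a one-item "one of the following integrations" list followed by the multi-dataset note, which reads as contradictory; the short form used in privilege_escalation_driver_newterm_imphash (`This rule requires data from the Elastic Defend integration.`) fits those files unless a Windows section is added. The bullet labels and section headings also disagree (`- M365 Defender` vs `### Microsoft Defender for Endpoint Setup`, `- CrowdStrike` vs `### Crowdstrike FDR Setup`), and the bullets list M365 Defender before SentinelOne while the sections are in the opposite order; aligning the names and order would make the guide easier to scan. Since these blocks look generated, the fix probably belongs in the template rather than in each rule file.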
diff --git a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml index 422f24a07d1..96cf91e670a 100644 --- a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml +++ b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/13" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -81,6 +81,27 @@ Group Policy Objects (GPOs) are crucial for centralized management in Windows en - Notify the security operations center (SOC) and escalate the incident to the incident response team for further investigation and to determine the scope of the compromise. - Implement additional monitoring on GPO paths and domain admin activities to detect any further unauthorized changes or suspicious behavior. - Review and strengthen access controls and auditing policies for GPO management to prevent unauthorized modifications in the future.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml index 52bf1177ba3..d21347726f4 100644 --- a/rules/windows/privilege_escalation_installertakeover.toml +++ b/rules/windows/privilege_escalation_installertakeover.toml @@ -2,7 +2,7 @@ creation_date = "2021/11/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" [transform] [[transform.osquery]] @@ -99,14 +99,6 @@ This rule detects the default execution of the PoC, which overwrites the `elevat references = ["https://github.com/klinix5/InstallerFileTakeOver"] risk_score = 73 rule_id = "58c6d58b-a0d3-412d-b3b8-0981a9400607" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "high" tags = [ "Domain: Endpoint", @@ -139,6 +131,14 @@ process where host.os.type == "windows" and event.type == "start" and process.pe.original_file_name == null ) ''' +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] 
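Review bot: The `@@ -99,14 +99,6 @@` hunk removes the previous setup note that EQL rules on non-Elastic-Agent indices (such as beats) before 8.2 need a custom ingest pipeline to populate `event.ingested`, and the replacement block in `@@ -139,6 +131,14 @@` carries none of it over, so that operational caveat is silently lost for anyone still running this rule against such an index. If the rule's `index` list (not visible in these hunks) is limited to Elastic Defend data streams the removal is correct and worth stating in the commit message; otherwise the old paragraph should be appended under its own heading inside the new `setup` string rather than dropped. The same replacement happens in privilege_escalation_persistence_phantom_dll.toml.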
diff --git a/rules/windows/privilege_escalation_lsa_auth_package.toml b/rules/windows/privilege_escalation_lsa_auth_package.toml index 24dcc87b0fe..e8a6ac6f09b 100644 --- a/rules/windows/privilege_escalation_lsa_auth_package.toml +++ b/rules/windows/privilege_escalation_lsa_auth_package.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint", "m365_defender"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -75,6 +75,22 @@ The Local Security Authority (LSA) in Windows manages authentication and securit - Review and reset credentials for any accounts that may have been compromised, focusing on those with elevated privileges. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for registry changes, particularly those involving LSA authentication packages, to detect and respond to similar threats in the future.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml b/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml index 962de6246e1..8da88901d78 100644 --- a/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml +++ b/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel", "m365_defender", "window
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 
 [rule]
 author = ["Elastic"]
@@ -86,6 +86,27 @@ Windows Installer (MSI) is a service used for software installation and maintena - Restore the affected system from a known good backup if unauthorized changes or persistent threats are detected that cannot be easily remediated. - Monitor the network for any signs of similar exploitation attempts or related suspicious activities, using enhanced detection rules and threat intelligence feeds. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation and recovery efforts.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- SentinelOne Cloud Funnel +- M365 Defender + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml index b75be0c1682..a639207bb64 100644 --- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml +++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -133,6 +133,32 @@ process where host.os.type == "windows" and event.type == "start" and (process.name : ("Cmd.Exe", "PowerShell.EXE") or ?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE")) and process.args : "echo" and process.args : ">" and process.args : "\\\\.\\pipe\\*" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml index 6ae392c415a..41d6333759f 100644 --- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml +++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/07" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/02/14" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -68,14 +68,6 @@ references = [ ] risk_score = 73 rule_id = "bfeaf89b-a2a7-48a3-817f-e41829dc61ee" -setup = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, -events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. -Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate -`event.ingested` to @timestamp. -For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html -""" severity = "high" tags = [ "Domain: Endpoint", @@ -160,6 +152,17 @@ any where host.os.type == "windows" and ) ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] 
diff --git a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml index 507d5cfaa98..aaef8aab417 100644 --- a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml +++ b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint", "m365_defender"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] 
@@ -79,6 +79,22 @@ Port monitors and print processors are integral to Windows printing, managing da - Review and reset credentials for any accounts that may have been compromised, especially those with elevated privileges, to prevent unauthorized access. - Implement application whitelisting to prevent unauthorized DLLs from executing, focusing on the paths identified in the alert. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected, ensuring comprehensive threat containment and eradication.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml index 410f3e64a76..b556bbb0429 100644 --- a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml 
+++ b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/26" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -88,6 +88,17 @@ The Windows Print Spooler service manages print jobs and is integral to printing - Apply the latest security patches and updates from Microsoft to address CVE-2020-1030 and other known vulnerabilities in the Print Spooler service. - Monitor the network for any signs of similar exploitation attempts, focusing on the registry paths and data patterns specified in the detection rule. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml index 30d052601d3..da679ae6a23 100644 --- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml +++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml 
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -86,6 +86,27 @@ The Print Spooler service in Windows manages print jobs, but vulnerabilities lik - Conduct a thorough review of user accounts and privileges on the affected system to ensure no unauthorized privilege escalation has occurred. - Monitor the network for any signs of similar exploitation attempts or related suspicious activity, using enhanced logging and alerting mechanisms. - Report the incident to the appropriate internal security team or external authorities if required, providing details of the exploit and actions taken for further investigation and response.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.filters]] [rule.filters.meta] 
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml index a4d9dff6d29..6dfc2572a5c 100644 --- a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml +++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/06" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -82,6 +82,27 @@ The Print Spooler service in Windows manages print jobs and interactions with pr - Apply the latest security patches and updates to the Print Spooler service and related components to mitigate known vulnerabilities. - Monitor the affected system and network for any signs of further suspicious activity, focusing on similar file deletion patterns or privilege escalation attempts. - Escalate the incident to the security operations center (SOC) or relevant IT security team for further investigation and to assess the need for broader organizational response measures.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml index baf7f5ac53e..31fab27e822 100644 --- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml +++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint", "m365_defender"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" [transform] [[transform.osquery]] @@ -138,6 +138,22 @@ file where host.os.type == "windows" and event.type != "deletion" and "?:\\PROGRA~2\\*.exe", "?:\\Windows\\System32\\rundll32.exe") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml index 12a9f06a241..bf6076f9b99 100644 
--- a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml +++ b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/05" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -123,6 +123,17 @@ Windows services are crucial for system operations, often running with high priv - Review and audit user accounts and group memberships, particularly those with elevated privileges like Server Operators, to ensure no unauthorized changes have been made. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and alerting for future modifications to service ImagePath registry keys, focusing on deviations from standard paths to detect similar threats promptly.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml index fb4436a95de..845b662b174 100644 --- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml 
+++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/26"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -89,6 +89,27 @@ The Windir environment variable points to the Windows directory, crucial for sys - Reset passwords for any user accounts that may have been compromised, especially those with elevated privileges. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring on the affected system and similar endpoints to detect any further attempts to alter critical environment variables or other suspicious activities.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml index 1ab090ec688..af56c805088 100644 --- a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml +++ b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "system", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -118,6 +118,27 @@ process where host.os.type == "windows" and event.type == "start" and /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */ not user.id : "S-1-5-18" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml index db3e02e1630..40206e87956 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml 
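Review bot: The new setup text lists Elastic Defend, M365 Defender and CrowdStrike only, but the rule's `integration` array in the hunk above also names `system` and `windows`, so operators feeding the rule from Windows Security or Sysmon logs get no setup guidance and may assume those sources are unsupported. Add both to the list, and since the query's only SYSTEM exclusion is `not user.id : "S-1-5-18"`, state that the chosen source must populate `user.id` with the Windows SID; otherwise the exclusion never matches and service creations by SYSTEM alert (whether each third-party mapping does this is not visible here). The heading `### Crowdstrike FDR Setup` should also use the `CrowdStrike` spelling used in the list.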
@@ -2,7 +2,7 @@ creation_date = "2020/10/28" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -79,6 +79,27 @@ User Account Control (UAC) is a security feature in Windows designed to prevent - Update and patch the operating system and all installed software to the latest versions to mitigate known vulnerabilities. - Implement application whitelisting to prevent unauthorized programs from executing, focusing on blocking non-standard paths for critical system executables. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml index 37eb6ce566f..a1009963f9c 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -82,6 +82,27 @@ User Account Control (UAC) is a security feature in Windows designed to prevent - Update and patch the affected system to the latest security updates to mitigate known vulnerabilities that could be exploited for UAC bypass. - Implement application whitelisting to prevent unauthorized executables from running, particularly those in temporary directories. - Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml index 336f80f317d..4e7d4bd66e4 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -77,6 +77,22 @@ The ICMLuaUtil Elevated COM Interface is a Windows component that facilitates Us - Update and patch the operating system and all installed software to mitigate any known vulnerabilities that could be exploited for UAC bypass. - Implement application whitelisting to prevent unauthorized applications from executing, focusing on blocking the execution of `dllhost.exe` with suspicious arguments. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml index d7cc1793a86..a4aa13a8011 100644 --- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml +++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml 
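Review bot: The list names Elastic Defend and M365 Defender, yet the `integration` array shown in the preceding hunk is `["endpoint", "windows", "m365_defender"]`, so the Sysmon-based `windows` source is declared by the rule but missing from the setup. Add `- Windows (Sysmon process creation events)` to the list, or drop `windows` from the array if it is no longer intended; the two should not disagree.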
@@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -97,6 +97,32 @@ User Account Control (UAC) is a security feature in Windows that helps prevent u - Update and patch the affected system to the latest security updates to mitigate any known vulnerabilities that could be exploited for UAC bypass. - Monitor the affected system and network for any signs of recurring unauthorized activity or similar UAC bypass attempts. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). 
+ +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml index dc35aabe197..180f2315f82 100644 --- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml +++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/27" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
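Review bot: The `integration` array for this rule (visible in the hunk above) also contains `system` and `windows`, but the setup lists only Elastic Defend, M365 Defender, SentinelOne and CrowdStrike, so two supported sources have no setup guidance. Add both to the list with a one-line note on what each needs (Sysmon Event ID 1 for `windows`, Security 4688 with command-line auditing for `system`). The list spells `CrowdStrike` while the heading reads `### Crowdstrike FDR Setup`; pick one.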
@@ -83,6 +83,27 @@ The IFileOperation COM interface is a Windows component used for file operations - Apply any pending security patches and updates to the operating system and installed software to mitigate known vulnerabilities. - Monitor the network for any signs of similar activity or attempts to exploit the IFileOperation COM interface on other systems. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml index f2c7c23ecd7..14f7e2fc296 100644 --- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml +++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/17" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -140,6 +140,32 @@ process where host.os.type == "windows" and event.type == "start" and "?\\Device\\HarddiskVolume?\\Windows\\Sys?????\\WerFault.exe" ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml index 41c0ca0acb8..a8f188ff7b9 100644 
--- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml +++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/26" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -132,6 +132,32 @@ query = ''' process where host.os.type == "windows" and event.type == "start" and process.args : ("C:\\Windows \\system32\\*.exe", "C:\\Windows \\SysWOW64\\*.exe") ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
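Review bot: The query relies on `process.args` matching `C:\Windows \system32\*.exe`, and the rule's `integration` array includes `system` and `windows`, but the setup neither lists those two sources nor says that command-line fields must be collected. If Windows Security event 4688 (the `system` integration) is the source, `process.args` is empty unless the "Include command line in process creation events" audit policy is enabled, and the rule silently never fires; add `For Windows Security event 4688, enable "Include command line in process creation events" so that process.args is populated.` next to entries for the Windows and System integrations. This is inferred from the field the query uses, not from anything in the hunk about the field mapping.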
diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml index 64b893efdb8..c586e1ddade 100644 --- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml +++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/14" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -123,6 +123,27 @@ process where host.os.type == "windows" and event.type == "start" and /* args of the Windows Firewall SnapIn */ process.parent.args == "WF.msc" and process.name != "WerFault.exe" ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_unquoted_service_path.toml b/rules/windows/privilege_escalation_unquoted_service_path.toml index e833d27561b..90f91cb4aa4 100644 --- a/rules/windows/privilege_escalation_unquoted_service_path.toml +++ b/rules/windows/privilege_escalation_unquoted_service_path.toml 
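Review bot: The `integration` array above names `windows` next to the three sources the setup lists, so the Sysmon path is undocumented here; add it to the list or remove it from the array. The query's key condition is `process.parent.args == "WF.msc"`, which needs the parent's command line, and not every source populates parent arguments; the setup should say the rule depends on `process.parent.args` being present so operators check their mapping rather than assume coverage (per-source field support cannot be verified from the diff).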
@@ -2,7 +2,7 @@ creation_date = "2023/07/13" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -86,6 +86,27 @@ Unquoted service paths in Windows can be exploited by adversaries to escalate pr - Restore the affected system from a known good backup if malicious activity is confirmed and system integrity is compromised. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for similar suspicious activities across the network to detect and respond to future attempts promptly.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
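Review bot: The `integration` array above includes `windows` and `system`, but the setup list has only Elastic Defend, M365 Defender and SentinelOne Cloud Funnel, so the list understates the rule's supported sources. Either add `- Windows` and `- System` with their requirements or trim the array; the same array/setup drift appears in several files of this change and is worth a check in the rule validator so it cannot recur.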
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml index f5bc7027f9c..cd132dc01d3 100644 --- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml +++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -160,6 +160,32 @@ process.parent.name != null and (process.parent.name:"conhost.exe" and not process.name:("mscorsvw.exe", "wermgr.exe", "WerFault.exe", "WerFaultSecure.exe")) ) ''' +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel +- CrowdStrike + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Crowdstrike FDR Setup + +This rule is compatible with telemetry generated by Crowdstrike FDR. For setup instructions, refer to the Crowdstrike FDR integration [documentation](https://www.elastic.co/guide/en/integrations/current/crowdstrike.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). +""" [[rule.threat]] 
diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml index 1818cfcba80..82fc9d5d737 100644 --- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml +++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/06" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." @@ -94,6 +94,17 @@ The Print Spooler service, integral to Windows environments, manages print jobs - Restore the system from a clean backup if any unauthorized changes or malicious activities are confirmed. - Monitor the system closely for any recurrence of similar suspicious activities, ensuring enhanced logging and alerting are in place for spoolsv.exe and its child processes. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] 
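Review bot: The setup says "one of the following integrations" and then lists a single item, followed by the multi-dataset OR note, which contradicts itself. The rule's `integration` array is `["endpoint", "windows", "system"]`, so either the list should include Windows and System or the text should use the single-source form used elsewhere in this change, `This rule requires data from the Elastic Defend integration.`, and drop the Note. Since spoolsv.exe child-process detection works on any process-creation source, listing all three looks like the intended fix.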
diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml index d2e8805865a..bef306dbde7 100644 --- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml +++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." 
@@ -101,6 +101,27 @@ Service Host (svchost.exe) is a critical Windows process that hosts multiple ser - Restore the affected system from a known good backup if malicious activity is confirmed and cannot be fully remediated through cleaning. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised. - Implement enhanced monitoring and logging for svchost.exe and related processes to detect similar anomalies in the future, ensuring that alerts are configured to notify the appropriate personnel promptly.""" +setup = """## Setup + +This rule requires data from one of the following integrations: +- Elastic Defend +- M365 Defender +- SentinelOne Cloud Funnel + +Note: This detection rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### SentinelOne Cloud Funnel Setup + +This rule is compatible with telemetry generated by the SentinelOne XDR platform. For setup instructions, refer to the SentinelOne Cloud Funnel integration [documentation](https://www.elastic.co/guide/en/integrations/current/sentinel_one_cloud_funnel.html). + +### Microsoft Defender for Endpoint Setup + +This rule is compatible with telemetry generated by Microsoft Defender for Endpoint and collected via the Streaming API using the Microsoft M365 Defender integration. For setup instructions, refer to the Microsoft M365 Defender integration [documentation](https://www.elastic.co/guide/en/integrations/current/m365_defender.html). 
+""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_via_ppid_spoofing.toml b/rules/windows/privilege_escalation_via_ppid_spoofing.toml index c46205436f9..22a245081f3 100644 --- a/rules/windows/privilege_escalation_via_ppid_spoofing.toml +++ b/rules/windows/privilege_escalation_via_ppid_spoofing.toml @@ -2,7 +2,7 @@ creation_date = "2022/10/20" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/24" [rule] author = ["Elastic"] @@ -131,6 +131,14 @@ Parent Process ID (PPID) spoofing is a technique where adversaries manipulate th - Restore the system from a known good backup if necessary, ensuring that all malicious artifacts are removed and system integrity is maintained. - Implement additional monitoring and logging on the affected system and network to detect any recurrence of similar activities. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if broader organizational impacts exist.""" +setup = """## Setup + +This rule requires data from the Elastic Defend integration. + +### Elastic Defend Setup + +Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" [[rule.threat]] diff --git a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml index bcb02117785..5bee7725e4e 100644 --- a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml +++ b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/10/13"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -28,12 +28,6 @@ setup = """## Setup
 Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings: `condition equal "contains" and keyword equal "pipe"`
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
 tags = [
diff --git a/rules/windows/privilege_escalation_via_token_theft.toml b/rules/windows/privilege_escalation_via_token_theft.toml
index 115e4a75c6e..a713396cbfd 100644
--- a/rules/windows/privilege_escalation_via_token_theft.toml
+++ b/rules/windows/privilege_escalation_via_token_theft.toml
@@ -2,7 +2,7 @@ creation_date = "2022/10/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -135,6 +135,14 @@ In Windows environments, processes can be created with elevated tokens to perfor
 - Implement additional monitoring on the affected system and network to detect any further attempts at privilege escalation or token manipulation.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat has spread to other systems.
 - Review and update endpoint protection and detection capabilities to ensure they are configured to detect similar threats in the future, leveraging the MITRE ATT&CK framework for guidance on Access Token Manipulation (T1134)."""
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]
diff --git a/rules/windows/privilege_escalation_wpad_exploitation.toml b/rules/windows/privilege_escalation_wpad_exploitation.toml
index 3720a8cc335..079682a7dd3 100644
--- a/rules/windows/privilege_escalation_wpad_exploitation.toml
+++ b/rules/windows/privilege_escalation_wpad_exploitation.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/02"
 integration = ["endpoint"]
 maturity = "development"
-updated_date = "2025/01/15"
+updated_date = "2025/02/24"
 [rule]
 author = ["Elastic"]
@@ -72,6 +72,14 @@ The Web Proxy Auto-Discovery Protocol (WPAD) helps devices on a network automati
 - Apply security patches and updates to the operating system and all software to mitigate known vulnerabilities that could be exploited by similar attacks.
 - Monitor network traffic for any further suspicious DNS queries or unusual outbound connections, particularly those involving the WPAD service, to detect any ongoing or new threats.
 - Escalate the incident to the security operations center (SOC) or relevant IT security team for further investigation and to ensure comprehensive remediation and recovery efforts."""
+setup = """## Setup
+
+This rule requires data from the Elastic Defend integration.
+
+### Elastic Defend Setup
+
+Elastic Defend seamlessly integrates with Elastic Agent through Fleet. Once set up, it enables endpoint prevention and remediation capabilities and sends data that powers detection rules. For setup instructions, refer to our [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
 [[rule.threat]]