Merge branch 'main' into web-server-esql-rule-tuning

Author: Aegrah

rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml

@@ -0,0 +1,140 @@
+[metadata]
+creation_date = "2025/12/02"
+integration = ["nginx", "apache", "apache_tomcat", "iis"]
+maturity = "production"
+min_stack_version = "9.2.0"
+min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0"
+updated_date = "2025/12/02"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects potential Local File Inclusion (LFI) activity on web servers by identifying HTTP GET requests that
+attempt to access sensitive local files through directory traversal techniques or known file paths. Attackers may
+exploit LFI vulnerabilities to read sensitive files, gain system information, or further compromise the server.
+"""
+from = "now-11m"
+interval = "10m"
+language = "esql"
+license = "Elastic License v2"
+name = "Web Server Local File Inclusion Activity"
+risk_score = 21
+rule_id = "90e4ceab-79a5-4f8e-879b-513cac7fcad9"
+severity = "low"
+tags = [
+    "Domain: Web",
+    "Use Case: Threat Detection",
+    "Tactic: Discovery",
+    "Data Source: Nginx",
+    "Data Source: Apache",
+    "Data Source: Apache Tomcat",
+    "Data Source: IIS",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+query = '''
+from
+  logs-nginx.access-*,
+  logs-apache.access-*,
+  logs-apache_tomcat.access-*,
+  logs-iis.access-*
+| where
+    http.request.method == "GET" and
+    http.response.status_code == 200 and
+    url.original like "*=*"
+
+| eval Esql.url_original_url_decoded_to_lower = to_lower(URL_DECODE(url.original))
+
+| where
+  /* 1) Relative traversal */
+    Esql.url_original_url_decoded_to_lower like "*../../../../*" or           // Unix-style traversal
+    Esql.url_original_url_decoded_to_lower like "*..\\\\..\\\\..\\\\..*" or           // Windows-style traversal
+    // Potential security check bypassing (enforcing multiple dots and shortening the pattern)
+    Esql.url_original_url_decoded_to_lower like "*..././*" or
+    Esql.url_original_url_decoded_to_lower like "*...\\*" or
+    Esql.url_original_url_decoded_to_lower like "*....\\*" or
+
+  /* 2) Linux system identity / basic info */
+    Esql.url_original_url_decoded_to_lower like "*etc/passwd*" or
+    Esql.url_original_url_decoded_to_lower like "*etc/shadow*" or
+    Esql.url_original_url_decoded_to_lower like "*etc/hosts*" or
+    Esql.url_original_url_decoded_to_lower like "*etc/os-release*" or
+    Esql.url_original_url_decoded_to_lower like "*etc/issue*" or
+
+  /* 3) Linux /proc enumeration */
+    Esql.url_original_url_decoded_to_lower like "*proc/self/environ*" or
+    Esql.url_original_url_decoded_to_lower like "*proc/self/cmdline*" or
+    Esql.url_original_url_decoded_to_lower like "*proc/self/fd*" or
+    Esql.url_original_url_decoded_to_lower like "*proc/self/exe*" or
+
+  /* 4) Linux webroots, configs & logs */
+    Esql.url_original_url_decoded_to_lower like "*var/www*" or               // generic webroot
+    Esql.url_original_url_decoded_to_lower like "*wp-config.php*" or         // classic WP config
+    Esql.url_original_url_decoded_to_lower like "*etc/apache2*" or
+    Esql.url_original_url_decoded_to_lower like "*etc/httpd*" or
+    Esql.url_original_url_decoded_to_lower like "*etc/nginx*" or
+    Esql.url_original_url_decoded_to_lower like "*var/log/apache2*" or
+    Esql.url_original_url_decoded_to_lower like "*var/log/httpd*" or
+    Esql.url_original_url_decoded_to_lower like "*var/log/nginx*" or
+
+  /* 5) Windows core files / identity */
+    Esql.url_original_url_decoded_to_lower like "*windows/panther/*unattend*" or
+    Esql.url_original_url_decoded_to_lower like "*windows/debug/netsetup.log*" or
+    Esql.url_original_url_decoded_to_lower like "*windows/win.ini*" or
+    Esql.url_original_url_decoded_to_lower like "*windows/system32/drivers/etc/hosts*" or
+    Esql.url_original_url_decoded_to_lower like "*boot.ini*" or
+    Esql.url_original_url_decoded_to_lower like "*windows/system32/config/*" or
+    Esql.url_original_url_decoded_to_lower like "*windows/repair/sam*" or
+    Esql.url_original_url_decoded_to_lower like "*windows/system32/license.rtf*" or
+
+  /* 6) Windows IIS / .NET configs, webroots & logs */
+     Esql.url_original_url_decoded_to_lower like "*/inetpub/wwwroot*" or
+     Esql.url_original_url_decoded_to_lower like "*/inetpub/logs/logfiles*" or
+     Esql.url_original_url_decoded_to_lower like "*applicationhost.config*" or
+     Esql.url_original_url_decoded_to_lower like "*/microsoft.net/framework64/*/config/web.config*" or
+     Esql.url_original_url_decoded_to_lower like "*windows/system32/inetsrv/*" or
+
+  /* 7) PHP & protocol wrappers */
+     Esql.url_original_url_decoded_to_lower like "*php://*" or
+     Esql.url_original_url_decoded_to_lower like "*zip://*" or
+     Esql.url_original_url_decoded_to_lower like "*phar://*" or
+     Esql.url_original_url_decoded_to_lower like "*expect://*" or
+     Esql.url_original_url_decoded_to_lower like "*file://*" or
+     Esql.url_original_url_decoded_to_lower like "*data://text/plain;base64*"
+
+| keep
+    @timestamp,
+    Esql.url_original_url_decoded_to_lower,
+    source.ip,
+    agent.id,
+    host.name,
+    http.request.method,
+    http.response.status_code,
+    event.dataset,
+    data_stream.namespace
+
+| stats
+    Esql.event_count = count(),
+    Esql.url_original_url_decoded_to_lower_count_distinct = count_distinct(Esql.url_original_url_decoded_to_lower),
+    Esql.host_name_values = values(host.name),
+    Esql.agent_id_values = values(agent.id),
+    Esql.http_request_method_values = values(http.request.method),
+    Esql.http_response_status_code_values = values(http.response.status_code),
+    Esql.url_original_url_decoded_to_lower_values = values(Esql.url_original_url_decoded_to_lower),
+    Esql.event_dataset_values = values(event.dataset),
+    Esql.data_stream_namespace_values = values(data_stream.namespace)
+    by source.ip
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1083"
+name = "File and Directory Discovery"
+reference = "https://attack.mitre.org/techniques/T1083/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"

rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml

@@ -0,0 +1,100 @@
+[metadata]
+creation_date = "2025/12/02"
+integration = ["nginx", "apache", "apache_tomcat", "iis"]
+maturity = "production"
+min_stack_version = "9.2.0"
+min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0"
+updated_date = "2025/12/02"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects potential Remote File Inclusion (RFI) activity on web servers by identifying HTTP GET requests that
+attempt to access sensitive remote files through directory traversal techniques or known file paths. Attackers may
+exploit RFI vulnerabilities to read sensitive files, gain system information, or further compromise the server.
+"""
+from = "now-11m"
+interval = "10m"
+language = "esql"
+license = "Elastic License v2"
+name = "Web Server Potential Remote File Inclusion Activity"
+risk_score = 21
+rule_id = "45d099b4-a12e-4913-951c-0129f73efb41"
+severity = "low"
+tags = [
+    "Domain: Web",
+    "Use Case: Threat Detection",
+    "Tactic: Discovery",
+    "Tactic: Command and Control",
+    "Data Source: Nginx",
+    "Data Source: Apache",
+    "Data Source: Apache Tomcat",
+    "Data Source: IIS",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+query = '''
+from
+  logs-nginx.access-*,
+  logs-apache.access-*,
+  logs-apache_tomcat.access-*,
+  logs-iis.access-*
+| where
+    http.request.method == "GET" and
+    http.response.status_code == 200 and
+    url.original like "*=*"
+
+| eval Esql.url_original_url_decoded_to_lower = to_lower(URL_DECODE(url.original))
+
+| where
+    Esql.url_original_url_decoded_to_lower like "*=http://*" or
+    Esql.url_original_url_decoded_to_lower like "*=https://*" or
+    Esql.url_original_url_decoded_to_lower like "*=ftp://*" or
+    Esql.url_original_url_decoded_to_lower like "*=smb://*" or
+    Esql.url_original_url_decoded_to_lower like "*=file://*" or
+    Esql.url_original_url_decoded_to_lower rlike """.*=.*[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}.*"""
+
+| keep
+    @timestamp,
+    Esql.url_original_url_decoded_to_lower,
+    source.ip,
+    agent.id,
+    host.name,
+    http.request.method,
+    http.response.status_code,
+    event.dataset,
+    data_stream.namespace
+
+| stats
+    Esql.event_count = count(),
+    Esql.url_original_url_decoded_to_lower_count_distinct = count_distinct(Esql.url_original_url_decoded_to_lower),
+    Esql.host_name_values = values(host.name),
+    Esql.agent_id_values = values(agent.id),
+    Esql.http_request_method_values = values(http.request.method),
+    Esql.http_response_status_code_values = values(http.response.status_code),
+    Esql.url_original_url_decoded_to_lower_values = values(Esql.url_original_url_decoded_to_lower),
+    Esql.event_dataset_values = values(event.dataset),
+    Esql.data_stream_namespace_values = values(data_stream.namespace)
+    by source.ip
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1083"
+name = "File and Directory Discovery"
+reference = "https://attack.mitre.org/techniques/T1083/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"

rules/cross-platform/initial_access_execution_susp_react_serv_child.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint", "windows", "auditd_manager", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/04"
+updated_date = "2025/12/05"
 
 [rule]
 author = ["Elastic"]
@@ -77,14 +77,43 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and event.action in ("exec", "executed", "process_started", "start", "ProcessRollup2") and
-process.name in ("sh", "bash", "zsh", "curl", "wget", "id", "whoami", "uname", "cmd.exe", "cat", "powershell.exe") and
-(
- ?process.working_directory : ("*react-dom*", "*.next*", "*node_modules/next*", "*react-server*", "*bin/next*", "*--experimental-https*", "*app/server*", "*.pnpm/next*", "*/app/*", "*next/dist/server*", "*react-scripts*") or
- 
- (process.parent.name in ("node", "bun", "node.exe", "bun.exe") and
-  process.parent.command_line : ("*react-dom*", "*.next*", "*node_modules/next*", "*react-server*", "*bin/next*", "*--experimental-https*", "*app/server*", "*.pnpm/next*", "*next start*", "*next dev*", "*react-scripts start*", "*next/dist/server*"))
- )
+process where event.type == "start" and event.action != "fork" and (
+    process.name in (
+      "sh", "bash", "zsh", "curl", "wget", "id", "whoami", "uname", "cmd.exe", "cat", "powershell.exe", "java", "rundll32.exe", "wget.exe", "certutil.exe",
+      "nc", "ncat", "netcat", "nc.openbsd", "nc.traditional", "socat", "busybox", "mkfifo", "nohup", "setsid", "xterm"
+    ) or
+    (process.name : "python*" and process.args : "-c" and process.args : (
+     "*import*pty*spawn*", "*import*subprocess*call*"
+    )) or
+    (process.name : "perl*" and process.args : "-e" and process.args : "*socket*" and process.args : (
+     "*exec*", "*system*"
+    )) or
+    (process.name : "ruby*" and process.args : ("-e", "-rsocket") and process.args : (
+     "*TCPSocket.new*", "*TCPSocket.open*"
+     )) or
+    (process.name : "lua*" and process.args : "-e" and process.args : "*socket.tcp*" and process.args : (
+     "*io.popen*", "*os.execute*"
+    )) or
+    (process.name : "php*" and process.args : "-r" and process.args : "*fsockopen*" and process.args : "*/bin/*sh*") or 
+    (process.name == "node" and process.args == "-e" and process.args : "*spawn*sh*" and process.args : "*connect*") or
+    (process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*") or
+    (process.name in ("rvim", "vim", "vimdiff", "rview", "view") and process.args == "-c" and process.args : "*socket*")
+)
+and (
+  ?process.working_directory : (
+    "*react-dom*", "*.next*", "*node_modules/next*", "*react-server*", "*bin/next*", "*--experimental-https*", "*app/server*",
+    "*.pnpm/next*", "*/app/*", "*next/dist/server*", "*react-scripts*") or
+  (
+    process.parent.name in ("node", "bun", "node.exe", "bun.exe") and
+    process.parent.command_line : (
+      "*react-dom*", "*.next*", "*node_modules/next*", "*react-server*", "*next-server*", "*server.js*", "*bin/next*",
+      "*--experimental-https*", "*app/server*", "*.pnpm/next*", "*next start*", "*next dev*", "*react-scripts start*", "*next/dist/server*"
+    )
+  )
+) and not (
+  ?process.parent.executable in ("./runc", "/opt/google/chrome/chrome") or
+  process.command_line like "/bin/sh -c git config*"
+)
 '''
 
 [[rule.threat]]

rules/integrations/fim/persistence_suspicious_file_modifications.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/06/03"
 integration = ["fim"]
 maturity = "production"
-updated_date = "2025/01/22"
+updated_date = "2025/12/04"
 
 [rule]
 author = ["Elastic"]
@@ -21,6 +21,10 @@ name = "Potential Persistence via File Modification"
 references = [
     "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms",
     "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
+    "https://www.elastic.co/security-labs/continuation-on-persistence-mechanisms",
+    "https://www.elastic.co/security-labs/approaching-the-summit-on-persistence",
+    "https://www.elastic.co/security-labs/the-grand-finale-on-linux-persistence",
+    "https://slayer0x.github.io/awscli/",
 ]
 risk_score = 21
 rule_id = "192657ba-ab0e-4901-89a2-911d611eee98"
@@ -94,6 +98,10 @@ file.path : (
   "/home/*/.config/fish/config.fish", "/root/.config/fish/config.fish",
   "/home/*/.kshrc", "/root/.kshrc",
 
+  // Alias files
+  "/home/*/.bash_aliases", "/root/.bash_aliases", "/home/*/.zsh_aliases", "/root/.zsh_aliases",
+  "/home/*/.aws/cli/alias", "/root/.aws/cli/alias", 
+
   // runtime control
   "/etc/rc.common", "/etc/rc.local",
 

rules/windows/defense_evasion_posh_obfuscation_backtick.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/08/14"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -104,8 +104,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 | keep
     Esql.script_block_pattern_count,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
     file.name,
     file.directory,
     file.path,

rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -103,8 +103,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_pattern_count,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
     file.path,
     file.name,
     powershell.sequence,

rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -105,8 +105,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 | keep
     Esql.script_block_pattern_count,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
     file.path,
     powershell.sequence,
     powershell.total,