Skip to content

Commit 41acd2b

Browse files
w0rk3rw0rk3r
committed
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13
1 parent fbfc696 commit 41acd2b

File tree

5 files changed

+36
-19
lines changed

5 files changed

+36
-19
lines changed

rules/windows/persistence_ms_office_addins_file.toml

Lines changed: 12 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,8 @@
11
[metadata]
22
creation_date = "2020/10/16"
3-
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
3+
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
44
maturity = "production"
5-
updated_date = "2025/03/20"
5+
updated_date = "2025/08/26"
66

77
[rule]
88
author = ["Elastic"]
@@ -15,6 +15,7 @@ index = [
1515
"endgame-*",
1616
"logs-m365_defender.event-*",
1717
"logs-sentinel_one_cloud_funnel.*",
18+
"logs-crowdstrike.fdr*",
1819
]
1920
language = "eql"
2021
license = "Elastic License v2"
@@ -68,6 +69,7 @@ tags = [
6869
"Data Source: Sysmon",
6970
"Data Source: Microsoft Defender for Endpoint",
7071
"Data Source: SentinelOne",
72+
"Data Source: Crowdstrike",
7173
"Resources: Investigation Guide",
7274
]
7375
timestamp_override = "event.ingested"
@@ -76,12 +78,16 @@ type = "eql"
7678
query = '''
7779
file where host.os.type == "windows" and event.type != "deletion" and
7880
file.extension : ("wll","xll","ppa","ppam","xla","xlam") and
79-
file.path :
80-
(
81+
file.path : (
8182
"C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*",
8283
"C:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*",
83-
"C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*"
84-
)
84+
"C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*",
85+
86+
/* Crowdstrike specific condition as it uses NT Object paths */
87+
"\\Device\\HarddiskVolume?\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*",
88+
"\\Device\\HarddiskVolume?\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*",
89+
"\\Device\\HarddiskVolume?\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*"
90+
)
8591
'''
8692

8793

rules/windows/persistence_ms_outlook_vba_template.toml

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,8 @@
11
[metadata]
22
creation_date = "2020/11/23"
3-
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
3+
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
44
maturity = "production"
5-
updated_date = "2025/03/20"
5+
updated_date = "2025/08/26"
66

77
[rule]
88
author = ["Elastic"]
@@ -16,6 +16,7 @@ index = [
1616
"endgame-*",
1717
"logs-m365_defender.event-*",
1818
"logs-sentinel_one_cloud_funnel.*",
19+
"logs-crowdstrike.fdr*",
1920
]
2021
language = "eql"
2122
license = "Elastic License v2"
@@ -73,14 +74,16 @@ tags = [
7374
"Data Source: Sysmon",
7475
"Data Source: Microsoft Defender for Endpoint",
7576
"Data Source: SentinelOne",
77+
"Data Source: Crowdstrike",
7678
"Resources: Investigation Guide",
7779
]
7880
timestamp_override = "event.ingested"
7981
type = "eql"
8082

8183
query = '''
8284
file where host.os.type == "windows" and event.type != "deletion" and
83-
file.path : "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM"
85+
file.name : "VbaProject.OTM" and
86+
file.path : "*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM"
8487
'''
8588

8689

rules/windows/persistence_msoffice_startup_registry.toml

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,8 @@
11
[metadata]
22
creation_date = "2023/08/22"
3-
integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel"]
3+
integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "windows"]
44
maturity = "production"
5-
updated_date = "2025/03/20"
5+
updated_date = "2025/08/26"
66

77
[rule]
88
author = ["Elastic"]
@@ -17,6 +17,8 @@ index = [
1717
"logs-m365_defender.event-*",
1818
"endgame-*",
1919
"logs-sentinel_one_cloud_funnel.*",
20+
"logs-crowdstrike.fdr*",
21+
"logs-windows.sysmon_operational-*",
2022
]
2123
language = "eql"
2224
license = "Elastic License v2"
@@ -71,6 +73,8 @@ tags = [
7173
"Data Source: Elastic Endgame",
7274
"Data Source: Microsoft Defender for Endpoint",
7375
"Data Source: SentinelOne",
76+
"Data Source: Crowdstrike",
77+
"Data Source: Sysmon",
7478
"Resources: Investigation Guide",
7579
]
7680
timestamp_override = "event.ingested"

rules/windows/persistence_netsh_helper_dll.toml

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,8 @@
11
[metadata]
22
creation_date = "2023/08/29"
3-
integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
3+
integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "crowdstrike"]
44
maturity = "production"
5-
updated_date = "2025/03/20"
5+
updated_date = "2025/08/26"
66

77
[rule]
88
author = ["Elastic"]
@@ -18,6 +18,7 @@ index = [
1818
"logs-m365_defender.event-*",
1919
"logs-sentinel_one_cloud_funnel.*",
2020
"logs-windows.sysmon_operational-*",
21+
"logs-crowdstrike.fdr*",
2122
]
2223
language = "eql"
2324
license = "Elastic License v2"
@@ -68,6 +69,7 @@ tags = [
6869
"Data Source: Microsoft Defender for Endpoint",
6970
"Data Source: SentinelOne",
7071
"Data Source: Sysmon",
72+
"Data Source: Crowdstrike",
7173
"Resources: Investigation Guide",
7274
]
7375
timestamp_override = "event.ingested"

rules/windows/persistence_powershell_profiles.toml

Lines changed: 8 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,8 @@
11
[metadata]
22
creation_date = "2022/10/13"
3-
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
3+
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
44
maturity = "production"
5-
updated_date = "2025/03/20"
5+
updated_date = "2025/08/26"
66

77
[transform]
88
[[transform.osquery]]
@@ -45,6 +45,7 @@ index = [
4545
"endgame-*",
4646
"logs-m365_defender.event-*",
4747
"logs-sentinel_one_cloud_funnel.*",
48+
"logs-crowdstrike.fdr*",
4849
]
4950
language = "eql"
5051
license = "Elastic License v2"
@@ -120,17 +121,18 @@ tags = [
120121
"Data Source: Sysmon",
121122
"Data Source: Microsoft Defender for Endpoint",
122123
"Data Source: SentinelOne",
124+
"Data Source: Crowdstrike",
123125
"Resources: Investigation Guide",
124126
]
125127
timestamp_override = "event.ingested"
126128
type = "eql"
127129

128130
query = '''
129131
file where host.os.type == "windows" and event.type != "deletion" and
130-
file.path : ("?:\\Users\\*\\Documents\\WindowsPowerShell\\*",
131-
"?:\\Users\\*\\Documents\\PowerShell\\*",
132-
"?:\\Windows\\System32\\WindowsPowerShell\\*") and
133-
file.name : ("profile.ps1", "Microsoft.Powershell_profile.ps1")
132+
file.name : ("profile.ps1", "Microsoft.Powershell_profile.ps1") and
133+
file.path : ("*\\Documents\\WindowsPowerShell\\*",
134+
"*\\Documents\\PowerShell\\*",
135+
"*\\Windows\\System32\\WindowsPowerShell\\*")
134136
'''
135137

136138

0 commit comments

Comments
 (0)