elastic
diff --git a/‎detection_rules/etc/non-ecs-schema.json‎
Lines changed: 2 additions & 1 deletion b/‎detection_rules/etc/non-ecs-schema.json‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎rules/integrations/aws/impact_iam_deactivate_mfa_device.toml‎
Lines changed: 17 additions & 1 deletion b/‎rules/integrations/aws/impact_iam_deactivate_mfa_device.toml‎
Lines changed: 17 additions & 1 deletion
diff --git a/‎rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml‎
Lines changed: 106 additions & 0 deletions b/‎rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml‎
Lines changed: 106 additions & 0 deletions
diff --git a/‎rules/windows/collection_winrar_encryption.toml‎
Lines changed: 19 additions & 5 deletions b/‎rules/windows/collection_winrar_encryption.toml‎
Lines changed: 19 additions & 5 deletions
diff --git a/‎rules/windows/command_and_control_certreq_postdata.toml‎
Lines changed: 4 additions & 2 deletions b/‎rules/windows/command_and_control_certreq_postdata.toml‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml‎
Lines changed: 4 additions & 3 deletions b/‎rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml‎
Lines changed: 4 additions & 3 deletions b/‎rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml‎
Lines changed: 4 additions & 2 deletions b/‎rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎rules/windows/credential_access_dump_registry_hives.toml‎
Lines changed: 4 additions & 2 deletions b/‎rules/windows/credential_access_dump_registry_hives.toml‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎rules/windows/credential_access_iis_connectionstrings_dumping.toml‎
Lines changed: 4 additions & 2 deletions b/‎rules/windows/credential_access_iis_connectionstrings_dumping.toml‎
Lines changed: 4 additions & 2 deletions
@@ -150,7 +150,8 @@
   "logs-aws.cloudtrail-*": {
     "aws.cloudtrail.flattened.request_parameters.cidrIp": "keyword",
     "aws.cloudtrail.flattened.request_parameters.fromPort": "keyword",
-    "aws.cloudtrail.flattened.request_parameters.roleArn": "keyword"
+    "aws.cloudtrail.flattened.request_parameters.roleArn": "keyword",
+    "aws.cloudtrail.flattened.request_parameters.serialNumber": "keyword"
   },
   "logs-azure.signinlogs-*": {
     "azure.signinlogs.properties.conditional_access_audiences.application_id": "keyword"
 
@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/25"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -80,6 +80,7 @@ tags = [
     "Data Source: AWS IAM",
     "Resources: Investigation Guide",
     "Tactic: Impact",
+    "Tactic: Persistence",
 ]
 timestamp_override = "event.ingested"
 type = "query"
@@ -101,4 +102,19 @@ reference = "https://attack.mitre.org/techniques/T1531/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+[[rule.threat.technique.subtechnique]]
+id = "T1556.006"
+name = "Multi-Factor Authentication"
+reference = "https://attack.mitre.org/techniques/T1556/006/"
 
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
@@ -0,0 +1,106 @@
+[metadata]
+creation_date = "2024/10/25"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2024/10/25"
+
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when a user has assumed a role using a new MFA device. Users can assume a role to obtain temporary credentials and access AWS resources using the AssumeRole API of AWS Security Token Service (STS). 
+While a new MFA device is not always indicative of malicious behavior it should be verified as adversaries can use this technique for persistence and privilege escalation.
+"""
+false_positives = [
+    "AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes and to perform periodic tasks such as data backups, updates, or deployments.",
+]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS STS AssumeRole with New MFA Device"
+note = """## Setup
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = [
+    "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html",
+    "https://github.com/RhinoSecurityLabs/cloudgoat/blob/d5863b80afd082d853f2e8df1955c6393695a4da/scenarios/iam_privesc_by_key_rotation/README.md",
+]
+risk_score = 21
+rule_id = "a22f566b-5b23-4412-880d-c6c957acd321"
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Data Source: AWS STS",
+    "Use Case: Identity and Access Audit",
+    "Tactic: Privilege Escalation",
+    "Tactic: Persistence",
+    "Tactic: Lateral Movement",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset:aws.cloudtrail
+    and event.provider:sts.amazonaws.com
+    and event.action:(AssumeRole or AssumeRoleWithSAML or AssumeRoleWithWebIdentity)
+    and event.outcome:success
+    and user.id:* 
+    and aws.cloudtrail.flattened.request_parameters.serialNumber:*
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+[[rule.threat.technique.subtechnique]]
+id = "T1556.006"
+name = "Multi-Factor Authentication"
+reference = "https://attack.mitre.org/techniques/T1556/006/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["user.id", "aws.cloudtrail.flattened.request_parameters.serialNumber"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-10d"
+
+
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/12/04"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/11/02"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -13,7 +13,14 @@ Identifies use of WinRar or 7z to create an encrypted files. Adversaries will of
 preparation for exfiltration.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
+index = [
+  "logs-endpoint.events.process-*",
+  "winlogbeat-*",
+  "logs-windows.sysmon_operational-*",
+  "endgame-*",
+  "logs-m365_defender.event-*",
+  "logs-sentinel_one_cloud_funnel.*"
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Encrypting Files with WinRar or 7z"
@@ -72,6 +79,9 @@ tags = [
     "Resources: Investigation Guide",
     "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: SentinelOne"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -87,15 +97,19 @@ process where host.os.type == "windows" and event.type == "start" and
     process.args == "a" and process.args : ("-hp*", "-p*", "/hp*", "/p*")
   ) or
   (
-    ?process.pe.original_file_name in ("7z.exe", "7za.exe") and
+    (process.name : ("7z.exe", "7za.exe") or ?process.pe.original_file_name in ("7z.exe", "7za.exe")) and
     process.args == "a" and process.args : "-p*"
   )
 ) and
   not process.parent.executable : (
         "C:\\Program Files\\*.exe",
         "C:\\Program Files (x86)\\*.exe",
         "?:\\ManageEngine\\*\\jre\\bin\\java.exe",
-        "?:\\Nox\\bin\\Nox.exe"
+        "?:\\Nox\\bin\\Nox.exe",
+        "\\Device\\HarddiskVolume?\\Program Files\\*.exe",
+        "\\Device\\HarddiskVolume?\\Program Files (x86)\\*.exe",
+        "\\Device\\HarddiskVolume?\\ManageEngine\\*\\jre\\bin\\java.exe",
+        "\\Device\\HarddiskVolume?\\Nox\\bin\\Nox.exe"
       )
 '''
 
 
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/01/13"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/11/02"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -48,6 +48,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -122,6 +123,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/09/03"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/11/02"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -70,7 +70,7 @@ Identifies the desktopimgdownldr utility being used to download a remote file. A
 download arbitrary files as an alternative to certutil.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "logs-crowdstrike.fdr*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote File Download via Desktopimgdownldr Utility"
@@ -148,6 +148,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: SentinelOne",
     "Data Source: Sysmon",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/09/03"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/11/02"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -67,7 +67,7 @@ providers = [
 author = ["Elastic"]
 description = "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "logs-crowdstrike.fdr*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote File Download via MpCmdRun"
@@ -146,6 +146,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/24"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/11/02"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -48,6 +48,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -129,6 +130,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: SentinelOne",
     "Data Source: Sysmon",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/23"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/11/02"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -19,6 +19,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -81,6 +82,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: SentinelOne",
     "Data Source: Sysmon",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/08/18"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/11/02"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -23,6 +23,7 @@ index = [
     "logs-system.security*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -46,6 +47,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"