Merge branch 'main' into forti-endpoint

Author: Samirbous

rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml

@@ -2,11 +2,16 @@
 creation_date = "2021/07/19"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/18"
 
 [rule]
 author = ["Austin Songer"]
-description = "Identifies when an ElastiCache security group has been created."
+description = """
+Identifies when an ElastiCache security group has been created. Amazon EC2-Classic and ElastiCache CacheSecurityGroups
+have been retired. Modern ElastiCache deployments run in a VPC and use standard EC2 security groups instead. This rule
+should be retained only for historical log analysis on legacy CloudTrail data. We recommend relying on "AWS EC2 Security
+Group Configuration Change" rule for network-control changes impacting ElastiCache in VPC-based deployments.
+"""
 false_positives = [
     """
     A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity,
@@ -20,13 +25,13 @@ index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
-name = "AWS ElastiCache Security Group Created"
+name = "Deprecated - AWS ElastiCache Security Group Created"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating AWS ElastiCache Security Group Created
+### Investigating Deprecated - AWS ElastiCache Security Group Created
 
 AWS ElastiCache security groups control access to cache clusters, ensuring only authorized traffic can interact with them. Adversaries might create new security groups to bypass existing restrictions, facilitating unauthorized access or data exfiltration. The detection rule monitors for successful creation events of these groups, signaling potential defense evasion tactics by identifying unusual or unauthorized configurations.
 
@@ -66,7 +71,13 @@ references = [
 risk_score = 21
 rule_id = "7b3da11a-60a2-412e-8aa7-011e1eb9ed47"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Tactic: Defense Evasion",
+    "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml

@@ -2,11 +2,17 @@
 creation_date = "2021/07/19"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/18"
 
 [rule]
 author = ["Austin Songer"]
-description = "Identifies when an ElastiCache security group has been modified or deleted."
+description = """
+Identifies when an ElastiCache security group has been modified or deleted. Amazon EC2-Classic and ElastiCache
+CacheSecurityGroups have been retired. Modern ElastiCache deployments run in a VPC and use standard EC2 security groups
+instead. This rule should be retained only for historical log analysis on legacy CloudTrail data. We recommend relying
+on "AWS EC2 Security Group Configuration Change" rule for network-control changes impacting ElastiCache in VPC-based
+deployments.
+"""
 false_positives = [
     """
     A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user
@@ -20,13 +26,13 @@ index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
-name = "AWS ElastiCache Security Group Modified or Deleted"
+name = "Deprecated - AWS ElastiCache Security Group Modified or Deleted"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating AWS ElastiCache Security Group Modified or Deleted
+### Investigating Deprecated - AWS ElastiCache Security Group Modified or Deleted
 
 AWS ElastiCache security groups control inbound and outbound traffic to cache clusters, ensuring only authorized access. Adversaries may modify or delete these groups to bypass security controls, facilitating unauthorized data access or exfiltration. The detection rule monitors specific API actions related to security group changes, flagging successful modifications or deletions as potential defense evasion attempts.
 
@@ -64,7 +70,13 @@ references = ["https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference
 risk_score = 21
 rule_id = "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Tactic: Defense Evasion",
+    "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/windows/defense_evasion_masquerading_as_svchost.toml

@@ -0,0 +1,96 @@
+[metadata]
+creation_date = "2025/11/12"
+integration = ["windows"]
+maturity = "production"
+updated_date = "2025/11/12"
+min_stack_version = "9.1.0"
+min_stack_comments = "The esql match operator was introduced in version 9.1.0"
+
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies attempts to masquerade as the Service Host process `svchost.exe` to evade detection and blend in with normal system activity.
+"""
+from = "now-9m"
+interval = "8m"
+language = "esql"
+license = "Elastic License v2"
+name = "Potential Masquerading as Svchost"
+note = """ ## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential Masquerading as Svchost
+
+svchost.exe is a legitimate Windows system process responsible for hosting multiple Windows services. Adversaries may attempt to masquerade as svchost.exe to evade detection and blend in with normal system activity. This is often achieved by renaming a malicious executable to svchost.exe, placing it outside of standard Windows directories or running it with unusual parent processes or command-line arguments.
+
+### Possible investigation steps
+
+- Review the process.executable and process.parent.executable fields to confirm the location and unexpected parents..
+- Check the process.command_line field for unusual arguments. Legitimate svchost.exe instances typically use the -k parameter followed by a valid service group name.
+- Investigate the process.code_signature field to determine if the binary is signed by Microsoft. Unsigned or invalid signatures are strong indicators of masquerading.
+- Correlate the event with other telemetry from the same host to identify additional indicators such as file creation, network connections, or registry modifications related to the suspicious process.
+- Review related file creation events to determine how and when the fake svchost.exe was introduced to the system (e.g. dropped by another malware component or downloaded from the network).
+
+### False positive analysis
+
+- Some legitimate third-party applications may use executables named svchost.exe within their own installation paths. Verify the vendor, file hash, and digital signature to determine legitimacy.
+- In virtualized or sandboxed environments, custom service hosts may appear with similar naming conventions. Validate these against known baseline configurations.
+- Ensure that system recovery or diagnostic tools using temporary binaries are not misidentified as malicious. Review event timing and system logs to confirm.
+- Regularly maintain an inventory of known legitimate `svchost.exe` locations and hashes to minimize false positives across managed hosts.
+
+### Response and remediation
+
+- Isolate the affected host immediately to prevent lateral movement or further compromise.
+- Terminate any suspicious svchost.exe processes executing from non-standard locations.
+- Quarantine and remove the rogue binary after verification through hash reputation or sandbox analysis.
+- Perform a full system scan to identify additional malicious files or persistence mechanisms associated with the masqueraded process.
+- Review and reset any credentials used by the compromised process if credential theft or impersonation is suspected.
+- Analyze recent network activity from the affected host for potential data exfiltration or commandand-control communication.
+- Escalate the incident to the security operations or incident response team for deeper investigation and forensic analysis.
+- Implement detections to monitor for future attempts of process masquerading, and update security baselines and EDR exclusions accordingly.
+"""
+risk_score = 73
+rule_id = "32f95776-6498-4f3c-a90c-d4f6083e3901"
+severity = "high"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Resources: Investigation Guide"
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+FROM logs-* metadata _id, _version, _index
+| where event.category == "process" and event.type == "start" and
+  match(process.name, "svchost.exe", { "fuzziness": 1, "max_expansions": 10 }) and
+  not process.executable in ("C:\\Windows\\SysWOW64\\svchost.exe", "C:\\Windows\\System32\\svchost.exe") and
+  not process.executable like """\\Device\\HarddiskVolume*\\Windows\\System32\\svchost.exe""" and
+  not process.executable like """\\Device\\HarddiskVolume*\\Windows\\SysWOW64\\svchost.exe"""
+| keep event.dataset, host.name, host.id, user.id, user.name, process.executable, process.parent.executable, process.command_line
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.005"
+name = "Match Legitimate Resource Name or Location"
+reference = "https://attack.mitre.org/techniques/T1036/005/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+