Merge branch 'main' into 4977-bug-rule-toml-write-formatting-wrongly-formats-x

Author: eric-forte-elastic

rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml

@@ -0,0 +1,130 @@
+[metadata]
+creation_date = "2025/06/30"
+integration = ["endpoint", "system", "windows", "auditd_manager", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"]
+maturity = "production"
+updated_date = "2025/06/30"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies process execution events where the command line value contains a long sequence of whitespace characters or
+multiple occurrences of contiguous whitespace. Attackers may attempt to evade signature-based detections by padding
+their malicious command with unnecessary whitespace characters. These observations should be investigated for malicious
+behavior.
+"""
+from = "now-9m"
+language = "esql"
+license = "Elastic License v2"
+name = "Command Line Obfuscation via Whitespace Padding"
+note = """## Triage and analysis
+
+### Investigating Command Line Obfuscation via Whitespace Padding
+
+This rule identifies process execution events where the command line value contains a long sequence of whitespace
+characters or multiple occurrences of contiguous whitespace. Attackers may attempt to evade signature-based detections
+by padding their malicious command with unnecessary whitespace characters.
+
+#### Possible investigation steps
+
+- Analyze the command line of the process in question for evidence of malicious code execution.
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
+for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file
+modifications, and any spawned child processes.
+- Retrieve the process executable and determine if it is malicious:
+  - Use a private sandboxed malware analysis system to perform analysis.
+    - Observe and collect information about the following activities:
+      - Attempts to contact external domains and addresses.
+      - File and registry access, modification, and creation activities.
+      - Service creation and launch activities.
+      - Scheduled tasks creation.
+  - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
+    - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+
+### False positive analysis
+
+- Alerts derived from this rule are not inherently malicious. Analysts can dismiss the alert if they don't find enough
+evidence of further suspicious activity.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+  - Implement temporary network rules, procedures, and segmentation to contain the malware.
+  - Stop suspicious processes.
+  - Immediately block the identified indicators of compromise (IoCs).
+  - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
+  attackers could use to reinfect the system.
+- Remove the malicious certificate from the root certificate store.
+- Remove and block malicious artifacts identified during triage.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
+malware components.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
+identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
+systems, and web services.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
+mean time to respond (MTTR).
+"""
+risk_score = 47
+rule_id = "5a876e0d-d39a-49b9-8ad8-19c9b622203b"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "OS: macOS",
+    "OS: Linux",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Tactic: Execution",
+    "Resources: Investigation Guide"
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+FROM logs-* metadata _id, _version, _index 
+| where event.category == "process" and event.type == "start" and event.action != "fork"
+// more than 100 spaces in process.command_line
+| eval multi_spaces = LOCATE(process.command_line, space(100)) 
+| where multi_spaces > 0 
+| keep user.name, host.id, host.name, process.command_line, process.executable, process.parent.executable
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
+
+[[rule.threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"

rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml

@@ -2,15 +2,16 @@
 creation_date = "2025/05/08"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/07/31"
+
 
 [rule]
 author = ["Elastic"]
 description = """
 Identifies potential session hijacking or token replay in Microsoft Entra ID. This rule detects cases where a user signs
-in and subsequently accesses Microsoft Graph from a different IP address using the same session ID within a short time
-window. This may indicate the use of a stolen refresh/access token or session cookie to impersonate the user and
-interact with Microsoft services.
+in and subsequently accesses Microsoft Graph from a different IP address using the same session ID. This may indicate a
+successful OAuth phishing attack, session hijacking, or token replay attack, where an adversary has stolen a session
+cookie or refresh/access token and is impersonating the user from an alternate host or location.
 """
 false_positives = [
     """
@@ -20,40 +21,39 @@ false_positives = [
     are involved.
     """,
 ]
-from = "now-1h"
+from = "now-31m"
+interval = "30m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft Entra ID Session Reuse with Suspicious Graph Access"
+name = "Microsoft Entra ID Suspicious Session Reuse to Graph Access"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID Session Reuse with Suspicious Graph Access
+### Investigating Microsoft Entra ID Suspicious Session Reuse to Graph Access
 
-This rule identifies when Microsoft Graph is accessed from a different IP than the one used for the original sign-in,
-but using the same session ID within 5 minutes. This may suggest an adversary has stolen a session cookie or refresh/access
-token and is impersonating the user from an alternate host or location.
+Identifies potential session hijacking or token replay in Microsoft Entra ID. This rule detects cases where a user signs in and subsequently accesses Microsoft Graph from a different IP address using the same session ID. This may indicate a successful OAuth phishing attack, session hijacking, or token replay attack, where an adversary has stolen a session cookie or refresh/access token and is impersonating the user from an alternate host or location.
 
 This rule uses ESQL aggregations and thus has dynamically generated fields. Correlation of the values in the alert document may need to be
 performed to the original sign-in and Graph events for further context.
 
 ### Investigation Steps
 
-- Review the `user_id`, `session_id`, and `source_ip_list`. Confirm whether both IPs belong to the same user and geography.
-- Check for inconsistencies in `client_id_list` (e.g., unknown apps) or user agents across correlated events.
-- Investigate recent phishing reports or device infections for the `user_id`.
-- Pivot to Entra ID `auditlogs` to see if a device was registered or privileges were modified.
-- Review `graph_time` to determine what action was taken after the sign-in.
-- Use the `session_id` to correlate with other logs in the same time window to identify any additional suspicious activity.
+- This rule relies on an aggregation-based ESQL query, therefore the alert document will contain dynamically generated fields.
+    - To pivot into the original events, it is recommended to use the values captured to filter in timeline or discovery for the original sign-in and Graph events.
+- Review the session ID and user ID to identify the user account involved in the suspicious activity.
+- Check the source addresses involved in the sign-in and Graph access to determine if they are known or expected locations for the user.
+    - The sign-in source addresses should be two, one for the initial phishing sign-in and the other when exchanging the auth code for a token by the adversary.
+    - The Graph API source address should identify the IP address used by the adversary to access Microsoft Graph.
+- Review the user agent strings for the sign-in and Graph access events to identify any anomalies or indicators of compromise.
+- Check the timestamp difference between the sign-in and Graph access events to determine if they occurred within a reasonable time frame that would suggest successful phishing to token issuance and then Graph access.
+- Identify the original sign-in event to investigation if conditional access policies were applied, such as requiring multi-factor authentication or blocking access from risky locations. In phishing scenarios, these policies likely were applied as the victim user would have been prompted to authenticate.
 
 ### False Positive Analysis
-- This pattern may occur if the user is switching between networks (e.g., corporate to mobile) or using a VPN.
-- Developers or power users leveraging multiple environments may also trigger this detection if session persistence spans IP ranges.
-- However, this behavior is rare and warrants investigation when rapid IP switching and Graph access are involved.
-- If the user is a developer or automation engineer, validate if this behavior was for testing purposes.
-- If the user is a system administrator, validate if this behavior was for administrative purposes.
+- This pattern may occur during legitimate device switching or roaming between networks (e.g., corporate to mobile).
+- Developers or power users leveraging multiple environments may also trigger this detection if session persistence spans IP ranges. Still, this behavior is rare and warrants investigation when rapid IP switching and Graph access are involved.
 
 ### Response Recommendations
 
-- If confirmed malicious, revoke all refresh/access tokens for the `user_id`.
+- If confirmed malicious, revoke all refresh/access tokens for the user principal.
 - Block the source IP(s) involved in the Graph access.
 - Notify the user and reset credentials.
 - Review session control policies and conditional access enforcement.
@@ -65,14 +65,16 @@ references = [
     "https://github.com/dirkjanm/ROADtools",
     "https://attack.mitre.org/techniques/T1078/004/",
 ]
-risk_score = 73
+risk_score = 47
 rule_id = "0d3d2254-2b4a-11f0-a019-f661ea17fbcc"
 setup = """#### Required Microsoft Entra ID Sign-In and Graph Activity Logs
 This rule requires the Microsoft Entra ID Sign-In Logs and Microsoft Graph Activity Logs integration to be enabled and configured to collect audit and activity logs via Azure Event Hub.
 """
-severity = "high"
+severity = "medium"
 tags = [
     "Domain: Cloud",
+    "Domain: Identity",
+    "Domain: API",
     "Data Source: Azure",
     "Data Source: Microsoft Entra ID",
     "Data Source: Microsoft Entra ID Sign-In Logs",
@@ -88,7 +90,7 @@ timestamp_override = "event.ingested"
 type = "esql"
 
 query = '''
-from logs-azure.*
+from logs-azure.signinlogs-*, logs-azure.graphactivitylogs-* metadata _id, _version, _index
 | where
     (event.dataset == "azure.signinlogs"
      and source.`as`.organization.name != "MICROSOFT-CORP-MSN-as-BLOCK"

rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2025/08/15"
 
 [rule]
 author = ["Elastic"]
@@ -33,11 +33,12 @@ This rule fires when an Okta user account has MFA deactivated and no subsequent
 
 #### Possible investigation steps:
 
-- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. This should give the username of the account being targeted.
-- Review `okta.target` or `user.target.full_name` fields to determine if deactivation was performed by a se parate user.
-- Using the `okta.actor.alternate_id` field, search  for MFA re-activation events where `okta.event_type` is `user.mfa.factor.activate`.
-- Review events where `okta.event_type` is `user.authenticate*` to determine if the user account had suspicious login activity.
+- Identify the entity related to the alert by reviewing `okta.target.alternate_id`, `okta.target.id` or `user.target.full_name` fields. This should give the username of the account being targeted. Verify if MFA is deactivated for the target entity.
+- Using the `okta.target.alternate_id` field, search for MFA re-activation events where `okta.event_type` is `user.mfa.factor.activate`. Note if MFA re-activation attempts were made against the target.
+- Identify the actor performing the deactivation by reviewing `okta.actor.alternate_id`, `okta.actor.id` or `user.full_name` fields. This should give the username of the account performing the action. Determine if deactivation was performed by a separate user. 
+- Review events where `okta.event_type` is `user.authenticate*` to determine if the actor or target accounts had suspicious login activity.
     - Geolocation details found in `client.geo*` related fields may be useful in determining if the login activity was suspicious for this user.
+- Examine related administrative activity by the actor for privilege misuse or suspicious changes.
 
 #### False positive steps:
 
@@ -75,7 +76,7 @@ tags = [
 type = "eql"
 
 query = '''
-sequence by okta.actor.id with maxspan=12h
+sequence by okta.target.id with maxspan=12h
     [any where event.dataset == "okta.system" and okta.event_type in ("user.mfa.factor.deactivate", "user.mfa.factor.reset_all")
         and okta.outcome.reason != "User reset SECURITY_QUESTION factor" and okta.outcome.result == "SUCCESS"]
     ![any where event.dataset == "okta.system" and okta.event_type == "user.mfa.factor.activate"]

rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/01/31"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/13"
 
 [rule]
 author = ["Elastic"]
@@ -89,7 +89,15 @@ registry where host.os.type == "windows" and event.type == "change" and
         "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging",
         "\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging",
         "MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging"
-    ) and registry.data.strings : ("0", "0x00000000")
+    ) and registry.data.strings : ("0", "0x00000000") and
+    not (
+        process.executable : (
+          "?:\\Windows\\System32\\svchost.exe",
+          "?:\\Windows\\System32\\DeviceEnroller.exe",
+          "?:\\Windows\\system32\\omadmclient.exe",
+          "?:\\Program Files (x86)\\N-able Technologies\\AutomationManagerAgent\\AutomationManager.AgentService.exe"
+        ) and user.id == "S-1-5-18"
+    )
 '''
 
 

rules/windows/defense_evasion_posh_obfuscation_backtick.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/08/14"
 
 [rule]
 author = ["Elastic"]
@@ -107,6 +107,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     powershell.file.script_block_text,
     powershell.file.script_block_id,
     file.name,
+    file.directory,
     file.path,
     powershell.sequence,
     powershell.total,
@@ -119,11 +120,16 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 // Filter for scripts that match the pattern at least 10 times
 | where Esql.script_block_pattern_count >= 10
 
-// Filter FPs, and due to the behavior of the like operator, allow null values
-| where (file.name not like "TSS_*.psm1" or file.name is null)
+| where file.name not like "TSS_*.psm1"
+  // ESQL requires this condition, otherwise it only returns matches where file.name exists.
+  or file.name is null
 
 // VSCode Shell integration
 | where not powershell.file.script_block_text like "*$([char]0x1b)]633*"
+
+| where not file.directory == "C:\\Program Files\\MVPSI\\JAMS\\Agent\\Temp"
+  // ESQL requires this condition, otherwise it only returns matches where file.directory exists.
+  or file.directory is null
 '''
 
 

rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/08/14"
 
 [rule]
 author = ["Elastic"]
@@ -108,6 +108,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_tmp,
     powershell.file.script_block_text,
     powershell.file.script_block_id,
+    file.directory,
     file.path,
     powershell.sequence,
     powershell.total,
@@ -120,8 +121,15 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 // Filter for scripts with high numeric character ratio
 | where Esql.script_block_ratio > 0.30
 
-// Exclude noisy patterns such as 64-character hash lists
-| where not powershell.file.script_block_text rlike """.*\"[a-fA-F0-9]{64}\"\,.*"""
+// Exclude Windows Defender Noisy Patterns
+| where not (
+    file.directory == "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads" or
+    file.directory like "C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection*"
+  )
+  // ESQL requires this condition, otherwise it only returns matches where file.directory exists.
+  or file.directory is null
+| where not powershell.file.script_block_text like "*[System.IO.File]::Open('C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection*"
+| where not powershell.file.script_block_text : "26a24ae4-039d-4ca4-87b4-2f64180311f0"
 '''
 
 

rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/08/14"
 
 [rule]
 author = ["Elastic"]
@@ -50,7 +50,7 @@ PowerShell's Invoke-Expression (IEX) command is a powerful tool for executing st
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement additional monitoring for unusual PowerShell activity and environment variable manipulations to enhance detection of similar threats in the future.
 """
-risk_score = 21
+risk_score = 47
 rule_id = "b0c98cfb-0745-4513-b6f9-08dddb033490"
 setup = """## Setup
 
@@ -70,7 +70,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-severity = "low"
+severity = "medium"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",