Batch 2

Author: Aegrah

rules/linux/command_and_control_aws_cli_endpoint_url_used.toml

@@ -1,16 +1,16 @@
 [metadata]
 creation_date = "2024/08/21"
-integration = ["endpoint"]
+integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
 description = """
 Detects the use of the AWS CLI with the `--endpoint-url` argument, which allows users to specify a custom endpoint URL for AWS services. This can be leveraged by adversaries to redirect API requests to non-standard or malicious endpoints, potentially bypassing typical security controls and logging mechanisms. This behavior may indicate an attempt to interact with unauthorized or compromised infrastructure, exfiltrate data, or perform other malicious activities under the guise of legitimate AWS operations.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*"]
+index = ["logs-endpoint.events.process-*", "logs-crowdstrike.fdr*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS CLI Command with Custom Endpoint URL"
@@ -21,12 +21,13 @@ risk_score = 47
 rule_id = "349276c0-5fcf-11ef-b1a9-f661ea17fbce"
 severity = "medium"
 tags = [
-    "Data Source: Elastic Defend",
-    "Domain: Endpoint",
-    "OS: Linux",
-    "Use Case: Threat Detection",
-    "Tactic: Command and Control",
-    "Resources: Investigation Guide",
+  "Data Source: Elastic Defend",
+  "Domain: Endpoint",
+  "OS: Linux",
+  "Use Case: Threat Detection",
+  "Tactic: Command and Control",
+  "Resources: Investigation Guide",
+  "Data Source: Crowdstrike",
 ]
 type = "new_terms"
 timestamp_override = "event.ingested"

rules/linux/defense_evasion_ld_preload_cmdline.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/04/30"
-integration = ["endpoint"]
+integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/07/07"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ This behavior is unusual and may indicate an attempt to hijack the execution flo
 this technique to evade defenses, escalate privileges, or maintain persistence on a system.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*"]
+index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments"
@@ -80,18 +80,19 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "low"
 tags = [
-    "Domain: Endpoint",
-    "OS: Linux",
-    "Use Case: Threat Detection",
-    "Tactic: Defense Evasion",
-    "Tactic: Persistence",
-    "Data Source: Elastic Defend",
-    "Resources: Investigation Guide",
+  "Domain: Endpoint",
+  "OS: Linux",
+  "Use Case: Threat Detection",
+  "Tactic: Defense Evasion",
+  "Tactic: Persistence",
+  "Data Source: Elastic Defend",
+  "Resources: Investigation Guide",
+  "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-host.os.type:linux and event.category:process and event.type:start and event.action:exec and
+host.os.type:linux and event.category:process and event.type:start and event.action:(exec or ProcessRollup2) and
 process.parent.name:(* and not (
   awk or bwrap or cylancesvc or dbus-run-session or java or julia or make or matlab_helper or ninja or noproc_sandbox or
   nxrunner or nxserver or perl or rear or sapcontrol or setsid or spoold or sshd or steam or su or sudo or titanagent or

rules/linux/discovery_virtual_machine_fingerprinting.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/04/27"
-integration = ["endpoint"]
+integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Virtual Machine Fingerprinting"
@@ -63,13 +63,14 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 """
 severity = "high"
 tags = [
-    "Domain: Endpoint",
-    "OS: Linux",
-    "Use Case: Threat Detection",
-    "Tactic: Discovery",
-    "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend",
-    "Resources: Investigation Guide",
+  "Domain: Endpoint",
+  "OS: Linux",
+  "Use Case: Threat Detection",
+  "Tactic: Discovery",
+  "Data Source: Elastic Endgame",
+  "Data Source: Elastic Defend",
+  "Resources: Investigation Guide",
+  "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "query"

rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2024/09/27"
-integration = ["endpoint"]
+integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ through crafted UDP packets or network spoofing. This can result in arbitrary co
 initiated.
 """
 from = "now-9m"
-index = ["endgame-*", "logs-endpoint.events.process*"]
+index = ["endgame-*", "logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Printer User (lp) Shell Execution"
@@ -99,20 +99,21 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "high"
 tags = [
-    "Domain: Endpoint",
-    "OS: Linux",
-    "Use Case: Threat Detection",
-    "Use Case: Vulnerability",
-    "Tactic: Execution",
-    "Data Source: Elastic Defend",
-    "Data Source: Elastic Endgame",
-    "Resources: Investigation Guide",
+  "Domain: Endpoint",
+  "OS: Linux",
+  "Use Case: Threat Detection",
+  "Use Case: Vulnerability",
+  "Tactic: Execution",
+  "Data Source: Elastic Defend",
+  "Data Source: Elastic Endgame",
+  "Resources: Investigation Guide",
+  "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and
-  event.action in ("exec", "exec_event") and user.name == "lp" and
+  event.action in ("exec", "exec_event", "ProcessRollup2") and user.name == "lp" and
   process.parent.name in ("cupsd", "foomatic-rip", "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
   process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and not (
     process.command_line like (

rules/linux/execution_perl_tty_shell.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/04/16"
-integration = ["endpoint"]
+integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a si
 interactive tty after obtaining initial access to a host.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Interactive Terminal Spawned via Perl"
@@ -56,13 +56,14 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 """
 severity = "high"
 tags = [
-    "Domain: Endpoint",
-    "OS: Linux",
-    "Use Case: Threat Detection",
-    "Tactic: Execution",
-    "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend",
-    "Resources: Investigation Guide",
+  "Domain: Endpoint",
+  "OS: Linux",
+  "Use Case: Threat Detection",
+  "Tactic: Execution",
+  "Data Source: Elastic Endgame",
+  "Data Source: Elastic Defend",
+  "Resources: Investigation Guide",
+  "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "query"

rules/linux/execution_suspicious_mkfifo_execution.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/04/30"
-integration = ["endpoint"]
+integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/07/07"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ rule type, this rule can identify uncommon process command lines that may indica
 named pipe.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*"]
+index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Suspicious Named Pipe Creation"
@@ -81,18 +81,19 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "low"
 tags = [
-    "Domain: Endpoint",
-    "OS: Linux",
-    "Use Case: Threat Detection",
-    "Tactic: Execution",
-    "Tactic: Command and Control",
-    "Data Source: Elastic Defend",
-    "Resources: Investigation Guide",
+  "Domain: Endpoint",
+  "OS: Linux",
+  "Use Case: Threat Detection",
+  "Tactic: Execution",
+  "Tactic: Command and Control",
+  "Data Source: Elastic Defend",
+  "Resources: Investigation Guide",
+  "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:mkfifo and
+host.os.type:linux and event.category:process and event.type:start and event.action:(exec or ProcessRollup2) and process.name:mkfifo and
 process.parent.name:(bash or csh or dash or fish or ksh or sh or tcsh or zsh) and
 process.args:((/dev/shm/* or /tmp/* or /var/tmp/*) and not /*fifo*)
 '''

rules/linux/execution_unusual_kthreadd_execution.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/04/30"
-integration = ["endpoint"]
+integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/07/07"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ kernel space via kthreadd to perform actions on the host and evade detection. Th
 rule can identify uncommon child processes that may indicate the presence of a malicious process.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*"]
+index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Unusual Execution from Kernel Thread (kthreadd) Parent"
@@ -82,17 +82,18 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
-    "Domain: Endpoint",
-    "OS: Linux",
-    "Use Case: Threat Detection",
-    "Tactic: Execution",
-    "Data Source: Elastic Defend",
-    "Resources: Investigation Guide",
+  "Domain: Endpoint",
+  "OS: Linux",
+  "Use Case: Threat Detection",
+  "Tactic: Execution",
+  "Data Source: Elastic Defend",
+  "Resources: Investigation Guide",
+  "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.parent.name:kthreadd and (
+host.os.type:linux and event.category:process and event.type:start and event.action:(exec or ProcessRollup2) and process.parent.name:kthreadd and (
   process.executable:(/dev/shm/* or /tmp/* or /var/tmp/* or /var/www/*) or
   process.name:(bash or csh or curl or dash or fish or id or ksh or nohup or setsid or sh or tcsh or wget or whoami or zsh)
 ) and

rules/linux/impact_process_kill_threshold.toml

@@ -1,14 +1,14 @@
 [metadata]
 creation_date = "2022/07/27"
-integration = ["endpoint", "auditd_manager"]
+integration = ["endpoint", "auditd_manager", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
 description = "This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.\n"
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "High Number of Process Terminations"
@@ -74,14 +74,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
-    "Domain: Endpoint",
-    "OS: Linux",
-    "Use Case: Threat Detection",
-    "Tactic: Impact",
-    "Resources: Investigation Guide",
-    "Data Source: Elastic Endgame",
-    "Data Source: Elastic Defend",
-    "Data Source: Auditd Manager",
+  "Domain: Endpoint",
+  "OS: Linux",
+  "Use Case: Threat Detection",
+  "Tactic: Impact",
+  "Resources: Investigation Guide",
+  "Data Source: Elastic Endgame",
+  "Data Source: Elastic Defend",
+  "Data Source: Auditd Manager",
+  "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "threshold"