elastic
diff --git a/‎rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml‎
Lines changed: 14 additions & 12 deletions b/‎rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml‎
Lines changed: 14 additions & 12 deletions
diff --git a/‎rules/cross-platform/command_and_control_non_standard_ssh_port.toml‎
Lines changed: 3 additions & 3 deletions b/‎rules/cross-platform/command_and_control_non_standard_ssh_port.toml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml‎
Lines changed: 52 additions & 44 deletions b/‎rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml‎
Lines changed: 52 additions & 44 deletions
diff --git a/‎rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml‎
Lines changed: 37 additions & 36 deletions b/‎rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml‎
Lines changed: 37 additions & 36 deletions
diff --git a/‎…sion_processes_with_trailing_spaces.toml‎ ‎…sion_processes_with_trailing_spaces.toml‎rules_building_block/defense_evasion_processes_with_trailing_spaces.toml renamed to rules/cross-platform/defense_evasion_processes_with_trailing_spaces.toml
Lines changed: 4 additions & 10 deletions b/‎…sion_processes_with_trailing_spaces.toml‎ ‎…sion_processes_with_trailing_spaces.toml‎rules_building_block/defense_evasion_processes_with_trailing_spaces.toml renamed to rules/cross-platform/defense_evasion_processes_with_trailing_spaces.toml
Lines changed: 4 additions & 10 deletions
@@ -2,7 +2,7 @@
 creation_date = "2025/09/18"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/11/26"
+updated_date = "2025/12/23"
 
 [rule]
 author = ["Elastic"]
@@ -105,17 +105,19 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 process where event.type == "start" and
- event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
- process.parent.name in ("node", "bun", "node.exe", "bun.exe") and (
-  (
-    process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "cmd.exe", "bash.exe", "powershell.exe") and
-    process.command_line like~ ("*curl*http*", "*wget*http*")
-  ) or 
-  (
-    process.name in ("curl", "wget", "curl.exe", "wget.exe")
-  )
-) and
- not process.command_line like ("*127.0.0.1*", "*localhost*")
+event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
+process.parent.name in ("node", "bun", "node.exe", "bun.exe") and (
+(
+  process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "cmd.exe", "bash.exe", "powershell.exe") and
+  process.command_line like~ ("*curl*http*", "*wget*http*")
+) or 
+(
+  process.name in ("curl", "wget", "curl.exe", "wget.exe")
+)
+) and not (
+  process.command_line like ("*127.0.0.1*", "*localhost*", "*/home/*/.claude/shell-snapshots/*", "*/root/.claude/shell-snapshots/snapshot*") or
+  process.parent.executable like ("/*/.cursor-server/*node", "/root/.nvm/*/node", "/*/.vscode-server/*/node", "/home/*/.nvm/*/node", "/home/*/cursor-agent/*/node") 
+)
 '''
 
 [[rule.threat]]
 
@@ -2,7 +2,7 @@
 creation_date = "2022/10/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/23"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ from = "now-9m"
 index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Potential Non-Standard Port SSH connection"
+name = "Deprecated - Potential Non-Standard Port SSH connection"
 references = ["https://attack.mitre.org/techniques/T1571/"]
 risk_score = 21
 rule_id = "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9"
@@ -62,7 +62,7 @@ note = """## Triage and analysis
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Potential Non-Standard Port SSH connection
+### Investigating Deprecated - Potential Non-Standard Port SSH connection
 
 SSH is a protocol used for secure remote access and management of systems. Typically, it operates over port 22. However, adversaries may exploit non-standard ports to evade detection and bypass network filters. The detection rule identifies unusual SSH activity by monitoring processes and network connections on ports other than 22, excluding common benign use cases, to flag potential threats.
 
 
@@ -2,7 +2,7 @@
 creation_date = "2020/05/04"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/23"
 
 [rule]
 author = ["Elastic"]
@@ -15,46 +15,6 @@ index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_mana
 language = "eql"
 license = "Elastic License v2"
 name = "Tampering of Shell Command-Line History"
-references = ["https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security"]
-risk_score = 47
-rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
-severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Linux",
-    "OS: macOS",
-    "Use Case: Threat Detection",
-    "Tactic: Defense Evasion",
-    "Data Source: Elastic Defend",
-    "Data Source: Elastic Endgame",
-    "Data Source: Auditd Manager",
-    "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and
- (
-  ((process.args : ("rm", "echo") or
-    (process.args : "ln" and process.args : "-sf" and process.args : "/dev/null") or
-    (process.args : "truncate" and process.args : "-s0"))
-    and process.args : (".bash_history", "/root/.bash_history", "/home/*/.bash_history","/Users/.bash_history", "/Users/*/.bash_history",
-                        ".zsh_history", "/root/.zsh_history", "/home/*/.zsh_history", "/Users/.zsh_history", "/Users/*/.zsh_history")) or
-  (process.args : "history" and process.args : "-c") or
-  (process.args : "export" and process.args : ("HISTFILE=/dev/null", "HISTFILESIZE=0")) or
-  (process.args : "unset" and process.args : "HISTFILE") or
-  (process.args : "set" and process.args : "history" and process.args : "+o")
- )
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -89,23 +49,71 @@ Shell command-line history is a crucial feature in Unix-like systems, recording
 - Implement stricter access controls and monitoring on the affected system to prevent unauthorized users from modifying shell history files in the future.
 - Escalate the incident to the security operations team for further investigation and to determine if additional systems may have been compromised.
 - Review and update endpoint detection and response (EDR) configurations to enhance monitoring for similar tampering attempts, ensuring alerts are generated for any future suspicious command patterns."""
+references = ["https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security"]
+risk_score = 47
+rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
+setup = """## Setup
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Defend",
+    "Data Source: Elastic Endgame",
+    "Data Source: Auditd Manager",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
 
+query = '''
+process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and
+(
+  (
+    (process.args : ("rm", "echo") or
+    (process.args : "ln" and process.args : "-sf" and process.args : "/dev/null") or
+    (process.args : "truncate" and process.args : "-s0")
+  )
+    and process.args : (
+      ".bash_history", "/root/.bash_history", "/home/*/.bash_history","/Users/.bash_history", "/Users/*/.bash_history",
+      ".zsh_history", "/root/.zsh_history", "/home/*/.zsh_history", "/Users/.zsh_history", "/Users/*/.zsh_history"
+    )
+  ) or
+  (process.args : "history" and process.args : "-c") or
+  (process.args : "export" and process.args : ("HISTFILE=/dev/null", "HISTFILESIZE=0")) or
+  (process.args : "unset" and process.args : "HISTFILE") or
+  (process.args : "set" and process.args : "history" and process.args : "+o")
+) and not (
+  process.executable like (
+    "/usr/bin/timeout", "/usr/bin/kubectl", "/usr/bin/psql", "/usr/lib/postgresql/*/bin/psql", "/usr/bin/bazel", "/usr/bin/git",  "/usr/bin/jq", "/bin/grep"
+  ) or
+  process.command_line == "stat -c %s history"
+)
+'''
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1070"
 name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1070.003"
 name = "Clear Command History"
 reference = "https://attack.mitre.org/techniques/T1070/003/"
 
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 
@@ -2,7 +2,7 @@
 creation_date = "2022/10/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/23"
 
 [rule]
 author = ["Elastic"]
@@ -18,41 +18,6 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Masquerading Space After Filename"
-references = [
-    "https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1036-masquerading",
-]
-risk_score = 47
-rule_id = "f5fb4598-4f10-11ed-bdc3-0242ac120002"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
-severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Linux",
-    "OS: macOS",
-    "Use Case: Threat Detection",
-    "Tactic: Defense Evasion",
-    "Data Source: Elastic Defend",
-    "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-query = '''
-process where host.os.type:("linux","macos") and event.type == "start" and
-process.executable regex~ """/[a-z0-9\s_\-\\./]+\s""" and not (
-  process.name in ("ls", "find", "grep", "xkbcomp") or
-  process.executable like ("/opt/nessus_agent/*", "/opt/gitlab/sv/gitlab-exporter/*", "/tmp/ansible-admin/*") or
-  process.parent.args in (
-    "./check_rubrik", "/usr/bin/check_mk_agent", "/etc/rubrik/start_stop_bootstrap.sh", "/etc/rubrik/start_stop_agent.sh"
-  )
-)
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -87,6 +52,42 @@ In Linux and macOS environments, file execution is determined by the file's true
 - Review and update endpoint protection settings to block execution of files with suspicious naming conventions, such as those ending with a space.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess potential impacts on other systems.
 - Implement additional monitoring for similar masquerading attempts by enhancing logging and alerting mechanisms to detect files with unusual naming patterns."""
+references = [
+    "https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1036-masquerading",
+]
+risk_score = 47
+rule_id = "f5fb4598-4f10-11ed-bdc3-0242ac120002"
+setup = """## Setup
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Defend",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type:("linux","macos") and event.type == "start" and
+process.executable regex~ """/[a-z0-9\s_\-\\./]+\s""" and not (
+  process.name in ("ls", "find", "grep", "xkbcomp") or
+  process.executable like ("/opt/nessus_agent/*", "/opt/gitlab/sv/gitlab-exporter/*", "/tmp/ansible-admin/*") or
+  process.parent.args in (
+    "./check_rubrik", "/usr/bin/check_mk_agent", "/etc/rubrik/start_stop_bootstrap.sh", "/etc/rubrik/start_stop_agent.sh"
+  ) or
+  process.args == "runc"
+)
+'''
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
@@ -2,18 +2,16 @@
 creation_date = "2023/08/24"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/12/24"
 
 [rule]
 author = ["Elastic"]
-building_block_type = "default"
 description = """
 Identify instances where adversaries include trailing space characters to mimic regular files, disguising their activity
 to evade default file handling mechanisms.
 """
-from = "now-119m"
+from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
-interval = "60m"
 language = "eql"
 license = "Elastic License v2"
 name = "Processes with Trailing Spaces"
@@ -26,35 +24,31 @@ tags = [
     "OS: macOS",
     "Use Case: Threat Detection",
     "Tactic: Defense Evasion",
-    "Rule Type: BBR",
     "Data Source: Elastic Defend",
     "Data Source: Elastic Endgame",
     "Data Source: Auditd Manager",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and
 process.name : "* "
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1036.006"
 name = "Space after Filename"
 reference = "https://attack.mitre.org/techniques/T1036/006/"
 
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-