Merge branch 'main' into terrancedejesus/issue5353

Author: terrancedejesus

detection_rules/config.py

@@ -227,7 +227,7 @@ def parse_rules_config(path: Path | None = None) -> RulesConfig:  # noqa: PLR091
             raise ValueError(f"rules config file does not exist: {path}")
         loaded = yaml.safe_load(path.read_text())
     elif CUSTOM_RULES_DIR:
-        path = Path(CUSTOM_RULES_DIR) / "_config.yaml"
+        path = Path(CUSTOM_RULES_DIR).expanduser() / "_config.yaml"
         if not path.exists():
             raise FileNotFoundError(
                 """

detection_rules/etc/non-ecs-schema.json

@@ -145,7 +145,7 @@
     "kibana.alert.rule.threat.tactic.id": "keyword",
     "kibana.alert.workflow_status": "keyword",
     "kibana.alert.rule.rule_id": "keyword",
-    "kibana.alert.rule.name": "keyword", 
+    "kibana.alert.rule.name": "keyword",
     "kibana.alert.risk_score": "long",
     "kibana.alert.rule.type": "keyword",
     "kibana.alert.rule.threat.tactic.name": "keyword"
@@ -237,7 +237,8 @@
      "o365.audit.ExtendedProperties.ResultStatusDetail": "keyword",
      "o365.audit.OperationProperties.Name": "keyword",
      "o365.audit.OperationProperties.Value": "keyword",
-     "o365.audit.OperationCount": "long"
+     "o365.audit.OperationCount": "long",
+     "o365.audit.AppAccessContext.AADSessionId": "keyword"
   },
   "logs-okta*": {
     "okta.debug_context.debug_data.flattened.requestedScopes": "keyword",

detection_rules/schemas/definitions.py

@@ -76,7 +76,9 @@ def validator_wrapper(value: Any) -> Any:
 CONDITION_VERSION_PATTERN = re.compile(rf"^\^{_version}$")
 VERSION_PATTERN = f"^{_version}$"
 MINOR_SEMVER = re.compile(r"^\d+\.\d+$")
-FROM_SOURCES_REGEX = re.compile(r"^\s*FROM\s+(?P<sources>.+?)\s*(?:\||\bmetadata\b|//|$)", re.IGNORECASE | re.MULTILINE)
+FROM_SOURCES_REGEX = re.compile(
+    r"^\s*FROM\s+(?P<sources>(?:.+?(?:,\s*)?\n?)+?)\s*(?:\||\bmetadata\b|//|$)", re.IGNORECASE | re.MULTILINE
+)
 BRANCH_PATTERN = f"{VERSION_PATTERN}|^master$"
 ELASTICSEARCH_EQL_FEATURES = {
     "allow_negation": (Version.parse("8.9.0"), None),

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.5.17"
+version = "1.5.19"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"

…l_curl_wget_spawn_via_nodejs_parent.toml …l_curl_wget_spawn_via_nodejs_parent.tomlrules/linux/command_and_control_curl_wget_spawn_via_nodejs_parent.toml renamed to rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml rules/linux/command_and_control_curl_wget_spawn_via_nodejs_parent.toml renamed to rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/09/18"
-integration = ["endpoint", "crowdstrike"]
+integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/10/17"
+updated_date = "2025/11/26"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,18 @@ command and control behavior. Adversaries may use Node.js to download additional
 the system.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
+index = [
+    "endgame-*",
+    "logs-crowdstrike.fdr*",
+    "logs-endpoint.events.process-*",
+    "logs-sentinel_one_cloud_funnel.*",
+    "logs-system.security*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
+    "winlogbeat-*",
+    "auditbeat-*",
+    "logs-auditd_manager.auditd-*"
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Curl or Wget Spawned via Node.js"
@@ -46,7 +57,7 @@ This rule flags Node.js launching curl or wget, directly or via a shell, a commo
 - Rebuild and redeploy the workload from a known-good image, remove the malicious child_process code path from the Node.js application, restore validated configs/data, rotate any keys or tokens used by that service, and verify no further curl/wget spawns occur post-recovery.
 - Harden by removing curl/wget from runtime images where not required, enforcing egress allowlists for the service, constraining execution with AppArmor/SELinux/seccomp and least-privilege service accounts, and adding CI/CD checks to block package.json postinstall scripts or code that shells out to downloaders.
 """
-risk_score = 21
+risk_score = 47
 rule_id = "d9af2479-ad13-4471-a312-f586517f1243"
 setup = """## Setup
 
@@ -73,28 +84,38 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-severity = "low"
+severity = "medium"
 tags = [
   "Domain: Endpoint",
   "OS: Linux",
+  "OS: Windows",
+  "OS: macOS",
   "Use Case: Threat Detection",
   "Tactic: Command and Control",
-  "Data Source: Elastic Defend",
   "Resources: Investigation Guide",
+  "Data Source: Elastic Defend",
+  "Data Source: Elastic Endgame",
+  "Data Source: Windows Security Event Logs",
+  "Data Source: Sysmon",
+  "Data Source: SentinelOne",
   "Data Source: Crowdstrike",
+  "Data Source: Auditd Manager",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and process.parent.name == "node" and (
+process where event.type == "start" and
+ event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
+ process.parent.name in ("node", "bun", "node.exe", "bun.exe") and (
   (
-    process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
-    process.args == "-c" and process.command_line like~ ("*curl*", "*wget*")
+    process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "cmd.exe", "bash.exe", "powershell.exe") and
+    process.command_line like~ ("*curl*http*", "*wget*http*")
   ) or 
   (
-    process.name in ("curl", "wget")
+    process.name in ("curl", "wget", "curl.exe", "wget.exe")
   )
-)
+) and
+ not process.command_line like ("*127.0.0.1*", "*localhost*")
 '''
 
 [[rule.threat]]

rules/cross-platform/credential_access_gitleaks_execution.toml

@@ -0,0 +1,114 @@
+[metadata]
+creation_date = "2025/11/28"
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
+maturity = "production"
+updated_date = "2025/11/28"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects the execution of Gitleaks, a tool used to search for high-entropy strings and secrets in code
+repositories, which may indicate an attempt to access credentials.
+"""
+false_positives = [
+    """
+    Gitleaks is a legitimate open-source tool used by security professionals and developers to search for sensitive
+    information, such as passwords, API keys, and other secrets, within code repositories. It is commonly employed
+    during security assessments and code reviews to identify potential vulnerabilities.
+    """,
+]
+from = "now-9m"
+index = [
+    "endgame-*",
+    "logs-crowdstrike.fdr*",
+    "logs-endpoint.events.process-*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+    "logs-system.security*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
+    "winlogbeat-*",
+    "auditbeat-*",
+    "logs-auditd_manager.auditd-*"
+]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Secret Scanning via Gitleaks"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential Secret Scanning via Gitleaks
+
+This alert fires when a host launches Gitleaks, a secret-scanning utility that hunts high-entropy strings and credentials in source code and repositories, signaling potential credential harvesting. An attacker may clone internal repos or traverse local workspace directories, drop a portable gitleaks binary in /tmp or %TEMP%, run recursive scans with wide rule sets and JSON output, then archive the results to exfiltrate tokens, API keys, and passwords for lateral movement and service impersonation.
+
+### Possible investigation steps
+
+- Review the full command line to identify --path/--repo/--report/--format flags, which reveal scope and whether results are being written for exfiltration.
+- Examine parent and ancestry plus user session to determine if it was launched by CI/dev tooling versus an interactive shell, and note execution from temp or unusual directories suggesting a dropped portable binary.
+- Locate and inspect newly created artifacts (gitleaks.json, .sarif, .csv, zip archives) near the event time, confirm the presence of secrets, and map their sensitivity to affected systems.
+- Correlate with network and data movement around the event for clones to internal repos and outbound transfers to cloud storage, paste sites, or email, and capture repository URLs or destinations if present.
+- Trace how the binary arrived by checking recent downloads and file writes (curl/wget, package managers, GitHub releases), verify the binary’s hash and signer, and compare against known-good sources.
+
+### False positive analysis
+
+- A developer or security team member intentionally runs gitleaks to audit internal code for secrets during routine hygiene, producing local report artifacts and showing normal parent processes without exfiltration behavior.
+- A user invokes gitleaks with --version or --help to validate installation or review usage, which generates a process start event but performs no scanning or credential access.
+
+### Response and remediation
+
+- If the run was unauthorized or executed from /tmp, %TEMP%, or a user profile, terminate gitleaks.exe/gitleaks, isolate the host from the network, and capture the binary path and hash for forensics.
+- Quarantine report artifacts produced by the run (gitleaks.json, .sarif, .csv, and any zip archives) by securing copies for evidence, removing world-readable permissions, and deleting residual copies from the working directory, Downloads, repo folders, and CI workspaces after collection.
+- Eradicate tooling by removing the dropped gitleaks binary and any wrapper scripts or CI job steps that invoke it, and enforce execution blocking for gitleaks in user-writable paths via application control or EDR policy.
+- Immediately revoke and rotate any secrets confirmed in the reports or repository (cloud API keys, service tokens, SSH keys, credentials), purge them from repo history (git filter-repo/BFG) if present, redeploy updated secrets from the vault, and force password resets for affected accounts.
+- Review git activity and data movement around the event for repo clones and exports, and inspect outbound transfers of report files to cloud storage, paste sites, or email; escalate to Incident Response and Legal if any report left the device or if production/customer credentials are exposed.
+- Harden going forward by enabling approved server-side and CI secret scanning, enforcing pre-commit hooks, prohibiting PATs with broad scopes, restricting egress to paste/file-sharing sites, and blocking execution of portable binaries from temp and user-writable locations."""
+references = [
+    "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise",
+    "https://socket.dev/blog/shai-hulud-strikes-again-v2",
+]
+risk_score = 47
+rule_id = "f92171ed-a4d3-4baa-98f9-4df1652cb11b"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "OS: Windows",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+    "Data Source: Windows Security Event Logs",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
+    "Data Source: Auditd Manager",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where event.type == "start" and event.action like ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started", "Process Create*") and
+process.name : ("gitleaks.exe", "gitleaks")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+
+[[rule.threat.technique]]
+id = "T1555"
+name = "Credentials from Password Stores"
+reference = "https://attack.mitre.org/techniques/T1555/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"