Merge branch 'main' into dec_schema_refresh

shashank-elastic · web-flow · commit dc7f00778524 · 2025-12-08T18:10:58.000+05:30
diff --git a/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml b/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint", "windows", "auditd_manager", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/05"
+updated_date = "2025/12/08"
 
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and event.action != "fork" and (
+process where event.type == "start" and event.action in ("exec", "executed", "start", "process_started") and (
     process.name in (
       "sh", "bash", "zsh", "curl", "wget", "id", "whoami", "uname", "cmd.exe", "cat", "powershell.exe", "java", "rundll32.exe", "wget.exe", "certutil.exe",
       "nc", "ncat", "netcat", "nc.openbsd", "nc.traditional", "socat", "busybox", "mkfifo", "nohup", "setsid", "xterm"
diff --git a/rules/windows/defense_evasion_masquerading_as_svchost.toml b/rules/windows/defense_evasion_masquerading_as_svchost.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/11/12"
-integration = ["windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2025/11/12"
+updated_date = "2025/12/05"
 min_stack_version = "9.1.0"
 min_stack_comments = "The esql match operator was introduced in version 9.1.0"
 
@@ -60,13 +60,16 @@ tags = [
     "OS: Windows",
     "Use Case: Threat Detection",
     "Tactic: Defense Evasion",
-    "Resources: Investigation Guide"
+    "Resources: Investigation Guide", 
+    "Data Source: Elastic Defend",
+    "Data Source: Windows Security Event Logs",
+    "Data Source: Sysmon"
 ]
 timestamp_override = "event.ingested"
 type = "esql"
 
 query = '''
-FROM logs-* metadata _id, _version, _index
+FROM logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-*, logs-windows.*, winlogbeat-* metadata _id, _version, _index
 | where event.category == "process" and event.type == "start" and
   match(process.name, "svchost.exe", { "fuzziness": 1, "max_expansions": 10 }) and
   not process.executable in ("C:\\Windows\\SysWOW64\\svchost.exe", "C:\\Windows\\System32\\svchost.exe") and
