Merge branch 'main' into dr-tuning-security-file-access-via-common-utility

Samirbous · web-flow · commit e3c953631d6f · 2025-12-12T18:14:54.000Z
diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/11/13"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ type = "esql"
 
 query = '''
 from logs-endpoint.*  metadata _id
-| where event.agent_id_status is not null 
+| where event.agent_id_status is not null and agent.id is not null
 | stats Esql.count_distinct_host_ids = count_distinct(host.id), Esql.host_id_values = values(host.id), Esql.user_id_values_user_id = values(user.id) by agent.id
 | where Esql.count_distinct_host_ids >= 2
 | keep Esql.count_distinct_host_ids, Esql.host_id_values, Esql.user_id_values_user_id, agent.id
diff --git a/rules/windows/defense_evasion_suspicious_short_program_name.toml b/rules/windows/defense_evasion_suspicious_short_program_name.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/15"
 integration = ["endpoint", "windows", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/12/12"
 
 [transform]
 [[transform.osquery]]
@@ -116,8 +116,8 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where host.os.type == "windows" and event.type == "start" and length(process.name) > 0 and
- length(process.name) == 5 and length(process.pe.original_file_name) > 5
+process where host.os.type == "windows" and event.type == "start" and 
+ process.name regex~ """[a-z0-9]\.exe""" and process.pe.original_file_name != null
 '''
 
 
diff --git a/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml b/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/10/28"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2025/11/25"
+updated_date = "2025/12/12"
 
 [rule]
 author = ["Elastic"]
@@ -84,10 +84,11 @@ type = "eql"
 query = '''
 sequence by source.port, source.ip with maxspan=3s
  [network where host.os.type == "windows" and destination.port == 88 and
-  process.executable != null and
+  process.executable != null and process.pid != 4 and 
   not process.executable : 
               ("?:\\Windows\\system32\\lsass.exe", 
-               "\\device\\harddiskvolume*\\windows\\system32\\lsass.exe") and
+               "\\device\\harddiskvolume*\\windows\\system32\\lsass.exe", 
+               "\\device\\harddiskvolume*\\windows\\system32\\svchost.exe") and
   not (process.executable : ("C:\\Windows\\System32\\svchost.exe", 
                              "C:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe", 
                              "F:\\IGEL\\RemoteManager\\*\\bin\\tomcat10.exe") and user.id in ("S-1-5-20", "S-1-5-18")) and   
