[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 10 (#5025)

* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 10

* Update rules/windows/execution_shared_modules_local_sxs_dll.toml

* pending adjustments

* Update execution_windows_cmd_shell_susp_args.toml

(cherry picked from commit a31b3a3)

Author: w0rk3r

rules/windows/execution_shared_modules_local_sxs_dll.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/10/28"
-integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ index = [
     "endgame-*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -41,13 +42,19 @@ tags = [
     "Data Source: Sysmon",
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-file where host.os.type == "windows" and file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll"
+file where host.os.type == "windows" and file.extension : "dll" and
+  file.path : (
+    "C:\\*\\*.exe.local\\*.dll",
+    /* Crowdstrike specific condition as it uses NT Object paths */
+    "\\Device\\HarddiskVolume*\\*\\*.exe.local\\*.dll"
+  )
 '''
 
 

rules/windows/execution_suspicious_psexesvc.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/08/14"
-integration = ["endpoint", "windows", "m365_defender"]
+integration = ["endpoint", "windows", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/05/05"
+updated_date = "2025/08/26"
 
 [rule]
 author = ["Elastic"]
@@ -17,6 +17,7 @@ index = [
     "logs-windows.sysmon_operational-*",
     "endgame-*",
     "logs-m365_defender.event-*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -61,11 +62,12 @@ tags = [
     "Use Case: Threat Detection",
     "Tactic: Execution",
     "Tactic: Defense Evasion",
-    "Data Source: Elastic Endgame",
     "Resources: Investigation Guide",
+    "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend",
     "Data Source: Sysmon",
     "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"

rules/windows/execution_windows_cmd_shell_susp_args.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2024/09/06"
-integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
+integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/01"
 
 [rule]
 author = ["Elastic"]
@@ -12,12 +12,14 @@ is often observed during malware installation.
 """
 from = "now-9m"
 index = [
+    "logs-crowdstrike.fdr*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
     "logs-system.security*",
     "logs-windows.forwarded*",
     "logs-windows.sysmon_operational-*",
     "winlogbeat-*",
+    "endgame-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -65,76 +67,93 @@ tags = [
     "OS: Windows",
     "Use Case: Threat Detection",
     "Tactic: Execution",
+    "Resources: Investigation Guide",
     "Data Source: Windows Security Event Logs",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
     "Data Source: Microsoft Defender for Endpoint",
-    "Resources: Investigation Guide",
+    "Data Source: Elastic Endgame",
+    "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- process.name : "cmd.exe" and
- (
-
-  process.command_line : ("*).Run(*", "*GetObject*", "* curl*regsvr32*", "*echo*wscript*", "*echo*ZONE.identifier*",
-  "*ActiveXObject*", "*dir /s /b *echo*", "*unescape(*",  "*findstr*TVNDRgAAAA*", "*findstr*passw*", "*start*\\\\*\\DavWWWRoot\\*",
-  "* explorer*%CD%*", "*%cd%\\*.js*", "*attrib*%CD%*", "*/?cMD<*", "*/AutoIt3ExecuteScript*..*", "*&cls&cls&cls&cls&cls&*",
-  "*&#*;&#*;&#*;&#*;*", "* &&s^eT*", "*& ChrW(*", "*&explorer /root*", "*start __ & __\\*", "*findstr /V /L *forfiles*",
-  "*=wscri& set *", "*http*!COmpUternaME!*", "*start *.pdf * start /min cmd.exe /c *\\\\*", "*pip install*System.Net.WebClient*",
-  "*Invoke-WebReques*Start-Process*", "*-command (Invoke-webrequest*", "*copy /b *\\\\* ping *-n*", "*echo*.ToCharArray*") or
-
-  (process.args : "echo" and process.parent.name : ("wscript.exe", "mshta.exe")) or
-
-  process.args : ("1>?:\\*.vbs", "1>?:\\*.js") or
-
-  (process.args : "explorer.exe" and process.args : "type" and process.args : ">" and process.args : "start") or
-
-  (process.parent.name : "explorer.exe" and
-   process.command_line :
-           ("*&&S^eT *",
-            "*&& set *&& set *&& set *&& set *&& set *&& call*",
-            "**\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??*")) or
-
-   (process.parent.name : "explorer.exe" and process.args : "copy" and process.args : "&&" and process.args : "\\\\*@*\\*")
+  process.name : "cmd.exe" and
+  (
+    process.command_line : (
+        "*).Run(*", "*GetObject*", "* curl*regsvr32*", "*echo*wscript*", "*echo*ZONE.identifier*",
+        "*ActiveXObject*", "*dir /s /b *echo*", "*unescape(*",  "*findstr*TVNDRgAAAA*", "*findstr*passw*", "*start*\\\\*\\DavWWWRoot\\*",
+        "* explorer*%CD%*", "*%cd%\\*.js*", "*attrib*%CD%*", "*/?cMD<*", "*/AutoIt3ExecuteScript*..*", "*&cls&cls&cls&cls&cls&*",
+        "*&#*;&#*;&#*;&#*;*", "* &&s^eT*", "*& ChrW(*", "*&explorer /root*", "*start __ & __\\*", "*findstr /V /L *forfiles*",
+        "*=wscri& set *", "*http*!COmpUternaME!*", "*start *.pdf * start /min cmd.exe /c *\\\\*", "*pip install*System.Net.WebClient*",
+        "*Invoke-WebReques*Start-Process*", "*-command (Invoke-webrequest*", "*copy /b *\\\\* ping *-n*", "*echo*.ToCharArray*"
+    ) or
+
+    (process.args : "echo" and process.parent.name : ("wscript.exe", "mshta.exe")) or
+    
+    process.args : ("1>?:\\*.vbs", "1>?:\\*.js") or
+
+    (process.args : "explorer.exe" and process.args : "type" and process.args : ">" and process.args : "start") or
+
+    (
+      process.parent.name : "explorer.exe" and
+      process.command_line : (
+        "*&&S^eT *",
+        "*&& set *&& set *&& set *&& set *&& set *&& call*",
+        "**\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??*"
+      )
+    ) or
+
+    (process.parent.name : "explorer.exe" and process.args : "copy" and process.args : "&&" and process.args : "\\\\*@*\\*")
   ) and
 
   /* false positives */
   not (process.args : "%TEMP%\\Spiceworks\\*" and process.parent.name : "wmiprvse.exe") and
-  not process.parent.executable :
-                ("?:\\Perl64\\bin\\perl.exe",
-                 "?:\\Program Files\\nodejs\\node.exe",
-                 "?:\\Program Files\\HP\\RS\\pgsql\\bin\\pg_dumpall.exe",
-                 "?:\\Program Files (x86)\\PRTG Network Monitor\\64 bit\\PRTG Server.exe",
-                 "?:\\Program Files (x86)\\Spiceworks\\bin\\spiceworks-finder.exe",
-                 "?:\\Program Files (x86)\\Zuercher Suite\\production\\leds\\leds.exe",
-                 "?:\\Program Files\\Tripwire\\Agent\\Plugins\\twexec\\twexec.exe",
-                 "D:\\Agents\\?\\_work\\_tasks\\*\\SonarScanner.MSBuild.exe",
-                 "?:\\Program Files\\Microsoft VS Code\\Code.exe",
-                 "?:\\programmiweb\\NetBeans-*\\netbeans\\bin\\netbeans64.exe",
-                 "?:\\Program Files (x86)\\Public Safety Suite Professional\\production\\leds\\leds.exe",
-                 "?:\\Program Files (x86)\\Tier2Tickets\\button_gui.exe",
-                 "?:\\Program Files\\NetBeans-*\\netbeans\\bin\\netbeans*.exe",
-                 "?:\\Program Files (x86)\\Public Safety Suite Professional\\production\\leds\\leds.exe",
-                 "?:\\Program Files (x86)\\Tier2Tickets\\button_gui.exe",
-                 "?:\\Program Files (x86)\\Helpdesk Button\\button_gui.exe",
-                 "?:\\VTSPortable\\VTS\\jre\\bin\\javaw.exe",
-                 "?:\\Program Files\\Bot Framework Composer\\Bot Framework Composer.exe",
-                 "?:\\Program Files\\KMSYS Worldwide\\eQuate\\*\\SessionMgr.exe",
-                 "?:\\Program Files (x86)\\Craneware\\Pricing Analyzer\\Craneware.Pricing.Shell.exe",
-                 "?:\\Program Files (x86)\\jumpcloud-agent-app\\jumpcloud-agent-app.exe",
-                 "?:\\Program Files\\PostgreSQL\\*\\bin\\pg_dumpall.exe",
-                 "?:\\Program Files (x86)\\Vim\\vim*\\vimrun.exe") and
+  not ?process.parent.executable : (
+        "?:\\Perl64\\bin\\perl.exe",
+        "?:\\Program Files\\nodejs\\node.exe",
+        "?:\\Program Files\\HP\\RS\\pgsql\\bin\\pg_dumpall.exe",
+        "?:\\Program Files (x86)\\PRTG Network Monitor\\64 bit\\PRTG Server.exe",
+        "?:\\Program Files (x86)\\Spiceworks\\bin\\spiceworks-finder.exe",
+        "?:\\Program Files (x86)\\Zuercher Suite\\production\\leds\\leds.exe",
+        "?:\\Program Files\\Tripwire\\Agent\\Plugins\\twexec\\twexec.exe",
+        "D:\\Agents\\?\\_work\\_tasks\\*\\SonarScanner.MSBuild.exe",
+        "?:\\Program Files\\Microsoft VS Code\\Code.exe",
+        "?:\\programmiweb\\NetBeans-*\\netbeans\\bin\\netbeans64.exe",
+        "?:\\Program Files (x86)\\Public Safety Suite Professional\\production\\leds\\leds.exe",
+        "?:\\Program Files (x86)\\Tier2Tickets\\button_gui.exe",
+        "?:\\Program Files\\NetBeans-*\\netbeans\\bin\\netbeans*.exe",
+        "?:\\Program Files (x86)\\Public Safety Suite Professional\\production\\leds\\leds.exe",
+        "?:\\Program Files (x86)\\Tier2Tickets\\button_gui.exe",
+        "?:\\Program Files (x86)\\Helpdesk Button\\button_gui.exe",
+        "?:\\VTSPortable\\VTS\\jre\\bin\\javaw.exe",
+        "?:\\Program Files\\Bot Framework Composer\\Bot Framework Composer.exe",
+        "?:\\Program Files\\KMSYS Worldwide\\eQuate\\*\\SessionMgr.exe",
+        "?:\\Program Files (x86)\\Craneware\\Pricing Analyzer\\Craneware.Pricing.Shell.exe",
+        "?:\\Program Files (x86)\\jumpcloud-agent-app\\jumpcloud-agent-app.exe",
+        "?:\\Program Files\\PostgreSQL\\*\\bin\\pg_dumpall.exe",
+        "?:\\Program Files (x86)\\Vim\\vim*\\vimrun.exe") and
+  not (
+        /* Crowdstrike doesn't populate process.parent.executable */
+        event.dataset == "crowdstrike.fdr" and
+        process.parent.name : (
+          "perl.exe", "node.exe", "pg_dumpall.exe", "PRTG Server.exe", "spiceworks-finder.exe", "leds.exe", "twexec.exe",
+          "SonarScanner.MSBuild.exe", "Code.exe", "netbeans64.exe", "javaw.exe", "Bot Framework Composer.exe", "SessionMgr.exe",
+          "Craneware.Pricing.Shell.exe", "jumpcloud-agent-app.exe", "vimrun.exe"
+        )
+      ) and
   not (process.args :  "?:\\Program Files\\Citrix\\Secure Access Client\\nsauto.exe" and process.parent.name : "userinit.exe") and
-  not process.args :
-            ("?:\\Program Files (x86)\\PCMatic\\PCPitstopScheduleService.exe",
-             "?:\\Program Files (x86)\\AllesTechnologyAgent\\*",
-             "https://auth.axis.com/oauth2/oauth-authorize*") and
-  not process.command_line :
-               ("\"cmd\" /c %NETBEANS_MAVEN_COMMAND_LINE%",
-                "?:\\Windows\\system32\\cmd.exe /q /d /s /c \"npm.cmd ^\"install^\" ^\"--no-bin-links^\" ^\"--production^\"\"") and
+  not process.args : (
+        "?:\\Program Files (x86)\\PCMatic\\PCPitstopScheduleService.exe",
+        "?:\\Program Files (x86)\\AllesTechnologyAgent\\*",
+        "https://auth.axis.com/oauth2/oauth-authorize*"
+  ) and
+  not process.command_line : (
+    "\"cmd\" /c %NETBEANS_MAVEN_COMMAND_LINE%",
+    "?:\\Windows\\system32\\cmd.exe /q /d /s /c \"npm.cmd ^\"install^\" ^\"--no-bin-links^\" ^\"--production^\"\""
+  ) and
   not (process.name : "cmd.exe" and process.args : "%TEMP%\\Spiceworks\\*" and process.args : "http*/dataloader/persist_netstat_data") and
   not (process.args == "echo" and process.args == "GEQ" and process.args == "1073741824")
 '''

rules/windows/execution_windows_powershell_susp_args.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2024/09/06"
-integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
+integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/04"
+updated_date = "2025/09/01"
 
 [rule]
 author = ["Elastic"]
@@ -12,13 +12,15 @@ installation leveraging PowerShell.
 """
 from = "now-9m"
 index = [
+    "logs-endpoint.events.process-*",
     "logs-crowdstrike.fdr*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
     "logs-system.security*",
     "logs-windows.forwarded*",
     "logs-windows.sysmon_operational-*",
     "winlogbeat-*",
+    "endgame-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -67,10 +69,12 @@ tags = [
     "Use Case: Threat Detection",
     "Tactic: Execution",
     "Data Source: Windows Security Event Logs",
+    "Data Source: Elastic Defend",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Crowdstrike",
+    "Data Source: Elastic Endgame",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"

rules/windows/initial_access_rdp_file_mail_attachment.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2024/11/05"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/26"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ index = [
     "logs-windows.forwarded*",
     "logs-windows.sysmon_operational-*",
     "winlogbeat-*",
+    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -79,6 +80,7 @@ tags = [
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
@@ -92,7 +94,7 @@ process where host.os.type == "windows" and event.type == "start" and
                  "?:\\Users\\*\\AppData\\Local\\Temp\\7z*.rdp",
                  "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*\\*.rdp",
                  "?:\\Users\\*\\AppData\\Local\\Temp\\BNZ.*.rdp",
-                 "C:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\*.rdp")
+                 "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\*.rdp")
 '''