Skip to content

[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 4 #5019

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Aug 28, 2025
Merged

[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 4 #5019

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
6fa292e
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 4
w0rk3r Aug 26, 2025
056e631
Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
w0rk3r Aug 28, 2025
74b9892
Merge branch 'main' into 3rd_party_edr_4
w0rk3r Aug 28, 2025
File filter

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 5 additions & 3 deletions rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2025/05/27"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/05/27"
updated_date = "2025/08/26"

[rule]
author = ["Elastic"]
Expand All @@ -18,6 +18,7 @@ index = [
"endgame-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
Expand Down Expand Up @@ -73,13 +74,14 @@ tags = [
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and
registry.path : ("HKLM\\SYSTEM\\ControlSet*\\Control\\Lsa\\RunAsPPL", "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Control\\Lsa\\RunAsPPL") and
registry.value : "RunAsPPL" and registry.path : "*\\SYSTEM\\*ControlSet*\\Control\\Lsa\\RunAsPPL" and
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@w0rk3r CS reg event is \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Control\\Lsa\\RunAsPPL why using wildcard here ?
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To simplify the logic, the performance should be ok as I added the registry.value condition
not registry.data.strings : ("1", "0x00000001", "2", "0x00000002")
'''

Expand Down
5 changes: 3 additions & 2 deletions rules/windows/defense_evasion_masquerading_business_apps_installer.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
creation_date = "2023/09/01"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/05/05"
updated_date = "2025/08/26"

[rule]
author = ["Elastic"]
Expand All @@ -12,7 +12,7 @@ developer. Attackers may trick users into downloading malicious executables that
via malicious ads, forum posts, and tutorials, effectively gaining initial access.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
index = ["logs-endpoint.events.process-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Masquerading as Business App Installer"
Expand All @@ -31,6 +31,7 @@ tags = [
"Tactic: Initial Access",
"Tactic: Execution",
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
]
timestamp_override = "event.ingested"
type = "eql"
Expand Down
28 changes: 15 additions & 13 deletions rules/windows/defense_evasion_masquerading_communication_apps.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2023/05/05"
integration = ["endpoint"]
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/05/05"
updated_date = "2025/08/26"

[rule]
author = ["Elastic"]
Expand All @@ -11,7 +11,7 @@ Identifies suspicious instances of communications apps, both unsigned and rename
conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
index = ["logs-endpoint.events.process-*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Masquerading as Communication Apps"
Expand All @@ -25,6 +25,8 @@ tags = [
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Resources: Investigation Guide",
"Data Source: SentinelOne",
"Data Source: Elastic Endgame",
]
timestamp_override = "event.ingested"
type = "eql"
Expand All @@ -35,40 +37,40 @@ process where host.os.type == "windows" and
(
/* Slack */
(process.name : "slack.exe" and not
(process.code_signature.subject_name in (
(process.code_signature.subject_name : (
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI for the reviewers, changing this to be case insensitive as S1 populates this field with all uppercase
"Slack Technologies, Inc.",
"Slack Technologies, LLC"
) and process.code_signature.trusted == true)
) or

/* WebEx */
(process.name : "WebexHost.exe" and not
(process.code_signature.subject_name in ("Cisco WebEx LLC", "Cisco Systems, Inc.") and process.code_signature.trusted == true)
(process.code_signature.subject_name : ("Cisco WebEx LLC", "Cisco Systems, Inc.") and process.code_signature.trusted == true)
) or

/* Teams */
(process.name : "Teams.exe" and not
(process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
(process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true)
) or

/* Discord */
(process.name : "Discord.exe" and not
(process.code_signature.subject_name == "Discord Inc." and process.code_signature.trusted == true)
(process.code_signature.subject_name : "Discord Inc." and process.code_signature.trusted == true)
) or

/* RocketChat */
(process.name : "Rocket.Chat.exe" and not
(process.code_signature.subject_name == "Rocket.Chat Technologies Corp." and process.code_signature.trusted == true)
(process.code_signature.subject_name : "Rocket.Chat Technologies Corp." and process.code_signature.trusted == true)
) or

/* Mattermost */
(process.name : "Mattermost.exe" and not
(process.code_signature.subject_name == "Mattermost, Inc." and process.code_signature.trusted == true)
(process.code_signature.subject_name : "Mattermost, Inc." and process.code_signature.trusted == true)
) or

/* WhatsApp */
(process.name : "WhatsApp.exe" and not
(process.code_signature.subject_name in (
(process.code_signature.subject_name : (
"WhatsApp LLC",
"WhatsApp, Inc",
"24803D75-212C-471A-BC57-9EF86AB91435"
Expand All @@ -77,17 +79,17 @@ process where host.os.type == "windows" and

/* Zoom */
(process.name : "Zoom.exe" and not
(process.code_signature.subject_name == "Zoom Video Communications, Inc." and process.code_signature.trusted == true)
(process.code_signature.subject_name : "Zoom Video Communications, Inc." and process.code_signature.trusted == true)
) or

/* Outlook */
(process.name : "outlook.exe" and not
(process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
(process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true)
) or

/* Thunderbird */
(process.name : "thunderbird.exe" and not
(process.code_signature.subject_name == "Mozilla Corporation" and process.code_signature.trusted == true)
(process.code_signature.subject_name : "Mozilla Corporation" and process.code_signature.trusted == true)
)
)
'''
Expand Down
6 changes: 4 additions & 2 deletions rules/windows/defense_evasion_masquerading_renamed_autoit.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/09/01"
integration = ["endpoint", "windows", "m365_defender"]
integration = ["endpoint", "windows", "m365_defender", "crowdstrike"]
maturity = "production"
updated_date = "2025/05/05"
updated_date = "2025/08/26"

[transform]
[[transform.osquery]]
Expand Down Expand Up @@ -43,6 +43,7 @@ index = [
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-m365_defender.event-*",
"logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
Expand Down Expand Up @@ -110,6 +111,7 @@ tags = [
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Crowdstrike",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI - this rule scope will be expanded by this PR https://github.com/elastic/detection-rules/pull/5001/files#diff-144ed12542ec43b6381b1bb6ec737eae308465ef0f213f9444e87f187bfa0b7dR121 (no action required)
]
timestamp_override = "event.ingested"
type = "eql"
Expand Down
12 changes: 9 additions & 3 deletions rules/windows/defense_evasion_microsoft_defender_tampering.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2021/10/18"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/27"
updated_date = "2025/08/26"

[rule]
author = ["Austin Songer"]
Expand All @@ -19,6 +19,7 @@ index = [
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"endgame-*",
"logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
Expand Down Expand Up @@ -85,6 +86,7 @@ tags = [
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
"Data Source: Elastic Endgame",
"Data Source: Crowdstrike",
]
timestamp_override = "event.ingested"
type = "eql"
Expand All @@ -109,7 +111,11 @@ registry where host.os.type == "windows" and event.type == "change" and process.
"?:\\Windows\\system32\\svchost.exe",
"?:\\Windows\\CCM\\CcmExec.exe",
"?:\\Windows\\System32\\DeviceEnroller.exe",
"?:\\Program Files (x86)\\Trend Micro\\Security Agent\\tmuninst.exe"
"?:\\Program Files (x86)\\Trend Micro\\Security Agent\\tmuninst.exe",
"\\Device\\HarddiskVolume*\\Windows\\system32\\svchost.exe",
"\\Device\\HarddiskVolume*\\Windows\\CCM\\CcmExec.exe",
"\\Device\\HarddiskVolume*\\Windows\\System32\\DeviceEnroller.exe",
"\\Device\\HarddiskVolume*\\Program Files (x86)\\Trend Micro\\Security Agent\\tmuninst.exe"
)

/*
Expand Down
Loading