diff --git a/rules/cross-platform/persistence_shell_profile_modification.toml b/rules/cross-platform/persistence_shell_profile_modification.toml
index f2aa57f72ee..d1b2b37a7cb 100644
--- a/rules/cross-platform/persistence_shell_profile_modification.toml
+++ b/rules/cross-platform/persistence_shell_profile_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/16"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ triggered by a user’s shell.
 """
 false_positives = ["Changes to the Shell Profile tend to be noisy, a tuning per your environment will be required."]
 from = "now-9m"
-index = ["logs-endpoint.events.*", "auditbeat-*"]
+index = ["logs-endpoint.events.file-*", "auditbeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Bash Shell Profile Modification"
@@ -35,20 +35,12 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:file and event.type:change and
+event.category:file and host.os.type:(linux or macos) and event.type:change and
   not event.action:("rename" or "extended_attributes_delete") and
+  file.name:(".bash_profile" or ".profile" or ".bashrc" or ".zshenv" or ".zshrc") and file.path:(/home/* or /Users/*) and
   process.name:(* and not (sudo or vim or zsh or env or nano or bash or Terminal or xpcproxy or login or cat or cp or launchctl or java or dnf or tailwatchd or ldconfig or yum or semodule or cpanellogd or dockerd or authselect or chmod or dnf-automatic or git or dpkg or platform-python)) and
-  not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/* or /opt/saltstack/salt/bin/*) and
-  file.path:(/private/etc/rc.local or
-             /etc/rc.local or
-             /home/*/.profile or
-             /home/*/.profile1 or
-             /home/*/.bash_profile or
-             /home/*/.bash_profile1 or
-             /home/*/.bashrc or
-             /Users/*/.bash_profile or
-             /Users/*/.zshenv)
+  not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/* or /opt/saltstack/salt/bin/*)
 '''
 note = """## Triage and analysis
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
index 194742537ba..e4f7721dde4 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/10/16"
-integration = ["problemchild", "endpoint", "windows"]
+integration = ["problemchild", "endpoint"]
 maturity = "production"
-updated_date = "2025/09/08"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
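Review bot: The new path filter `file.path:(/home/* or /Users/*)` on the added `file.name:` line leaves root's own profile files outside the rule, so a change to `/root/.bashrc` or `/root/.profile` by a non-excluded process never matches; the removed path list had the same gap, but this hunk rewrites the filter and is the place to settle it. If root's home is meant to be in scope, `file.path:(/home/* or /Users/* or /root/*)` closes it; if it is deliberately left out, the rule description should say so. The rule name is still "Bash Shell Profile Modification" while the `file.name` list now also covers the zsh files `.zshenv` and `.zshrc` and the query is gated on `host.os.type:(linux or macos)`, which is fine but worth reflecting in the description, which is outside this hunk.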
@@ -12,7 +12,7 @@ probability of it being malicious activity. Alternatively, the model's blocklist
 malicious.
 """
 from = "now-10m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*"]
+index = ["logs-endpoint.events.process-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score"
@@ -94,7 +94,15 @@ type = "eql"
 query = '''
 process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or
-blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*")
+blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*") and
+process.parent.executable != null and not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
+not process.parent.name : ("cmd.exe", "powershell.exe", "Perplexity.exe", "vmtoolsd.exe", "Code.exe", "explorer.exe", "git.exe") and
+not (process.name : "msedgewebview2.exe" and process.parent.name : "msedgewebview2.exe") and
+not (process.name : "opera.exe" and process.parent.name : "opera.exe") and
+not (process.parent.executable : "C:\\Windows\\System32\\svchost.exe" and
+     process.name : ("UCPDMgr.exe", "sdbinst.exe", "gpupdate.exe", "rundll32.exe", "taskhostw.exe", "taskeng.exe", "rdpclip.exe", "firefox.exe", "w3wp.exe")) and
+not process.executable : ("C:\\Program Files\\*.exe", "C:\\Program Files (x86)\\*.exe") and
+not (process.name : "MpCmdRun.exe" and process.parent.name : ("MsMpEng.exe", "MpCmdRun.exe", "svchost.exe"))
 '''
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml
index fe667dde29d..283a4020daf 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml
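Review bot: The added line `not process.parent.name : ("cmd.exe", "powershell.exe", "Perplexity.exe", "vmtoolsd.exe", "Code.exe", "explorer.exe", "git.exe") and` drops every child of cmd.exe, powershell.exe and explorer.exe from the high-probability rule, and those are the parents of most interactive and script-driven process chains, so a high model score is never surfaced for them; the low-probability rule in this commit adds the same cmd.exe/powershell.exe parent exclusion. If these parents are noise sources, pinning the exclusion to the specific child name or to `process.parent.executable`, as the svchost.exe clause a few lines below already does, keeps the suppression narrow. The `not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20")` clause likewise removes everything running as SYSTEM, LocalService and NetworkService, which includes services and scheduled tasks; a sentence in the rule note explaining why service-account activity is out of scope would let a tuner judge the trade-off. The `not process.executable : ("C:\\Program Files\\*.exe", ...)` exclusion uses `*`, which spans path separators, so it covers any depth under those two directories rather than only top-level binaries, and the note should say that is intended.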
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint"]
 maturity = "production"
-updated_date = "2025/09/08"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ probability of it being malicious activity. Alternatively, the model's blocklist
 malicious.
 """
 from = "now-10m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*"]
+index = ["logs-endpoint.events.process-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score"
@@ -59,7 +59,26 @@ type = "eql"
 query = '''
 process where ((problemchild.prediction == 1 and problemchild.prediction_probability <= 0.98) or
-blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*")
+blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*") and
+process.parent.executable != null and not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
+not process.parent.name : ("cmd.exe", "powershell.exe") and
+not (process.name == "net1.exe" and process.parent.name == "net.exe") and
+not (process.parent.executable : "C:\\Windows\\System32\\svchost.exe" and
+     process.name : ("UCPDMgr.exe", "sdbinst.exe", "gpupdate.exe", "rundll32.exe", "taskhostw.exe", "taskeng.exe")) and
+not (process.name: ("powershell.exe", "cmd.exe", "cscript.exe") and
+     process.parent.executable : ("C:\\Program Files\\*.exe",
+                                  "C:\\Program Files (x86)\\*.exe",
+                                  "C:\\Users\\*\\Documents\\scripts\\nssm-2.24\\win64\\nssm.exe",
+                                  "C:\\Windows\\System32\\cmd.exe",
+                                  "C:\\Windows\\SysWOW64\\cmd.exe",
+                                  "C:\\Windows\\CCM\\CcmExec.exe",
+                                  "C:\\Windows\\System32\\svchost.exe",
+                                  "C:\\Windows\\System32\\gpscript.exe",
+                                  "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
+                                  "C:\\appian\\java\\bin\\java.exe")) and
+not (process.executable : "C:\\Windows\\System32\\cscript.exe" and process.parent.name : ("node.exe", "MicroStrategy Services.exe")) and
+not (process.name : "MpCmdRun.exe" and process.parent.name : ("MsMpEng.exe", "MpCmdRun.exe", "svchost.exe")) and
+not process.executable : ("C:\\Program Files\\*.exe", "C:\\Program Files (x86)\\*.exe")
 '''
 note = """## Triage and analysis
diff --git a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
index 9016a08649b..08eac6ad6e2 100644
--- a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
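Review bot: The `process.parent.executable` list added under `not (process.name: ("powershell.exe", "cmd.exe", "cscript.exe") and` bakes single-deployment paths such as `"C:\\Users\\*\\Documents\\scripts\\nssm-2.24\\win64\\nssm.exe"` and `"C:\\appian\\java\\bin\\java.exe"` into a shared production query, and a service wrapper living in a user's Documents folder spawning a shell is the kind of placement a tuner would want to review rather than have silently suppressed. Exclusions tied to one environment fit better in a `[[rule.filters]]` entry or a Kibana exception so they can be reviewed and retired independently of the query, and each should carry a comment naming the application it covers. The `not process.parent.name : ("cmd.exe", "powershell.exe") and` line shares the concern raised on the high-probability rule in this commit, and `"C:\\Windows\\System32\\cmd.exe"` and `"C:\\Windows\\SysWOW64\\cmd.exe"` appearing again in the parent-executable list makes that exclusion redundant for those two entries.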
+++ b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/11/14"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -37,13 +37,18 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 sequence by host.id with maxspan=1m
-  [process where host.os.type == "linux" and event.action == "end" and process.name == "sshd" and process.exit_code != 0] by process.entity_id
+  [process where host.os.type == "linux" and event.action == "end" and process.name == "sshd" and process.exit_code != 0 and
+   process.command_line == "/usr/sbin/sshd -D -R" and process.parent.command_line == "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"] by process.entity_id
   [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
-   process.parent.name == "sshd" and process.parent.args == "-D" and process.parent.args == "-R" and
+   process.parent.name == "sshd" and process.parent.command_line == "/usr/sbin/sshd -D -R" and
   process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.args == "-c" and
+   not process.executable in ("/usr/sbin/sshd", "/sbin/unix_chkpwd") and
   not (
-     process.args like ("rsync*", "systemctl*", "/usr/sbin/unix_chkpwd", "/usr/bin/google_authorized_keys", "/usr/sbin/aad_certhandler*") or
-     process.command_line like ("sh -c /usr/bin/env -i PATH=*", "sh -c -- /usr/bin/env -i PATH=*")
+     process.args like ("rsync*", "systemctl*", "/usr/sbin/unix_chkpwd", "/usr/bin/google_authorized_keys", "/usr/sbin/aad_certhandler*",
+                        "bash -c bash -s", "/usr/lib/ssh/sftp-server", "stat /etc/is_upgrade_install > /dev/null 2>&1",
+                        "stat /opt/qradar/ha/.*", "/usr/bin/env -i PATH=*", "/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key*",
+                        "test -e /*", "md5sum*", "check_mk_agent") or
+     process.command_line like ("sh -c /usr/bin/env -i PATH=*", "sh -c -- /usr/bin/env -i PATH=*", "*/root/.ansible/tmp/ansible-tmp*")
   )] by process.parent.entity_id
 '''
 note = """## Triage and analysis
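Review bot: The exact comparison `process.parent.command_line == "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"` added to the first sequence step only holds while no other unauthenticated connection is pending and MaxStartups is at its default, so on a busy server the listener title reads a different count or range and the whole sequence silently stops matching; the `"/usr/sbin/sshd -D -R"` literals on both steps also miss hosts whose sshd lives under another path or is started with additional flags. A wildcard keeps the intent without the brittleness, e.g. `process.parent.command_line like "sshd: * [listener] * startups"` and `process.parent.command_line like "*sshd -D -R*"`. Because the rule now depends on a specific sshd invocation, the note section should spell out that assumption so tuners can check it against their own hosts.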
diff --git a/rules/linux/persistence_web_server_sus_destination_port.toml b/rules/linux/persistence_web_server_sus_destination_port.toml
index 9755dbd1e44..17e43c70bfd 100644
--- a/rules/linux/persistence_web_server_sus_destination_port.toml
+++ b/rules/linux/persistence_web_server_sus_destination_port.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/04/07"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -94,28 +94,22 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and (
-  user.name in (
-    "apache", "www-data", "httpd", "nginx", "lighttpd", "tomcat", "tomcat8", "tomcat9", "ftp", "ftpuser", "ftpd"
-  ) or
-  user.id in ("99", "33", "498", "48")
-  ) and (
-  process.name in (
-    "apache", "nginx", "apache2", "httpd", "lighttpd", "caddy", "node", "mongrel_rails", "java", "gunicorn",
-    "uwsgi", "openresty", "cherokee", "h2o", "resin", "puma", "unicorn", "traefik", "tornado", "hypercorn",
-    "daphne", "twistd", "yaws", "webfsd", "httpd.worker", "flask", "rails", "mongrel"
+  process.name like (
+    "apache", "nginx", "apache2", "httpd", "lighttpd", "caddy", "php-fpm*", "mongrel_rails", "haproxy",
+    "gunicorn", "uwsgi", "openresty", "cherokee", "h2o", "resin", "puma", "unicorn", "traefik", "uvicorn",
+    "tornado", "hypercorn", "daphne", "twistd", "yaws", "webfsd", "httpd.worker", "flask", "rails", "mongrel",
+    "php-cgi", "php-fcgi", "php-cgi.cagefs"
   ) or
-  process.name like ("php-*", "python*", "ruby*", "perl*")
+  user.name in ("apache", "www-data", "httpd", "nginx", "lighttpd", "tomcat", "tomcat8", "tomcat9", "ftp", "ftpuser", "ftpd") or
+  user.id in ("54321", "33", "498", "48") or
+  (process.name == "java" and process.working_directory like "/u0?/*")
 ) and network.direction == "egress" and destination.ip != null and
-not destination.port in (80, 443, 8080, 8443, 8000, 8888, 3128, 3306) and
-not cidrmatch(destination.ip, "127.0.0.0/8", "::1","FE80::/10", "FF00::/8")
+not destination.port in (80, 443, 8080, 8443, 8000, 8888, 3128, 3306, 5432, 8220, 8082) and
-/*
-This rule does not exclude local IP ranges by default.
To exclude these, use the following exclusion statement:
-cidrmatch(destination.ip, "10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32",
+not cidrmatch(destination.ip, "127.0.0.0/8", "::1","FE80::/10", "FF00::/8", "10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32",
 "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")
-*/
 '''
 
 [[rule.threat]]
diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml
index d89d4b37729..78b6e8cff1c 100644
--- a/rules/windows/persistence_webshell_detection.toml
+++ b/rules/windows/persistence_webshell_detection.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/08/24"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/11"
+updated_date = "2025/12/16"
 
 [rule]
 author = ["Elastic"]
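Review bot: The rewritten `not cidrmatch(destination.ip, ...)` line now excludes every RFC 1918, link-local, CGNAT and reserved range by default, where the removed comment had deliberately kept those as an opt-in exclusion; a web-server process reaching an internal host on an unusual port is the pivot case this rule's name describes, and it no longer produces an alert. If internet-bound egress only is the intended scope, the rule description should state that, and the old comment text is worth keeping in the note so a tuner knows which entries to remove to cover internal traffic again. The list also carries `"224.0.0.0/4"` twice, once from the original loopback/multicast set and again in the appended block; one entry is enough. The swap of `"99"` for `"54321"` in `user.id in (...)` is unexplained by the hunk, and a short comment naming the account that UID belongs to would keep the exclusion reviewable.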
@@ -118,7 +118,19 @@ host.os.type:windows and event.category:process and event.type:start and process
     "cmd.exe /s /c \"echo '%os%'\"" or *.\\install\\awk.exe*
   ) or
-  process.args : (\(git or (*artisan* and *queue\:work*) or *rmdir* or "mode CON" or ver or ls or mode or dir)
+  process.args : (\(git or (*artisan* and *queue\:work*) or *rmdir* or "mode CON" or ver or ls or mode or dir) or
+
+  (process.name:cmd.exe and process.parent.args : "c:\\\\xampp\\\\htdocs\\\\open-audit\\\\index.php") or
+
+  (process.name:cmd.exe and process.args:("/V:ON" and "--header-html")) or
+
+  (process.parent.args:"WebCession" and process.args:E\:\\Data\\CLM\\cession\\*.bat) or
+
+  (process.parent.executable :"D:\\AiDKlinik\\php\\php-cgi.exe" and process.args:D\:\\AiDKlinik\\web*) or
+
+  (process.parent.args :"E:/wamp64/bin/apache/apache2.4.62.1" and process.args:node*) or
+
+  (process.parent.name:"php.exe" and process.name:"cmd.exe" and process.args:("/V:ON" and "/E:ON"))
 )
 '''
@@ -138,12 +150,6 @@ negate = true
 case_insensitive = true
 value = "*?:\\\\Program Files (x86)\\\\*"
 
-[[rule.filters]]
-[rule.filters.meta]
-negate = true
-[rule.filters.query.wildcard."process.command_line"]
-case_insensitive = true
-value = "*?:\\\\Program Files (x86)\\\\*"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
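Review bot: The last added clause, `(process.parent.name:"php.exe" and process.name:"cmd.exe" and process.args:("/V:ON" and "/E:ON"))`, is keyed only on two generic cmd.exe switches, so any php.exe to cmd.exe chain carrying `/V:ON /E:ON` is suppressed regardless of the command that follows, and that parent/child pair is what this webshell rule exists to surface; the neighbouring exclusions at least pin a parent path or a distinctive argument (`"D:\\AiDKlinik\\php\\php-cgi.exe"`, `"E:/wamp64/bin/apache/apache2.4.62.1"`) and this one should do the same. Several of the new clauses hard-code single-deployment paths such as `"c:\\\\xampp\\\\htdocs\\\\open-audit\\\\index.php"` and `E\:\\Data\\CLM\\cession\\*.bat`, which fit better in a `[[rule.filters]]` entry like the ones this rule already uses than in the shared query, and each would benefit from a comment naming the application it covers. The enclosing `query` block starts before this hunk.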