elastic · Samirbous · Dec 18, 2025 · Dec 16, 2025 · Dec 17, 2025 · Dec 17, 2025
diff --git a/rules/cross-platform/persistence_shell_profile_modification.toml b/rules/cross-platform/persistence_shell_profile_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/16"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ triggered by a user’s shell.
 """
 false_positives = ["Changes to the Shell Profile tend to be noisy, a tuning per your environment will be required."]
 from = "now-9m"
-index = ["logs-endpoint.events.*", "auditbeat-*"]
+index = ["logs-endpoint.events.file-*", "auditbeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Bash Shell Profile Modification"
@@ -35,20 +35,12 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.category:file and event.type:change and
+event.category:file and host.os.type:(linux or macos) and event.type:change and not event.action:("rename" or "extended_attributes_delete") and
+  file.name:(".bash_profile" or ".profile" or ".bashrc" or ".zshenv" or ".zshrc") and file.path:(/home/* or /Users/*) and 
   process.name:(* and not (sudo or vim or zsh or env or nano or bash or Terminal or xpcproxy or login or cat or cp or
   launchctl or java or dnf or tailwatchd or ldconfig or yum or semodule or cpanellogd or dockerd or authselect or chmod or
   dnf-automatic or git or dpkg or platform-python)) and
-  not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/* or /opt/saltstack/salt/bin/*) and
-  file.path:(/private/etc/rc.local or
-             /etc/rc.local or
-             /home/*/.profile or
-             /home/*/.profile1 or
-             /home/*/.bash_profile or
-             /home/*/.bash_profile1 or
-             /home/*/.bashrc or
-             /Users/*/.bash_profile or
-             /Users/*/.zshenv)
+  not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/* or /opt/saltstack/salt/bin/*)
 '''
 note = """## Triage and analysis
 

diff --git a/...tegrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml b/...tegrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/10/16"
-integration = ["problemchild", "endpoint", "windows"]
+integration = ["problemchild", "endpoint"]
 maturity = "production"
-updated_date = "2025/09/08"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ probability of it being malicious activity. Alternatively, the model's blocklist
 malicious.
 """
 from = "now-10m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*"]
+index = ["logs-endpoint.events.process-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score"
@@ -94,7 +94,15 @@ type = "eql"
 
 query = '''
 process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or
-blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*")
+blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*") and
+process.parent.executable != null and not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
+not process.parent.name : ("cmd.exe", "powershell.exe", "Perplexity.exe", "vmtoolsd.exe", "Code.exe", "explorer.exe", "git.exe") and
+not (process.name : "msedgewebview2.exe" and process.parent.name : "msedgewebview2.exe") and
+not (process.name : "opera.exe" and process.parent.name : "opera.exe") and
+not (process.parent.executable : "C:\\Windows\\System32\\svchost.exe" and
+     process.name : ("UCPDMgr.exe", "sdbinst.exe", "gpupdate.exe", "rundll32.exe", "taskhostw.exe", "taskeng.exe", "rdpclip.exe", "firefox.exe", "w3wp.exe")) and
+not process.executable : ("C:\\Program Files\\*.exe", "C:\\Program Files (x86)\\*.exe") and
+not (process.name : "MpCmdRun.exe" and process.parent.name : ("MsMpEng.exe", "MpCmdRun.exe", "svchost.exe"))
 '''
 
 

diff --git a/...ntegrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml b/...ntegrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint"]
 maturity = "production"
-updated_date = "2025/09/08"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ probability of it being malicious activity. Alternatively, the model's blocklist
 malicious.
 """
 from = "now-10m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*"]
+index = ["logs-endpoint.events.process-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score"
@@ -59,7 +59,26 @@ type = "eql"
 
 query = '''
 process where ((problemchild.prediction == 1 and problemchild.prediction_probability <= 0.98) or
-blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*")
+blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*") and
+process.parent.executable != null and not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
+not process.parent.name : ("cmd.exe", "powershell.exe") and
+not (process.name == "net1.exe" and process.parent.name == "net.exe") and
+not (process.parent.executable : "C:\\Windows\\System32\\svchost.exe" and
+     process.name : ("UCPDMgr.exe", "sdbinst.exe", "gpupdate.exe", "rundll32.exe", "taskhostw.exe", "taskeng.exe")) and
+not (process.name: ("powershell.exe", "cmd.exe", "cscript.exe") and
+     process.parent.executable : ("C:\\Program Files\\*.exe",
+                                  "C:\\Program Files (x86)\\*.exe",
+                                  "C:\\Users\\*\\Documents\\scripts\\nssm-2.24\\win64\\nssm.exe",
+                                  "C:\\Windows\\System32\\cmd.exe",
+                                  "C:\\Windows\\SysWOW64\\cmd.exe",
+                                  "C:\\Windows\\CCM\\CcmExec.exe",
+                                  "C:\\Windows\\System32\\svchost.exe",
+                                  "C:\\Windows\\System32\\gpscript.exe",
+                                  "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
+                                  "C:\\appian\\java\\bin\\java.exe")) and
+not (process.executable : "C:\\Windows\\System32\\cscript.exe" and process.parent.name : ("node.exe", "MicroStrategy Services.exe")) and
+not (process.name : "MpCmdRun.exe" and process.parent.name : ("MsMpEng.exe", "MpCmdRun.exe", "svchost.exe")) and
+not process.executable : ("C:\\Program Files\\*.exe", "C:\\Program Files (x86)\\*.exe")
 '''
 note = """## Triage and analysis
 

diff --git a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/11/14"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -37,13 +37,18 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 sequence by host.id with maxspan=1m
-  [process where host.os.type == "linux" and event.action == "end" and process.name == "sshd" and process.exit_code != 0] by process.entity_id
+  [process where host.os.type == "linux" and event.action == "end" and process.name == "sshd" and process.exit_code != 0 and
+   process.command_line == "/usr/sbin/sshd -D -R" and process.parent.command_line == "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"] by process.entity_id
   [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
-   process.parent.name == "sshd" and process.parent.args == "-D" and process.parent.args == "-R" and
+   process.parent.name == "sshd" and process.parent.command_line == "/usr/sbin/sshd -D -R" and
    process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.args == "-c" and
+   not process.executable in ("/usr/sbin/sshd", "/sbin/unix_chkpwd") and
    not (
-     process.args like ("rsync*", "systemctl*", "/usr/sbin/unix_chkpwd", "/usr/bin/google_authorized_keys", "/usr/sbin/aad_certhandler*") or
-     process.command_line like ("sh -c /usr/bin/env -i PATH=*", "sh -c -- /usr/bin/env -i PATH=*") 
+     process.args like ("rsync*", "systemctl*", "/usr/sbin/unix_chkpwd", "/usr/bin/google_authorized_keys", "/usr/sbin/aad_certhandler*",
+                        "bash -c bash -s", "/usr/lib/ssh/sftp-server", "stat /etc/is_upgrade_install > /dev/null 2>&1",
+                        "stat /opt/qradar/ha/.*", "/usr/bin/env -i PATH=*", "/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key*",
+                        "test -e /*", "md5sum*", "check_mk_agent") or
+     process.command_line like ("sh -c /usr/bin/env -i PATH=*", "sh -c -- /usr/bin/env -i PATH=*", "*/root/.ansible/tmp/ansible-tmp*")
    )] by process.parent.entity_id
 '''
 note = """## Triage and analysis

diff --git a/rules/linux/persistence_web_server_sus_destination_port.toml b/rules/linux/persistence_web_server_sus_destination_port.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/04/07"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -94,28 +94,22 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and (
-     user.name in (
-      "apache", "www-data", "httpd", "nginx", "lighttpd", "tomcat", "tomcat8", "tomcat9", "ftp", "ftpuser", "ftpd"
-     ) or
-     user.id in ("99", "33", "498", "48")
-   ) and (
-   process.name in (
-    "apache", "nginx", "apache2", "httpd", "lighttpd", "caddy", "node", "mongrel_rails", "java", "gunicorn",
-    "uwsgi", "openresty", "cherokee", "h2o", "resin", "puma", "unicorn", "traefik", "tornado", "hypercorn",
-    "daphne", "twistd", "yaws", "webfsd", "httpd.worker", "flask", "rails", "mongrel"
+  process.name like (
+    "apache", "nginx", "apache2", "httpd", "lighttpd", "caddy", "php-fpm*", "mongrel_rails", "haproxy",
+    "gunicorn", "uwsgi", "openresty", "cherokee", "h2o", "resin", "puma", "unicorn", "traefik", "uvicorn",
+    "tornado", "hypercorn", "daphne", "twistd", "yaws", "webfsd", "httpd.worker", "flask", "rails", "mongrel",
+    "php-cgi", "php-fcgi", "php-cgi.cagefs"
   ) or
-    process.name like ("php-*", "python*", "ruby*", "perl*")
+  user.name in ("apache", "www-data", "httpd", "nginx", "lighttpd", "tomcat", "tomcat8", "tomcat9", "ftp", "ftpuser", "ftpd") or
+  user.id in ("54321", "33", "498", "48") or
+  (process.name == "java" and process.working_directory like "/u0?/*")
 ) and
 network.direction == "egress" and destination.ip != null and
-not destination.port in (80, 443, 8080, 8443, 8000, 8888, 3128, 3306) and
-not cidrmatch(destination.ip, "127.0.0.0/8", "::1","FE80::/10", "FF00::/8")
+not destination.port in (80, 443, 8080, 8443, 8000, 8888, 3128, 3306, 5432, 8220, 8082) and
 
-/* 
-This rule does not exclude local IP ranges by default. To exclude these, use the following exclusion statement:
-cidrmatch(destination.ip, "10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32",
+not cidrmatch(destination.ip, "127.0.0.0/8", "::1","FE80::/10", "FF00::/8", "10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32",
 "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24",
 "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")
-*/
 '''
 
 [[rule.threat]]

diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/08/24"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/11"
+updated_date = "2025/12/16"
 
 [rule]
 author = ["Elastic"]
@@ -118,7 +118,19 @@ host.os.type:windows and event.category:process and event.type:start and process
       "cmd.exe /s /c \"echo '%os%'\"" or
       *.\\install\\awk.exe*
     ) or
-    process.args : (\(git or (*artisan* and *queue\:work*) or *rmdir* or "mode CON" or ver or ls or mode or dir)
+    process.args : (\(git or (*artisan* and *queue\:work*) or *rmdir* or "mode CON" or ver or ls or mode or dir) or
+
+    (process.name:cmd.exe and process.parent.args : "c:\\\\xampp\\\\htdocs\\\\open-audit\\\\index.php") or
+
+    (process.name:cmd.exe and process.args:("/V:ON" and "--header-html")) or
+
+    (process.parent.args:"WebCession" and process.args:E\:\\Data\\CLM\\cession\\*.bat) or
+
+    (process.parent.executable :"D:\\AiDKlinik\\php\\php-cgi.exe" and process.args:D\:\\AiDKlinik\\web*) or
+
+    (process.parent.args :"E:/wamp64/bin/apache/apache2.4.62.1" and process.args:node*) or
+
+    (process.parent.name:"php.exe" and process.name:"cmd.exe" and process.args:("/V:ON" and "/E:ON"))
   )
 '''
 
@@ -138,12 +150,6 @@ negate = true
 case_insensitive = true
 value = "*?:\\\\Program Files (x86)\\\\*"
 
-[[rule.filters]]
-[rule.filters.meta]
-negate = true
-[rule.filters.query.wildcard."process.command_line"]
-case_insensitive = true
-value = "*?:\\\\Program Files (x86)\\\\*"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"