diff --git a/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml b/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml
index 06eacbf8b12..3898796f2ef 100644
--- a/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml
+++ b/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2024/08/21"
-integration = ["endpoint"]
+integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Detects the use of the AWS CLI with the `--endpoint-url` argument, which allows users to specify a custom endpoint URL for AWS services. This can be leveraged by adversaries to redirect API requests to non-standard or malicious endpoints, potentially bypassing typical security controls and logging mechanisms. This behavior may indicate an attempt to interact with unauthorized or compromised infrastructure, exfiltrate data, or perform other malicious activities under the guise of legitimate AWS operations.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*"]
+index = ["logs-endpoint.events.process-*", "logs-crowdstrike.fdr*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS CLI Command with Custom Endpoint URL"
@@ -21,12 +21,13 @@ risk_score = 47
 rule_id = "349276c0-5fcf-11ef-b1a9-f661ea17fbce"
 severity = "medium"
 tags = [
- "Data Source: Elastic Defend",
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Resources: Investigation Guide",
+ "Data Source: Crowdstrike",
 ]
 type = "new_terms"
 timestamp_override = "event.ingested"
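Review bot: None of the three hunks for this rule touches `query`, which lives below the `timestamp_override` line where the last hunk ends, so the new `logs-crowdstrike.fdr*` index and the `Data Source: Crowdstrike` tag are advertised without any visible change that lets a CrowdStrike process event match. If that query keys on `event.action:exec` the way the other Linux rules in this diff did before they were edited, CrowdStrike events will never satisfy it and the added index contributes nothing; the same gap applies to discovery_virtual_machine_fingerprinting.toml, execution_perl_tty_shell.toml, impact_esxi_process_kill.toml and impact_process_kill_threshold.toml, whose sections in this diff also contain no query hunk. Please either confirm those queries already admit the CrowdStrike action value (the other hunks here use `ProcessRollup2`) or add the corresponding query hunks so the tag and index are backed by matching logic.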
diff --git a/rules/linux/command_and_control_curl_wget_spawn_via_nodejs_parent.toml b/rules/linux/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
index 5152c093ab4..b89451ba4c4 100644
--- a/rules/linux/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
+++ b/rules/linux/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/09/18"
-integration = ["endpoint"]
+integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/10/06"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ command and control behavior. Adversaries may use Node.js to download additional
 the system.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*"]
+index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Curl or Wget Spawned via Node.js"
@@ -75,17 +75,18 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "low"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name == "node" and (
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and process.parent.name == "node" and (
 (
 process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.args == "-c" and process.command_line like~ ("*curl*", "*wget*")
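Review bot: Widening `event.action` to `("exec", "ProcessRollup2")` is the only CrowdStrike accommodation in this query, yet the branch on the following context line still requires `process.args == "-c"`, i.e. a tokenised argument array; whether the crowdstrike integration splits its raw command-line string into `process.args` is not visible here, and if it does not, CrowdStrike events fail this clause and the rule gains nothing from the new index. The same dependency exists in credential_access_gh_auth_via_nodejs.toml (`process.args == "gh auth token"`) and discovery_kubectl_permission_discovery.toml (`process.args == "auth" and process.args == "can-i"`). Please validate against an FDR document, or express the shell check on `process.command_line`, which the rule already tests with `like~`. The disjunction opened by the trailing `(` continues outside this hunk.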
diff --git a/rules/linux/command_and_control_ip_forwarding_activity.toml b/rules/linux/command_and_control_ip_forwarding_activity.toml
index 34d8b13e7ff..5b2be331515 100644
--- a/rules/linux/command_and_control_ip_forwarding_activity.toml
+++ b/rules/linux/command_and_control_ip_forwarding_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2024/11/04"
-integration = ["endpoint", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ forwarding can be used to route network traffic between different network interf
 pivot between networks, exfiltrate data, or establish command and control channels.
 """
 from = "now-9m"
-index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*", "logs-crowdstrike.fdr*"]
 language = "eql"
 license = "Elastic License v2"
 name = "IPv4/IPv6 Forwarding Activity"
@@ -55,21 +55,22 @@ risk_score = 21
 rule_id = "5a138e2e-aec3-4240-9843-56825d0bc569"
 severity = "low"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Data Source: Elastic Defend",
- "Data Source: SentinelOne",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend",
+ "Data Source: SentinelOne",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "exec_event") and
-process.parent.executable != null and process.command_line like (
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "exec_event", "ProcessRollup2") and
+?process.parent.executable != null and process.command_line like (
 "*net.ipv4.ip_forward*", "*/proc/sys/net/ipv4/ip_forward*", "*net.ipv6.conf.all.forwarding*", "*/proc/sys/net/ipv6/conf/all/forwarding*"
 ) and (
diff --git a/rules/linux/command_and_control_telegram_api_request.toml b/rules/linux/command_and_control_telegram_api_request.toml
index 0963067a23d..6f9d44ccde8 100644
--- a/rules/linux/command_and_control_telegram_api_request.toml
+++ b/rules/linux/command_and_control_telegram_api_request.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/04/29"
-integration = ["endpoint"]
+integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/07/07"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
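Review bot: The `?` in `?process.parent.executable != null` only stops the query from erroring when the field is unmapped in an index; it does not relax the `!= null` test, so a CrowdStrike event that carries no `process.parent.executable` value is still excluded and the `logs-crowdstrike.fdr*` index added in the earlier hunk produces no matches for this rule. Whether the crowdstrike integration populates that field is not visible here, so please confirm against a real FDR document; if it does not, the parent check needs a CrowdStrike-compatible form (for instance also accepting `process.parent.name != null`, the field the Node.js rules in this diff already key on) rather than the optional-field marker alone. The identical edit appears in defense_evasion_hex_payload_execution_via_commandline.toml, defense_evasion_sysctl_kernel_feature_activity.toml, exfiltration_potential_curl_data_exfiltration.toml and impact_memory_swap_modification.toml. The `process.command_line like (` group opened on the last added line is closed outside this hunk.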
@@ -11,7 +11,7 @@ This rule detects when a process executes the curl or wget command with an argum
 api.telegram.org domain. This may indicate command and control behavior.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*"]
+index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Linux Telegram API Request"
@@ -91,17 +91,18 @@ For more information on capturing environment variables refer to the [helper gui
 """
 severity = "low"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and
 process.name in ("curl", "wget") and process.command_line like "*api.telegram.org*"
 '''
 
diff --git a/rules/linux/credential_access_gh_auth_via_nodejs.toml b/rules/linux/credential_access_gh_auth_via_nodejs.toml
index 1af65c5416e..cb8eb06c211 100644
--- a/rules/linux/credential_access_gh_auth_via_nodejs.toml
+++ b/rules/linux/credential_access_gh_auth_via_nodejs.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/09/18"
-integration = ["endpoint"]
+integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/18"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ may use this technique to access GitHub repositories and potentially exfiltrate
 perform malicious actions. This activity was observed in the wild as part of the Shai-Hulud worm.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*"]
+index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
 language = "eql"
 license = "Elastic License v2"
 name = "GitHub Authentication Token Access via Node.js"
@@ -49,18 +49,19 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Tactic: Discovery",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Tactic: Discovery",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name == "node" and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and process.parent.name == "node" and
 process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.args == "gh auth token"
 '''
 
diff --git a/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml b/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml
index cf8c1783952..72fd94b7f6f 100644
--- a/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml
+++ b/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/04/29"
-integration = ["endpoint"]
+integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/07/07"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ This rule detects when a process executes a command line containing hexadecimal
 hexadecimal encoding to obfuscate their payload and evade detection.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*"]
+index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Hex Payload Execution via Command-Line"
@@ -78,19 +78,20 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "low"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
-process.parent.executable != null and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and
+?process.parent.executable != null and
 process.command_line : "*\\x*\\x*\\x*\\x*\\x*\\x*\\x*\\x*\\x*\\x*\\x*\\x*\\x*\\x*" and
 length(process.command_line) > 50
 '''
diff --git a/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml b/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml
index 1fefad94398..b71dd1ee395 100644
--- a/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml
+++ b/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/02/21"
-integration = ["endpoint"]
+integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/04/07"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ base64 encoding to obfuscate data and pipe it to an interpreter to execute malic
 be used to evade detection by host- or network-based security controls.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*"]
+index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Base64 Decoded Payload Piped to Interpreter"
@@ -81,19 +81,20 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 sequence by host.id, process.parent.entity_id with maxspan=3s
- [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
+ [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and (
 (process.name in ("base64", "base64plain", "base64url", "base64mime", "base64pem", "base32", "base16") and process.command_line like~ "*-*d*") or
 (process.name == "openssl" and process.args == "enc" and process.args in ("-d", "-base64", "-a")) or
 (process.name like "python*" and
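Review bot: The sequence join key on the context line `sequence by host.id, process.parent.entity_id with maxspan=3s` is left as is while both stages are widened to accept `ProcessRollup2`, and a CrowdStrike event will only pair with its sibling if the crowdstrike integration fills `process.parent.entity_id` with a value that is identical on the two documents. Whether it does is not visible in this diff; if the field is absent or not stable on the FDR side, the sequence can never complete for CrowdStrike data and the `event.action` widening in this and the next hunk is dead weight for this rule, so it deserves a two-event FDR fixture rather than the usual single-event check. The sequence's second stage is in the following hunk and the expression is closed outside this one.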
@@ -103,7 +104,7 @@ sequence by host.id, process.parent.entity_id with maxspan=3s
 (process.name like "perl*" and process.command_line like~ "*decode_base64*") or
 (process.name like "ruby*" and process.args == "-e" and process.command_line like~ "*Base64.decode64*")
 )]
- [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name like~ (
+ [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and process.name like~ (
 "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "perl*", "ruby*", "lua*", "php*"
 )]
 '''
diff --git a/rules/linux/defense_evasion_ld_preload_cmdline.toml b/rules/linux/defense_evasion_ld_preload_cmdline.toml
index c5286236a2f..770cbee448b 100644
--- a/rules/linux/defense_evasion_ld_preload_cmdline.toml
+++ b/rules/linux/defense_evasion_ld_preload_cmdline.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/04/30"
-integration = ["endpoint"]
+integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/07/07"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ This behavior is unusual and may indicate an attempt to hijack the execution flo
 this technique to evade defenses, escalate privileges, or maintain persistence on a system.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*"]
+index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments"
@@ -80,18 +80,19 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "low"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-host.os.type:linux and event.category:process and event.type:start and event.action:exec and
+host.os.type:linux and event.category:process and event.type:start and event.action:(exec or ProcessRollup2) and
 process.parent.name:(* and not (
 awk or bwrap or cylancesvc or dbus-run-session or java or julia or make or matlab_helper or ninja or noproc_sandbox or nxrunner or nxserver or perl or rear or sapcontrol or setsid or spoold or sshd or steam or su or sudo or titanagent or
diff --git a/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml b/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml
index 498fe04f3e6..78abee0c706 100644
--- a/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml
+++ b/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/04/29"
-integration = ["endpoint"]
+integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/07/07"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,8 @@ NMI watchdog by setting kernel.nmi_watchdog to 0. These changes may be used to i
 """
 from = "now-9m"
 index = [
- "logs-endpoint.events.process*",
+ "logs-endpoint.events.process*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -59,18 +60,19 @@ risk_score = 21
 rule_id = "3aff6ab1-18bd-427e-9d4c-c5732110c261"
 severity = "low"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Discovery",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Discovery",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and
 process.command_line : (
 "*/etc/sysctl.conf*", "*/etc/sysctl.d/*", "*/proc/sys/kernel/nmi_watchdog*", "*/proc/sys/vm/nr_hugepages*", "*/proc/sys/kernel/yama/ptrace_scope*",
@@ -80,7 +82,7 @@ process.command_line : (
 "*kernel.nmi_watchdog*", "*vm.nr_hugepages*", "*vm.drop_caches*", "*kernel.sysrq*"
 ) and
-process.parent.executable != null and
+?process.parent.executable != null and
 (
 (process.name == "tee" and process.args like "-*a*") or // also detects --append
 (process.name == "cat" and not process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")) or
diff --git a/rules/linux/discovery_kubectl_permission_discovery.toml b/rules/linux/discovery_kubectl_permission_discovery.toml
index 08eb9cfd8fa..e50f1a77a15 100644
--- a/rules/linux/discovery_kubectl_permission_discovery.toml
+++ b/rules/linux/discovery_kubectl_permission_discovery.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/06/17"
-integration = ["endpoint"]
+integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/07/07"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,8 @@ them to gain unauthorized access or escalate privileges.
 """
 from = "now-9m"
 index = [
- "logs-endpoint.events.process*",
+ "logs-endpoint.events.process*",
+ "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -85,19 +86,20 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "low"
 tags = [
- "Domain: Endpoint",
- "Domain: Container",
- "Domain: Kubernetes",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
+ "Domain: Endpoint",
+ "Domain: Container",
+ "Domain: Kubernetes",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and
 process.name == "kubectl" and process.args == "auth" and process.args == "can-i"
 '''
 
diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml
index 395d90f67f5..67706d07b72 100644
--- a/rules/linux/discovery_virtual_machine_fingerprinting.toml
+++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/04/27"
-integration = ["endpoint"]
+integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Virtual Machine Fingerprinting"
@@ -63,13 +63,14 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 """
 severity = "high"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml b/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml
index 1c8a89cd072..be8c06d5c71 100644
--- a/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml
+++ b/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2024/09/27"
-integration = ["endpoint"]
+integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ through crafted UDP packets or network spoofing. This can result in arbitrary co
 initiated.
 """
 from = "now-9m"
-index = ["endgame-*", "logs-endpoint.events.process*"]
+index = ["endgame-*", "logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Printer User (lp) Shell Execution"
@@ -99,20 +99,21 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "high"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Use Case: Vulnerability",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Use Case: Vulnerability",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and
- event.action in ("exec", "exec_event") and user.name == "lp" and
+ event.action in ("exec", "exec_event", "ProcessRollup2") and user.name == "lp" and
 process.parent.name in ("cupsd", "foomatic-rip", "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
 process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and not (
 process.command_line like (
diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml
index 6aa0c5830f8..7c1e4547b4c 100644
--- a/rules/linux/execution_perl_tty_shell.toml
+++ b/rules/linux/execution_perl_tty_shell.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/04/16"
-integration = ["endpoint"]
+integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a si
 interactive tty after obtaining initial access to a host.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Interactive Terminal Spawned via Perl"
@@ -56,13 +56,14 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 """
 severity = "high"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/linux/execution_suspicious_mkfifo_execution.toml b/rules/linux/execution_suspicious_mkfifo_execution.toml
index a662869e7e0..c44de2d1dc1 100644
--- a/rules/linux/execution_suspicious_mkfifo_execution.toml
+++ b/rules/linux/execution_suspicious_mkfifo_execution.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/04/30"
-integration = ["endpoint"]
+integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/07/07"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ rule type, this rule can identify uncommon process command lines that may indica
 named pipe.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*"]
+index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Suspicious Named Pipe Creation"
@@ -81,18 +81,19 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "low"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Tactic: Command and Control",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:mkfifo and
+host.os.type:linux and event.category:process and event.type:start and event.action:(exec or ProcessRollup2) and process.name:mkfifo and
 process.parent.name:(bash or csh or dash or fish or ksh or sh or tcsh or zsh) and
 process.args:((/dev/shm/* or /tmp/* or /var/tmp/*) and not /*fifo*)
 '''
diff --git a/rules/linux/execution_unusual_kthreadd_execution.toml b/rules/linux/execution_unusual_kthreadd_execution.toml
index f63aa7975fa..fb453b1a848 100644
--- a/rules/linux/execution_unusual_kthreadd_execution.toml
+++ b/rules/linux/execution_unusual_kthreadd_execution.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/04/30"
-integration = ["endpoint"]
+integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/07/07"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ kernel space via kthreadd to perform actions on the host and evade detection. Th
 rule can identify uncommon child processes that may indicate the presence of a malicious process.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*"]
+index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Unusual Execution from Kernel Thread (kthreadd) Parent"
@@ -82,17 +82,18 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.parent.name:kthreadd and (
+host.os.type:linux and event.category:process and event.type:start and event.action:(exec or ProcessRollup2) and process.parent.name:kthreadd and (
 process.executable:(/dev/shm/* or /tmp/* or /var/tmp/* or /var/www/*) or
 process.name:(bash or csh or curl or dash or fish or id or ksh or nohup or setsid or sh or tcsh or wget or whoami or zsh)
 ) and
diff --git a/rules/linux/exfiltration_potential_curl_data_exfiltration.toml b/rules/linux/exfiltration_potential_curl_data_exfiltration.toml
index 791949db551..af84bb408a3 100644
--- a/rules/linux/exfiltration_potential_curl_data_exfiltration.toml
+++ b/rules/linux/exfiltration_potential_curl_data_exfiltration.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/04/29"
-integration = ["endpoint"]
+integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/07/07"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ actors have been seen utilizing curl to upload this archive file with the collec
 way while not inherently malicious should be considered highly abnormal and suspicious activity.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*"]
+index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Data Exfiltration Through Curl"
@@ -95,18 +95,19 @@ For more information on capturing environment variables refer to the [helper gui
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Exfiltration",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Exfiltration",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "curl" and
-process.parent.executable != null and (process.args in ("-F", "-T", "-d") or process.args like "--data*") and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and process.name == "curl" and
+?process.parent.executable != null and (process.args in ("-F", "-T", "-d") or process.args like "--data*") and
 process.command_line like~ ("*@/*.zip*", "*@/*.gz*", "*@/*.tgz*", "*b64=@*", "*=<*") and process.command_line like~ "*http*"
 '''
diff --git a/rules/linux/impact_esxi_process_kill.toml b/rules/linux/impact_esxi_process_kill.toml
index f97a7adf9ab..d9ed4608c92 100644
--- a/rules/linux/impact_esxi_process_kill.toml
+++ b/rules/linux/impact_esxi_process_kill.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/04/11"
-integration = ["endpoint"]
+integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ command. The rule monitors for the "end" event type, which signifies the termina
 interfere with the virtualized environment on the targeted system.
 """
 from = "now-9m"
-index = ["endgame-*", "logs-endpoint.events.process*"]
+index = ["endgame-*", "logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Termination of ESXI Process"
@@ -49,13 +49,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Impact",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Impact",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/linux/impact_memory_swap_modification.toml b/rules/linux/impact_memory_swap_modification.toml
index b0dd5c06c53..c4ea95a48d8 100644
--- a/rules/linux/impact_memory_swap_modification.toml
+++ b/rules/linux/impact_memory_swap_modification.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2024/11/04"
-integration = ["endpoint", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ the system's memory and potentially impact the system's performance. This behavi deploys miner software such as XMRig. """ from = "now-9m" -index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*", "logs-crowdstrike.fdr*"] language = "eql" license = "Elastic License v2" name = "Memory Swap Modification" @@ -82,22 +82,23 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Impact", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start") and -process.parent.executable != null and +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and +?process.parent.executable != null and process.name in ("swapon", "swapoff") or ( process.command_line like ("*vm.swappiness*", "*/proc/sys/vm/swappiness*") and ( (process.name == "sysctl" and process.args like ("*-w*", "*--write*", "*=*")) or diff --git a/rules/linux/impact_process_kill_threshold.toml b/rules/linux/impact_process_kill_threshold.toml index 3115bb5696b..cdf0a394550 100644 --- a/rules/linux/impact_process_kill_threshold.toml +++ b/rules/linux/impact_process_kill_threshold.toml 
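Review bot: In the rewritten query the `or` before `(` sits outside every parenthesis, so `host.os.type == "linux"`, `event.type == "start"`, the event.action list and the new `?process.parent.executable != null` guard constrain only the swapon/swapoff branch; the vm.swappiness branch is not gated by OS, event type or action and will fire on any process document in any of the listed indices, including end events. Group the alternatives, e.g. change `process.name in ("swapon", "swapoff") or (` to `(process.name in ("swapon", "swapoff") or (` and add the matching `)` where that branch closes, which is beyond the end of this hunk. Note too that the `?` prefix only protects against an unmapped field: an event that lacks process.parent.executable still fails `!= null`, so the crowdstrike index only contributes here if the integration fills that field on ProcessRollup2 events.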
@@ -1,14 +1,14 @@ [metadata] creation_date = "2022/07/27" -integration = ["endpoint", "auditd_manager"] +integration = ["endpoint", "auditd_manager", "crowdstrike"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2025/10/17" [rule] author = ["Elastic"] description = "This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.\n" from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*"] language = "kuery" license = "Elastic License v2" name = "High Number of Process Terminations" @@ -74,14 +74,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Impact", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager", + "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" type = "threshold" diff --git a/rules/linux/persistence_apt_package_manager_execution.toml b/rules/linux/persistence_apt_package_manager_execution.toml index 4e477752c24..2c8f3af0999 100644 --- a/rules/linux/persistence_apt_package_manager_execution.toml +++ b/rules/linux/persistence_apt_package_manager_execution.toml 
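Review bot: The index and tag are extended here but the threshold query is not part of this diff, and every other rule in the change needed ProcessRollup2 added to its event.action filter before FDR documents could match. Confirm that this kuery threshold (outside the hunk) admits the crowdstrike action and that the field it thresholds on is populated by the integration; if either is missing, the new logs-crowdstrike.fdr* entry contributes no events and "Data Source: Crowdstrike" is a misleading tag. A quick count of matches against a day of FDR data would settle it.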
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2024/02/01"
-integration = ["endpoint", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ repositories. Attackers can backdoor APT to gain persistence by injecting malici
 thereby ensuring continued unauthorized access or control each time APT is used for package management.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*", "logs-crowdstrike.fdr*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious APT Package Manager Execution"
@@ -84,26 +84,27 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Resources: Investigation Guide", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Resources: Investigation Guide", + "Data Source: Crowdstrike", ] type = "eql" query = ''' sequence by host.id with maxspan=5s - [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start") and + [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "ProcessRollup2") and process.parent.name == "apt" and process.args == "-c" and process.name in ( "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish" ) and not process.executable == "/usr/lib/venv-salt-minion/bin/python.original" ] by process.entity_id - [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start") and process.name : ( + [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "ProcessRollup2") and process.name : ( "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk" ) diff --git a/rules/linux/persistence_git_hook_execution.toml b/rules/linux/persistence_git_hook_execution.toml index afd3c5fe188..1db36eee719 100644 --- a/rules/linux/persistence_git_hook_execution.toml +++ b/rules/linux/persistence_git_hook_execution.toml 
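Review bot: Both stages still correlate on `process.entity_id` / `process.parent.entity_id` (and `sequence by host.id`), so adding logs-crowdstrike.fdr* only yields matches if the crowdstrike integration populates those ECS fields for ProcessRollup2 events; if it does not, no FDR document can join across the two stages and the coverage implied by the new tag is not real. This is worth verifying on a live FDR document rather than assumed, since a sequence that silently never joins is indistinguishable from one with no data. The second stage's closing `] by process.parent.entity_id` lies beyond the end of this hunk.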
@@ -1,8 +1,8 @@ [metadata] creation_date = "2024/07/15" -integration = ["endpoint", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/10/17" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ executes before or after events such as: commit, push, and receive. An attacker commands on the system and establish persistence. """ from = "now-9m" -index = ["logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = ["logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*", "logs-crowdstrike.fdr*"] language = "eql" license = "Elastic License v2" name = "Git Hook Command Execution" 
@@ -84,25 +84,26 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Resources: Investigation Guide", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Resources: Investigation Guide", + "Data Source: Crowdstrike", ] type = "eql" query = ''' sequence by host.id with maxspan=3s - [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start") and + [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "ProcessRollup2") and process.parent.name == "git" and process.args : ".git/hooks/*" and process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ] by process.entity_id - [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start") and + [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "ProcessRollup2") and process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.parent.entity_id ''' diff --git a/rules/linux/persistence_nodejs_pre_or_post_install_script_execution.toml b/rules/linux/persistence_nodejs_pre_or_post_install_script_execution.toml index a705be9afd9..7ec8d9e8dc2 100644 --- a/rules/linux/persistence_nodejs_pre_or_post_install_script_execution.toml +++ b/rules/linux/persistence_nodejs_pre_or_post_install_script_execution.toml 
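Review bot: The second stage accepts any child of a shell joined on `process.parent.entity_id` with no further filter, so the rule is exactly as good as its join keys; the added crowdstrike index only contributes if the integration fills `process.entity_id`, `process.parent.entity_id` and `host.id` on ProcessRollup2 events, which this change does not establish. Separately, `process.args : ".git/hooks/*"` is anchored at `.git`, so a hook invoked by absolute path would be missed if args carry the full path, and presumably a repository with `core.hooksPath` pointed elsewhere is not covered at all; `process.args : "*.git/hooks/*"` handles the first case cheaply. Both stages are complete within this hunk.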
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/09/18"
-integration = ["endpoint"]
+integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/18"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ this technique to execute arbitrary commands on the system and establish persist
 was observed in the wild as part of the Shai-Hulud worm.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*"]
+index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Node.js Pre or Post-Install Script Execution"
@@ -47,20 +47,21 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", + "Data Source: Crowdstrike", ] type = "eql" query = ''' sequence by host.id with maxspan=10s - [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "node" and process.args == "install"] by process.entity_id - [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name == "node"] by process.parent.entity_id + [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and process.name == "node" and process.args == "install"] by process.entity_id + [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and process.parent.name == "node"] by process.parent.entity_id ''' [[rule.threat]] diff --git a/rules/linux/persistence_pluggable_authentication_module_source_download.toml b/rules/linux/persistence_pluggable_authentication_module_source_download.toml index 5ef5cecbeb0..e41295538df 100644 --- a/rules/linux/persistence_pluggable_authentication_module_source_download.toml +++ b/rules/linux/persistence_pluggable_authentication_module_source_download.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2024/12/16" -integration = ["endpoint"] +integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/10/17" [rule] author = ["Elastic"] 
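Review bot: The first stage matches only `process.args == "install"`, so `npm i`, `npm ci` and `npm add`, which run the same pre/post-install lifecycle scripts, are not caught; presumably `process.args in ("install", "i", "ci", "add")` is the cheapest widening, to be checked against how npm actually appears in process.args on your hosts. The sequence also joins on `process.entity_id` / `process.parent.entity_id`, so the new crowdstrike index only delivers hits if the integration populates those fields on ProcessRollup2 events — confirm rather than assume. Both stages are complete within this hunk.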
@@ -15,7 +15,7 @@ false_positives = [ "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes.", ] from = "now-9m" -index = ["logs-endpoint.events.process*", "endgame-*"] +index = ["logs-endpoint.events.process*", "endgame-*", "logs-crowdstrike.fdr*"] language = "eql" license = "Elastic License v2" name = "Pluggable Authentication Module (PAM) Source Download" @@ -29,19 +29,20 @@ risk_score = 21 rule_id = "53ef31ea-1f8a-493b-9614-df23d8277232" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "ProcessRollup2") and process.name in ("curl", "wget") and process.args like~ "https://github.com/linux-pam/linux-pam/releases/download/v*/Linux-PAM-*.tar.xz" ''' diff --git a/rules/linux/persistence_unusual_sshd_child_process.toml b/rules/linux/persistence_unusual_sshd_child_process.toml index cb4a17f7bcf..10ff1a228ee 100644 --- a/rules/linux/persistence_unusual_sshd_child_process.toml +++ b/rules/linux/persistence_unusual_sshd_child_process.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2024/12/16" -integration = ["endpoint"] +integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/01/24" +updated_date = "2025/10/17" [rule] author = ["Elastic"] 
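Review bot: `process.args like~ "https://github.com/linux-pam/linux-pam/releases/download/v*/Linux-PAM-*.tar.xz"` is anchored at the scheme and host, so a plain `http://` URL, a `www.github.com` host, a trailing `?`/`#` or a mirror of the same tarball is not matched; `process.args like~ "*linux-pam/linux-pam/releases/download/v*/Linux-PAM-*.tar.xz*"` keeps the rule tight while dropping the brittle prefix. The ProcessRollup2 addition also assumes the crowdstrike integration splits the command line into process.args; if it only ships process.command_line, no FDR event can satisfy this predicate. The query is complete within the hunk.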
@@ -12,7 +12,7 @@ Attackers may abuse SSH to maintain persistence on a compromised system, or to e potentially resulting in an unusual SSHD child process being created. """ from = "now-9m" -index = ["logs-endpoint.events.process*"] +index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"] language = "kuery" license = "Elastic License v2" name = "Unusual SSHD Child Process" @@ -21,17 +21,18 @@ risk_score = 47 rule_id = "4c3c6c47-e38f-4944-be27-5c80be973bd7" severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", + "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.category:process and host.os.type:linux and event.type:start and event.action:exec and +event.category:process and host.os.type:linux and event.type:start and event.action:(exec or ProcessRollup2) and process.parent.name:(ssh or sshd) and process.args_count:2 and not ( process.command_line:(-bash or -zsh or -sh) or diff --git a/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml b/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml index cf3c4082eaf..925c7387c2e 100644 --- a/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml +++ b/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2024/01/15" -integration = ["endpoint", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/10/17" [rule] author = ["Elastic"] 
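Review bot: The new `event.action:(exec or ProcessRollup2)` clause only helps if FDR documents also satisfy `process.args_count:2`, and that is presumably not a field FDR carries natively, so confirm the crowdstrike integration populates it; if it does not, no ProcessRollup2 event reaches the new_terms evaluation. The login-shell exclusion `process.command_line:(-bash or -zsh or -sh)` also omits `-dash`, `-ksh`, `-fish`, `-tcsh` and `-csh`, the very shells the sibling rules enumerate, so those logins will surface as new terms; `process.command_line:(-bash or -zsh or -sh or -dash or -ksh or -fish or -tcsh or -csh)` aligns it. The `not (` block continues past the end of this hunk.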
@@ -12,7 +12,7 @@ within a container is capable of mounting the root file system of the host, and containarized environment. This behavior pattern is very uncommon and should be investigated. """ from = "now-9m" -index = ["logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = ["logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*", "logs-crowdstrike.fdr*"] language = "eql" license = "Elastic License v2" name = "Potential Chroot Container Escape via Mount" @@ -93,23 +93,24 @@ For more information about the additional fields collected when this setting is """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Domain: Container", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Resources: Investigation Guide", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Domain: Container", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Resources: Investigation Guide", + "Data Source: Crowdstrike", ] type = "eql" query = ''' sequence by host.id, process.parent.entity_id with maxspan=5m - [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start") and + [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "ProcessRollup2") and process.name == "mount" and process.args : "/dev/sd*" and process.args_count >= 3 and process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] - [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start") and + [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "ProcessRollup2") and process.name == "chroot"] ''' 
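Review bot: Stage one only accepts `process.args : "/dev/sd*"`, so a root disk exposed as `/dev/nvme0n1p2`, `/dev/vda1`, `/dev/xvda1` or a `/dev/mapper/*` volume, all common on cloud and LVM hosts, is never seen by the rule even though the chroot that follows is identical; `process.args : ("/dev/sd*", "/dev/nvme*", "/dev/vd*", "/dev/xvd*", "/dev/mapper/*")` widens it without loosening the parent-shell or chroot conditions. The `sequence by host.id, process.parent.entity_id` join also means the added crowdstrike index only produces hits if the integration populates process.parent.entity_id on ProcessRollup2 events — worth confirming. Both stages are complete within this hunk.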
diff --git a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
index 99c6f5add45..84f45499005 100644
--- a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
+++ b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/07/28"
-integration = ["endpoint", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ vulnerability where attackers manipulate commands or input containing wildcards
 operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*", "logs-crowdstrike.fdr*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Shell via Wildcard Injection Detected"
@@ -82,26 +82,27 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", - "Resources: Investigation Guide", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Resources: Investigation Guide", + "Data Source: Crowdstrike", ] type = "eql" query = ''' sequence by host.id with maxspan=1s - [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start") and ( + [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "ProcessRollup2") and ( (process.name == "tar" and process.args : "--checkpoint=*" and process.args : "--checkpoint-action=*") or (process.name == "rsync" and process.args : "-e*") or (process.name == "zip" and process.args == "--unzip-command") ) and not process.executable : "/tmp/newroot/*" ] by process.entity_id - [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start") and + [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "ProcessRollup2") and process.parent.name : ("tar", "rsync", "zip") and process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ] by process.parent.entity_id diff --git a/rules/linux/privilege_escalation_writable_docker_socket.toml b/rules/linux/privilege_escalation_writable_docker_socket.toml index d295882bb9d..7b9152ef549 100644 --- a/rules/linux/privilege_escalation_writable_docker_socket.toml +++ b/rules/linux/privilege_escalation_writable_docker_socket.toml 
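Review bot: The rsync trigger `process.args : "-e*"` matches only the short flag; rsync documents `--rsh=COMMAND` as the equivalent long form, so `process.args : ("-e*", "--rsh=*")` closes an easy gap. The tar branch requires both `--checkpoint=*` and `--checkpoint-action=*`; presumably GNU tar enables checkpoints when only the action is supplied, in which case insisting on `--checkpoint=*` lets a single-file injection through — worth checking against tar's documented behaviour before relaxing it. As with the other sequences in this change, the `by process.entity_id` / `by process.parent.entity_id` joins only work on FDR data if the crowdstrike integration fills those fields. Both stages are complete within the hunk.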
@@ -1,8 +1,8 @@ [metadata] creation_date = "2023/07/25" -integration = ["endpoint"] +integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2025/10/17" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ sockets may be able to create and run a container that allows them to escalate p the host file system. """ from = "now-9m" -index = ["logs-endpoint.events.process*"] +index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"] language = "eql" license = "Elastic License v2" name = "Potential Privilege Escalation through Writable Docker Socket" @@ -49,19 +49,20 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Domain: Container", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Domain: Container", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", + "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and ( (process.name == "docker" and process.args : "run" and process.args : "-it" and process.args : ("unix://*/docker.sock", "unix://*/dockershim.sock")) or diff --git a/rules_building_block/discovery_getconf_execution.toml b/rules_building_block/discovery_getconf_execution.toml index 20a0db5da2e..654a8c3b3b7 100644 --- a/rules_building_block/discovery_getconf_execution.toml +++ b/rules_building_block/discovery_getconf_execution.toml 
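Review bot: The docker branch demands `process.args : "-it"` alongside `run` and the socket URI, so an invocation with `-i -t` split, `--interactive --tty`, `-d`, or no tty at all is not matched even though the privilege-escalation outcome is the same; the `-it` test adds little beyond narrowing to interactive use and should either be dropped or widened to `process.args : ("-it", "-ti", "-i", "-t", "-d")`. The ProcessRollup2 addition also presumes the crowdstrike integration exposes process.args; if FDR only carries process.command_line these predicates never match. The remaining alternatives of the query lie beyond the end of this hunk.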
@@ -1,8 +1,8 @@ [metadata] creation_date = "2025/01/07" -integration = ["endpoint", "auditd_manager"] +integration = ["endpoint", "auditd_manager", "crowdstrike"] maturity = "production" -updated_date = "2025/01/07" +updated_date = "2025/10/17" [rule] author = ["Elastic"] @@ -13,7 +13,13 @@ variables and system limits. Adversaries may use this command to gather informat of open files, and other system limits, to aid in further exploration and exploitation of the system. """ from = "now-119m" -index = ["logs-endpoint.events.process*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +index = [ + "logs-endpoint.events.process*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*", + "logs-crowdstrike.fdr*", +] interval = "60m" language = "eql" license = "Elastic License v2" @@ -23,19 +29,20 @@ risk_score = 21 rule_id = "90e5976d-ed8c-489a-a293-bfc57ff8ba89" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", + "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started", "ProcessRollup2") and process.name == "getconf" ''' diff --git a/rules_building_block/discovery_kubectl_configuration_discovery.toml b/rules_building_block/discovery_kubectl_configuration_discovery.toml index 56f413afcea..2228efa5bb6 100644 
--- a/rules_building_block/discovery_kubectl_configuration_discovery.toml +++ b/rules_building_block/discovery_kubectl_configuration_discovery.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2025/06/19" -integration = ["endpoint", "auditd_manager"] +integration = ["endpoint", "auditd_manager", "crowdstrike"] maturity = "production" -updated_date = "2025/06/19" +updated_date = "2025/10/17" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ such as configmaps. In environments where kubectl is not expected to be used, th activity by an adversary. """ from = "now-119m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*"] interval = "60m" language = "eql" license = "Elastic License v2" @@ -23,22 +23,23 @@ risk_score = 21 rule_id = "98ac2919-f8b3-4d2d-b85b-e1c13ac0c68b" severity = "low" tags = [ - "Domain: Container", - "Domain: Endpoint", - "Domain: Kubernetes", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", + "Domain: Container", + "Domain: Endpoint", + "Domain: Kubernetes", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", + "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "linux" and event.type == "start" and -event.action in ("exec", "exec_event", "executed", "process_started") and +event.action in ("exec", "exec_event", "executed", "process_started", "ProcessRollup2") and process.name == "kubectl" and process.args in ("get", "describe") and process.args in ("configmap", "configmaps") ''' 
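Review bot: `process.args in ("configmap", "configmaps")` requires the resource name as a stand-alone argument, so presumably kubectl's `cm` short name and the `configmap/<name>` form, both accepted by `get`/`describe`, go unseen; `process.args in ("configmap", "configmaps", "cm") or process.args like ("configmap/*", "configmaps/*", "cm/*")` covers them. Adding ProcessRollup2 also assumes the crowdstrike integration populates process.args on FDR events; if it only carries the raw command line, this rule gets nothing from the new index. The query is complete within the hunk.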
diff --git a/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml b/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml index 3a6daa630d8..c03159fd99c 100644 --- a/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml +++ b/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2025/06/19" -integration = ["endpoint", "auditd_manager"] +integration = ["endpoint", "auditd_manager", "crowdstrike"] maturity = "production" -updated_date = "2025/06/19" +updated_date = "2025/10/17" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ resources. In environments where kubectl is not expected to be used, this could reconnaissance activity by an adversary. """ from = "now-119m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*"] interval = "60m" language = "eql" license = "Elastic License v2" 
@@ -24,22 +24,23 @@ risk_score = 21 rule_id = "74e5241e-c1a1-4e70-844e-84ee3d73eb7d" severity = "low" tags = [ - "Domain: Container", - "Domain: Endpoint", - "Domain: Kubernetes", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", + "Domain: Container", + "Domain: Endpoint", + "Domain: Kubernetes", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", + "Data Source: Crowdstrike", ] timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "linux" and event.type == "start" and -event.action in ("exec", "exec_event", "executed", "process_started") and +event.action in ("exec", "exec_event", "executed", "process_started", "ProcessRollup2") and process.name == "kubectl" and ( (process.args in ("cluster-info", "api-resources", "api-versions", "version")) or (process.args in ("get", "describe") and process.args in ( diff --git a/rules_building_block/discovery_linux_system_information_discovery.toml b/rules_building_block/discovery_linux_system_information_discovery.toml index 431c60f4301..78366054544 100644 --- a/rules_building_block/discovery_linux_system_information_discovery.toml +++ b/rules_building_block/discovery_linux_system_information_discovery.toml 
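Review bot: The resource list this hunk opens with `process.args in (` continues outside the diff, so its contents are not reviewable here; since `in` needs the resource as a whole argument, if the list holds only full names then kubectl short names (`po`, `svc`, `deploy`, `ns`) and the `kind/name` form would presumably slip past, which is worth a check where the list closes. The new ProcessRollup2 clause also depends on the crowdstrike integration splitting the command line into process.args for FDR events. Only the opening of the `kubectl` condition is visible in this hunk.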
@@ -1,15 +1,15 @@
 [metadata]
 creation_date = "2023/07/10"
-integration = ["endpoint", "auditd_manager"]
+integration = ["endpoint", "auditd_manager", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
 building_block_type = "default"
 description = "Enrich process events with uname and other command lines that imply Linux system information discovery."
 from = "now-119m"
-index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*"]
 interval = "60m"
 language = "eql"
 license = "Elastic License v2"
@@ -18,20 +18,21 @@ risk_score = 21
 rule_id = "b81bd314-db5b-4d97-82e8-88e3e5fc9de5"
 severity = "low"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Rule Type: BBR",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Data Source: Auditd Manager",
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Rule Type: BBR",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Auditd Manager",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and (
+process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started", "ProcessRollup2") and (
 process.name: "uname" or (
 process.name: ("cat", "more", "less") and
 process.args: ("*issue*", "*version*", "*profile*", "*services*", "*cpuinfo*")
 )
diff --git a/rules_building_block/discovery_linux_system_owner_user_discovery.toml b/rules_building_block/discovery_linux_system_owner_user_discovery.toml
index 2e2c8d3def8..f69c581a5f4 100644
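Review bot: The rewritten `process where` line in this hunk still carries no `host.os.type == "linux"` constraint, so once `logs-crowdstrike.fdr*` feeds it, `ProcessRollup2` events for `uname`, `cat`, `more` and `less` from any non-Linux host in that data stream (macOS ships these binaries under the same names) will satisfy a rule tagged `OS: Linux`. The owner/user discovery hunk (`@@ -21,20 +21,21 @@` in discovery_linux_system_owner_user_discovery.toml) has the same gap with `whoami`, `w`, `who`, `users` and `id`. The kubectl and domain-groups queries touched by this same commit do carry the clause, so the consistent fix is `process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started", "ProcessRollup2") and (` here and the equivalent in the owner/user rule. Whether the FDR stream actually mixes operating systems depends on the deployment, so this is a consistency fix first and a false-positive guard second.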
--- a/rules_building_block/discovery_linux_system_owner_user_discovery.toml
+++ b/rules_building_block/discovery_linux_system_owner_user_discovery.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/07/10"
-integration = ["endpoint", "auditd_manager"]
+integration = ["endpoint", "auditd_manager", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies the use of built-in tools which adversaries may use to enumerate the
 system.
 """
 from = "now-119m"
-index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*"]
 interval = "60m"
 language = "eql"
 license = "Elastic License v2"
@@ -21,20 +21,21 @@ risk_score = 21
 rule_id = "bf8c007c-7dee-4842-8e9a-ee534c09d205"
 severity = "low"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Rule Type: BBR",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Data Source: Auditd Manager",
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Rule Type: BBR",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Auditd Manager",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and
+process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started", "ProcessRollup2") and
 process.name : ("whoami", "w", "who", "users", "id")
 '''
diff --git a/rules_building_block/discovery_of_domain_groups.toml b/rules_building_block/discovery_of_domain_groups.toml
index 6a1122dd0d6..c64491dcc33 100644
--- a/rules_building_block/discovery_of_domain_groups.toml
+++ b/rules_building_block/discovery_of_domain_groups.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/08/23"
-integration = ["endpoint", "auditd_manager"]
+integration = ["endpoint", "auditd_manager", "crowdstrike"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2025/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies the execution of Linux built-in commands related to account or group
 and group information to orient themselves before deciding how to act.
 """
 from = "now-119m"
-index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*"]
 interval = "60m"
 language = "eql"
 license = "Elastic License v2"
@@ -21,20 +21,21 @@ risk_score = 21
 rule_id = "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc"
 severity = "low"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Rule Type: BBR",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Data Source: Auditd Manager",
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Rule Type: BBR",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Auditd Manager",
+ "Data Source: Crowdstrike",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started", "ProcessRollup2")
 and (
 process.name in ("ldapsearch", "dscacheutil") or
 (process.name == "dscl" and process.args : "*-list*")
 )