nldcsc-elastic-rules 0.0.8__py3-none-any.whl → 0.0.16__py3-none-any.whl

nldcsc_elastic_rules/__init__.py

@@ -1 +1 @@
-__version__ = "d10dc0809"
+__version__ = "56574c99c"

nldcsc_elastic_rules/rules/{linux → cross-platform}/command_and_control_curl_wget_spawn_via_nodejs_parent.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/09/18"
-integration = ["endpoint", "crowdstrike"]
+integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/10/17"
+updated_date = "2025/11/26"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,18 @@ command and control behavior. Adversaries may use Node.js to download additional
 the system.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
+index = [
+    "endgame-*",
+    "logs-crowdstrike.fdr*",
+    "logs-endpoint.events.process-*",
+    "logs-sentinel_one_cloud_funnel.*",
+    "logs-system.security*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
+    "winlogbeat-*",
+    "auditbeat-*",
+    "logs-auditd_manager.auditd-*"
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Curl or Wget Spawned via Node.js"
@@ -46,7 +57,7 @@ This rule flags Node.js launching curl or wget, directly or via a shell, a commo
 - Rebuild and redeploy the workload from a known-good image, remove the malicious child_process code path from the Node.js application, restore validated configs/data, rotate any keys or tokens used by that service, and verify no further curl/wget spawns occur post-recovery.
 - Harden by removing curl/wget from runtime images where not required, enforcing egress allowlists for the service, constraining execution with AppArmor/SELinux/seccomp and least-privilege service accounts, and adding CI/CD checks to block package.json postinstall scripts or code that shells out to downloaders.
 """
-risk_score = 21
+risk_score = 47
 rule_id = "d9af2479-ad13-4471-a312-f586517f1243"
 setup = """## Setup
 
@@ -73,28 +84,38 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-severity = "low"
+severity = "medium"
 tags = [
   "Domain: Endpoint",
   "OS: Linux",
+  "OS: Windows",
+  "OS: macOS",
   "Use Case: Threat Detection",
   "Tactic: Command and Control",
-  "Data Source: Elastic Defend",
   "Resources: Investigation Guide",
+  "Data Source: Elastic Defend",
+  "Data Source: Elastic Endgame",
+  "Data Source: Windows Security Event Logs",
+  "Data Source: Sysmon",
+  "Data Source: SentinelOne",
   "Data Source: Crowdstrike",
+  "Data Source: Auditd Manager",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and process.parent.name == "node" and (
+process where event.type == "start" and
+ event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
+ process.parent.name in ("node", "bun", "node.exe", "bun.exe") and (
   (
-    process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
-    process.args == "-c" and process.command_line like~ ("*curl*", "*wget*")
+    process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "cmd.exe", "bash.exe", "powershell.exe") and
+    process.command_line like~ ("*curl*http*", "*wget*http*")
   ) or 
   (
-    process.name in ("curl", "wget")
+    process.name in ("curl", "wget", "curl.exe", "wget.exe")
   )
-)
+) and
+ not process.command_line like ("*127.0.0.1*", "*localhost*")
 '''
 
 [[rule.threat]]

nldcsc_elastic_rules/rules/cross-platform/command_and_control_genai_process_suspicious_tld_connection.toml

@@ -0,0 +1,134 @@
+[metadata]
+creation_date = "2025/12/04"
+integration = ["endpoint", "windows"]
+maturity = "production"
+updated_date = "2025/12/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects when GenAI tools connect to domains using suspicious TLDs commonly abused for malware C2 infrastructure. TLDs
+like .top, .xyz, .ml, .cf, .onion are frequently used in phishing and malware campaigns. Legitimate GenAI services use
+well-established domains (.com, .ai, .io), so connections to suspicious TLDs may indicate compromised tools, malicious
+plugins, or AI-generated code connecting to attacker infrastructure.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.network*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "GenAI Process Connection to Suspicious Top Level Domain"
+note = """## Triage and analysis
+
+### Investigating GenAI Process Connection to Suspicious Top Level Domain
+
+This rule detects GenAI tools connecting to domains with TLDs commonly abused by malware. The suspicious TLD filter makes this a high-signal rule with low expected volume.
+
+### Possible investigation steps
+
+- Review the GenAI process command line to identify which tool is running and verify if it's an expected/authorized tool.
+- Examine the network connection details (destination IP, port, protocol) to understand the nature of the communication.
+- Check the process execution chain to identify the full attack path and initial entry point.
+- Investigate the user account associated with the GenAI process to determine if this activity is expected for that user.
+- Review network traffic patterns to identify data exfiltration or command and control communications.
+- Check for other alerts or suspicious activity on the same host around the same time.
+- Verify if the GenAI tool is from a trusted source and if it's authorized for use in your environment.
+- Confirm whether the suspicious domain is used by package registries, CDN mirrors, or AI plugin repos.
+- Check if the GenAI tool attempted follow-up actions such as downloading scripts, connecting to IPs directly, or loading remote models.
+- Inspect whether the domain matches prompt-redirections, malicious AI plugins, or compromised package dependencies.
+
+### False positive analysis
+
+- Legitimate GenAI tools may occasionally connect to domains using suspicious TLDs if they're legitimate services.
+- Package managers (npx, pnpm, yarn, bunx) may connect to package registries or CDNs that use suspicious TLDs. Review and exclude known legitimate package registries if needed.
+- Some third-party AI plugin ecosystems (VSCode AI plugins, Cursor extensions) may download assets from unusual TLDs; verify allowlists.
+
+### Response and remediation
+
+- Terminate the GenAI process and any spawned child processes to stop the malicious activity.
+- Review and revoke any API keys, tokens, or credentials that may have been exposed or used by the GenAI tool.
+- Block the identified suspicious domains at the network level.
+- Investigate the GenAI tool configuration to identify how it was configured and what it was authorized to access.
+- Update security policies to restrict or monitor GenAI tool usage in the environment, especially for network communications.
+- Add detection for secondary indicators (reverse shells, encoded C2 traffic, odd user-agent strings).
+"""
+references = [
+    "https://www.cybercrimeinfocenter.org/top-20-tlds-by-malicious-phishing-domains",
+    "https://atlas.mitre.org/techniques/AML.T0086",
+    "https://www.elastic.co/security-labs/elastic-advances-llm-security",
+]
+risk_score = 47
+rule_id = "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: macOS",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+    "Resources: Investigation Guide",
+    "Domain: LLM",
+    "Mitre Atlas: T0086",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+network where host.os.type in ("macos", "windows") and
+
+  // GenAI processes
+  process.name in (
+    "ollama.exe", "ollama", "Ollama",
+    "textgen.exe", "textgen", "text-generation-webui.exe", "oobabooga.exe",
+    "lmstudio.exe", "lmstudio", "LM Studio",
+    "claude.exe", "claude", "Claude",
+    "cursor.exe", "cursor", "Cursor",
+    "copilot.exe", "copilot", "Copilot",
+    "codex.exe", "codex",
+    "Jan", "jan.exe", "jan",
+    "gpt4all.exe", "gpt4all", "GPT4All",
+    "gemini-cli.exe", "gemini-cli",
+    "genaiscript.exe", "genaiscript",
+    "grok.exe", "grok",
+    "qwen.exe", "qwen",
+    "koboldcpp.exe", "koboldcpp", "KoboldCpp",
+    "llama-server", "llama-cli",
+    "deno.exe", "deno",
+    "npx", "pnpm", "yarn", "bunx"
+  ) and
+
+  // Suspicious TLDs 
+  (
+    // Windows DNS events
+    (host.os.type == "windows" and dns.question.name != null and
+     dns.question.name regex """.*\.(top|buzz|xyz|rest|ml|cf|gq|ga|onion|monster|cyou|quest|cc|bar|cfd|click|cam|surf|tk|shop|club|icu|pw|ws|online|fun|life|boats|store|hair|skin|motorcycles|christmas|lol|makeup|mom|bond|beauty|biz|live|work|zip|country|accountant|date|party|science|loan|win|men|faith|review|racing|download|host)""") or
+
+    // macOS network events
+    (host.os.type == "macos" and destination.domain != null and
+     destination.domain regex """.*\.(top|buzz|xyz|rest|ml|cf|gq|ga|onion|monster|cyou|quest|cc|bar|cfd|click|cam|surf|tk|shop|club|icu|pw|ws|online|fun|life|boats|store|hair|skin|motorcycles|christmas|lol|makeup|mom|bond|beauty|biz|live|work|zip|country|accountant|date|party|science|loan|win|men|faith|review|racing|download|host)""")
+
+    // Linux DNS events
+    // Revist when available
+  )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat.technique.subtechnique]]
+id = "T1071.004"
+name = "DNS"
+reference = "https://attack.mitre.org/techniques/T1071/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+

nldcsc_elastic_rules/rules/cross-platform/command_and_control_genai_process_unusual_domain.toml

@@ -0,0 +1,128 @@
+[metadata]
+creation_date = "2025/12/04"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/12/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects GenAI tools connecting to unusual domains on macOS. Adversaries may compromise GenAI tools through prompt
+injection, malicious MCP servers, or poisoned plugins to establish C2 channels or exfiltrate sensitive data to
+attacker-controlled infrastructure. AI agents with network access can be manipulated to beacon to external servers,
+download malicious payloads, or transmit harvested credentials and documents.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.network*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "GenAI Process Connection to Unusual Domain"
+note = """## Triage and analysis
+
+### Investigating GenAI Process Connection to Unusual Domain
+
+GenAI tools with network access can be weaponized to contact attacker infrastructure for C2, data exfiltration, or payload retrieval. Compromised MCP servers, malicious plugins, or prompt injection attacks can redirect AI agents to connect to arbitrary domains. While legitimate GenAI tools connect to vendor APIs and CDNs, connections to unusual domains may indicate exploitation.
+
+### Possible investigation steps
+
+- Review the destination domain to determine if it's a legitimate GenAI service, CDN, package registry, or potentially malicious infrastructure.
+- Investigate the GenAI process command line and configuration to identify what triggered the connection (plugin, MCP server, user prompt).
+- Check if the domain was recently registered, uses a suspicious TLD, or has a low reputation score in threat intelligence feeds.
+- Review the timing and context of the connection to determine if it correlates with user activity or was automated.
+- Examine network traffic to and from the domain to identify the nature of the communication (API calls, file downloads, data exfiltration).
+- Check for other hosts in the environment connecting to the same domain to determine if this is an isolated incident.
+- Investigate whether the GenAI tool's configuration files were recently modified to add new MCP servers or plugins.
+- Correlate with file events to see if the GenAI tool downloaded or created files around the same time as the connection.
+
+### False positive analysis
+
+- GenAI tools may connect to new domains as vendors update their infrastructure, CDNs, or API endpoints.
+- Package managers (npm, pip) used by MCP servers may connect to package registries for dependency resolution.
+- Legitimate MCP servers and AI plugins connect to their respective backend services.
+- Developer workflows testing new AI integrations or MCP servers will naturally trigger alerts for novel domain connections.
+
+### Response and remediation
+
+- If the domain is confirmed malicious, block it at the network level and investigate the source of the compromise.
+- Review the GenAI tool's configuration for unauthorized MCP servers, plugins, or extensions that initiated the connection.
+- Investigate any data that may have been sent to the suspicious domain and assess the potential for data exfiltration.
+- Review and rotate any API keys, tokens, or credentials used by the GenAI tool.
+- Update detection rules to monitor the identified domain across all hosts in the environment.
+"""
+references = [
+    "https://atlas.mitre.org/techniques/AML.T0086",
+    "https://glama.ai/blog/2025-11-11-the-lethal-trifecta-securing-model-context-protocol-against-data-flow-attacks",
+    "https://www.elastic.co/security-labs/elastic-advances-llm-security",
+    "https://specterops.io/blog/2025/11/21/an-evening-with-claude-code",
+]
+risk_score = 47
+rule_id = "9050506c-df6d-4bdf-bc82-fcad0ef1e8c1"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+    "Data Source: Elastic Defend",
+    "Resources: Investigation Guide",
+    "Domain: LLM",
+    "Mitre Atlas: T0086",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.category:network and host.os.type:macos and
+process.name:(
+    Claude or "Claude Helper" or "Claude Helper (Plugin)" or Copilot or Cursor or
+    "Cursor Helper" or "Cursor Helper (Plugin)" or GPT4All or Jan or "Jan Helper" or
+    KoboldCpp or "LM Studio" or Ollama or Windsurf or "Windsurf Helper" or
+    "Windsurf Helper (Plugin)" or bunx or claude or codex or copilot or cursor or deno or
+    gemini-cli or genaiscript or gpt4all or grok or jan or koboldcpp or llama-cli or
+    llama-server or lmstudio or npx or ollama or pnpm or qwen or textgen or windsurf or yarn
+) and destination.domain:(* and not (
+    aka.ms or anthropic.com or atlassian.com or cursor.com or cursor.sh or github.com or
+    gpt4all.io or hf.co or huggingface.co or lmstudio.ai or localhost or ollama.ai or
+    ollama.com or openai.com or *.aka.ms or *.akamaized.net or *.amazonaws.com or
+    *.amplitude.com or *.anthropic.com or *.atlassian.com or *.aws.amazon.com or
+    *.azure.com or *.cdn.cloudflare.net or *.cloudflare-dns.com or *.cloudflare.com or
+    *.cloudflarestorage.com or *.codeium.com or *.cursor.com or *.cursor.sh or
+    *.datadoghq.com or *.elastic-cloud.com or *.elastic.co or *.exp-tas.com or
+    *.gemini.google.com or *.generativelanguage.googleapis.com or *.github.com or
+    *.githubcopilot.com or *.githubusercontent.com or *.gitkraken.com or *.gitkraken.dev or
+    *.google.com or *.googleapis.com or *.gpt4all.io or *.grok.x.ai or *.hf.co or
+    *.honeycomb.io or *.huggingface.co or *.intercom.io or *.jan.ai or *.launchdarkly.com or
+    *.lmstudio.ai or *.microsoft.com or *.mixpanel.com or *.msedge.net or *.npmjs.com or
+    *.npmjs.org or *.ollama.ai or *.ollama.com or *.openai.com or *.pypi.org or
+    *.r2.cloudflarestorage.com or *.segment.io or *.sentry.io or *.visualstudio.com or
+    *.vsassets.io or *.vscode-cdn.net or *.windsurf.ai or *.x.ai or *.yarnpkg.com
+))
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["destination.domain"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
+
+

nldcsc_elastic_rules/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml

@@ -0,0 +1,154 @@
+[metadata]
+creation_date = "2025/12/04"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/12/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects when GenAI tools access sensitive files such as cloud credentials, SSH keys, browser password databases, or
+shell configurations. Attackers leverage GenAI agents to systematically locate and exfiltrate credentials, API keys, and
+tokens. Access to credential stores (.aws/credentials, .ssh/id_*) suggests harvesting, while writes to shell configs
+(.bashrc, .zshrc) indicate persistence attempts. Note: On linux only creation events are available. Access events are not yet implemented.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.file*"]
+language = "eql"
+license = "Elastic License v2"
+name = "GenAI Process Accessing Sensitive Files"
+note = """## Triage and analysis
+
+### Investigating GenAI Process Accessing Sensitive Files
+
+This rule detects GenAI tools accessing credential files, SSH keys, browser data, or shell configurations. While GenAI tools legitimately access project files, access to sensitive credential stores is unusual and warrants investigation.
+
+### Possible investigation steps
+
+- Review the GenAI process that triggered the alert to identify which tool is being used and verify if it's an expected/authorized tool.
+- Investigate the user account associated with the GenAI process to determine if this activity is expected for that user.
+- Review the types of sensitive files being accessed (credentials, keys, browser data, etc.) to assess the potential impact of credential harvesting or data exfiltration.
+- Check for other alerts or suspicious activity on the same host around the same time, particularly network exfiltration events.
+- Verify if the GenAI tool or extension is from a trusted source and if it's authorized for use in your environment.
+- Determine if the GenAI process accessed multiple sensitive directories in sequence, an indication of credential harvesting.
+- Check if the GenAI tool recently created or accessed AI agent config files, which may contain instructions enabling autonomous file scanning.
+- Review whether the access was preceded by an MCP server, LangChain agent, or background automation.
+
+### False positive analysis
+
+- Automated security scanning or auditing tools that leverage GenAI may access sensitive files as part of their normal operation.
+- Development workflows that use GenAI tools for code analysis may occasionally access credential files.
+
+### Response and remediation
+
+- Immediately review the GenAI process that accessed the documents to determine if it's compromised or malicious.
+- Review, rotate, and revoke any API keys, tokens, or credentials that may have been exposed or used by the GenAI tool.
+- Investigate the document access patterns to determine the scope of potential data exfiltration.
+- Update security policies to restrict or monitor GenAI tool usage in the environment, especially for access to sensitive files.
+"""
+references = [
+    "https://atlas.mitre.org/techniques/AML.T0085",
+    "https://atlas.mitre.org/techniques/AML.T0085.001",
+    "https://atlas.mitre.org/techniques/AML.T0055",
+    "https://glama.ai/blog/2025-11-11-the-lethal-trifecta-securing-model-context-protocol-against-data-flow-attacks",
+    "https://www.elastic.co/security-labs/elastic-advances-llm-security",
+    "https://specterops.io/blog/2025/11/21/an-evening-with-claude-code",
+]
+risk_score = 73
+rule_id = "c0136397-f82a-45e5-9b9f-a3651d77e21a"
+severity = "high"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "OS: macOS",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Collection",
+    "Tactic: Credential Access",
+    "Data Source: Elastic Defend",
+    "Resources: Investigation Guide",
+    "Domain: LLM",
+    "Mitre Atlas: T0085",
+    "Mitre Atlas: T0085.001",
+    "Mitre Atlas: T0055",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+file where event.action in ("open", "creation", "modification") and event.outcome == "success" and
+
+  // GenAI process 
+    process.name in (
+      "ollama.exe", "ollama", "Ollama",
+      "textgen.exe", "textgen", "text-generation-webui.exe", "oobabooga.exe",
+      "lmstudio.exe", "lmstudio", "LM Studio",
+      "claude.exe", "claude", "Claude",
+      "cursor.exe", "cursor", "Cursor",
+      "copilot.exe", "copilot", "Copilot",
+      "codex.exe", "codex",
+      "Jan", "jan.exe", "jan",
+      "gpt4all.exe", "gpt4all", "GPT4All",
+      "gemini-cli.exe", "gemini-cli",
+      "genaiscript.exe", "genaiscript",
+      "grok.exe", "grok",
+      "qwen.exe", "qwen",
+      "koboldcpp.exe", "koboldcpp", "KoboldCpp",
+      "llama-server", "llama-cli"
+    ) and
+
+  // Sensitive file paths
+  (
+    // Persistence via Shell configs
+    file.name in (".bashrc", ".bash_profile", ".zshrc", ".zshenv", ".zprofile", ".profile", ".bash_logout") or
+
+    // Credentials In Files 
+    file.name like~ 
+                 ("key?.db", 
+                  "logins.json", 
+                  "Login Data", 
+                  "Local State",
+                  "signons.sqlite",
+                  "Cookies", 
+                  "cookies.sqlite",
+                  "Cookies.binarycookies", 
+                  "login.keychain-db", 
+                  "System.keychain", 
+                  "credentials.db", 
+                  "credentials", 
+                  "access_tokens.db", 
+                  "accessTokens.json", 
+                  "azureProfile.json",
+                  "RDCMan.settings", 
+                  "known_hosts", 
+                  "KeePass.config.xml", 
+                  "Unattended.xml")
+  )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1555"
+name = "Credentials from Password Stores"
+reference = "https://attack.mitre.org/techniques/T1555/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+

nldcsc_elastic_rules/rules/cross-platform/credential_access_gitleaks_execution.toml

@@ -0,0 +1,114 @@
+[metadata]
+creation_date = "2025/11/28"
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
+maturity = "production"
+updated_date = "2025/11/28"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects the execution of Gitleaks, a tool used to search for high-entropy strings and secrets in code
+repositories, which may indicate an attempt to access credentials.
+"""
+false_positives = [
+    """
+    Gitleaks is a legitimate open-source tool used by security professionals and developers to search for sensitive
+    information, such as passwords, API keys, and other secrets, within code repositories. It is commonly employed
+    during security assessments and code reviews to identify potential vulnerabilities.
+    """,
+]
+from = "now-9m"
+index = [
+    "endgame-*",
+    "logs-crowdstrike.fdr*",
+    "logs-endpoint.events.process-*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+    "logs-system.security*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
+    "winlogbeat-*",
+    "auditbeat-*",
+    "logs-auditd_manager.auditd-*"
+]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Secret Scanning via Gitleaks"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential Secret Scanning via Gitleaks
+
+This alert fires when a host launches Gitleaks, a secret-scanning utility that hunts high-entropy strings and credentials in source code and repositories, signaling potential credential harvesting. An attacker may clone internal repos or traverse local workspace directories, drop a portable gitleaks binary in /tmp or %TEMP%, run recursive scans with wide rule sets and JSON output, then archive the results to exfiltrate tokens, API keys, and passwords for lateral movement and service impersonation.
+
+### Possible investigation steps
+
+- Review the full command line to identify --path/--repo/--report/--format flags, which reveal scope and whether results are being written for exfiltration.
+- Examine parent and ancestry plus user session to determine if it was launched by CI/dev tooling versus an interactive shell, and note execution from temp or unusual directories suggesting a dropped portable binary.
+- Locate and inspect newly created artifacts (gitleaks.json, .sarif, .csv, zip archives) near the event time, confirm the presence of secrets, and map their sensitivity to affected systems.
+- Correlate with network and data movement around the event for clones to internal repos and outbound transfers to cloud storage, paste sites, or email, and capture repository URLs or destinations if present.
+- Trace how the binary arrived by checking recent downloads and file writes (curl/wget, package managers, GitHub releases), verify the binary’s hash and signer, and compare against known-good sources.
+
+### False positive analysis
+
+- A developer or security team member intentionally runs gitleaks to audit internal code for secrets during routine hygiene, producing local report artifacts and showing normal parent processes without exfiltration behavior.
+- A user invokes gitleaks with --version or --help to validate installation or review usage, which generates a process start event but performs no scanning or credential access.
+
+### Response and remediation
+
+- If the run was unauthorized or executed from /tmp, %TEMP%, or a user profile, terminate gitleaks.exe/gitleaks, isolate the host from the network, and capture the binary path and hash for forensics.
+- Quarantine report artifacts produced by the run (gitleaks.json, .sarif, .csv, and any zip archives) by securing copies for evidence, removing world-readable permissions, and deleting residual copies from the working directory, Downloads, repo folders, and CI workspaces after collection.
+- Eradicate tooling by removing the dropped gitleaks binary and any wrapper scripts or CI job steps that invoke it, and enforce execution blocking for gitleaks in user-writable paths via application control or EDR policy.
+- Immediately revoke and rotate any secrets confirmed in the reports or repository (cloud API keys, service tokens, SSH keys, credentials), purge them from repo history (git filter-repo/BFG) if present, redeploy updated secrets from the vault, and force password resets for affected accounts.
+- Review git activity and data movement around the event for repo clones and exports, and inspect outbound transfers of report files to cloud storage, paste sites, or email; escalate to Incident Response and Legal if any report left the device or if production/customer credentials are exposed.
+- Harden going forward by enabling approved server-side and CI secret scanning, enforcing pre-commit hooks, prohibiting PATs with broad scopes, restricting egress to paste/file-sharing sites, and blocking execution of portable binaries from temp and user-writable locations."""
+references = [
+    "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise",
+    "https://socket.dev/blog/shai-hulud-strikes-again-v2",
+]
+risk_score = 47
+rule_id = "f92171ed-a4d3-4baa-98f9-4df1652cb11b"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "OS: Windows",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+    "Data Source: Windows Security Event Logs",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
+    "Data Source: Auditd Manager",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where event.type == "start" and event.action like ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started", "Process Create*") and
+process.name : ("gitleaks.exe", "gitleaks")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+
+[[rule.threat.technique]]
+id = "T1555"
+name = "Credentials from Password Stores"
+reference = "https://attack.mitre.org/techniques/T1555/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"