PyPI - nldcsc-elastic-rules - Versions diffs - 0.0.8__py3-none-any.whl → 0.0.16__py3-none-any.whl - Mend

nldcsc-elastic-rules 0.0.8py3-none-any.whl → 0.0.16py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (123) hide show

nldcsc_elastic_rules/rules/windows/credential_access_rare_webdav_destination.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2025/04/28"
 integration = ["endpoint", "system", "windows", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/05"
 [rule]
 author = ["Elastic"]
@@ -54,7 +54,7 @@ timestamp_override = "event.ingested"
 type = "esql"
 query = '''
-from logs-*
+from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-*, logs-windows.*, winlogbeat-*, logs-crowdstrike.fdr*, logs-m365_defender.event-* METADATA _id, _version, _index
 | where
     @timestamp > now() - 8 hours and
     event.category == "process" and
@@ -62,8 +62,7 @@ from logs-*
     process.name == "rundll32.exe" and
     process.command_line like "*DavSetCookie*"
 | keep host.id, process.command_line, user.name
-| grok
-    process.command_line """(?<Esql.server_webdav_cookie>DavSetCookie .* http)"""
+| grok process.command_line """(?<Esql.server_webdav_cookie>DavSetCookie .* http)"""
 | eval
     Esql.server_webdav_cookie_replace = replace(Esql.server_webdav_cookie, "(DavSetCookie | http)", "")
 | where

nldcsc_elastic_rules/rules/windows/defense_evasion_masquerading_as_svchost.toml CHANGED Viewed

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/11/12"
-integration = ["windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2025/11/12"
+updated_date = "2025/12/09"
 min_stack_version = "9.1.0"
 min_stack_comments = "The esql match operator was introduced in version 9.1.0"
@@ -60,19 +60,22 @@ tags = [
     "OS: Windows",
     "Use Case: Threat Detection",
     "Tactic: Defense Evasion",
-    "Resources: Investigation Guide"
+    "Resources: Investigation Guide",
+    "Data Source: Elastic Defend",
+    "Data Source: Windows Security Event Logs",
+    "Data Source: Sysmon"
 ]
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
-FROM logs-* metadata _id, _version, _index
+FROM logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-*, logs-windows.*, winlogbeat-* metadata _id, _version, _index
 | where event.category == "process" and event.type == "start" and
   match(process.name, "svchost.exe", { "fuzziness": 1, "max_expansions": 10 }) and
-  not process.executable in ("C:\\Windows\\SysWOW64\\svchost.exe", "C:\\Windows\\System32\\svchost.exe") and
-  not process.executable like """\\Device\\HarddiskVolume*\\Windows\\System32\\svchost.exe""" and
-  not process.executable like """\\Device\\HarddiskVolume*\\Windows\\SysWOW64\\svchost.exe"""
-| keep event.dataset, host.name, host.id, user.id, user.name, process.executable, process.parent.executable, process.command_line
+  not to_lower(process.executable) in ("c:\\windows\\syswow64\\svchost.exe", "c:\\windows\\system32\\svchost.exe") and
+  not to_lower(process.executable) like """\\device\\harddiskvolume*\\windows\\system32\\svchost.exe""" and
+  not to_lower(process.executable) like """\\device\\harddiskvolume*\\windows\\syswow64\\svchost.exe"""
+| keep event.dataset, host.name, host.id, user.id, user.name, process.executable, process.parent.executable, process.command_line, _id, _version, _index
 '''

nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2024/07/03"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
@@ -91,7 +91,6 @@ event.category:process and host.os.type:windows and
     "[convert]::toint16" or
     "[char][int]$_" or
     ("ConvertTo-SecureString" and "PtrToStringAuto") or
-    ".GetNetworkCredential().password" or
     "-BXor" or
     ("replace" and "char") or
     "[array]::reverse" or
@@ -106,9 +105,33 @@ event.category:process and host.os.type:windows and
     ("$VerbosePreference" and "[1,3]+'X'-Join''") or
     ("rahc" or "ekovin" or "gnirts" or "ecnereferpesobrev" or "ecalper" or "cepsmoc" or "dillehs") or
     ("System.Management.Automation.$([cHAr]" or "System.$([cHAr]" or ")+[cHAR]([byte]")
+  ) and
+  not powershell.file.script_block_text : (
+        ("Copyright (c) 2018 Ansible Project" or "Export-ModuleMember -Function Add-CSharpType") and
+        ("[Object]$AnsibleModule" or "$AnsibleModule.Tmpdir")
   )
 '''
+[[rule.filters]]
+[rule.filters.meta]
+negate = true
+[rule.filters.query.wildcard."file.directory"]
+case_insensitive = true
+value = "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\*"
+[[rule.filters]]
+[rule.filters.meta]
+negate = true
+[rule.filters.query.wildcard."file.directory"]
+case_insensitive = true
+value = "?:\\\\Program Files (x86)\\\\WindowsPowerShell\\\\Modules\\\\*"
+[[rule.filters]]
+[rule.filters.meta]
+negate = true
+[rule.filters.query.wildcard."file.path"]
+case_insensitive = true
+value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\\*"
 [[rule.threat]]
 framework = "MITRE ATT&CK"

nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_backtick.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2025/04/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/08/14"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
@@ -104,8 +104,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 | keep
     Esql.script_block_pattern_count,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
     file.name,
     file.directory,
     file.path,

nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
@@ -103,8 +103,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_pattern_count,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
     file.path,
     file.name,
     powershell.sequence,

nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
@@ -105,8 +105,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 | keep
     Esql.script_block_pattern_count,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
     file.path,
     powershell.sequence,
     powershell.total,

nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2025/04/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
@@ -101,8 +101,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 | keep
     Esql.script_block_pattern_count,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
     file.path,
     powershell.sequence,
     powershell.total,

nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/08/14"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
@@ -106,8 +106,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_ratio,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
     file.directory,
     file.path,
     powershell.sequence,

nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/08/14"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
@@ -106,8 +106,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_pattern_count,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
     file.path,
     powershell.sequence,
     powershell.total,

nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/08/14"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
@@ -107,8 +107,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_pattern_count,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
     file.path,
     file.directory,
     powershell.sequence,

nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
@@ -108,8 +108,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_pattern_count,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
     file.path,
     powershell.sequence,
     powershell.total,

nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/08/14"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
@@ -104,8 +104,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 | keep
     Esql.script_block_pattern_count,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
     file.path,
     powershell.sequence,
     powershell.total,

nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
@@ -106,8 +106,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_pattern_count,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
     file.path,
     powershell.sequence,
     powershell.total,

nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_string_format.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2025/04/03"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/08/14"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
@@ -105,8 +105,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_pattern_count,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
     file.path,
     file.directory,
     powershell.sequence,

nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
@@ -113,8 +113,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_length,
     Esql.script_block_ratio,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
     file.path,
     powershell.sequence,
     powershell.total,

nldcsc_elastic_rules/rules/windows/defense_evasion_wsl_filesystem.toml CHANGED Viewed

@@ -2,13 +2,13 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
 description = """
-Detects files creation and modification on the host system from the the Windows Subsystem for Linux. Adversaries may
-enable and use WSL for Linux to avoid detection.
+Detects file creation and modification on the host system from the Windows Subsystem for Linux. Adversaries may enable
+and use WSL to avoid detection.
 """
 from = "now-9m"
 index = [
@@ -20,13 +20,13 @@ index = [
 ]
 language = "eql"
 license = "Elastic License v2"
-name = "Host Files System Changes via Windows Subsystem for Linux"
+name = "Host File System Changes via Windows Subsystem for Linux"
 note = """## Triage and analysis
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-### Investigating Host Files System Changes via Windows Subsystem for Linux
+### Investigating Host File System Changes via Windows Subsystem for Linux
 Windows Subsystem for Linux (WSL) allows users to run a Linux environment directly on Windows, facilitating seamless file access between systems. Adversaries may exploit WSL to modify host files stealthily, bypassing traditional security measures. The detection rule identifies suspicious file operations initiated by WSL processes, particularly those involving the Plan9FileSystem, to flag potential defense evasion attempts.
@@ -75,11 +75,14 @@ type = "eql"
 query = '''
 sequence by process.entity_id with maxspan=5m
- [process where host.os.type == "windows" and event.type == "start" and
-  process.name : "dllhost.exe" and
-   /* Plan9FileSystem CLSID - WSL Host File System Worker */
-  process.command_line : "*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*"]
- [file where host.os.type == "windows" and process.name : "dllhost.exe" and not file.path : "?:\\Users\\*\\Downloads\\*"]
+[process where host.os.type == "windows" and event.type == "start" and
+ process.name : "dllhost.exe" and
+  /* Plan9FileSystem CLSID - WSL Host File System Worker */
+ process.command_line : "*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*"]
+[file where host.os.type == "windows" and process.name : "dllhost.exe" and
+  not file.path : (
+        "?:\\Users\\*\\Downloads\\*",
+        "?:\\Windows\\Prefetch\\DLLHOST.exe-????????.pf")]
 '''

nldcsc_elastic_rules/rules/windows/execution_posh_hacktool_functions.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2023/01/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/09/03"
+updated_date = "2025/12/01"
 [transform]
 [[transform.osquery]]
@@ -321,7 +321,8 @@ event.category:process and host.os.type:windows and
     "Invoke-FileTransferOverWMI" or "Invoke-WMImplant" or
     "Invoke-WMIObfuscatedPSCommand" or "Invoke-WMIDuplicateClass" or
     "Invoke-WMIUpload" or "Invoke-WMIRemoteExtract" or "Invoke-winPEAS" or
-    "Invoke-AzureHound" or "Invoke-SharpHound"
+    "Invoke-AzureHound" or "Invoke-SharpHound" or "Invoke-DownloadCradle" or
+    "Invoke-AppPathBypass"
   ) and
   not powershell.file.script_block_text : (
     "sentinelbreakpoints" and "Set-PSBreakpoint"

nldcsc_elastic_rules/rules/windows/execution_suspicious_powershell_imgload.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/09/18"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
@@ -97,7 +97,7 @@ host.os.type:windows and event.category:library and
     process.code_signature.trusted:true
   ) and
   not (
-    process.executable: C\:\\Windows\\Temp\\\{*\}\\_is*.exe and
+    process.name: (_is*.exe or "DellInstaller_x64.exe") and
     process.code_signature.subject_name:("Dell Technologies Inc." or "Dell Inc" or "Dell Inc.") and
     process.code_signature.trusted:true
   ) and
@@ -106,6 +106,11 @@ host.os.type:windows and event.category:library and
     process.code_signature.subject_name:("Chocolatey Software, Inc." or "Chocolatey Software, Inc") and
     process.code_signature.trusted:true
   ) and
+  not (
+    process.name: "Docker Desktop Installer.exe" and
+    process.code_signature.subject_name:"Docker Inc" and
+    process.code_signature.trusted:true
+  ) and
   not process.executable : (
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" or
     "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"

nldcsc_elastic_rules/rules/windows/execution_windows_powershell_susp_args.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2024/09/06"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/18"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
@@ -150,7 +150,9 @@ process where host.os.type == "windows" and event.type == "start" and
           "*$env:computername*http*",
           "*;InVoKe-ExpRESsIoN $COntent.CONTENt;*",
           "*WebClient*example.com*",
-          "*=iwr $*;iex $*"
+          "*=iwr $*;iex $*",
+          "*ServerXmlHttp*IEX*",
+          "*XmlDocument*IEX*"
     ) or
     (process.args : "-c" and process.args : "&{'*") or
@@ -161,6 +163,11 @@ process where host.os.type == "windows" and event.type == "start" and
     process.args : "$*$*;set-alias" or
+    process.args == "-e" or
+    // ATHPowerShellCommandLineParameter
+    process.args : ("-EncodedCommandParamVariation", "-UseEncodedArguments", "-CommandParamVariation") or
     (
       process.parent.name : ("explorer.exe", "cmd.exe") and
       process.command_line : ("*-encodedCommand*", "*Invoke-webrequest*", "*WebClient*", "*Reflection.Assembly*"))

nldcsc_elastic_rules/rules/windows/impact_mod_critical_os_files.toml CHANGED Viewed

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/09/01"
-integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/09/11"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,6 @@ index = [
     "endgame-*",
     "logs-m365_defender.event-*",
     "logs-sentinel_one_cloud_funnel.*",
-    "logs-crowdstrike.fdr*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -75,9 +74,20 @@ type = "eql"
 query = '''
 file where host.os.type == "windows" and event.type in ("change", "deletion") and
- file.name : ("winload.exe", "winlod.efi", "ntoskrnl.exe", "bootmgr") and
- file.path : ("?:\\Windows\\*", "\\Device\\HarddiskVolume*\\Windows\\*") and
- not process.executable : ("?:\\Windows\\System32\\poqexec.exe", "\\Device\\HarddiskVolume*\\Windows\\System32\\poqexec.exe")
+  file.name : ("winload.exe", "winlod.efi", "ntoskrnl.exe", "bootmgr") and
+  file.path : ("?:\\Windows\\*", "\\Device\\HarddiskVolume*\\Windows\\*") and
+  not process.executable : (
+    "?:\\Windows\\System32\\poqexec.exe",
+    "?:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_*\\tiworker.exe"
+  ) and
+  not file.path : (
+    "?:\\Windows\\WinSxS\\Temp\\InFlight\\*",
+    "?:\\Windows\\SoftwareDistribution\\Download*",
+    "?:\\Windows\\WinSxS\\amd64_microsoft-windows*",
+    "?:\\Windows\\SystemTemp\\*",
+    "?:\\Windows\\Temp\\????????.???\\*",
+    "?:\\Windows\\Temp\\*\\amd64_microsoft-windows-*"
+  )
 '''

nldcsc_elastic_rules/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2025/10/28"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2025/10/28"
+updated_date = "2025/11/25"
 [rule]
 author = ["Elastic"]
@@ -85,7 +85,12 @@ query = '''
 sequence by source.port, source.ip with maxspan=3s
  [network where host.os.type == "windows" and destination.port == 88 and
   process.executable != null and
-  not process.executable : ("?:\\Windows\\system32\\lsass.exe", "\\device\\harddiskvolume*\\windows\\system32\\lsass.exe") and
+  not process.executable :
+              ("?:\\Windows\\system32\\lsass.exe",
+               "\\device\\harddiskvolume*\\windows\\system32\\lsass.exe") and
+  not (process.executable : ("C:\\Windows\\System32\\svchost.exe",
+                             "C:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe",
+                             "F:\\IGEL\\RemoteManager\\*\\bin\\tomcat10.exe") and user.id in ("S-1-5-20", "S-1-5-18")) and
   source.ip != "127.0.0.1" and destination.ip != "::1" and destination.ip != "127.0.0.1"]
  [authentication where host.os.type == "windows" and event.code in ("4768", "4769")]
 '''

nldcsc_elastic_rules/rules/windows/lateral_movement_scheduled_task_target.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2020/11/20"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/08/28"
+updated_date = "2025/12/08"
 [rule]
 author = ["Elastic"]
@@ -68,7 +68,7 @@ query = '''
 sequence by host.id, process.entity_id with maxspan = 1m
    [network where host.os.type == "windows" and process.name : "svchost.exe" and
    network.direction : ("incoming", "ingress") and source.port >= 49152 and destination.port >= 49152 and
-   source.ip != "127.0.0.1" and source.ip != "::1"
+   source.ip != "127.0.0.1" and source.ip != "::1" and source.ip != null
    ]
    [registry where host.os.type == "windows" and event.type == "change" and registry.value : "Actions" and
     registry.path : "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"]

nldcsc_elastic_rules/rules/windows/persistence_browser_extension_install.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2023/08/22"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
 maturity = "production"
-updated_date = "2025/05/05"
+updated_date = "2025/12/01"
 [rule]
 author = ["Elastic"]
@@ -84,7 +84,24 @@ file where host.os.type == "windows" and event.type : "creation" and
     not
     (
       process.name : "firefox.exe" and
-      file.name : ("langpack-*@firefox.mozilla.org.xpi", "*@dictionaries.addons.mozilla.org.xpi")
+      file.name : (
+        "langpack-*@firefox.mozilla.org.xpi",
+        "*@dictionaries.addons.mozilla.org.xpi",
+        "newtab@mozilla.org.xpi",
+        "uBlock0@raymondhill.net.xpi",
+        /* AdBlockPlus */
+        "{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi",
+        /* Bitwarden */
+        "{446900e4-71c2-419f-a6a7-df9c091e268b}.xpi",
+        "addon@darkreader.org.xpi",
+        /* 1Password */
+        "{d634138d-c276-4fc8-924b-40a0ea21d284}.xpi",
+        "support@lastpass.com.xpi",
+        /* Grammarly */
+        "87677a2c52b84ad3a151a4a72f5bd3c4@jetpack.xpi",
+        "sentinelone_visibility@sentinelone.com.xpi",
+        "keepassxc-browser@keepassxc.org.xpi"
+      )
     )
   ) or
   /* Chromium-Based Browsers */

nldcsc-elastic-rules 0.0.8__py3-none-any.whl → 0.0.16__py3-none-any.whl

nldcsc-elastic-rules 0.0.8py3-none-any.whl → 0.0.16py3-none-any.whl