nldcsc-elastic-rules 0.0.8__py3-none-any.whl

nldcsc_elastic_rules/rules/windows/defense_evasion_timestomp_sysmon.toml

@@ -0,0 +1,109 @@
+[metadata]
+creation_date = "2023/01/17"
+integration = ["windows"]
+maturity = "production"
+updated_date = "2025/03/20"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies modification of a file creation time. Adversaries may modify file time attributes to blend malicious content
+with existing files. Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in
+trusted directories.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "File Creation Time Changed"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating File Creation Time Changed
+File creation timestamps are crucial for tracking file history and integrity. Adversaries may alter these timestamps, a tactic known as timestomping, to disguise malicious files as benign. This detection rule leverages Sysmon logs to identify suspicious changes in file creation times, excluding trusted processes and file types, thus highlighting potential evasion attempts by attackers.
+
+### Possible investigation steps
+
+- Review the Sysmon logs to confirm the event code 2, which indicates a file creation time change, and verify the associated process and file details.
+- Identify the process executable path that triggered the alert and determine if it is outside the list of trusted paths specified in the query.
+- Check the file extension and name to ensure they are not part of the excluded types such as "temp", "tmp", or "LOG".
+- Investigate the user account associated with the event to determine if it is a non-system account, as the query excludes "SYSTEM", "Local Service", and "Network Service".
+- Correlate the file creation time change event with other security events or logs to identify any related suspicious activities or patterns.
+- Assess the file's location and context to determine if it is in a sensitive or unusual directory that could indicate malicious intent.
+- If necessary, perform a deeper forensic analysis on the file and process to identify any potential malicious behavior or indicators of compromise.
+
+### False positive analysis
+
+- Trusted software updates or installations may alter file creation times. Exclude known update processes like msiexec.exe from detection to reduce noise.
+- System maintenance tasks, such as disk cleanup, can modify timestamps. Exclude cleanmgr.exe to prevent these benign changes from triggering alerts.
+- User-initiated actions in trusted applications like Chrome or Firefox might change file creation times. Exclude these applications to avoid unnecessary alerts.
+- Temporary files created by legitimate processes may have altered timestamps. Exclude file extensions like temp and tmp to minimize false positives.
+- System accounts such as SYSTEM or Local Service may perform legitimate file operations. Exclude these user names to focus on suspicious activities.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further malicious activity and lateral movement by the adversary.
+- Conduct a thorough review of the file in question to determine if it is malicious. Use a combination of antivirus scans and manual analysis to assess the file's behavior and origin.
+- If the file is confirmed to be malicious, remove it from the system and any other locations it may have been copied to. Ensure that all associated processes are terminated.
+- Restore any affected files from a known good backup to ensure data integrity and continuity.
+- Review and update endpoint protection settings to ensure that similar threats are detected and blocked in the future. This may include adjusting Sysmon configurations to enhance logging and detection capabilities.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been compromised.
+- Document the incident, including all actions taken, to improve future response efforts and update threat intelligence databases with any new indicators of compromise (IOCs) identified."""
+risk_score = 47
+rule_id = "166727ab-6768-4e26-b80c-948b228ffc06"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: Sysmon",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+file where host.os.type == "windows" and
+  event.provider == "Microsoft-Windows-Sysmon" and
+  /* File creation time change */
+  event.code == "2" and
+  not process.executable :
+           ("?:\\Program Files\\*",
+            "?:\\Program Files (x86)\\*",
+            "?:\\Windows\\system32\\cleanmgr.exe",
+            "?:\\Windows\\system32\\msiexec.exe",
+            "?:\\Windows\\syswow64\\msiexec.exe",
+            "?:\\Windows\\system32\\svchost.exe",
+            "?:\\WINDOWS\\system32\\backgroundTaskHost.exe",
+            "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
+            "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
+            "?:\\Users\\*\\AppData\\Local\\slack\\app-*\\slack.exe",
+            "?:\\Users\\*\\AppData\\Local\\GitHubDesktop\\app-*\\GitHubDesktop.exe",
+            "?:\\Users\\*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
+            "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe") and
+  not file.extension : ("temp", "tmp", "~tmp", "xml", "newcfg") and not user.name : ("SYSTEM", "Local Service", "Network Service") and
+  not file.name : ("LOG", "temp-index", "license.rtf", "iconcache_*.db")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1070"
+name = "Indicator Removal"
+reference = "https://attack.mitre.org/techniques/T1070/"
+[[rule.threat.technique.subtechnique]]
+id = "T1070.006"
+name = "Timestomp"
+reference = "https://attack.mitre.org/techniques/T1070/006/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

nldcsc_elastic_rules/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml

@@ -0,0 +1,192 @@
+[metadata]
+creation_date = "2022/11/22"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/09/01"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted
+program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a
+malicious DLL within the memory space of a signed processes.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.library-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Unsigned DLL Side-Loading from a Suspicious Folder"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unsigned DLL Side-Loading from a Suspicious Folder
+
+DLL side-loading exploits the trust of signed executables to load malicious DLLs, often from suspicious directories. Adversaries use this to bypass security measures by placing unsigned DLLs in locations mimicking legitimate paths. The detection rule identifies this by checking for trusted programs loading recently modified, unsigned DLLs from atypical directories, signaling potential evasion tactics.
+
+### Possible investigation steps
+
+- Review the process code signature to confirm the legitimacy of the trusted program that loaded the DLL. Check if the process is expected to run from the identified directory.
+- Examine the DLL's path and creation or modification time to determine if it aligns with typical user or system activity. Investigate why the DLL was recently modified or created.
+- Analyze the DLL's code signature status to understand why it is unsigned or has an error status. This can help identify if the DLL is potentially malicious.
+- Investigate the parent process and any associated child processes to understand the context of the DLL loading event. This can provide insights into how the DLL was introduced.
+- Check for any recent changes or anomalies in the system or user activity logs around the time the DLL was created or modified to identify potential indicators of compromise.
+- Correlate the alert with other security events or alerts in the environment to determine if this is part of a broader attack or isolated incident.
+
+### False positive analysis
+
+- Legitimate software updates or installations may temporarily load unsigned DLLs from atypical directories. Users can create exceptions for known update processes by verifying the source and ensuring the process is part of a legitimate update.
+- Custom or in-house applications might load unsigned DLLs from non-standard directories. Users should verify the application's behavior and, if deemed safe, exclude these specific paths or processes from the rule.
+- Development environments often involve testing unsigned DLLs in various directories. Developers can exclude these environments by specifying the directories or processes involved in the development workflow.
+- Some third-party security or system management tools may use unsigned DLLs for legitimate purposes. Users should confirm the tool's legitimacy and add exceptions for these tools to prevent false positives.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity.
+- Terminate the process associated with the unsigned DLL to stop any ongoing malicious operations.
+- Quarantine the suspicious DLL file and any related files for further analysis to understand the scope and nature of the threat.
+- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or remnants.
+- Review and restore any altered system configurations or settings to their original state to ensure system integrity.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat has impacted other systems.
+- Implement additional monitoring and logging on the affected system and network to detect any recurrence or similar threats in the future."""
+references = [
+    "https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion",
+]
+risk_score = 47
+rule_id = "ca98c7cf-a56e-4057-a4e8-39603f7f0389"
+setup = """## Setup
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Defend",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+library where host.os.type == "windows" and
+
+ process.code_signature.trusted == true and
+
+ (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and
+
+  not dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*", "errorChaining") and
+
+      /* Suspicious Paths */
+      dll.path : ("?:\\PerfLogs\\*.dll",
+                  "?:\\Users\\*\\Pictures\\*.dll",
+                  "?:\\Users\\*\\Music\\*.dll",
+                  "?:\\Users\\Public\\*.dll",
+                  "?:\\Users\\*\\Documents\\*.dll",
+                  "?:\\Windows\\Tasks\\*.dll",
+                  "?:\\Windows\\System32\\Tasks\\*.dll",
+                  "?:\\Intel\\*.dll",
+                  "?:\\AMD\\Temp\\*.dll",
+                  "?:\\Windows\\AppReadiness\\*.dll",
+                  "?:\\Windows\\ServiceState\\*.dll",
+                  "?:\\Windows\\security\\*.dll",
+		  "?:\\Windows\\System\\*.dll",
+                  "?:\\Windows\\IdentityCRL\\*.dll",
+                  "?:\\Windows\\Branding\\*.dll",
+                  "?:\\Windows\\csc\\*.dll",
+                  "?:\\Windows\\DigitalLocker\\*.dll",
+                  "?:\\Windows\\en-US\\*.dll",
+                  "?:\\Windows\\wlansvc\\*.dll",
+                  "?:\\Windows\\Prefetch\\*.dll",
+                  "?:\\Windows\\Fonts\\*.dll",
+                  "?:\\Windows\\diagnostics\\*.dll",
+                  "?:\\Windows\\TAPI\\*.dll",
+                  "?:\\Windows\\INF\\*.dll",
+                  "?:\\windows\\tracing\\*.dll",
+                  "?:\\windows\\IME\\*.dll",
+                  "?:\\Windows\\Performance\\*.dll",
+                  "?:\\windows\\intel\\*.dll",
+                  "?:\\windows\\ms\\*.dll",
+                  "?:\\Windows\\dot3svc\\*.dll",
+                  "?:\\Windows\\ServiceProfiles\\*.dll",
+                  "?:\\Windows\\panther\\*.dll",
+                  "?:\\Windows\\RemotePackages\\*.dll",
+                  "?:\\Windows\\OCR\\*.dll",
+                  "?:\\Windows\\appcompat\\*.dll",
+                  "?:\\Windows\\apppatch\\*.dll",
+                  "?:\\Windows\\addins\\*.dll",
+                  "?:\\Windows\\Setup\\*.dll",
+                  "?:\\Windows\\Help\\*.dll",
+                  "?:\\Windows\\SKB\\*.dll",
+                  "?:\\Windows\\Vss\\*.dll",
+                  "?:\\Windows\\Web\\*.dll",
+                  "?:\\Windows\\servicing\\*.dll",
+                  "?:\\Windows\\CbsTemp\\*.dll",
+                  "?:\\Windows\\Logs\\*.dll",
+                  "?:\\Windows\\WaaS\\*.dll",
+                  "?:\\Windows\\twain_32\\*.dll",
+                  "?:\\Windows\\ShellExperiences\\*.dll",
+                  "?:\\Windows\\ShellComponents\\*.dll",
+                  "?:\\Windows\\PLA\\*.dll",
+                  "?:\\Windows\\Migration\\*.dll",
+                  "?:\\Windows\\debug\\*.dll",
+                  "?:\\Windows\\Cursors\\*.dll",
+                  "?:\\Windows\\Containers\\*.dll",
+                  "?:\\Windows\\Boot\\*.dll",
+                  "?:\\Windows\\bcastdvr\\*.dll",
+                  "?:\\Windows\\TextInput\\*.dll",
+                  "?:\\Windows\\schemas\\*.dll",
+                  "?:\\Windows\\SchCache\\*.dll",
+                  "?:\\Windows\\Resources\\*.dll",
+                  "?:\\Windows\\rescache\\*.dll",
+                  "?:\\Windows\\Provisioning\\*.dll",
+                  "?:\\Windows\\PrintDialog\\*.dll",
+                  "?:\\Windows\\PolicyDefinitions\\*.dll",
+                  "?:\\Windows\\media\\*.dll",
+                  "?:\\Windows\\Globalization\\*.dll",
+                  "?:\\Windows\\L2Schemas\\*.dll",
+                  "?:\\Windows\\LiveKernelReports\\*.dll",
+                  "?:\\Windows\\ModemLogs\\*.dll",
+                  "?:\\Windows\\ImmersiveControlPanel\\*.dll",
+                  "?:\\$Recycle.Bin\\*.dll") and
+
+	 /* DLL loaded from the process.executable current directory */
+	 endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.001"
+name = "Invalid Code Signature"
+reference = "https://attack.mitre.org/techniques/T1036/001/"
+
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+[[rule.threat.technique.subtechnique]]
+id = "T1574.001"
+name = "DLL"
+reference = "https://attack.mitre.org/techniques/T1574/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

nldcsc_elastic_rules/rules/windows/defense_evasion_untrusted_driver_loaded.toml

@@ -0,0 +1,137 @@
+[metadata]
+creation_date = "2023/01/27"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/09/04"
+
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link"
+query = """
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,
+issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =
+authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1")
+"""
+
+[[transform.osquery]]
+label = "Osquery - Retrieve All Unsigned Drivers with Virustotal Link"
+query = """
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,
+issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =
+authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0"
+"""
+
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of
+unsigned or self-signed code.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.library-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Untrusted Driver Loaded"
+note = """## Triage and analysis
+
+### Investigating Untrusted Driver Loaded
+
+Microsoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. 
+
+This protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.
+
+This rule identifies an attempt to load an untrusted driver, which effectively means that DSE was disabled or bypassed. This can indicate that the system was compromised.
+
+> **Note**:
+> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
+#### Possible investigation steps
+
+- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:
+  - Identify the path that the driver was loaded from. If you're using Elastic Defend, path information can be found in the `dll.path` field.
+  - Examine the file creation and modification timestamps:
+    - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `dll.Ext.relative_file_name_modify_time` fields. The values are in seconds.
+    - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.
+      - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.
+  - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
+- Use Osquery to investigate the drivers loaded into the system.
+  - $osquery_0
+  - $osquery_1
+- Identify the driver's `Device Name` and `Service Name`.
+- Check for alerts from the rules specified in the `Related Rules` section.
+
+### False positive analysis
+
+- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.
+
+### Related Rules
+
+- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9
+- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd
+- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)
+- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.
+  - This can be done via PowerShell `Remove-Service` cmdlet.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
+- If the triage identified malware, search the environment for additional compromised hosts.
+  - Implement temporary network rules, procedures, and segmentation to contain the malware.
+  - Stop suspicious processes.
+  - Immediately block the identified indicators of compromise (IoCs).
+  - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
+- Remove and block malicious artifacts identified during triage.
+- Ensure that the Driver Signature Enforcement is enabled on the system.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
+references = [
+    "https://github.com/hfiref0x/TDL",
+    "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN",
+]
+risk_score = 73
+rule_id = "d8ab1ec1-feeb-48b9-89e7-c12e189448aa"
+severity = "high"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Resources: Investigation Guide",
+    "Data Source: Elastic Defend",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+driver where host.os.type == "windows" and process.pid == 4 and
+  (dll.code_signature.trusted == false or dll.code_signature.exists == false) and
+  not dll.code_signature.status : ("errorExpired", "errorRevoked", "errorCode_endpoint:*")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.001"
+name = "Invalid Code Signature"
+reference = "https://attack.mitre.org/techniques/T1036/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

nldcsc_elastic_rules/rules/windows/defense_evasion_unusual_ads_file_creation.toml

@@ -0,0 +1,193 @@
+[metadata]
+creation_date = "2021/01/21"
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
+maturity = "production"
+updated_date = "2025/07/02"
+
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve DNS Cache"
+query = "SELECT * FROM dns_cache"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve All Services"
+query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Services Running on User Accounts"
+query = """
+SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE
+NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR
+user_account == null)
+"""
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link"
+query = """
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,
+services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =
+authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
+"""
+
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files
+and sometimes done by adversaries to hide malware.
+"""
+from = "now-9m"
+index = [
+    "winlogbeat-*",
+    "logs-endpoint.events.file-*",
+    "logs-windows.sysmon_operational-*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+    "endgame-*",
+]
+language = "eql"
+license = "Elastic License v2"
+name = "Unusual File Creation - Alternate Data Stream"
+note = """## Triage and analysis
+
+### Investigating Unusual File Creation - Alternate Data Stream
+
+Alternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.
+
+The regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.
+
+Attackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.
+
+> **Note**:
+> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
+#### Possible investigation steps
+
+- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:
+  - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
+- Examine the host for derived artifacts that indicate suspicious activities:
+  - Analyze the process executable using a private sandboxed analysis system.
+  - Observe and collect information about the following activities in both the sandbox and the alert subject host:
+    - Attempts to contact external domains and addresses.
+      - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.
+      - Examine the DNS cache for suspicious or anomalous entries.
+        - $osquery_0
+    - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.
+    - Examine the host services for suspicious or anomalous entries.
+      - $osquery_1
+      - $osquery_2
+      - $osquery_3
+  - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.
+
+
+### False positive analysis
+
+- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of process executable and file conditions.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+  - Implement temporary network rules, procedures, and segmentation to contain the malware.
+  - Stop suspicious processes.
+  - Immediately block the identified indicators of compromise (IoCs).
+  - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
+- Remove and block malicious artifacts identified during triage.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
+risk_score = 21
+rule_id = "71bccb61-e19b-452f-b104-79a60e546a95"
+severity = "low"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Resources: Investigation Guide",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: SentinelOne",
+    "Data Source: Elastic Endgame",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+file where host.os.type == "windows" and event.type == "creation" and
+
+  file.path : "C:\\*:*" and file.extension in~ (
+    "pdf", "dll", "exe", "dat", "com", "bat", "cmd", "sys", "vbs", "ps1", "hta", "txt", "vbe", "js",
+    "wsh", "docx", "doc", "xlsx", "xls", "pptx", "ppt", "rtf", "gif", "jpg", "png", "bmp", "img", "iso"
+  ) and
+
+  not file.path : 
+          ("C:\\*:zone.identifier*",
+           "C:\\users\\*\\appdata\\roaming\\microsoft\\teams\\old_weblogs_*:$DATA",
+           "C:\\Windows\\CSC\\*:CscBitmapStream") and
+
+  not process.executable : (
+          "?:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe",
+          "?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
+          "?:\\Program Files (x86)\\Microsoft Office\\root\\*\\EXCEL.EXE",
+          "?:\\Program Files (x86)\\Microsoft Office\\root\\*\\OUTLOOK.EXE",
+          "?:\\Program Files (x86)\\Microsoft Office\\root\\*\\POWERPNT.EXE",
+          "?:\\Program Files (x86)\\Microsoft Office\\root\\*\\WINWORD.EXE",
+          "?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
+          "?:\\Program Files\\ExpressConnect\\ExpressConnectNetworkService.exe",
+          "?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
+          "?:\\Program Files\\Microsoft Office\\root\\*\\EXCEL.EXE",
+          "?:\\Program Files\\Microsoft Office\\root\\*\\OUTLOOK.EXE",
+          "?:\\Program Files\\Microsoft Office\\root\\*\\POWERPNT.EXE",
+          "?:\\Program Files\\Microsoft Office\\root\\*\\WINWORD.EXE",
+          "?:\\Program Files\\Mozilla Firefox\\firefox.exe",
+          "?:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe",
+          "?:\\Program Files\\Rivet Networks\\SmartByte\\SmartByteNetworkService.exe",
+          "?:\\Windows\\explorer.exe",
+          "?:\\Windows\\System32\\DataExchangeHost.exe",
+          "?:\\Windows\\System32\\drivers\\Intel\\ICPS\\IntelConnectivityNetworkService.exe",
+          "?:\\Windows\\System32\\drivers\\RivetNetworks\\Killer\\KillerNetworkService.exe",
+          "?:\\Windows\\System32\\inetsrv\\w3wp.exe",
+          "?:\\Windows\\System32\\PickerHost.exe",
+          "?:\\Windows\\System32\\RuntimeBroker.exe",
+          "?:\\Windows\\System32\\SearchProtocolHost.exe",
+          "?:\\Windows\\System32\\sihost.exe",
+          "?:\\windows\\System32\\svchost.exe",
+          "?:\\Windows\\System32\\WFS.exe"
+  ) and
+  
+  not (
+    ?process.code_signature.trusted == true and
+    file.name : "*:sec.endpointdlp:$DATA"
+  )
+
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1564"
+name = "Hide Artifacts"
+reference = "https://attack.mitre.org/techniques/T1564/"
+[[rule.threat.technique.subtechnique]]
+id = "T1564.004"
+name = "NTFS File Attributes"
+reference = "https://attack.mitre.org/techniques/T1564/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+