[New/tuning] WarLock coverage (#5846)

Samirbous · w0rk3r · web-flow · commit e788ab7e7390 · 2026-03-23T11:01:12.000Z
* [New/tuning] WarLock coverage Improve coverage for https://www.trendmicro.com/tr_tr/research/26/c/dissecting-a-warlock-attack.html * ++ * Update command_and_control_velociraptor_shell_execution.toml * Update command_and_control_tunnel_cloudflared.toml * Update command_and_control_tunnel_yuze.toml * Update command_and_control_velociraptor_shell_execution.toml * Update exfiltration_rclone_cloud_upload.toml * Update rules/windows/exfiltration_rclone_cloud_upload.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_velociraptor_shell_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update command_and_control_tunnel_vscode.toml * Update command_and_control_tunnel_yuze.toml * Update command_and_control_tunnel_yuze.toml --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
diff --git a/rules/windows/command_and_control_tunnel_cloudflared.toml b/rules/windows/command_and_control_tunnel_cloudflared.toml
@@ -0,0 +1,91 @@
+[metadata]
+creation_date = "2026/03/18"
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
+maturity = "production"
+updated_date = "2026/03/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the use of Cloudflare Tunnel (cloudflared) to expose a local service or create an outbound tunnel. Adversaries
+may abuse quick tunnels (e.g. tunnel --url http://127.0.0.1:80) or named tunnels to proxy C2 traffic or exfiltrate data
+through Cloudflare's edge while evading direct connection blocking.
+"""
+from = "now-9m"
+index = [
+    "endgame-*",
+    "logs-crowdstrike.fdr*",
+    "logs-endpoint.events.process-*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+    "logs-system.security*",
+    "logs-windows.sysmon_operational-*",
+    "winlogbeat-*",
+]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Protocol Tunneling via Cloudflared"
+note = """## Triage and analysis
+
+### Investigating Potential Protocol Tunneling via Cloudflared
+
+Cloudflare Tunnel (cloudflared) is a legitimate tool for exposing local services through Cloudflare's edge. Adversaries abuse it to create quick or named tunnels for C2, data exfiltration, or ingress tool transfer while evading direct connection blocking.
+
+### Possible investigation steps
+
+- Confirm the process command line for `tunnel`, `--url`, or `tunnel run` to validate cloudflared tunnel usage.
+- Identify the parent process and process executable path; cloudflared run from temp or user writable locations is more suspicious than from Program Files.
+- For quick tunnel (`--url http://...`), identify the local URL and whether it could be a C2 callback or proxy.
+- Correlate with network data for outbound connections to Cloudflare IPs or trycloudflare.com-style hostnames around the same time.
+- Review the user and session that started the tunnel; look for other suspicious logon or execution from the same context.
+
+### False positive analysis
+
+- Legitimate use of Cloudflare Tunnel for development or internal services may trigger this rule; consider allowlisting by path or user for approved use cases.
+
+### Response and remediation
+
+- If unauthorized tunnel use is confirmed: isolate the host, terminate the cloudflared process, and block cloudflared or Cloudflare tunnel domains at DNS/firewall where policy permits.
+- Rotate credentials for any accounts that may have been exposed over the tunnel.
+"""
+references = [
+    "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-useful-commands/",
+    "https://attack.mitre.org/techniques/T1572/",
+]
+risk_score = 47
+rule_id = "d6e1b3f0-8a2c-4e7d-b5f9-1c0e3a6d8b2f"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+    "Resources: Investigation Guide",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Crowdstrike",
+    "Data Source: Elastic Endgame", 
+    "Data Source: Windows Security Event Logs"
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ (process.name : "cloudflared.exe" or ?process.pe.original_file_name == "cloudflared.exe" or ?process.code_signature.subject_name : "Cloudflare, Inc.") and process.args : "tunnel"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1572"
+name = "Protocol Tunneling"
+reference = "https://attack.mitre.org/techniques/T1572/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/windows/command_and_control_tunnel_vscode.toml b/rules/windows/command_and_control_tunnel_vscode.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/09"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/05/05"
+updated_date = "2026/03/18"
 
 [rule]
 author = ["Elastic"]
@@ -85,7 +85,12 @@ type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
-  process.args : "tunnel" and (process.args : "--accept-server-license-terms" or process.name : "code*.exe") and
+  process.args : "tunnel" and
+  (process.args : "--accept-server-license-terms" or
+   process.name : "code*.exe" or
+   ?process.code_signature.subject_name : "Microsoft Corporation" or
+   process.executable : ("?:\\ProgramData\\*", "?:\\Users\\Public\\*", "?:\\windows\\debug\\*", 
+                         "\\Device\\HarddiskVolume*\\Users\\Public\\*", "\\Device\\HarddiskVolume*\\ProgramData\\*",  "\\Device\\HarddiskVolume*\\windows\\debug\\*")) and
   not (process.name == "code-tunnel.exe" and process.args == "status" and process.parent.name == "Code.exe")
 '''
 
diff --git a/rules/windows/command_and_control_tunnel_yuze.toml b/rules/windows/command_and_control_tunnel_yuze.toml
@@ -0,0 +1,97 @@
+[metadata]
+creation_date = "2026/03/18"
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
+maturity = "production"
+updated_date = "2026/03/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies execution of Yuze, a lightweight open-source tunneling tool used for intranet penetration. Yuze supports
+forward and reverse SOCKS5 proxy tunneling and is typically executed via rundll32 loading yuze.dll with the RunYuze
+export. Threat actors may use it to proxy C2 or pivot traffic.
+"""
+from = "now-9m"
+index = [
+    "endgame-*",
+    "logs-crowdstrike.fdr*",
+    "logs-endpoint.events.process-*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+    "logs-system.security*",
+    "logs-windows.sysmon_operational-*",
+    "winlogbeat-*",
+]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Protocol Tunneling via Yuze"
+note = """## Triage and analysis
+
+### Investigating Potential Protocol Tunneling via Yuze
+
+Yuze is a C-based tunneling tool used for intranet penetration and supports forward and reverse SOCKS5 proxy tunneling. It is commonly executed as `rundll32 yuze.dll,RunYuze reverse -c <ip>:<port>` and has been observed in threat actor campaigns.
+
+### Possible investigation steps
+
+- Confirm the command line contains `yuze.dll` and `RunYuze`; typical form is `rundll32 yuze.dll,RunYuze reverse -c <ip>:<port>`.
+- Extract the remote endpoint from the `-c` argument (C2 or relay) and look up the IP/domain in threat intelligence.
+- Locate where yuze.dll was loaded from; check file creation time to see if it was recently dropped.
+- Identify the parent process that started rundll32 (script, scheduled task, exploit, etc.) to understand the execution chain.
+- Correlate with network events for outbound connections from this host to the IP/port in the command line.
+
+### False positive analysis
+
+- Legitimate use of Yuze is rare; most hits are likely malicious or red-team. If you use Yuze for authorized testing, consider an exception by host or user.
+
+### Response and remediation
+
+- Isolate the host and terminate the rundll32 process.
+- Remove yuze.dll from disk and hunt for other copies or related artifacts.
+- Block the C2/relay IP or domain at DNS/firewall; rotate credentials if the tunnel was used for access.
+"""
+references = [
+    "https://attack.mitre.org/techniques/T1572/",
+    "https://github.com/P001water/yuze",
+    "https://www.trendmicro.com/tr_tr/research/26/c/dissecting-a-warlock-attack.html",
+]
+risk_score = 47
+rule_id = "e7f2c4a1-9b3d-5e8f-c6a0-2d1b4e7f8c3a"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+    "Resources: Investigation Guide",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Crowdstrike", 
+    "Data Source: Elastic Endgame", 
+    "Data Source: Windows Security Event Logs"
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+  ( 
+    (process.args : "reverse" and process.args : ("-c", "-s")) or 
+    (process.args : ("proxy", "fwd") and process.args : "-l") 
+   ) and 
+  (?process.code_signature.exists == false or process.name : "rundll32.exe")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1572"
+name = "Protocol Tunneling"
+reference = "https://attack.mitre.org/techniques/T1572/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/windows/command_and_control_velociraptor_shell_execution.toml b/rules/windows/command_and_control_velociraptor_shell_execution.toml
@@ -0,0 +1,106 @@
+[metadata]
+creation_date = "2026/03/18"
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
+maturity = "production"
+updated_date = "2026/03/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects shell executions (cmd, PowerShell, rundll32) spawned by Velociraptor. Threat actors have been observed
+installing Velociraptor to execute shell commands on compromised systems, blending in with legitimate system processes.
+"""
+from = "now-9m"
+index = [
+    "endgame-*",
+    "logs-crowdstrike.fdr*",
+    "logs-endpoint.events.process-*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+    "logs-system.security*",
+    "logs-windows.sysmon_operational-*",
+    "winlogbeat-*",
+]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious Shell Execution via Velociraptor"
+note = """## Triage and analysis
+
+### Investigating Suspicious Shell Execution via Velociraptor
+
+Velociraptor is a legitimate endpoint visibility and response tool. Threat actors have been observed deploying it on compromised systems to run shell commands (cmd, PowerShell, rundll32), making their activity look like normal Velociraptor-collector behavior.
+
+### Possible investigation steps
+
+- Confirm the parent process name matches a Velociraptor binary (e.g. velociraptor.exe, Velociraptor.exe) and the child is cmd.exe, powershell.exe, or rundll32.exe.
+- Review the child process command line for suspicious or interactive commands (e.g. download, lateral movement, credential access) versus known Velociraptor artifact scripts (Get-LocalGroupMember, Get-Date, registry queries, Velociraptor Tools module).
+- Identify how Velociraptor was installed (dropped by another process, scheduled task, service); correlate with earlier process or file events on the host.
+- Check whether the Velociraptor executable path and code signature are expected (e.g. Program Files vs. temp or user writable); unauthorized installs are often from non-standard paths.
+- Correlate with other alerts for the same host or user (initial access, persistence, C2) to determine if this is abuse vs. legitimate IR/DFIR use.
+
+### False positive analysis
+
+- Legitimate Velociraptor artifacts that run Get-LocalGroupMember, Get-Date, registry Run key checks, or Velociraptor Tools PowerShell module are excluded by the rule; remaining FPs may be custom artifacts. Allowlist by command-line pattern or host if you use Velociraptor for authorized IR and see known-good artifacts.
+
+### Response and remediation
+
+- If abuse is confirmed: isolate the host, terminate the Velociraptor and child shell processes, and remove the Velociraptor installation (binary, service, config).
+- Determine how Velociraptor was deployed and close the initial access vector; rotate credentials for affected accounts.
+- If the deployment was authorized (IR/DFIR), document and tune the rule or add an exception to reduce noise.
+"""
+references = [
+    "https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399",
+    "https://attack.mitre.org/techniques/T1219/",
+]
+risk_score = 47
+rule_id = "9aeca498-1e3d-4496-9e12-6ef40047eb23"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+    "Tactic: Execution",
+    "Tactic: Defense Evasion",
+    "Resources: Investigation Guide",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Crowdstrike",
+    "Data Source: Elastic Endgame", 
+    "Data Source: Windows Security Event Logs"
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and process.command_line != null and
+ process.parent.name : "velociraptor.exe" and
+ process.name : ("cmd.exe", "powershell.exe", "rundll32.exe") and
+ not (process.name : "powershell.exe" and process.command_line : "*RwBlAHQALQBMAG8AYwBhAGwARwByAG8AdQBwAE0AZQBtAGIAZQBy*") and
+ not (process.name : "powershell.exe" and process.command_line : "*RwBlAHQALQBEAGEAdABl*" and process.command_line : "*-Format*") and
+ not (process.name : "cmd.exe" and process.command_line : "*start*127.0.0.1:8889*") and
+ not (process.name : "powershell.exe" and process.command_line : "*RwBlAHQALQBJAHQAZQBt*" and process.command_line : "*UgBlAGcAaQBzAHQAcgB5*" and process.command_line : "*UgB1AG4A*") and
+ not (process.name : "powershell.exe" and
+      process.args : ("RwBlAHQALQ*", "UgBlAG0AbwB2AGUALQBJAHQAZQBtACA*", "C:\\Program Files\\Velociraptor\\thor.db",
+                      "import-module \"C:\\Program Files\\Velociraptor\\Tools\\*"))
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1219"
+name = "Remote Access Tools"
+reference = "https://attack.mitre.org/techniques/T1219/"
+[[rule.threat.technique.subtechnique]]
+id = "T1219.002"
+name = "Remote Desktop Software"
+reference = "https://attack.mitre.org/techniques/T1219/002/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/windows/exfiltration_rclone_cloud_upload.toml b/rules/windows/exfiltration_rclone_cloud_upload.toml
