diff --git a/rules/cross-platform/persistence_shell_profile_modification.toml b/rules/cross-platform/persistence_shell_profile_modification.toml
index 63547bdae..fa74f1325 100644
--- a/rules/cross-platform/persistence_shell_profile_modification.toml
+++ b/rules/cross-platform/persistence_shell_profile_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ references = ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-
 risk_score = 47
 rule_id = "e6c1a552-7776-44ad-ae0f-8746cc07773c"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Execution", "Persistence"]
+tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
index 2b2c84c31..e45eea4b4 100644
--- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
+++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/27"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ references = [
 risk_score = 47
 rule_id = "717f82c2-7741-4f9b-85b8-d06aeb853f4f"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation", "Persistence"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
index ff5e6a505..a350fde02 100644
--- a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
+++ b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ references = ["https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office
 risk_score = 47
 rule_id = "66da12b1-ac83-40eb-814c-07ed1d82b7b9"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "macOS", "Threat Detection", "Initial Access"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
index 126b9c945..2bb4ad9a8 100644
--- a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
+++ b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/13"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = [
 risk_score = 47
 rule_id = "e6c98d38-633d-4b3e-9387-42112cd5ac10"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence", "Credential Access"]
+tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/macos/persistence_emond_rules_process_execution.toml b/rules/macos/persistence_emond_rules_process_execution.toml
index d48776e76..1246a62c0 100644
--- a/rules/macos/persistence_emond_rules_process_execution.toml
+++ b/rules/macos/persistence_emond_rules_process_execution.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/11"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ references = ["https://www.xorrior.com/emond-persistence/"]
 risk_score = 47
 rule_id = "3e3d15c6-1509-479a-b125-21718372157e"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution", "Persistence"]
+tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
index 78564ea30..08d29614f 100644
--- a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
+++ b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
@@ -30,7 +30,7 @@ severity = "critical"
 tags = [
 "Command and Control",
 "Post-Execution",
-"Threat Detection, Prevention and Hunting",
+"Threat Detection",
 "Elastic",
 "Network",
 ]
diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml
index 608262f9a..94a2b9758 100644
--- a/rules/windows/collection_winrar_encryption.toml
+++ b/rules/windows/collection_winrar_encryption.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ references = ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-ba
 risk_score = 47
 rule_id = "45d273fb-1dca-457d-9855-bcb302180c21"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Exfiltration"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
index c0e81c0e8..3871e6196 100644
--- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml
+++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "MsBuild Making Network Connections"
 risk_score = 47
 rule_id = "0e79980b-4250-4a50-a509-69294c14e84b"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/defense_evasion_mshta_making_network_connections.toml b/rules/windows/defense_evasion_mshta_making_network_connections.toml
index 7d6f22583..3a45b8efa 100644
--- a/rules/windows/defense_evasion_mshta_making_network_connections.toml
+++ b/rules/windows/defense_evasion_mshta_making_network_connections.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "development"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ references = ["https://www.fireeye.com/blog/threat-research/2017/05/cyber-espion
 risk_score = 47
 rule_id = "a4ec1382-4557-452b-89ba-e413b22ed4b8"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/defense_evasion_msxsl_network.toml b/rules/windows/defense_evasion_msxsl_network.toml
index 390b71e90..2baf216fb 100644
--- a/rules/windows/defense_evasion_msxsl_network.toml
+++ b/rules/windows/defense_evasion_msxsl_network.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "Network Connection via MsXsl"
 risk_score = 21
 rule_id = "b86afe07-0d98-4738-b15d-8d7465f95ff5"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
index 016fa1840..5a2c14948 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "Unusual Network Connection via RunDLL32"
 risk_score = 47
 rule_id = "52aaab7b-b51c-441a-89ce-4387b3aea886"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml
index 09edb13be..c3559fd07 100644
--- a/rules/windows/defense_evasion_unusual_process_network_connection.toml
+++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "Unusual Process Network Connection"
 risk_score = 21
 rule_id = "610949a1-312f-4e04-bb55-3a79b8c95267"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml
index ab530c2c3..986566f70 100644
--- a/rules/windows/execution_scheduled_task_powershell_source.toml
+++ b/rules/windows/execution_scheduled_task_powershell_source.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/15"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ references = [
 risk_score = 47
 rule_id = "5cd55388-a19c-47c7-8ec4-f41656c2fded"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Lateral Movement"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml
index 2622dfcf6..d8189fff8 100644
--- a/rules/windows/execution_suspicious_cmd_wmi.toml
+++ b/rules/windows/execution_suspicious_cmd_wmi.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "Suspicious Cmd Execution via WMI"
 risk_score = 47
 rule_id = "12f07955-1674-44f7-86b5-c35da0a6f41a"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml
index 853169f54..a772e5941 100644
--- a/rules/windows/execution_suspicious_powershell_imgload.toml
+++ b/rules/windows/execution_suspicious_powershell_imgload.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "Suspicious PowerShell Engine ImageLoad"
 risk_score = 47
 rule_id = "852c1f19-68e8-43a6-9dce-340771fe1be3"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml
index 96808be38..dae812637 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "Volume Shadow Copy Deletion via VssAdmin"
 risk_score = 73
 rule_id = "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml
index 35fdb1ade..2cfb2a9e7 100644
--- a/rules/windows/initial_access_script_executing_powershell.toml
+++ b/rules/windows/initial_access_script_executing_powershell.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "Windows Script Executing PowerShell"
 risk_score = 21
 rule_id = "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
index 52a27b712..70ba707d0 100644
--- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml
+++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/27"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "Windows Script Interpreter Executing Process via WMI"
 risk_score = 47
 rule_id = "b64b183e-1a76-422d-9179-7b389513e74d"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
index 605083cb0..7c5d33a2d 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/03/04"
 maturity = "production"
-updated_date = "2021/03/04"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -26,7 +26,7 @@ references = [
 risk_score = 47
 rule_id = "6cd1779c-560f-4b68-a8f1-11009b27fe63"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
index b8131b172..84972f34c 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/03/04"
 maturity = "production"
-updated_date = "2021/03/04"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -27,7 +27,7 @@ references = [
 risk_score = 47
 rule_id = "483c4daf-b0c6-49e0-adf3-0bfa93231d6b"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
index 576847aac..85ee28601 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
@@ -22,7 +22,7 @@ references = [
 risk_score = 73
 rule_id = "f81ee52c-297e-46d9-9205-07e66931df26"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
index 6a35c3a2b..abae170a4 100644
--- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Suspicious MS Office Child Process"
 risk_score = 47
 rule_id = "a624863f-a70d-417f-a7d2-7a404638d47f"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
index b53698119..d398dad52 100644
--- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "Suspicious MS Outlook Child Process"
 risk_score = 21
 rule_id = "32f4675e-6c49-4ace-80f9-97c9259dca2e"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/windows/initial_access_unusual_dns_service_children.toml b/rules/windows/initial_access_unusual_dns_service_children.toml
index 77f2183a3..b7ce5220e 100644
--- a/rules/windows/initial_access_unusual_dns_service_children.toml
+++ b/rules/windows/initial_access_unusual_dns_service_children.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
 risk_score = 73
 rule_id = "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/windows/initial_access_unusual_dns_service_file_writes.toml b/rules/windows/initial_access_unusual_dns_service_file_writes.toml
index 6c1f4be76..6af388862 100644
--- a/rules/windows/initial_access_unusual_dns_service_file_writes.toml
+++ b/rules/windows/initial_access_unusual_dns_service_file_writes.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = [
 risk_score = 73
 rule_id = "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
index 219374b21..72c6028bb 100644
--- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
+++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/29"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "Suspicious Explorer Child Process"
 risk_score = 47
 rule_id = "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/lateral_movement_local_service_commands.toml b/rules/windows/lateral_movement_local_service_commands.toml
index 479114f92..48f95d3c6 100644
--- a/rules/windows/lateral_movement_local_service_commands.toml
+++ b/rules/windows/lateral_movement_local_service_commands.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "Local Service Commands"
 risk_score = 21
 rule_id = "e8571d5f-bea1-46c2-9f56-998de2d3ed95"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml
index 4325402e3..cc6e95968 100644
--- a/rules/windows/lateral_movement_remote_services.toml
+++ b/rules/windows/lateral_movement_remote_services.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/16"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "Remotely Started Services via RPC"
 risk_score = 47
 rule_id = "aa9a274d-6b53-424d-ac5e-cb8ca4251650"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
index 1654f3cdb..5ee1b9583 100644
--- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml
+++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = [
 risk_score = 73
 rule_id = "2edc8076-291e-41e9-81e4-e3fcbc97ae5e"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Persistence"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
index 43c40b1a0..51e7d5962 100644
--- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
+++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ references = [
 risk_score = 21
 rule_id = "baa5d22c-5e1c-4f33-bfc9-efa73bb53022"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
index b358c4d5c..7871b185c 100644
--- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
+++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/13"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Unusual Service Host Child Process - Childless Service"
 risk_score = 47
 rule_id = "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/privilege_escalation_wpad_exploitation.toml b/rules/windows/privilege_escalation_wpad_exploitation.toml
index 159baba5c..928811644 100644
--- a/rules/windows/privilege_escalation_wpad_exploitation.toml
+++ b/rules/windows/privilege_escalation_wpad_exploitation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "WPAD Service Exploit"
 risk_score = 73
 rule_id = "ec328da1-d5df-482b-866c-4a435692b1f3"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
 type = "eql"
 
 query = '''
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
index cf6935deb..edf0ac8d7 100644
--- a/tests/test_all_rules.py
+++ b/tests/test_all_rules.py
@@ -292,6 +292,48 @@ class TestRuleTags(BaseRuleTest):
         if missing_required_tags or is_missing_any_tags:
             self.fail(error_msg)
 
+    def test_primary_tactic_as_tag(self):
+        from detection_rules.attack import tactics
+
+        invalid = []
+        tactics = set(tactics)
+
+        for rule in self.rules:
+            rule_tags = rule.contents['tags']
+
+            if 'Continuous Monitoring' in rule_tags or rule.type == 'machine_learning':
+                continue
+
+            threat = rule.contents.get('threat')
+            if threat:
+                missing = []
+                threat_tactic_names = [e['tactic']['name'] for e in threat]
+                primary_tactic = threat_tactic_names[0]
+
+                if 'Threat Detection' not in rule_tags:
+                    missing.append('Threat Detection')
+
+                # missing primary tactic
+                if primary_tactic not in rule.contents['tags']:
+                    missing.append(primary_tactic)
+
+                # listed tactic that is not in threat mapping
+                tag_tactics = set(rule_tags).intersection(tactics)
+                missing_from_threat = list(tag_tactics.difference(threat_tactic_names))
+
+                if missing or missing_from_threat:
+                    err_msg = self.rule_str(rule)
+                    if missing:
+                        err_msg += f'\n expected: {missing}'
+                    if missing_from_threat:
+                        err_msg += f'\n unexpected (or missing from threat mapping): {missing_from_threat}'
+
+                    invalid.append(err_msg)
+
+        if invalid:
+            err_msg = '\n'.join(invalid)
+            self.fail(f'Rules with misaligned tags and tactics:\n{err_msg}')
+
 
 class TestRuleTimelines(BaseRuleTest):
     """Test timelines in rules are valid."""
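Review bot: Rules with no `threat` mapping fall through the `if threat:` guard untouched, so a rule that carries a tactic name in its tags, or lacks the 'Threat Detection' tag, but has no threat mapping is never reported, even though the 'unexpected (or missing from threat mapping)' message describes exactly that case. Computing `tag_tactics = set(rule_tags).intersection(tactics)` before the guard and reporting it when `threat` is absent would close that gap. As a point of style, `tactics = set(tactics)` rebinds the imported name, and `if primary_tactic not in rule.contents['tags']:` re-reads what `rule_tags` already holds; `if primary_tactic not in rule_tags:` is clearer. The indentation of this hunk is collapsed in the source, so the nesting of `invalid.append(err_msg)` under `if missing or missing_from_threat:` is inferred from `err_msg` being bound only in that branch.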