Merge branch 'main' of github.com:elastic/detection-rules

detection_rules/etc/non-ecs-schema.json

@@ -71,6 +71,7 @@
     "process.Ext.effective_parent.name": "keyword",
     "file.Ext.header_bytes": "keyword",
     "file.Ext.entropy": "long",
+    "file.Ext.windows.zone_identifier": "long",
     "file.size": "long",
     "file.Ext.original.name": "keyword",
     "dll.Ext.device.product_id": "keyword",

detection_rules/etc/version.lock.json

@@ -190,6 +190,13 @@
     "type": "eql",
     "version": 106
   },
+  "07639887-da3a-4fbf-9532-8ce748ff8c50": {
+    "min_stack_version": "8.3",
+    "rule_name": "GitHub Protected Branch Settings Changed",
+    "sha256": "b801d28bb5398fb531f21cecefae0f3c21b0d7b4c675fc8349ccf4448e7a2b7c",
+    "type": "eql",
+    "version": 1
+  },
   "0787daa6-f8c5-453b-a4ec-048037f6c1cd": {
     "min_stack_version": "8.3",
     "rule_name": "Suspicious Proc Pseudo File System Enumeration",
@@ -340,9 +347,9 @@
   "0c41e478-5263-4c69-8f9e-7dfd2c22da64": {
     "min_stack_version": "8.5",
     "rule_name": "Threat Intel IP Address Indicator Match",
-    "sha256": "88e3b7fed59fc79874b0d6375168a21a7623b3a38a74c838ea3c3698190a92d1",
+    "sha256": "421308bb2c832aaa4cdbefbde389b0ff645e12fc5d7ea78c9296139099772abb",
     "type": "threat_match",
-    "version": 2
+    "version": 3
   },
   "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
     "min_stack_version": "8.3",
@@ -637,6 +644,13 @@
     "type": "query",
     "version": 102
   },
+  "14dab405-5dd9-450c-8106-72951af2391f": {
+    "min_stack_version": "8.3",
+    "rule_name": "Office Test Registry Persistence",
+    "sha256": "2a26bc9292902c92d9bc73a14ff7e20ffa9c0904b209692b1e8e23bd32c88fb3",
+    "type": "eql",
+    "version": 1
+  },
   "14de811c-d60f-11ec-9fd7-f661ea17fbce": {
     "min_stack_version": "8.4",
     "previous": {
@@ -967,6 +981,13 @@
     "type": "query",
     "version": 6
   },
+  "1f460f12-a3cf-4105-9ebb-f788cc63f365": {
+    "min_stack_version": "8.3",
+    "rule_name": "Unusual Process Execution on WBEM Path",
+    "sha256": "7d596dca903c48dde13a6b90746947628693b11dd9140e3eb89ca6eba10ae966",
+    "type": "eql",
+    "version": 1
+  },
   "1faec04b-d902-4f89-8aff-92cd9043c16f": {
     "min_stack_version": "8.3",
     "rule_name": "Unusual Linux User Calling the Metadata Service",
@@ -1036,6 +1057,13 @@
     "type": "query",
     "version": 100
   },
+  "210d4430-b371-470e-b879-80b7182aa75e": {
+    "min_stack_version": "8.3",
+    "rule_name": "Mofcomp Activity",
+    "sha256": "d42c6a1889b42bcd83cb46d9838038cfd4248b792d5fef1abc4cedc81b269d4a",
+    "type": "eql",
+    "version": 1
+  },
   "21bafdf0-cf17-11ed-bd57-f661ea17fbcc": {
     "min_stack_version": "8.4",
     "rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application",
@@ -1517,6 +1545,13 @@
     "type": "eql",
     "version": 1
   },
+  "345889c4-23a8-4bc0-b7ca-756bd17ce83b": {
+    "min_stack_version": "8.3",
+    "rule_name": "GitHub Repository Deleted",
+    "sha256": "82225047c1559d8bba7c15944953088395802e8a1ad8fd0552714eee65b22635",
+    "type": "eql",
+    "version": 1
+  },
   "34fde489-94b0-4500-a76f-b8a157cf9269": {
     "min_stack_version": "8.3",
     "rule_name": "Accepted Default Telnet Port Connection",
@@ -1655,6 +1690,13 @@
     "type": "query",
     "version": 103
   },
+  "39157d52-4035-44a8-9d1a-6f8c5f580a07": {
+    "min_stack_version": "8.3",
+    "rule_name": "Downloaded Shortcut Files",
+    "sha256": "362ab87565072831948627491a1ba91889340030ce6f1438122322ffa57acb5d",
+    "type": "eql",
+    "version": 1
+  },
   "397945f3-d39a-4e6f-8bcb-9656c2031438": {
     "min_stack_version": "8.3",
     "rule_name": "Persistence via Microsoft Outlook VBA",
@@ -1706,9 +1748,9 @@
   "3b47900d-e793-49e8-968f-c90dc3526aa1": {
     "min_stack_version": "8.3",
     "rule_name": "Unusual Parent Process for cmd.exe",
-    "sha256": "a9acccb7d18adc13099ab88eb003c037bf57f2defa18fc91c8945299c38cba92",
+    "sha256": "97b3141cf72282ca02c73091a527edf31e31d10d22d241e91c6d173bc1abd792",
     "type": "eql",
-    "version": 106
+    "version": 107
   },
   "3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
     "min_stack_version": "8.3",
@@ -2334,12 +2376,19 @@
     "type": "eql",
     "version": 106
   },
+  "53dedd83-1be7-430f-8026-363256395c8b": {
+    "min_stack_version": "8.3",
+    "rule_name": "Binary Content Copy via Cmd.exe",
+    "sha256": "3ab2b049abaa1462ebed7b019dcd5da6957b5328c2ce7d2eb86b87e74a4ec28d",
+    "type": "eql",
+    "version": 1
+  },
   "54902e45-3467-49a4-8abc-529f2c8cfb80": {
     "min_stack_version": "8.3",
     "rule_name": "Uncommon Registry Persistence Change",
-    "sha256": "950bfce6a55758ef6c60b1fd13ef84531915c61992e405c7217f3bcb40df0f3f",
+    "sha256": "470d8e6c5c1dfd3564bd5f3b59d7853db9137942de25c38e4281b2d16df70ede",
     "type": "eql",
-    "version": 104
+    "version": 105
   },
   "54a81f68-5f2a-421e-8eed-f888278bb712": {
     "min_stack_version": "8.3",
@@ -2586,6 +2635,13 @@
     "type": "new_terms",
     "version": 6
   },
+  "5c895b4f-9133-4e68-9e23-59902175355c": {
+    "min_stack_version": "8.6",
+    "rule_name": "Potential Meterpreter Reverse Shell",
+    "sha256": "5941e6650b12bc02b03d289fa389b9f2347c53636e6368753bd5917b5a776cd5",
+    "type": "eql",
+    "version": 1
+  },
   "5c983105-4681-46c3-9890-0c66d05e776b": {
     "min_stack_version": "8.3",
     "rule_name": "Unusual Linux Process Discovery Activity",
@@ -3537,6 +3593,13 @@
     "type": "eql",
     "version": 3
   },
+  "800e01be-a7a4-46d0-8de9-69f3c9582b44": {
+    "min_stack_version": "8.3",
+    "rule_name": "Unusual Process Extension",
+    "sha256": "15e1dd225bae684eac522b61872faae250a8aac0c4cb71b4e6d68986665587ed",
+    "type": "eql",
+    "version": 1
+  },
   "809b70d3-e2c3-455e-af1b-2626a5a1a276": {
     "min_stack_version": "8.3",
     "rule_name": "Unusual City For an AWS Command",
@@ -4577,6 +4640,13 @@
     "type": "eql",
     "version": 2
   },
+  "a5eb21b7-13cc-4b94-9fe2-29bb2914e037": {
+    "min_stack_version": "8.6",
+    "rule_name": "Potential Reverse Shell via UDP",
+    "sha256": "2bb373420b8f04de56b4e10442d426787ff255a9ed14d92c64f05a0c3334871f",
+    "type": "eql",
+    "version": 1
+  },
   "a5f0d057-d540-44f5-924d-c6a2ae92f045": {
     "min_stack_version": "8.3",
     "rule_name": "Potential SSH Brute Force Detected on Privileged Account",
@@ -4601,9 +4671,9 @@
   "a61809f3-fb5b-465c-8bff-23a8a068ac60": {
     "min_stack_version": "8.5",
     "rule_name": "Threat Intel Windows Registry Indicator Match",
-    "sha256": "1867577987b72a8cb67a4b74b89643d3df862354ae3eadfd616c9b51ec1000a0",
+    "sha256": "4c02e860e8200660cdd059bfaa155532f5b584f3325ac7ffbdafbebcefe5a234",
     "type": "threat_match",
-    "version": 2
+    "version": 3
   },
   "a624863f-a70d-417f-a7d2-7a404638d47f": {
     "min_stack_version": "8.3",
@@ -4714,9 +4784,9 @@
   "aab184d3-72b3-4639-b242-6597c99d8bca": {
     "min_stack_version": "8.5",
     "rule_name": "Threat Intel Hash Indicator Match",
-    "sha256": "b84f93be7b12d9e7b6dc37e4b6f6f68f717bbb33d181321aaa4a2f77ed66a60d",
+    "sha256": "1532d5577abdf44288ebeb628cd80e676e02e99367876b31e9c46200d37d5e81",
     "type": "threat_match",
-    "version": 3
+    "version": 4
   },
   "ab75c24b-2502-43a0-bf7c-e60e662c811e": {
     "min_stack_version": "8.3",
@@ -4889,6 +4959,13 @@
     "type": "eql",
     "version": 105
   },
+  "afd04601-12fc-4149-9b78-9c3f8fe45d39": {
+    "min_stack_version": "8.3",
+    "rule_name": "Network Activity Detected via cat",
+    "sha256": "842200b53b379cfcfe0e98cce8c0775e7120c7312edc3aecaa2cae7783559566",
+    "type": "eql",
+    "version": 1
+  },
   "afe6b0eb-dd9d-4922-b08a-1910124d524d": {
     "min_stack_version": "8.3",
     "rule_name": "Potential Privilege Escalation via Container Misconfiguration",
@@ -5091,6 +5168,13 @@
     "type": "eql",
     "version": 104
   },
+  "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": {
+    "min_stack_version": "8.3",
+    "rule_name": "Kirbi File Creation",
+    "sha256": "5cc88228ed8f2119aba7d21bef4e172fec1499a3b3b8168eb439cb581d94c2ac",
+    "type": "eql",
+    "version": 1
+  },
   "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
     "min_stack_version": "8.3",
     "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
@@ -5745,6 +5829,13 @@
     "type": "eql",
     "version": 105
   },
+  "cd82e3d6-1346-4afd-8f22-38388bbf34cb": {
+    "min_stack_version": "8.3",
+    "rule_name": "Downloaded URL Files",
+    "sha256": "3b2b2822568470b436f1a1db2ca7db260343faeb5f156b1b3b697a4393137938",
+    "type": "eql",
+    "version": 1
+  },
   "cd89602e-9db0-48e3-9391-ae3bf241acd8": {
     "min_stack_version": "8.3",
     "rule_name": "Attempt to Deactivate MFA for an Okta User Account",
@@ -5886,6 +5977,13 @@
     "type": "eql",
     "version": 6
   },
+  "d3551433-782f-4e22-bbea-c816af2d41c6": {
+    "min_stack_version": "8.3",
+    "rule_name": "WMI WBEMTEST Utility Execution",
+    "sha256": "687d0e851309a066fb0d13b00750846d62e6da9fca5b2a80f9f8b6864ada9b76",
+    "type": "eql",
+    "version": 1
+  },
   "d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
     "min_stack_version": "8.3",
     "rule_name": "Shell Execution via Apple Scripting",
@@ -6492,7 +6590,7 @@
     "rule_name": "Suspicious WMI Event Subscription Created",
     "sha256": "bee333bfc8d77b96f009283d0b8dc93b5e2e38ef6b27b38b21daccf6fe50833a",
     "type": "eql",
-    "version": 2
+    "version": 4
   },
   "e74d645b-fec6-431e-bf93-ca64a538e0de": {
     "min_stack_version": "8.3",
@@ -6886,9 +6984,9 @@
   "f3e22c8b-ea47-45d1-b502-b57b6de950b3": {
     "min_stack_version": "8.5",
     "rule_name": "Threat Intel URL Indicator Match",
-    "sha256": "b03b79e60e32f4744d7db406946e56fc43bf99671ae3c7cd9af2dabdb17d171f",
+    "sha256": "f8210c3d8a13d1354dfe9c14053034eafc71b8bef3477f9e8e7279672ce95601",
     "type": "threat_match",
-    "version": 2
+    "version": 3
   },
   "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": {
     "min_stack_version": "8.3",
@@ -6938,6 +7036,13 @@
     "type": "query",
     "version": 1
   },
+  "f59668de-caa0-4b84-94c1-3a1549e1e798": {
+    "min_stack_version": "8.3",
+    "rule_name": "WMIC Remote Command",
+    "sha256": "dc6e94a20b8f1618cea407e2ac25227adc96daf497e2c1b5b034408f0e1aa3c9",
+    "type": "eql",
+    "version": 1
+  },
   "f5fb4598-4f10-11ed-bdc3-0242ac120002": {
     "min_stack_version": "8.3",
     "rule_name": "Masquerading Space After Filename",
@@ -7004,9 +7109,9 @@
   "f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
     "min_stack_version": "8.3",
     "rule_name": "Persistent Scripts in the Startup Directory",
-    "sha256": "b1b304251797d95d12cc192562063ef62b6569b453974d77fb9f017320ae1731",
+    "sha256": "afb59ffb04d13b21e0f2cff08ed6f27c27dde808d3cb5b84a5eb3ddb2d566665",
     "type": "eql",
-    "version": 107
+    "version": 108
   },
   "f81ee52c-297e-46d9-9205-07e66931df26": {
     "min_stack_version": "8.3",

rules/cross-platform/threat_intel_indicator_match_address.toml

@@ -8,6 +8,31 @@ general rules.
 """
 min_stack_version = "8.5.0"
 
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve DNS Cache"
+query = "SELECT * FROM dns_cache"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve All Services"
+query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Services Running on User Accounts"
+query = """
+SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE
+NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR
+user_account == null)
+"""
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link"
+query = """
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,
+services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =
+authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
+"""
+
 [rule]
 author = ["Elastic"]
 description = """
@@ -30,6 +55,9 @@ Matches are based on threat intelligence data that's been ingested during the la
 
 This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against a network event.
 
+> **Note**:
+> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
 #### Possible investigation steps
 
 - Gain context about the field that matched the local observation so you can understand the nature of the connection. This information can be found in the `threat.indicator.matched.field` field.

rules/cross-platform/threat_intel_indicator_match_hash.toml

@@ -8,6 +8,31 @@ general rules.
 """
 min_stack_version = "8.5.0"
 
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve DNS Cache"
+query = "SELECT * FROM dns_cache"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve All Services"
+query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Services Running on User Accounts"
+query = """
+SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE
+NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR
+user_account == null)
+"""
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link"
+query = """
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,
+services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =
+authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
+"""
+
 [rule]
 author = ["Elastic"]
 description = """

rules/cross-platform/threat_intel_indicator_match_registry.toml

@@ -8,6 +8,31 @@ general rules.
 """
 min_stack_version = "8.5.0"
 
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve DNS Cache"
+query = "SELECT * FROM dns_cache"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve All Services"
+query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Services Running on User Accounts"
+query = """
+SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE
+NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR
+user_account == null)
+"""
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link"
+query = """
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,
+services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =
+authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
+"""
+
 [rule]
 author = ["Elastic"]
 description = """

rules/cross-platform/threat_intel_indicator_match_url.toml

@@ -8,6 +8,31 @@ general rules.
 """
 min_stack_version = "8.5.0"
 
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve DNS Cache"
+query = "SELECT * FROM dns_cache"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve All Services"
+query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Services Running on User Accounts"
+query = """
+SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE
+NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR
+user_account == null)
+"""
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link"
+query = """
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,
+services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =
+authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
+"""
+
 [rule]
 author = ["Elastic"]
 description = """
@@ -30,6 +55,9 @@ Matches are based on threat intelligence data that's been ingested during the la
 
 This rule is triggered when a URL indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains URL data, like DNS events, network logs, etc.
 
+> **Note**:
+> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
 #### Possible investigation steps
 
 - Investigate the URL, which can be found in the `threat.indicator.matched.atomic` field:

rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml

@@ -0,0 +1,51 @@
+[metadata]
+creation_date = "2023/08/29"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/30"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules 
+can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in 
+your repository. Changes to these protected branch settings should be investigated and verified as legitimate 
+activity. Unauthorized changes could be used to lower your organization's security posture and leave you exposed 
+for future attacks. 
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "GitHub Protected Branch Settings Changed"
+risk_score = 47
+rule_id = "07639887-da3a-4fbf-9532-8ce748ff8c50"
+severity = "medium"
+tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Github"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+configuration where event.dataset == "github.audit" 
+  and github.category == "protected_branch" and event.type == "change" 
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/integrations/github/impact_github_repository_deleted.toml

@@ -0,0 +1,47 @@
+[metadata]
+creation_date = "2023/08/29"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/29"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects when a GitHub repository is deleted within your organization. 
+Repositories are a critical component used within an organization to manage work, 
+collaborate with others and release products to the public. Any delete action against 
+a repository should be investigated to determine it's validity. Unauthorized deletion 
+of organization repositories could cause irreversible loss of intellectual property and 
+indicate compromise within your organization.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "GitHub Repository Deleted"
+risk_score = 47
+rule_id = "345889c4-23a8-4bc0-b7ca-756bd17ce83b"
+severity = "medium"
+tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Github"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+configuration where event.module == "github" and event.action == "repo.destroy"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1485"
+name = "Data Destruction"
+reference = "https://attack.mitre.org/techniques/T1485/"
+
+
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+

rules/linux/command_and_control_cat_network_activity.toml

@@ -0,0 +1,57 @@
+[metadata]
+creation_date = "2023/09/04"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat 
+is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. 
+This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools
+or files to another host in the network or exfiltrate data while attempting to evade detection in the process.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Network Activity Detected via cat"
+risk_score = 47
+rule_id = "afd04601-12fc-4149-9b78-9c3f8fe45d39"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"]
+type = "eql"
+query = '''
+sequence by host.id, process.entity_id with maxspan=1s
+  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
+   process.name == "cat"]
+  [network where host.os.type == "linux" and event.action in ("connection_attempted", "disconnect_received") and 
+   process.name == "cat"]
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"

rules/windows/execution_command_shell_started_by_unusual_process.toml

@@ -51,7 +51,8 @@ process where host.os.type == "windows" and event.type == "start" and
                          "WerFault.exe",
                          "WUDFHost.exe",
                          "unsecapp.exe",
-                         "wlanext.exe" )
+                         "wlanext.exe" ) and
+  not (process.parent.name : "dllhost.exe" and process.parent.args : "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}")
 '''
 
 

rules/windows/persistence_registry_uncommon.toml

@@ -102,7 +102,14 @@ id = "T1547.001"
 name = "Registry Run Keys / Startup Folder"
 reference = "https://attack.mitre.org/techniques/T1547/001/"
 
-
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+[[rule.threat.technique.subtechnique]]
+id = "T1546.002"
+name = "Screensaver"
+reference = "https://attack.mitre.org/techniques/T1546/002/"
 
 [rule.threat.tactic]
 id = "TA0003"

rules/windows/persistence_startup_folder_scripts.toml

@@ -137,6 +137,11 @@ id = "T1547.001"
 name = "Registry Run Keys / Startup Folder"
 reference = "https://attack.mitre.org/techniques/T1547/001/"
 
+[[rule.threat.technique.subtechnique]]
+id = "T1547.009"
+name = "Shortcut Modification"
+reference = "https://attack.mitre.org/techniques/T1547/009/"
+
 
 
 [rule.threat.tactic]

rules_building_block/credential_access_kirbi_file.toml

@@ -0,0 +1,70 @@
+[metadata]
+creation_date = "2023/08/23"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running
+Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the
+attacker to impersonate users using Kerberos tickets.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Kirbi File Creation"
+risk_score = 21
+rule_id = "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+
+[[rule.threat.technique]]
+id = "T1558"
+name = "Steal or Forge Kerberos Tickets"
+reference = "https://attack.mitre.org/techniques/T1558/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+

rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

@@ -0,0 +1,48 @@
+[metadata]
+creation_date = "2023/08/23"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Binary Content Copy via Cmd.exe"
+risk_score = 21
+rule_id = "53dedd83-1be7-430f-8026-363256395c8b"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+building_block_type = "default"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+  process.name : "cmd.exe" and (
+    (process.args : "type" and process.args : (">", ">>")) or
+    (process.args : "copy" and process.args : "/b"))
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"

rules_building_block/defense_evasion_unusual_process_extension.toml

@@ -0,0 +1,60 @@
+[metadata]
+creation_date = "2023/08/23"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies processes running with unusual extensions that are not typically valid for Windows executables.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Unusual Process Extension"
+risk_score = 21
+rule_id = "800e01be-a7a4-46d0-8de9-69f3c9582b44"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+building_block_type = "default"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+  process.executable : "?*" and 
+  not process.name : ("*.exe", "*.com", "*.scr", "*.tmp", "*.dat") and
+  not process.executable : 
+    (
+      "MemCompression",
+      "Registry",
+      "vmmem",
+      "vmmemWSL",
+      "?:\\Program Files\\Dell\\SupportAssistAgent\\*.p5x",
+      "?:\\Program Files\\Docker\\Docker\\com.docker.service",
+      "?:\\Users\\*\\AppData\\Local\\Intel\\AGS\\Libs\\AGSRunner.bin"
+    ) and
+  not (
+    (process.name : "C9632CF058AE4321B6B0B5EA39B710FE" and process.code_signature.subject_name == "Dell Inc") or
+    (process.name : "*.upd" and process.code_signature.subject_name == "Bloomberg LP") or
+    (process.name: "FD552E21-686E-413C-931D-3B82A9D29F3B" and process.code_signature.subject_name: "Adobe Inc.") or
+    (process.name: "3B91051C-AE82-43C9-BCEF-0309CD2DD9EB" and process.code_signature.subject_name: "McAfee, LLC")
+  )
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"

rules_building_block/defense_evasion_unusual_process_path_wbem.toml

@@ -0,0 +1,54 @@
+[metadata]
+creation_date = "2023/08/23"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies unusual processes running from the WBEM path, uncommon outside WMI-related Windows processes.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Unusual Process Execution on WBEM Path"
+risk_score = 21
+rule_id = "1f460f12-a3cf-4105-9ebb-f788cc63f365"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+building_block_type = "default"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+  process.executable : ("?:\\Windows\\System32\\wbem\\*", "?:\\Windows\\SysWow64\\wbem\\*") and
+  not process.name : (
+    "mofcomp.exe",
+    "scrcons.exe",
+    "unsecapp.exe",
+    "wbemtest.exe",
+    "winmgmt.exe",
+    "wmiadap.exe",
+    "wmiapsrv.exe",
+    "wmic.exe",
+    "wmiprvse.exe"
+  )
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"

rules_building_block/execution_downloaded_shortcut_files.toml

@@ -1,37 +1,34 @@
 [metadata]
 creation_date = "2020/09/02"
-integration = ["endpoint", "windows"]
-maturity = "development"
-query_schema_validation = false
-updated_date = "2023/06/22"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
 
 [rule]
 author = ["Elastic"]
 description = """
 Identifies .lnk shortcut file downloaded from outside the local network. These shortcut files are commonly used in
 phishing campaigns.
+
 """
-from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Downloaded Shortcut Files"
 risk_score = 21
-rule_id = "6b1fd8e8-cefe-444c-bc4d-feaa2c497347"
+rule_id = "39157d52-4035-44a8-9d1a-6f8c5f580a07"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
 type = "eql"
+building_block_type = "default"
 
 query = '''
-/* leaving in development pending `file.Ext.windows.zone_identifier` landing in ECS then endpoint */
-
-sequence by process.entity_id with maxspan=2s
-                                           /* file.extension added to endpoint fields for 7.10 */
-  [file where host.os.type == "windows" and event.type == "creation" and file.extension == "lnk"]
-                                           /* not sure yet how the update will capture ADS */
-  [file where host.os.type == "windows" and event.type == "creation" and file.extension == "lnk:Zone.Identifier" and
-     /* non-ECS field - may disqualify conversion */
-     file.Ext.windows.zone_identifier > 1]
+file where host.os.type == "windows" and event.type == "creation" and file.extension == "lnk" and file.Ext.windows.zone_identifier > 1
 '''
 
 

rules_building_block/execution_downloaded_url_file.toml

@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/09/02"
-integration = ["endpoint", "windows"]
-maturity = "development"
-query_schema_validation = false
-updated_date = "2023/06/22"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
 
 [rule]
 author = ["Elastic"]
@@ -11,26 +12,23 @@ description = """
 Identifies .url shortcut files downloaded from outside the local network. These shortcut files are commonly used in
 phishing campaigns.
 """
-from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Downloaded URL Files"
-risk_score = 47
+risk_score = 21
 rule_id = "cd82e3d6-1346-4afd-8f22-38388bbf34cb"
-severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
 type = "eql"
 
 query = '''
-/* leaving in development pending `file.Ext.windows.zone_identifier` landing in ECS then endpoint */
-
-sequence by process.entity_id with maxspan=2s
-  [file where host.os.type == "windows" and event.type == "creation" and file.extension == "url" and
-     not process.name == "explorer.exe"]
-  [file where host.os.type == "windows" and event.type == "creation" and file.extension == "url:Zone.Identifier" and
-      /* non-ECS field - may disqualify conversion */
-     file.Ext.windows.zone_identifier > 1 and not process.name == "explorer.exe"]
+file where host.os.type == "windows" and event.type == "creation" and file.extension == "url"
+   and file.Ext.windows.zone_identifier > 1 and not process.name : "explorer.exe"
 '''
 
 

rules_building_block/execution_mofcomp.toml

@@ -0,0 +1,65 @@
+[metadata]
+creation_date = "2023/08/23"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Managed Object Format (MOF) files can be compiled locally or remotely through mofcomp.exe. Attackers may leverage MOF
+files to build their own namespaces and classes into the Windows Management Instrumentation (WMI) repository, or
+establish persistence using WMI Event Subscription.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Mofcomp Activity"
+risk_score = 21
+rule_id = "210d4430-b371-470e-b879-80b7182aa75e"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+building_block_type = "default"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+  process.name : "mofcomp.exe" and process.args : "*.mof" and
+  not user.id : "S-1-5-18"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1047"
+name = "Windows Management Instrumentation"
+reference = "https://attack.mitre.org/techniques/T1047/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+[[rule.threat.technique.subtechnique]]
+id = "T1546.003"
+name = "Windows Management Instrumentation Event Subscription"
+reference = "https://attack.mitre.org/techniques/T1546/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"

rules_building_block/execution_wmi_wbemtest.toml

@@ -0,0 +1,45 @@
+[metadata]
+creation_date = "2023/08/24"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/24"
+
+[rule]
+author = ["Elastic"]
+description = """
+Adversaries may abuse the WMI diagnostic tool, wbemtest.exe, to enumerate WMI object instances or invoke methods against
+local or remote endpoints.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "WMI WBEMTEST Utility Execution"
+risk_score = 21
+rule_id = "d3551433-782f-4e22-bbea-c816af2d41c6"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and process.name : "wbemtest.exe"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1047"
+name = "Windows Management Instrumentation"
+reference = "https://attack.mitre.org/techniques/T1047/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"

rules_building_block/lateral_movement_wmic_remote.toml

@@ -0,0 +1,61 @@
+[metadata]
+creation_date = "2023/08/24"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/24"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the use of wmic.exe to run commands on remote hosts. While this can be used by administrators legitimately,
+attackers can abuse this built-in utility to achieve lateral movement.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "WMIC Remote Command"
+risk_score = 21
+rule_id = "f59668de-caa0-4b84-94c1-3a1549e1e798"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+  process.name : "WMIC.exe" and
+  process.args : "*node:*" and
+  process.args : ("call", "set", "get")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1047"
+name = "Windows Management Instrumentation"
+reference = "https://attack.mitre.org/techniques/T1047/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"

rules_building_block/persistence_msoffice_startup_registry.toml

@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/08/22"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/22"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the modification of the Microsoft Office "Office Test" Registry key, a registry location that can be used to
+specify a DLL which will be executed every time an MS Office application is started. Attackers can abuse this to gain
+persistence on a compromised host.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Office Test Registry Persistence"
+references = [
+    "https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/",
+]
+risk_score = 21
+rule_id = "14dab405-5dd9-450c-8106-72951af2391f"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+building_block_type = "default"
+
+query = '''
+registry where host.os.type == "windows" and event.action != "deletion" and
+    registry.path : "*\\Software\\Microsoft\\Office Test\\Special\\Perf\\*"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1137"
+name = "Office Application Startup"
+reference = "https://attack.mitre.org/techniques/T1137/"
+[[rule.threat.technique.subtechnique]]
+id = "T1137.002"
+name = "Office Test"
+reference = "https://attack.mitre.org/techniques/T1137/002/"
+	
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"

tests/test_all_rules.py

@@ -1177,20 +1177,29 @@ class TestNoteMarkdownPlugins(BaseRuleTest):
         for rule in self.production_rules.rules:
             has_transform = rule.contents.get('transform') is not None
             has_note = rule.contents.data.get('note') is not None
+            note = rule.contents.data.note
 
-            if has_transform and not has_note:
-                self.fail(f'{self.rule_str(rule)} transformed defined with no note')
-            elif not has_transform:
-                continue
+            if has_transform:
+                if not has_note:
+                    self.fail(f'{self.rule_str(rule)} transformed defined with no note')
+            else:
+                if not has_note:
+                    continue
+
+            note_template = PatchedTemplate(note)
+            identifiers = [i for i in note_template.get_identifiers() if '_' in i]
+
+            if not has_transform:
+                if identifiers:
+                    self.fail(f'{self.rule_str(rule)} note contains plugin placeholders with no transform entries')
+                else:
+                    continue
 
             transform = rule.contents.transform
             transform_counts = {plugin: len(entries) for plugin, entries in transform.to_dict().items()}
-            note = rule.contents.data.note
-            self.assertIsNotNone(note)
-            note_template = PatchedTemplate(note)
 
             note_counts = defaultdict(int)
-            for identifier in note_template.get_identifiers():
+            for identifier in identifiers:
                 # "$" is used for other things, so this verifies the pattern of a trailing "_" followed by ints
                 if '_' not in identifier:
                     continue