[Rule Tuning] Add endgame support for Windows Rules (#2285)

* [Rule Tuning] Add endgame support for Windows Rules

* Update collection_email_powershell_exchange_mailbox.toml

* Supported Rules - First Half

* bump updated_date

* Add tag

* Revert compat

* missing tags
This commit is contained in:
Jonhnathan
2022-10-19 08:27:44 -07:00
committed by GitHub
parent dcedacd583
commit 183b1ffdd3
98 changed files with 344 additions and 318 deletions
@@ -3,7 +3,7 @@ creation_date = "2020/12/15"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ mailbox or archive to a .pst file. Adversaries may target user email to collect
"""
false_positives = ["Legitimate exchange system administration activity."]
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Exporting Exchange Mailbox via PowerShell"
@@ -78,7 +78,7 @@ references = [
risk_score = 47
rule_id = "6aace640-e631-4870-ba8e-5fdda09325db"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/12/04"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies use of WinRar or 7z to create an encrypted files. Adversaries will of
preparation for exfiltration.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Encrypting Files with WinRar or 7z"
@@ -66,7 +66,7 @@ references = ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-ba
risk_score = 47
rule_id = "45d273fb-1dca-457d-9855-bcb302180c21"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/11/11"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ This rule identifies a large number (15) of nslookup.exe executions with an expl
may indicate command and control activity utilizing the DNS protocol.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential DNS Tunneling via NsLookup"
@@ -64,7 +64,7 @@ references = ["https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-ove
risk_score = 47
rule_id = "3a59fc81-99d3-47ea-8cd6-d48d561fca20"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide", "Elastic Endgame"]
type = "threshold"
query = '''
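Review bot: This threshold rule is the only one on the page without `timestamp_override = "event.ingested"` (it goes straight from `tags` to `type = "threshold"`), and it now also reads `endgame-*`. With `from = "now-9m"` the window is evaluated against `@timestamp`, so Endgame events that land with more than a few minutes of ingest delay would never be counted toward the 15-execution threshold. If the target stack supports the override on threshold rules, adding `timestamp_override = "event.ingested"` after the `tags` line would align it with every other rule in this commit. The query body is outside the hunk, so I could not check that its `process.name`/category constraints are satisfied by Endgame process events.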
@@ -3,7 +3,7 @@ creation_date = "2020/11/25"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies the creation of a new port forwarding rule. An adversary may abuse th
segmentation restrictions.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Port Forwarding Rule Addition"
@@ -79,12 +79,15 @@ references = [
risk_score = 47
rule_id = "3535c8bb-3bd5-40f4-ae32-b7cd589d5372"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
registry where registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*"
registry where registry.path : (
"HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*",
"\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*"
)
'''
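Review bot: The predicate `registry where registry.path : (` has no `event.type` filter, so a rule named "Port Forwarding Rule Addition" also fires when a PortProxy value is deleted, not only when one is added. The WDigest rule in this same commit scopes its registry match with `event.type : ("creation", "change")`; the equivalent guard here would be `registry where event.type in ("creation", "change") and registry.path : (`. If deletion events are intentionally kept (an adversary tearing down a tunnel is still of interest), a one-line comment in the query saying so would stop the next reviewer from tightening it. I could not confirm from this page that Endgame registry events populate `event.type` with the same values, so that should be sampled before the filter is added.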
@@ -3,7 +3,7 @@ creation_date = "2020/10/14"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies potential use of an SSH utility to establish RDP over a reverse SSH T
enable routing of network packets that would otherwise not reach their intended destination.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Remote Desktop Tunneling Detected"
@@ -69,7 +69,7 @@ references = ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunn
risk_score = 73
rule_id = "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/09/03"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/20"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies the desktopimgdownldr utility being used to download a remote file. A
download arbitrary files as an alternative to certutil.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Remote File Download via Desktopimgdownldr Utility"
@@ -82,7 +82,7 @@ references = ["https://labs.sentinelone.com/living-off-windows-land-a-new-native
risk_score = 47
rule_id = "15c0b7a7-9c34-4869-b25b-fa6518414899"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,13 +3,13 @@ creation_date = "2020/09/03"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/20"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
description = "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file."
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Remote File Download via MpCmdRun"
@@ -77,7 +77,7 @@ references = [
risk_score = 47
rule_id = "c6453e73-90eb-4fe7-a98c-cde7bbfc504a"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,13 +3,13 @@ creation_date = "2020/09/02"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/20"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
description = "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session."
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Remote File Copy via TeamViewer"
@@ -75,7 +75,7 @@ references = ["https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.ht
risk_score = 47
rule_id = "b25a7df2-120a-4db2-bd3f-3e4b86b24bee"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/11/24"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies the execution of known Windows utilities often abused to dump LSASS m
(NTDS.dit) in preparation for credential access.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Credential Access via Windows Utilities"
@@ -70,7 +70,7 @@ references = ["https://lolbas-project.github.io/"]
risk_score = 73
rule_id = "00140285-b827-4aee-aa09-8113f58a08f3"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/11/24"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -12,7 +12,7 @@ Identifies a copy operation of the Active Directory Domain Database (ntds.dit) o
Those files contain sensitive information including hashed domain and/or local credentials.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
max_signals = 33
@@ -28,7 +28,7 @@ references = [
risk_score = 73
rule_id = "3bc6deaa-fbd4-433a-ae21-3e892f95624f"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/08/13"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies the creation or modification of Domain Backup private keys. Adversari
(DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Creation or Modification of Domain Backup DPAPI private key"
@@ -31,7 +31,7 @@ references = [
risk_score = 73
rule_id = "b83a7e96-2eb3-4edf-8346-427b6858d3bd"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,13 +3,13 @@ creation_date = "2020/11/23"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
description = "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool."
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Credential Acquisition via Registry Hive Dumping"
@@ -71,7 +71,7 @@ references = [
risk_score = 73
rule_id = "a7e7bfa3-088e-4f13-b29e-3986e0e756b8"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/08/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies the Internet Information Services (IIS) command-line tool, AppCmd, be
with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
max_signals = 33
@@ -25,7 +25,7 @@ references = ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-
risk_score = 73
rule_id = "0564fb9d-90b9-4234-a411-82a546dc1343"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/08/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ access via a webshell or alike can decrypt and dump any hardcoded connection str
password using aspnet_regiis command.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
max_signals = 33
@@ -29,7 +29,7 @@ references = [
risk_score = 73
rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/24"
maturity = "production"
updated_date = "2022/08/24"
updated_date = "2022/09/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -13,7 +13,7 @@ indicate a credential access attempt via trusted system utilities such as Task M
(sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "LSASS Memory Dump Creation"
@@ -25,7 +25,7 @@ references = ["https://github.com/outflanknl/Dumpert", "https://github.com/hoang
risk_score = 73
rule_id = "f2f46686-6f3c-4724-bd7d-24e31c70f98f"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Elastic Endgame"]
timeline_id = "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c"
timeline_title = "Comprehensive File Timeline"
timestamp_override = "event.ingested"
@@ -3,13 +3,13 @@ creation_date = "2020/08/31"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
description = "Identifies the password log file from the default Mimikatz memssp module."
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Mimikatz Memssp Log File Detected"
@@ -73,7 +73,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 73
rule_id = "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2021/01/19"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/20"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ an endpoint. Once the UseLogonCredential value is modified, the adversary may at
memory.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Modification of WDigest Security Provider"
@@ -87,15 +87,16 @@ references = [
risk_score = 73
rule_id = "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
registry where event.type : ("creation", "change") and
registry.path :
"HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential"
and registry.data.strings : ("1", "0x00000001") and
registry.path : (
"HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential",
"\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential"
) and registry.data.strings : ("1", "0x00000001") and
not (process.executable : "?:\\Windows\\System32\\svchost.exe" and user.id : "S-1-5-18")
'''
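Review bot: The Endgame-style `\\REGISTRY\\MACHINE\\...` path is added, but the two other conditions the match depends on, `event.type : ("creation", "change")` and `registry.data.strings : ("1", "0x00000001")`, are not shown on this page to hold for Endgame registry events; if Endgame emits a different `event.type` or renders the DWORD differently, the new path never matches and `endgame-*` is silently a no-op for this rule. A sample query against `endgame-*` for this path would settle it. Separately, the trailing exclusion `not (process.executable : "?:\\Windows\\System32\\svchost.exe" and user.id : "S-1-5-18")` exempts anything executing inside a SYSTEM svchost, which is presumably broader than the single service that legitimately writes this value; narrowing it, or commenting why the blanket exclusion is acceptable, would be a worthwhile follow-up.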
@@ -3,7 +3,7 @@ creation_date = "2021/03/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ during user logon.
"""
false_positives = ["Authorized third party network logon providers."]
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Network Logon Provider Registry Modification"
@@ -25,13 +25,16 @@ references = [
risk_score = 47
rule_id = "54c3d186-0461-4dc3-9b33-2dc5c7473936"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Credential Access"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Credential Access", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
registry where registry.data.strings != null and
registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\NetworkProvider\\ProviderPath" and
registry.path : (
"HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\NetworkProvider\\ProviderPath",
"\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\NetworkProvider\\ProviderPath"
) and
/* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */
not ( user.id : "S-1-5-18" and
registry.data.strings in
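Review bot: The exclusion beginning at `not ( user.id : "S-1-5-18" and registry.data.strings in` only takes effect when the event carries `user.id`; this rule was previously limited to `logs-endpoint.events.*`, and whether Endgame registry events populate `user.id` is not visible here. If they do not, the default-provider exclusion never applies to Endgame data and the rule alerts on every RDPNP/LanmanWorkstation/webclient write from that source. Verifying against a sample before shipping is cheap; the default-provider value list itself continues past the end of this hunk. The added `\\REGISTRY\\MACHINE\\SYSTEM` variant mirrors the HKLM pattern correctly.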
@@ -3,7 +3,7 @@ creation_date = "2022/04/30"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies attempt to coerce a local NTLM authentication via HTTP using the Wind
An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Local NTLM Relay via HTTP"
@@ -24,7 +24,7 @@ references = [
risk_score = 73
rule_id = "4682fd2c-cfae-47ed-a543-9bed37657aa6"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2021/01/19"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ applications, and networks. An adversary may abuse this to list or dump credenti
saved usernames and passwords. This may also be performed in preparation of lateral movement.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Searching for Saved Credentials via VaultCmd"
@@ -28,7 +28,7 @@ references = [
risk_score = 47
rule_id = "be8afaed-4bcd-4e0a-b5f9-5562003dde81"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2021/12/25"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/27"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -13,7 +13,7 @@ copy, including sensitive files such as ntds.dit, System Boot Key and browser of
"""
false_positives = ["Legitimate administrative activity related to shadow copies."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Symbolic Link to Shadow Copy Created"
@@ -95,7 +95,7 @@ references = [
risk_score = 47
rule_id = "d117cbb4-7d56-41b4-b999-bdf8c25648a0"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,13 +3,13 @@ creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
description = "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection."
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Adding Hidden File Attribute via Attrib"
@@ -20,7 +20,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 21
rule_id = "4630d948-40d4-4cef-ac69-4002e29bc3db"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
timeline_title = "Comprehensive Process Timeline"
timestamp_override = "event.ingested"
@@ -3,7 +3,7 @@ creation_date = "2021/06/01"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/20"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies modifications of the AmsiEnable registry key to 0, which disables the
adversary can modify this key to disable AMSI protections.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Modification of AmsiEnable Registry Key"
@@ -85,7 +85,7 @@ references = [
risk_score = 73
rule_id = "f874315d-5188-4b4a-8521-d1c73093a7e4"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -93,7 +93,8 @@ query = '''
registry where event.type in ("creation", "change") and
registry.path : (
"HKEY_USERS\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable",
"HKU\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable"
"HKU\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable",
"\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable"
) and
registry.data.strings: ("0", "0x00000000")
'''
@@ -3,7 +3,7 @@ creation_date = "2021/11/22"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/27"
[rule]
author = ["Austin Songer"]
@@ -12,7 +12,7 @@ Identifies when a user attempts to clear console history. An adversary may clear
account to conceal the actions undertaken during an intrusion.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Clearing Windows Console History"
@@ -68,12 +68,12 @@ references = [
risk_score = 47
rule_id = "b5877334-677f-4fb9-86d5-a9721274223b"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.action == "start" and
process where event.type == "start" and
(process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name == "PowerShell.EXE") and
(process.args : "*Clear-History*" or
(process.args : ("*Remove-Item*", "rm") and process.args : ("*ConsoleHost_history.txt*", "*(Get-PSReadlineOption).HistorySavePath*")) or
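Review bot: In `(process.args : ("*Remove-Item*", "rm") and process.args : ("*ConsoleHost_history.txt*", ...))`, `rm` is matched as a literal token but the other built-in PowerShell aliases for Remove-Item (`ri`, `del`, `erase`) are not, so `del (Get-PSReadlineOption).HistorySavePath` clears the history without tripping the rule. Extending the list to `process.args : ("*Remove-Item*", "rm", "ri", "del", "erase")` closes that gap at no false-positive cost, since the second clause still requires the history-file path. The switch from `event.action == "start"` to `event.type == "start"` is the right ECS field for the added `endgame-*` data; `process.pe.original_file_name` may be absent there, but it is only an `or` branch so the `process.name` match still carries. The remainder of the condition continues past the end of this hunk.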
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies attempts to clear or disable Windows event log stores using Windows w
attackers in an attempt to evade detection or destroy forensic evidence on a system.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Clearing Windows Event Logs"
@@ -65,7 +65,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 21
rule_id = "d331bbe2-6db4-4941-80a5-8270db72eb61"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2021/02/01"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/20"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ certificate would allow an attacker the ability to masquerade malicious files as
"""
false_positives = ["Certain applications may install root certificates for the purpose of inspecting SSL traffic."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Creation or Modification of Root Certificate"
@@ -86,7 +86,7 @@ references = [
risk_score = 21
rule_id = "203ab79b-239b-4aa5-8e54-fc50623ee8e4"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -97,7 +97,11 @@ registry where event.type in ("creation", "change") and
"HKLM\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
"HKLM\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob",
"HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
"HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob"
"HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob",
"\\REGISTRY\\MACHINE\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
"\\REGISTRY\\MACHINE\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob",
"\\REGISTRY\\MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
"\\REGISTRY\\MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob"
) and
not process.executable :
("?:\\Program Files\\*.exe",
@@ -3,7 +3,7 @@ creation_date = "2020/12/23"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies modifications to the Windows Defender registry settings to disable th
started manually.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Windows Defender Disabled via Registry Modification"
@@ -70,7 +70,7 @@ references = ["https://thedfirreport.com/2020/12/13/defender-control/"]
risk_score = 21
rule_id = "2ffa1f1e-b6db-47fa-994b-1512743847eb"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -78,11 +78,17 @@ query = '''
registry where event.type in ("creation", "change") and
(
(
registry.path:"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware" and
registry.path: (
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware"
) and
registry.data.strings: ("1", "0x00000001")
) or
(
registry.path:"HKLM\\System\\*ControlSet*\\Services\\WinDefend\\Start" and
registry.path: (
"HKLM\\System\\*ControlSet*\\Services\\WinDefend\\Start",
"\\REGISTRY\\MACHINE\\System\\*ControlSet*\\Services\\WinDefend\\Start"
) and
registry.data.strings in ("3", "4", "0x00000003", "0x00000004")
)
) and
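Review bot: The two branches test `registry.data.strings` with different operators — `:` on the DisableAntiSpyware branch and `in` on the WinDefend\\Start branch — and the new `registry.path: (` lines omit the space before `:` that the sibling Script Block Logging rule in this commit uses. For all-digit values the two operators should behave the same, so this is style only, but one operator keeps the intent obvious: `registry.data.strings : ("3", "4", "0x00000003", "0x00000004")`. The enclosing `registry where event.type in (...)` head is in the hunk, but the trailing exclusions after `) and` run past it.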
@@ -3,7 +3,7 @@ creation_date = "2021/07/20"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/20"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies modifications to the Windows Defender configuration settings using Po
directory or process level.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Windows Defender Exclusions Added via PowerShell"
@@ -81,7 +81,7 @@ references = ["https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitd
risk_score = 47
rule_id = "2c17e5d7-08b9-43b2-b58a-0270d65ac85b"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is
of files created during post-exploitation activities.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Delete Volume USN Journal with Fsutil"
@@ -23,7 +23,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 21
rule_id = "f675872f-6d85-40a3-b502-c0d2ef101e92"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2022/01/31"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies attempts to disable PowerShell Script Block Logging via registry modi
logging to conceal their activities in the host and evade detection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "PowerShell Script Block Logging Disabled"
@@ -88,15 +88,16 @@ references = [
risk_score = 47
rule_id = "818e23e6-2094-4f0e-8c01-22d30f3506c6"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
registry where event.type == "change" and
registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging"
and registry.data.strings : ("0", "0x00000000")
registry.path : (
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging"
) and registry.data.strings : ("0", "0x00000000")
'''
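Review bot: This query keeps `event.type == "change"` while the root-certificate and Windows Defender rules touched in the same commit use `event.type in ("creation", "change")`; if the `EnableScriptBlockLogging` value does not yet exist and is created set to `0`, that event is presumably a creation and would be missed here. Consider `registry where event.type in ("creation", "change") and` if that case matters to this rule. The line is pre-existing context rather than part of this change, but it is cheap to align while the query is being edited, and the whole query body is visible in this hunk.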
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies use of the netsh.exe to disable or weaken the local firewall. Attacke
disable the firewall during troubleshooting or to enable network mobility.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Disable Windows Firewall Rules via Netsh"
@@ -57,7 +57,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "4b438734-3793-4fda-bd42-ceeada0be8f9"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,14 +3,14 @@ creation_date = "2021/07/07"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
description = "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings."
false_positives = ["Planned Windows Defender configuration changes."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Disabling Windows Defender Security Settings via PowerShell"
@@ -71,7 +71,7 @@ references = [
risk_score = 47
rule_id = "c8cccb06-faf2-4cd5-886e-2c9636cfcb87"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2021/05/06"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic", "Ivan Ninichuck", "Austin Songer"]
@@ -12,7 +12,7 @@ Identifies attempts to disable EventLog via the logman Windows utility, PowerShe
attackers in an attempt to evade detection on a system.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Disable Windows Event and Security Logs Using Built-in Tools"
@@ -64,7 +64,7 @@ references = [
risk_score = 21
rule_id = "4de76544-f0e5-486a-8f84-eae0b6063cdc"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2021/07/22"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/09/27"
[rule]
author = ["Austin Songer"]
@@ -13,7 +13,7 @@ data. With this enabled, an organization will lose visibility into data such as
IP, which are used to determine bad actors.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "DNS-over-HTTPS Enabled via Registry"
@@ -28,7 +28,7 @@ references = [
risk_score = 21
rule_id = "a22a09c2-2162-4df0-a356-9aacbeb56a04"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,13 +3,13 @@ creation_date = "2020/08/21"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
description = "Identifies suspicious .NET code execution. connections."
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious .NET Code Compilation"
@@ -20,7 +20,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "201200f1-a99b-43fb-88ed-f65a45c4972c"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/10/13"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies use of the network shell utility (netsh.exe) to enable inbound Remote
the Windows Firewall.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Remote Desktop Enabled in Windows Firewall by Netsh"
@@ -65,7 +65,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "074464f9-f30d-4029-8c03-0ed237fffec7"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2021/07/07"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/20"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ tool to weaken the host firewall settings.
"""
false_positives = ["Host Windows Firewall planned system administration changes."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Enable Host Network Discovery via Netsh"
@@ -63,7 +63,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "8b4f0816-6a65-4630-86a6-c21c179c0d09"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2021/09/08"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies unusual instances of Control Panel with suspicious keywords or paths
Adversaries may abuse control.exe to proxy execution of malicious code.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Control Panel Process with Unusual Arguments"
@@ -24,7 +24,7 @@ references = ["https://www.joesandbox.com/analysis/476188/1/html"]
risk_score = 73
rule_id = "416697ae-e468-4093-a93d-59661fa619ec"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/10/13"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load
as a defense evasion technique to blend-in malicious activity with legitimate Windows software.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "ImageLoad via Windows Update Auto Update Client"
@@ -24,7 +24,7 @@ references = ["https://dtm.uk/wuauclt/"]
risk_score = 47
rule_id = "edf8ee23-5ea7-4123-ba19-56b41e424ae3"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
timeline_title = "Comprehensive Process Timeline"
timestamp_override = "event.ingested"
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/20"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Microsoft Build Engine Started by an Office Application"
@@ -94,7 +94,7 @@ references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-m
risk_score = 73
rule_id = "c5dc3223-13a2-44a2-946c-e9dc0aa0449c"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ behavior is unusual and is sometimes used by malicious payloads.
"""
false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Microsoft Build Engine Started by a Script Process"
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 21
rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Instrumentation) subsystem. This behavior is unusual and is sometimes used by ma
"""
false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Microsoft Build Engine Started by a System Process"
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ indicate an attempt to run unnoticed or undetected.
"""
false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Microsoft Build Engine Using an Alternate Name"
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 21
rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Microsoft Build Engine Started an Unusual Process"
@@ -30,7 +30,7 @@ references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-m
risk_score = 21
rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/09/03"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ starting after being renamed or from a non-standard path. This is uncommon behav
defenses via side loading a malicious DLL within the memory space of one of those processes.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential DLL SideLoading via Trusted Microsoft Programs"
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 73
rule_id = "1160dcdb-0a0a-4a79-91d8-9b84616edebd"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2021/07/07"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/09/27"
[rule]
author = ["Elastic", "Dennis Perto"]
@@ -14,7 +14,7 @@ side-loading a malicious DLL within the memory space of one of those processes.
"""
false_positives = ["Microsoft Antimalware Service Executable installed on non default installation path."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential DLL Side-Loading via Microsoft Antimalware Service Executable"
@@ -28,7 +28,7 @@ references = [
risk_score = 73
rule_id = "053a0387-f3b5-4ba5-8245-8002cca2bd08"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2021/01/19"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ when the name or location of a file is manipulated as a means of tricking a user
benign file type but is actually executable code.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Executable File Creation with Multiple Extensions"
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "8b2b3a62-a598-4293-bc14-3d5fa22bb98f"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/10/30"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies process execution from suspicious default Windows directories. This i
malware in trusted paths.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Process Execution from an Unusual Directory"
@@ -23,7 +23,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "ebfe1448-7fac-4d59-acea-181bd89b1f7f"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/11/25"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,14 +12,14 @@ Identifies registry write modifications to hide an encoded portable executable.
defense evasion by avoiding the storing of malicious content directly on disk.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Encoded Executable Stored in the Registry"
risk_score = 47
rule_id = "93c1ce76-494c-4f01-8167-35edfb52f7b1"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
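Review bot: This rule's index list was previously `logs-endpoint.events.*` alone — unlike the other rules in this commit it never included `winlogbeat-*` — which suggests its query (not shown in this hunk) depends on a field or value format that only Endpoint produces. Before relying on the `endgame-*` addition it is worth checking against a sample Endgame registry event that the field(s) the query reads are present in the same form; if they are not, the new index contributes nothing and the `Elastic Endgame` tag overstates the rule's coverage.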
@@ -3,7 +3,7 @@ creation_date = "2020/04/14"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies when Internet Information Services (IIS) HTTP Logging is disabled on
access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
max_signals = 33
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 73
rule_id = "ebf1adea-ccf2-4943-8b96-7ab11ca173a5"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/08/24"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ A suspicious Endpoint Security parent process was detected. This may indicate a
injection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Endpoint Security Parent Process"
@@ -23,7 +23,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "b41a13c6-ba45-4bab-a534-df53d0cfed6a"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/09/01"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies a suspicious AutoIt process execution. Malware written as an AutoIt s
executable to avoid detection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Renamed AutoIt Scripts Interpreter"
@@ -23,7 +23,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "2e1e835d-01e5-48ca-b9fc-7a61f7f11902"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/08/24"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ such as command line, network connections, file writes and parent process detail
"""
false_positives = ["Custom Windows error reporting debugger or applications restarted by WerFault after a crash."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious WerFault Child Process"
@@ -29,7 +29,7 @@ references = [
risk_score = 47
rule_id = "ac5012b8-8da8-440b-aaaf-aedafdea2dff"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/11/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ usually host trusted third party programs. An adversary may leverage masqueradin
detections allowlisting those folders.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Program Files Directory Masquerading"
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2022/01/12"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/20"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Macros. Adversaries may abuse these security settings to modify the default beha
future macros and/or disable security warnings, which could increase their chances of establishing persistence.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "MS Office Macro Security Registry Modifications"
@@ -87,7 +87,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "feeed87c-5e95-4339-aef1-47fd79bcfbe3"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -95,9 +95,11 @@ query = '''
registry where event.type == "change" and
registry.path : (
"HKU\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\AccessVBOM",
"HKU\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\VbaWarnings"
"HKU\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\VbaWarnings",
"\\REGISTRY\\USER\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\AccessVBOM",
"\\REGISTRY\\USER\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\VbaWarnings"
) and
registry.data.strings == "0x00000001" and
registry.data.strings : ("0x00000001", "1") and
process.name : ("cscript.exe", "wscript.exe", "mshta.exe", "mshta.exe", "winword.exe", "excel.exe")
'''
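Review bot: The `process.name` list on the last line of the query names `"mshta.exe"` twice; the duplicate is harmless to EQL but reads as a copy-paste slip, so drop one: `process.name : ("cscript.exe", "wscript.exe", "mshta.exe", "winword.exe", "excel.exe")`. The new `\\REGISTRY\\USER\\...` path pair and the `("0x00000001", "1")` value set look consistent with the other registry rules in this commit, which list both the hive alias and the native `\REGISTRY\` form. Note that the index list for this rule (L1462) carries `winlogbeat-*`, `logs-windows.*` and now `endgame-*` but not `logs-endpoint.events.*`; if that omission is deliberate it would be worth a one-line note in the rule, since every neighbouring registry rule in the commit queries the Endpoint index as well.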
@@ -3,7 +3,7 @@ creation_date = "2021/10/15"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/20"
updated_date = "2022/09/27"
[rule]
author = ["Austin Songer"]
@@ -19,7 +19,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Windows Firewall Disabled via PowerShell"
@@ -76,7 +76,7 @@ references = [
risk_score = 47
rule_id = "f63c8e3c-d396-404f-b2ea-0379d3942d73"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/11/04"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -14,20 +14,20 @@ of these files can occur during an intrusion, or as part of a post-intrusion pro
footprint.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Process Termination followed by Deletion"
risk_score = 47
rule_id = "09443c92-46b3-45a4-8f25-383b028b258d"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
type = "eql"
query = '''
sequence by host.id with maxspan=5s
[process where event.type == "end" and
process.code_signature.trusted == false and
process.code_signature.trusted != true and
not process.executable : ("C:\\Windows\\SoftwareDistribution\\*.exe", "C:\\Windows\\WinSxS\\*.exe")
] by process.executable
[file where event.type == "deletion" and file.extension : ("exe", "scr", "com") and
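Review bot: Replacing `process.code_signature.trusted == false` with `!= true` changes the first stage of the sequence from "explicitly untrusted signature" to "anything that is not a trusted signature", which also matches events where the `process.code_signature.*` fields are absent; with `endgame-*` added to the index list on L1525, if that data source does not populate code signature fields then every process `end` event becomes a candidate first stage and the rule leans entirely on the 5 s deletion join to stay precise. That is probably the intent, but nothing in the hunk records it, so I would add a comment on the condition: `// != true also matches events with no code_signature fields (e.g. data sources that do not report signers)`. The sequence body continues past the end of this hunk.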
@@ -3,7 +3,7 @@ creation_date = "2022/05/31"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (
execution via malicious process arguments.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Microsoft Diagnostics Wizard Execution"
@@ -27,7 +27,7 @@ references = [
risk_score = 73
rule_id = "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/11/23"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ move laterally or persist locally. The AT command has been deprecated since Wind
exists for backwards compatibility.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Scheduled Tasks AT Command Enabled"
@@ -25,14 +25,16 @@ references = ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32
risk_score = 47
rule_id = "9aa0e1f6-52ce-42e1-abb3-09657cee2698"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
registry where
registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt" and
registry.data.strings : ("1", "0x00000001")
registry.path : (
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt"
) and registry.data.strings : ("1", "0x00000001")
'''
@@ -3,7 +3,7 @@ creation_date = "2020/08/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Detects file name patterns generated by the use of Sysinternals SDelete utility
file overwrite and rename operations.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Secure File Deletion via SDelete Utility"
@@ -27,7 +27,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 21
rule_id = "5aee924b-6ceb-4633-980e-1bde8cdb40c5"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2021/01/20"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Windows cryptographic system to validate file signatures on the system. This may
validation checks or inject code into critical processes.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "SIP Provider Modification"
@@ -21,17 +21,17 @@ references = ["https://github.com/mattifestation/PoCSubjectInterfacePackage"]
risk_score = 47
rule_id = "f2c7b914-eda3-40c2-96ac-d23ef91776ca"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
registry where event.type:"change" and
registry.path: (
"HKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
"HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
"HKLM\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll",
"HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll"
"*\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
"*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
"*\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll",
"*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll"
) and
registry.data.strings:"*.dll"
'''
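Review bot: The four `registry.path` patterns now start with a leading `*\\`, which replaces an anchored `HKLM\\` prefix with an unanchored wildcard; on a keyword field that is generally a more expensive match to evaluate against every registry change event, and it also widens the match to any hive rather than the machine hive these keys live under. Elsewhere in this same commit the Endgame form is handled by listing the native `\\REGISTRY\\MACHINE\\` prefix explicitly alongside `HKLM\\` (the AT-command and SolarWinds rules), and I would follow that convention here for consistency and so the prefixes stay anchored.
```toml
registry where event.type:"change" and
  registry.path: (
    "HKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
    "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
    "HKLM\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll",
    "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll",
    "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
    "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
    "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll",
    "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll"
  ) and
  # ... unchanged: registry.data.strings:"*.dll" ...
```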
@@ -3,7 +3,7 @@ creation_date = "2020/12/14"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies a SolarWinds binary modifying the start type of a service to be disab
technique to manipulate relevant security services.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "SolarWinds Process Disabling Services via Registry"
@@ -26,12 +26,15 @@ references = [
risk_score = 47
rule_id = "b9960fef-82c6-4816-befa-44745030e917"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
registry where registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start" and
registry where registry.path : (
"HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start",
"\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\Start"
) and
registry.data.strings : ("4", "0x00000004") and
process.name : (
"SolarWinds.BusinessLayerHost*.exe",
@@ -39,7 +42,7 @@ registry where registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start"
"NetflowDatabaseMaintenance*.exe",
"NetFlowService*.exe",
"SolarWinds.Administration*.exe",
"SolarWinds.Collector.Service*.exe" ,
"SolarWinds.Collector.Service*.exe",
"SolarwindsDiagnostics*.exe")
'''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2022/08/24"
updated_date = "2022/09/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -13,7 +13,7 @@ Certificate Services. CertUtil is often abused by attackers to live off the land
data exfiltration.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious CertUtil Commands"
@@ -30,7 +30,7 @@ references = [
risk_score = 47
rule_id = "fd70c98a-c410-42dc-a2e3-761c71848acf"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
timeline_title = "Comprehensive Process Timeline"
timestamp_override = "event.ingested"
@@ -3,7 +3,7 @@ creation_date = "2020/11/15"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies process execution with a single character process name. This is often
executing temporary utilities.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Execution - Short Program Name"
@@ -23,7 +23,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "17c7f6a5-5bc9-4e1f-92bf-13632d24384d"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/09/03"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ A suspicious Zoom child process was detected, which may indicate an attempt to r
such as command line, network connections, file writes and associated file signature details as well.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Zoom Child Process"
@@ -23,7 +23,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "97aba1ef-6034-4bd3-8c1a-1e0996b27afa"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/08/19"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/20"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies an unexpected executable file being created or modified by a Windows
indicate activity related to remote code execution or other forms of exploitation.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Executable File Creation by a System Critical Process"
@@ -71,7 +71,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 73
rule_id = "e94262f2-c1e9-4d3f-a907-aeab16712e1a"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/12/04"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies processes running from an Alternate Data Stream. This is uncommon for
by adversaries to hide malware.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Process Execution Path - Alternate Data Stream"
@@ -23,7 +23,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "4bd1c1af-79d4-4d37-9efa-6e0240640242"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,13 +3,13 @@ creation_date = "2020/08/19"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
description = "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection."
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Child Process from a System Virtual Process"
@@ -20,7 +20,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 73
rule_id = "de9bd7e0-49e9-4e92-a64d-53ade2e66af1"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ The Filter Manager Control Program (fltMC.exe) binary may be abused by adversari
defenses.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Evasion via Filter Manager"
@@ -23,7 +23,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "06dceabf-adca-48af-ac79-ffdf4c3b1e9a"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2022/03/02"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -12,7 +12,7 @@ Identifies the use of Windows Work Folders to execute a potentially masqueraded
directory. Misuse of Windows Work Folders could indicate malicious activity.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Signed Proxy Execution via MS Work Folders"
@@ -69,7 +69,7 @@ references = [
risk_score = 47
rule_id = "ad0d2742-9a49-11ec-8d6b-acde48001122"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/10/19"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ leveraged by threat actors to perform post-exploitation Active Directory reconna
observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "AdFind Command Activity"
@@ -78,7 +78,7 @@ references = [
risk_score = 21
rule_id = "eda499b8-a073-4e35-9733-22ec71f57f3a"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/12/04"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/20"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies instances of lower privilege accounts enumerating Administrator accou
tools.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Enumeration of Administrator Accounts"
@@ -66,7 +66,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 21
rule_id = "871ea072-1b71-4def-b016-6278b505138d"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2022/05/31"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Enumerating Domain Trusts via NLTEST.EXE"
@@ -34,7 +34,7 @@ references = [
risk_score = 21
rule_id = "84da2554-e12a-11ec-b896-f661ea17fbcd"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,13 +3,13 @@ creation_date = "2020/12/04"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/20"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
description = "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool."
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Windows Network Enumeration"
@@ -59,7 +59,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "7b8bfc26-81d2-435e-965c-d722ee397ef1"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/11/02"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/20"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies use of the Windows file system utility (fsutil.exe) to gather informa
and components connected to a computer system.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Peripheral Device Discovery"
@@ -64,7 +64,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 21
rule_id = "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,13 +3,13 @@ creation_date = "2020/12/04"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/20"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
description = "Discovery of remote system information using built-in commands, which may be used to move laterally."
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Remote System Discovery Commands"
@@ -58,7 +58,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 21
rule_id = "0635c542-1b96-4335-9b47-126582d2c19a"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/10/19"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/20"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies the use of Windows Management Instrumentation Command (WMIC) to disco
such as AntiVirus or Host Firewall details.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Security Software Discovery using WMIC"
@@ -62,7 +62,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "6ea55c81-e2ba-42f2-a134-bccf857ba922"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/20"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "logs-system.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "logs-system.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Whoami Process Activity"
@@ -71,7 +71,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 21
rule_id = "ef862985-3f13-4262-a686-5f357bbb9bc2"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/12/14"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ false_positives = [
"Trusted SolarWinds child processes. Verify process details such as network connections and file writes.",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Command Execution via SolarWinds Process"
@@ -27,7 +27,7 @@ references = [
risk_score = 47
rule_id = "d72e33fc-6e91-42ff-ac8b-e573268c5a87"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/12/14"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ false_positives = [
"Trusted SolarWinds child processes, verify process details such as network connections and file writes.",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious SolarWinds Child Process"
@@ -27,7 +27,7 @@ references = [
risk_score = 47
rule_id = "93b22c0a-06a0-4131-b830-b10d5e166ff4"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2021/01/20"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ programming interface (API) that enables interaction between software objects or
run a COM object created in registry to evade defensive counter measures.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Execution of COM object via Xwizard"
@@ -28,7 +28,7 @@ references = [
risk_score = 47
rule_id = "1a6075b0-7479-450e-8fe7-b8b8438ac570"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2022/09/20"
updated_date = "2022/09/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -9,7 +9,7 @@ min_stack_version = "8.3.0"
author = ["Elastic"]
description = "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe"
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Svchost spawning Cmd"
@@ -73,7 +73,7 @@ references = [
risk_score = 21
rule_id = "fd7a6052-58fa-4397-93c3-4795249ccfa2"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide", "Elastic Endgame"]
timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
timeline_title = "Comprehensive Process Timeline"
timestamp_override = "event.ingested"
@@ -3,13 +3,13 @@ creation_date = "2020/08/21"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
description = "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process."
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Parent Process for cmd.exe"
@@ -20,7 +20,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "3b47900d-e793-49e8-968f-c90dc3526aa1"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,14 +3,14 @@ creation_date = "2020/10/19"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
description = "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code."
false_positives = ["Microsoft Windows installers leveraging RunDLL32 for installation."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Command Shell Activity Started via RunDLL32"
@@ -21,7 +21,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 21
rule_id = "9ccf3ce0-0057-440a-91f5-870c6ad39093"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2021/01/19"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies native Windows host and network enumeration commands spawned by the W
Provider Service (WMIPrvSE).
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Enumeration Command Spawned via WMIPrvSE"
@@ -23,7 +23,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 21
rule_id = "770e0c4d-b998-41e5-a62e-c7901fd7f470"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -12,7 +12,7 @@ Identifies process execution from suspicious default Windows directories. This m
malware in trusted paths.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Execution from Unusual Directory - Command Line"
@@ -71,7 +71,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "cff92c41-2225-4763-b4ce-6f71e5bda5e6"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Defense Evasion", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Defense Evasion", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
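Review bot: This file's first hunk begins at line 12, so the `[metadata]` table was not touched and `updated_date` was not bumped, unlike the other rules in this commit, which all move to `"2022/09/27"`; the same applies to the xp_cmdshell rule further down (rule_id `4ed493fc-d637-4a36-80ff-ac84937e5461`). Unless the date was already at or past 2022/09/27 (not visible here), add `updated_date = "2022/09/27"` so the metadata reflects the index/tag change, which the repository's rule-metadata checks may otherwise flag.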
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/20"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies an executable created by a Microsoft Office application and subsequen
launched via scripts inside documents or during exploitation of Microsoft Office applications.
"""
from = "now-120m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
interval = "60m"
language = "eql"
license = "Elastic License v2"
@@ -79,7 +79,7 @@ mean time to respond (MTTR).
risk_score = 73
rule_id = "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide", "Elastic Endgame"]
type = "eql"
query = '''
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/20"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies a suspicious file that was written by a PDF reader application and su
often launched via exploitation of PDF applications.
"""
from = "now-120m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
interval = "60m"
language = "eql"
license = "Elastic License v2"
@@ -78,7 +78,7 @@ mean time to respond (MTTR).
risk_score = 73
rule_id = "1defdd62-cd8d-426e-a246-81a37751bb2b"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide", "Elastic Endgame"]
type = "eql"
query = '''
@@ -3,7 +3,7 @@ creation_date = "2020/10/28"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ shared modules to execute malicious payloads by instructing the Windows module l
paths.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Execution via local SxS Shared Module"
@@ -29,7 +29,7 @@ references = ["https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-
risk_score = 47
rule_id = "a3ea12f3-0d4e-4667-8b44-4230c63f3c75"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/10/19"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies suspicious command execution (cmd) via Windows Management Instrumenta
be indicative of adversary lateral movement.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Cmd Execution via WMI"
@@ -23,7 +23,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "12f07955-1674-44f7-86b5-c35da0a6f41a"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/11/17"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ adversarial activity where child processes are spawned via Windows Management In
be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious WMI Image Load from MS Office"
@@ -27,13 +27,13 @@ references = [
risk_score = 21
rule_id = "891cb88e-441a-4c3e-be2d-120d99fe7b0d"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
any where
(event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
(event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and
(dll.name : "wmiutils.dll" or file.name : "wmiutils.dll")
'''
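Review bot: The query change from `event.category == "library"` to `event.category : ("library", "driver")` broadens the rule to driver-load events and switches to the `:` operator (case-insensitive and wildcard-aware in Elasticsearch EQL, harmless for these fixed literals), but nothing in the file records why `driver` is now included — presumably because Endgame image-load events carry that category, though the hunk does not show this. A one-line rationale would help future tuning, either as a TOML comment above `query = '''` if the repository's TOML tooling preserves comments, or as a sentence in the rule's `note`. The `dll.name : "wmiutils.dll" or file.name : "wmiutils.dll"` clause keeps the match narrow, so the false-positive impact of the wider category should be small. The same change, with the same missing rationale, appears in the Suspicious PowerShell Engine ImageLoad rule (rule_id `852c1f19-68e8-43a6-9dce-340771fe1be3`).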
@@ -3,7 +3,7 @@ creation_date = "2020/03/30"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/20"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies suspicious child processes of PDF reader applications. These child pr
exploitation of PDF applications or social engineering.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious PDF Reader Child Process"
@@ -80,7 +80,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 21
rule_id = "53a26770-9cbd-40c5-8b57-61d01a325e14"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/11/17"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/20"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies the PowerShell engine being invoked by unexpected processes. Rather t
with powershell.exe, some attackers do this to operate more stealthily.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious PowerShell Engine ImageLoad"
@@ -95,12 +95,12 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "852c1f19-68e8-43a6-9dce-340771fe1be3"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
any where (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
any where (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
(dll.name : ("System.Management.Automation.ni.dll", "System.Management.Automation.dll") or
file.name : ("System.Management.Automation.ni.dll", "System.Management.Automation.dll")) and
@@ -3,7 +3,7 @@ creation_date = "2020/08/14"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies suspicious psexec activity which is executing from the psexec service
evade detection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Process Execution via Renamed PsExec Executable"
@@ -23,7 +23,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Process Activity via Compiled HTML File"
@@ -31,7 +31,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "e3343ab9-4245-4715-b344-e11c56b0a47f"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2020/08/17"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/20"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Detects when the Console Window Host (conhost.exe) process is spawned by a suspi
indicative of code injection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Conhost Spawned By Suspicious Parent Process"
@@ -84,7 +84,7 @@ references = [
risk_score = 73
rule_id = "05b358de-aa6d-4f6c-89e6-78f74018b43b"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -12,7 +12,7 @@ Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may
using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Execution via MSSQL xp_cmdshell Stored Procedure"
@@ -71,7 +71,7 @@ references = ["https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
risk_score = 73
rule_id = "4ed493fc-d637-4a36-80ff-ac84937e5461"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2021/10/01"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/27"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
"Certain utilities that delete files for disk cleanup or Administrators manually removing backup files.",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Third-party Backup Files Deleted via Unexpected Process"
@@ -75,7 +75,7 @@ references = ["https://www.advintel.io/post/backup-removal-solutions-from-conti-
risk_score = 47
rule_id = "11ea6bec-ebde-4d71-a8e9-784948f8e3e9"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "has_guide"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "has_guide", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"