diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml
index cb4ee150c..a2a67bc07 100644
--- a/rules/windows/collection_email_powershell_exchange_mailbox.toml
+++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ mailbox or archive to a .pst file. Adversaries may target user email to collect
 """
 false_positives = ["Legitimate exchange system administration activity."]
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Exporting Exchange Mailbox via PowerShell"
@@ -78,7 +78,7 @@ references = [
 risk_score = 47
 rule_id = "6aace640-e631-4870-ba8e-5fdda09325db"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "has_guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml
index c1476e046..0462eff33 100644
--- a/rules/windows/collection_winrar_encryption.toml
+++ b/rules/windows/collection_winrar_encryption.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
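Review bot: `endgame-*` is added to `index` in the `@@ -13,7` hunk with no change to the query, `setup` or `min_stack_comments`, so whether the EQL query (outside this hunk) filters only on fields that Endgame documents populate cannot be checked from the diff; a field that one source leaves empty silently narrows the rule for that source rather than failing. The same index addition is repeated in every other file of this diff (WinRar, NsLookup, PortProxy, plink, desktopimgdownldr, MpCmdRun, TeamViewer, and the credential-access and defense-evasion rules), so a single check against a sample Endgame document per event category (process, file, registry) would cover them all. The Mimikatz memssp and Attrib files carry an investigation-guide or setup paragraph beginning `If enabling an EQL rule on a non-elastic-agent index (such as beats)`, visible here only as hunk-header context, which is the natural place to add one sentence such as `Endgame events are matched through the endgame-* index pattern.`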
@@ -12,7 +12,7 @@ Identifies use of WinRar or 7z to create an encrypted files. Adversaries will of
 preparation for exfiltration.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Encrypting Files with WinRar or 7z"
@@ -66,7 +66,7 @@ references = ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-ba
 risk_score = 47
 rule_id = "45d273fb-1dca-457d-9855-bcb302180c21"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "has_guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
index 6dd2ec4b8..d5a779597 100644
--- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml
+++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/11"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ This rule identifies a large number (15) of nslookup.exe executions with an expl
 may indicate command and control activity utilizing the DNS protocol.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential DNS Tunneling via NsLookup"
@@ -64,7 +64,7 @@ references = ["https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-ove
 risk_score = 47
 rule_id = "3a59fc81-99d3-47ea-8cd6-d48d561fca20"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide", "Elastic Endgame"]
 type = "threshold"
 
 query = '''
diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml
index 0b916dd78..5449602b5 100644
--- a/rules/windows/command_and_control_port_forwarding_added_registry.toml
+++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies the creation of a new port forwarding rule. An adversary may abuse th
 segmentation restrictions.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Port Forwarding Rule Addition"
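Review bot: This rule is `type = "threshold"` with `language = "kuery"`, and the `@@ -12,7` hunk above now counts `endgame-*` documents alongside `winlogbeat-*`, `logs-endpoint.events.*` and `logs-windows.*`; the threshold grouping field and the KQL body sit outside this hunk, so it is not visible whether a host that ships process events through more than one of these sources would have its nslookup.exe executions counted twice toward the 15 named in the description. Worth confirming the grouping field before merging and, if double counting is possible, saying so in the description or `setup`. The query body begins at `query = '''` and continues past this hunk.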
@@ -79,12 +79,15 @@ references = [
 risk_score = 47
 rule_id = "3535c8bb-3bd5-40f4-ae32-b7cd589d5372"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-registry where registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*"
+registry where registry.path : (
+ "HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*",
+ "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*"
+)
 '''
 
 
diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml
index 74c43a552..c58fbe76e 100644
--- a/rules/windows/command_and_control_rdp_tunnel_plink.toml
+++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies potential use of an SSH utility to establish RDP over a reverse SSH T
 enable routing of network packets that would otherwise not reach their intended destination.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Remote Desktop Tunneling Detected"
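Review bot: The two `registry.path` forms in the new `registry where registry.path : (...)` list are left unexplained; the `\\REGISTRY\\MACHINE\\...` spelling is presumably there because Endgame registry events carry the NT object-manager path rather than the `HKLM` alias, and without a note a later reader may treat the second pattern as redundant and drop it. A comment in the style this rule set already uses elsewhere, `/* HKLM form: Elastic Endpoint; \REGISTRY\MACHINE form: Endgame registry events */`, placed above the list would record that. The same applies to the WDigest, Network Logon Provider and AmsiEnable query hunks later in this diff.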
@@ -69,7 +69,7 @@ references = ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunn
 risk_score = 73
 rule_id = "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
index c6aec2af8..284709044 100644
--- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
+++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/20"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies the desktopimgdownldr utility being used to download a remote file. A
 download arbitrary files as an alternative to certutil.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote File Download via Desktopimgdownldr Utility"
@@ -82,7 +82,7 @@ references = ["https://labs.sentinelone.com/living-off-windows-land-a-new-native
 risk_score = 47
 rule_id = "15c0b7a7-9c34-4869-b25b-fa6518414899"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
index c1c8463fa..17a5bc618 100644
--- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
+++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@@ -3,13 +3,13 @@ creation_date = "2020/09/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/20"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote File Download via MpCmdRun"
@@ -77,7 +77,7 @@ references = [
 risk_score = 47
 rule_id = "c6453e73-90eb-4fe7-a98c-cde7bbfc504a"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
index 2f40b9934..683615774 100644
--- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
+++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
@@ -3,13 +3,13 @@ creation_date = "2020/09/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/20"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote File Copy via TeamViewer"
@@ -75,7 +75,7 @@ references = ["https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.ht
 risk_score = 47
 rule_id = "b25a7df2-120a-4db2-bd3f-3e4b86b24bee"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "has_guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml
index 633aa104d..17753dea7 100644
--- a/rules/windows/credential_access_cmdline_dump_tool.toml
+++ b/rules/windows/credential_access_cmdline_dump_tool.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies the execution of known Windows utilities often abused to dump LSASS m
 (NTDS.dit) in preparation for credential access.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Credential Access via Windows Utilities"
@@ -70,7 +70,7 @@ references = ["https://lolbas-project.github.io/"]
 risk_score = 73
 rule_id = "00140285-b827-4aee-aa09-8113f58a08f3"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
index e438def51..4b27173b9 100644
--- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
+++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -12,7 +12,7 @@ Identifies a copy operation of the Active Directory Domain Database (ntds.dit) o
 Those files contain sensitive information including hashed domain and/or local credentials.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 max_signals = 33
@@ -28,7 +28,7 @@ references = [
 risk_score = 73
 rule_id = "3bc6deaa-fbd4-433a-ae21-3e892f95624f"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
index 3f1e8cc76..ef5046c1f 100644
--- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
+++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/13"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies the creation or modification of Domain Backup private keys. Adversari
 (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Creation or Modification of Domain Backup DPAPI private key"
@@ -31,7 +31,7 @@ references = [
 risk_score = 73
 rule_id = "b83a7e96-2eb3-4edf-8346-427b6858d3bd"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml
index a2b70388f..2deb0e17e 100644
--- a/rules/windows/credential_access_dump_registry_hives.toml
+++ b/rules/windows/credential_access_dump_registry_hives.toml
@@ -3,13 +3,13 @@ creation_date = "2020/11/23"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Credential Acquisition via Registry Hive Dumping"
@@ -71,7 +71,7 @@ references = [
 risk_score = 73
 rule_id = "a7e7bfa3-088e-4f13-b29e-3986e0e756b8"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
index 6069a2a77..36c1910c9 100644
--- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
+++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies the Internet Information Services (IIS) command-line tool, AppCmd, be
 with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 max_signals = 33
@@ -25,7 +25,7 @@ references = ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-
 risk_score = 73
 rule_id = "0564fb9d-90b9-4234-a411-82a546dc1343"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
index 5fae2980c..130d58b3e 100644
--- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml
+++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ access via a webshell or alike can decrypt and dump any hardcoded connection str
 password using aspnet_regiis command.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 max_signals = 33
@@ -29,7 +29,7 @@ references = [
 risk_score = 73
 rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml
index 9a393f8d0..2489d2712 100644
--- a/rules/windows/credential_access_lsass_memdump_file_created.toml
+++ b/rules/windows/credential_access_lsass_memdump_file_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2022/08/24"
+updated_date = "2022/09/27"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -13,7 +13,7 @@ indicate a credential access attempt via trusted system utilities such as Task M
 (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "LSASS Memory Dump Creation"
@@ -25,7 +25,7 @@ references = ["https://github.com/outflanknl/Dumpert", "https://github.com/hoang
 risk_score = 73
 rule_id = "f2f46686-6f3c-4724-bd7d-24e31c70f98f"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Elastic Endgame"]
 timeline_id = "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c"
 timeline_title = "Comprehensive File Timeline"
 timestamp_override = "event.ingested"
diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
index 08e3cdfa5..fb2e257b9 100644
--- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
+++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
@@ -3,13 +3,13 @@ creation_date = "2020/08/31"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies the password log file from the default Mimikatz memssp module."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Mimikatz Memssp Log File Detected"
@@ -73,7 +73,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 73
 rule_id = "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml
index 5cb3e7ac1..ac3a5c1ca 100644
--- a/rules/windows/credential_access_mod_wdigest_security_provider.toml
+++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/20"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ an endpoint. Once the UseLogonCredential value is modified, the adversary may at
 memory.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Modification of WDigest Security Provider"
@@ -87,15 +87,16 @@ references = [
 risk_score = 73
 rule_id = "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
 registry where event.type : ("creation", "change") and
- registry.path :
- "HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential"
- and registry.data.strings : ("1", "0x00000001") and
+ registry.path : (
+ "HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential",
+ "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential"
+ ) and registry.data.strings : ("1", "0x00000001") and
 not (process.executable : "?:\\Windows\\System32\\svchost.exe" and user.id : "S-1-5-18")
 '''
 
diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
index be6289fe7..dc96c1528 100644
--- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
+++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
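Review bot: The exclusion `not (process.executable : "?:\\Windows\\System32\\svchost.exe" and user.id : "S-1-5-18")` is unchanged while the new `\\REGISTRY\\MACHINE\\...` pattern, together with the `endgame-*` index added in the `@@ -14,7` hunk, brings Endgame registry events into scope; if those documents do not populate `process.executable` and `user.id` the same way, the exclusion never matches them and every svchost-driven UseLogonCredential change on an Endgame host would alert. Worth confirming against a sample Endgame registry document before merging, or recording the expected false-positive profile for that source in the rule's guide. The same question applies to the Network Logon Provider query hunk that follows, whose `not ( user.id : "S-1-5-18" and registry.data.strings in ...` block continues outside its hunk.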
@@ -3,7 +3,7 @@ creation_date = "2021/03/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ during user logon.
 """
 false_positives = ["Authorized third party network logon providers."]
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Network Logon Provider Registry Modification"
@@ -25,13 +25,16 @@ references = [
 risk_score = 47
 rule_id = "54c3d186-0461-4dc3-9b33-2dc5c7473936"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Credential Access"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Credential Access", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
 registry where registry.data.strings != null and
- registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\NetworkProvider\\ProviderPath" and
+ registry.path : (
+ "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\NetworkProvider\\ProviderPath",
+ "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\NetworkProvider\\ProviderPath"
+ ) and
 /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */
 not (
 user.id : "S-1-5-18" and registry.data.strings in
diff --git a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
index abb3d904d..be483dcdb 100644
--- a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
+++ b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
@@ -3,7 +3,7 @@ creation_date = "2022/04/30"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies attempt to coerce a local NTLM authentication via HTTP using the Wind
 An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Local NTLM Relay via HTTP"
@@ -24,7 +24,7 @@ references = [
 risk_score = 73
 rule_id = "4682fd2c-cfae-47ed-a543-9bed37657aa6"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml
index 92cdca419..3a52dd7dc 100644
--- a/rules/windows/credential_access_saved_creds_vaultcmd.toml
+++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ applications, and networks. An adversary may abuse this to list or dump credenti
 saved usernames and passwords. This may also be performed in preparation of lateral movement.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Searching for Saved Credentials via VaultCmd"
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "be8afaed-4bcd-4e0a-b5f9-5562003dde81"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
index 6d2ae0fa2..4ea1d97b7 100644
--- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
+++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
@@ -3,7 +3,7 @@ creation_date = "2021/12/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -13,7 +13,7 @@ copy, including sensitive files such as ntds.dit, System Boot Key and browser of
 """
 false_positives = ["Legitimate administrative activity related to shadow copies."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Symbolic Link to Shadow Copy Created"
@@ -95,7 +95,7 @@ references = [ risk_score = 47 rule_id = "d117cbb4-7d56-41b4-b999-bdf8c25648a0" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "has_guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml index aeb2c8b4e..2feb392f9 100644 --- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml +++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml @@ -3,13 +3,13 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/09/27" [rule] author = ["Elastic"] description = "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection." from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Adding Hidden File Attribute via Attrib" @@ -20,7 +20,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "4630d948-40d4-4cef-ac69-4002e29bc3db" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"] timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" timeline_title = "Comprehensive Process Timeline" timestamp_override = "event.ingested" 
diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml index 2d59eb344..fee6af99d 100644 --- a/rules/windows/defense_evasion_amsienable_key_mod.toml +++ b/rules/windows/defense_evasion_amsienable_key_mod.toml @@ -3,7 +3,7 @@ creation_date = "2021/06/01" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/20" +updated_date = "2022/09/27" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Identifies modifications of the AmsiEnable registry key to 0, which disables the adversary can modify this key to disable AMSI protections. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Modification of AmsiEnable Registry Key" @@ -85,7 +85,7 @@ references = [ risk_score = 73 rule_id = "f874315d-5188-4b4a-8521-d1c73093a7e4" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" @@ -93,7 +93,8 @@ query = ''' registry where event.type in ("creation", "change") and registry.path : ( "HKEY_USERS\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable", - "HKU\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable" + "HKU\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable", + "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable" ) and registry.data.strings: ("0", "0x00000000") ''' diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml index e1dd965ed..5b0971a49 100644 
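Review bot: The added `"\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable"` line leaves the query with three spellings of the same key and nothing telling a reader why; the `query = '''` line sits just outside the hunk, so the commit could carry a one-line explanation there if the repo's rule tooling preserves TOML comments, e.g. `# HKEY_USERS/HKU are the Win32 hive aliases; \REGISTRY\USER is the native NT path, presumably the form reported by the endgame-* source added above` (otherwise the rule's `note` field is the place). The same undocumented path duplication appears in the later hunks for defense_evasion_create_mod_root_certificate.toml, defense_evasion_defender_disabled_via_registry.toml and defense_evasion_disable_posh_scriptblocklogging.toml. The unchanged `registry.data.strings: ("0", "0x00000000")` clause is untouched by this change, so it is worth confirming that the new source encodes DWORD data in one of those two forms; if not, the new path will match and the value check will silently fail.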
--- a/rules/windows/defense_evasion_clearing_windows_console_history.toml +++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml @@ -3,7 +3,7 @@ creation_date = "2021/11/22" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/09/27" [rule] author = ["Austin Songer"] @@ -12,7 +12,7 @@ Identifies when a user attempts to clear console history. An adversary may clear account to conceal the actions undertaken during an intrusion. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Clearing Windows Console History" @@ -68,12 +68,12 @@ references = [ risk_score = 47 rule_id = "b5877334-677f-4fb9-86d5-a9721274223b" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.action == "start" and +process where event.type == "start" and (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name == "PowerShell.EXE") and (process.args : "*Clear-History*" or (process.args : ("*Remove-Item*", "rm") and process.args : ("*ConsoleHost_history.txt*", "*(Get-PSReadlineOption).HistorySavePath*")) or diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml index 98b1c9a61..4880ede76 100644 --- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml 
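Review bot: Switching the first clause to `process where event.type == "start" and` is presumably what makes this rule evaluable on the `endgame-*` pattern added in the same file, but the following clause still relies on `process.pe.original_file_name`, and nothing in the hunk shows that this field is populated by that source; if it is not, only the `process.name` branch fires on Endgame events, which should either be stated in the rule's `note` or accepted knowingly. Since `event.action` and `event.type` are different ECS fields, the substitution reads as a data-source compatibility fix rather than a rewrite, and a sentence in the commit message saying so would save the next reader from guessing. The query body continues past the end of the hunk.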
@@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/09/27" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Identifies attempts to clear or disable Windows event log stores using Windows w attackers in an attempt to evade detection or destroy forensic evidence on a system. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Clearing Windows Event Logs" @@ -65,7 +65,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "d331bbe2-6db4-4941-80a5-8270db72eb61" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml index d16e3ff03..3b6a9519d 100644 --- a/rules/windows/defense_evasion_create_mod_root_certificate.toml +++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml @@ -3,7 +3,7 @@ creation_date = "2021/02/01" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/20" +updated_date = "2022/09/27" [rule] author = ["Elastic"] 
@@ -14,7 +14,7 @@ certificate would allow an attacker the ability to masquerade malicious files as """ false_positives = ["Certain applications may install root certificates for the purpose of inspecting SSL traffic."] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Creation or Modification of Root Certificate" @@ -86,7 +86,7 @@ references = [ risk_score = 21 rule_id = "203ab79b-239b-4aa5-8e54-fc50623ee8e4" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" @@ -97,7 +97,11 @@ registry where event.type in ("creation", "change") and "HKLM\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob", "HKLM\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob", "HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob", - "HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob" + "HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob", + "\\REGISTRY\\MACHINE\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob", + "\\REGISTRY\\MACHINE\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob", + "\\REGISTRY\\MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob", + "\\REGISTRY\\MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob" ) and not process.executable : ("?:\\Program Files\\*.exe", 
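Review bot: The four new `"\\REGISTRY\\MACHINE\\..."` entries make this list eight near-duplicate patterns, and a later maintainer will be tempted to fold them into a leading-wildcard form such as `*\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob`; that would be a scope change, because the same subpath exists under user hives (an HKEY_USERS\<SID>\Software\... root store), whereas every path the rule lists is a machine-hive path. Worth recording that above the list (the `query = '''` line is outside this hunk), e.g. `# HKLM and \REGISTRY\MACHINE spellings only: a leading wildcard would also match per-user root stores`. Minor: this hunk writes `Software` where the Defender-disabled hunk later in the diff writes `SOFTWARE`; harmless under the case-insensitive `:` operator, but aligning the casing makes the pairs easier to diff by eye.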
diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml index b23778b35..83d52fc6f 100644 --- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml @@ -3,7 +3,7 @@ creation_date = "2020/12/23" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/09/27" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Identifies modifications to the Windows Defender registry settings to disable th started manually. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Windows Defender Disabled via Registry Modification" @@ -70,7 +70,7 @@ references = ["https://thedfirreport.com/2020/12/13/defender-control/"] risk_score = 21 rule_id = "2ffa1f1e-b6db-47fa-994b-1512743847eb" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" 
@@ -78,11 +78,17 @@ query = ''' registry where event.type in ("creation", "change") and ( ( - registry.path:"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware" and + registry.path: ( + "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware", + "\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware" + ) and registry.data.strings: ("1", "0x00000001") ) or ( - registry.path:"HKLM\\System\\*ControlSet*\\Services\\WinDefend\\Start" and + registry.path: ( + "HKLM\\System\\*ControlSet*\\Services\\WinDefend\\Start", + "\\REGISTRY\\MACHINE\\System\\*ControlSet*\\Services\\WinDefend\\Start" + ) and registry.data.strings in ("3", "4", "0x00000003", "0x00000004") ) ) and diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml index c761b30be..722cd459b 100644 --- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml +++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml @@ -3,7 +3,7 @@ creation_date = "2021/07/20" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/20" +updated_date = "2022/09/27" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Identifies modifications to the Windows Defender configuration settings using Po directory or process level. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Windows Defender Exclusions Added via PowerShell" 
@@ -81,7 +81,7 @@ references = ["https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitd risk_score = 47 rule_id = "2c17e5d7-08b9-43b2-b58a-0270d65ac85b" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml index c14746fc4..fad3b0c69 100644 --- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml +++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/09/27" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is of files created during post-exploitation activities. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Delete Volume USN Journal with Fsutil" @@ -23,7 +23,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "f675872f-6d85-40a3-b502-c0d2ef101e92" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml index 91bcc3732..dab175b7b 100644 --- a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml +++ b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml @@ -3,7 +3,7 @@ creation_date = "2022/01/31" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/09/27" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Identifies attempts to disable PowerShell Script Block Logging via registry modi logging to conceal their activities in the host and evade detection. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "PowerShell Script Block Logging Disabled" @@ -88,15 +88,16 @@ references = [ risk_score = 47 rule_id = "818e23e6-2094-4f0e-8c01-22d30f3506c6" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" query = ''' registry where event.type == "change" and - registry.path : - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging" - and registry.data.strings : ("0", "0x00000000") + registry.path : ( + "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging", + "\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging" + ) and registry.data.strings : ("0", "0x00000000") ''' 
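Review bot: The rewritten predicate keeps `registry where event.type == "change" and`, whereas the three other registry rules touched in this commit (AmsiEnable, root certificate, Defender-disabled) match `event.type in ("creation", "change")`; if a source reports the first write of `EnableScriptBlockLogging` on a host that never had the policy key as a creation event, a fresh `0` value would be missed by this rule alone. Unless the narrower match is intentional, `registry where event.type in ("creation", "change") and` would bring it in line with its siblings. If it is intentional, a short comment above `query = '''` (outside this hunk) or a sentence in the rule's `note` saying so would stop the next reviewer from raising this again.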
diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml index 22a4383b9..0aeb1c3fc 100644 --- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml +++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/09/27" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Identifies use of the netsh.exe to disable or weaken the local firewall. Attacke disable the firewall during troubleshooting or to enable network mobility. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Disable Windows Firewall Rules via Netsh" @@ -57,7 +57,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "4b438734-3793-4fda-bd42-ceeada0be8f9" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml index ecab390cb..8f3fd0afb 100644 --- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml +++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml 
@@ -3,14 +3,14 @@ creation_date = "2021/07/07" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/09/27" [rule] author = ["Elastic"] description = "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings." false_positives = ["Planned Windows Defender configuration changes."] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Disabling Windows Defender Security Settings via PowerShell" @@ -71,7 +71,7 @@ references = [ risk_score = 47 rule_id = "c8cccb06-faf2-4cd5-886e-2c9636cfcb87" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml index 1691e959f..f3514aec5 100644 --- a/rules/windows/defense_evasion_disabling_windows_logs.toml +++ b/rules/windows/defense_evasion_disabling_windows_logs.toml @@ -3,7 +3,7 @@ creation_date = "2021/05/06" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/09/27" [rule] author = ["Elastic", "Ivan Ninichuck", "Austin Songer"] 
@@ -12,7 +12,7 @@ Identifies attempts to disable EventLog via the logman Windows utility, PowerShe attackers in an attempt to evade detection on a system. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Disable Windows Event and Security Logs Using Built-in Tools" @@ -64,7 +64,7 @@ references = [ risk_score = 21 rule_id = "4de76544-f0e5-486a-8f84-eae0b6063cdc" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_dns_over_https_enabled.toml b/rules/windows/defense_evasion_dns_over_https_enabled.toml index 24a7c4173..6c3012e9e 100644 --- a/rules/windows/defense_evasion_dns_over_https_enabled.toml +++ b/rules/windows/defense_evasion_dns_over_https_enabled.toml @@ -3,7 +3,7 @@ creation_date = "2021/07/22" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/09/27" [rule] author = ["Austin Songer"] @@ -13,7 +13,7 @@ data. With this enabled, an organization will lose visibility into data such as IP, which are used to determine bad actors. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "DNS-over-HTTPS Enabled via Registry" 
@@ -28,7 +28,7 @@ references = [ risk_score = 21 rule_id = "a22a09c2-2162-4df0-a356-9aacbeb56a04" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml index ec548620d..770cb35da 100644 --- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml +++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml @@ -3,13 +3,13 @@ creation_date = "2020/08/21" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/09/27" [rule] author = ["Elastic"] description = "Identifies suspicious .NET code execution. connections." from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Suspicious .NET Code Compilation" @@ -20,7 +20,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "201200f1-a99b-43fb-88ed-f65a45c4972c" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml index a436da34d..3846656c4 100644 --- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml +++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml 
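Review bot: The context line `description = "Identifies suspicious .NET code execution. connections."` in the `@@ -3,13 +3,13 @@` hunk of defense_evasion_dotnet_compiler_parent_process.toml carries a dangling `connections.` fragment, and since this commit already rewrites the adjacent `index` line it is a cheap moment to fix it, e.g. `description = "Identifies suspicious .NET code execution."` or whatever the intended second sentence was. The query this description summarises is outside the hunk, so the wording should be checked against it before editing.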
@@ -3,7 +3,7 @@ creation_date = "2020/10/13" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/09/27" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Identifies use of the network shell utility (netsh.exe) to enable inbound Remote the Windows Firewall. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Remote Desktop Enabled in Windows Firewall by Netsh" @@ -65,7 +65,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "074464f9-f30d-4029-8c03-0ed237fffec7" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml index 64fd5cc3e..39e4c77c1 100644 --- a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml +++ b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml @@ -3,7 +3,7 @@ creation_date = "2021/07/07" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/20" +updated_date = "2022/09/27" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ tool to weaken the host firewall settings. """ false_positives = ["Host Windows Firewall planned system administration changes."] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Enable Host Network Discovery via Netsh" @@ -63,7 +63,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "8b4f0816-6a65-4630-86a6-c21c179c0d09" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml index 44cb437a6..7fa0ff586 100644 --- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml +++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml @@ -3,7 +3,7 @@ creation_date = "2021/09/08" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/09/27" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Identifies unusual instances of Control Panel with suspicious keywords or paths Adversaries may abuse control.exe to proxy execution of malicious code. """ from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] +index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Control Panel Process with Unusual Arguments" 
@@ -24,7 +24,7 @@ references = ["https://www.joesandbox.com/analysis/476188/1/html"] risk_score = 73 rule_id = "416697ae-e468-4093-a93d-59661fa619ec" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml index 2ccff59e4..04a563b17 100644 --- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml +++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml @@ -3,7 +3,7 @@ creation_date = "2020/10/13" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/09/27" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load as a defense evasion technique to blend-in malicious activity with legitimate Windows software. """ from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] +index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "ImageLoad via Windows Update Auto Update Client" @@ -24,7 +24,7 @@ references = ["https://dtm.uk/wuauclt/"] risk_score = 47 rule_id = "edf8ee23-5ea7-4123-ba19-56b41e424ae3" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"] timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" timeline_title = "Comprehensive Process Timeline" timestamp_override = "event.ingested" 
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml index 37b9abc23..a27a4e0bb 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml @@ -3,7 +3,7 @@ creation_date = "2020/03/25" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/20" +updated_date = "2022/09/27" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Microsoft Build Engine Started by an Office Application" @@ -94,7 +94,7 @@ references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-m risk_score = 73 rule_id = "c5dc3223-13a2-44a2-946c-e9dc0aa0449c" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml index 0806d9a0c..65b839a18 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml 
@@ -3,7 +3,7 @@ creation_date = "2020/03/25" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/09/27" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ behavior is unusual and is sometimes used by malicious payloads. """ false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Microsoft Build Engine Started by a Script Process" @@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml index 16eb12389..d61498589 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml @@ -3,7 +3,7 @@ creation_date = "2020/03/25" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/09/27" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ Instrumentation) subsystem. This behavior is unusual and is sometimes used by ma
 """
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Microsoft Build Engine Started by a System Process"
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
index 60c8ca5b3..c6044d04d 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ indicate an attempt to run unnoticed or undetected.
 """
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Microsoft Build Engine Using an Alternate Name"
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
index 416e41fe2..bf3c63d91 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Microsoft Build Engine Started an Unusual Process"
@@ -30,7 +30,7 @@ references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-m
 risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
index 4a8300d01..6e16c734f 100644
--- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
+++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ starting after being renamed or from a non-standard path. This is uncommon behav
 defenses via side loading a malicious DLL within the memory space of one of those processes.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential DLL SideLoading via Trusted Microsoft Programs"
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 73
 rule_id = "1160dcdb-0a0a-4a79-91d8-9b84616edebd"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
index 861f269e8..8af1c0c9f 100644
--- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
+++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
@@ -3,7 +3,7 @@ creation_date = "2021/07/07"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic", "Dennis Perto"]
@@ -14,7 +14,7 @@ side-loading a malicious DLL within the memory space of one of those processes.
 """
 false_positives = ["Microsoft Antimalware Service Executable installed on non default installation path."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential DLL Side-Loading via Microsoft Antimalware Service Executable"
@@ -28,7 +28,7 @@ references = [
 risk_score = 73
 rule_id = "053a0387-f3b5-4ba5-8245-8002cca2bd08"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml
index 61979ad96..069ad0e44 100644
--- a/rules/windows/defense_evasion_file_creation_mult_extension.toml
+++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ when the name or location of a file is manipulated as a means of tricking a user
 benign file type but is actually executable code.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Executable File Creation with Multiple Extensions"
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "8b2b3a62-a598-4293-bc14-3d5fa22bb98f"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_from_unusual_directory.toml b/rules/windows/defense_evasion_from_unusual_directory.toml
index b66c6c8d4..cbdb7ad7b 100644
--- a/rules/windows/defense_evasion_from_unusual_directory.toml
+++ b/rules/windows/defense_evasion_from_unusual_directory.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/30"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies process execution from suspicious default Windows directories. This i
 malware in trusted paths.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Process Execution from an Unusual Directory"
@@ -23,7 +23,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "ebfe1448-7fac-4d59-acea-181bd89b1f7f"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
index 329ccf66d..fa1940873 100644
--- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
+++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -12,14 +12,14 @@ Identifies registry write modifications to hide an encoded portable executable.
 defense evasion by avoiding the storing of malicious content directly on disk.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Encoded Executable Stored in the Registry"
 risk_score = 47
 rule_id = "93c1ce76-494c-4f01-8167-35edfb52f7b1"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
index b2b25e42c..9e35a7553 100644
--- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml
+++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
@@ -3,7 +3,7 @@ creation_date = "2020/04/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies when Internet Information Services (IIS) HTTP Logging is disabled on
 access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 max_signals = 33
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 73
 rule_id = "ebf1adea-ccf2-4943-8b96-7ab11ca173a5"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index 0b0c519b2..1df9208ae 100644
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ A suspicious Endpoint Security parent process was detected. This may indicate a
 injection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Endpoint Security Parent Process"
@@ -23,7 +23,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "b41a13c6-ba45-4bab-a534-df53d0cfed6a"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
index 841a27e9a..ce4bab22c 100644
--- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
+++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/01"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies a suspicious AutoIt process execution. Malware written as an AutoIt s
 executable to avoid detection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Renamed AutoIt Scripts Interpreter"
@@ -23,7 +23,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "2e1e835d-01e5-48ca-b9fc-7a61f7f11902"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
index b4a73e962..f447a189a 100644
--- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
+++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/24"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ such as command line, network connections, file writes and parent process detail
 """
 false_positives = ["Custom Windows error reporting debugger or applications restarted by WerFault after a crash."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious WerFault Child Process"
@@ -29,7 +29,7 @@ references = [
 risk_score = 47
 rule_id = "ac5012b8-8da8-440b-aaaf-aedafdea2dff"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
index 04b181254..38ca0ee8b 100644
--- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml
+++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ usually host trusted third party programs. An adversary may leverage masqueradin
 detections allowlisting those folders.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Program Files Directory Masquerading"
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
index e66b05b39..0f8dc05aa 100644
--- a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
+++ b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
@@ -3,7 +3,7 @@ creation_date = "2022/01/12"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/20"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Macros. Adversaries may abuse these security settings to modify the default beha
 future macros and/or disable security warnings, which could increase their chances of establishing persistence.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "MS Office Macro Security Registry Modifications"
@@ -87,7 +87,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "feeed87c-5e95-4339-aef1-47fd79bcfbe3"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -95,9 +95,11 @@ query = '''
 registry where event.type == "change" and
 registry.path : (
 "HKU\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\AccessVBOM",
- "HKU\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\VbaWarnings"
+ "HKU\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\VbaWarnings",
+ "\\REGISTRY\\USER\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\AccessVBOM",
+ "\\REGISTRY\\USER\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\VbaWarnings"
 ) and
- registry.data.strings == "0x00000001" and
+ registry.data.strings : ("0x00000001", "1") and
 process.name : ("cscript.exe", "wscript.exe", "mshta.exe", "mshta.exe", "winword.exe", "excel.exe")
 '''
 
diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
index 8f4c49c18..adbb129a0 100644
--- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
+++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
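Review bot: The two added `\\REGISTRY\\USER\\S-1-5-21-*\\...` path entries and the widened `registry.data.strings : ("0x00000001", "1")` match carry no comment saying which data source reports the raw `\\REGISTRY\\USER` path form and the bare `"1"` value, so a later reader cannot tell that they belong with the `endgame-*` index added to this rule (my reading; to be confirmed). A one-line comment above `registry.path : (` such as `// raw \\REGISTRY\\USER path form and bare "1" value: sources that do not normalise registry data (see index)` would record the reason. Unlike the sibling rules in this change, the index list here still has no `logs-endpoint.events.*`; if that omission is deliberate it deserves a note too. The retained `process.name` list names `"mshta.exe"` twice, which could be deduplicated the next time this query is touched.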
@@ -3,7 +3,7 @@ creation_date = "2021/10/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/20"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Austin Songer"]
@@ -19,7 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Windows Firewall Disabled via PowerShell"
@@ -76,7 +76,7 @@ references = [
 risk_score = 47
 rule_id = "f63c8e3c-d396-404f-b2ea-0379d3942d73"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
index 58f8fc802..5b630ac27 100644
--- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
+++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -14,20 +14,20 @@ of these files can occur during an intrusion, or as part of a post-intrusion pro
 footprint.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Process Termination followed by Deletion"
 risk_score = 47
 rule_id = "09443c92-46b3-45a4-8f25-383b028b258d"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 type = "eql"
 
 query = '''
 sequence by host.id with maxspan=5s
 [process where event.type == "end" and
- process.code_signature.trusted == false and
+ process.code_signature.trusted != true and
 not process.executable : ("C:\\Windows\\SoftwareDistribution\\*.exe", "C:\\Windows\\WinSxS\\*.exe")
 ] by process.executable
 [file where event.type == "deletion" and file.extension : ("exe", "scr", "com") and
diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
index f07d98c5b..450769c52 100644
--- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
+++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
@@ -3,7 +3,7 @@ creation_date = "2022/05/31"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (
 execution via malicious process arguments.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Microsoft Diagnostics Wizard Execution"
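Review bot: `process.code_signature.trusted != true` on the changed line is not a pure restyling of `== false`: a process-end event that carries no `process.code_signature.trusted` field at all now satisfies the clause, so any source that does not populate code-signature fields will feed every process termination into the first stage of the sequence, with the `not process.executable` exclusion as the only remaining filter. If that is the intent (presumably so that events from the newly added `endgame-*` index are not silently dropped), a trailing comment on that line would stop the next reader from "fixing" it back, e.g. `process.code_signature.trusted != true and  // != true rather than == false: keep events that carry no signature data`. The `[file where ...]` stage and the rest of the query continue past the end of the hunk.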
@@ -27,7 +27,7 @@ references = [
 risk_score = 73
 rule_id = "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
index 9410f0173..d0f939ea1 100644
--- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
+++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/23"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ move laterally or persist locally. The AT command has been deprecated since Wind
 exists for backwards compatibility.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Scheduled Tasks AT Command Enabled"
@@ -25,14 +25,16 @@ references = ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32
 risk_score = 47
 rule_id = "9aa0e1f6-52ce-42e1-abb3-09657cee2698"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
 registry where
- registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt" and
- registry.data.strings : ("1", "0x00000001")
+ registry.path : (
+ "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt",
+ "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt"
+ ) and registry.data.strings : ("1", "0x00000001")
 '''
 
 
diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
index f19450462..b279fc1c0 100644
--- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
+++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Detects file name patterns generated by the use of Sysinternals SDelete utility
 file overwrite and rename operations.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Secure File Deletion via SDelete Utility"
@@ -27,7 +27,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "5aee924b-6ceb-4633-980e-1bde8cdb40c5"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_sip_provider_mod.toml b/rules/windows/defense_evasion_sip_provider_mod.toml
index d438ea117..9b88b2623 100644
--- a/rules/windows/defense_evasion_sip_provider_mod.toml
+++ b/rules/windows/defense_evasion_sip_provider_mod.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/20"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Windows cryptographic system to validate file signatures on the system. This may
 validation checks or inject code into critical processes.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "SIP Provider Modification"
@@ -21,17 +21,17 @@ references = ["https://github.com/mattifestation/PoCSubjectInterfacePackage"]
 risk_score = 47
 rule_id = "f2c7b914-eda3-40c2-96ac-d23ef91776ca"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
 registry where event.type:"change" and
 registry.path: (
- "HKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
- "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
- "HKLM\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll",
- "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll"
+ "*\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
+ "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
+ "*\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll",
+ "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll"
 ) and registry.data.strings:"*.dll"
 '''
 
diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
index 5c264a229..0ab06bd19 100644
--- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
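Review bot: Replacing the `HKLM\\` prefix with `*\\` in the four rewritten `registry.path` entries widens the match beyond the machine hive: a leading wildcard accepts the same `\\SOFTWARE\\Microsoft\\Cryptography\\...` suffix under any hive prefix, including per-user paths, whereas the sibling hunks in this change (the scheduled-tasks AT rule and the SolarWinds services rule) add an explicit `\\REGISTRY\\MACHINE\\...` entry next to the `HKLM\\` one and keep the scope unchanged. If only the machine hive is meant, the explicit `HKLM\\...` plus `\\REGISTRY\\MACHINE\\...` pair used there is the consistent choice; if per-user SIP registrations are deliberately in scope now, a comment above `registry.path: (` such as `// leading wildcard: match these keys under any hive prefix, not only HKLM` should record that decision.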
@@ -12,7 +12,7 @@ Identifies a SolarWinds binary modifying the start type of a service to be disab
 technique to manipulate relevant security services.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "SolarWinds Process Disabling Services via Registry"
@@ -26,12 +26,15 @@ references = [
 risk_score = 47
 rule_id = "b9960fef-82c6-4816-befa-44745030e917"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-registry where registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start" and
+registry where registry.path : (
+ "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start",
+ "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\Start"
+ ) and
 registry.data.strings : ("4", "0x00000004") and
 process.name : (
 "SolarWinds.BusinessLayerHost*.exe",
@@ -39,7 +42,7 @@ registry where registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start"
 "NetflowDatabaseMaintenance*.exe",
 "NetFlowService*.exe",
 "SolarWinds.Administration*.exe",
- "SolarWinds.Collector.Service*.exe" ,
+ "SolarWinds.Collector.Service*.exe",
 "SolarwindsDiagnostics*.exe")
 '''
 
diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
index c0ebb515d..f9bc598d7 100644
--- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml
+++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/08/24"
+updated_date = "2022/09/27"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -13,7 +13,7 @@ Certificate Services. CertUtil is often abused by attackers to live off the land
 data exfiltration.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious CertUtil Commands"
@@ -30,7 +30,7 @@ references = [
 risk_score = 47
 rule_id = "fd70c98a-c410-42dc-a2e3-761c71848acf"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
 timeline_title = "Comprehensive Process Timeline"
 timestamp_override = "event.ingested"
diff --git a/rules/windows/defense_evasion_suspicious_short_program_name.toml b/rules/windows/defense_evasion_suspicious_short_program_name.toml
index 5b738b96e..0b7c1c5d7 100644
--- a/rules/windows/defense_evasion_suspicious_short_program_name.toml
+++ b/rules/windows/defense_evasion_suspicious_short_program_name.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies process execution with a single character process name. This is often
 executing temporary utilities.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Execution - Short Program Name"
@@ -23,7 +23,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "17c7f6a5-5bc9-4e1f-92bf-13632d24384d"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
index e2e57888f..a2e13a109 100644
--- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
+++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ A suspicious Zoom child process was detected, which may indicate an attempt to r
 such as command line, network connections, file writes and associated file signature details as well.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Zoom Child Process"
@@ -23,7 +23,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "97aba1ef-6034-4bd3-8c1a-1e0996b27afa"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
index 470bd218b..53515ed95 100644
--- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
+++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/20"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies an unexpected executable file being created or modified by a Windows
 indicate activity related to remote code execution or other forms of exploitation.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Executable File Creation by a System Critical Process"
@@ -71,7 +71,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 73
 rule_id = "e94262f2-c1e9-4d3f-a907-aeab16712e1a"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml
index 1aadd0b37..8ccb8ab29 100644
--- a/rules/windows/defense_evasion_unusual_dir_ads.toml
+++ b/rules/windows/defense_evasion_unusual_dir_ads.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies processes running from an Alternate Data Stream. This is uncommon for
 by adversaries to hide malware.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Process Execution Path - Alternate Data Stream"
@@ -23,7 +23,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "4bd1c1af-79d4-4d37-9efa-6e0240640242"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
index 7e99746cb..639543763 100644
--- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
+++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
@@ -3,13 +3,13 @@ creation_date = "2020/08/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Child Process from a System Virtual Process"
@@ -20,7 +20,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 73
 rule_id = "de9bd7e0-49e9-4e92-a64d-53ade2e66af1"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml
index a021848ce..799a1480f 100644
--- a/rules/windows/defense_evasion_via_filter_manager.toml
+++ b/rules/windows/defense_evasion_via_filter_manager.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ The Filter Manager Control Program (fltMC.exe) binary may be abused by adversari
 defenses.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Evasion via Filter Manager"
@@ -23,7 +23,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "06dceabf-adca-48af-ac79-ffdf4c3b1e9a"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml
index 7ab1b46af..88f8906b2 100644
--- a/rules/windows/defense_evasion_workfolders_control_execution.toml
+++ b/rules/windows/defense_evasion_workfolders_control_execution.toml
@@ -3,7 +3,7 @@ creation_date = "2022/03/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -12,7 +12,7 @@ Identifies the use of Windows Work Folders to execute a potentially masqueraded
 directory. Misuse of Windows Work Folders could indicate malicious activity.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Signed Proxy Execution via MS Work Folders"
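Review bot: The `index` list in the last hunk on this line becomes `["winlogbeat-*", "logs-windows.*", "endgame-*"]`, which makes `defense_evasion_workfolders_control_execution.toml` the only rule touched by this commit that gains `endgame-*` without also listing `logs-endpoint.events.*`. If Elastic Defend data was excluded on purpose, a short trailing comment on the `index` line saying so would keep a future bulk edit from "correcting" it; if it was an oversight, the form used by the sibling rules, `index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]`, is the one to use.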
@@ -69,7 +69,7 @@ references = [
 risk_score = 47
 rule_id = "ad0d2742-9a49-11ec-8d6b-acde48001122"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "has_guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml
index 140019413..faafba29d 100644
--- a/rules/windows/discovery_adfind_command_activity.toml
+++ b/rules/windows/discovery_adfind_command_activity.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ leveraged by threat actors to perform post-exploitation Active Directory reconna
 observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "AdFind Command Activity"
@@ -78,7 +78,7 @@ references = [
 risk_score = 21
 rule_id = "eda499b8-a073-4e35-9733-22ec71f57f3a"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
index d59f4d41d..019f70b8a 100644
--- a/rules/windows/discovery_admin_recon.toml
+++ b/rules/windows/discovery_admin_recon.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/20"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies instances of lower privilege accounts enumerating Administrator accou
 tools.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Enumeration of Administrator Accounts"
@@ -66,7 +66,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "871ea072-1b71-4def-b016-6278b505138d"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
index cb6e93288..2e786ec23 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
@@ -3,7 +3,7 @@ creation_date = "2022/05/31"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Enumerating Domain Trusts via NLTEST.EXE"
@@ -34,7 +34,7 @@ references = [
 risk_score = 21
 rule_id = "84da2554-e12a-11ec-b896-f661ea17fbcd"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/discovery_net_view.toml b/rules/windows/discovery_net_view.toml
index 12a7055f6..8c11eca6e 100644
--- a/rules/windows/discovery_net_view.toml
+++ b/rules/windows/discovery_net_view.toml
@@ -3,13 +3,13 @@ creation_date = "2020/12/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/20"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool."
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Windows Network Enumeration"
@@ -59,7 +59,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "7b8bfc26-81d2-435e-965c-d722ee397ef1"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml
index b483a3d2c..5b5625c40 100644
--- a/rules/windows/discovery_peripheral_device.toml
+++ b/rules/windows/discovery_peripheral_device.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/20"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies use of the Windows file system utility (fsutil.exe) to gather informa
 and components connected to a computer system.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Peripheral Device Discovery"
@@ -64,7 +64,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/discovery_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_remote_system_discovery_commands_windows.toml
index 4430e9444..369989560 100644
--- a/rules/windows/discovery_remote_system_discovery_commands_windows.toml
+++ b/rules/windows/discovery_remote_system_discovery_commands_windows.toml
@@ -3,13 +3,13 @@ creation_date = "2020/12/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/20"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
 description = "Discovery of remote system information using built-in commands, which may be used to move laterally."
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote System Discovery Commands"
@@ -58,7 +58,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "0635c542-1b96-4335-9b47-126582d2c19a"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/discovery_security_software_wmic.toml b/rules/windows/discovery_security_software_wmic.toml
index e561d847c..5a156fcc0 100644
--- a/rules/windows/discovery_security_software_wmic.toml
+++ b/rules/windows/discovery_security_software_wmic.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/20"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies the use of Windows Management Instrumentation Command (WMIC) to disco
 such as AntiVirus or Host Firewall details.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Security Software Discovery using WMIC"
@@ -62,7 +62,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "6ea55c81-e2ba-42f2-a134-bccf857ba922"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index f5e556e8c..b7b596cb7 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/20"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "logs-system.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Whoami Process Activity"
@@ -71,7 +71,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "ef862985-3f13-4262-a686-5f357bbb9bc2"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "has_guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
index 416bd5048..69477680f 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ false_positives = [
 "Trusted SolarWinds child processes. Verify process details such as network connections and file writes.",
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Command Execution via SolarWinds Process"
@@ -27,7 +27,7 @@ references = [
 risk_score = 47
 rule_id = "d72e33fc-6e91-42ff-ac8b-e573268c5a87"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
index 1c0847cde..740575033 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ false_positives = [
 "Trusted SolarWinds child processes, verify process details such as network connections and file writes.",
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious SolarWinds Child Process"
@@ -27,7 +27,7 @@ references = [
 risk_score = 47
 rule_id = "93b22c0a-06a0-4131-b830-b10d5e166ff4"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml
index 0ec84a67a..aafc49f45 100644
--- a/rules/windows/execution_com_object_xwizard.toml
+++ b/rules/windows/execution_com_object_xwizard.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/20"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ programming interface (API) that enables interaction between software objects or
 run a COM object created in registry to evade defensive counter measures.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Execution of COM object via Xwizard"
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "1a6075b0-7479-450e-8fe7-b8b8438ac570"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index 2537d9816..0932561bb 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/09/20"
+updated_date = "2022/09/27"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -9,7 +9,7 @@ min_stack_version = "8.3.0"
 author = ["Elastic"]
 description = "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe"
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Svchost spawning Cmd"
@@ -73,7 +73,7 @@ references = [
 risk_score = 21
 rule_id = "fd7a6052-58fa-4397-93c3-4795249ccfa2"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide", "Elastic Endgame"]
 timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
 timeline_title = "Comprehensive Process Timeline"
 timestamp_override = "event.ingested"
diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml
index ca3979789..12c09061b 100644
--- a/rules/windows/execution_command_shell_started_by_unusual_process.toml
+++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml
@@ -3,13 +3,13 @@ creation_date = "2020/08/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Parent Process for cmd.exe"
@@ -20,7 +20,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "3b47900d-e793-49e8-968f-c90dc3526aa1"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml
index a9db9e87d..81e4454bd 100644
--- a/rules/windows/execution_command_shell_via_rundll32.toml
+++ b/rules/windows/execution_command_shell_via_rundll32.toml
@@ -3,14 +3,14 @@ creation_date = "2020/10/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code."
 false_positives = ["Microsoft Windows installers leveraging RunDLL32 for installation."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Command Shell Activity Started via RunDLL32"
@@ -21,7 +21,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "9ccf3ce0-0057-440a-91f5-870c6ad39093"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml
index 91aff1f85..f72a9f59c 100644
--- a/rules/windows/execution_enumeration_via_wmiprvse.toml
+++ b/rules/windows/execution_enumeration_via_wmiprvse.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies native Windows host and network enumeration commands spawned by the W
 Provider Service (WMIPrvSE).
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Enumeration Command Spawned via WMIPrvSE"
@@ -23,7 +23,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "770e0c4d-b998-41e5-a62e-c7901fd7f470"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
index ca4d40039..298a0df72 100644
--- a/rules/windows/execution_from_unusual_path_cmdline.toml
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -12,7 +12,7 @@ Identifies process execution from suspicious default Windows directories. This m
 malware in trusted paths.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Execution from Unusual Directory - Command Line"
@@ -71,7 +71,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "cff92c41-2225-4763-b4ce-6f71e5bda5e6"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Defense Evasion", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Defense Evasion", "has_guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
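Review bot: `updated_date` is not bumped for execution_from_unusual_path_cmdline.toml: that file's first hunk starts at `@@ -12,7 +12,7 @@`, while the other rule files in this commit carry a `@@ -3` hunk setting `updated_date = "2022/09/27"` next to the same `"endgame-*"` index entry and `"Elastic Endgame"` tag additions. If the value was not already `2022/09/27` before this commit, it should be updated to match the siblings: `updated_date = "2022/09/27"`. execution_via_xp_cmdshell_mssql_stored_procedure.toml has the same gap, as its first hunk also starts at `@@ -12`.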
diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml
index 3684fad02..9769a1831 100644
--- a/rules/windows/execution_ms_office_written_file.toml
+++ b/rules/windows/execution_ms_office_written_file.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/20"
+updated_date = "2022/09/27"
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies an executable created by a Microsoft Office application and subsequen
 launched via scripts inside documents or during exploitation of Microsoft Office applications.
 """
 from = "now-120m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
 interval = "60m"
 language = "eql"
 license = "Elastic License v2"
@@ -79,7 +79,7 @@ mean time to respond (MTTR).
 risk_score = 73
 rule_id = "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide", "Elastic Endgame"]
 type = "eql"
 query = '''
diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml
index e925b96da..2023152f0 100644
--- a/rules/windows/execution_pdf_written_file.toml
+++ b/rules/windows/execution_pdf_written_file.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/20"
+updated_date = "2022/09/27"
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies a suspicious file that was written by a PDF reader application and su
 often launched via exploitation of PDF applications.
 """
 from = "now-120m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
 interval = "60m"
 language = "eql"
 license = "Elastic License v2"
@@ -78,7 +78,7 @@ mean time to respond (MTTR).
 risk_score = 73
 rule_id = "1defdd62-cd8d-426e-a246-81a37751bb2b"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide", "Elastic Endgame"]
 type = "eql"
 query = '''
diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml
index eb0103d8a..00ca0163d 100644
--- a/rules/windows/execution_shared_modules_local_sxs_dll.toml
+++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/28"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/27"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ shared modules to execute malicious payloads by instructing the Windows module l
 paths.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Execution via local SxS Shared Module"
@@ -29,7 +29,7 @@ references = ["https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-
 risk_score = 47
 rule_id = "a3ea12f3-0d4e-4667-8b44-4230c63f3c75"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml
index a288ec590..1f88c4aef 100644
--- a/rules/windows/execution_suspicious_cmd_wmi.toml
+++ b/rules/windows/execution_suspicious_cmd_wmi.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies suspicious command execution (cmd) via Windows Management Instrumenta
 be indicative of adversary lateral movement.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Cmd Execution via WMI"
@@ -23,7 +23,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "12f07955-1674-44f7-86b5-c35da0a6f41a"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
index 8f6e3d5c1..fbd8716dd 100644
--- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
+++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/17"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/27"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ adversarial activity where child processes are spawned via Windows Management In
 be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious WMI Image Load from MS Office"
@@ -27,13 +27,13 @@ references = [
 risk_score = 21
 rule_id = "891cb88e-441a-4c3e-be2d-120d99fe7b0d"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 any where
- (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
+ (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
 process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and
 (dll.name : "wmiutils.dll" or file.name : "wmiutils.dll")
 '''
diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml
index 306d06b4f..6e421728e 100644
--- a/rules/windows/execution_suspicious_pdf_reader.toml
+++ b/rules/windows/execution_suspicious_pdf_reader.toml
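Review bot: The widening of `event.category == "library"` to `event.category : ("library", "driver")` in the query of the `@@ -27,13 +27,13 @@` hunk is not explained anywhere in the rule, and a maintainer reading the file later cannot tell whether it is tied to the `"endgame-*"` index added in the earlier hunk or is an independent detection change. A TOML comment above `query = '''` would keep that context with the rule, e.g. `# "driver" is matched alongside "library" so image-load events arriving through the endgame-* index are covered; confirm against the Endgame event mapping before tuning this clause`. The new clause also mixes operators: `:` is case-insensitive pattern matching while the adjacent `event.category == "process"` stays an exact comparison, so either both should use `:` or the list should be written as `event.category in ("library", "driver")` to keep the exact-match semantics the rule had before. The same query change, with the same missing explanation, appears in execution_suspicious_powershell_imgload.toml in its `@@ -95,12 +95,12 @@` hunk.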
@@ -3,7 +3,7 @@ creation_date = "2020/03/30"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/20"
+updated_date = "2022/09/27"
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies suspicious child processes of PDF reader applications. These child pr
 exploitation of PDF applications or social engineering.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious PDF Reader Child Process"
@@ -80,7 +80,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "53a26770-9cbd-40c5-8b57-61d01a325e14"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml
index 2ef227d9e..c8f0996ec 100644
--- a/rules/windows/execution_suspicious_powershell_imgload.toml
+++ b/rules/windows/execution_suspicious_powershell_imgload.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/17"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/20"
+updated_date = "2022/09/27"
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies the PowerShell engine being invoked by unexpected processes. Rather t
 with powershell.exe, some attackers do this to operate more stealthily.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious PowerShell Engine ImageLoad"
@@ -95,12 +95,12 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "852c1f19-68e8-43a6-9dce-340771fe1be3"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
+any where (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
 (dll.name : ("System.Management.Automation.ni.dll", "System.Management.Automation.dll") or
 file.name : ("System.Management.Automation.ni.dll", "System.Management.Automation.dll")) and
diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml
index b3c2d1392..e63b63cc0 100644
--- a/rules/windows/execution_suspicious_psexesvc.toml
+++ b/rules/windows/execution_suspicious_psexesvc.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies suspicious psexec activity which is executing from the psexec service
 evade detection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Process Execution via Renamed PsExec Executable"
@@ -23,7 +23,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml
index c922ebb80..08fdd5e85 100644
--- a/rules/windows/execution_via_compiled_html_file.toml
+++ b/rules/windows/execution_via_compiled_html_file.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/27"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Process Activity via Compiled HTML File"
@@ -31,7 +31,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "e3343ab9-4245-4715-b344-e11c56b0a47f"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml
index f767b2b97..e2f28a55b 100644
--- a/rules/windows/execution_via_hidden_shell_conhost.toml
+++ b/rules/windows/execution_via_hidden_shell_conhost.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/17"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/20"
+updated_date = "2022/09/27"
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Detects when the Console Window Host (conhost.exe) process is spawned by a suspi
 indicative of code injection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Conhost Spawned By Suspicious Parent Process"
@@ -84,7 +84,7 @@ references = [
 risk_score = 73
 rule_id = "05b358de-aa6d-4f6c-89e6-78f74018b43b"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
index a282df431..d76b2376e 100644
--- a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
+++ b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
@@ -12,7 +12,7 @@ Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may
 using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Execution via MSSQL xp_cmdshell Stored Procedure"
@@ -71,7 +71,7 @@ references = ["https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
 risk_score = 73
 rule_id = "4ed493fc-d637-4a36-80ff-ac84937e5461"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "has_guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/impact_backup_file_deletion.toml b/rules/windows/impact_backup_file_deletion.toml
index c685e0957..70a915422 100644
--- a/rules/windows/impact_backup_file_deletion.toml
+++ b/rules/windows/impact_backup_file_deletion.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/01"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/27"
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 "Certain utilities that delete files for disk cleanup or Administrators manually removing backup files.",
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Third-party Backup Files Deleted via Unexpected Process"
@@ -75,7 +75,7 @@ references = ["https://www.advintel.io/post/backup-removal-solutions-from-conti-
 risk_score = 47
 rule_id = "11ea6bec-ebde-4d71-a8e9-784948f8e3e9"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "has_guide"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "has_guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"