[Security Content] Update rules based on docs review (#1803)

* Adds suggestions from security-docs * Update rules/windows/lateral_movement_powershell_remoting_target.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-03-01 21:39:30 -03:00
parent 0122e1e65f
commit 1c50f35aed
47 changed files with 165 additions and 160 deletions
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2021/07/14"
 maturity = "production"
-updated_date = "2022/02/16"
+updated_date = "2022/02/28"
 min_stack_comments = "The field `event.agent_id_status` was not introduced until 7.14"
 min_stack_version = "7.15.0"

 [rule]
 author = ["Elastic"]
-description = """Detects events which have a mismatch on the expected event agent ID. The status "agent_id_mismatch"
+description = """Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch"
 occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could
 indicate attempts to spoof events in order to masquerade actual activity to evade detection.
 """
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2021/08/27"
 maturity = "production"
-updated_date = "2021/10/15"
+updated_date = "2022/02/28"
 integration = "aws"

 [rule]
 author = ["Austin Songer"]
 description = """
-Detects when a EFS File System or Mount is deleted. An adversary could break any file system using the mount target that
+Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target that
 is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to
 deleting the File System, or the adversary will be unable to delete the File System.
 """
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2021/09/13"
+updated_date = "2022/02/28"
 integration = "aws"

 [rule]
@@ -33,10 +33,10 @@ The AWS Fleet integration, Filebeat module, or similarly structured data is requ
 ### Investigating Spikes in CloudTrail Errors

 CloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding
-what is considered normal behavior within an organization, suspicious or malicious activity can be spotted when deviations
-are observed. This example rule triggers from a large spike in the number of CloudTrail log messages that contain a
-particular error message. The error message in question was associated with the response to an AWS API command or method call,
-this has the potential to uncover unknown threats or activity.
+what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations
+occur. This example rule triggers from a large spike in the number of CloudTrail log messages that contain a particular
+error message. The error message in question was associated with the response to an AWS API command or method call, this
+has the potential to uncover unknown threats or activity.

 #### Possible investigation steps:
 - Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_message` field, only manifested recently, it might be related to recent changes in an automation module or script.
@@ -54,10 +54,10 @@ changes to automation modules or scripting.
 - Rare AWS Error Code

 ### Response and Remediation
- If suspicious or malicious activity is observed, immediately rotate and delete relevant AWS IAM access keys
- Validate if any unauthorized new users were created, remove these accounts and request password resets for other IAM users
- Look into enabling multi-factor authentication for users
- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS
+- If suspicious or malicious activity is observed, immediately rotate and delete relevant AWS IAM access keys.
+- If any unauthorized new user accounts were created, remove them. Request password resets for other IAM users.
+- Look into enabling multi-factor authentication for users.
+- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.
 """
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
@@ -55,10 +55,10 @@ therefore it's important to validate the activity listed in the investigation st
 - Rare AWS Error Code

 ### Response and Remediation
- If suspicious or malicious activity is observed, immediately rotate and delete relevant AWS IAM access keys
- Validate if any unauthorized new users were created, remove these accounts and request password resets for other IAM users
- Look into enabling multi-factor authentication for users
- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS
+- If suspicious or malicious activity is observed, immediately rotate and delete relevant AWS IAM access keys.
+- Validate if any unauthorized new users were created, remove these accounts and request password resets for other IAM users.
+- Look into enabling multi-factor authentication for users.
+- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.
 """
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
@@ -1,14 +1,14 @@
 [metadata]
 creation_date = "2021/06/24"
 maturity = "production"
-updated_date = "2021/10/13"
+updated_date = "2022/02/28"
 integration = "azure"

 [rule]
 author = ["Austin Songer"]
 description = """
 Identifies when events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes.
-Example events are a container creation, an image pull, or a pod scheduling on a node.  An adversary may delete events
+Example events are a container creation, an image pull, or a pod scheduling on a node. An adversary may delete events
 in Azure Kubernetes in an attempt to evade detection.
 """
 false_positives = [
@@ -2,16 +2,16 @@
 creation_date = "2022/01/06"
 integration = "azure"
 maturity = "production"
-updated_date = "2022/01/06"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
 description = """
-In Azure Active Directory (Azure AD), permissions to manage resources are assigned using Roles. The Global Administrator
+In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator
 is a role that enables users to have access to all administrative features in Azure AD and services that use Azure
-Active Directory identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange,
-SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access
-and manage all subscriptions and their settings and resources.
+AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online,
+and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all
+subscriptions and their settings and resources.
 """
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/02/28"
 integration = "gcp"

 [rule]
@@ -9,9 +9,9 @@ author = ["Elastic"]
 description = """
 Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize
 log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during
-that time. To stop routing logs to a deleted bucket, the log sinks can be deleted that have the bucket as a destination,
-or the filter for the sinks can be modified to stop routing logs to the deleted bucket. An adversary may delete a log
-bucket to evade detection.
+that time. To stop routing logs to a deleted bucket, you can delete the log sinks that have the bucket as their
+destination, or modify the filter for the sinks to stop it from routing logs to the deleted bucket. An adversary may
+delete a log bucket to evade detection.
 """
 false_positives = [
    """
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/03/29"
 maturity = "production"
-updated_date = "2022/01/05"
+updated_date = "2022/02/28"
 integration = "o365"

 [rule]
@@ -9,8 +9,8 @@ author = ["Elastic", "Gary Blackwell", "Austin Songer"]
 description = """
 Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based
 on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can
-abuse Inbox Rules to intercept and exfiltrate email data while not requiring organization-wide configuration changes nor
-privileges to set those.
+abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or
+having the corresponding privileges.
 """
 false_positives = [
    """
@@ -1,15 +1,15 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/02/28"
 integration = "o365"

 [rule]
 author = ["Elastic"]
 description = """
-Identifies a transport rule creation in Microsoft 365. Exchange Online mail transport rules should be set to not forward
-email to domains outside of your organization as a best practice. An adversary may create transport rules to exfiltrate
-data.
+Identifies a transport rule creation in Microsoft 365. As a best practice, Exchange Online mail transport rules should
+not be set to forward email to domains outside of your organization. An adversary may create transport rules to
+exfiltrate data.
 """
 false_positives = [
    """
@@ -2,14 +2,14 @@
 creation_date = "2022/01/10"
 integration = "o365"
 maturity = "production"
-updated_date = "2022/01/10"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
 description = """
 Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers
 can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access.
-Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain
+Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain
 initial access to other endpoints in the environment.
 """
 false_positives = ["Benign files can trigger signatures in the built-in virus protection"]
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/02/28"
 integration = "o365"

 [rule]
@@ -9,8 +9,8 @@ author = ["Elastic"]
 description = """
 Identifies when a DomainKeys Identified Mail (DKIM) signing configuration is disabled in Microsoft 365. With DKIM in
 Microsoft 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the
-receiving email system to validate that the messages were generated by a server that the organization authorized and not
-being spoofed.
+receiving email system to validate that the messages were generated by a server that the organization authorized and
+were not spoofed.
 """
 false_positives = [
    """
@@ -2,16 +2,16 @@
 creation_date = "2022/01/06"
 integration = "o365"
 maturity = "production"
-updated_date = "2022/01/06"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
 description = """
-In Azure Active Directory (Azure AD), permissions to manage resources are assigned using Roles. The Global Administrator
+In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator
 is a role that enables users to have access to all administrative features in Azure AD and services that use Azure
-Active Directory identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange,
-SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access
-and manage all subscriptions and their settings and resources.
+AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online,
+and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all
+subscriptions and their settings and resources.
 """
 from = "now-25m"
 index = ["filebeat-*", "logs-o365*"]
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2022/01/05"
 maturity = "production"
-updated_date = "2022/01/05"
+updated_date = "2022/02/28"
 integration = "okta"

 [rule]
 author = ["Elastic"]
 description = """
-Detect when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the
+Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the
 user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured
 for an organization to obtain unauthorized access.
 """
@@ -1,12 +1,12 @@
 [metadata]
 creation_date = "2022/01/26"
 maturity = "production"
-updated_date = "2022/01/26"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
 description = """
-Identifies attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment
+Identifies an attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment
 variable injection. Successful exploitation allows an unprivileged user to escalate to the root user.
 """
 from = "now-9m"
@@ -1,11 +1,14 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2022/01/25"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
-description = "Adversaries may create or modify launch daemons to repeatedly execute malicious payloads as part of persistence."
+description = """
+Indicates the creation or modification of a launch daemon, which adversaries may use to repeatedly execute malicious
+payloads as part of persistence.
+"""
 false_positives = ["Trusted applications persisting via LaunchDaemons"]
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
@@ -1,12 +1,12 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2022/01/25"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
 description = """
-A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its
+Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its
 window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a
 malicious script.
 """
@@ -19,7 +19,7 @@ name = "Unexpected Child Process of macOS Screensaver Engine"
 note = """## Triage and analysis

 - Analyze the descendant processes of the ScreenSaverEngine process for malicious code and suspicious behavior such
-as a download of a payload from a server
+as a download of a payload from a server.
 - Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to
 identify whether the file is malicious or not.
 """
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/09/13"
+updated_date = "2022/02/28"

 [rule]
 anomaly_threshold = 50
@@ -41,7 +41,7 @@ uncover potential malware and suspicious behaviors.
 ### False Positive Analysis
 - Validate the unusual Windows process is not related to new benign software installation activity. If related to
 legitimate software, this can be done by leveraging the exception workflow in the Kibana Security App or Elasticsearch
-API to tune this rule to your environment
+API to tune this rule to your environment.
 - Try to understand the context of the execution by thinking about the user, machine, or business purpose.  It's possible that a small number of endpoints
 such as servers that have very unique software that might appear to be unusual, but satisfy a specific business need.

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/19"
 maturity = "production"
-updated_date = "2022/02/16"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
@@ -40,8 +40,8 @@ computer.

 ### Response and Remediation

- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further
-post-compromise behavior.
+- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent
+further post-compromise behavior.

 ## Config

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/15"
 maturity = "production"
-updated_date = "2022/02/16"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
@@ -40,8 +40,8 @@ valuable information as credit card data and confidential conversations.

 ### Response and Remediation

- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further
-post-compromise behavior.
+- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent
+further post-compromise behavior.

 ## Config

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/02/08"
 maturity = "production"
-updated_date = "2022/02/08"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
@@ -44,8 +44,8 @@ use computer accounts and also Azure AD Connect MSOL accounts (more details [her

 #### Possible investigation steps:

- Identify the account that performed the action
- Confirm whether the account owner is aware of the operation
+- Identify the account that performed the action.
+- Confirm whether the account owner is aware of the operation.
 - Investigate other alerts related to the user/host in the last 48 hours.
 - Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received
 the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.
@@ -60,10 +60,10 @@ cracking attacks (Kerberoasting, brute force, etc.).

 ### Response and Remediation

- Initiate the incident response process based on the outcome of the triage
- In case of specific credentials were compromised:
-    - Reset the password for the accounts
- In case of the entire domain or the `krbtgt` user were compromised:
+- Initiate the incident response process based on the outcome of the triage.
+- If specific credentials were compromised:
+    - Reset the password for the accounts.
+- If the entire domain or the `krbtgt` user were compromised:
    - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password
    reset (twice) of the `krbtgt` user.

@@ -1,13 +1,14 @@
 [metadata]
 creation_date = "2021/03/18"
 maturity = "production"
-updated_date = "2022/02/14"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
 description = """
-Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting
-the authentication credentials in clear text during user logon.
+Identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon
+provider module for persistence and/or credential access via intercepting the authentication credentials in clear text
+during user logon.
 """
 false_positives = ["Authorized third party network logon providers."]
 from = "now-9m"
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/05"
 maturity = "production"
-updated_date = "2022/02/16"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
@@ -42,8 +42,8 @@ information stored in the process memory.

 ### Response and Remediation

- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further
-post-compromise behavior.
+- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent
+further post-compromise behavior.

 ## Config

@@ -6,7 +6,7 @@ updated_date = "2021/01/24"
 [rule]
 author = ["Elastic"]
 description = """
-Detects PowerShell scripts that have the capability of requesting kerberos tickets, which is common step in
+Detects PowerShell scripts that have the capability of requesting kerberos tickets, which is a common step in
 Kerberoasting toolkits to crack service accounts.
 """
 from = "now-9m"
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2021/10/14"
-updated_date = "2022/02/16"
+updated_date = "2022/02/28"
 maturity = "production"
 min_stack_version = "7.14.0"
 min_stack_comments = "Cardinality field not added to threshold rule type until 7.14."
@@ -10,7 +10,7 @@ min_stack_comments = "Cardinality field not added to threshold rule type until 7
 author = ["Elastic"]
 description = """
 Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed
-by the same process and targeting two different instances of LSASS. This may indicate an attempt to evade detection and
+by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and
 dump LSASS memory for credential access.
 """
 from = "now-9m"
@@ -1,12 +1,12 @@
 [metadata]
 creation_date = "2021/06/01"
 maturity = "production"
-updated_date = "2022/02/07"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
 description = """
-JScript tries to query the AmsiEnable registry key from the HKEY_USERS registry hive before initializing Antimalware
+Identifies when JScript tries to query the AmsiEnable registry key from the HKEY_USERS registry hive before initializing Antimalware
 Scan Interface (AMSI). If this key is set to 0, AMSI is not enabled for the JScript process. An adversary can modify
 this key to disable AMSI protections.
 """
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/20"
 maturity = "production"
-updated_date = "2021/12/03"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
@@ -32,8 +32,8 @@ to be legitimately allowlisted from Windows Defender?

 ### False Positive Analysis
 - This rule has a higher chance to produce false positives based on the nature around configuring exclusions by possibly
-a network administrator. In order to validate the activity further, review the specific exclusion and based on its
-intent. There are many legitimate reasons for exclusions, so it's important to gain context.
+a network administrator. In order to validate the activity further, review the specific exclusion and its intent. There
+are many legitimate reasons for exclusions, so it's important to gain context.

 ### Related Rules
 - Windows Defender Disabled via Registry Modification
@@ -41,10 +41,10 @@ intent. There are many legitimate reasons for exclusions, so it's important to g

 ### Response and Remediation
 - Since this is related to post-exploitation activity, take immediate action to review, investigate and
-potentially isolate further activity
+potentially isolate further activity.
 - If further analysis showed malicious intent was behind the Defender exclusions, administrators should remove
-the exclusion and ensure antimalware capability has not been disabled or deleted
- Exclusion lists for antimalware capabilities should always be routinely monitored for review
+the exclusion and ensure antimalware capability has not been disabled or deleted.
+- Exclusion lists for antimalware capabilities should always be routinely monitored for review.
 """
 references = ["https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf"]
 risk_score = 47
@@ -6,7 +6,7 @@ updated_date = "2022/02/14"
 [rule]
 author = ["Austin Songer"]
 description = """
-Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper Microsoft
+Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft
 Defender features to evade detection and conceal malicious behavior.
 """
 false_positives = ["Legitimate Windows Defender configuration changes"]
@@ -6,7 +6,7 @@ updated_date = "2022/01/12"
 [rule]
 author = ["Elastic"]
 description = """
-Microsoft Office Products offers options for users and developers to control the security settings for running and using
+Microsoft Office Products offer options for users and developers to control the security settings for running and using
 Macros. Adversaries may abuse these security settings to modify the default behavior of the Office Application to trust
 future macros and/or disable security warnings, which could increase their chances of establishing persistence.
 """
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/14"
 maturity = "production"
-updated_date = "2022/02/16"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
@@ -44,8 +44,8 @@ payloads directly into the memory, without touching the disk.

 ### Response and Remediation

- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further
-post-compromise behavior.
+- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent
+further post-compromise behavior.

 ## Config

@@ -7,7 +7,7 @@ updated_date = "2022/02/16"
 [rule]
 author = ["Austin Songer"]
 description = """
-Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which attackers do to evade network
+Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which can help attackers evade network
 constraints, like internet and network lateral communication restrictions.
 """
 false_positives = [
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
@@ -29,16 +29,16 @@ observed where this tool has been adopted by ransomware and criminal groups and
 - `AdFind` is a legitimate Active Directory enumeration tool used by network administrators, it's important to understand
 the source of the activity.  This could involve identifying the account using `AdFind` and determining based on the command-lines
 what information was retrieved, then further determining if these actions are in scope of that user's traditional responsibilities.
- In multiple public references, `AdFind` is leveraged after initial access is achieved, review previous activity on impacted
-machine looking for suspicious indicators such as previous anti-virus/EDR alerts, phishing emails received, or network traffic
+- In multiple public references, `AdFind` is leveraged after initial access is achieved. Review previous activity on impacted
+machines for suspicious indicators such as previous anti-virus/EDR alerts, phishing emails received, or network traffic
 to suspicious infrastructure.

 ### False Positive Analysis
- This rule has the high chance to produce false positives as it is a legitimate tool used by network administrators. One
+- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators. One
 option could be allowlisting specific users or groups who use the tool as part of their daily responsibilities. This can
-be done by leveraging the exception workflow in the Kibana Security App or Elasticsearch API to tune this rule to your environment
+be done by leveraging the exception workflow in the Kibana Security App or Elasticsearch API to tune this rule to your environment.
 - Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in
-isolation, so reviewing previous logs/activity from impacted machines could be very telling.
+isolation, so reviewing previous logs/activity from impacted machines can be very telling.

 ### Related Rules
 - Windows Network Enumeration
@@ -46,8 +46,8 @@ isolation, so reviewing previous logs/activity from impacted machines could be v
 - Enumeration Command Spawned via WMIPrvSE

 ### Response and Remediation
- take immediate action to validate activity, investigate and potentially isolate activity to prevent further
-post-compromise behavior
+- Take immediate action to validate activity, investigate and potentially isolate activity to prevent further
+post-compromise behavior.
 - It's important to understand that `AdFind` is an Active Directory enumeration tool and can be used for malicious or legitimate
 purposes, so understanding the intent behind the activity will help determine the appropropriate response.
 """
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/03/18"
 maturity = "production"
-updated_date = "2022/02/10"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
 description = """
-Identifies the SYSTEM account using an account discovery utility. This could be a sign of discovery activity after an
-adversary has achieved privilege escalation.
+Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after
+an adversary has achieved privilege escalation.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/13"
 maturity = "production"
-updated_date = "2022/02/16"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
@@ -42,8 +42,8 @@ like PSReflect or Get-ProcAddress Cmdlet.

 ### Response and Remediation

- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further
-post-compromise behavior.
+- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent
+further post-compromise behavior.

 ## Config

@@ -1,14 +1,13 @@
 [metadata]
 creation_date = "2021/10/15"
 maturity = "production"
-updated_date = "2022/02/16"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
 description = """
-Detects the presence of portable executables (PE) in a PowerShell script by looking for its encoded header.
-Attackers embed PEs into PowerShell scripts for injecting them into the memory, avoiding defenses by not writing to
-disk.
+Detects the presence of a portable executable (PE) in a PowerShell script by looking for its encoded header. Attackers
+embed PEs into PowerShell scripts to inject them into memory, avoiding defences by not writing to disk.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-windows.*"]
@@ -43,8 +42,8 @@ bypassing antivirus software. These executables are generally base64 encoded.

 ### Response and Remediation

- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further
-post-compromise behavior.
+- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent
+further post-compromise behavior.

 ## Config

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/15"
 maturity = "production"
-updated_date = "2022/02/16"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
@@ -48,11 +48,11 @@ PowerShell, enabling the defender to discover tools being dropped in the environ
 - PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70

 ### Response and Remediation
- Immediate response should be taken to validate activity, investigate, and potentially isolate activity to prevent further
-post-compromise behavior.
+- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent
+further post-compromise behavior.

 ## Config
-The 'PowerShell Script Block Logging' logging policy is required be configured (Enable).
+The 'PowerShell Script Block Logging' logging policy must be configured (Enable).

 Steps to implement the logging policy with with Advanced Audit Configuration:
 ```
@@ -1,14 +1,14 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2022/01/13"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
 description = """
 Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are
 launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move
-laterally while attempting to evading detection.
+laterally while attempting to evade detection.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
@@ -1,12 +1,12 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2021/09/08"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
 description = """
-Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers which result in
+Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in
 Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.
 """
 false_positives = [
@@ -36,7 +36,7 @@ the source of the incoming traffic and determine if this activity has been obser
 - Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.

 #### False Positive Analysis
- Based on this rule which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes
+- Based on this rule, which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes
 and related to legitimate behavior.  In packet capture files received by the [SANS Internet Storm Center](https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/), byte responses
 were all observed as greater than 65k bytes.
 - This activity can be triggered by compliance/vulnerability scanning or compromise assessment, it's
@@ -1,12 +1,12 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2022/01/13"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
 description = """
-Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows for running any Windows
+Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows
 PowerShell command on one or more remote computers. This could be an indication of lateral movement.
 """
 false_positives = [
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/03/15"
 maturity = "production"
-updated_date = "2022/02/14"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
@@ -24,10 +24,10 @@ behavior may evade existing AV/EDR solutions. These programs may also run with h
 an attacker.

 #### Possible investigation steps:
- Review the source process and related file tied to the Windows Registry entry
+- Review the source process and related file tied to the Windows Registry entry.
 - Validate the activity is not related to planned patches, updates, network administrator activity or legitimate software
-installations
- Determine if activity is unique by validating if other machines in same organization have similar entry
+installations.
+- Determine if activity is unique by validating if other machines in same organization have similar entry.

 ### False Positive Analysis
 - There is a high possibility of benign legitimate programs being added to Shell folders. This activity could be based
@@ -40,9 +40,9 @@ investigation, it should be verified that this activity is not benign.

 ### Response and Remediation
 - Activity should first be validated as a true positive event if so then take immediate action to review,
-investigate and potentially isolate activity to prevent further post-compromise behavior
+investigate and potentially isolate activity to prevent further post-compromise behavior.
 - The respective binary or program tied to this persistence method should be further analyzed and reviewed to understand
-its behavior and capabilities
+its behavior and capabilities.
 - Since this activity is considered post-exploitation behavior, it's important to understand how the behavior was first
 initialized such as through a macro-enabled document that was attached in a phishing email. By understanding the source
 of the attack, this information can then be used to search for similar indicators on other machines in the same environment.
@@ -1,11 +1,14 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/02/14"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
-description = "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges."
+description = """
+Indicates the creation of a scheduled task. Adversaries can use these to establish persistence, move laterally, and/or
+escalate privileges.
+"""
 false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
@@ -1,12 +1,12 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/02/14"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
 description = """
-Detects changes to registry persistence keys that are uncommonly used or modified by legitimate programs. This could be
+Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be
 an indication of an adversary's attempt to persist in a stealthy manner.
 """
 from = "now-9m"
@@ -1,16 +1,15 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2022/02/14"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
 description = """
-Windows operating systems are utilizing the time provider architecture in order to obtain accurate time stamps from
-other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides
-in System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll. Adversaries may
-abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time
-provider.
+Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a
+malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other
+network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the
+System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/11/08"
 maturity = "production"
-updated_date = "2022/02/16"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
@@ -35,12 +35,12 @@ and the administrator is authorized to perform this operation.
 - Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e

 ### Response and Remediation
- Immediate response should be taken to validate activity, investigate, and potentially isolate activity to prevent further
-post-compromise behavior.
+- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent
+further post-compromise behavior.

 ## Config

-The 'Audit Detailed File Share' audit policy is required be configured (Success Failure).
+The 'Audit Detailed File Share' audit policy must be configured (Success Failure).
 Steps to implement the logging policy with with Advanced Audit Configuration:
 ```
 Computer Configuration > 
@@ -53,7 +53,7 @@ Object Access >
 Audit Detailed File Share (Success,Failure)
 ```

-The 'Audit Directory Service Changes' audit policy is required be configured (Success Failure).
+The 'Audit Directory Service Changes' audit policy must be configured (Success Failure).
 Steps to implement the logging policy with with Advanced Audit Configuration:
 ```
 Computer Configuration > 
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/11/08"
 maturity = "production"
-updated_date = "2022/02/16"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
@@ -27,11 +27,11 @@ Example Path: "\\\\DC.com\\SysVol\\DC.com\\Policies\\{21B9B880-B2FB-4836-9C2D-20
 is legitimate and the administrator is authorized to perform this operation.
 - Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially
 dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.
- Inspect the user SIDs associated with these privileges
+- Inspect the user SIDs associated with these privileges.

 ### False Positive Analysis
- Verify if these User SIDs should have these privileges enabled.
- Inspect whether the user that has done these modifications should be allowed to do it. The user name can be found in the
+- Verify if the User SIDs should have these privileges.
+- Inspect whether the user that has done the modifications should be allowed to. The user name can be found in the
 `winlog.event_data.SubjectUserName` field.

 ### Related Rules
@@ -39,12 +39,12 @@ dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelega
 - Startup/Logon Script added to Group Policy Object

 ### Response and Remediation
- Immediate response should be taken to validate activity, investigate, and potentially isolate activity to prevent further
-post-compromise behavior.
+- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent
+further post-compromise behavior.

 ## Config

-The 'Audit Directory Service Changes' audit policy is required be configured (Success Failure).
+The 'Audit Directory Service Changes' audit policy must be configured (Success Failure).
 Steps to implement the logging policy with with Advanced Audit Configuration:
 ```
 Computer Configuration > 
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/11/08"
 maturity = "production"
-updated_date = "2022/02/16"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ file.
 #### Possible investigation steps:
 - This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity
 is legitimate and the administrator is authorized to perform this operation.
- Retrieve the contents of the `ScheduledTasks.xml` file, ánd check the `<Command>` and `<Arguments>` XML tags for any
+- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `<Command>` and `<Arguments>` XML tags for any
 potentially malicious commands and binaries.
 - If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.

@@ -35,12 +35,12 @@ potentially malicious commands and binaries.
 - Startup/Logon Script added to Group Policy Object

 ### Response and Remediation
- Immediate response should be taken to validate activity, investigate, and potentially isolate activity to prevent further
-post-compromise behavior.
+- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent
+further post-compromise behavior.

 ## Config

-The 'Audit Detailed File Share' audit policy is required be configured (Success Failure).
+The 'Audit Detailed File Share' audit policy must be configured (Success Failure).
 Steps to implement the logging policy with with Advanced Audit Configuration:
 ```
 Computer Configuration > 
@@ -53,7 +53,7 @@ Object Access >
 Audit Detailed File Share (Success,Failure)
 ```

-The 'Audit Directory Service Changes' audit policy is required be configured (Success Failure).
+The 'Audit Directory Service Changes' audit policy must be configured (Success Failure).
 Steps to implement the logging policy with with Advanced Audit Configuration:
 ```
 Computer Configuration > 
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/11/25"
 maturity = "production"
-updated_date = "2022/02/16"
+updated_date = "2022/02/28"

 [rule]
 author = ["Elastic"]
@@ -40,8 +40,8 @@ to the location to escalate privileges. An attacker is able to still take over a

 ### Response and Remediation

- Immediate response should be taken to validate activity, investigate, and potentially isolate activity to prevent further
-post-compromise behavior.
+- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent
+further post-compromise behavior.
 """
 references = [
    "https://github.com/klinix5/InstallerFileTakeOver"