diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml index fd1d03bc8..7f39cc445 100644 --- a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml +++ b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml @@ -1,13 +1,13 @@ [metadata] creation_date = "2021/07/14" maturity = "production" -updated_date = "2022/02/16" +updated_date = "2022/02/28" min_stack_comments = "The field `event.agent_id_status` was not introduced until 7.14" min_stack_version = "7.15.0" [rule] author = ["Elastic"] -description = """Detects events which have a mismatch on the expected event agent ID. The status "agent_id_mismatch" +description = """Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch" occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate attempts to spoof events in order to masquerade actual activity to evade detection. """ diff --git a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml index 1ef0548a2..3f480a119 100644 --- a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml +++ b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml 
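Review bot: The two metadata context lines left around the rewritten description no longer agree: `min_stack_comments` justifies a floor of 7.14 (the field `event.agent_id_status` was not introduced until 7.14) while `min_stack_version` is `"7.15.0"`. If 7.15 is needed for some other reason, the comment should name it, e.g. `min_stack_comments = "event.agent_id_status was not introduced until 7.14; 7.15 is required for <reason>"`; otherwise one of the two values looks stale. Neither line is changed by this commit, but a wording pass on this rule is the natural place to reconcile them.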
@@ -1,13 +1,13 @@ [metadata] creation_date = "2021/08/27" maturity = "production" -updated_date = "2021/10/15" +updated_date = "2022/02/28" integration = "aws" [rule] author = ["Austin Songer"] description = """ -Detects when a EFS File System or Mount is deleted. An adversary could break any file system using the mount target that +Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System. """ diff --git a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml index fa64118bb..5b5d0f91c 100644 --- a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml +++ b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/07/13" maturity = "production" -updated_date = "2021/09/13" +updated_date = "2022/02/28" integration = "aws" [rule] 
@@ -33,10 +33,10 @@ The AWS Fleet integration, Filebeat module, or similarly structured data is requ ### Investigating Spikes in CloudTrail Errors CloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding -what is considered normal behavior within an organization, suspicious or malicious activity can be spotted when deviations -are observed. This example rule triggers from a large spike in the number of CloudTrail log messages that contain a -particular error message. The error message in question was associated with the response to an AWS API command or method call, -this has the potential to uncover unknown threats or activity. +what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations +occur. This example rule triggers from a large spike in the number of CloudTrail log messages that contain a particular +error message. The error message in question was associated with the response to an AWS API command or method call, this +has the potential to uncover unknown threats or activity. #### Possible investigation steps: - Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_message` field, only manifested recently, it might be related to recent changes in an automation module or script. 
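Review bot: The reflowed sentence `The error message in question was associated with the response to an AWS API command or method call, this has the potential to uncover unknown threats or activity.` is still a comma splice, and `this` has no clear referent. Suggest `The error message is taken from the response to an AWS API call; an unusual spike in it can surface unknown threats or activity.` The surrounding note text outside the hunk is unaffected.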
@@ -54,10 +54,10 @@ changes to automation modules or scripting. - Rare AWS Error Code ### Response and Remediation -- If suspicious or malicious activity is observed, immediately rotate and delete relevant AWS IAM access keys -- Validate if any unauthorized new users were created, remove these accounts and request password resets for other IAM users -- Look into enabling multi-factor authentication for users -- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS +- If suspicious or malicious activity is observed, immediately rotate and delete relevant AWS IAM access keys. +- If any unauthorized new user accounts were created, remove them. Request password resets for other IAM users. +- Look into enabling multi-factor authentication for users. +- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS. """ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] risk_score = 21 diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml index 09ef2cd25..52003f225 100644 --- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml +++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml 
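Review bot: The first remediation bullet, `immediately rotate and delete relevant AWS IAM access keys`, covers only long-term credentials: deleting or rotating an access key does not invalidate STS session tokens that were already issued to the principal, and those stay usable until they expire. Consider adding a bullet such as `- Revoke active sessions for the affected IAM users and roles (for example, by attaching a policy that denies requests whose tokens were issued before the revocation time).` This is the step most often missed after a key rotation and is what actually cuts off an attacker who already has a session.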
@@ -55,10 +55,10 @@ therefore it's important to validate the activity listed in the investigation st - Rare AWS Error Code ### Response and Remediation -- If suspicious or malicious activity is observed, immediately rotate and delete relevant AWS IAM access keys -- Validate if any unauthorized new users were created, remove these accounts and request password resets for other IAM users -- Look into enabling multi-factor authentication for users -- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS +- If suspicious or malicious activity is observed, immediately rotate and delete relevant AWS IAM access keys. +- Validate if any unauthorized new users were created, remove these accounts and request password resets for other IAM users. +- Look into enabling multi-factor authentication for users. +- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS. """ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] risk_score = 21 diff --git a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml index b5c43c684..1a0c11705 100644 --- a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml +++ b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml 
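Review bot: The second bullet here keeps the pre-commit wording `Validate if any unauthorized new users were created, remove these accounts and request password resets for other IAM users.` while the identical bullet in ml_cloudtrail_error_message_spike.toml is rewritten in this same commit to `If any unauthorized new user accounts were created, remove them. Request password resets for other IAM users.`; the two Response and Remediation sections were copies of each other and should stay byte-identical. Apply the same rewrite here. The first bullet in both files should also note that rotating IAM access keys does not revoke STS sessions that were already issued.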
@@ -1,14 +1,14 @@ [metadata] creation_date = "2021/06/24" maturity = "production" -updated_date = "2021/10/13" +updated_date = "2022/02/28" integration = "azure" [rule] author = ["Austin Songer"] description = """ Identifies when events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes. -Example events are a container creation, an image pull, or a pod scheduling on a node. An adversary may delete events +Example events are a container creation, an image pull, or a pod scheduling on a node. An adversary may delete events in Azure Kubernetes in an attempt to evade detection. """ false_positives = [ diff --git a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml index 29e68ee6f..eb931018e 100644 --- a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml +++ b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml 
@@ -2,16 +2,16 @@ creation_date = "2022/01/06" integration = "azure" maturity = "production" -updated_date = "2022/01/06" +updated_date = "2022/02/28" [rule] author = ["Elastic"] description = """ -In Azure Active Directory (Azure AD), permissions to manage resources are assigned using Roles. The Global Administrator +In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure -Active Directory identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, -SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access -and manage all subscriptions and their settings and resources. +AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, +and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all +subscriptions and their settings and resources. """ from = "now-25m" index = ["filebeat-*", "logs-azure*"] diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml index fda783531..aadea9b77 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/21" maturity = "production" -updated_date = "2021/07/20" +updated_date = "2022/02/28" integration = "gcp" [rule] 
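Review bot: The last sentence of the rewritten description, `Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.`, overstates the default scope: as I understand the Azure model, a Global Administrator controls the directory but cannot manage Azure subscriptions until they explicitly elevate access to User Access Administrator at the root scope, which is a separate, logged action. Suggest `...to maintain access to the directory and, after elevating access, to manage all subscriptions and their settings and resources.` Calling out the elevation step tells analysts which follow-on event to look for after this alert.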
@@ -9,9 +9,9 @@ author = ["Elastic"] description = """ Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during -that time. To stop routing logs to a deleted bucket, the log sinks can be deleted that have the bucket as a destination, -or the filter for the sinks can be modified to stop routing logs to the deleted bucket. An adversary may delete a log -bucket to evade detection. +that time. To stop routing logs to a deleted bucket, you can delete the log sinks that have the bucket as their +destination, or modify the filter for the sinks to stop it from routing logs to the deleted bucket. An adversary may +delete a log bucket to evade detection. """ false_positives = [ """ diff --git a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml index 314858425..230ea7384 100644 --- a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml +++ b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/03/29" maturity = "production" -updated_date = "2022/01/05" +updated_date = "2022/02/28" integration = "o365" [rule] 
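Review bot: In the reflowed sentence `or modify the filter for the sinks to stop it from routing logs to the deleted bucket`, `it` has no singular antecedent; the sinks are plural. Suggest `or modify the sinks' filters to stop them from routing logs to the deleted bucket`. The rest of the reflow reads correctly.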
@@ -9,8 +9,8 @@ author = ["Elastic", "Gary Blackwell", "Austin Songer"] description = """ Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can -abuse Inbox Rules to intercept and exfiltrate email data while not requiring organization-wide configuration changes nor -privileges to set those. +abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or +having the corresponding privileges. """ false_positives = [ """ diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml index fe93a320c..71a9478f2 100644 --- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml +++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml @@ -1,15 +1,15 @@ [metadata] creation_date = "2020/11/18" maturity = "production" -updated_date = "2021/07/20" +updated_date = "2022/02/28" integration = "o365" [rule] author = ["Elastic"] description = """ -Identifies a transport rule creation in Microsoft 365. Exchange Online mail transport rules should be set to not forward -email to domains outside of your organization as a best practice. An adversary may create transport rules to exfiltrate -data. +Identifies a transport rule creation in Microsoft 365. As a best practice, Exchange Online mail transport rules should +not be set to forward email to domains outside of your organization. An adversary may create transport rules to +exfiltrate data. """ false_positives = [ """ 
diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml index 36ec9de52..c8e7dd095 100644 --- a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml +++ b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml @@ -2,14 +2,14 @@ creation_date = "2022/01/10" integration = "o365" maturity = "production" -updated_date = "2022/01/10" +updated_date = "2022/02/28" [rule] author = ["Elastic"] description = """ Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. -Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain +Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain initial access to other endpoints in the environment. """ false_positives = ["Benign files can trigger signatures in the built-in virus protection"] diff --git a/rules/integrations/o365/microsoft_365_exchange_dkim_signing_config_disabled.toml b/rules/integrations/o365/microsoft_365_exchange_dkim_signing_config_disabled.toml index 0108a46eb..0a267b2f5 100644 --- a/rules/integrations/o365/microsoft_365_exchange_dkim_signing_config_disabled.toml +++ b/rules/integrations/o365/microsoft_365_exchange_dkim_signing_config_disabled.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/18" maturity = "production" -updated_date = "2021/07/20" +updated_date = "2022/02/28" integration = "o365" [rule] 
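Review bot: The context line `Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine.` keeps the misspelling `occurence` even though this commit edits the sentence immediately after it. Suggest `Identifies files uploaded to SharePoint that the file scanning engine detects as malware.`, which also drops the stray capital on `Malware` and the `occurrence of ... being detected` construction.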
@@ -9,8 +9,8 @@ author = ["Elastic"] description = """ Identifies when a DomainKeys Identified Mail (DKIM) signing configuration is disabled in Microsoft 365. With DKIM in Microsoft 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the -receiving email system to validate that the messages were generated by a server that the organization authorized and not -being spoofed. +receiving email system to validate that the messages were generated by a server that the organization authorized and +were not spoofed. """ false_positives = [ """ diff --git a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml index 959a0b38a..821f25621 100644 --- a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml +++ b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml 
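Review bot: The rewritten clause `validate that the messages were generated by a server that the organization authorized and were not spoofed` credits DKIM with more than it provides on its own: a valid signature shows the message was signed with the sending domain's published key and was not altered in transit, but rejecting spoofed mail depends on the receiver enforcing a DMARC policy that uses that result. Suggest `validate that the message was signed with the organization's DKIM key and was not altered in transit, which, together with DMARC, lets receivers reject spoofed mail.` That phrasing also explains why disabling signing weakens downstream DMARC enforcement for the tenant's domains.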
@@ -2,16 +2,16 @@ creation_date = "2022/01/06" integration = "o365" maturity = "production" -updated_date = "2022/01/06" +updated_date = "2022/02/28" [rule] author = ["Elastic"] description = """ -In Azure Active Directory (Azure AD), permissions to manage resources are assigned using Roles. The Global Administrator +In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure -Active Directory identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, -SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access -and manage all subscriptions and their settings and resources. +AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, +and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all +subscriptions and their settings and resources. """ from = "now-25m" index = ["filebeat-*", "logs-o365*"] diff --git a/rules/integrations/okta/credential_access_mfa_push_brute_force.toml b/rules/integrations/okta/credential_access_mfa_push_brute_force.toml index 46334e6a5..b9d374a1e 100644 --- a/rules/integrations/okta/credential_access_mfa_push_brute_force.toml +++ b/rules/integrations/okta/credential_access_mfa_push_brute_force.toml 
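Review bot: The closing sentence `Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.` skips the access-elevation step a Global Administrator has to perform before managing Azure subscriptions, so it reads as if the role grants subscription control directly. Since this description is a copy of the one in persistence_azure_global_administrator_role_assigned.toml, whatever wording is settled on there should be mirrored here so the two stay byte-identical; `...maintain access to the directory and, after elevating access, manage all subscriptions...` would work for both.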
@@ -1,13 +1,13 @@ [metadata] creation_date = "2022/01/05" maturity = "production" -updated_date = "2022/01/05" +updated_date = "2022/02/28" integration = "okta" [rule] author = ["Elastic"] description = """ -Detect when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the +Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access. """ diff --git a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml index aa3ef7b99..3c097c6f1 100644 --- a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml +++ b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml @@ -1,12 +1,12 @@ [metadata] creation_date = "2022/01/26" maturity = "production" -updated_date = "2022/01/26" +updated_date = "2022/02/28" [rule] author = ["Elastic"] description = """ -Identifies attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment +Identifies an attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment variable injection. Successful exploitation allows an unprivileged user to escalate to the root user. """ from = "now-9m" diff --git a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml index a4616df08..13613e533 100644 --- a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml +++ b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml 
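Review bot: `Multi-Factor authentication` in the new first sentence is inconsistently capitalized; the same term appears as `multi-factor authentication` in the AWS response bullets edited in this commit. Suggest `Detects when an attacker abuses the multi-factor authentication (MFA) mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification.` Naming the technique, e.g. appending `(often called MFA fatigue or push bombing)`, would also help analysts searching for it.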
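Review bot: `unsecure environment variable injection` in the new description should read `insecure`; `unsecure` is non-standard, and most write-ups of this CVE talk about insecure environment variables. Suggest `Identifies an attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via insecure environment variable injection.` The article fix (`an attempt`) is good.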
@@ -1,11 +1,14 @@ [metadata] creation_date = "2020/12/07" maturity = "production" -updated_date = "2022/01/25" +updated_date = "2022/02/28" [rule] author = ["Elastic"] -description = "Adversaries may create or modify launch daemons to repeatedly execute malicious payloads as part of persistence." +description = """ +Indicates the creation or modification of a launch daemon, which adversaries may use to repeatedly execute malicious +payloads as part of persistence. +""" false_positives = ["Trusted applications persisting via LaunchDaemons"] from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] diff --git a/rules/macos/persistence_folder_action_scripts_runtime.toml b/rules/macos/persistence_folder_action_scripts_runtime.toml index a6c19cdf5..87f257846 100644 --- a/rules/macos/persistence_folder_action_scripts_runtime.toml +++ b/rules/macos/persistence_folder_action_scripts_runtime.toml @@ -1,12 +1,12 @@ [metadata] creation_date = "2020/12/07" maturity = "production" -updated_date = "2022/01/25" +updated_date = "2022/02/28" [rule] author = ["Elastic"] description = """ -A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its +Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script. """ diff --git a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml index ad82885fc..b9b10e684 100644 --- a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml +++ b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml 
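Review bot: The new description opens with `Indicates the creation or modification of a launch daemon`, while every other description touched in this commit opens with `Identifies` or `Detects`; `Indicates` describes what the alert means rather than what the rule does. Suggest `Identifies the creation or modification of a launch daemon, which adversaries may use to repeatedly execute malicious payloads as part of persistence.` The switch to a multi-line string is fine.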
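Review bot: The added sentence `Detects modification of a Folder Action script.` is the only statement in this description about what the query matches, and the query is not in the hunk; the file name (`persistence_folder_action_scripts_runtime.toml`) suggests the rule keys on Folder Action execution rather than on script modification, so please check the sentence against the `query` field before merging. Separately, the first line of the string now runs well past the 120-column wrap the rest of the file uses; rewrap it so `window is opened, closed, moved, or resized.` continues on its own line as before.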
@@ -19,7 +19,7 @@ name = "Unexpected Child Process of macOS Screensaver Engine" note = """## Triage and analysis - Analyze the descendant processes of the ScreenSaverEngine process for malicious code and suspicious behavior such -as a download of a payload from a server +as a download of a payload from a server. - Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to identify whether the file is malicious or not. """ diff --git a/rules/ml/ml_rare_process_by_host_windows.toml b/rules/ml/ml_rare_process_by_host_windows.toml index 24cea4f49..ef6b07a7f 100644 --- a/rules/ml/ml_rare_process_by_host_windows.toml +++ b/rules/ml/ml_rare_process_by_host_windows.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/03/25" maturity = "production" -updated_date = "2021/09/13" +updated_date = "2022/02/28" [rule] anomaly_threshold = 50 @@ -41,7 +41,7 @@ uncover potential malware and suspicious behaviors. ### False Positive Analysis - Validate the unusual Windows process is not related to new benign software installation activity. If related to legitimate software, this can be done by leveraging the exception workflow in the Kibana Security App or Elasticsearch -API to tune this rule to your environment +API to tune this rule to your environment. - Try to understand the context of the execution by thinking about the user, machine, or business purpose. It's possible that a small number of endpoints such as servers that have very unique software that might appear to be unusual, but satisfy a specific business need. diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml index 916918b39..a534703cd 100644 --- a/rules/windows/collection_posh_audio_capture.toml +++ b/rules/windows/collection_posh_audio_capture.toml 
@@ -1,7 +1,7 @@ [metadata] creation_date = "2021/10/19" maturity = "production" -updated_date = "2022/02/16" +updated_date = "2022/02/28" [rule] author = ["Elastic"] @@ -40,8 +40,8 @@ computer. ### Response and Remediation -- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further -post-compromise behavior. +- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent +further post-compromise behavior. ## Config diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml index edcd15b7d..2f30f5420 100644 --- a/rules/windows/collection_posh_keylogger.toml +++ b/rules/windows/collection_posh_keylogger.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/10/15" maturity = "production" -updated_date = "2022/02/16" +updated_date = "2022/02/28" [rule] author = ["Elastic"] @@ -40,8 +40,8 @@ valuable information as credit card data and confidential conversations. ### Response and Remediation -- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further -post-compromise behavior. +- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent +further post-compromise behavior. ## Config diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml index 4b598e894..257c68504 100644 --- a/rules/windows/credential_access_dcsync_replication_rights.toml +++ b/rules/windows/credential_access_dcsync_replication_rights.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2022/02/08" maturity = "production" -updated_date = "2022/02/08" +updated_date = "2022/02/28" [rule] author = ["Elastic"] 
@@ -44,8 +44,8 @@ use computer accounts and also Azure AD Connect MSOL accounts (more details [her #### Possible investigation steps: -- Identify the account that performed the action -- Confirm whether the account owner is aware of the operation +- Identify the account that performed the action. +- Confirm whether the account owner is aware of the operation. - Investigate other alerts related to the user/host in the last 48 hours. - Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not. @@ -60,10 +60,10 @@ cracking attacks (Kerberoasting, brute force, etc.). ### Response and Remediation -- Initiate the incident response process based on the outcome of the triage -- In case of specific credentials were compromised: - - Reset the password for the accounts -- In case of the entire domain or the `krbtgt` user were compromised: +- Initiate the incident response process based on the outcome of the triage. +- If specific credentials were compromised: + - Reset the password for the accounts. +- If the entire domain or the `krbtgt` user were compromised: - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user. diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml index 6b11038b2..3536aa91d 100644 --- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml +++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml 
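Review bot: The remediation bullet `a password reset (twice) of the krbtgt user` should say the two resets must be spaced apart: resetting krbtgt twice in quick succession invalidates every outstanding Kerberos ticket, and the second reset should wait until the first has replicated to all DCs, at least the maximum ticket lifetime (10 hours by default). Suggest `a password reset (twice, with a wait of at least the maximum ticket lifetime between resets) of the krbtgt user`. Also, `If the entire domain or the krbtgt user were compromised` should read `was compromised`.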
@@ -1,13 +1,14 @@ [metadata] creation_date = "2021/03/18" maturity = "production" -updated_date = "2022/02/14" +updated_date = "2022/02/28" [rule] author = ["Elastic"] description = """ -Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting -the authentication credentials in clear text during user logon. +Identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon +provider module for persistence and/or credential access via intercepting the authentication credentials in clear text +during user logon. """ false_positives = ["Authorized third party network logon providers."] from = "now-9m" diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml index 7d64bfb03..74934ee76 100644 --- a/rules/windows/credential_access_posh_minidump.toml +++ b/rules/windows/credential_access_posh_minidump.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/10/05" maturity = "production" -updated_date = "2022/02/16" +updated_date = "2022/02/28" [rule] author = ["Elastic"] @@ -42,8 +42,8 @@ information stored in the process memory. ### Response and Remediation -- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further -post-compromise behavior. +- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent +further post-compromise behavior. ## Config diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml index a5cf5abc6..845f64d02 100644 --- a/rules/windows/credential_access_posh_request_ticket.toml +++ b/rules/windows/credential_access_posh_request_ticket.toml 
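Review bot: The new opening sentence `Identifies the modification of the network logon provider registry.` refers to a registry that does not exist as such; presumably the rule watches the registry keys under which network providers are registered (the query is outside the hunk). Suggest `Identifies modification of the registry keys that register network logon providers.` and keep the remainder of the description as rewritten.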
@@ -6,7 +6,7 @@ updated_date = "2021/01/24" [rule] author = ["Elastic"] description = """ -Detects PowerShell scripts that have the capability of requesting kerberos tickets, which is common step in +Detects PowerShell scripts that have the capability of requesting kerberos tickets, which is a common step in Kerberoasting toolkits to crack service accounts. """ from = "now-9m" diff --git a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml index 5d89d464d..f0b9bb07e 100644 --- a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml +++ b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml @@ -1,6 +1,6 @@ [metadata] creation_date = "2021/10/14" -updated_date = "2022/02/16" +updated_date = "2022/02/28" maturity = "production" min_stack_version = "7.14.0" min_stack_comments = "Cardinality field not added to threshold rule type until 7.14." @@ -10,7 +10,7 @@ min_stack_comments = "Cardinality field not added to threshold rule type until 7 author = ["Elastic"] description = """ Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed -by the same process and targeting two different instances of LSASS. This may indicate an attempt to evade detection and +by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access. """ from = "now-9m" diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml index faf9fb880..e2d3b86b7 100644 --- a/rules/windows/defense_evasion_amsienable_key_mod.toml +++ b/rules/windows/defense_evasion_amsienable_key_mod.toml 
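Review bot: This file's `updated_date` stays at `2021/01/24` (visible in the hunk header context) even though its description changes, while every other rule edited in this commit bumps `updated_date` to `2022/02/28`; add the metadata bump here too, since the repository's rule versioning presumably keys on it. In the same line, `kerberos` should be `Kerberos`, matching `Kerberoasting` on the next line.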
@@ -1,12 +1,12 @@ [metadata] creation_date = "2021/06/01" maturity = "production" -updated_date = "2022/02/07" +updated_date = "2022/02/28" [rule] author = ["Elastic"] description = """ -JScript tries to query the AmsiEnable registry key from the HKEY_USERS registry hive before initializing Antimalware +Identifies when JScript tries to query the AmsiEnable registry key from the HKEY_USERS registry hive before initializing Antimalware Scan Interface (AMSI). If this key is set to 0, AMSI is not enabled for the JScript process. An adversary can modify this key to disable AMSI protections. """ diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml index 096a708b4..2842cead1 100644 --- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml +++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/07/20" maturity = "production" -updated_date = "2021/12/03" +updated_date = "2022/02/28" [rule] author = ["Elastic"] @@ -32,8 +32,8 @@ to be legitimately allowlisted from Windows Defender? ### False Positive Analysis - This rule has a higher chance to produce false positives based on the nature around configuring exclusions by possibly -a network administrator. In order to validate the activity further, review the specific exclusion and based on its -intent. There are many legitimate reasons for exclusions, so it's important to gain context. +a network administrator. In order to validate the activity further, review the specific exclusion and its intent. There +are many legitimate reasons for exclusions, so it's important to gain context. ### Related Rules - Windows Defender Disabled via Registry Modification 
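Review bot: The new first line of the description, `Identifies when JScript tries to query the AmsiEnable registry key from the HKEY_USERS registry hive before initializing Antimalware`, now runs past the 120-column wrap that the rest of this string and the other rule files in this commit follow. Rewrap it, for example breaking after `HKEY_USERS registry hive before` so that `initializing Antimalware Scan Interface (AMSI).` starts the next line.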
@@ -41,10 +41,10 @@ intent. There are many legitimate reasons for exclusions, so it's important to g
 
 ### Response and Remediation
 - Since this is related to post-exploitation activity, take immediate action to review, investigate and
-potentially isolate further activity
+potentially isolate further activity.
 - If further analysis showed malicious intent was behind the Defender exclusions, administrators should remove
-the exclusion and ensure antimalware capability has not been disabled or deleted
-- Exclusion lists for antimalware capabilities should always be routinely monitored for review
+the exclusion and ensure antimalware capability has not been disabled or deleted.
+- Exclusion lists for antimalware capabilities should always be routinely monitored for review.
 """
 references = ["https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf"]
 risk_score = 47
diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
index 6792074ac..d050a83cd 100644
--- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml
+++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
@@ -6,7 +6,7 @@ updated_date = "2022/02/14"
 [rule]
 author = ["Austin Songer"]
 description = """
-Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper Microsoft
+Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft
 Defender features to evade detection and conceal malicious behavior.
 """
 false_positives = ["Legitimate Windows Defender configuration changes"]
diff --git a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
index c4a756bab..b080c36c0 100644
--- a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
+++ b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml @@ -6,7 +6,7 @@ updated_date = "2022/01/12" [rule] author = ["Elastic"] description = """ -Microsoft Office Products offers options for users and developers to control the security settings for running and using +Microsoft Office Products offer options for users and developers to control the security settings for running and using Macros. Adversaries may abuse these security settings to modify the default behavior of the Office Application to trust future macros and/or disable security warnings, which could increase their chances of establishing persistence. """ diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml index 31af43230..4614cdc82 100644 --- a/rules/windows/defense_evasion_posh_process_injection.toml +++ b/rules/windows/defense_evasion_posh_process_injection.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/10/14" maturity = "production" -updated_date = "2022/02/16" +updated_date = "2022/02/28" [rule] author = ["Elastic"] @@ -44,8 +44,8 @@ payloads directly into the memory, without touching the disk. ### Response and Remediation -- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further -post-compromise behavior. +- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent +further post-compromise behavior. ## Config diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml index 44c889227..6a8abe43c 100644 --- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml +++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml 
@@ -7,7 +7,7 @@ updated_date = "2022/02/16"
 [rule]
 author = ["Austin Songer"]
 description = """
-Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which attackers do to evade network
+Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which can help attackers evade network
 constraints, like internet and network lateral communication restrictions.
 """
 false_positives = [
diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml
index 9f4bff788..f8046ab1a 100644
--- a/rules/windows/discovery_adfind_command_activity.toml
+++ b/rules/windows/discovery_adfind_command_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/02/28"
 
 [rule]
 author = ["Elastic"]
@@ -29,16 +29,16 @@ observed where this tool has been adopted by ransomware and criminal groups and - `AdFind` is a legitimate Active Directory enumeration tool used by network administrators, it's important to understand the source of the activity. This could involve identifying the account using `AdFind` and determining based on the command-lines what information was retrieved, then further determining if these actions are in scope of that user's traditional responsibilities. -- In multiple public references, `AdFind` is leveraged after initial access is achieved, review previous activity on impacted -machine looking for suspicious indicators such as previous anti-virus/EDR alerts, phishing emails received, or network traffic +- In multiple public references, `AdFind` is leveraged after initial access is achieved. Review previous activity on impacted +machines for suspicious indicators such as previous anti-virus/EDR alerts, phishing emails received, or network traffic to suspicious infrastructure. ### False Positive Analysis -- This rule has the high chance to produce false positives as it is a legitimate tool used by network administrators. One +- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators. One option could be allowlisting specific users or groups who use the tool as part of their daily responsibilities. This can -be done by leveraging the exception workflow in the Kibana Security App or Elasticsearch API to tune this rule to your environment +be done by leveraging the exception workflow in the Kibana Security App or Elasticsearch API to tune this rule to your environment. - Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in -isolation, so reviewing previous logs/activity from impacted machines could be very telling. +isolation, so reviewing previous logs/activity from impacted machines can be very telling. 
### Related Rules - Windows Network Enumeration @@ -46,8 +46,8 @@ isolation, so reviewing previous logs/activity from impacted machines could be v - Enumeration Command Spawned via WMIPrvSE ### Response and Remediation -- take immediate action to validate activity, investigate and potentially isolate activity to prevent further -post-compromise behavior +- Take immediate action to validate activity, investigate and potentially isolate activity to prevent further +post-compromise behavior. - It's important to understand that `AdFind` is an Active Directory enumeration tool and can be used for malicious or legitimate purposes, so understanding the intent behind the activity will help determine the appropropriate response. """ diff --git a/rules/windows/discovery_net_command_system_account.toml b/rules/windows/discovery_net_command_system_account.toml index 1e8c80892..f47aef68c 100644 --- a/rules/windows/discovery_net_command_system_account.toml +++ b/rules/windows/discovery_net_command_system_account.toml @@ -1,13 +1,13 @@ [metadata] creation_date = "2020/03/18" maturity = "production" -updated_date = "2022/02/10" +updated_date = "2022/02/28" [rule] author = ["Elastic"] description = """ -Identifies the SYSTEM account using an account discovery utility. This could be a sign of discovery activity after an -adversary has achieved privilege escalation. +Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after +an adversary has achieved privilege escalation. """ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml index b1336bebf..eabfc07ce 100644 --- a/rules/windows/discovery_posh_suspicious_api_functions.toml +++ b/rules/windows/discovery_posh_suspicious_api_functions.toml 
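Review bot: The context line `legitimate purposes, so understanding the intent behind the activity will help determine the appropropriate response.` carries the typo `appropropriate`, one line below the bullet this punctuation pass rewrites; it should read `appropriate`. Since the whole note is being proofread in this commit, this is the natural place to catch it.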
@@ -1,7 +1,7 @@ [metadata] creation_date = "2021/10/13" maturity = "production" -updated_date = "2022/02/16" +updated_date = "2022/02/28" [rule] author = ["Elastic"] @@ -42,8 +42,8 @@ like PSReflect or Get-ProcAddress Cmdlet. ### Response and Remediation -- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further -post-compromise behavior. +- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent +further post-compromise behavior. ## Config diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml index 7f35483c8..2e72fec7f 100644 --- a/rules/windows/execution_posh_portable_executable.toml +++ b/rules/windows/execution_posh_portable_executable.toml @@ -1,14 +1,13 @@ [metadata] creation_date = "2021/10/15" maturity = "production" -updated_date = "2022/02/16" +updated_date = "2022/02/28" [rule] author = ["Elastic"] description = """ -Detects the presence of portable executables (PE) in a PowerShell script by looking for its encoded header. -Attackers embed PEs into PowerShell scripts for injecting them into the memory, avoiding defenses by not writing to -disk. +Detects the presence of a portable executable (PE) in a PowerShell script by looking for its encoded header. Attackers +embed PEs into PowerShell scripts to inject them into memory, avoiding defences by not writing to disk. """ from = "now-9m" index = ["winlogbeat-*", "logs-windows.*"] @@ -43,8 +42,8 @@ bypassing antivirus software. These executables are generally base64 encoded. ### Response and Remediation -- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further -post-compromise behavior. +- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent +further post-compromise behavior. ## Config 
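Review bot: The rewritten description of execution_posh_portable_executable uses the British spelling `defences` while the same file's note, rewritten in the hunk just below it, keeps American spelling (`post-compromise behavior`), as do the other rule descriptions in this commit. `embed PEs into PowerShell scripts to inject them into memory, avoiding defenses by not writing to disk.` keeps the file consistent.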
diff --git a/rules/windows/execution_posh_psreflect.toml b/rules/windows/execution_posh_psreflect.toml index eb43b5e6d..3712a9f45 100644 --- a/rules/windows/execution_posh_psreflect.toml +++ b/rules/windows/execution_posh_psreflect.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/10/15" maturity = "production" -updated_date = "2022/02/16" +updated_date = "2022/02/28" [rule] author = ["Elastic"] @@ -48,11 +48,11 @@ PowerShell, enabling the defender to discover tools being dropped in the environ - PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70 ### Response and Remediation -- Immediate response should be taken to validate activity, investigate, and potentially isolate activity to prevent further -post-compromise behavior. +- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent +further post-compromise behavior. ## Config -The 'PowerShell Script Block Logging' logging policy is required be configured (Enable). +The 'PowerShell Script Block Logging' logging policy must be configured (Enable). Steps to implement the logging policy with with Advanced Audit Configuration: ``` diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml index fd2abc55f..db0238b08 100644 --- a/rules/windows/lateral_movement_dcom_hta.toml +++ b/rules/windows/lateral_movement_dcom_hta.toml 
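Review bot: The context line `Steps to implement the logging policy with with Advanced Audit Configuration:` duplicates `with`, and since the line directly above it is being reworded in this hunk this is the place to fix it: `Steps to implement the logging policy with Advanced Audit Configuration:`. The same duplicated `with` is left on the equivalent context lines of the Config hunks in privilege_escalation_group_policy_iniscript, privilege_escalation_group_policy_privileged_groups and privilege_escalation_group_policy_scheduled_task below.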
@@ -1,14 +1,14 @@ [metadata] creation_date = "2020/11/03" maturity = "production" -updated_date = "2022/01/13" +updated_date = "2022/02/28" [rule] author = ["Elastic"] description = """ Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move -laterally while attempting to evading detection. +laterally while attempting to evade detection. """ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] diff --git a/rules/windows/lateral_movement_dns_server_overflow.toml b/rules/windows/lateral_movement_dns_server_overflow.toml index c299e4c86..b80d55709 100644 --- a/rules/windows/lateral_movement_dns_server_overflow.toml +++ b/rules/windows/lateral_movement_dns_server_overflow.toml @@ -1,12 +1,12 @@ [metadata] creation_date = "2020/07/16" maturity = "production" -updated_date = "2021/09/08" +updated_date = "2022/02/28" [rule] author = ["Elastic"] description = """ -Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers which result in +Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service. """ false_positives = [ 
@@ -36,7 +36,7 @@ the source of the incoming traffic and determine if this activity has been obser - Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment. #### False Positive Analysis -- Based on this rule which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes +- Based on this rule, which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes and related to legitimate behavior. In packet capture files received by the [SANS Internet Storm Center](https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/), byte responses were all observed as greater than 65k bytes. - This activity can be triggered by compliance/vulnerability scanning or compromise assessment, it's diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml index f1f85f460..dc983f744 100644 --- a/rules/windows/lateral_movement_powershell_remoting_target.toml +++ b/rules/windows/lateral_movement_powershell_remoting_target.toml @@ -1,12 +1,12 @@ [metadata] creation_date = "2020/11/24" maturity = "production" -updated_date = "2022/01/13" +updated_date = "2022/02/28" [rule] author = ["Elastic"] description = """ -Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows for running any Windows +Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement. """ false_positives = [ diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml index 12218b03b..b905fdec3 100644 
--- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
+++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/03/15"
 maturity = "production"
-updated_date = "2022/02/14"
+updated_date = "2022/02/28"
 
 [rule]
 author = ["Elastic"]
@@ -24,10 +24,10 @@ behavior may evade existing AV/EDR solutions. These programs may also run with h
 an attacker.
 
 #### Possible investigation steps:
-- Review the source process and related file tied to the Windows Registry entry
+- Review the source process and related file tied to the Windows Registry entry.
 - Validate the activity is not related to planned patches, updates, network administrator activity or legitimate software
-installations
-- Determine if activity is unique by validating if other machines in same organization have similar entry
+installations.
+- Determine if activity is unique by validating if other machines in same organization have similar entry.
 
 ### False Positive Analysis
 - There is a high possibility of benign legitimate programs being added to Shell folders. This activity could be based
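Review bot: The added bullet `- Determine if activity is unique by validating if other machines in same organization have similar entry.` only gains a period and still drops two articles; `- Determine if activity is unique by validating if other machines in the same organization have a similar entry.` reads correctly. The other added lines in this hunk are fine.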
@@ -40,9 +40,9 @@ investigation, it should be verified that this activity is not benign. ### Response and Remediation - Activity should first be validated as a true positive event if so then take immediate action to review, -investigate and potentially isolate activity to prevent further post-compromise behavior +investigate and potentially isolate activity to prevent further post-compromise behavior. - The respective binary or program tied to this persistence method should be further analyzed and reviewed to understand -its behavior and capabilities +its behavior and capabilities. - Since this activity is considered post-exploitation behavior, it's important to understand how the behavior was first initialized such as through a macro-enabled document that was attached in a phishing email. By understanding the source of the attack, this information can then be used to search for similar indicators on other machines in the same environment. diff --git a/rules/windows/persistence_local_scheduled_task_creation.toml b/rules/windows/persistence_local_scheduled_task_creation.toml index 16241b7de..ab8892600 100644 --- a/rules/windows/persistence_local_scheduled_task_creation.toml +++ b/rules/windows/persistence_local_scheduled_task_creation.toml @@ -1,11 +1,14 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2022/02/14" +updated_date = "2022/02/28" [rule] author = ["Elastic"] -description = "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges." +description = """ +Indicates the creation of a scheduled task. Adversaries can use these to establish persistence, move laterally, and/or +escalate privileges. +""" false_positives = ["Legitimate scheduled tasks may be created during installation of new software."] from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] 
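Review bot: The context line `- Activity should first be validated as a true positive event if so then take immediate action to review,` is a run-on that this hunk leaves untouched while adding a period to its continuation line; `- Activity should first be validated as a true positive event; if so, take immediate action to review,` would complete the punctuation pass. The bullet continues onto the rewritten line below it within the hunk.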
diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml
index 43c4562bb..9526b40b4 100644
--- a/rules/windows/persistence_registry_uncommon.toml
+++ b/rules/windows/persistence_registry_uncommon.toml
@@ -1,12 +1,12 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/02/14"
+updated_date = "2022/02/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects changes to registry persistence keys that are uncommonly used or modified by legitimate programs. This could be
+Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be
 an indication of an adversary's attempt to persist in a stealthy manner.
 """
 from = "now-9m"
diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml
index d30a80489..09aa535f6 100644
--- a/rules/windows/persistence_time_provider_mod.toml
+++ b/rules/windows/persistence_time_provider_mod.toml
@@ -1,16 +1,15 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2022/02/14"
+updated_date = "2022/02/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Windows operating systems are utilizing the time provider architecture in order to obtain accurate time stamps from
-other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides
-in System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll. Adversaries may
-abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time
-provider.
+Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a
+malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other
+network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the
+System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml
index e6f6346c3..c212a508d 100644
--- a/rules/windows/privilege_escalation_group_policy_iniscript.toml
+++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/11/08"
 maturity = "production"
-updated_date = "2022/02/16"
+updated_date = "2022/02/28"
 
 [rule]
 author = ["Elastic"]
@@ -35,12 +35,12 @@ and the administrator is authorized to perform this operation.
 - Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e
 
 ### Response and Remediation
-- Immediate response should be taken to validate activity, investigate, and potentially isolate activity to prevent further
-post-compromise behavior.
+- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent
+further post-compromise behavior.
 
 ## Config
 
-The 'Audit Detailed File Share' audit policy is required be configured (Success Failure).
+The 'Audit Detailed File Share' audit policy must be configured (Success Failure).
 Steps to implement the logging policy with with Advanced Audit Configuration:
 ```
 Computer Configuration >
@@ -53,7 +53,7 @@ Object Access >
 Audit Detailed File Share (Success,Failure)
 ```
 
-The 'Audit Directory Service Changes' audit policy is required be configured (Success Failure).
+The 'Audit Directory Service Changes' audit policy must be configured (Success Failure).
 Steps to implement the logging policy with with Advanced Audit Configuration:
 ```
 Computer Configuration >
diff --git a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
index 43387db0e..1e320ad35 100644
--- a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
+++ b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/11/08"
 maturity = "production"
-updated_date = "2022/02/16"
+updated_date = "2022/02/28"
 
 [rule]
 author = ["Elastic"]
@@ -27,11 +27,11 @@ Example Path: "\\\\DC.com\\SysVol\\DC.com\\Policies\\{21B9B880-B2FB-4836-9C2D-20
 is legitimate and the administrator is authorized to perform this operation.
 - Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially
 dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.
-- Inspect the user SIDs associated with these privileges
+- Inspect the user SIDs associated with these privileges.
 
 ### False Positive Analysis
-- Verify if these User SIDs should have these privileges enabled.
-- Inspect whether the user that has done these modifications should be allowed to do it. The user name can be found in the
+- Verify if the User SIDs should have these privileges.
+- Inspect whether the user that has done the modifications should be allowed to. The user name can be found in the
 `winlog.event_data.SubjectUserName` field.
 
 ### Related Rules
@@ -39,12 +39,12 @@ dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelega
 - Startup/Logon Script added to Group Policy Object
 
 ### Response and Remediation
-- Immediate response should be taken to validate activity, investigate, and potentially isolate activity to prevent further
-post-compromise behavior.
+- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent
+further post-compromise behavior.
 
 ## Config
 
-The 'Audit Directory Service Changes' audit policy is required be configured (Success Failure).
+The 'Audit Directory Service Changes' audit policy must be configured (Success Failure).
 Steps to implement the logging policy with with Advanced Audit Configuration:
 ```
 Computer Configuration >
diff --git a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
index 3ba801ada..68b386811 100644
--- a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
+++ b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/11/08"
 maturity = "production"
-updated_date = "2022/02/16"
+updated_date = "2022/02/28"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ file.
 #### Possible investigation steps:
 - This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity
 is legitimate and the administrator is authorized to perform this operation.
-- Retrieve the contents of the `ScheduledTasks.xml` file, ánd check the `` and `` XML tags for any
+- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any
 potentially malicious commands and binaries.
 - If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.
 
@@ -35,12 +35,12 @@ potentially malicious commands and binaries.
 - Startup/Logon Script added to Group Policy Object
 
 ### Response and Remediation
-- Immediate response should be taken to validate activity, investigate, and potentially isolate activity to prevent further
-post-compromise behavior.
+- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent
+further post-compromise behavior.
 
 ## Config
 
-The 'Audit Detailed File Share' audit policy is required be configured (Success Failure).
+The 'Audit Detailed File Share' audit policy must be configured (Success Failure).
 Steps to implement the logging policy with with Advanced Audit Configuration:
 ```
 Computer Configuration
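Review bot: The corrected bullet still shows the two XML tag names as empty backtick pairs, `and check the `` and `` XML tags for any`, so as written it tells the analyst nothing about which elements of `ScheduledTasks.xml` to inspect. This may be the tag names being stripped when the diff was rendered rather than the file's actual content, which I can't tell from here; if the file really has empty backticks, the tag names should be restored between them in the same commit that fixes the `ánd` typo.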
> @@ -53,7 +53,7 @@ Object Access > Audit Detailed File Share (Success,Failure) ``` -The 'Audit Directory Service Changes' audit policy is required be configured (Success Failure). +The 'Audit Directory Service Changes' audit policy must be configured (Success Failure). Steps to implement the logging policy with with Advanced Audit Configuration: ``` Computer Configuration > diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml index bb6cfd6b8..a23ac9530 100644 --- a/rules/windows/privilege_escalation_installertakeover.toml +++ b/rules/windows/privilege_escalation_installertakeover.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/11/25" maturity = "production" -updated_date = "2022/02/16" +updated_date = "2022/02/28" [rule] author = ["Elastic"] @@ -40,8 +40,8 @@ to the location to escalate privileges. An attacker is able to still take over a ### Response and Remediation -- Immediate response should be taken to validate activity, investigate, and potentially isolate activity to prevent further -post-compromise behavior. +- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent +further post-compromise behavior. """ references = [ "https://github.com/klinix5/InstallerFileTakeOver"