diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml index adf029f66..a0421c6f4 100644 --- a/rules/cross-platform/impact_hosts_file_modified.toml +++ b/rules/cross-platform/impact_hosts_file_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/07" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/07/07" +updated_date = "2020/09/30" [rule] author = ["Elastic"] @@ -12,6 +12,7 @@ point of lookup for DNS hostname resolution so if adversaries can modify the end to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems. """ +from = "now-9m" index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" @@ -41,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1492/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/linux/linux_mknod_activity.toml b/rules/linux/linux_mknod_activity.toml index 9fbcaf82d..c557682dd 100644 --- a/rules/linux/linux_mknod_activity.toml +++ b/rules/linux/linux_mknod_activity.toml @@ -21,7 +21,9 @@ index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Mknod Process Activity" -references = ["https://web.archive.org/web/20191218024607/https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem/"] +references = [ + "https://web.archive.org/web/20191218024607/https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem/", +] risk_score = 21 rule_id = "61c31c14-507f-4627-8c31-072556b89a9c" severity = "low" diff --git a/rules/macos/credential_access_kerberosdump_kcc.toml b/rules/macos/credential_access_kerberosdump_kcc.toml index fd6aa6a54..1e88b3843 100644 --- a/rules/macos/credential_access_kerberosdump_kcc.toml +++ b/rules/macos/credential_access_kerberosdump_kcc.toml 
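Review bot: The added `from = "now-9m"` in the hosts-file hunk fixes the lookback window but nothing in the file states the schedule it is paired with, so the overlap it is meant to provide is implicit; with Kibana's default 5-minute rule interval that is a 4-minute margin for ingestion lag, and an operator who later lengthens the interval without touching `from` would silently turn the overlap into a gap. Since the file already carries the scheduling key, consider writing the schedule beside it, `interval = "5m"`, so the pairing is visible where it is read. The GPO and Update Orchestrator hunks further down show `from = "now-9m"` already present as context without a visible interval line, so this looks like the repository's convention and the point is about making it explicit rather than changing the value. The same applies to every other hunk in this diff that adds `from = "now-9m"` (the macOS, Windows credential-access, defense-evasion, execution, persistence and privilege-escalation rules). The [rule] table in each of those files continues outside the hunk.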
@@ -2,11 +2,12 @@ creation_date = "2020/08/14" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/08/14" +updated_date = "2020/09/30" [rule] author = ["Elastic"] description = "Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets." +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" @@ -40,3 +41,4 @@ reference = "https://attack.mitre.org/techniques/T1003/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/macos/exfiltration_compress_credentials_keychains.toml b/rules/macos/exfiltration_compress_credentials_keychains.toml index 143503dd9..3d59f4139 100644 --- a/rules/macos/exfiltration_compress_credentials_keychains.toml +++ b/rules/macos/exfiltration_compress_credentials_keychains.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/08/14" +updated_date = "2020/09/30" [rule] author = ["Elastic"] @@ -11,6 +11,7 @@ Adversaries may collect the keychain storage data from a system to acquire crede for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. """ +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" @@ -41,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1142/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml index ce74ee45a..3bdf4f275 100644 --- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml +++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml 
@@ -2,11 +2,12 @@
 creation_date = "2020/08/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/18"
+updated_date = "2020/09/30"
 
 [rule]
 author = ["Elastic"]
 description = "Detects use of the systemsetup command to enable remote SSH Login."
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
index 4e905c432..fe1559bd5 100644
--- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
+++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
@@ -2,11 +2,12 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/02"
+updated_date = "2020/09/30"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session."
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
index 85a763f45..cd92ddf23 100644
--- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
+++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
@@ -44,3 +44,4 @@ reference = "https://attack.mitre.org/techniques/T1145/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
index 1aacc7038..d134e5045 100644
--- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
+++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
@@ -2,7 +2,7 @@ creation_date = "2020/08/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/08/18" +updated_date = "2020/09/30" [rule] author = ["Elastic"] @@ -10,6 +10,7 @@ description = """ Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "lucene" license = "Elastic License" diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml index a0d544d81..bba38ad96 100644 --- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml +++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml @@ -46,3 +46,4 @@ reference = "https://attack.mitre.org/techniques/T1003/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml index 972c265ea..3653d2e88 100644 --- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml +++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml @@ -2,11 +2,12 @@ creation_date = "2020/08/31" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/08/31" +updated_date = "2020/09/30" [rule] author = ["Elastic"] description = "Identifies the password log file from the default Mimikatz memssp module." +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_code_injection_conhost.toml b/rules/windows/defense_evasion_code_injection_conhost.toml index 522b09a72..3af98dcdc 100644 
--- a/rules/windows/defense_evasion_code_injection_conhost.toml +++ b/rules/windows/defense_evasion_code_injection_conhost.toml @@ -2,11 +2,12 @@ creation_date = "2020/08/31" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/08/31" +updated_date = "2020/09/30" [rule] author = ["Elastic"] description = "Identifies a suspicious Conhost child process which may be an indication of code injection activity." +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_execution_suspicious_psexesvc.toml b/rules/windows/defense_evasion_execution_suspicious_psexesvc.toml index 3fe7ca476..4fd15d2e3 100644 --- a/rules/windows/defense_evasion_execution_suspicious_psexesvc.toml +++ b/rules/windows/defense_evasion_execution_suspicious_psexesvc.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/08/14" +updated_date = "2020/09/30" [rule] author = ["Elastic"] @@ -10,6 +10,7 @@ description = """ Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml index bcee66a04..d452ec673 100644 --- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml +++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml @@ -42,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1070/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + 
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml index 4bd506ccf..fb5b0b940 100644 --- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml +++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/24" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/08/24" +updated_date = "2020/09/30" [rule] author = ["Elastic"] @@ -10,6 +10,7 @@ description = """ A suspicious Elastic endpoint agent parent process was detected. This may indicate a process hollowing or other form of code injection. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml index f3995fc1f..f80a940aa 100644 --- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml +++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/09/01" +updated_date = "2020/09/30" [rule] author = ["Elastic"] @@ -10,6 +10,7 @@ description = """ Identifies a suspicious AutoIt process execution. Malware written as AutoIt scripts tend to rename the AutoIt executable to avoid detection. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "lucene" license = "Elastic License" diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml index b4e16e82c..ce6c6c729 100644 --- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml +++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml 
@@ -2,7 +2,7 @@
 creation_date = "2020/08/24"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/24"
+updated_date = "2020/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -11,6 +11,7 @@ A suspicious WerFault child process was detected, which may indicate an attempt
 such as command line, network connections, file writes and parent process details as well.
 """
 false_positives = ["Custom Windows Error Reporting Debugger"]
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml
index 38d4d16e1..893536086 100644
--- a/rules/windows/defense_evasion_masquerading_werfault.toml
+++ b/rules/windows/defense_evasion_masquerading_werfault.toml
@@ -2,12 +2,13 @@
 creation_date = "2020/08/24"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/24"
+updated_date = "2020/09/30"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies a suspicious WerFault command line parameter, which may indicate an attempt to run unnoticed."
 false_positives = ["Legit Application Crash with rare Werfault commandline value"]
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
index 9bc01c35d..2463d6f42 100644
--- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
+++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/21"
+updated_date = "2020/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -10,6 +10,7 @@ description = """ Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml index 9a546a8c4..84c47635c 100644 --- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml +++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml @@ -60,3 +60,4 @@ reference = "https://attack.mitre.org/techniques/T1055/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml index bf7838144..105a04702 100644 --- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml +++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/19" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/08/19" +updated_date = "2020/09/30" [rule] author = ["Elastic"] @@ -10,6 +10,7 @@ description = """ Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml index de03f9ccf..8fc242b32 100644 --- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml 
+++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
@@ -2,11 +2,12 @@
 creation_date = "2020/08/19"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/19"
+updated_date = "2020/09/30"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection."
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml
index 9c1c54587..d6a45b19d 100644
--- a/rules/windows/execution_command_shell_started_by_unusual_process.toml
+++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml
@@ -2,11 +2,12 @@
 creation_date = "2020/08/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/21"
+updated_date = "2020/09/30"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process."
+from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
@@ -38,3 +39,4 @@ reference = "https://attack.mitre.org/techniques/T1059/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml b/rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml
index abd50c443..96c223d85 100644
--- a/rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml
+++ b/rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml
@@ -2,11 +2,12 @@ creation_date = "2020/08/21" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/08/21" +updated_date = "2020/09/30" [rule] author = ["Elastic"] description = "Identifies suspicious .NET code execution. connections." +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml index 3f6daa621..7809cf368 100644 --- a/rules/windows/execution_via_hidden_shell_conhost.toml +++ b/rules/windows/execution_via_hidden_shell_conhost.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/17" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/08/17" +updated_date = "2020/09/30" [rule] author = ["Elastic"] @@ -10,6 +10,7 @@ description = """ Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml index 119765071..4a8b6a760 100644 --- a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml +++ b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/08/14" +updated_date = "2020/09/30" [rule] author = ["Elastic"] 
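Review bot: The .NET compiler hunk bumps `updated_date` and adds `from` around a description that still reads `Identifies suspicious .NET code execution. connections.` on its context line; the trailing `connections.` looks like a fragment left over from an earlier edit and is the only documentation an analyst sees for this rule in the alert. Since the hunk already rewrites the rule's metadata, it is the natural place to drop the dangling word, `description = "Identifies suspicious .NET code execution."`, or to restore whatever sentence it belonged to. The [rule] table continues outside the hunk.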
@@ -10,6 +10,7 @@ description = """ Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/lateral_movement_gpo_schtask_service_creation.toml b/rules/windows/lateral_movement_gpo_schtask_service_creation.toml index e443bd60e..0616815c3 100644 --- a/rules/windows/lateral_movement_gpo_schtask_service_creation.toml +++ b/rules/windows/lateral_movement_gpo_schtask_service_creation.toml @@ -7,9 +7,9 @@ updated_date = "2020/08/13" [rule] author = ["Elastic"] description = """ -Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system -administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all -or a subset of the domain joined machines. +Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for +legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a +malicious payload remotely on all or a subset of the domain joined machines. """ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] @@ -54,3 +54,4 @@ reference = "https://attack.mitre.org/techniques/T1021/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml index 43be6ec8d..b3917f659 100644 --- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml 
+++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/17" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/08/17" +updated_date = "2020/09/30" [rule] author = ["Elastic"] @@ -10,6 +10,7 @@ description = """ Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml index 6c3dc345f..197dc56bd 100644 --- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml +++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml @@ -7,8 +7,8 @@ updated_date = "2020/08/17" [rule] author = ["Elastic"] description = """ -Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of -SYSTEM. +Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity +level of SYSTEM. """ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] @@ -42,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1050/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml index 0f22d05d3..a310345ad 100644 --- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml +++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/08/14" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/08/14" +updated_date = "2020/09/30" [rule] author = ["Elastic"] @@ -11,6 +11,7 @@ Detects attempts to exploit privilege escalation vulnerabilities related to the information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" @@ -45,3 +46,4 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml index 0550d3e71..86e89b952 100644 --- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml +++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/08/14" +updated_date = "2020/09/30" [rule] author = ["Elastic"] @@ -10,6 +10,7 @@ description = """ Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337. . """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" @@ -42,3 +43,4 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml index afb59897d..098592884 100644 --- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml 
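Review bot: The Print Spooler SPL-file hunk that adds `from = "now-9m"` leaves the description's last context line ending `including CVE-2020-1048 and CVE-2020-1337. .`, a stray second period that this commit does not clean up while it bumps the file's `updated_date`. The line should end `... CVE-2020-1048 and CVE-2020-1337.`; the surrounding multi-line string and the rest of the [rule] table continue outside the hunk. The same file's other two hunks (date bump, trailing newline) need nothing further.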
+++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/08/18" +updated_date = "2020/09/30" [rule] author = ["Elastic"] @@ -10,6 +10,7 @@ description = """ Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License"