From 25ad765acbc26e642f580d2ebf0cd3e1cf2425eb Mon Sep 17 00:00:00 2001 
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Thu, 8 Aug 2024 12:02:23 -0300 Subject: [PATCH] [Rule Tuning] Include winlogbeat index in sysmon-related rules (#3966) --- rules/windows/credential_access_kirbi_file.toml | 4 ++-- ...ccess_persistence_network_logon_provider_modification.toml | 4 ++-- .../defense_evasion_defender_disabled_via_registry.toml | 4 ++-- .../defense_evasion_hide_encoded_executable_registry.toml | 4 ++-- ...efense_evasion_reg_disable_enableglobalqueryblocklist.toml | 4 ++-- rules/windows/defense_evasion_sip_provider_mod.toml | 4 ++-- rules/windows/defense_evasion_suspicious_scrobj_load.toml | 4 ++-- ...t_defense_evasion_lanman_nullsessionpipe_modification.toml | 4 ++-- rules/windows/lateral_movement_via_wsus_update.toml | 4 ++-- .../windows/persistence_evasion_registry_ifeo_injection.toml | 4 ++-- ...stence_evasion_registry_startup_shell_folder_modified.toml | 4 ++-- rules/windows/persistence_registry_uncommon.toml | 4 ++-- rules/windows/persistence_services_registry.toml | 4 ++-- .../persistence_suspicious_service_created_registry.toml | 4 ++-- rules/windows/persistence_time_provider_mod.toml | 4 ++-- .../privilege_escalation_dns_serverlevelplugindll.toml | 4 ++-- rules/windows/privilege_escalation_exploit_cve_202238028.toml | 4 ++-- .../privilege_escalation_printspooler_registry_copyfiles.toml | 4 ++-- .../privilege_escalation_reg_service_imagepath_mod.toml | 4 ++-- .../privilege_escalation_rogue_windir_environment_var.toml | 4 ++-- .../collection_files_staged_in_recycle_bin_root.toml | 4 ++-- rules_building_block/collection_outlook_email_archive.toml | 4 ++-- .../command_and_control_bitsadmin_activity.toml | 4 ++-- .../credential_access_win_private_key_access.toml | 4 ++-- .../defense_evasion_cmd_copy_binary_contents.toml | 4 ++-- rules_building_block/defense_evasion_cmstp_execution.toml | 4 ++-- .../defense_evasion_service_path_registry.toml | 4 ++-- rules_building_block/defense_evasion_services_exe_path.toml | 4 ++-- 
.../execution_settingcontent_ms_file_creation.toml | 4 ++-- rules_building_block/lateral_movement_wmic_remote.toml | 4 ++-- 30 files changed, 60 insertions(+), 60 deletions(-) diff --git a/rules/windows/credential_access_kirbi_file.toml b/rules/windows/credential_access_kirbi_file.toml index c98f6321b..7c001c891 100644 --- a/rules/windows/credential_access_kirbi_file.toml +++ b/rules/windows/credential_access_kirbi_file.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defende maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2024/06/25" +updated_date = "2024/08/07" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as P attacker to impersonate users using Kerberos tickets. """ from = "now-9m" -index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] +index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Kirbi File Creation" diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml index 0be017dcd..89223e855 100644 --- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml +++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/18" integration = ["endpoint"] maturity = "production" -updated_date = "2024/08/05" +updated_date = "2024/08/07" [transform] [[transform.osquery]] 
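Review bot: `winlogbeat-*` is appended to `index` on a rule with `language = "eql"` (two lines below the change) without the `setup` guidance the repository normally carries for EQL rules that read Beats indices — that stack versions before 8.2 do not populate `event.ingested` on Beats documents, so a custom ingest pipeline is needed for the rule's timestamp fallback — and, unless that guidance has been retired, the paragraph (too long to quote here) belongs in each touched rule. The same omission applies to the `index` hunk of every other file in this patch, so one pass over all 30 files would cover it. Note also that `winlogbeat-*` matches every channel Winlogbeat ships, not only the Sysmon operational log, so the `event.category`/`event.code` constraints in each query body (outside these hunks) are what keep non-Sysmon documents from matching and what decide the added query cost — worth confirming per rule rather than assuming, especially for the building-block rules that scan `now-119m` every `60m`. Separately, the metadata hunks of several of these rules still show `integration = ["endpoint"]` (e.g. credential_access_persistence_network_logon_provider_modification.toml, defense_evasion_sip_provider_mod.toml) although they already read `logs-windows.sysmon_operational-*`; writing `integration = ["endpoint", "windows"]` there, as defense_evasion_suspicious_scrobj_load.toml does, would keep the related-integrations metadata aligned with the data sources.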
@@ -39,7 +39,7 @@ during user logon. """ false_positives = ["Authorized third party network logon providers."] from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"] +index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Network Logon Provider Registry Modification" diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml index 2652c213c..59f36e682 100644 --- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/23" integration = ["endpoint"] maturity = "production" -updated_date = "2024/08/05" +updated_date = "2024/08/07" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ Identifies modifications to the Windows Defender registry settings to disable th started manually. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"] +index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Windows Defender Disabled via Registry Modification" diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml index e317785ad..b36b861ed 100644 --- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml +++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2024/06/11" +updated_date = "2024/08/07" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Identifies registry write modifications to hide an encoded portable executable. defense evasion by avoiding the storing of malicious content directly on disk. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Encoded Executable Stored in the Registry" diff --git a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml index c9f6d6411..41f26de34 100644 --- a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml +++ b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/31" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/08/05" +updated_date = "2024/08/07" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ modify or disable the GQBL, allowing exploitation of hosts running WPAD with def and lateral movement. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*"] +index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "DNS Global Query Block List Modified or Disabled" 
diff --git a/rules/windows/defense_evasion_sip_provider_mod.toml b/rules/windows/defense_evasion_sip_provider_mod.toml index 393f00420..7c33e64c8 100644 --- a/rules/windows/defense_evasion_sip_provider_mod.toml +++ b/rules/windows/defense_evasion_sip_provider_mod.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/20" integration = ["endpoint"] maturity = "production" -updated_date = "2024/08/05" +updated_date = "2024/08/07" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Windows cryptographic system to validate file signatures on the system. This may validation checks or inject code into critical processes. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"] +index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "SIP Provider Modification" diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml index 1011838ee..7030bbad0 100644 --- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml +++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/08/07" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ Identifies scrobj.dll loaded into unusual Microsoft processes. This usually mean executed in the target process. """ from = "now-9m" -index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"] +index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Suspicious Script Object Execution" 
diff --git a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml index 69077226a..c46346d8b 100644 --- a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml +++ b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/22" integration = ["endpoint"] maturity = "production" -updated_date = "2024/08/05" +updated_date = "2024/08/07" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ Identifies NullSessionPipe registry modifications that specify which pipes can b indicative of adversary lateral movement preparation by making the added pipe available to everyone. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"] +index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "NullSessionPipe Registry Modification" diff --git a/rules/windows/lateral_movement_via_wsus_update.toml b/rules/windows/lateral_movement_via_wsus_update.toml index 5e307ca7c..053c49868 100644 --- a/rules/windows/lateral_movement_via_wsus_update.toml +++ b/rules/windows/lateral_movement_via_wsus_update.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system","sentinel_one_cloud_funnel", "m36 maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for Sentinel One Cloud Funnel Integration" min_stack_version = "8.13.0" -updated_date = "2024/08/06" +updated_date = "2024/08/07" [rule] author = ["Elastic"] 
@@ -14,7 +14,7 @@ WSUS is limited to executing Microsoft signed binaries, which limits the executa by Microsoft. """ from = "now-9m" -index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-system.security-*"] +index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-system.security-*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Potential WSUS Abuse for Lateral Movement" diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml index d36eb1419..6dc825a60 100644 --- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml +++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["endpoint"] maturity = "production" -updated_date = "2024/08/05" +updated_date = "2024/08/07" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ The Debugger and SilentProcessExit registry keys can allow an adversary to inter different process to be executed. This functionality can be abused by an adversary to establish persistence. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"] +index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Image File Execution Options Injection" diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml index 219784033..b146663bf 100644 --- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml 
+++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/15" integration = ["endpoint"] maturity = "production" -updated_date = "2024/08/05" +updated_date = "2024/08/07" [transform] [[transform.osquery]] @@ -37,7 +37,7 @@ Identifies suspicious startup shell folder modifications to change the default S detections monitoring file creation in the Windows Startup folder. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"] +index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Suspicious Startup Shell Folder Modification" diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml index 0bb258553..56454aa68 100644 --- a/rules/windows/persistence_registry_uncommon.toml +++ b/rules/windows/persistence_registry_uncommon.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint"] maturity = "production" -updated_date = "2024/08/05" +updated_date = "2024/08/07" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ Detects changes to registry persistence keys that are not commonly used or modif be an indication of an adversary's attempt to persist in a stealthy manner. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*"] +index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Uncommon Registry Persistence Change" diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml index f9ba4f476..d74b56087 100644 --- a/rules/windows/persistence_services_registry.toml +++ b/rules/windows/persistence_services_registry.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint"] maturity = "production" -updated_date = "2024/08/05" +updated_date = "2024/08/07" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ could be an indication of an adversary attempting to stealthily persist through modification of an existing service. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"] +index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Unusual Persistence via Services Registry" diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml index 8e3f777f2..06fc55196 100644 --- a/rules/windows/persistence_suspicious_service_created_registry.toml +++ b/rules/windows/persistence_suspicious_service_created_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint"] maturity = "production" -updated_date = "2024/08/05" +updated_date = "2024/08/07" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ Identifies the creation of a suspicious ImagePath value. This could be an indica stealthily persist or escalate privileges through abnormal service creation. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"] +index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Suspicious ImagePath Service Creation" diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml index 171069fa7..a68e767e5 100644 --- a/rules/windows/persistence_time_provider_mod.toml +++ b/rules/windows/persistence_time_provider_mod.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint"] maturity = "production" -updated_date = "2024/08/05" +updated_date = "2024/08/07" [transform] [[transform.osquery]] @@ -39,7 +39,7 @@ network devices or clients in the network. Time providers are implemented in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"] +index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Potential Persistence via Time Provider Modification" diff --git a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml index 20aa16f0d..1c637ae95 100644 --- a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml +++ b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/29" +updated_date = "2024/08/07" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ Identifies unusual DLLs loaded by the DNS Server process, potentially indicating functionality. This can lead to privilege escalation and remote code execution with SYSTEM privileges. """ from = "now-9m" -index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"] +index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Unsigned DLL loaded by DNS Service" diff --git a/rules/windows/privilege_escalation_exploit_cve_202238028.toml b/rules/windows/privilege_escalation_exploit_cve_202238028.toml index d73ec6d3b..15a5bb09a 100644 --- a/rules/windows/privilege_escalation_exploit_cve_202238028.toml 
+++ b/rules/windows/privilege_escalation_exploit_cve_202238028.toml @@ -2,13 +2,13 @@ creation_date = "2024/04/23" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/08/07" [rule] author = ["Elastic"] description = "Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.\n" from = "now-9m" -index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"] +index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Potential privilege escalation via CVE-2022-38028" diff --git a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml index 03ba85956..5d36aec1f 100644 --- a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml +++ b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/08/07" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Exploitation involves chaining multiple primitives to load an arbitrary DLL into SYSTEM. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"] +index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Suspicious Print Spooler Point and Print DLL" diff --git a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml index 71f91b041..67d05be06 100644 --- a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml 
+++ b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/05" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/06/05" +updated_date = "2024/08/07" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ privileges from groups like Server Operators may change the ImagePath of service to execute commands. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*"] +index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Potential Privilege Escalation via Service ImagePath Modification" diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml index 4c0274f61..a6db1dcd9 100644 --- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml +++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/08/05" +updated_date = "2024/08/07" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ Identifies a privilege escalation attempt via a rogue Windows directory (Windir) primitive that is often combined with other vulnerabilities to elevate privileges. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"] +index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Privilege Escalation via Windir Environment Variable" diff --git a/rules_building_block/collection_files_staged_in_recycle_bin_root.toml b/rules_building_block/collection_files_staged_in_recycle_bin_root.toml index 4e5cfbd7f..07b1b1b56 100644 
--- a/rules_building_block/collection_files_staged_in_recycle_bin_root.toml +++ b/rules_building_block/collection_files_staged_in_recycle_bin_root.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/06/27" +updated_date = "2024/08/07" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Identifies files written to the root of the Recycle Bin folder instead of subdir the root of the Recycle Bin in preparation for exfiltration or to evade defenses. """ from = "now-119m" -index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"] +index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "winlogbeat-*"] interval = "60m" language = "eql" license = "Elastic License v2" diff --git a/rules_building_block/collection_outlook_email_archive.toml b/rules_building_block/collection_outlook_email_archive.toml index 0174d4726..8d831a61c 100644 --- a/rules_building_block/collection_outlook_email_archive.toml +++ b/rules_building_block/collection_outlook_email_archive.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/06/27" +updated_date = "2024/08/07" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Identifies commands containing references to Outlook data files extensions, whic access, or modification of these files. """ from = "now-119m" -index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*"] +index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"] interval = "60m" language = "eql" license = "Elastic License v2" diff --git a/rules_building_block/command_and_control_bitsadmin_activity.toml b/rules_building_block/command_and_control_bitsadmin_activity.toml index 0b4b571cd..87f0a8e8a 100644 
--- a/rules_building_block/command_and_control_bitsadmin_activity.toml +++ b/rules_building_block/command_and_control_bitsadmin_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/06/27" +updated_date = "2024/08/07" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, async Adversaries may abuse BITS to persist, download, execute, and even clean up after running malicious code. """ from = "now-119m" -index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*"] +index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"] interval = "60m" language = "eql" license = "Elastic License v2" diff --git a/rules_building_block/credential_access_win_private_key_access.toml b/rules_building_block/credential_access_win_private_key_access.toml index dfa2a34ec..99622acbd 100644 --- a/rules_building_block/credential_access_win_private_key_access.toml +++ b/rules_building_block/credential_access_win_private_key_access.toml @@ -2,14 +2,14 @@ creation_date = "2023/08/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/06/27" +updated_date = "2024/08/07" [rule] author = ["Elastic"] building_block_type = "default" description = "Attackers may try to access private keys, e.g. ssh, in order to gain further authenticated access to the environment.\n" from = "now-119m" -index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*"] +index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"] interval = "60m" language = "eql" license = "Elastic License v2" 
diff --git a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml index 67ef9faf7..8184313e7 100644 --- a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml +++ b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml @@ -2,14 +2,14 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -updated_date = "2024/06/27" +updated_date = "2024/08/07" [rule] author = ["Elastic"] building_block_type = "default" description = "Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload.\n" from = "now-119m" -index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*"] +index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"] interval = "60m" language = "eql" license = "Elastic License v2" diff --git a/rules_building_block/defense_evasion_cmstp_execution.toml b/rules_building_block/defense_evasion_cmstp_execution.toml index 9b97d4ce0..8b3e705a3 100644 --- a/rules_building_block/defense_evasion_cmstp_execution.toml +++ b/rules_building_block/defense_evasion_cmstp_execution.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/06/27" +updated_date = "2024/08/07" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ service profiles, which accept installation information file (INF) files. Advers execution of malicious code by supplying INF files that contain malicious commands. """ from = "now-119m" -index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*"] +index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"] interval = "60m" language = "eql" license = "Elastic License v2" 
diff --git a/rules_building_block/defense_evasion_service_path_registry.toml b/rules_building_block/defense_evasion_service_path_registry.toml index 4cb92d4fd..b11fd2832 100644 --- a/rules_building_block/defense_evasion_service_path_registry.toml +++ b/rules_building_block/defense_evasion_service_path_registry.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/06/27" +updated_date = "2024/08/07" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Identifies attempts to modify a service path by an unusual process. Attackers ma for persistence or privilege escalation. """ from = "now-119m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"] +index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"] interval = "60m" language = "eql" license = "Elastic License v2" diff --git a/rules_building_block/defense_evasion_services_exe_path.toml b/rules_building_block/defense_evasion_services_exe_path.toml index 5035dd0c7..9300d0b0a 100644 --- a/rules_building_block/defense_evasion_services_exe_path.toml +++ b/rules_building_block/defense_evasion_services_exe_path.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/06/27" +updated_date = "2024/08/07" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Identifies attempts to modify a service path setting using sc.exe. Attackers may persistence or privilege escalation. """ from = "now-119m" -index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*"] +index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"] interval = "60m" language = "eql" license = "Elastic License v2" 
diff --git a/rules_building_block/execution_settingcontent_ms_file_creation.toml b/rules_building_block/execution_settingcontent_ms_file_creation.toml index 8e46fde29..cde899ce5 100644 --- a/rules_building_block/execution_settingcontent_ms_file_creation.toml +++ b/rules_building_block/execution_settingcontent_ms_file_creation.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/06/27" +updated_date = "2024/08/07" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Identifies the suspicious creation of SettingContents-ms files, which have been execution while evading defenses. """ from = "now-9m" -index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"] +index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Creation of SettingContent-ms Files" diff --git a/rules_building_block/lateral_movement_wmic_remote.toml b/rules_building_block/lateral_movement_wmic_remote.toml index 5819eb436..12ecd9783 100644 --- a/rules_building_block/lateral_movement_wmic_remote.toml +++ b/rules_building_block/lateral_movement_wmic_remote.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/06/27" +updated_date = "2024/08/07" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Identifies the use of wmic.exe to run commands on remote hosts. While this can b attackers can abuse this built-in utility to achieve lateral movement. """ from = "now-119m" -index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*"] +index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"] interval = "60m" language = "eql" license = "Elastic License v2"