From 27262a585bc4d9cc59f83a68575febe4237bd168 Mon Sep 17 00:00:00 2001 
From: sbousseaden Date: Wed, 17 Jan 2024 13:49:59 +0000 Subject: [PATCH] [Tuning] Add logs-system. index where applicable (#3390) * Update discovery_adfind_command_activity.toml * Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml * Update defense_evasion_clearing_windows_console_history.toml * Update defense_evasion_clearing_windows_event_logs.toml * Update defense_evasion_execution_control_panel_suspicious_args.toml * Update credential_access_dump_registry_hives.toml * Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml * Update impact_deleting_backup_catalogs_with_wbadmin.toml * Update defense_evasion_code_signing_policy_modification_builtin_tools.toml * Update privilege_escalation_uac_bypass_event_viewer.toml * Update privilege_escalation_uac_bypass_mock_windir.toml * Update privilege_escalation_unusual_parentchild_relationship.toml * Update privilege_escalation_unusual_printspooler_childprocess.toml * Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml * Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml * Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml * Update defense_evasion_wsl_kalilinux.toml * Update initial_access_suspicious_ms_outlook_child_process.toml * Update initial_access_suspicious_ms_office_child_process.toml * Update initial_access_suspicious_ms_exchange_worker_child_process.toml * Update initial_access_suspicious_ms_exchange_process.toml * Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml * Update impact_volume_shadow_copy_deletion_via_powershell.toml * Update execution_from_unusual_path_cmdline.toml * Update execution_enumeration_via_wmiprvse.toml * Update execution_command_shell_started_by_svchost.toml * Update discovery_enumerating_domain_trusts_via_nltest.toml * Update discovery_enumerating_domain_trusts_via_dsquery.toml * Update defense_evasion_workfolders_control_execution.toml * Update defense_evasion_iis_httplogging_disabled.toml * 
Update defense_evasion_enable_inbound_rdp_with_netsh.toml * Update defense_evasion_disabling_windows_logs.toml * Update credential_access_wireless_creds_dumping.toml * Update credential_access_iis_apppoolsa_pwd_appcmd.toml * Update credential_access_iis_connectionstrings_dumping.toml * Update command_and_control_remote_file_copy_desktopimgdownldr.toml * Update command_and_control_remote_file_copy_mpcmdrun.toml * Update command_and_control_dns_tunneling_nslookup.toml * Update persistence_webshell_detection.toml * Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml * Update privilege_escalation_named_pipe_impersonation.toml * Update command_and_control_certreq_postdata.toml * Update defense_evasion_suspicious_certutil_commands.toml * Update defense_evasion_disable_windows_firewall_rules_with_netsh.toml * Update defense_evasion_execution_msbuild_started_unusal_process.toml * Update persistence_system_shells_via_services.toml * Update execution_suspicious_cmd_wmi.toml * Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml * Update impact_deleting_backup_catalogs_with_wbadmin.toml * Update credential_access_dump_registry_hives.toml * Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml * Update defense_evasion_clearing_windows_console_history.toml * Update defense_evasion_clearing_windows_event_logs.toml * Update defense_evasion_code_signing_policy_modification_builtin_tools.toml * Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml * Update defense_evasion_execution_control_panel_suspicious_args.toml * Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml * Update defense_evasion_wsl_kalilinux.toml * Update discovery_adfind_command_activity.toml * Update initial_access_suspicious_ms_outlook_child_process.toml * Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml * Update privilege_escalation_uac_bypass_event_viewer.toml * Update privilege_escalation_uac_bypass_mock_windir.toml * 
Update privilege_escalation_unusual_parentchild_relationship.toml * Update privilege_escalation_unusual_printspooler_childprocess.toml * Update defense_evasion_defender_exclusion_via_powershell.toml * Update defense_evasion_execution_lolbas_wuauclt.toml * Update defense_evasion_execution_msbuild_started_by_script.toml * Update defense_evasion_unusual_dir_ads.toml * Update defense_evasion_wsl_child_process.toml * Update defense_evasion_wsl_bash_exec.toml * Update defense_evasion_wsl_enabled_via_dism.toml * Update discovery_admin_recon.toml * Update initial_access_suspicious_ms_exchange_worker_child_process.toml * Update lateral_movement_alternate_creds_pth.toml * Update persistence_via_windows_management_instrumentation_event_subscription.toml * Update persistence_via_telemetrycontroller_scheduledtask_hijack.toml * Update persistence_via_application_shimming.toml * Update defense_evasion_execution_msbuild_started_by_script.toml * Update defense_evasion_execution_msbuild_started_by_script.toml * Update defense_evasion_execution_lolbas_wuauclt.toml * Update defense_evasion_execution_msbuild_started_unusal_process.toml * Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml * Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml * Update defense_evasion_clearing_windows_console_history.toml * Update discovery_adfind_command_activity.toml * Update defense_evasion_execution_msbuild_started_unusal_process.toml * Update execution_command_shell_started_by_svchost.toml * Update initial_access_suspicious_ms_exchange_worker_child_process.toml * Update execution_command_shell_started_by_svchost.toml * Update execution_command_shell_started_by_svchost.toml * Update execution_command_shell_started_by_svchost.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --- .../command_and_control_certreq_postdata.toml | 8 ++++---- .../command_and_control_dns_tunneling_nslookup.toml | 6 +++--- ..._control_remote_file_copy_desktopimgdownldr.toml | 8 ++++---- ...mmand_and_control_remote_file_copy_mpcmdrun.toml | 8 ++++---- ...al_access_copy_ntds_sam_volshadowcp_cmdline.toml | 12 ++++++------ .../credential_access_dump_registry_hives.toml | 8 ++++---- .../credential_access_iis_apppoolsa_pwd_appcmd.toml | 8 ++++---- ...ential_access_iis_connectionstrings_dumping.toml | 8 ++++---- .../credential_access_wireless_creds_dumping.toml | 8 ++++---- ...he_hidden_file_attribute_with_via_attribexe.toml | 13 +++++-------- ...se_evasion_clearing_windows_console_history.toml | 8 ++++---- ...defense_evasion_clearing_windows_event_logs.toml | 8 ++++---- ...e_signing_policy_modification_builtin_tools.toml | 8 ++++---- ...e_evasion_defender_exclusion_via_powershell.toml | 8 ++++---- ...asion_delete_volume_usn_journal_with_fsutil.toml | 8 ++++---- ...n_disable_windows_firewall_rules_with_netsh.toml | 6 +++--- .../defense_evasion_disabling_windows_logs.toml | 12 ++++++------ ...fense_evasion_enable_inbound_rdp_with_netsh.toml | 8 ++++---- ...ion_execution_control_panel_suspicious_args.toml | 6 +++--- .../defense_evasion_execution_lolbas_wuauclt.toml | 6 +++--- ...on_execution_msbuild_started_unusal_process.toml | 12 ++++++------ .../defense_evasion_iis_httplogging_disabled.toml | 8 ++++---- ...efense_evasion_suspicious_certutil_commands.toml | 8 ++++---- rules/windows/defense_evasion_unusual_dir_ads.toml | 6 +++--- ...fense_evasion_workfolders_control_execution.toml | 6 +++--- rules/windows/defense_evasion_wsl_bash_exec.toml | 10 +++++----- .../windows/defense_evasion_wsl_child_process.toml | 4 ++-- .../defense_evasion_wsl_enabled_via_dism.toml | 8 ++++---- rules/windows/defense_evasion_wsl_kalilinux.toml | 6 +++--- .../windows/discovery_adfind_command_activity.toml | 8 ++++---- 
rules/windows/discovery_admin_recon.toml | 12 ++++++------ ...overy_enumerating_domain_trusts_via_dsquery.toml | 8 ++++---- ...covery_enumerating_domain_trusts_via_nltest.toml | 6 +++--- ...pt_solarwinds_backdoor_child_cmd_powershell.toml | 6 +++--- .../execution_command_shell_started_by_svchost.toml | 9 ++++----- .../windows/execution_enumeration_via_wmiprvse.toml | 8 ++++---- .../execution_from_unusual_path_cmdline.toml | 6 +++--- rules/windows/execution_suspicious_cmd_wmi.toml | 6 +++--- ...mpact_deleting_backup_catalogs_with_wbadmin.toml | 8 ++++---- ...hadow_copy_deletion_or_resized_via_vssadmin.toml | 8 ++++---- ..._volume_shadow_copy_deletion_via_powershell.toml | 6 +++--- ...itial_access_suspicious_ms_exchange_process.toml | 6 +++--- ...suspicious_ms_exchange_worker_child_process.toml | 2 +- ...l_access_suspicious_ms_office_child_process.toml | 6 +++--- ..._access_suspicious_ms_outlook_child_process.toml | 6 +++--- .../lateral_movement_alternate_creds_pth.toml | 4 ++-- .../persistence_system_shells_via_services.toml | 6 +++--- .../persistence_via_application_shimming.toml | 6 +++--- ...ia_telemetrycontroller_scheduledtask_hijack.toml | 6 +++--- ...nagement_instrumentation_event_subscription.toml | 8 ++++---- ...ence_via_xp_cmdshell_mssql_stored_procedure.toml | 12 ++++++------ rules/windows/persistence_webshell_detection.toml | 6 +++--- ...ivilege_escalation_named_pipe_impersonation.toml | 8 ++++---- ...e_escalation_tokenmanip_sedebugpriv_enabled.toml | 6 +++--- ...ge_escalation_uac_bypass_diskcleanup_hijack.toml | 8 ++++---- ...rivilege_escalation_uac_bypass_event_viewer.toml | 6 +++--- ...privilege_escalation_uac_bypass_mock_windir.toml | 6 +++--- ...escalation_unusual_parentchild_relationship.toml | 6 +++--- ...scalation_unusual_printspooler_childprocess.toml | 11 +++++------ 59 files changed, 219 insertions(+), 224 deletions(-) 
diff --git a/rules/windows/command_and_control_certreq_postdata.toml b/rules/windows/command_and_control_certreq_postdata.toml index b02b039d9..8b84edfb6 100644 --- a/rules/windows/command_and_control_certreq_postdata.toml +++ b/rules/windows/command_and_control_certreq_postdata.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2023/01/13" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/03" +updated_date = "2024/01/16" [transform] [[transform.osquery]] @@ -37,7 +37,7 @@ description = """ Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a remote URL. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Potential File Transfer via Certreq" @@ -104,7 +104,7 @@ type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and - (process.name : "CertReq.exe" or process.pe.original_file_name == "CertReq.exe") and process.args : "-Post" + (process.name : "CertReq.exe" or ?process.pe.original_file_name == "CertReq.exe") and process.args : "-Post" ''' diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml index cb20e2c2f..0dcaf105b 100644 --- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml +++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml 
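Review bot: The new `logs-system.security*` entry on the `+index` line brings in Windows Security process-start events (4688, as I read it), and the `process.args : "-Post"` predicate on the query's last line only has data there when the "Include command line in process creation events" audit policy is enabled; on a default policy the field is absent and the rule silently matches nothing from that index. Because 4688 never carries a PE original filename (which is why the field now needs the `?` prefix), the system-index path also rests solely on `process.name`, so a renamed certreq binary is not caught from that source. Neither dependency is visible in the hunk; I would record it in the rule's `setup` text, e.g. `For logs-system.security* coverage, enable the Windows 'Include command line in process creation events' audit policy so Event ID 4688 populates process.args; PE original filename is not available from this source.` The same caveat applies to every rule in this patch that gained the index.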
@@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/11" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2024/01/16" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ This rule identifies a large number (15) of nslookup.exe executions with an expl may indicate command and control activity utilizing the DNS protocol. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Potential DNS Tunneling via NsLookup" diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml index c71d69c29..50ff497ab 100644 --- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml +++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/09/03" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2023/12/07" +updated_date = "2024/01/16" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" 
@@ -70,7 +70,7 @@ Identifies the desktopimgdownldr utility being used to download a remote file. A download arbitrary files as an alternative to certutil. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Remote File Download via Desktopimgdownldr Utility" @@ -160,7 +160,7 @@ type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and - (process.name : "desktopimgdownldr.exe" or process.pe.original_file_name == "desktopimgdownldr.exe") and + (process.name : "desktopimgdownldr.exe" or ?process.pe.original_file_name == "desktopimgdownldr.exe") and process.args : "/lockscreenurl:http*" ''' diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml index 9315508f7..9345fb896 100644 --- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml +++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/09/03" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2023/12/07" +updated_date = "2024/01/16" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -67,7 +67,7 @@ providers = [ author = ["Elastic"] description = "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file." from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Remote File Download via MpCmdRun" 
@@ -157,7 +157,7 @@ type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and - (process.name : "MpCmdRun.exe" or process.pe.original_file_name == "MpCmdRun.exe") and + (process.name : "MpCmdRun.exe" or ?process.pe.original_file_name == "MpCmdRun.exe") and process.args : "-DownloadFile" and process.args : "-url" and process.args : "-path" ''' diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml index 38643c532..57a2012e6 100644 --- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml +++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/24" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/03" +updated_date = "2024/01/16" [transform] [[transform.osquery]] @@ -38,7 +38,7 @@ Identifies a copy operation of the Active Directory Domain Database (ntds.dit) o Those files contain sensitive information including hashed domain and/or local credentials. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" max_signals = 33 
@@ -122,12 +122,12 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
 (
- (process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE") and
+ ((?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE") or process.name : ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE")) and
 process.args : ("copy", "xcopy", "Copy-Item", "move", "cp", "mv")
 ) or
- (process.pe.original_file_name : "esentutl.exe" and process.args : ("*/y*", "*/vss*", "*/d*"))
+ ((?process.pe.original_file_name : "esentutl.exe" or process.name : "esentutl.exe") and process.args : ("*/y*", "*/vss*", "*/d*"))
 ) and
- process.args : ("*\\ntds.dit", "*\\config\\SAM", "\\*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\*", "*/system32/config/SAM*")
+ process.command_line : ("*\\ntds.dit*", "*\\config\\SAM*", "*\\*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\*", "*/system32/config/SAM*", "*\\User Data\\*")
 '''
diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml
index c349b2846..9326a51e8 100644
--- a/rules/windows/credential_access_dump_registry_hives.toml
+++ b/rules/windows/credential_access_dump_registry_hives.toml
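Review bot: The new `"*\\User Data\\*"` pattern on the `+ process.command_line` line changes what this rule detects: any copy/move/xcopy or esentutl invocation whose command line touches a browser profile directory now fires, which the description visible in this file (ntds.dit and the SAM hive) and the rule name do not cover, and which ordinary profile-migration or backup scripts are likely to hit. I would either move that target into a dedicated browser-credential-store rule or update `description` and the rule's `false_positives` entry (outside this hunk) to name Chromium `User Data` / `Login Data` as an intended target. Note also that `"*\\config\\SAM*"` with the trailing wildcard now matches the `SAM.LOG1`/`SAM.LOG2` transaction logs as well as the hive, where the old `*\\config\\SAM` was exact; if that is intended, a short `// also catches SAM.LOG* transaction logs` comment in the query would save the next reviewer the same question. Finally, the `process.name : (...)` fallbacks added here are the only branches that can match events from `logs-system.security*`, since 4688 carries no PE original filename, so on that source a renamed `cmd.exe` or `esentutl.exe` is not detected.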
@@ -1,16 +1,16 @@ [metadata] creation_date = "2020/11/23" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/01/16" [rule] author = ["Elastic"] description = "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool." from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Credential Acquisition via Registry Hive Dumping" @@ -83,7 +83,7 @@ type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and - process.pe.original_file_name == "reg.exe" and + (?process.pe.original_file_name == "reg.exe" or process.name : "reg.exe") and process.args : ("save", "export") and process.args : ("hklm\\sam", "hklm\\security") ''' diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml index 7a83198eb..9cf10e51c 100644 --- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml +++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/08/18" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/01/16" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ Identifies the Internet Information Services (IIS) command-line tool, AppCmd, be with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" max_signals = 33 @@ -36,7 +36,7 @@ type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and - (process.name : "appcmd.exe" or process.pe.original_file_name == "appcmd.exe") and + (process.name : "appcmd.exe" or ?process.pe.original_file_name == "appcmd.exe") and process.args : "/list" and process.args : "/text*password" ''' diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml index 048769189..c170a7091 100644 --- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml +++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/08/18" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/01/16" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ access via a webshell or alike can decrypt and dump any hardcoded connection str password using aspnet_regiis command. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" max_signals = 33 
@@ -40,7 +40,7 @@ type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and - (process.name : "aspnet_regiis.exe" or process.pe.original_file_name == "aspnet_regiis.exe") and + (process.name : "aspnet_regiis.exe" or ?process.pe.original_file_name == "aspnet_regiis.exe") and process.args : "connectionStrings" and process.args : "-pdf" ''' diff --git a/rules/windows/credential_access_wireless_creds_dumping.toml b/rules/windows/credential_access_wireless_creds_dumping.toml index b823fd517..ff99b68d6 100644 --- a/rules/windows/credential_access_wireless_creds_dumping.toml +++ b/rules/windows/credential_access_wireless_creds_dumping.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2022/11/01" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/01/16" [transform] [[transform.osquery]] @@ -36,7 +36,7 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu author = ["Elastic"] description = "Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh." from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Wireless Credential Dumping using Netsh Command" @@ -103,7 +103,7 @@ type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and - (process.name : "netsh.exe" or process.pe.original_file_name == "netsh.exe") and + (process.name : "netsh.exe" or ?process.pe.original_file_name == "netsh.exe") and process.args : "wlan" and process.args : "key*clear" ''' 
diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
index 2a405d0cf..979145a4b 100644
--- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
+++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/13"
+updated_date = "2024/01/16"
 [transform]
 [[transform.osquery]]
@@ -35,7 +35,7 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
 author = ["Elastic"]
 description = "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Adding Hidden File Attribute via Attrib"
@@ -103,11 +103,8 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- (process.name : "attrib.exe" or process.pe.original_file_name == "ATTRIB.EXE") and process.args : "+h" and
- not
- (process.parent.name: "cmd.exe" and
- process.command_line: "attrib +R +H +S +A *.cui" and
- process.parent.command_line: "?:\\WINDOWS\\system32\\cmd.exe /c \"?:\\WINDOWS\\system32\\*.bat\"")
+ (process.name : "attrib.exe" or ?process.pe.original_file_name == "ATTRIB.EXE") and process.args : "+h" and
+ not (process.parent.name: "cmd.exe" and process.command_line: "attrib +R +H +S +A *.cui")
 '''
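Review bot: The rewritten exclusion on the last `+` line drops the `process.parent.command_line` constraint, so any `attrib +R +H +S +A <anything>.cui` spawned by a process named `cmd.exe` is now suppressed, where previously only the `system32\cmd.exe /c "system32\*.bat"` chain was. That is an attacker-controllable escape hatch: a cmd-launched attrib whose command line starts with those four flags and ends in `.cui` never alerts, and `process.parent.name` alone does not distinguish the real `cmd.exe` from a same-named copy elsewhere. If the parent command line was removed because 4688 events do not carry it, I would at least re-anchor the parent binary with a field those events do have, e.g. `not (process.parent.executable : "?:\\Windows\\System32\\cmd.exe" and process.command_line: "attrib +R +H +S +A *.cui")`, and add a one-line `// exclusion: Windows setup .bat marking .cui files` comment so the allowlist's origin is recorded in the query.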
diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml index d1d098db3..e40f04161 100644 --- a/rules/windows/defense_evasion_clearing_windows_console_history.toml +++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2021/11/22" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/01/16" [rule] author = ["Austin Songer"] @@ -13,7 +13,7 @@ Identifies when a user attempts to clear console history. An adversary may clear account to conceal the actions undertaken during an intrusion. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Clearing Windows Console History" @@ -80,7 +80,7 @@ type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and - (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name == "PowerShell.EXE") and + (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or ?process.pe.original_file_name == "PowerShell.EXE") and (process.args : "*Clear-History*" or (process.args : ("*Remove-Item*", "rm") and process.args : ("*ConsoleHost_history.txt*", "*(Get-PSReadlineOption).HistorySavePath*")) or (process.args : "*Set-PSReadlineOption*" and process.args : "*SaveNothing*")) diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml index 324fa7d92..9e8d1f529 100644 
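Review bot: The PE-name fallback on the `+` query line still compares `?process.pe.original_file_name == "PowerShell.EXE"` only, while the Defender-exclusion rule in this same patch lists `("powershell.exe", "pwsh.dll", "powershell_ise.exe")` for the same purpose; a renamed PowerShell 7 host (`pwsh.exe`, whose PE original filename is `pwsh.dll` per that sibling rule) is therefore covered there but not here. For consistency I would write `?process.pe.original_file_name : ("PowerShell.EXE", "pwsh.dll", "powershell_ise.exe")`, using `:` as the rest of this query does, since EQL's `:` is case-insensitive and `==` / `in` are not.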
--- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/02/18" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/01/16" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Identifies attempts to clear or disable Windows event log stores using Windows w attackers in an attempt to evade detection or destroy forensic evidence on a system. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Clearing Windows Event Logs" @@ -77,7 +77,7 @@ query = ''' process where host.os.type == "windows" and event.type == "start" and ( ( - (process.name : "wevtutil.exe" or process.pe.original_file_name == "wevtutil.exe") and + (process.name : "wevtutil.exe" or ?process.pe.original_file_name == "wevtutil.exe") and process.args : ("/e:false", "cl", "clear-log") ) or ( diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml index f16b2f62d..20eec4eaf 100644 --- a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml +++ b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml 
@@ -1,10 +1,10 @@ [metadata] creation_date = "2023/01/31" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/01/16" [transform] [[transform.osquery]] @@ -27,7 +27,7 @@ authenticity on a program, and grants the user with the ability to check whether By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Code Signing Policy Modification Through Built-in tools" @@ -96,7 +96,7 @@ type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and - (process.name: "bcdedit.exe" or process.pe.original_file_name == "bcdedit.exe") and process.args: ("-set", "/set") and + (process.name: "bcdedit.exe" or ?process.pe.original_file_name == "bcdedit.exe") and process.args: ("-set", "/set") and process.args: ("TESTSIGNING", "nointegritychecks", "loadoptions", "DISABLE_INTEGRITY_CHECKS") ''' diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml index 2850893ae..68c94907a 100644 --- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml +++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml 
@@ -1,10 +1,10 @@ [metadata] creation_date = "2021/07/20" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/01/16" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Identifies modifications to the Windows Defender configuration settings using Po directory or process level. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Windows Defender Exclusions Added via PowerShell" @@ -93,7 +93,7 @@ type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and - (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")) and + (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")) and process.args : ("*Add-MpPreference*", "*Set-MpPreference*") and process.args : ("*-Exclusion*") ''' diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml index 2a30c5176..e99aec0e7 100644 --- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml +++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml 
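Review bot: On the `+` query line, `?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")` uses EQL's `in`, which is case-sensitive, while the real PE original filename of Windows PowerShell is spelled `PowerShell.EXE` (as the console-history rule in this same patch compares it); if that spelling is right, the Windows PowerShell branch of this fallback never matches and only the `process.name` branch carries the detection. Switching to the case-insensitive list operator, `?process.pe.original_file_name : ("PowerShell.EXE", "pwsh.dll", "powershell_ise.exe")`, matches regardless of casing and is the form the surrounding `process.args :` predicates already use. Worth confirming the exact PE casing for `pwsh.dll` and `powershell_ise.exe` too before relying on an exact-match operator.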
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/01/16"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is
 of files created during post-exploitation activities.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Delete Volume USN Journal with Fsutil"
@@ -58,7 +58,7 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- (process.name : "fsutil.exe" or process.pe.original_file_name == "fsutil.exe") and
+ (process.name : "fsutil.exe" or ?process.pe.original_file_name == "fsutil.exe") and
 process.args : "deletejournal" and process.args : "usn"
 '''
diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
index 25f6a75a6..97ce1fc16 100644
--- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
+++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/16"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies use of the netsh.exe to disable or weaken the local firewall. Attacke
 disable the firewall during troubleshooting or to enable network mobility.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Disable Windows Firewall Rules via Netsh"
diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml
index 799cb062c..fed450861 100644
--- a/rules/windows/defense_evasion_disabling_windows_logs.toml
+++ b/rules/windows/defense_evasion_disabling_windows_logs.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/05/06"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/16"
 [rule]
 author = ["Elastic", "Ivan Ninichuck", "Austin Songer"]
@@ -13,7 +13,7 @@ Identifies attempts to disable EventLog via the logman Windows utility, PowerShe
 attackers in an attempt to evade detection on a system.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Disable Windows Event and Security Logs Using Built-in Tools"
@@ -79,14 +79,14 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
 (
- ((process.name:"logman.exe" or process.pe.original_file_name == "Logman.exe") and
+ ((process.name:"logman.exe" or ?process.pe.original_file_name == "Logman.exe") and
 process.args : "EventLog-*" and process.args : ("stop", "delete")) or
- ((process.name : ("pwsh.exe", "powershell.exe", "powershell_ise.exe") or process.pe.original_file_name in
+ ((process.name : ("pwsh.exe", "powershell.exe", "powershell_ise.exe") or ?process.pe.original_file_name in
 ("pwsh.exe", "powershell.exe", "powershell_ise.exe")) and
 process.args : "Set-Service" and process.args: "EventLog" and process.args : "Disabled") or
- ((process.name:"auditpol.exe" or process.pe.original_file_name == "AUDITPOL.EXE") and process.args : "/success:disable")
+ ((process.name:"auditpol.exe" or ?process.pe.original_file_name == "AUDITPOL.EXE") and process.args : "/success:disable")
 )
 '''
diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
index 167099248..227bf31ce 100644
--- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/10/13"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/16"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies use of the network shell utility (netsh.exe) to enable inbound Remote
 the Windows Firewall.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote Desktop Enabled in Windows Firewall by Netsh"
@@ -79,7 +79,7 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- (process.name : "netsh.exe" or process.pe.original_file_name == "netsh.exe") and
+ (process.name : "netsh.exe" or ?process.pe.original_file_name == "netsh.exe") and
 process.args : ("localport=3389", "RemoteDesktop", "group=\"remote desktop\"") and process.args : ("action=allow", "enable=Yes", "enable")
 '''
diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
index 6a4883a2e..990318c2e 100644
--- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
+++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/09/08"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/16"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies unusual instances of Control Panel with suspicious keywords or paths
 Adversaries may abuse control.exe to proxy execution of malicious code.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Control Panel Process with Unusual Arguments"
diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
index 7cb68ff53..55597604d 100644
--- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
+++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2020/10/13"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -38,7 +38,7 @@ Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load
 as a defense evasion technique to blend-in malicious activity with legitimate Windows software.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "ImageLoad via Windows Update Auto Update Client"
@@ -120,7 +120,7 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- (process.pe.original_file_name == "wuauclt.exe" or process.name : "wuauclt.exe") and
+ (?process.pe.original_file_name == "wuauclt.exe" or process.name : "wuauclt.exe") and
 /* necessary windows update client args to load a dll */
 process.args : "/RunHandlerComServer" and process.args : "/UpdateDeploymentProvider" and
 /* common paths writeable by a standard user where the target DLL can be placed */
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
index 3c28b88ce..b7d8acd9c 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/03/25"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/16"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "logs-system.security*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft Build Engine Started an Unusual Process"
@@ -47,8 +47,8 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-host.os.type:windows and event.category:process and event.type:start and process.parent.name:"MSBuild.exe" and
-process.name.caseless:("csc.exe" or "iexplore.exe" or "powershell.exe")
+host.os.type:windows and event.category:process and event.type:start and process.parent.name:("MSBuild.exe" or "msbuild.exe") and
+process.name:("csc.exe" or "iexplore.exe" or "powershell.exe")
 '''
 [[rule.threat]]
@@ -82,7 +82,7 @@ reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "user.name", "process.parent.command_line"]
+value = ["host.id", "user.name"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
index edfe9668d..2479e6e97 100644
--- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml
+++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/04/14"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/16"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies when Internet Information Services (IIS) HTTP Logging is disabled on
 access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 max_signals = 33
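Review bot: Dropping `.caseless` makes the child-name match case-sensitive, and the rewritten query handles that asymmetrically: the parent gets two spellings, `process.parent.name:("MSBuild.exe" or "msbuild.exe")`, while the child list stays lowercase only, so any differently cased `process.name` value that `process.name.caseless` used to match is now missed. The svchost rule in this same patch (execution_command_shell_started_by_svchost.toml) handles the identical problem with three spellings, `process.name:("cmd.exe" or "Cmd.exe" or "CMD.EXE")`, so the two new-terms rules now disagree on approach; pick one and apply it to both child lists. If `.caseless` was removed because the `logs-system.security*` mapping lacks that subfield, a comment above `query` saying so would keep the next tuning pass from reintroducing it. The removal of `process.parent.command_line` from `new_terms_fields` changes how often the rule fires per host and user and deserves a sentence in the rule's `note` or the commit description.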
@@ -70,7 +70,7 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- (process.name : "appcmd.exe" or process.pe.original_file_name == "appcmd.exe") and
+ (process.name : "appcmd.exe" or ?process.pe.original_file_name == "appcmd.exe") and
 process.args : "/dontLog*:*True" and not process.parent.name : "iissetup.exe"
 '''
diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
index 94d27818b..bf01926ac 100644
--- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml
+++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/01/16"
 [transform]
 [[transform.osquery]]
@@ -39,7 +39,7 @@ Certificate Services. CertUtil is often abused by attackers to live off the land
 data exfiltration.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious CertUtil Commands"
@@ -110,7 +110,7 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- (process.name : "certutil.exe" or process.pe.original_file_name == "CertUtil.exe") and
+ (process.name : "certutil.exe" or ?process.pe.original_file_name == "CertUtil.exe") and
 process.args : ("?decode", "?encode", "?urlcache", "?verifyctl", "?encodehex", "?decodehex", "?exportPFX")
 '''
diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml
index a2ec539c7..f74305fd0 100644
--- a/rules/windows/defense_evasion_unusual_dir_ads.toml
+++ b/rules/windows/defense_evasion_unusual_dir_ads.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/12/04"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/16"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies processes running from an Alternate Data Stream. This is uncommon for
 by adversaries to hide malware.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Process Execution Path - Alternate Data Stream"
diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml
index fdfa9ffaa..13261e73d 100644
--- a/rules/windows/defense_evasion_workfolders_control_execution.toml
+++ b/rules/windows/defense_evasion_workfolders_control_execution.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/03/02"
-integration = ["windows"]
+integration = ["windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/16"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -13,7 +13,7 @@ Identifies the use of Windows Work Folders to execute a potentially masqueraded
 directory. Misuse of Windows Work Folders could indicate malicious activity.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Signed Proxy Execution via MS Work Folders"
diff --git a/rules/windows/defense_evasion_wsl_bash_exec.toml b/rules/windows/defense_evasion_wsl_bash_exec.toml
index 06ddbf82b..ac4f936a7 100644
--- a/rules/windows/defense_evasion_wsl_bash_exec.toml
+++ b/rules/windows/defense_evasion_wsl_bash_exec.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/01/13"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2023/12/21"
+updated_date = "2024/01/16"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -13,7 +13,7 @@ Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversarie
 and use WSL for Linux to avoid detection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Execution via Windows Subsystem for Linux"
@@ -33,12 +33,12 @@ query = '''
 process where host.os.type == "windows" and event.type : "start" and
 (
 (
- (process.executable : "?:\\Windows\\System32\\bash.exe" or process.pe.original_file_name == "Bash.exe") and
+ (process.executable : "?:\\Windows\\System32\\bash.exe" or ?process.pe.original_file_name == "Bash.exe") and
 not process.command_line : ("bash", "bash.exe")
 ) or
 process.executable : "?:\\Users\\*\\AppData\\Local\\Packages\\*\\rootfs\\usr\\bin\\bash" or
 (
- process.parent.name : "wsl.exe" and process.parent.command_line : "bash*" and not process.name : "wslhost.exe"
+ process.parent.name : "wsl.exe" and ?process.parent.command_line : "bash*" and not process.name : "wslhost.exe"
 ) or
 (
 process.name : "wsl.exe" and process.args : (
diff --git a/rules/windows/defense_evasion_wsl_child_process.toml b/rules/windows/defense_evasion_wsl_child_process.toml
index cf82698d6..0698a10b1 100644
--- a/rules/windows/defense_evasion_wsl_child_process.toml
+++ b/rules/windows/defense_evasion_wsl_child_process.toml
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2023/01/12"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 updated_date = "2023/12/21"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
@@ -13,7 +13,7 @@ Detects attempts to execute a program on the host from the Windows Subsystem for
 Adversaries may enable and use WSL for Linux to avoid detection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Execution via Windows Subsystem for Linux"
diff --git a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
index c4880706b..1a18a197e 100644
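Review bot: The metadata hunk for defense_evasion_wsl_child_process.toml changes `integration` and the file's `index` but leaves `updated_date = "2023/12/21"` untouched as a context line, whereas every other file in this patch bumps it to `"2024/01/16"` alongside the same change; the rule content changed, so the date should move with it, `updated_date = "2024/01/16"`. The wuauclt rule earlier in the patch (defense_evasion_execution_lolbas_wuauclt.toml) has a six-line metadata hunk that likewise shows no `updated_date` change, though there the key may simply sit below the hunk's context, so I cannot tell from the diff whether it was bumped.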
--- a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
+++ b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/01/13"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2023/09/13"
+updated_date = "2024/01/16"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -13,7 +13,7 @@ Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism
 and use WSL for Linux to avoid detection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Windows Subsystem for Linux Enabled via Dism Utility"
@@ -63,7 +63,7 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type : "start" and
- (process.name : "Dism.exe" or process.pe.original_file_name == "DISM.EXE") and
+ (process.name : "Dism.exe" or ?process.pe.original_file_name == "DISM.EXE") and
 process.command_line : "*Microsoft-Windows-Subsystem-Linux*"
 '''
diff --git a/rules/windows/defense_evasion_wsl_kalilinux.toml b/rules/windows/defense_evasion_wsl_kalilinux.toml
index 4fa4ca573..2eaba0546 100644
--- a/rules/windows/defense_evasion_wsl_kalilinux.toml
+++ b/rules/windows/defense_evasion_wsl_kalilinux.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/01/12"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2023/07/20"
+updated_date = "2024/01/16"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -13,7 +13,7 @@ Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. A
 enable and use WSL for Linux to avoid detection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Attempt to Install Kali Linux via WSL"
diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml
index b50a6d7c5..c36e70533 100644
--- a/rules/windows/discovery_adfind_command_activity.toml
+++ b/rules/windows/discovery_adfind_command_activity.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/10/19"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/16"
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ leveraged by threat actors to perform post-exploitation Active Directory reconna
 observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "AdFind Command Activity"
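Review bot: The `index` hunk for discovery_adfind_command_activity.toml adds `logs-system.security*`, but the description line kept as context still ends with `For Winlogbeat, this rule requires Sysmon.`, which now reads as if Sysmon were the only non-Endpoint data source; with the Security-channel index added, a Windows Security process creation event that carries the command line (the query matches on `process.args`) would presumably satisfy the rule as well. The sentence should name both paths so operators do not deploy Sysmon needlessly or, conversely, assume the new index works without command-line auditing, e.g. `For Winlogbeat, this rule requires Sysmon or Windows Security process creation auditing with command line logging enabled.`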
@@ -79,7 +79,7 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- (process.name : "AdFind.exe" or process.pe.original_file_name == "AdFind.exe") and
+ (process.name : "AdFind.exe" or ?process.pe.original_file_name == "AdFind.exe") and
 process.args : ("objectcategory=computer", "(objectcategory=computer)", "objectcategory=person", "(objectcategory=person)", "objectcategory=subnet", "(objectcategory=subnet)",
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
index 63e1b81b4..d4af75b94 100644
--- a/rules/windows/discovery_admin_recon.toml
+++ b/rules/windows/discovery_admin_recon.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/12/04"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/12/21"
+updated_date = "2024/01/16"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies instances of lower privilege accounts enumerating Administrator accou
 tools.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Enumeration of Administrator Accounts"
@@ -77,15 +77,15 @@ process where host.os.type == "windows" and event.type == "start" and
 (
 (
 (
- (process.name : "net.exe" or process.pe.original_file_name == "net.exe") or
- ((process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and not process.parent.name : "net.exe")
+ (process.name : "net.exe" or ?process.pe.original_file_name == "net.exe") or
+ ((process.name : "net1.exe" or ?process.pe.original_file_name == "net1.exe") and not process.parent.name : "net.exe")
 ) and
 process.args : ("group", "user", "localgroup") and
 process.args : ("*admin*", "Domain Admins", "Remote Desktop Users", "Enterprise Admins", "Organization Management") and
 not process.args : ("/add", "/delete")
 ) or
 (
- (process.name : "wmic.exe" or process.pe.original_file_name == "wmic.exe") and
+ (process.name : "wmic.exe" or ?process.pe.original_file_name == "wmic.exe") and
 process.args : ("group", "useraccount")
 )
 ) and not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20")
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
index 8882470a0..2bf0d795f 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2023/01/27"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/27"
+updated_date = "2024/01/16"
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 "Domain administrators may use this command-line utility for legitimate information gathering purposes.",
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Enumerating Domain Trusts via DSQUERY.EXE"
@@ -65,7 +65,7 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
- (process.name : "dsquery.exe" or process.pe.original_file_name: "dsquery.exe") and
+ (process.name : "dsquery.exe" or ?process.pe.original_file_name: "dsquery.exe") and
 process.args : "*objectClass=trustedDomain*"
 '''
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
index b730a1526..5fb0a360a 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/05/31"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/09/14"
+updated_date = "2024/01/16"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Enumerating Domain Trusts via NLTEST.EXE"
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
index fbadfaebf..6ab39799f 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/12/14"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/16"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = [
 "Trusted SolarWinds child processes. Verify process details such as network connections and file writes.",
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Command Execution via SolarWinds Process"
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index 010d9dfb2..69b930cb2 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/16"
 [transform]
 [[transform.osquery]]
@@ -35,7 +35,7 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
 author = ["Elastic"]
 description = "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe"
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "logs-system.security*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Svchost spawning Cmd"
@@ -117,8 +117,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-host.os.type:windows and event.category:process and event.type:start and process.parent.name:"svchost.exe" and
-process.name.caseless:"cmd.exe"
+host.os.type:windows and event.category:process and event.type:start and process.parent.name:"svchost.exe" and process.name:("cmd.exe" or "Cmd.exe" or "CMD.EXE")
 '''
 [[rule.threat]]
diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml
index a8859e609..9cd5edf52 100644
--- a/rules/windows/execution_enumeration_via_wmiprvse.toml
+++ b/rules/windows/execution_enumeration_via_wmiprvse.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/01/19"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/16"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies native Windows host and network enumeration commands spawned by the W
 Provider Service (WMIPrvSE).
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Enumeration Command Spawned via WMIPrvSE"
@@ -39,7 +39,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "windows" and event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and process.command_line != null and
 process.name:
 (
 "arp.exe",
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
index d832bc27c..f53e68dba 100644
--- a/rules/windows/execution_from_unusual_path_cmdline.toml
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/10/30"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/16"
 [transform]
 [[transform.osquery]]
@@ -39,7 +39,7 @@ Identifies process execution from suspicious default Windows directories. This m
 malware in trusted paths.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Execution from Unusual Directory - Command Line"
diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml
index 41a514ec9..523272517 100644
--- a/rules/windows/execution_suspicious_cmd_wmi.toml
+++ b/rules/windows/execution_suspicious_cmd_wmi.toml
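Review bot: The added `process.command_line != null` guard on the new `process where` line silently discards process-start events that carry no command line, which for the newly added `logs-system.security*` source is presumably every event from a host where command-line logging for process creation auditing is not enabled; the rule then simply returns nothing for such hosts rather than failing in a visible way. If the null check exists so that a later `process.command_line` exclusion in the query behaves predictably, say so on the line, e.g. `/* command_line is required further down; Security-channel events without command-line auditing are intentionally skipped */`, and list the auditing prerequisite in the rule's setup text. The query body continues past the end of this hunk, so I could not confirm what else depends on `process.command_line`.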
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/10/19"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/16"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies suspicious command execution (cmd) via Windows Management Instrumenta
 be indicative of adversary lateral movement.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Cmd Execution via WMI"
diff --git a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
index ff44a981c..383ad79ed 100644
--- a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
+++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/16"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and o
 system recovery.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Deleting Backup Catalogs with Wbadmin"
@@ -74,7 +74,7 @@ type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and - (process.name : "wbadmin.exe" or process.pe.original_file_name == "WBADMIN.EXE") and + (process.name : "wbadmin.exe" or ?process.pe.original_file_name == "WBADMIN.EXE") and process.args : "catalog" and process.args : "delete" ''' diff --git a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml index a26440e37..f796bff57 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/02/18" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/01/16" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints ransomware or other destructive attacks. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Volume Shadow Copy Deleted or Resized via VssAdmin" @@ -93,7 +93,7 @@ type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" - and (process.name : "vssadmin.exe" or process.pe.original_file_name == "VSSADMIN.EXE") and + and (process.name : "vssadmin.exe" or ?process.pe.original_file_name == "VSSADMIN.EXE") and process.args in ("delete", "resize") and process.args : "shadows*" ''' 
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
index db00af32e..9362ffe1d 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/07/19"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/16"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -13,7 +13,7 @@ Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve
 occurs in tandem with ransomware or other destructive attacks.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Volume Shadow Copy Deletion via PowerShell"
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
index 78c98471f..2d843c186 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/03/04"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/01/03"
+updated_date = "2024/01/16"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -19,7 +19,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"] +index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Microsoft Exchange Server UM Spawning Suspicious Processes" diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml index fc18149c8..70c33993e 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml @@ -41,7 +41,7 @@ query = ''' process where host.os.type == "windows" and event.type == "start" and process.parent.name : "w3wp.exe" and process.parent.args : "MSExchange*AppPool" and (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or - process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe")) + ?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe")) ''' diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml index f2d6d2004..826433d90 100644 --- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/02/18" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/01/16" [rule] author = ["Elastic"] 
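Review bot: The rewritten line in the Exchange worker hunk (`@@ -41,7 +41,7 @@`) keeps the case-sensitive `in` operator against lowercase values for `?process.pe.original_file_name`, but the PE original file names of these binaries are spelled `Cmd.Exe` and `PowerShell.EXE` (this commit uses exactly those spellings in the named pipe impersonation rule), so the `original_file_name` branch will not match the real binaries and only the `process.name :` branch does any work. The case-insensitive form, `?process.pe.original_file_name in~ ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe")`, or the `:` operator the sibling rules on this page use, restores the intended renamed-binary coverage. The enclosing query starts before this hunk (its `query = '''` line is only the header context).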
@@ -14,7 +14,7 @@ These child processes are often launched during exploitation of Office applicati
 macros.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious MS Office Child Process"
diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
index 425294262..c3d73e655 100644
--- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/16"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies suspicious child processes of Microsoft Outlook. These child processe
 phishing activity.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious MS Outlook Child Process"
diff --git a/rules/windows/lateral_movement_alternate_creds_pth.toml b/rules/windows/lateral_movement_alternate_creds_pth.toml
index e4e2a9ff0..2e4d081e5 100644
--- a/rules/windows/lateral_movement_alternate_creds_pth.toml
+++ b/rules/windows/lateral_movement_alternate_creds_pth.toml
@@ -4,7 +4,7 @@ integration = ["windows", "system"]
 maturity = "production"
 min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
 min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2024/01/16"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ bypassing normal system access controls. Pass the hash (PtH) is a method of auth
 without having access to the user's cleartext password.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-windows.*", "logs-system.*"]
+index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential Pass-the-Hash (PtH) Attempt"
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml
index c348ba669..9062eeb0e 100644
--- a/rules/windows/persistence_system_shells_via_services.toml
+++ b/rules/windows/persistence_system_shells_via_services.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/13"
+updated_date = "2024/01/16"
 
 [transform]
 [[transform.osquery]]
@@ -34,7 +34,7 @@ Windows services typically run as SYSTEM and can be used as a privilege escalati
 testers may run a shell as a service to gain SYSTEM permissions.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "System Shells via Services"
diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml
index 911c7a349..7d3490ee7 100644
--- a/rules/windows/persistence_via_application_shimming.toml
+++ b/rules/windows/persistence_via_application_shimming.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/17"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ changes over time. This Windows functionality has been abused by attackers to st
 code execution in legitimate Windows processes.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Application Shimming via Sdbinst"
diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
index d08d13ab7..7642c76dd 100644
--- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
+++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/17"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/17"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Detects the successful hijack of Microsoft Compatibility Appraiser scheduled tas
 integrity level of system.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via TelemetryController Scheduled Task Hijack"
diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
index 5a7c0cca4..13df16250 100644
--- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
+++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/12/04"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/17"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ bindings that execute code when a defined event occurs. Adversaries may use the
 event and execute arbitrary code when that event occurs, providing persistence on a system.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via WMI Event Subscription"
@@ -36,7 +36,7 @@ type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and - (process.name : "wmic.exe" or process.pe.original_file_name == "wmic.exe") and + (process.name : "wmic.exe" or ?process.pe.original_file_name == "wmic.exe") and process.args : "create" and process.args : ("ActiveScriptEventConsumer", "CommandLineEventConsumer") ''' diff --git a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml index 20e0543a4..230c794dd 100644 --- a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml +++ b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/08/14" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/01/16" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Execution via MSSQL xp_cmdshell Stored Procedure" 
@@ -74,11 +74,11 @@ process where host.os.type == "windows" and event.type == "start" and process.pa not process.args : ("\\\\*", "diskfree", "rmdir", "mkdir", "dir", "del", "rename", "bcp", "*XMLNAMESPACES*", "?:\\MSSQL\\Backup\\Jobs\\sql_agent_backup_job.ps1", "K:\\MSSQL\\Backup\\msdb", "K:\\MSSQL\\Backup\\Logins")) or - (process.name : "vpnbridge.exe" or process.pe.original_file_name : "vpnbridge.exe") or + (process.name : "vpnbridge.exe" or ?process.pe.original_file_name : "vpnbridge.exe") or - (process.name : "certutil.exe" or process.pe.original_file_name == "CertUtil.exe") or + (process.name : "certutil.exe" or ?process.pe.original_file_name == "CertUtil.exe") or - (process.name : "bitsadmin.exe" or process.pe.original_file_name == "bitsadmin.exe") + (process.name : "bitsadmin.exe" or ?process.pe.original_file_name == "bitsadmin.exe") ) ''' diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml index 3643d6f4c..1d7fdbc1f 100644 --- a/rules/windows/persistence_webshell_detection.toml +++ b/rules/windows/persistence_webshell_detection.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2021/08/24" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/09" +updated_date = "2024/01/16" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Web Shell Detection: Script Process Child of Common Web Processes" 
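Review bot: The three rewritten lines in the xp_cmdshell hunk mix operators on the same field: `?process.pe.original_file_name : "vpnbridge.exe"` is a case-insensitive match while the `certutil.exe` and `bitsadmin.exe` lines below use `==`, which is an exact, case-sensitive comparison. The `==` lines happen to work because the quoted values match the binaries' PE spellings, but the inconsistency invites a silent miss the next time a value is edited; using `:` on all three lines, as the first one already does, keeps the expression uniform. The enclosing query starts before this hunk.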
diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml index a47a4d24b..5e40617e4 100644 --- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml +++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/23" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/01/16" [transform] [[transform.osquery]] @@ -39,7 +39,7 @@ Identifies a privilege escalation attempt via named pipe impersonation. An adver utilizing a framework such Metasploit's meterpreter getsystem command. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Privilege Escalation via Named Pipe Impersonation" @@ -124,7 +124,7 @@ type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and - process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE") and + (process.name : ("Cmd.Exe", "PowerShell.EXE") or ?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE")) and process.args : "echo" and process.args : ">" and process.args : "\\\\.\\pipe\\*" ''' diff --git a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml index 520a097c6..3a60368ab 100644 --- a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml +++ b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml 
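Review bot: The new `process.name : ("Cmd.Exe", "PowerShell.EXE")` branch in the named pipe impersonation hunk (`@@ -124,7 +124,7 @@`) still leaves out `pwsh.exe`, so a host running PowerShell 7 is not covered even though the Exchange worker rule touched by this same commit lists `pwsh.exe` and `pwsh.dll` alongside `powershell.exe`. Extending both lists, `process.name : ("Cmd.Exe", "PowerShell.EXE", "pwsh.exe") or ?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll")`, keeps the two rules consistent. The surrounding `process.args` conditions are unchanged by the hunk.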
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/10/20"
-integration = ["windows"]
+integration = ["windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/16"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the creation of a process running as SYSTEM and impersonating a Windo
 may create a new process with a different token to escalate privileges and bypass access controls.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "SeDebugPrivilege Enabled by a Suspicious Process"
diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
index 24ea538f1..b647df7f1 100644
--- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/16"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled
 stealthily execute code with elevated permissions.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "UAC Bypass via DiskCleanup Scheduled Task Hijack"
@@ -34,7 +34,7 @@ type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and - process.args : "/autoclean" and process.args : "/d" and + process.args : "/autoclean" and process.args : "/d" and process.executable != null and not process.executable : ("C:\\Windows\\System32\\cleanmgr.exe", "C:\\Windows\\SysWOW64\\cleanmgr.exe", "C:\\Windows\\System32\\taskhostw.exe") diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml index 555a7b93b..fb2d5635c 100644 --- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml +++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/03/17" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2023/10/23" +updated_date = "2024/01/16" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -39,7 +39,7 @@ Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass elevated permissions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Bypass UAC via Event Viewer" diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml index 86f284981..862cf641f 100644 --- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml +++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml 
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/10/26"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2023/10/23"
+updated_date = "2024/01/16"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -39,7 +39,7 @@ Identifies an attempt to bypass User Account Control (UAC) by masquerading as a
 Attackers may bypass UAC to stealthily execute code with elevated permissions.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "UAC Bypass Attempt via Windows Directory Masquerading"
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index b5bf495b3..f0a4e899c 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2023/10/23"
+updated_date = "2024/01/16"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -39,7 +39,7 @@ Identifies Windows programs run from unexpected parent processes. This could ind
 activity on a system.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Parent-Child Relationship"
diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml index 6f900b52f..d6db30bd5 100644 --- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml +++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2021/07/06" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2024/01/16" [rule] author = ["Elastic"] @@ -19,7 +19,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Unusual Print Spooler Child Process" @@ -41,9 +41,8 @@ type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and - process.parent.name : "spoolsv.exe" and - (?process.Ext.token.integrity_level_name : "System" or - ?winlog.event_data.IntegrityLevel : "System") and + process.parent.name : "spoolsv.exe" and process.command_line != null and + (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") and /* exclusions for FP control below */ not process.name : ("splwow64.exe", "PDFCreator.exe", "acrodist.exe", "spoolsv.exe", "msiexec.exe", "route.exe", "WerFault.exe") and