diff --git a/.github/workflows/lock-versions.yml b/.github/workflows/lock-versions.yml index 1dfd97ad7..bda7d3dbe 100644 --- a/.github/workflows/lock-versions.yml +++ b/.github/workflows/lock-versions.yml @@ -6,7 +6,7 @@ on: description: 'List of branches to lock versions (ordered, comma separated)' required: true # 7.17 was intentionally skipped because it was added late and was bug fix only - default: '8.9,8.10,8.11,8.12,8.13,8.14' + default: '8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13,8.14' jobs: pr: diff --git a/detection_rules/devtools.py b/detection_rules/devtools.py index 7befb9d1a..71bd2f218 100644 --- a/detection_rules/devtools.py +++ b/detection_rules/devtools.py @@ -812,9 +812,8 @@ def update_navigator_gists(directory: Path, token: str, gist_id: str, print_mark @dev_group.command('trim-version-lock') @click.argument('stack_version') -@click.option('--skip-rule-updates', is_flag=True, help='Skip updating the rules') @click.option('--dry-run', is_flag=True, help='Print the changes rather than saving the file') -def trim_version_lock(stack_version: str, skip_rule_updates: bool, dry_run: bool): +def trim_version_lock(stack_version: str, dry_run: bool): """Trim all previous entries within the version lock file which are lower than the min_version.""" stack_versions = get_stack_versions() assert stack_version in stack_versions, \ 
@@ -822,78 +821,36 @@ def trim_version_lock(stack_version: str, skip_rule_updates: bool, dry_run: bool min_version = Version.parse(stack_version) version_lock_dict = default_version_lock.version_lock.to_dict() - removed = defaultdict(list) - rule_msv_drops = [] - - today = time.strftime('%Y/%m/%d') - rc: RuleCollection | None = None - if dry_run: - rc = RuleCollection() - else: - if not skip_rule_updates: - click.echo('Loading rules ...') - rc = RuleCollection.default() + removed = {} for rule_id, lock in version_lock_dict.items(): - file_min_stack: Version | None = None - if 'min_stack_version' in lock: - file_min_stack = Version.parse((lock['min_stack_version']), optional_minor_and_patch=True) - if file_min_stack <= min_version: - removed[rule_id].append( - f'locked min_stack_version <= {min_version} - {"will remove" if dry_run else "removing"}!' - ) - rule_msv_drops.append(rule_id) - file_min_stack = None - - if not dry_run: - lock.pop('min_stack_version') - if not skip_rule_updates: - # remove the min_stack_version and min_stack_comments from rules as well (and update date) - rule = rc.id_map.get(rule_id) - if rule: - new_meta = dataclasses.replace( - rule.contents.metadata, - updated_date=today, - min_stack_version=None, - min_stack_comments=None - ) - contents = dataclasses.replace(rule.contents, metadata=new_meta) - new_rule = TOMLRule(contents=contents, path=rule.path) - new_rule.save_toml() - removed[rule_id].append('rule min_stack_version dropped') - else: - removed[rule_id].append('rule not found to update!') - if 'previous' in lock: prev_vers = [Version.parse(v, optional_minor_and_patch=True) for v in list(lock['previous'])] - outdated_vers = [v for v in prev_vers if v < min_version] + outdated_vers = [f"{v.major}.{v.minor}" for v in prev_vers if v < min_version] if not outdated_vers: continue # we want to remove all "old" versions, but save the latest that is >= the min version supplied as the new # stack_version. 
- latest_version = max(outdated_vers) + if dry_run: + outdated_minus_current = [str(v) for v in outdated_vers if v < stack_version] + if outdated_minus_current: + removed[rule_id] = outdated_minus_current for outdated in outdated_vers: - short_outdated = f"{outdated.major}.{outdated.minor}" - popped = lock['previous'].pop(str(short_outdated)) - # the core of the update - we only need to keep previous entries that are newer than the min supported - # version (from stack-schema-map and stack-version parameter) and older than the locked - # min_stack_version for a given rule, if one exists - if file_min_stack and outdated == latest_version and outdated < file_min_stack: - lock['previous'][f'{min_version.major}.{min_version.minor}'] = popped - removed[rule_id].append(f'{short_outdated} updated to: {min_version.major}.{min_version.minor}') - else: - removed[rule_id].append(f'{outdated} dropped') + popped = lock['previous'].pop(str(outdated)) + if outdated >= stack_version: + lock['previous'][str(Version(stack_version[:2]))] = popped # remove the whole previous entry if it is now blank if not lock['previous']: lock.pop('previous') - click.echo(f'Changes {"that will be " if dry_run else ""} applied:' if removed else 'No changes') - click.echo('\n'.join(f'{k}: {", ".join(v)}' for k, v in removed.items())) - if not dry_run: + if dry_run: + click.echo(f'The following versions would be collapsed to {stack_version}:' if removed else 'No changes') + click.echo('\n'.join(f'{k}: {", ".join(v)}' for k, v in removed.items())) + else: new_lock = VersionLockFile.from_dict(dict(data=version_lock_dict)) new_lock.save_to_file() diff --git a/detection_rules/etc/stack-schema-map.yaml b/detection_rules/etc/stack-schema-map.yaml index f2ea604e4..9daf9547d 100644 --- a/detection_rules/etc/stack-schema-map.yaml +++ b/detection_rules/etc/stack-schema-map.yaml 
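Review bot: `outdated_vers` is now a list of `'major.minor'` strings, so `v < stack_version` in the dry-run branch and `outdated >= stack_version` in the pop loop compare lexicographically (`'8.9' >= '8.10'` is true), while the list is built only from versions numerically below `min_version`, which means the re-key branch can only fire through that string artefact, and the key it then writes, `Version(stack_version[:2])`, is a character slice that yields `'8.'` for `'8.10'`. Keep the `Version` objects, compare against `min_version`, and build the lock key from `min_version.major`/`min_version.minor` as the removed lines did. The hunk's own comment says the newest trimmed entry should survive under the new stack version; the code below does that explicitly and refuses to clobber an entry already keyed at `min_version` — if dropping every outdated entry is the real intent, delete the `latest_outdated` lines and that comment instead. The dry-run echo after the loop should then print `new_key` rather than the raw `stack_version` argument, since that is the key actually written. With the rule-update path removed, `defaultdict`, `time`, `dataclasses`, `TOMLRule` and `RuleCollection` may no longer be referenced in this module; the import block is outside the hunk, so worth checking.
```python
            outdated_vers = [v for v in prev_vers if v < min_version]
            if not outdated_vers:
                continue

            # Version objects compare numerically; lock keys are 'major.minor' strings
            new_key = f'{min_version.major}.{min_version.minor}'
            latest_outdated = max(outdated_vers)
            if dry_run:
                removed[rule_id] = [f'{v.major}.{v.minor}' for v in outdated_vers]

            for outdated in outdated_vers:
                popped = lock['previous'].pop(f'{outdated.major}.{outdated.minor}')
                # keep only the newest trimmed entry, re-keyed to the new minimum stack version
                if outdated == latest_outdated and new_key not in lock['previous']:
                    lock['previous'][new_key] = popped
            # … unchanged: empty-'previous' cleanup and the dry-run / save branches …
```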
@@ -42,38 +42,39 @@ # beats: "8.2.1" # ecs: "8.2.1" # endgame: "1.9.0" -# "8.3.0": -# beats: "8.3.3" -# ecs: "8.3.1" -# endgame: "1.9.0" - -# "8.4.0": -# beats: "8.4.3" -# ecs: "8.4.0" -# endgame: "8.4.0" - -# "8.5.0": -# beats: "8.5.3" -# ecs: "8.5.2" -# endgame: "8.4.0" - -# "8.6.0": -# beats: "8.6.1" -# ecs: "8.6.1" -# endgame: "8.4.0" - -# "8.7.0": -# beats: "8.7.0" -# ecs: "8.7.0" -# endgame: "8.4.0" - -# "8.8.0": -# beats: "8.8.2" -# ecs: "8.8.0" -# endgame: "8.4.0" ## Supported +"8.3.0": + beats: "8.3.3" + ecs: "8.3.1" + endgame: "1.9.0" + +"8.4.0": + beats: "8.4.3" + ecs: "8.4.0" + endgame: "8.4.0" + +"8.5.0": + beats: "8.5.3" + ecs: "8.5.2" + endgame: "8.4.0" + +"8.6.0": + beats: "8.6.1" + ecs: "8.6.1" + endgame: "8.4.0" + +"8.7.0": + beats: "8.7.0" + ecs: "8.7.0" + endgame: "8.4.0" + +"8.8.0": + beats: "8.8.2" + ecs: "8.8.0" + endgame: "8.4.0" + "8.9.0": beats: "8.9.0" ecs: "8.9.0" diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index b59efb5d6..d28d74a83 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -2,7 +2,7 @@ "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 206, "rule_name": "Attempt to Modify an Okta Policy Rule", "sha256": "ab816235d1086e87acda877a4f3bc72e72af952ecf7a40b59d2d45991812ef73", 
@@ -16,258 +16,346 @@ "version": 207 }, "00140285-b827-4aee-aa09-8113f58a08f3": { + "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Windows Utilities", "sha256": "ac7d08baf88d495e5767d5845ee47e22b500b643e11ca7e806309d30e958a1fc", "type": "eql", "version": 112 }, "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { + "min_stack_version": "8.3", "rule_name": "System Shells via Services", "sha256": "6685da19ff0ea1ee48d11d6029d1c69a780149fe7f8d8d9b2f60ed9766f28e71", "type": "eql", "version": 110 }, "00678712-b2df-11ed-afe9-f661ea17fbcc": { + "min_stack_version": "8.4", "rule_name": "Google Workspace Suspended User Account Renewed", "sha256": "cfbc6ffe95e39937d68146e42f932947e2c3c96cc9a42ab296e12bc8c613f5f1", "type": "query", "version": 2 }, "0136b315-b566-482f-866c-1d8e2477ba16": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 User Restricted from Sending Email", + "sha256": "3801a06e2eb380734652847208adb12ceb5e1bb394da148a047b8a25afe3bc17", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 User Restricted from Sending Email", "sha256": "35df6afe89ac91c72e0499d991574f17f0b1d4567e874f7e65976b6828bfac4f", "type": "query", "version": 206 }, "015cca13-8832-49ac-a01b-a396114809f6": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Redshift Cluster Creation", + "sha256": "7a1faa4c3dfde300711d7bb69b6a93b8e64a3d33cc83a37a3d5cfcf6d9b09b2d", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Redshift Cluster Creation", "sha256": "4b8809bf7107aa3e8169d82047acb52c422c663b159574d29a8176d7a9fb6dca", "type": "query", "version": 206 }, "0171f283-ade7-4f87-9521-ac346c68cc9b": { + "min_stack_version": "8.3", "rule_name": "Potential Network Scan Detected", "sha256": "931bd95c0fff284b33e383dce3f3fccaf7b0c36b8b6b946b1c39ff5ded2aa8e1", "type": "threshold", "version": 5 }, 
"01c49712-25bc-49d2-a27d-d7ce52f5dc49": { + "min_stack_version": "8.6", "rule_name": "First Occurrence of GitHub User Interaction with Private Repo", "sha256": "adb33991bc7e05efa461ee20ccaa7ac960c540154ae482921c711a1e850b06cf", "type": "new_terms", "version": 1 }, "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { + "min_stack_version": "8.3", "rule_name": "Potential Cookies Theft via Browser Debugging", "sha256": "0ae709b171f47f1273c0e0cdc34fd30e5b64862da6d9840ff006ba59d85f9b10", "type": "eql", "version": 105 }, "0294f105-d7af-4a02-ae90-35f56763ffa2": { + "min_stack_version": "8.8", "rule_name": "First Occurrence of GitHub Repo Interaction From a New IP", "sha256": "5c428cb19c48c4a48a019d8275c5361269f5caba6736aec0a5304d2790f5789c", "type": "new_terms", "version": 1 }, "02a23ee7-c8f8-4701-b99d-e9038ce313cb": { + "min_stack_version": "8.4", "rule_name": "Process Created with an Elevated Token", "sha256": "a08170ff704e6eee3ac998cc9775b0a089926b6ba906ba421faa17c0c11a47db", "type": "eql", "version": 6 }, "02a4576a-7480-4284-9327-548a806b5e48": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", + "sha256": "8f8844fda927ba3149c7d983e7f7619e33e5745f8b1f389c0e10f3b6ba852e0a", + "type": "eql", + "version": 106 + } + }, "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", "sha256": "08ccb0b77ba1240408e1418cf800f0677b541367930b3cb9a986a4adfcbe2dac", "type": "eql", "version": 208 }, "02bab13d-fb14-4d7c-b6fe-4a28874d37c5": { + "min_stack_version": "8.3", "rule_name": "Potential Ransomware Note File Dropped via SMB", "sha256": "dafd8f85b8e37f96aaabd0405826cb232ac4c2f22571f2878d3a875a0e141da8", "type": "eql", "version": 1 }, "02ea4563-ec10-4974-b7de-12e65aa4f9b3": { + "min_stack_version": "8.3", "rule_name": "Dumping Account Hashes via Built-In Commands", "sha256": "450f7c6f060ecb022c4c2e14be6190a34524d0c07a56809370cfbd62e51f85bb", "type": "query", 
"version": 106 }, "03024bd9-d23f-4ec1-8674-3cf1a21e130b": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", + "sha256": "f0f075e54cb17ce304f0d93b12277a29c7b1454d8bec5c05615e31fc6ebee725", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", "sha256": "74d0cdf9039c5f529d26a7d3c4c076e387ed8e163e3ae7e021feb78bbd355573", "type": "query", "version": 206 }, "035889c4-2686-4583-a7df-67f89c292f2c": { + "min_stack_version": "8.3", "rule_name": "High Number of Process and/or Service Terminations", "sha256": "5bb8f568879a496363f640b8866b46e0a39fe4e15005cab6f5af9eb499e3584d", "type": "threshold", "version": 109 }, "035a6f21-4092-471d-9cda-9e379f459b1e": { + "min_stack_version": "8.3", "rule_name": "Potential Memory Seeking Activity", "sha256": "4fa0b41dabe97414e45d4ae961a4c4fd9c445bca04d51659e7251547e80fe258", "type": "eql", "version": 2 }, "0369e8a6-0fa7-4e7a-961a-53180a4c966e": { + "min_stack_version": "8.3", "rule_name": "Suspicious Dynamic Linker Discovery via od", "sha256": "4ae40153ed65b4fdddee0a5528f9123c100ef8e2ba1710993374975e3b6320d8", "type": "eql", "version": 2 }, "03a514d9-500e-443e-b6a9-72718c548f6c": { + "min_stack_version": "8.8", "rule_name": "SSH Process Launched From Inside A Container", "sha256": "f4b1b23b638e8ea812f6cf173daedccc2a82fb1df5feeca4e6723b6726052c4d", "type": "eql", "version": 2 }, "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": { + "min_stack_version": "8.3", "rule_name": "Potential Network Scan Executed From Host", "sha256": "d8d678cf5d5ac1994120d5171bc69702a7acd37f5bb9611dd14a19a952652ea4", "type": "threshold", "version": 3 }, "0415f22a-2336-45fa-ba07-618a5942e22c": { + "min_stack_version": "8.3", "rule_name": "Modification of OpenSSH Binaries", "sha256": "ceef6d0c728c9575da9bd78da19050dc7e02eaee57eca642272639b91d863494", "type": "query", "version": 109 }, 
"041d4d41-9589-43e2-ba13-5680af75ebc2": { + "min_stack_version": "8.3", "rule_name": "Deprecated - Potential DNS Tunneling via Iodine", "sha256": "bee1691d491fbbea753a91ebb85df78974469ba5769d4a517e72420787563047", "type": "query", "version": 105 }, "04c5a96f-19c5-44fd-9571-a0b033f9086f": { + "min_stack_version": "8.3", "rule_name": "Azure AD Global Administrator Role Assigned", "sha256": "fd3270ab237a24dde97ddba5bd81bde19c086742e131a59117fa0e610f05bef9", "type": "query", "version": 102 }, "053a0387-f3b5-4ba5-8245-8002cca2bd08": { + "min_stack_version": "8.3", "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", "sha256": "08eeec4ed1f73497e06767edc13231268e1d647f7b29f0401175d1618d04affa", "type": "eql", "version": 110 }, "054db96b-fd34-43b3-9af2-587b3bd33964": { + "min_stack_version": "8.6", "rule_name": "Potential Persistence Through Systemd-udevd", "sha256": "f62fb7313ec0d7a280a370adae0caf8ba65410a71d6574ade7ab588a95963763", "type": "new_terms", "version": 3 }, "0564fb9d-90b9-4234-a411-82a546dc1343": { + "min_stack_version": "8.3", "rule_name": "Microsoft IIS Service Account Password Dumped", "sha256": "a85b92effa53537c7a86f7871455c176bc2c48a6928248fa29dcf8a548677730", "type": "eql", "version": 110 }, "05b358de-aa6d-4f6c-89e6-78f74018b43b": { + "min_stack_version": "8.3", "rule_name": "Conhost Spawned By Suspicious Parent Process", "sha256": "0437ed81150e42654cb33e6ad318152edb266126d44225341bc12cc678bc578e", "type": "eql", "version": 110 }, "05cad2fb-200c-407f-b472-02ea8c9e5e4a": { + "min_stack_version": "8.3", "rule_name": "Tainted Kernel Module Load", "sha256": "ce113c2fec8fb1bd012edc6533530b5ebe0b8145fa062e4e77c0a909435c6bf4", "type": "query", "version": 4 }, "05e5a668-7b51-4a67-93ab-e9af405c9ef3": { + "min_stack_version": "8.3", "rule_name": "Interactive Terminal Spawned via Perl", "sha256": "e7a0bce29457ba5f1e9159d5e17e7344da87a83b390be4e989e842573acca754", "type": "query", "version": 108 }, 
"0635c542-1b96-4335-9b47-126582d2c19a": { + "min_stack_version": "8.3", "rule_name": "Remote System Discovery Commands", "sha256": "b86728d65216af8f9dfa8912908f8a4225fdff95bd52dd63c2483d7bdd8385b4", "type": "eql", "version": 112 }, "06568a02-af29-4f20-929c-f3af281e41aa": { + "min_stack_version": "8.3", "rule_name": "System Time Discovery", "sha256": "c26f50ed371b312a315bf0bbbc399f65d446218ecd7f63e471538c0e145ea7c9", "type": "eql", "version": 7 }, "0678bc9c-b71a-433b-87e6-2f664b6b3131": { + "min_stack_version": "8.9", "rule_name": "Unusual Remote File Size", "sha256": "db958e84da3e58cefee53ec77d608ff51199a4e721318451ce091585bb908cc1", "type": "machine_learning", "version": 3 }, "06a7a03c-c735-47a6-a313-51c354aef6c3": { + "min_stack_version": "8.3", "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE", "sha256": "4e653f97afcad71acd94ddf79e5534455c79986773fc543839900cc60e129d88", "type": "eql", "version": 7 }, "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { + "min_stack_version": "8.3", "rule_name": "Potential Evasion via Filter Manager", "sha256": "547a848b0b1c9458a6a838abb3430914bb8557a0b1bd030f11d882f5605e024c", "type": "eql", "version": 110 }, "074464f9-f30d-4029-8c03-0ed237fffec7": { + "min_stack_version": "8.3", "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", "sha256": "4682c4aac80de38bf56894acd47cac808366a9f47329763291361bb23756d3a8", "type": "eql", "version": 110 }, "07639887-da3a-4fbf-9532-8ce748ff8c50": { + "min_stack_version": "8.3", "rule_name": "GitHub Protected Branch Settings Changed", "sha256": "092ecb6ac6f1197744e2e114398553fa810674561481b66f9665c3ed95ff0017", "type": "eql", "version": 2 }, "0787daa6-f8c5-453b-a4ec-048037f6c1cd": { + "min_stack_version": "8.3", "rule_name": "Suspicious Proc Pseudo File System Enumeration", "sha256": "9dfcd341fcbfb91ac853a20da424eeb340c470adbfda7667e5f86e796de58ce5", "type": "threshold", "version": 7 }, "07b1ef73-1fde-4a49-a34a-5dd40011b076": { + "min_stack_version": "8.3", "rule_name": "Local Account 
TokenFilter Policy Disabled", "sha256": "1a734f41fd03d0ba5772ea20c1ee6db1efa178fc9f2c859a901c9c597ffaec46", "type": "eql", "version": 8 }, "07b5f85a-240f-11ed-b3d9-f661ea17fbce": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 103, + "rule_name": "Google Drive Ownership Transferred via Google Workspace", + "sha256": "4ec0b63c545009d7d16d34cd9b95f34edbcf4135f498aa77a805f544b07e6310", + "type": "query", + "version": 5 + } + }, "rule_name": "Google Drive Ownership Transferred via Google Workspace", "sha256": "9df4d9a342110c032419b2564bf6376a9357291ca8b3ead073faf9e5214419e6", "type": "query", "version": 106 }, "080bc66a-5d56-4d1f-8071-817671716db9": { + "min_stack_version": "8.3", "rule_name": "Suspicious Browser Child Process", - "sha256": "1678ce85ef34f778c0a71b6aec184f3f30550c0c641544c922f4ae9eee9dd5be", + "sha256": "1678ce85ef34f778c0a71b6aec184f3f30550c0c641544c922f4ae9eee9dd5be", "type": "eql", "version": 107 }, "082e3f8c-6f80-485c-91eb-5b112cb79b28": { + "min_stack_version": "8.3", "rule_name": "Launch Agent Creation or Modification and Immediate Loading", "sha256": "e27de95651bbdd93ef96aab3c00d5d496a005ac796a8a277a28331ad9552a879", "type": "eql", "version": 106 }, "083fa162-e790-4d85-9aeb-4fea04188adb": { + "min_stack_version": "8.3", "rule_name": "Suspicious Hidden Child Process of Launchd", "sha256": "997d8ce81fcbd8b47fa77b50434bd99ba1c4606f6d935a4af76098e5d9c28ece", "type": "query", "version": 106 }, "0859355c-0f08-4b43-8ff5-7d2a4789fc08": { + "min_stack_version": "8.4", "rule_name": "First Time Seen Removable Device", "sha256": "085b5157400c5090fec630066b9c606cb33fa8334b9c49babca8242399a11b91", "type": "new_terms", "version": 4 }, "089db1af-740d-4d84-9a5b-babd6de143b0": { + "min_stack_version": "8.3", "rule_name": "Windows Account or Group Discovery", "sha256": "45048599d6d9175e13e297d71afbd3a7d4d80e6d6421abd188c563a5c862bfbb", "type": "eql", 
@@ -280,18 +368,21 @@ "version": 100 }, "092b068f-84ac-485d-8a55-7dd9e006715f": { + "min_stack_version": "8.3", "rule_name": "Creation of Hidden Launch Agent or Daemon", "sha256": "bd61ec617f7cc0e401d2a89073a35ae316baab560f044fda528a0a38bbd2c993", "type": "eql", "version": 107 }, "09443c92-46b3-45a4-8f25-383b028b258d": { + "min_stack_version": "8.3", "rule_name": "Process Termination followed by Deletion", "sha256": "8628999b147b10ff30f618a79c4aee2123744abc0e2bb05cc8c98d11017145ad", "type": "eql", "version": 109 }, "095b6a58-8f88-4b59-827c-ab584ad4e759": { + "min_stack_version": "8.3", "rule_name": "Member Removed From GitHub Organization", "sha256": "425013c02e030ebacc0fd4c5249f59222b5afe82c2e8f03b6a1cc1139bdf917a", "type": "eql", @@ -304,18 +395,21 @@ "version": 100 }, "09bc6c90-7501-494d-b015-5d988dc3f233": { + "min_stack_version": "8.3", "rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory", "sha256": "bdc3b02c0073ad81ac689ad056327c1e74d84408ac65b51b4738e1fc7c3b5d13", "type": "eql", "version": 4 }, "09d028a5-dcde-409f-8ae0-557cef1b7082": { + "min_stack_version": "8.3", "rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted", "sha256": "08faf9e24053c3b8463889e3c47cec194c8acedaad33ce17bc7acd6ac50c3a53", "type": "query", "version": 102 }, "0a97b20f-4144-49ea-be32-b540ecc445de": { + "min_stack_version": "8.3", "rule_name": "Malware - Detected - Elastic Endgame", "sha256": "6e5837c5ce6d6866ed28e8c33e2bd9945580de7462f25874b585d7f96997daa2", "type": "query", @@ -331,7 +425,7 @@ "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 105, "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", "sha256": "434f9932a025ca56e9e7088380e4e35b25f922c6694252391c071315e7c84f14", 
@@ -345,42 +439,58 @@ "version": 106 }, "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { + "min_stack_version": "8.3", "rule_name": "Anomalous Windows Process Creation", "sha256": "a97e8495484e9053dfe57d0b3b3e2cc47984f3e326f8bce2c00bcab788337579", "type": "machine_learning", "version": 105 }, "0b2f3da5-b5ec-47d1-908b-6ebb74814289": { + "min_stack_version": "8.3", "rule_name": "User account exposed to Kerberoasting", "sha256": "830231e34039027f460477ed025efa9ef0a7efb45b9d97d43080f7d9deceeec3", "type": "query", "version": 109 }, "0b803267-74c5-444d-ae29-32b5db2d562a": { + "min_stack_version": "8.3", "rule_name": "Potential Shell via Wildcard Injection Detected", "sha256": "d23957bdc3e4530971529039105978c60ef34d1dda87b408528c03a1d39da1ca", "type": "eql", "version": 5 }, "0c093569-dff9-42b6-87b1-0242d9f7d9b4": { + "min_stack_version": "8.3", "rule_name": "Processes with Trailing Spaces", "sha256": "29769b5de5c0ab41be457818db9d6f387037ff6423addf05789011df15cbf286", "type": "eql", "version": 2 }, "0c41e478-5263-4c69-8f9e-7dfd2c22da64": { + "min_stack_version": "8.5", "rule_name": "Threat Intel IP Address Indicator Match", "sha256": "cd59f82b14abfb2a445bdd96682846602eb2f8abc1ef27f64dda99f452f99290", "type": "threat_match", "version": 6 }, "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { + "min_stack_version": "8.3", "rule_name": "Peripheral Device Discovery", "sha256": "f01eac25f9c7d222bc6e12ea4b86f7b4a06d4b76608183e9be91aaf9671427b7", "type": "eql", "version": 109 }, "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": { + "min_stack_version": "8.5", + "previous": { + "8.3": { + "max_allowable_version": 203, + "rule_name": "Threat Intel Indicator Match", + "sha256": "7d0bb73186b47e9fa99ec5b21fe2b862b5cbd6432100901fc476e30bced047a3", + "type": "threat_match", + "version": 105 + } + }, "rule_name": "Deprecated - Threat Intel Indicator Match", "sha256": "ec5023dc861db76d527d73f0343ba6a97b38c94f47aaa698929029d922d98e6a", "type": "threat_match", 
@@ -394,60 +504,97 @@ "version": 1 }, "0ce6487d-8069-4888-9ddd-61b52490cebc": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation", + "sha256": "2dfc5642c7eff9f946739bbe4289e5bd8fe6f4374a492ed1fc5215e7b6e721ff", + "type": "query", + "version": 106 + } + }, "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation", "sha256": "68fc02b03cbb322ff078a6a531807bf5fe21ae93726dad1ea16c11ed71d4c746", "type": "query", "version": 206 }, "0d160033-fab7-4e72-85a3-3a9d80c8bff7": { + "min_stack_version": "8.3", "rule_name": "Multiple Alerts Involving a User", "sha256": "43984fe31af84306a2a8266b867a70c8b185159a7419988e7211ff4a74fde252", "type": "threshold", "version": 3 }, "0d69150b-96f8-467c-a86d-a67a3378ce77": { + "min_stack_version": "8.3", "rule_name": "Nping Process Activity", "sha256": "b3f71d6cd3a2c3a2f492e825c65e78db5b3faa4eefed530678b5c504496230ec", "type": "eql", "version": 108 }, "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": { + "min_stack_version": "8.3", "rule_name": "Execution of File Written or Modified by Microsoft Office", "sha256": "e6fecbbaa834a04e699f62857b0e60f7e8c9bb3cb40d033165265ace22ac1cbb", "type": "eql", "version": 110 }, "0e4367a0-a483-439d-ad2e-d90500b925fd": { + "min_stack_version": "8.8", "rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)", "sha256": "87d0a19367e8add592f2100c95bd1076e0a1aea6b46d62bc39297eb59dffb3b8", "type": "new_terms", "version": 1 }, "0e52157a-8e96-4a95-a6e3-5faae5081a74": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "SharePoint Malware File Upload", + "sha256": "e32858e7a0449a506cfe595eabf2e1e82954cf683de287c05d0bf7295253c579", + "type": "query", + "version": 106 + } + }, "rule_name": "SharePoint Malware File Upload", "sha256": "815889da8ead699edd9b19124c697cd9038a641d065cf2dbfef062e81dfb5393", "type": "query", "version": 206 }, 
"0e5acaae-6a64-4bbc-adb8-27649c03f7e1": { + "min_stack_version": "8.3", "rule_name": "GCP Service Account Key Creation", "sha256": "ffe1bc8de6ff95c0fd9bb67fb93eace9b0ba96055cbf863fe0286dd7b033061b", "type": "query", "version": 104 }, "0e79980b-4250-4a50-a509-69294c14e84b": { + "min_stack_version": "8.3", "rule_name": "MsBuild Making Network Connections", "sha256": "c8013d923873ed418f022b29c77bb4c548a392af89e2a3cd747186d534386880", "type": "eql", "version": 109 }, "0f4d35e4-925e-4959-ab24-911be207ee6f": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 102, + "rule_name": "RC Script Creation", + "sha256": "56ff748867dc738357a731cfd37b4ae44c954383780d616e3d9034aed76dd9e1", + "type": "eql", + "version": 6 + } + }, "rule_name": "Potential Persistence Through Run Control Detected", "sha256": "6feb69680930d9a84dce295a56510b4938d7455565609a55b6f340a60f9eee5b", "type": "new_terms", "version": 110 }, "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": { + "min_stack_version": "8.3", "rule_name": "Netcat Listener Established via rlwrap", "sha256": "1f0f4f689d14c5e8a3b4843b2eeaad564fbc252458ad52473fa7fdcee3d19147", "type": "eql", 
@@ -460,18 +607,30 @@ "version": 100 }, "0f93cb9a-1931-48c2-8cd0-f173fd3e5283": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", + "sha256": "62abee660a99e58c72f6c4c79047fea8effc510ba10448a766fc3d03d4a36720", + "type": "threshold", + "version": 106 + } + }, "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", "sha256": "47d7607c096aab4bd73fbeb257e8746ed0ebb08d3f0e1cf65c62bc978d545735", "type": "threshold", "version": 208 }, "0ff84c42-873d-41a2-a4ed-08d74d352d01": { + "min_stack_version": "8.3", "rule_name": "Privilege Escalation via Root Crontab File Modification", "sha256": "77aa00047d7d61f2d5e30b916036032f69c56b68731a43c72c0c8f18adf55895", "type": "query", "version": 106 }, "10445cf0-0748-11ef-ba75-f661ea17fbcc": { + "min_stack_version": "8.9", "rule_name": "AWS IAM Login Profile Added to User", "sha256": "aa8a7eac601e73065c58f11ee43537d79be77a14b5a766d34772f5b1cc74c2e9", "type": "query", 
@@ -484,30 +643,53 @@ "version": 100 }, "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": { + "min_stack_version": "8.7", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "WebProxy Settings Modification", + "sha256": "6a6fc5b28bc33810532d1d7a900fbf07ff13f612317d5e8518f9b19104567c0a", + "type": "query", + "version": 106 + } + }, "rule_name": "WebProxy Settings Modification", "sha256": "aea77c71f5a15f5ba810f2f316aef50e4fa6948ad6b4e6b1c77449fd584157af", "type": "query", "version": 206 }, "11013227-0301-4a8c-b150-4db924484475": { + "min_stack_version": "8.3", "rule_name": "Abnormally Large DNS Response", "sha256": "a8cf0f414de9d2716b4dbf0198d541bf88a0777aefe1be83c09fc6f472d86721", "type": "query", "version": 105 }, "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { + "min_stack_version": "8.3", "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", "sha256": "47fb83a4f1705416ad0ba2cf6d42e319617bf0e145a68f21652116832e770309", "type": "eql", "version": 110 }, "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { + "min_stack_version": "8.3", "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", "sha256": "94905ad569d414ab1a3c0037dcdb641498c790debb11ceeea8d3354c9b7acd76", "type": "eql", "version": 111 }, "119c8877-8613-416d-a98a-96b6664ee73a": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS RDS Snapshot Export", + "sha256": "d7c79adde1bf89e2a7544eec2729c0b5c45c62fdcdd5f00090d28e5cb73f6da7", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS RDS Snapshot Export", "sha256": "a00e77547551b6a8212c1d2b2c97be59f34bacf51a65366e59724bb0f5d3060c", "type": "query", 
@@ -520,18 +702,30 @@ "version": 100 }, "11dd9713-0ec6-4110-9707-32daae1ee68c": { + "min_stack_version": "8.3", "rule_name": "PowerShell Script with Token Impersonation Capabilities", "sha256": "049b0cbfdd71a4ec9ecdce8350842eb7d32d60c45681f6342878de029adf212a", "type": "query", "version": 11 }, "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { + "min_stack_version": "8.3", "rule_name": "Third-party Backup Files Deleted via Unexpected Process", "sha256": "c0a79cd64ff9bae3ad1545d8a18809dd34644d93ed177bd5f4586a2bb2cb4dba", "type": "eql", "version": 112 }, "12051077-0124-4394-9522-8f4f4db1d674": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", + "sha256": "845e16fdf9dd59a0ee37658ad41a83a6149e5487422dac763de90cde6aad227f", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", "sha256": "15feead7d77394bd6bf71dd30d81329b1fbca72fbffc872a6f07f0b3a696b0d7", "type": "query", @@ -544,6 +738,7 @@ "version": 100 }, "1224da6c-0326-4b4f-8454-68cdc5ae542b": { + "min_stack_version": "8.9", "rule_name": "Suspicious Windows Process Cluster Spawned by a User", "sha256": "37bda4461229741fa959b9d762f3bf17c0d03378734fbc1a04cbe4563675bea6", "type": "machine_learning", 
@@ -556,48 +751,83 @@ "version": 100 }, "128468bf-cab1-4637-99ea-fdf3780a4609": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 104, + "rule_name": "Suspicious Lsass Process Access", + "sha256": "c30f6e62697cdaf210db4d6f79d2686bc91e4427ee7bbaea3468482a88373d5c", + "type": "eql", + "version": 5 + } + }, "rule_name": "Suspicious Lsass Process Access", "sha256": "5c2585fe5a2a7819a271da84ecd01be9aae6dd102b4b648aba3170d710547554", "type": "eql", "version": 107 }, "12a2f15d-597e-4334-88ff-38a02cb1330b": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 199, + "rule_name": "Kubernetes Suspicious Self-Subject Review", + "sha256": "658882e3d31e0988978c24743e8f15fb3423fde5b395cbfc75a641548a291359", + "type": "query", + "version": 101 + } + }, "rule_name": "Kubernetes Suspicious Self-Subject Review", "sha256": "88110d27337692c0a9c75ea40f6f8f7a3d14cb6e22a5864992d0ca94879b45ec", "type": "query", "version": 203 }, "12cbf709-69e8-4055-94f9-24314385c27e": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 199, + "rule_name": "Kubernetes Pod Created With HostNetwork", + "sha256": "00e261301692eeb8bc7453cbea5c4605ca9c6d2ae38199b35ad83ffd4a9d0c4b", + "type": "query", + "version": 101 + } + }, "rule_name": "Kubernetes Pod Created With HostNetwork", "sha256": "e48fb5d94222f67fbea19233c7fea01163d00908c3844df80f9e36d5e87ad7b7", "type": "query", "version": 203 }, "12de29d4-bbb0-4eef-b687-857e8a163870": { + "min_stack_version": "8.3", "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", "sha256": "cfc3f15827b9bb563753aa681d0ca6558f43be24b76a68468ff0df98e1f80d7a", "type": "eql", "version": 3 }, "12f07955-1674-44f7-86b5-c35da0a6f41a": { + "min_stack_version": "8.3", "rule_name": "Suspicious Cmd Execution via WMI", "sha256": "07748a896518875c7361a26af5beac29e29097fd6ec0285208e2e88d7df4a538", "type": "eql", "version": 111 }, 
"1327384f-00f3-44d5-9a8c-2373ba071e92": { + "min_stack_version": "8.3", "rule_name": "Persistence via Scheduled Job Creation", "sha256": "614d79b1b8057b2eb0a33fea72890f4c745a48ab6092bb1919f7a503d2de9471", "type": "eql", "version": 108 }, "138c5dd5-838b-446e-b1ac-c995c7f8108a": { + "min_stack_version": "8.3", "rule_name": "Rare User Logon", "sha256": "84ad771aac0fd0883efd7525692d964e0f85a436752431c84b7dc4e012b05679", "type": "machine_learning", "version": 104 }, "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": { + "min_stack_version": "8.3", "rule_name": "Potential Ransomware Behavior - High count of Readme files by System", "sha256": "c119669a028d3ccf727586836356bcd2113986db9358089ed57907330b748a73", "type": "threshold", 
@@ -610,102 +840,137 @@ "version": 100 }, "13e908b9-7bf0-4235-abc9-b5deb500d0ad": { + "min_stack_version": "8.9", "rule_name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity", "sha256": "e4aac0fcc25bbc7121134faf7852704142d562d2c72bf9973c69b0dfd8d6046c", "type": "eql", "version": 4 }, "141e9b3a-ff37-4756-989d-05d7cbf35b0e": { + "min_stack_version": "8.3", "rule_name": "Azure External Guest User Invitation", "sha256": "c606c9477a2fa88e6a1b70468ffa95df50528629745068026ef6c9758caadaf1", "type": "query", "version": 102 }, "143cb236-0956-4f42-a706-814bcaa0cf5a": { + "min_stack_version": "8.3", "rule_name": "RPC (Remote Procedure Call) from the Internet", "sha256": "9b392ee77e47d008944419960e03112af84f3ccc7b043af0c2d16d636e610214", "type": "query", "version": 103 }, "14dab405-5dd9-450c-8106-72951af2391f": { + "min_stack_version": "8.3", "rule_name": "Office Test Registry Persistence", "sha256": "b2c192b0f4c41a2de5c1f96b495002c57338a58a1e385275e8ea17208673bda2", "type": "eql", "version": 3 }, "14de811c-d60f-11ec-9fd7-f661ea17fbce": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 199, + "rule_name": "Kubernetes User Exec into Pod", + "sha256": "3d39cfe20aef41ad7da949c25c18b33868177276c2c4ee9af234be4282e68392", + "type": "query", + "version": 101 + } + }, "rule_name": "Kubernetes User Exec into Pod", "sha256": "2e20c515d2b1304091833efa5d5f19b38c4f1eaa4f2a5b3cdee64f89ed7bf4a9", "type": "query", "version": 203 }, "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": { + "min_stack_version": "8.3", "rule_name": "Potential Persistence via Time Provider Modification", "sha256": "d3adc721588e0ae5b24bc4f24e2615b84100397158efd20f6fa50212746fb697", "type": "eql", "version": 109 }, "1542fa53-955e-4330-8e4d-b2d812adeb5f": { + "min_stack_version": "8.3", "rule_name": "Execution from a Removable Media with Network Connection", "sha256": "08e49b310aebe20ea4da9f40fb9ce90e74aecdd6f957b972419ec258f95a26b4", "type": "eql", 
"version": 3 }, "15a8ba77-1c13-4274-88fe-6bd14133861e": { + "min_stack_version": "8.3", "rule_name": "Scheduled Task Execution at Scale via GPO", "sha256": "6bc3367c8bea5ce3680aa60ee8341e332dc12fe82786393e1b98fa8130a817c4", "type": "query", "version": 110 }, "15c0b7a7-9c34-4869-b25b-fa6518414899": { + "min_stack_version": "8.3", "rule_name": "Remote File Download via Desktopimgdownldr Utility", "sha256": "f31b60069f41b2547dfb226805c62256ec852c2b5ec5014524230d20ca42a646", "type": "eql", "version": 112 }, "15dacaa0-5b90-466b-acab-63435a59701a": { + "min_stack_version": "8.3", "rule_name": "Virtual Private Network Connection Attempt", "sha256": "52e3e7aa2ff5aaa21a773c0bc30319fdc45efdaaba99697504cbe1d2d2fd12a0", "type": "eql", "version": 107 }, "160896de-b66f-42cb-8fef-20f53a9006ea": { + "min_stack_version": "8.8", "rule_name": "Potential Container Escape via Modified release_agent File", "sha256": "198ac6af38569c23460312f45acfeb0bb1489a5761ed5536c026e9b6f8154ac3", "type": "eql", "version": 1 }, "16280f1e-57e6-4242-aa21-bb4d16f13b2f": { + "min_stack_version": "8.3", "rule_name": "Azure Automation Runbook Created or Modified", "sha256": "d63660127e37638852d3943a3f02745a9d7ecf28ffba3fd3d314558d66fa3633", "type": "query", "version": 102 }, "166727ab-6768-4e26-b80c-948b228ffc06": { + "min_stack_version": "8.3", "rule_name": "File Creation Time Changed", "sha256": "97689ef71b5c442a2f7ab44c32a163607b4189beb06ee6d37b4563b34ddedd0c", "type": "eql", "version": 5 }, "16904215-2c95-4ac8-bf5c-12354e047192": { + "min_stack_version": "8.3", "rule_name": "Potential Kerberos Attack via Bifrost", "sha256": "a410bedff2a62e53036e60647e7db0a18a0cc64c1bb6e0f0e225395665a9be6d", "type": "query", "version": 106 }, "169f3a93-efc7-4df2-94d6-0d9438c310d1": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS IAM Group Creation", + "sha256": "b742e26488a024ca917c76ed8b6d78e38bceaf88b12ac5a184cba21816858e5c", + "type": "query", + "version": 
105 + } + }, "rule_name": "AWS IAM Group Creation", "sha256": "4620f71e7445e4762398530b8020b93c31a36073051ab2f0820f982f55d43df1", "type": "query", "version": 206 }, "16a52c14-7883-47af-8745-9357803f0d4c": { + "min_stack_version": "8.3", "rule_name": "Component Object Model Hijacking", "sha256": "0895ba08cf37c96cf8d9fa25aa47f21883cbb621246244853ae74168e9818f08", "type": "eql", "version": 113 }, "16fac1a1-21ee-4ca6-b720-458e3855d046": { + "min_stack_version": "8.3", "rule_name": "Startup/Logon Script added to Group Policy Object", "sha256": "59d27ffb2150faa1ebe4b4b332f29ed9b1a561166aa568c6b699a55de0aec81f", "type": "query", 
@@ -719,54 +984,63 @@ "version": 1 }, "1781d055-5c66-4adf-9c59-fc0fa58336a5": { + "min_stack_version": "8.3", "rule_name": "Unusual Windows Username", "sha256": "3f017bebc4cd49b96144c2c37d613353b9c74438bb528240c830a99a32537120", "type": "machine_learning", "version": 104 }, "1781d055-5c66-4adf-9c71-fc0fa58338c7": { + "min_stack_version": "8.3", "rule_name": "Unusual Windows Service", "sha256": "89e1fd74a24609ea12f4b8735c03de06e82fa5940400ce7cc3860d473e9f9b9a", "type": "machine_learning", "version": 103 }, "1781d055-5c66-4adf-9d60-fc0fa58337b6": { + "min_stack_version": "8.3", "rule_name": "Suspicious Powershell Script", "sha256": "c3d4419ad9b4d398652f573451d61439143854032c964a86b28b44f63627d3d3", "type": "machine_learning", "version": 104 }, "1781d055-5c66-4adf-9d82-fc0fa58449c8": { + "min_stack_version": "8.3", "rule_name": "Unusual Windows User Privilege Elevation Activity", "sha256": "3e378c975b7684d44d468c1b90b70fd66198d70f52b1af31c2d9877e6e01cda5", "type": "machine_learning", "version": 103 }, "1781d055-5c66-4adf-9e93-fc0fa69550c9": { + "min_stack_version": "8.3", "rule_name": "Unusual Windows Remote User", "sha256": "83958e6d3f7ccbbbba3e4f0796b176f124604f15277f14ce33c142029d6c8ff9", "type": "machine_learning", "version": 103 }, "17b0a495-4d9f-414c-8ad0-92f018b8e001": { + "min_stack_version": "8.6", "rule_name": "New Systemd Service Created by Previously Unknown Process", "sha256": "a5967e9202be0f4e0df4d0f82dfd5f067e8bc9eea60585cbc5664b744761966d", "type": "new_terms", "version": 9 }, "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { + "min_stack_version": "8.3", "rule_name": "Renamed Utility Executed with Short Program Name", "sha256": "23f4030c21a08bb1eb019a328b8fe62aeea2683957f343f0399abdff84347b22", "type": "eql", "version": 109 }, "17e68559-b274-4948-ad0b-f8415bb31126": { + "min_stack_version": "8.3", "rule_name": "Unusual Network Destination Domain Name", "sha256": "d0d9eef72ecbbb7af63f2aa522abc13a4cba650dd6da7a17c6b37218c39c1fb8", "type": "machine_learning", 
"version": 103 }, "184dfe52-2999-42d9-b9d1-d1ca54495a61": { + "min_stack_version": "8.3", "rule_name": "GCP Logging Sink Modification", "sha256": "f831f5412e30676ce24c068dcaf3521ab6be818cb202bca3625fb0f61ea6c3b2", "type": "query", 
@@ -779,114 +1053,169 @@ "version": 100 }, "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": { + "min_stack_version": "8.9", "rule_name": "Spike in Number of Connections Made to a Destination IP", "sha256": "3e6623fdaad77b45863a2c6f198c7624d4b02fa0f1934011776802944a3348fb", "type": "machine_learning", "version": 3 }, "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": { + "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Recently Compiled Executable", "sha256": "1fd050c07f8fd38281dde31dc1bba3256181b411f576fcaa07b6ff077393de1f", "type": "eql", "version": 4 }, "19de8096-e2b0-4bd8-80c9-34a820813fff": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Rare AWS Error Code", + "sha256": "36fb7f357ab4c1d87f38a2a9f453fb1093c959582b23dda8d3071db185b7d65d", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Rare AWS Error Code", "sha256": "45da42408e9e47f7550b2ff787fd33fe211dc4d0c4ccbfd9342ae768d88384ec", "type": "machine_learning", "version": 208 }, "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": { + "min_stack_version": "8.9", "rule_name": "Spike in Number of Processes in an RDP Session", "sha256": "fc1329361d122f9fce2eca535c54dd0b8a1fee4f8d33775b225227e2d4084002", "type": "machine_learning", "version": 3 }, "1a289854-5b78-49fe-9440-8a8096b1ab50": { + "min_stack_version": "8.8", "rule_name": "Suspicious Network Tool Launched Inside A Container", "sha256": "e456a59a32e02e71884dee04e925140b321a34650d49651cf7216610213066fc", "type": "eql", "version": 2 }, "1a36cace-11a7-43a8-9a10-b497c5a02cd3": { + "min_stack_version": "8.3", "rule_name": "Azure Application Credential Modification", "sha256": "e08f14b9002ce52664d169dc98fd7a2d3fd3dd0e24933ce44ec2f0cc93f14b7a", "type": "query", "version": 102 }, "1a6075b0-7479-450e-8fe7-b8b8438ac570": { + "min_stack_version": "8.3", "rule_name": "Execution of COM object via Xwizard", "sha256": "069735bb9cd4e472acbdcba371bd44bb50df1f225267d294773ac746e8ecc9e5", "type": 
"eql", "version": 109 }, "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS CloudTrail Log Suspended", + "sha256": "e728282d89ab6116e74d508a075da4f9a1388ba2da235fd87605b4ad580312f0", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS CloudTrail Log Suspended", "sha256": "79a7a700b91ee492ba34e1584212dbac2ee5766b96b03f09c67c80be60c7726b", "type": "query", "version": 209 }, "1aa9181a-492b-4c01-8b16-fa0735786b2b": { + "min_stack_version": "8.3", "rule_name": "User Account Creation", "sha256": "96534addae6874564d720b53fb0d2b7f621702dd58f3fdebb1d3c69a80f55abb", "type": "eql", "version": 109 }, "1b0b4818-5655-409b-9c73-341cac4bb73f": { + "min_stack_version": "8.4", "rule_name": "Process Created with a Duplicated Token", "sha256": "8a3f85e624e03fc489be5ae5c3c3392fc053e5e5eed530158a04ccdf5754e802", "type": "eql", "version": 3 }, "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": { + "min_stack_version": "8.3", "rule_name": "Connection to Internal Network via Telnet", "sha256": "803c07bf24bc75956c52cc55234f63d9d5a1f1212b218d05190d23eb47d81f2e", "type": "eql", "version": 107 }, "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS ElastiCache Security Group Modified or Deleted", + "sha256": "bcef75f6d49bb03184f9398613ed080bc7bd2279da99afaa50ba68d3a99f3b4c", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS ElastiCache Security Group Modified or Deleted", "sha256": "4ec77baf3f125b101b58f9cdec2c125de10cdb0a80f5c9112906dc0be6b3480d", "type": "query", "version": 206 }, "1c27fa22-7727-4dd3-81c0-de6da5555feb": { + "min_stack_version": "8.3", "rule_name": "Potential Internal Linux SSH Brute Force Detected", "sha256": "346faa48fc37e53ed0faaaa6a2bee5597d92a0306565cfad61329c29b22f7516", "type": "eql", "version": 11 }, "1c5a04ae-d034-41bf-b0d8-96439b5cc774": { + 
"min_stack_version": "8.3", "rule_name": "Potential Process Injection from Malicious Document", "sha256": "cf0f3605f0acb1cc600d240d90683e7996a55174af3ca9f770db65371eb95bc1", "type": "eql", "version": 2 }, "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 211, + "rule_name": "Possible Consent Grant Attack via Azure-Registered Application", + "sha256": "bf4b6f557cbd3c0c009d3f0aa39401b563a920b2ed64f0d20ef86c9a95fc5e45", + "type": "query", + "version": 112 + } + }, "rule_name": "Possible Consent Grant Attack via Azure-Registered Application", "sha256": "483537ca1f0a318f54568c093b78b5eca0658c9ceb0ab3daeed48949bb0e18c7", "type": "query", "version": 212 }, "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { + "min_stack_version": "8.3", "rule_name": "Suspicious File Creation in /etc for Persistence", "sha256": "dde38b44453671943b7ae6cb4d6fef20e85307ac3723a158fe57ee96d8b1f29d", "type": "eql", "version": 113 }, "1c966416-60c1-436b-bfd0-e002fddbfd89": { + "min_stack_version": "8.3", "rule_name": "Azure Kubernetes Rolebindings Created", "sha256": "d86625ab5e731436d6846810c232431aafe71ea4ce7684c0f5ad7b03709bb6ce", "type": "query", "version": 102 }, "1ca62f14-4787-4913-b7af-df11745a49da": { + "min_stack_version": "8.3", "rule_name": "New GitHub App Installed", "sha256": "02e98cecd6d72a19ba1f1961d35d14774632ecb42f89c7fc7f1e162b60bc89fe", "type": "eql", "version": 1 }, "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { + "min_stack_version": "8.3", "rule_name": "Incoming Execution via WinRM Remote Shell", "sha256": "c2dcf9dc41b1c7835b791709f6bae17ad8765e7d39f7ab93d95f5368f5330f3a", "type": "eql", 
@@ -900,42 +1229,49 @@ "version": 2 }, "1d276579-3380-4095-ad38-e596a01bc64f": { + "min_stack_version": "8.3", "rule_name": "Remote File Download via Script Interpreter", "sha256": "3afe36281fd5b755b076bbb9801c4924e40bd5ea64954a50fc5bc408c7ddabed", "type": "eql", "version": 110 }, "1d72d014-e2ab-4707-b056-9b96abe7b511": { + "min_stack_version": "8.3", "rule_name": "External IP Lookup from Non-Browser Process", "sha256": "912ddc841c0eace4d5cc31a814d86a6177d5f51e6038d37bde4b9ed37ee62433", "type": "eql", "version": 108 }, "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": { + "min_stack_version": "8.3", "rule_name": "PowerShell Script with Encryption/Decryption Capabilities", "sha256": "56bbf0cae42f67fdd41f149363a1891554948e2dbd182c1e0c9fed1a39f36100", "type": "query", "version": 6 }, "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { + "min_stack_version": "8.3", "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", "sha256": "b09a3222c4eab9324474c30ec5eddb3cd13c0f86e3b9776fc690aa77d8fe9e9d", "type": "eql", "version": 109 }, "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": { + "min_stack_version": "8.4", "rule_name": "Suspicious Inter-Process Communication via Outlook", "sha256": "eb4c56089e3f5a64944ea09016b315e24d78a78381989d1d29939502318b82f1", "type": "eql", "version": 6 }, "1defdd62-cd8d-426e-a246-81a37751bb2b": { + "min_stack_version": "8.3", "rule_name": "Execution of File Written or Modified by PDF Reader", "sha256": "b1632c3ea7afb58a44d388ad05920751d22614d6714b65ffeb29af66d7ebf70d", "type": "eql", "version": 108 }, "1df1152b-610a-4f48-9d7a-504f6ee5d9da": { + "min_stack_version": "8.3", "rule_name": "Potential Linux Hack Tool Launched", "sha256": "d83c19a46e9401aef5cd62ba06786de63e0ea6448479965630475a6b00667731", "type": "eql", 
@@ -944,7 +1280,7 @@ "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 105, "rule_name": "PowerShell Script with Discovery Capabilities", "sha256": "f190de5af14bbb60e793a9add72d0cf2b89e9a8fd2f593c098664a50360aaf06", 
@@ -958,84 +1294,107 @@ "version": 107 }, "1e0b832e-957e-43ae-b319-db82d228c908": { + "min_stack_version": "8.3", "rule_name": "Azure Storage Account Key Regenerated", "sha256": "49bb6b71d6e597de0157a424d93fdb4690ae7ad2586b8d725a627878c02edc1e", "type": "query", "version": 102 }, "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": { + "min_stack_version": "8.3", "rule_name": "Creation of a DNS-Named Record", "sha256": "9b97868151d1bdb1c5754a996d30cf988232f389c492b7f9132402adae176f75", "type": "eql", "version": 1 }, "1e6363a6-3af5-41d4-b7ea-d475389c0ceb": { + "min_stack_version": "8.3", "rule_name": "Creation of SettingContent-ms Files", "sha256": "411958937e7a1d399c000c3ee9bc6e256d0b92a5aea3474e468b84f5991e8bed", "type": "eql", "version": 3 }, "1e9b271c-8caa-4e20-aed8-e91e34de9283": { + "min_stack_version": "8.8", "rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)", "sha256": "c4f772b100c3877e71a485342787e5f29775002ef02710d07bffd3db397230d0", "type": "new_terms", "version": 1 }, "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": { + "min_stack_version": "8.3", "rule_name": "Unusual Sudo Activity", "sha256": "aad0990989bfa63d159c45b28e23cec25bcdd6cb4054ad31584f085b1e38568c", "type": "machine_learning", "version": 103 }, "1f0a69c0-3392-4adf-b7d5-6012fd292da8": { + "min_stack_version": "8.3", "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell", "sha256": "dac35e0c6992ca7c37e472c37d77eaf0c2e9f17c74efd5f6531194cc4a769762", "type": "query", "version": 8 }, "1f460f12-a3cf-4105-9ebb-f788cc63f365": { + "min_stack_version": "8.3", "rule_name": "Unusual Process Execution on WBEM Path", "sha256": "3e850845c9653b3956dd9ccfe15415b8f6399a899dd58c87a592f2ae81b921de", "type": "eql", "version": 2 }, "1faec04b-d902-4f89-8aff-92cd9043c16f": { + "min_stack_version": "8.3", "rule_name": "Unusual Linux User Calling the Metadata Service", "sha256": "8eb47dead708d739318e797d2fac9c942978cd80eca1354c0063c15ff502adb9", "type": 
"machine_learning", "version": 103 }, "1fe3b299-fbb5-4657-a937-1d746f2c711a": { + "min_stack_version": "8.3", "rule_name": "Unusual Network Activity from a Windows System Binary", "sha256": "276423364d5b8bf0affee9f5efd056cba314fa27ef1d574a4ebe6f5b4e0e542e", "type": "eql", "version": 111 }, "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": { + "min_stack_version": "8.3", "rule_name": "Exploit - Detected - Elastic Endgame", "sha256": "fc5bc7344b50468b39f14fc82c958267c265618e2278cadaecafa7a7f1dab9a2", "type": "query", "version": 103 }, "201200f1-a99b-43fb-88ed-f65a45c4972c": { + "min_stack_version": "8.3", "rule_name": "Suspicious .NET Code Compilation", "sha256": "5fd6637d01d25848657a37779415e23778a84ee81a913351ee2bbb54701fe88a", "type": "eql", "version": 110 }, "202829f6-0271-4e88-b882-11a655c590d4": { + "min_stack_version": "8.3", "rule_name": "Executable Masquerading as Kernel Process", "sha256": "fa7e58294659262a26ba947cc59044854477a5a49edc98f0d6f896d91e1d9f6d", "type": "eql", "version": 2 }, "203ab79b-239b-4aa5-8e54-fc50623ee8e4": { + "min_stack_version": "8.3", "rule_name": "Creation or Modification of Root Certificate", "sha256": "a137b8929c8afb05318cec2dac421d5e03d1bba700cb7978151e0429bb7a6e53", "type": "eql", "version": 110 }, "2045567e-b0af-444a-8c0b-0b6e2dae9e13": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Route 53 Domain Transferred to Another Account", + "sha256": "cd100d12464b46b1f170d8e6b26ed144023ba52b4077a97354a6a9fcbabf7465", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Route 53 Domain Transferred to Another Account", "sha256": "140169be7f1e330d6e6068d329d4de47c02db8df773930e4ae57f7e5f36c9297", "type": "query", 
@@ -1044,7 +1403,7 @@ "20457e4f-d1de-4b92-ae69-142e27a4342a": { "min_stack_version": "8.11", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 206, "rule_name": "Access of Stored Browser Credentials", "sha256": "2096c9935d4a0209a44ab553fb8f3453c10cb834b1b2665a96e6f2852635d563", @@ -1058,12 +1417,14 @@ "version": 207 }, "205b52c4-9c28-4af4-8979-935f3278d61a": { + "min_stack_version": "8.3", "rule_name": "Werfault ReflectDebugger Persistence", "sha256": "b892d4534c1a5905601ccc529ccaedbf3f944ac4e46b8475f4ac04d2752af982", "type": "eql", "version": 2 }, "208dbe77-01ed-4954-8d44-1e5751cb20de": { + "min_stack_version": "8.3", "rule_name": "LSASS Memory Dump Handle Access", "sha256": "407aa36a170976cc90021ba2e2b10b9d211b7142cb685d4fcdede10a65073287", "type": "eql", 
@@ -1076,102 +1437,137 @@ "version": 100 }, "210d4430-b371-470e-b879-80b7182aa75e": { + "min_stack_version": "8.3", "rule_name": "Mofcomp Activity", "sha256": "a7bd50e06e9eecee6eb4de339db9e9e7ffc5b08ce32a9bc2a119b2aa4f2fdf45", "type": "eql", "version": 2 }, "2138bb70-5a5e-42fd-be5e-b38edf6a6777": { + "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Child", "sha256": "cda609fdc97eb250f4f9c03ad3abf9c6760ae78ab03cc3f8fad23789f6ca8ade", "type": "eql", "version": 2 }, "21bafdf0-cf17-11ed-bd57-f661ea17fbcc": { + "min_stack_version": "8.4", "rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", "sha256": "8b83d7d20910ac09b5cd9f7b2e96a38f9b03f38f314ecf1f779637906818161b", "type": "new_terms", "version": 3 }, "220be143-5c67-4fdb-b6ce-dd6826d024fd": { + "min_stack_version": "8.3", "rule_name": "Full User-Mode Dumps Enabled System-Wide", "sha256": "9252233dd00ddb80533d2b70ccda0987fc97cab21f4fe935dcb0806e07dc9354", "type": "eql", "version": 7 }, "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 203, + "rule_name": "SSH Authorized Keys File Modification", + "sha256": "8e07f35dbd0f747e519638ad9464ab2502ac2d84b6db85f092155081cf57f23c", + "type": "query", + "version": 104 + } + }, "rule_name": "SSH Authorized Keys File Modification", "sha256": "093ec92b83608b188904a800b2dc5dc20b93d5e0b11e10e6da27f754f44a18e0", "type": "new_terms", "version": 205 }, "22599847-5d13-48cb-8872-5796fee8692b": { + "min_stack_version": "8.3", "rule_name": "SUNBURST Command and Control Activity", "sha256": "28c3a8e43a93472d905579b46b496842487fb7c462bf01bdbde7cdc16361b2e7", "type": "eql", "version": 108 }, "227dc608-e558-43d9-b521-150772250bae": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "AWS S3 Bucket Configuration Deletion", + "sha256": "ad8600664f0e0704b136c9959aec90beb90d433fd1457d49adc4e920ad882f17", + "type": 
"query", + "version": 106 + } + }, "rule_name": "AWS S3 Bucket Configuration Deletion", "sha256": "c893799e9c59f2c1403b0350b301a705c63a0d1c86f201f9b1effafd647a7629", "type": "query", "version": 207 }, "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": { + "min_stack_version": "8.3", "rule_name": "Potential Shell via Web Server", "sha256": "95829ac14cae4f4c82e003be08372f6c44edc266c796409e6971824d0be747f1", "type": "query", "version": 105 }, "2326d1b2-9acf-4dee-bd21-867ea7378b4d": { + "min_stack_version": "8.3", "rule_name": "GCP Storage Bucket Permissions Modification", "sha256": "278f8d56c3932a208c4873795aa99690d1d05550d1e099c6fcdb6f6fca729604", "type": "query", "version": 104 }, "2339f03c-f53f-40fa-834b-40c5983fc41f": { + "min_stack_version": "8.3", "rule_name": "Kernel Module Load via insmod", "sha256": "3327b2f3c9c739028f181cd20b7cf3e768c7eae5f4363b478ef982fee21b8eb2", "type": "eql", "version": 109 }, "2377946d-0f01-4957-8812-6878985f515d": { + "min_stack_version": "8.9", "rule_name": "Deprecated - Remote File Creation on a Sensitive Directory", "sha256": "6a0b13ec054468e1055fdcc971c3fbc84f6f9054c828eca4d3c0fa648b9c5fb4", "type": "eql", "version": 2 }, "23bcd283-2bc0-4db2-81d4-273fc051e5c0": { + "min_stack_version": "8.6", "rule_name": "Unknown Execution of Binary with RWX Memory Region", "sha256": "b160874aab9501cba7d0344a3fcb2181a25f3d7a5067a23804bc3f8abb705dd1", "type": "new_terms", "version": 1 }, "24401eca-ad0b-4ff9-9431-487a8e183af9": { + "min_stack_version": "8.3", "rule_name": "New GitHub Owner Added", "sha256": "30fc492bcc0364696d21c281124ec1d963222a387430bd66f8db31b80df23764", "type": "eql", "version": 3 }, "25224a80-5a4a-4b8a-991e-6ab390465c4f": { + "min_stack_version": "8.3", "rule_name": "Lateral Movement via Startup Folder", "sha256": "dcf5239bdf937bd790a721fc5c7fceea3af8c5377ce0b466359a5ebb23a57ed6", "type": "eql", "version": 108 }, "2553a9af-52a4-4a05-bb03-85b2a479a0a0": { + "min_stack_version": "8.3", "rule_name": "Potential PowerShell HackTool Script by 
Author", "sha256": "cbf8a4fc5c8f2ee86365483602e84f800fbd791c3e29fe467f20a6333d47dfc3", "type": "query", "version": 1 }, "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": { + "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Background Process", "sha256": "0ffb76c84bbd4407b32cb3cde060faa39ff1aca7f3f59d031d45d7e449cb74d5", "type": "eql", "version": 4 }, "25d917c4-aa3c-4111-974c-286c0312ff95": { + "min_stack_version": "8.6", "rule_name": "Network Activity Detected via Kworker", "sha256": "6169ab76be1ab1b6d165bc6e91e309957523da07f42cfa74c0b2eabc0fff457b", "type": "new_terms", 
@@ -1185,36 +1581,51 @@ "version": 1 }, "2605aa59-29ac-4662-afad-8d86257c7c91": { + "min_stack_version": "8.3", "rule_name": "Potential Suspicious DebugFS Root Device Access", "sha256": "412a8490a6178fe02adf3eb8d88b4b119d8af57a0e8583ca4a61a6504c554ab5", "type": "eql", "version": 5 }, "2636aa6c-88b5-4337-9c31-8d0192a8ef45": { + "min_stack_version": "8.3", "rule_name": "Azure Blob Container Access Level Modification", "sha256": "b8c9984ea50176ed7e98738246a92b5729623ecdef068b256bd5deae26c26534", "type": "query", "version": 102 }, "265db8f5-fc73-4d0d-b434-6483b56372e2": { + "min_stack_version": "8.3", "rule_name": "Persistence via Update Orchestrator Service Hijack", "sha256": "b97eb034c01d5415f2b4529e1b4aeacb6d1b5858e035d9f7b16071f08a107800", "type": "eql", "version": 111 }, "26b01043-4f04-4d2f-882a-5a1d2e95751b": { + "min_stack_version": "8.3", "rule_name": "Privileges Elevation via Parent Process PID Spoofing", "sha256": "fe01406a8aba7ef1783b900ebd444367f6c97053baf29469fd03f5fe099c7517", "type": "eql", "version": 7 }, "26edba02-6979-4bce-920a-70b080a7be81": { + "min_stack_version": "8.3", "rule_name": "Azure Active Directory High Risk User Sign-in Heuristic", "sha256": "81486e6269e07586e44c0e2e31d679dd20a6c335f856a8adad10143d41b7ada7", "type": "query", "version": 105 }, "26f68dba-ce29-497b-8e13-b4fde1db5a2d": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", + "sha256": "ab30e15051fb603800f933ba9b3f6539ac75a662fd2dfcbe66c8f7121c7608a9", + "type": "threshold", + "version": 107 + } + }, "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", "sha256": "a8e968ab16236593316417aca2763610f442cfa6d00fe3c5a4a453085fc7f633", "type": "threshold", 
@@ -1223,7 +1634,7 @@ "27071ea3-e806-4697-8abc-e22c92aa4293": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 104, "rule_name": "PowerShell Script with Archive Compression Capabilities", "sha256": "e45eab95dfc89f02571c3f4a759eccf69d16d6b97a471c585cf0cea086acc29f", 
@@ -1237,36 +1648,60 @@ "version": 105 }, "2724808c-ba5d-48b2-86d2-0002103df753": { + "min_stack_version": "8.3", "rule_name": "Attempt to Clear Kernel Ring Buffer", "sha256": "b84e6128363d24d3503b13f1a618bc430f08140f5a82611c3c3e4f3a5271d2b5", "type": "eql", "version": 4 }, "272a6484-2663-46db-a532-ef734bf9a796": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Exchange Transport Rule Modification", + "sha256": "fbfde864c7e1f31e7fcfef374c9517e890a58223969f83a4c15fee6afb623353", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Exchange Transport Rule Modification", "sha256": "4901f8288ffd58d58227242aedd0caaab898038617870ffef05e9c235a9a082e", "type": "query", "version": 206 }, "2772264c-6fb9-4d9d-9014-b416eed21254": { + "min_stack_version": "8.3", "rule_name": "Incoming Execution via PowerShell Remoting", "sha256": "115702bf56a63d8b0495b440b3bc5f48f161657df80ecb5dd778177cad8cf99b", "type": "eql", "version": 109 }, "2783d84f-5091-4d7d-9319-9fceda8fa71b": { + "min_stack_version": "8.3", "rule_name": "GCP Firewall Rule Modification", "sha256": "7f903b4ec5008e277d2c4f30f030c9063155c7624b7938ba5d57635458cfbbdf", "type": "query", "version": 104 }, "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Teams External Access Enabled", + "sha256": "94685626f0a0ed06951084baeb71eae9ec250c07e2ccd46be608e1f1321d5726", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Teams External Access Enabled", "sha256": "0cb5f4c7faf103570f876bb43508577a2927c58a22ed1b35c609f2d195630f56", "type": "query", "version": 206 }, "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": { + "min_stack_version": "8.3", "rule_name": "Account Password Reset Remotely", "sha256": "b3b4c980cf7d25e52dfb1d1cc53500ac0a87c2b13922dccaf6b9de0b389532e7", "type": "eql", 
@@ -1280,18 +1715,21 @@ "version": 1 }, "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { + "min_stack_version": "8.3", "rule_name": "Account Discovery Command via SYSTEM Account", "sha256": "7395e4f0038f91caff80f8f82fb7a573cc2e3be731008e546f8e2f2738da7397", "type": "eql", "version": 111 }, "2863ffeb-bf77-44dd-b7a5-93ef94b72036": { + "min_stack_version": "8.3", "rule_name": "Exploit - Prevented - Elastic Endgame", "sha256": "72767580ec9592b48af7b23c8f44b94bf3c619c87d45496757413417e9238c4d", "type": "query", "version": 103 }, "28738f9f-7427-4d23-bc69-756708b5f624": { + "min_stack_version": "8.3", "rule_name": "Suspicious File Changes Activity Detected", "sha256": "a5b402b3a9e4d3ba808b853c5d78107f40d164ba390a347ef0ac078afaa5cc67", "type": "eql", 
@@ -1311,30 +1749,44 @@ "version": 2 }, "28d39238-0c01-420a-b77a-24e5a7378663": { + "min_stack_version": "8.3", "rule_name": "Sudo Command Enumeration Detected", "sha256": "70ed05b5053d1ac43542f1f8ffef64b0cfb2cb35c0a94eb8be86882438034320", "type": "eql", "version": 5 }, "28f6f34b-8e16-487a-b5fd-9d22eb903db8": { + "min_stack_version": "8.6", "rule_name": "Shell Configuration Modification", "sha256": "1082bfbb3e988caa2fc49527f3dcd4024a4657a591fb5edc4d08e2ba311ca62c", "type": "new_terms", "version": 1 }, "29052c19-ff3e-42fd-8363-7be14d7c5469": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Security Group Configuration Change Detection", + "sha256": "6eafdfc2847d0f8150d36752200d76b3777de7dd46ac7d6c1dab97c2b6afaa67", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Security Group Configuration Change Detection", "sha256": "193c2c66e45942d40a519ed5a0c174f69daf4d7c4057ce0af2cc77baa1e9658c", "type": "query", "version": 206 }, "290aca65-e94d-403b-ba0f-62f320e63f51": { + "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", "sha256": "f64dc97be4c992f52e4ecf99c9d964a2d99544bea2d8d33d80ba5e96d62d8f80", "type": "eql", "version": 112 }, "2917d495-59bd-4250-b395-c29409b76086": { + "min_stack_version": "8.3", "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", "sha256": "28ea0bbb12cf1c1a72a0c1b87a80fea6c5d0e587cd14d5b24db0b2b9550f5efc", "type": "eql", 
@@ -1343,7 +1795,14 @@ "291a0de9-937a-4189-94c0-3e847c8b13e4": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Enumeration of Privileged Local Groups Membership", + "sha256": "f1ce7be911b34a06915e3f07c41e6e91d314bf37dfb168fb109057d04b56b5c3", + "type": "eql", + "version": 108 + }, + "8.6": { "max_allowable_version": 310, "rule_name": "Enumeration of Privileged Local Groups Membership", "sha256": "4d67c645c194c7be0ae57c04360e2e8d9a4af8927da4a2dd4f0696029148e26d", 
@@ -1364,96 +1823,148 @@ "version": 1 }, "29ef5686-9b93-433e-91b5-683911094698": { + "min_stack_version": "8.6", "rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line", "sha256": "18bae187efca3e9942f377e9508ca6f0266f122ab379929ab8d6a0d22dc4a342", "type": "new_terms", "version": 1 }, "29f0cf93-d17c-4b12-b4f3-a433800539fa": { + "min_stack_version": "8.3", "rule_name": "Potential Linux SSH X11 Forwarding", "sha256": "359e41830e4fd4bfc9775176917b335b3c9188c05a983a056b52e796d20b6fd7", "type": "eql", "version": 3 }, "2a692072-d78d-42f3-a48a-775677d79c4e": { + "min_stack_version": "8.3", "rule_name": "Potential Code Execution via Postgresql", "sha256": "8bfe7f061ea6409e5ec8657a58cc81d8fd705e930ef358d31347a1ee67035391", "type": "eql", "version": 6 }, "2abda169-416b-4bb3-9a6b-f8d239fd78ba": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 199, + "rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume", + "sha256": "bd95cc69164fae41e991e31ae5435c01f2785e2c361dafea62766db0b0f66a10", + "type": "query", + "version": 101 + } + }, "rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume", "sha256": "2704808ccae32f5b44395171db755258b7e7a248df4bab32a33cddb2ac181df0", "type": "query", "version": 203 }, "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": { + "min_stack_version": "8.5", "rule_name": "ESXI Discovery via Grep", "sha256": "7f6bc06878f5c089508b21b556ed4a227c059d655b54717af4863db317dd6504", "type": "eql", "version": 6 }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { + "min_stack_version": "8.3", "rule_name": "Adobe Hijack Persistence", "sha256": "8cf9629ff73512110d78ffdd80f59c0e6d033ca48831d47133dee6dd51cb185d", "type": "eql", "version": 111 }, "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { + "min_stack_version": "8.3", "rule_name": "Windows Defender Exclusions Added via PowerShell", "sha256": "df6ed2953eabd8c292df3200fc51dd9222b2c0c3fd5b9174f66efb61a28bcd5b", "type": "eql", "version": 110 }, 
"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": { + "min_stack_version": "8.3", "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", "sha256": "de455f667043e9cf42dd5fe4ac1a588f29bf04c9e5ac3c78bf84f5849ae48494", "type": "eql", "version": 109 }, "2d8043ed-5bda-4caf-801c-c1feb7410504": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 203, + "rule_name": "Enumeration of Kernel Modules", + "sha256": "b3bad6443210cec62c090d0872efcafedb7565ac5fed882aa46afab6073c4e08", + "type": "eql", + "version": 105 + } + }, "rule_name": "Enumeration of Kernel Modules", "sha256": "4f8354117b7013f27de2b6338d831ecebb494b5dd5dc310f3d36de2e9df3e46e", "type": "new_terms", "version": 209 }, "2dd480be-1263-4d9c-8672-172928f6789a": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Suspicious Process Access via Direct System Call", + "sha256": "9aa09b7a6367bc4d21531ae1e5860ac4f0f89b9a2331c0c63032d8fa85c753e5", + "type": "eql", + "version": 108 + } + }, "rule_name": "Suspicious Process Access via Direct System Call", "sha256": "aaba8635a16d40c33ab3f1e45cdefdd5afa1682b6b46e0a9e59bb5714053e328", "type": "eql", "version": 211 }, "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": { + "min_stack_version": "8.3", "rule_name": "Potential SSH-IT SSH Worm Downloaded", "sha256": "b15d311e27e1605b59979cfacff8ed02534809f2ac3067c91d6f252b9c99532c", "type": "eql", "version": 3 }, "2de10e77-c144-4e69-afb7-344e7127abd0": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "O365 Excessive Single Sign-On Logon Errors", + "sha256": "6aafdc4d1c33f41d82f7a067cce68c407f9cc905aa5f0bcee8e8a3626f89a88e", + "type": "threshold", + "version": 107 + } + }, "rule_name": "O365 Excessive Single Sign-On Logon Errors", "sha256": "a6c2623e22edf439212d0065ea3329407e43fdc9756008e2a6cc39150c927f46", "type": "threshold", "version": 207 }, "2de87d72-ee0c-43e2-b975-5f0b029ac600": { + 
"min_stack_version": "8.3", "rule_name": "Wireless Credential Dumping using Netsh Command", "sha256": "469f29380de3612562dd52d96cf08b2590670a1f0ed5c09882c3caa6420fc78f", "type": "eql", "version": 8 }, "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": { + "min_stack_version": "8.3", "rule_name": "Renamed AutoIt Scripts Interpreter", "sha256": "a23203b35000455d7e15f08f4aa4523ffb4cf37e6277c5ad2afff5dfb75f06d4", "type": "eql", "version": 110 }, "2e29e96a-b67c-455a-afe4-de6183431d0d": { + "min_stack_version": "8.3", "rule_name": "Potential Process Injection via PowerShell", "sha256": "81ff8ad3429868b3ae4e62b20cdf7861c5912ea5ea56a373eb053a9ba8cafb2d", "type": "query", "version": 110 }, "2e311539-cd88-4a85-a301-04f38795007c": { + "min_stack_version": "8.3", "rule_name": "Accessing Outlook Data Files", "sha256": "d2e5a15c87b68da8ded83c3f04fd1cc0b2f38a858d9d58825ea43aa5b4d13c9d", "type": "eql", 
@@ -1467,192 +1978,233 @@ "version": 1 }, "2e580225-2a58-48ef-938b-572933be06fe": { + "min_stack_version": "8.3", "rule_name": "Halfbaked Command and Control Beacon", "sha256": "67f17bb4543d663bbd223adf3ed78c7e8f5018d561d5600b0b835ed24d9a6174", "type": "query", "version": 104 }, "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": { + "min_stack_version": "8.3", "rule_name": "Creation of a Hidden Local User Account", "sha256": "04e25e2a367da2d230efdd2c089caf2310ebc0b4555468d52654ae40cd73624f", "type": "eql", "version": 110 }, "2f0bae2d-bf20-4465-be86-1311addebaa3": { + "min_stack_version": "8.3", "rule_name": "GCP Kubernetes Rolebindings Created or Patched", "sha256": "bd0cfcd18ddea0b9730c52e91f2de67a9b343831ce2a5351233e44a328498830", "type": "query", "version": 101 }, "2f2f4939-0b34-40c2-a0a3-844eb7889f43": { + "min_stack_version": "8.3", "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", "sha256": "c854f417e250f05be348cb5bd38338d7abaf467dc4b5ab1ef0fd15c0fe00d652", "type": "query", "version": 110 }, "2f8a1226-5720-437d-9c20-e0029deb6194": { + "min_stack_version": "8.3", "rule_name": "Attempt to Disable Syslog Service", "sha256": "8780262dbf51119a57e1482fdc257e16b74e0e78063f08f70039f0e84bd8e10e", "type": "eql", "version": 109 }, "2f95540c-923e-4f57-9dae-de30169c68b9": { + "min_stack_version": "8.3", "rule_name": "Suspicious /proc/maps Discovery", "sha256": "ceb64517a4f38ec0b520e88bfd10c759040ae2fc573d8712c77889e56afddd93", "type": "eql", "version": 2 }, "2fba96c0-ade5-4bce-b92f-a5df2509da3f": { + "min_stack_version": "8.3", "rule_name": "Startup Folder Persistence via Unsigned Process", "sha256": "16889344ca9108bf590521debc5e7f4f79d260b86172b2f1df97f6014b9e5813", "type": "eql", "version": 109 }, "2ffa1f1e-b6db-47fa-994b-1512743847eb": { + "min_stack_version": "8.3", "rule_name": "Windows Defender Disabled via Registry Modification", "sha256": "c25dfc5c295e5fe0ef6c4bd03401308cc79d8069474d9a66e34a91f53a75d793", "type": "eql", "version": 111 }, 
"301571f3-b316-4969-8dd0-7917410030d3": { + "min_stack_version": "8.9", "rule_name": "Malicious Remote File Creation", "sha256": "3b64dae20a1caf09073534a22a7e22eb31c7ac6212a08748110048e1e2f0f2f0", "type": "eql", "version": 1 }, "30562697-9859-4ae0-a8c5-dab45d664170": { + "min_stack_version": "8.3", "rule_name": "GCP Firewall Rule Creation", "sha256": "bb0dfe6b9f2f4b9ceed60017b384a9ec5cdb5c52df95261b4b306681aa1f7a1e", "type": "query", "version": 104 }, "30bfddd7-2954-4c9d-bbc6-19a99ca47e23": { + "min_stack_version": "8.5", "rule_name": "ESXI Timestomping using Touch Command", "sha256": "3aded99ffea86675df0ab0f003bf86c0e5a794828e77b17812a3f979d0fb70ea", "type": "eql", "version": 8 }, "30e1e9f2-eb9c-439f-aff6-1e3068e99384": { + "min_stack_version": "8.3", "rule_name": "Suspicious Network Connection via Sudo Binary", "sha256": "7c7f71f10f08bbfa8f116046faf6e9487e82a654dc7c8ff4155bbb67fb267058", "type": "eql", "version": 2 }, "3115bd2c-0baa-4df0-80ea-45e474b5ef93": { + "min_stack_version": "8.3", "rule_name": "Agent Spoofing - Mismatched Agent ID", "sha256": "edb96a30a9a4b522b0f24c47e6c9e97132020bca3d111e9f0fb2478062ca5c46", "type": "query", "version": 101 }, "31295df3-277b-4c56-a1fb-84e31b4222a9": { + "min_stack_version": "8.3", "rule_name": "Inbound Connection to an Unsecure Elasticsearch Node", "sha256": "7aca9860d8b4e2d6a3c826f3c89aad15a3ccef60bdb18f3a6c0e5d9d5eb96446", "type": "query", "version": 104 }, "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { + "min_stack_version": "8.3", "rule_name": "Bypass UAC via Event Viewer", "sha256": "e6a2af9522e0e9af476dbdd8aacdf56e95e20a452abd93a0bbd42f622856b52c", "type": "eql", "version": 112 }, "3202e172-01b1-4738-a932-d024c514ba72": { + "min_stack_version": "8.3", "rule_name": "GCP Pub/Sub Topic Deletion", "sha256": "124b074b61fa892959b957078f6b0ce22d6fc14dfa12721b099e26e56784daa0", "type": "query", "version": 104 }, "32300431-c2d5-432d-8ec8-0e03f9924756": { + "min_stack_version": "8.6", "rule_name": "Network Connection from Binary 
with RWX Memory Region", "sha256": "2037bc6827adab74cd7f5d34cc9724885806f9d8b3ca6aad279ca53096b8b6f6", "type": "eql", "version": 1 }, "323cb487-279d-4218-bcbd-a568efe930c6": { + "min_stack_version": "8.3", "rule_name": "Azure Network Watcher Deletion", "sha256": "2639a17ce5e5d5cbfafd00c48a0d20d73a8f7fd26a389a962808a2d552c1cd1a", "type": "query", "version": 102 }, "32923416-763a-4531-bb35-f33b9232ecdb": { + "min_stack_version": "8.3", "rule_name": "RPC (Remote Procedure Call) to the Internet", "sha256": "7ca9c8daa861f8675fc6d90454ceb1fbbeb55621db753f0ffa615be1509581ea", "type": "query", "version": 103 }, "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { + "min_stack_version": "8.3", "rule_name": "Program Files Directory Masquerading", "sha256": "8cec03274c88dea9a86f4cc7af3af538103fe9b253736b1c5dd81848830076fa", "type": "eql", "version": 109 }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { + "min_stack_version": "8.3", "rule_name": "Suspicious MS Outlook Child Process", "sha256": "ab072081c0f447b8ae3f174016da6d44b3a3a21b5a3c6ca71506c4e0fd7246d3", "type": "eql", "version": 111 }, "333de828-8190-4cf5-8d7c-7575846f6fe0": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS IAM User Addition to Group", + "sha256": "02db7a25c54c4fbd473ce6ca4a124bfeaba29b63ff68e2d89d4cd27167d6ae7d", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS IAM User Addition to Group", "sha256": "5797f109e144dd874da2cd92796142c3e024058b0b7239fa006a719364423b46", "type": "query", "version": 209 }, "33a6752b-da5e-45f8-b13a-5f094c09522f": { + "min_stack_version": "8.5", "rule_name": "ESXI Discovery via Find", "sha256": "65285808d7e3a2abc4e4eafa9288e8e9c5d82f2dc7fd8f2cf160f7c224988f04", "type": "eql", "version": 6 }, "33f306e8-417c-411b-965c-c2812d6d3f4d": { + "min_stack_version": "8.3", "rule_name": "Remote File Download via PowerShell", "sha256": "a468cf285aeec523223067030229793d4769bc5659502779d939657e57a77976", "type": "eql", "version": 110 
}, "342f834b-21a6-41bf-878c-87d116eba3ee": { + "min_stack_version": "8.8", "rule_name": "Modification of Dynamic Linker Preload Shared Object Inside A Container", "sha256": "80a1285a2fc10cd2a83830beb16066febaf04201e827216516c4e4dc9b47ade6", "type": "eql", "version": 1 }, "345889c4-23a8-4bc0-b7ca-756bd17ce83b": { + "min_stack_version": "8.3", "rule_name": "GitHub Repository Deleted", "sha256": "e9e82f5d7ee55a265684b97bea6518e4cefa09ffbe5466a156316ba98ba8c744", "type": "eql", "version": 2 }, "34fde489-94b0-4500-a76f-b8a157cf9269": { + "min_stack_version": "8.3", "rule_name": "Accepted Default Telnet Port Connection", "sha256": "5a1c81a6f5119308ed2c419c07cd7d61610c4bf863351341f4f1c5c3d54644b1", "type": "query", "version": 104 }, "35330ba2-c859-4c98-8b7f-c19159ea0e58": { + "min_stack_version": "8.3", "rule_name": "Execution via Electron Child Process Node.js Module", "sha256": "e62ff0708c98fc9c3f113e773084f58a137eabb8da806c25c3871f0131fd7934", "type": "query", "version": 106 }, "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { + "min_stack_version": "8.3", "rule_name": "Port Forwarding Rule Addition", "sha256": "6898cb41a0f614b74222c1863817dc993d7470c5953727d9199a63308685d9cd", "type": "eql", "version": 110 }, "35a3b253-eea8-46f0-abd3-68bdd47e6e3d": { + "min_stack_version": "8.9", "rule_name": "Spike in Bytes Sent to an External Device", "sha256": "67a35f156241abf955e83450c9f9e4de70743aa2b982ae6e96fe95b1734847ac", "type": "machine_learning", "version": 3 }, "35df0dd8-092d-4a83-88c1-5151a804f31b": { + "min_stack_version": "8.3", "rule_name": "Unusual Parent-Child Relationship", "sha256": "1984aac08fb341387ffbc60fed85f41724c02408e79a0837eebfaff0eea168c3", "type": "eql", "version": 111 }, "35f86980-1fb1-4dff-b311-3be941549c8d": { + "min_stack_version": "8.3", "rule_name": "Network Traffic to Rare Destination Country", "sha256": "599670166b519587f8e2c8712aaec4839a9edfbd71f94eef4d3ca35a4bff8e82", "type": "machine_learning", 
@@ -1665,36 +2217,51 @@ "version": 100 }, "3688577a-d196-11ec-90b0-f661ea17fbce": { + "min_stack_version": "8.3", "rule_name": "Process Started from Process ID (PID) File", "sha256": "299fc2aae27ca710fe1c8e92af61046ea6040c245173fc7572644fa2aa4a9b1e", "type": "eql", "version": 109 }, "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { + "min_stack_version": "8.3", "rule_name": "Suspicious ImagePath Service Creation", "sha256": "dd157344f60c0f8cdf534de6a25fd8ec70ae6b174250971f224102c56b1ed3d2", "type": "eql", "version": 107 }, "36c48a0c-c63a-4cbc-aee1-8cac87db31a9": { + "min_stack_version": "8.9", "rule_name": "High Mean of Process Arguments in an RDP Session", "sha256": "9fa7888003d814e16febe8363b55e5c5d98fbebc187b1134b988a70bfa227457", "type": "machine_learning", "version": 3 }, "3728c08d-9b70-456b-b6b8-007c7d246128": { + "min_stack_version": "8.3", "rule_name": "Potential Suspicious File Edit", "sha256": "ad661308418ae98d99acfbe93160fc7b79bd560af7e212b8b2d582ca93665254", "type": "eql", "version": 4 }, "378f9024-8a0c-46a5-aa08-ce147ac73a4e": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS RDS Security Group Creation", + "sha256": "5b75c7ff3b23af486b2a98aa509dba99b6e5935a1884bcf20ce26298c87a413a", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS RDS Security Group Creation", "sha256": "a980e64d0ef17442e319eed703e3dc756434170c637087afded818fc1942c2e0", "type": "query", "version": 206 }, "37994bca-0611-4500-ab67-5588afe73b77": { + "min_stack_version": "8.3", "rule_name": "Azure Active Directory High Risk Sign-in", "sha256": "81cfc0cf1d22eac182fb2dbed83295eb880bff4c46b583ac7a02667c2bd7140a", "type": "query", 
@@ -1707,6 +2274,16 @@ "version": 100 }, "37b211e8-4e2f-440f-86d8-06cc8f158cfa": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS Execution via System Manager", + "sha256": "2cbc10f8cfc4b487c2e60d03f65c07f3edfffcc2aff4715f233e6dc5d5164c60", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS Execution via System Manager", "sha256": "5262f35d3a77b7ea661f2c08269986f36b47c9e01836ec71acf45e6f3653b88e", "type": "query", @@ -1715,7 +2292,7 @@ "37f638ea-909d-4f94-9248-edd21e4a9906": { "min_stack_version": "8.11", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Finder Sync Plugin Registered and Enabled", "sha256": "b0d1702942012aaf400be87038c53cf2ccc337510f3956545d8344b96c98a598", @@ -1731,7 +2308,7 @@ "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 206, "rule_name": "Attempted Bypass of Okta MFA", "sha256": "f4d46f02451d1b387f81c66eaf2bac499ae2b55dab8b5ff072060d572c17bae2", 
@@ -1745,54 +2322,81 @@ "version": 207 }, "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { + "min_stack_version": "8.3", "rule_name": "Network Connection via Certutil", "sha256": "6f47f5ed6240c55d50a34719a69f8cc06e2e1a96b3d7dbf8caed23d34f6fb612", "type": "eql", "version": 111 }, "38948d29-3d5d-42e3-8aec-be832aaaf8eb": { + "min_stack_version": "8.7", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Prompt for Credentials with OSASCRIPT", + "sha256": "5b889bbfa953251d11d08f3f3b13847eb4b5f05777c8cc9d80806943bc1e3d08", + "type": "eql", + "version": 107 + } + }, "rule_name": "Prompt for Credentials with OSASCRIPT", "sha256": "3032a13d5103580a7a71c386fb3b0871d65a29e3b195d7c15ef594679579b277", "type": "eql", "version": 207 }, "38e5acdd-5f20-4d99-8fe4-f0a1a592077f": { + "min_stack_version": "8.3", "rule_name": "User Added as Owner for Azure Service Principal", "sha256": "0366d38e25390f27d5a88679fdeb1186fa00482024bab6e37b84f6d6ee4bdf2f", "type": "query", "version": 102 }, "38f384e0-aef8-11ed-9a38-f661ea17fbcc": { + "min_stack_version": "8.4", "rule_name": "External User Added to Google Workspace Group", "sha256": "5b576006ba63579d8d410c1b6a505b7129e0e534887b142f08e9778bab82d1a1", "type": "eql", "version": 2 }, "39144f38-5284-4f8e-a2ae-e3fd628d90b0": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS EC2 Network Access Control List Creation", + "sha256": "dea5a5643f79a683de4d055fc1e7c3f2444af041cad46e962eea1d3f5f8310d4", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS EC2 Network Access Control List Creation", "sha256": "e91381a670fa911026a21863f0f82af1de6b7d106b32bea4d783d4e2c8ceddee", "type": "query", "version": 206 }, "39157d52-4035-44a8-9d1a-6f8c5f580a07": { + "min_stack_version": "8.3", "rule_name": "Downloaded Shortcut Files", "sha256": "a78fe7706bba28d2e8916c6285d2aa614ab127534029912e8e9ad9ab133792dc", "type": "eql", "version": 2 }, "397945f3-d39a-4e6f-8bcb-9656c2031438": { + 
"min_stack_version": "8.3", "rule_name": "Persistence via Microsoft Outlook VBA", "sha256": "552ee91e75f7ccd44773852337f72d88a83bf6868aa5afbefe6ff4634db9fff3", "type": "eql", "version": 107 }, "3a59fc81-99d3-47ea-8cd6-d48d561fca20": { + "min_stack_version": "8.3", "rule_name": "Potential DNS Tunneling via NsLookup", "sha256": "4a18eb2fad582229c98d6a037fd50e8c8c1ce71cc2a6442d5f73f60435460035", "type": "eql", "version": 110 }, "3a6001a0-0939-4bbe-86f4-47d8faeb7b97": { + "min_stack_version": "8.3", "rule_name": "Suspicious Module Loaded by LSASS", "sha256": "b774f07509146c401d27897d918bded4c1725c4bf5e8b457e9a749116e912d1f", "type": "eql", 
@@ -1805,48 +2409,56 @@ "version": 100 }, "3ad49c61-7adc-42c1-b788-732eda2f5abf": { + "min_stack_version": "8.3", "rule_name": "VNC (Virtual Network Computing) to the Internet", "sha256": "75c83bc25b63f6d009bfaa4c5ad8ac726f34d8463a71addc994107e75c6f41e3", "type": "query", "version": 104 }, "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": { + "min_stack_version": "8.3", "rule_name": "Azure Full Network Packet Capture Detected", "sha256": "5ff3c05e76cc5d8d9d4be4f532e57b7f4b864c7b441e409db8c6424396b0030d", "type": "query", "version": 103 }, "3af4cb9b-973f-4c54-be2b-7623c0e21b2b": { + "min_stack_version": "8.8", "rule_name": "First Occurrence of IP Address For GitHub User", "sha256": "4d1bb8c98fc64a88e74bb4e5379ca7a368d1223b9cfd87c6711e8cdb55b2e93a", "type": "new_terms", "version": 1 }, "3b382770-efbb-44f4-beed-f5e0a051b895": { + "min_stack_version": "8.3", "rule_name": "Malware - Prevented - Elastic Endgame", "sha256": "6f120439816dc0fbb5966bc6163654d86dd3d1325de8e31e9b58acc704fca442", "type": "query", "version": 103 }, "3b47900d-e793-49e8-968f-c90dc3526aa1": { + "min_stack_version": "8.3", "rule_name": "Unusual Parent Process for cmd.exe", "sha256": "b684f4c5fbb972a39c7c5707d9dd7519013e2a23854d99612acc986458b8327f", "type": "eql", "version": 110 }, "3bc6deaa-fbd4-433a-ae21-3e892f95624f": { + "min_stack_version": "8.3", "rule_name": "NTDS or SAM Database File Copied", "sha256": "9b7f98ccce2835bb0f4a66f0d771402a60aa80c0516f3c461f25258464d92dde", "type": "eql", "version": 112 }, "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": { + "min_stack_version": "8.3", "rule_name": "Unusual Linux Network Port Activity", "sha256": "a2800c6cc225debfe9958195da944e5b1ead6405ccad4dac405b7e7d337dade9", "type": "machine_learning", "version": 103 }, "3d00feab-e203-4acc-a463-c3e15b7e9a73": { + "min_stack_version": "8.3", "rule_name": "ScreenConnect Server Spawning Suspicious Processes", "sha256": "b8cf058fc04d31b542a9af0b67afca6876cd61ca3cbae997f11f1750d0e5c24c", "type": "eql", 
@@ -1855,7 +2467,7 @@ "3d3aa8f9-12af-441f-9344-9f31053e316d": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 104, "rule_name": "PowerShell Script with Log Clear Capabilities", "sha256": "89e12f38568452e05edf82a51f7ea6467b8b1350950e26a393767e49f1c702d0", 
@@ -1869,138 +2481,197 @@ "version": 105 }, "3e002465-876f-4f04-b016-84ef48ce7e5d": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS CloudTrail Log Updated", + "sha256": "c544d2bed3c1f0c3eb62422883fdd5c1a029d8a1e4ade88af0b3aaaa0955dc99", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS CloudTrail Log Updated", "sha256": "3f2192854f2b83093646d34a7cf62799413c920c797225c07eb86ab7f8021262", "type": "query", "version": 209 }, "3e0561b5-3fac-4461-84cc-19163b9aaa61": { + "min_stack_version": "8.9", "rule_name": "Spike in Number of Connections Made from a Source IP", "sha256": "e0f94b4cfe4ca344a1904651585a27509c31993709b1767adc5d92d1e020eb62", "type": "machine_learning", "version": 3 }, "3e0eeb75-16e8-4f2f-9826-62461ca128b7": { + "min_stack_version": "8.3", "rule_name": "Suspicious Execution via Windows Subsystem for Linux", "sha256": "2a6df6ecfdcec0cacd6cd3fbe669354f173ae5e52c45c067290621e97758d904", "type": "eql", "version": 6 }, "3e12a439-d002-4944-bc42-171c0dcb9b96": { + "min_stack_version": "8.3", "rule_name": "Kernel Driver Load", "sha256": "0d805e30368d7d1a1c774e0e29386cb807ff617bc0d294c11a6ecf97e9cf3bdc", "type": "eql", "version": 4 }, "3e3d15c6-1509-479a-b125-21718372157e": { + "min_stack_version": "8.3", "rule_name": "Suspicious Emond Child Process", "sha256": "7d78dc70f6217f921486f43f26839cb0fe33c9dcd5bfc983e0a3117ce260f1db", "type": "eql", "version": 106 }, "3e441bdb-596c-44fd-8628-2cfdf4516ada": { + "min_stack_version": "8.3", "rule_name": "Potential Remote File Execution via MSIEXEC", "sha256": "f427e7262f3caaa30fad3f63a14f32e77e72e8e8606381f64c7b2b3718fe7684", "type": "eql", "version": 3 }, "3ecbdc9e-e4f2-43fa-8cca-63802125e582": { + "min_stack_version": "8.3", "rule_name": "Privilege Escalation via Named Pipe Impersonation", "sha256": "f7be2ac3e9aac82f91122e2416bba98480072d50a299c9fb593ea60bf876b8d8", "type": "eql", "version": 110 }, "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": { + 
"min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Suspicious Process Creation CallTrace", + "sha256": "ef3b36cfe9937ac9e94d85f43e7c8d1eb725f6edec2353a6c3df2745f5d06fbb", + "type": "eql", + "version": 107 + } + }, "rule_name": "Suspicious Process Creation CallTrace", "sha256": "198d879bb094b81e6bb30e836abf7c7c2a2d4b08cf6f8de140a531126de8f927", "type": "eql", "version": 208 }, "3efee4f0-182a-40a8-a835-102c68a4175d": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Potential Password Spraying of Microsoft 365 User Accounts", + "sha256": "6f5fb726f163898f2ca5b0b8de75a346cda8451de239adb986ada4f3128b4c67", + "type": "threshold", + "version": 107 + } + }, "rule_name": "Potential Password Spraying of Microsoft 365 User Accounts", "sha256": "3ee6a597bfe462c8b9132d7ca83768025a28634b18c009db462cb0c3bd7bfe39", "type": "threshold", "version": 207 }, "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": { + "min_stack_version": "8.3", "rule_name": "CyberArk Privileged Access Security Error", "sha256": "c386d6369ab49aa1ccb5c14a29f84d5f2856b09ca44e9d53418a1477ace1a37a", "type": "query", "version": 102 }, "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": { + "min_stack_version": "8.3", "rule_name": "Potential Protocol Tunneling via Chisel Client", "sha256": "506ac5257e3fbd5947ce89f51b4a1154eea0e4245f3b8d26f1579ed36d7de792", "type": "eql", "version": 5 }, "3f3f9fe2-d095-11ec-95dc-f661ea17fbce": { + "min_stack_version": "8.3", "rule_name": "Binary Executed from Shared Memory Directory", "sha256": "6fe016ba390e8dc87666f4ef0c548568711ad0404b3acab74fedccdc68e0880d", "type": "eql", "version": 110 }, "3f4d7734-2151-4481-b394-09d7c6c91f75": { + "min_stack_version": "8.3", "rule_name": "Process Discovery via Built-In Applications", "sha256": "a1d18add228db670e888de746acabb7856747a256b80bf999d0e0b8829193b07", "type": "eql", "version": 3 }, "3f4e2dba-828a-452a-af35-fe29c5e78969": { + "min_stack_version": 
"8.9", "rule_name": "Unusual Time or Day for an RDP Session", "sha256": "2d41f9c292e0cfb545738b9fefb92890c35a74f559c525d8882ff69abb589281", "type": "machine_learning", "version": 3 }, "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": { + "min_stack_version": "8.9", "rule_name": "Unusual Process Spawned by a User", "sha256": "605a890392cba9a22d8ca7c2285cf0fe0e562dfeccb201126b50540f02b6567b", "type": "machine_learning", "version": 4 }, "4030c951-448a-4017-a2da-ed60f6d14f4f": { + "min_stack_version": "8.3", "rule_name": "GitHub User Blocked From Organization", "sha256": "6f42e7b01599241829e9077f402bbf6ff1ee20d99e201fb4416aeb827edbcce6", "type": "eql", "version": 1 }, "403ef0d3-8259-40c9-a5b6-d48354712e49": { + "min_stack_version": "8.3", "rule_name": "Unusual Persistence via Services Registry", "sha256": "ff437c6e2c47619b352ee9e1a2afc7a9efc07196a586924803b1daaf14e3c9d6", "type": "eql", "version": 108 }, "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 102, + "rule_name": "Suspicious Modprobe File Event", + "sha256": "57d346776e2d53dc371be91bf8eee48d1a5551497057024f0cba657e1b22f6d0", + "type": "eql", + "version": 4 + } + }, "rule_name": "Suspicious Modprobe File Event", "sha256": "2a6caaea58f921647c925b776c5a3263205f0e14402adfb96fe9784742822f0c", "type": "new_terms", "version": 107 }, "41284ba3-ed1a-4598-bfba-a97f75d9aba2": { + "min_stack_version": "8.3", "rule_name": "Unix Socket Connection", "sha256": "3205e8361a1f086b49b3af871c969ed11481015e0dff4ac8a9a0d72db9843e22", "type": "eql", "version": 2 }, "416697ae-e468-4093-a93d-59661fa619ec": { + "min_stack_version": "8.3", "rule_name": "Control Panel Process with Unusual Arguments", "sha256": "aa2506ef37c17be2ee06aaebfabb669748b8247f50e0664debb0e789db74ca71", "type": "eql", "version": 111 }, "41761cd3-380f-4d4d-89f3-46d6853ee35d": { + "min_stack_version": "8.8", "rule_name": "First Occurrence of User-Agent For a GitHub User", "sha256": 
"a9f5a86fb7a36ee7d65d9e567514f2f7240710d978434b414df63e8a2255365d", "type": "new_terms", "version": 1 }, "41824afb-d68c-4d0e-bfee-474dac1fa56e": { + "min_stack_version": "8.3", "rule_name": "EggShell Backdoor Execution", "sha256": "a000d7946f2d9c6608fef001a71aa8b626b93b668a56cb558aae7b94e49089cb", "type": "query", "version": 103 }, "41b638a1-8ab6-4f8e-86d9-466317ef2db5": { + "min_stack_version": "8.3", "rule_name": "Potential Hidden Local User Account Creation", "sha256": "41e2911f06e94357105e93c803ee44dbd7f4ec32bd8d4913fd5154123b4b677a", "type": "query", @@ -2014,6 +2685,7 @@ "version": 1 }, "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": { + "min_stack_version": "8.8", "rule_name": "Interactive Exec Command Launched Against A Running Container", "sha256": "3e2d9d02297e6659a2e22c12019c924caed14914e8e223416d9275a1c232f063", "type": "eql", @@ -2022,7 +2694,7 @@ "42bf698b-4738-445b-8231-c834ddefd8a0": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 206, "rule_name": "Okta Brute Force or Password Spraying Attack", "sha256": "882dcaea90df31c2153dbabfb17dc21bcc8f8866c862b5a02c20026eac301621", 
@@ -2036,108 +2708,126 @@ "version": 208 }, "42eeee3d-947f-46d3-a14d-7036b962c266": { + "min_stack_version": "8.3", "rule_name": "Process Creation via Secondary Logon", "sha256": "02389fa2b314a4c1b09a7516f22580f4b91f255f5f87e61cad90039acb6a26b0", "type": "eql", "version": 9 }, "4330272b-9724-4bc6-a3ca-f1532b81e5c2": { + "min_stack_version": "8.3", "rule_name": "Unusual Login Activity", "sha256": "178b730df2f0523fca5d50f1c7bfb91a3b574b4d6bfa9a475d11d6208ef93b2c", "type": "machine_learning", "version": 103 }, "43303fd4-4839-4e48-b2b2-803ab060758d": { + "min_stack_version": "8.3", "rule_name": "Web Application Suspicious Activity: No User Agent", "sha256": "dba7037fea9889f8f9bb14d8bc56ff2eb114acab0af17a595d777e53783c3919", "type": "query", "version": 101 }, "43d6ec12-2b1c-47b5-8f35-e9de65551d3b": { + "min_stack_version": "8.3", "rule_name": "Linux User Added to Privileged Group", "sha256": "3d53c3cf46875865535f808e7c6c2ef22a6d516d653fd23e37c8faaf4d477438", "type": "eql", "version": 6 }, "440e2db4-bc7f-4c96-a068-65b78da59bde": { + "min_stack_version": "8.3", "rule_name": "Startup Persistence by a Suspicious Process", "sha256": "83d79f7e35b069d84ce239901a6f3aaabd224e0494355f02c61e2650de4099c6", "type": "eql", "version": 110 }, "445a342e-03fb-42d0-8656-0367eb2dead5": { + "min_stack_version": "8.3", "rule_name": "Unusual Windows Path Activity", "sha256": "0c0dc0204bae57db331547a95b8be8a1a7a915fd32f0e9ed199b109a8418db7e", "type": "machine_learning", "version": 104 }, "4494c14f-5ff8-4ed2-8e99-bf816a1642fc": { + "min_stack_version": "8.3", "rule_name": "Potential Masquerading as VLC DLL", "sha256": "d9597f07d834346b49d0ec5d44b690415e313ac8d159ee72e5fa8335fd7e85fb", "type": "eql", "version": 3 }, "44fc462c-1159-4fa8-b1b7-9b6296ab4f96": { + "min_stack_version": "8.3", "rule_name": "Multiple Vault Web Credentials Read", "sha256": "24ee5dd513d2411aadcf6700b279d44bb0d803d6514f3d920e7071076e34d242", "type": "eql", "version": 10 }, "453183fa-f903-11ee-8e88-f661ea17fbce": { + 
"min_stack_version": "8.9", "rule_name": "Route53 Resolver Query Log Configuration Deleted", "sha256": "98d3f47b38a2e490eb32fe435fb1a3cdc74636dabc5fe7a97b731551b87ec8cd", "type": "query", "version": 1 }, "453f659e-0429-40b1-bfdb-b6957286e04b": { + "min_stack_version": "8.3", "rule_name": "Permission Theft - Prevented - Elastic Endgame", "sha256": "e125e05070fd9e4879366bc19b3262c739e7820cfa207a0de2ddd94c30c7459a", "type": "query", "version": 103 }, "45ac4800-840f-414c-b221-53dd36a5aaf7": { + "min_stack_version": "8.3", "rule_name": "Windows Event Logs Cleared", "sha256": "fc09cce15ed08c912228c02d8c8a913febbcfde1263a2410a281a5b780cbc1bd", "type": "query", "version": 108 }, "45d273fb-1dca-457d-9855-bcb302180c21": { + "min_stack_version": "8.3", "rule_name": "Encrypting Files with WinRar or 7z", "sha256": "b3b214a87a2d7efdda2a6e79454b84fdbae8dbfdb3834d1b51bdc0524f4e0b41", "type": "eql", "version": 111 }, "4630d948-40d4-4cef-ac69-4002e29bc3db": { + "min_stack_version": "8.3", "rule_name": "Adding Hidden File Attribute via Attrib", "sha256": "f28a8d21784231d74baa3c2c1bc50c52047b904b90baf5f454eff45f52d1ca07", "type": "eql", "version": 111 }, "4682fd2c-cfae-47ed-a543-9bed37657aa6": { + "min_stack_version": "8.3", "rule_name": "Potential Local NTLM Relay via HTTP", "sha256": "532a6ef376ad303e213a6c18952dbfd541118f748ed30402beff2be0870e927f", "type": "eql", "version": 109 }, "46f804f5-b289-43d6-a881-9387cf594f75": { + "min_stack_version": "8.3", "rule_name": "Unusual Process For a Linux Host", "sha256": "5fbea0760b51ff40b45435e9978a27fd21ee1b2a9792c2892ca01cc45f6dc782", "type": "machine_learning", "version": 104 }, "474fd20e-14cc-49c5-8160-d9ab4ba16c8b": { + "min_stack_version": "8.6", "rule_name": "Potential Persistence Through init.d Detected", "sha256": "cd769b23546bc7c66a492fb80d7c336f31823e527982f3185a9ad7b4c3686ee1", "type": "new_terms", "version": 9 }, "475b42f0-61fb-4ef0-8a85-597458bfb0a1": { + "min_stack_version": "8.8", "rule_name": "Sensitive Files Compression 
Inside A Container", "sha256": "4e4eac63997eab8b7b05da7301b3f3d904afbc53f9ac2c2789df7ff023df7939", "type": "eql", "version": 2 }, "47e22836-4a16-4b35-beee-98f6c4ee9bf2": { + "min_stack_version": "8.3", "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege", "sha256": "78feac62454588684cd56fc409cf666bba314b8537b67f5c8c1ee01afada874f", "type": "eql", 
@@ -2150,186 +2840,244 @@ "version": 100 }, "47f76567-d58a-4fed-b32b-21f571e28910": { + "min_stack_version": "8.3", "rule_name": "Apple Script Execution followed by Network Connection", "sha256": "1e70613b9ab01d3e1eabe9dc9ec52bb46b06c551a2bd5f19bc437c35219afd3a", "type": "eql", "version": 106 }, "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": { + "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", "sha256": "daa833de111fdd82adf05f6795ee87754f8dd5a0631fdc3857995779eeb0743e", "type": "eql", "version": 109 }, "48819484-9826-4083-9eba-1da74cd0eaf2": { + "min_stack_version": "8.8", + "previous": { + "8.6": { + "max_allowable_version": 104, + "rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId", + "sha256": "fadad966a91f932ed17c91f28dccd142d23d55cd4ae7ea7c57bdd1571b0c95ea", + "type": "new_terms", + "version": 5 + } + }, "rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId", "sha256": "25daf6eb0539fcc0694b22088a27dd0f67fcba06669cc69450e34b994cc642ea", "type": "new_terms", "version": 105 }, "48b3d2e3-f4e8-41e6-95e6-9b2091228db3": { + "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell", "sha256": "d2d12619cc88da5d442a1f223e4ccf1cdb06d037c5ab3440a7814cb9d6b11736", "type": "eql", "version": 8 }, "48b6edfc-079d-4907-b43c-baffa243270d": { + "min_stack_version": "8.3", "rule_name": "Multiple Logon Failure from the same Source Address", "sha256": "9ab25d365ce5c55e8b3447548326215241c5e3e269772cfda3d53460a796bd70", "type": "eql", "version": 9 }, "48d7f54d-c29e-4430-93a9-9db6b5892270": { + "min_stack_version": "8.3", "rule_name": "Unexpected Child Process of macOS Screensaver Engine", "sha256": "14e09fb223671c9a69d290403ce41fb14decb3fa7b322e5cdfee720edf523312", "type": "eql", "version": 107 }, "48ec9452-e1fd-4513-a376-10a1a26d2c83": { + "min_stack_version": "8.3", "rule_name": "Potential Persistence via Periodic Tasks", "sha256": "195c6ae2218bd1ce6a72411bb052c6c8be490604c24657b057699c3f7302aac6", 
"type": "query", "version": 106 }, "48f657ee-de4f-477c-aa99-ed88ee7af97a": { + "min_stack_version": "8.3", "rule_name": "Remote XSL Script Execution via COM", "sha256": "8dcdd68d3f519784397cb030a40cfccbf754fcc330df54ab782ff54a1bed69fc", "type": "eql", "version": 3 }, "493834ca-f861-414c-8602-150d5505b777": { + "min_stack_version": "8.3", "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent", "sha256": "6928326257c9c13a06c0f1b72217966aa1141319570100427a2bc9edc41964c0", "type": "threshold", "version": 101 }, "494ebba4-ecb7-4be4-8c6f-654c686549ad": { + "min_stack_version": "8.3", "rule_name": "Potential Linux Backdoor User Account Creation", "sha256": "13db3c2d1fc38751e03a07125ee9720d077032ecc780b0474951dcffa438ece8", "type": "eql", "version": 6 }, "495e5f2e-2480-11ed-bea8-f661ea17fbce": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 103, + "rule_name": "Application Removed from Blocklist in Google Workspace", + "sha256": "e61b1bbcf81ae0a39c5740592307709fdd354ac9c7ca1cff724f403f2683e67e", + "type": "query", + "version": 5 + } + }, "rule_name": "Application Removed from Blocklist in Google Workspace", "sha256": "458d45e2d4ec3ad54e104516c1bf827f241392740f457d0b358ed439cea466f4", "type": "query", "version": 106 }, "4973e46b-a663-41b8-a875-ced16dda2bb0": { + "min_stack_version": "8.6", "rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable", "sha256": "9fa82ebadcb5c5f29578c49072ea5d921ce9a8af05291cd755e5c6aefcc422d7", "type": "eql", "version": 3 }, "4982ac3e-d0ee-4818-b95d-d9522d689259": { + "min_stack_version": "8.3", "rule_name": "Process Discovery Using Built-in Tools", "sha256": "3760e37b4f14a48147ffb42a0e6ac8615c7a41564dcffc483719244adf4aac52", "type": "eql", "version": 4 }, "4a4e23cf-78a2-449c-bac3-701924c269d3": { + "min_stack_version": "8.3", "rule_name": "Possible FIN7 DGA Command and Control Behavior", "sha256": "42113dd49a2b2df45e90301ac64feac172a5fe2d5ae21baddb22e62943b28082", 
"type": "query", "version": 105 }, "4a99ac6f-9a54-4ba5-a64f-6eb65695841b": { + "min_stack_version": "8.3", "rule_name": "Potential Unauthorized Access via Wildcard Injection Detected", "sha256": "ead602528c1e965f9015450bec41285bbba8c0d37139735cfbf3eb7e954067ea", "type": "eql", "version": 5 }, "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": { + "min_stack_version": "8.3", "rule_name": "Potential Cross Site Scripting (XSS)", "sha256": "0ddba68a65a560e542542a531d9b0222a706b62e38442f5afb342b989f8d70fa", "type": "eql", "version": 1 }, "4b1a807a-4e7b-414e-8cea-24bf580f6fc5": { + "min_stack_version": "8.3", "rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process", "sha256": "a8340e173929cc26fccdb80d23355387d04d41b26c099412fc6542025089e982", "type": "eql", "version": 6 }, "4b438734-3793-4fda-bd42-ceeada0be8f9": { + "min_stack_version": "8.3", "rule_name": "Disable Windows Firewall Rules via Netsh", "sha256": "b071ea55c3cd817e5aec99970cd493053e2b94783f1aafb56e89004674a69b22", "type": "eql", "version": 110 }, "4b4e9c99-27ea-4621-95c8-82341bc6e512": { + "min_stack_version": "8.8", "rule_name": "Container Workload Protection", "sha256": "232d94bfc84f58f133c5ffa086853fc01f635acea7ff1d6298f9d781a383ed24", "type": "query", "version": 4 }, "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": { + "min_stack_version": "8.3", "rule_name": "ProxyChains Activity", "sha256": "2997e880be8be8e48bd8066e4736d34483677decfa5262604e7c884d9ff407d3", "type": "eql", "version": 4 }, "4b95ecea-7225-4690-9938-2a2c0bad9c99": { + "min_stack_version": "8.9", "rule_name": "Unusual Process Writing Data to an External Device", "sha256": "3659127431f2145c49922aa110bbe7be12f4776825ee1a24f2409945b3f414f0", "type": "machine_learning", "version": 3 }, "4bd1c1af-79d4-4d37-9efa-6e0240640242": { + "min_stack_version": "8.3", "rule_name": "Unusual Process Execution Path - Alternate Data Stream", "sha256": "8cd12a854dbd43e2cd0db12f9515413ced21fa11fbc405bf87983c4e4635ae45", "type": "eql", "version": 109 }, 
"4c59cff1-b78a-41b8-a9f1-4231984d1fb6": { + "min_stack_version": "8.3", "rule_name": "PowerShell Share Enumeration Script", "sha256": "95583fef64f6c5454d616320d43ceda2a467cb8e217231374faa423e8363fdf1", "type": "query", "version": 9 }, "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": { + "min_stack_version": "8.3", "rule_name": "Kernel Load or Unload via Kexec Detected", "sha256": "8cdb4afadd73272dc07ee9b31b8a8f1e2ab6d9ba07e75a228d827eb5cedf236e", "type": "eql", "version": 6 }, "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Management Console Brute Force of Root User Identity", + "sha256": "09c72f469d0aca040785500480c6c4086070ace209803e2f0b4f1d79de394a3f", + "type": "threshold", + "version": 106 + } + }, "rule_name": "AWS Management Console Brute Force of Root User Identity", "sha256": "64dc42dae58d6c7edafe597e4c2cf33845002b02ae71649f5f19a5efe11089c1", "type": "threshold", "version": 207 }, "4da13d6e-904f-4636-81d8-6ab14b4e6ae9": { + "min_stack_version": "8.3", "rule_name": "Attempt to Disable Gatekeeper", "sha256": "af8d10ad0bf3fd9de00ec04cf9ec8786a9deae55c4c5086fd8101b18e5ab22ba", "type": "query", "version": 106 }, "4de76544-f0e5-486a-8f84-eae0b6063cdc": { + "min_stack_version": "8.3", "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", "sha256": "8bf850df70b51fc76b714e18cd7a173376cb3f8b205d59d19bf4656ff704fada", "type": "eql", "version": 112 }, "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": { + "min_stack_version": "8.3", "rule_name": "Multiple Logon Failure Followed by Logon Success", "sha256": "8ed9b11012b3ceb54e839102d8ba6f90c8bc6f8e9c7d2069f8c01d504d8b13ce", "type": "eql", "version": 10 }, "4ec47004-b34a-42e6-8003-376a123ea447": { + "min_stack_version": "8.3", "rule_name": "Suspicious Process Spawned from MOTD Detected", "sha256": "5c74f520f2356f579a86fc666a87af41bd62c8e52f1edc1521b9f7bd58b3f461", "type": "eql", "version": 8 }, 
"4ed493fc-d637-4a36-80ff-ac84937e5461": { + "min_stack_version": "8.3", "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", "sha256": "46dc5171e6385fc71511dfe5c62bbfb3d211317614112565e2dbd8a177803a7b", "type": "eql", "version": 111 }, "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": { + "min_stack_version": "8.3", "rule_name": "Suspicious Script Object Execution", "sha256": "604ff31b37bb88ec61794d51e66317597ae32e1b24ffcd6bc110afddaf9259ed", "type": "eql", @@ -2338,7 +3086,7 @@ "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Unauthorized Access to an Okta Application", "sha256": "8e3e57e9dbe9ec6a8cc4673f80020513ca5a4c120e4a9efb9f8acc7a646de4c8", @@ -2359,6 +3107,7 @@ "version": 1 }, "4fe9d835-40e1-452d-8230-17c147cafad8": { + "min_stack_version": "8.3", "rule_name": "Execution via TSClient Mountpoint", "sha256": "7e36c4f41ffd47e55fb0504fb3dee66108c384d0a06ec60f2c6de1e2b5d702ef", "type": "eql", 
@@ -2372,78 +3121,109 @@ "version": 2 }, "51176ed2-2d90-49f2-9f3d-17196428b169": { + "min_stack_version": "8.3", "rule_name": "Windows System Information Discovery", "sha256": "e7f81d69a9300bde47134faf67e74e663bf52d62682494acfafebc8afa114273", "type": "eql", "version": 4 }, "5124e65f-df97-4471-8dcb-8e3953b3ea97": { + "min_stack_version": "8.3", "rule_name": "Hidden Files and Directories via Hidden Flag", "sha256": "997601d0253b1c3fc65712c6e0e2784ffba03a5f7b3926a5cf5e183aea3006d7", "type": "eql", "version": 2 }, "513f0ffd-b317-4b9c-9494-92ce861f22c7": { + "min_stack_version": "8.3", "rule_name": "Registry Persistence via AppCert DLL", "sha256": "0c9dc337aa75f6fa5139ce19167e415b0d8ecd48066d478250e49d78274e2ba1", "type": "eql", "version": 108 }, "514121ce-c7b6-474a-8237-68ff71672379": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", + "sha256": "a5c1852e0f0b5d54d522bc9d34146368b3966050fdbb0b514ad8a5c883a865c3", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", "sha256": "51cc46687ba4f2ec1ce8b6d3af9bcf1d8e6449e6300a2dfde2ec5442af150b87", "type": "query", "version": 206 }, "51859fa0-d86b-4214-bf48-ebb30ed91305": { + "min_stack_version": "8.3", "rule_name": "GCP Logging Sink Deletion", "sha256": "c9a8ece69b7f242aba612e1ba56c3839f13edb69babaff4ec9dd0f717dbcf827", "type": "query", "version": 104 }, "51a09737-80f7-4551-a3be-dac8ef5d181a": { + "min_stack_version": "8.3", "rule_name": "Tainted Out-Of-Tree Kernel Module Load", "sha256": "ade59253fc0de2627984007ba84a2d944a16000aa69c83193c63f1dda8b806fa", "type": "query", "version": 2 }, "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": { + "min_stack_version": "8.3", "rule_name": "Incoming DCOM Lateral Movement with MMC", "sha256": "7592f24cbedd399be83dd10921cadbae21a7f07859288848bc34cce173c9a03a", "type": "eql", "version": 108 }, 
"521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": { + "min_stack_version": "8.3", "rule_name": "Potential Successful Linux RDP Brute Force Attack Detected", "sha256": "3a3059d247c0e3ef2e352ab75eb703f91476c8c3f57f2b33c79c545cc0e34325", "type": "eql", "version": 7 }, "523116c0-d89d-4d7c-82c2-39e6845a78ef": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS GuardDuty Detector Deletion", + "sha256": "875d325d03aab871f3af655b2a4f09f60421b1863ada9a2e59e415560be70fa6", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS GuardDuty Detector Deletion", "sha256": "f4d0bc7c75781581ae0325bb506f235d080a25501776cac6a7268376499066ce", "type": "query", "version": 206 }, "52376a86-ee86-4967-97ae-1a05f55816f0": { + "min_stack_version": "8.3", "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)", "sha256": "1bda048bcd9c1bf57b4b123d710a6c78eb505e8a06f8d13ced365be3a3abfa5d", "type": "eql", "version": 112 }, "5297b7f1-bccd-4611-93fa-ea342a01ff84": { + "min_stack_version": "8.3", "rule_name": "Execution via Microsoft DotNet ClickOnce Host", "sha256": "71ef45621a5ba89795ad23007d4a9f50038ad681e75b73c50d4f275e0cd848b7", "type": "eql", "version": 1 }, "52aaab7b-b51c-441a-89ce-4387b3aea886": { + "min_stack_version": "8.3", "rule_name": "Unusual Network Connection via RunDLL32", "sha256": "30b9af8ec0f1c7c96bfc668ec005cc11e6b68a9d649ea1270b7f576bc393b37b", "type": "eql", "version": 109 }, "52afbdc5-db15-485e-bc24-f5707f820c4b": { + "min_stack_version": "8.3", "rule_name": "Unusual Linux Network Activity", "sha256": "17357496d0db27a4d0ccddae1c436a5239eced079e597b6deaf8b586add984e7", "type": "machine_learning", 
@@ -2462,24 +3242,37 @@ "version": 100 }, "530178da-92ea-43ce-94c2-8877a826783d": { + "min_stack_version": "8.3", "rule_name": "Suspicious CronTab Creation or Modification", "sha256": "a7492fef4099c032e096729ad621e9e19ed59798e0df2a83ef45c381a4d821ab", "type": "eql", "version": 106 }, "53617418-17b4-4e9c-8a2c-8deb8086ca4b": { + "min_stack_version": "8.6", "rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", "sha256": "f88c3c6d45fbe0bb6e1869423ab9e7667f5019abcead82c85039f1775a2b37ca", "type": "new_terms", "version": 8 }, "536997f7-ae73-447d-a12d-bff1e8f5f0a0": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS EFS File System or Mount Deleted", + "sha256": "dea68832916d128880a091971ddca7401be50c5a91b85315b44276c17c34b3a2", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS EFS File System or Mount Deleted", "sha256": "f0730064c70db89a626831b93e76595c6003a60060e20198818f45aa1f710990", "type": "query", "version": 206 }, "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": { + "min_stack_version": "8.3", "rule_name": "Azure Diagnostic Settings Deletion", "sha256": "d8cf4f99c49156e9bc70819e7e213ddc8254034a37779b4650402dfe6597dce2", "type": "query", @@ -2493,18 +3286,21 @@ "version": 4 }, "53a26770-9cbd-40c5-8b57-61d01a325e14": { + "min_stack_version": "8.3", "rule_name": "Suspicious PDF Reader Child Process", "sha256": "e67568b9c981e928c8780997ad8a1ad3532c6816c7ba4e0eaf9b8b18c5f3923b", "type": "eql", "version": 110 }, "53dedd83-1be7-430f-8026-363256395c8b": { + "min_stack_version": "8.3", "rule_name": "Binary Content Copy via Cmd.exe", "sha256": "5932e2f55f6f1e70ca53785865b24d7c502633270fe5df05d898167c0c36ab43", "type": "eql", "version": 3 }, "54902e45-3467-49a4-8abc-529f2c8cfb80": { + "min_stack_version": "8.3", "rule_name": "Uncommon Registry Persistence Change", "sha256": "62ae21bef70ecd1965d7f2e666f067077780c120bcbef93083911dea04b33b17", "type": "eql", 
@@ -2513,7 +3309,7 @@ "54a81f68-5f2a-421e-8eed-f888278bb712": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 107, "rule_name": "Exchange Mailbox Export via PowerShell", "sha256": "4a05779cfb9f68a05f85f4f67e3e5019e7ed90df2ad6d7626728154095aba9c2", @@ -2527,30 +3323,35 @@ "version": 108 }, "54c3d186-0461-4dc3-9b33-2dc5c7473936": { + "min_stack_version": "8.3", "rule_name": "Network Logon Provider Registry Modification", "sha256": "c432bc081898b9f4cbbf9aca1bfde2c778015db0534e78dddccc213f25c9ed59", "type": "eql", "version": 109 }, "55c2bf58-2a39-4c58-a384-c8b1978153c2": { + "min_stack_version": "8.3", "rule_name": "Windows Service Installed via an Unusual Client", "sha256": "522f9edf21b4768c2f43e0e448fb38e2603d76177730b764dd66e50b145aa56c", "type": "query", "version": 108 }, "55d551c6-333b-4665-ab7e-5d14a59715ce": { + "min_stack_version": "8.3", "rule_name": "PsExec Network Connection", "sha256": "b8614692008af5d487ed9f78c60675e92dacc3a24fce20a66b3c3b9fd0567f66", "type": "eql", "version": 109 }, "55f07d1b-25bc-4a0f-aa0c-05323c1319d0": { + "min_stack_version": "8.3", "rule_name": "Windows Installer with Suspicious Properties", "sha256": "ef9f5b3f0202dcd4e752c19f9ee8c807b55c72c653b8e1fa0399b2a0408c8753", "type": "eql", "version": 1 }, "56004189-4e69-4a39-b4a9-195329d226e9": { + "min_stack_version": "8.9", "rule_name": "Unusual Process Spawned by a Host", "sha256": "60181e72437ae398200e9082d83f05217fb1a24754604f6147a583f83048b853", "type": "machine_learning", @@ -2564,6 +3365,7 @@ "version": 1 }, "56557cde-d923-4b88-adee-c61b3f3b5dc3": { + "min_stack_version": "8.3", "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", "sha256": "aac24b839c4f5e1399effca0ee9a8800cd8ceebd4467a9a2785fab8cf4ae6576", "type": "query", 
@@ -2572,7 +3374,7 @@ "565c2b44-7a21-4818-955f-8d4737967d2e": { "min_stack_version": "8.11", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Potential Admin Group Account Addition", "sha256": "f0900e40693096576a20cfd51e40984df7b6149ec534b6d6e492162d871527e4", @@ -2586,12 +3388,14 @@ "version": 206 }, "565d6ca5-75ba-4c82-9b13-add25353471c": { + "min_stack_version": "8.3", "rule_name": "Dumping of Keychain Content via Security Command", "sha256": "ccf09271bdf9cd7de53d339b60a06f2e48c9a81fb9907a6f3d26b086d3e524fb", "type": "eql", "version": 107 }, "5663b693-0dea-4f2e-8275-f1ae5ff2de8e": { + "min_stack_version": "8.3", "rule_name": "GCP Logging Bucket Deletion", "sha256": "080210ccfb075c63c43cbbdd386dcf8857830563eb3757d61841656cf2099d2a", "type": "query", @@ -2600,7 +3404,7 @@ "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 209, "rule_name": "PowerShell PSReflect Script", "sha256": "65cd952645b44e0f83790a6d8175f52c74830218d8ebf22044c520c4176a4179", 
@@ -2614,156 +3418,218 @@ "version": 210 }, "56fdfcf1-ca7c-4fd9-951d-e215ee26e404": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 101, + "rule_name": "Execution of an Unsigned Service", + "sha256": "d6a1937f8097432a0d45cff0e4c52746877e8dfc576edec64a5e6235c80ca1bc", + "type": "eql", + "version": 2 + } + }, "rule_name": "Execution of an Unsigned Service", "sha256": "950af04b073c7a2de490bf6fe99a6aea6add2dc983a53d0882b4b3c7263fe0d9", "type": "new_terms", "version": 105 }, "5700cb81-df44-46aa-a5d7-337798f53eb8": { + "min_stack_version": "8.3", "rule_name": "VNC (Virtual Network Computing) from the Internet", "sha256": "08484b01efb6cd6e700e6ac39d1766a24491ac8d9aee3de5719c03ee0e204a06", "type": "query", "version": 104 }, "571afc56-5ed9-465d-a2a9-045f099f6e7e": { + "min_stack_version": "8.3", "rule_name": "Credential Dumping - Detected - Elastic Endgame", "sha256": "8bab78d440c061852a74557b6d3192c69d78b18dd0cabb79ef54bf9ae6f27234", "type": "query", "version": 103 }, "573f6e7a-7acf-4bcd-ad42-c4969124d3c0": { + "min_stack_version": "8.3", "rule_name": "Azure Virtual Network Device Modified or Deleted", "sha256": "fe8f8cc7acb845230d488c2148d4c27351978ae3582a05be60a1d7373afa9762", "type": "query", "version": 102 }, "577ec21e-56fe-4065-91d8-45eb8224fe77": { + "min_stack_version": "8.3", "rule_name": "PowerShell MiniDump Script", "sha256": "e3e3e2fe5144a3499378aee5b2b69396812d7753cec0e05000a5910187f5684b", "type": "query", "version": 108 }, "57bccf1d-daf5-4e1a-9049-ff79b5254704": { + "min_stack_version": "8.3", "rule_name": "File Staged in Root Folder of Recycle Bin", "sha256": "8529bac526d51a184db69b13d9f15bf676bc2b0c6152f40ae73019f4dc20c408", "type": "eql", "version": 3 }, "581add16-df76-42bb-af8e-c979bfb39a59": { + "min_stack_version": "8.3", "rule_name": "Deleting Backup Catalogs with Wbadmin", "sha256": "abc7e66357468013a69f39627f5e9976245ba741d55515881174e59942bf5edc", "type": "eql", "version": 111 }, 
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": { + "min_stack_version": "8.3", "rule_name": "RDP Enabled via Registry", "sha256": "509028755d9bbaaabe41c984eebff548de67f107f346e42b1b4ee27cd12d5fdb", "type": "eql", "version": 111 }, "58ac2aa5-6718-427c-a845-5f3ac5af00ba": { + "min_stack_version": "8.3", "rule_name": "Zoom Meeting with no Passcode", "sha256": "b3970e307a90b3715cd0032cccccfdf1b0a62c7e414d20462f6f5107916e4bff", "type": "query", "version": 103 }, "58bc134c-e8d2-4291-a552-b4b3e537c60b": { + "min_stack_version": "8.3", "rule_name": "Potential Lateral Tool Transfer via SMB Share", "sha256": "09b2312a59b33f13a4be41c88d7b5a3177bc1c158c0fa3c8118d4f33d7ccfe08", "type": "eql", "version": 108 }, "58c6d58b-a0d3-412d-b3b8-0981a9400607": { + "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver", "sha256": "9bae02d3c566f254d62cde13db4662546fcab189c9f3296fa8c3eea79178eb13", "type": "eql", "version": 111 }, "5919988c-29e1-4908-83aa-1f087a838f63": { + "min_stack_version": "8.3", "rule_name": "File or Directory Deletion Command", "sha256": "2aba7007a379369ba83e88547ca03adac0f28e90a937244de77c2270f5babb4a", "type": "eql", "version": 3 }, "5930658c-2107-4afc-91af-e0e55b7f7184": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "O365 Email Reported by User as Malware or Phish", + "sha256": "6f1117902fd841998a715673511a3831fe99e7a953113854fd094e8aaf57d935", + "type": "query", + "version": 106 + } + }, "rule_name": "O365 Email Reported by User as Malware or Phish", "sha256": "a384ae4e6ee0a0f14a297dd9980b3aae52fcba5a63e3fca63e28559480b62bef", "type": "query", "version": 206 }, "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "AWS CloudTrail Log Created", + "sha256": "0ebf115d87113f0fb8cfb856cf09dd40a7bc00703443d8f5dc149be5cf2d7a26", + "type": "query", + "version": 106 + } + }, 
"rule_name": "AWS CloudTrail Log Created", "sha256": "04381b6679e1f47a0de7e904dda384c87aaf3b510c9aca6f2045b8f2c4014fa7", "type": "query", "version": 207 }, "59756272-1998-4b8c-be14-e287035c4d10": { + "min_stack_version": "8.3", "rule_name": "Unusual Linux User Discovery Activity", "sha256": "f22f060fba5f9de2376d38ce5ced5885370cdee60ce06026422199c3d3636225", "type": "machine_learning", "version": 104 }, "5a14d01d-7ac8-4545-914c-b687c2cf66b3": { + "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", "sha256": "de3f257cc742ca2b940857157f38cb15c99e74a1a22250b9dff96d6e8a1685c4", "type": "eql", "version": 109 }, "5a3d5447-31c9-409a-aed1-72f9921594fd": { + "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Java", "sha256": "7679d1b0d0e253dc2747cdf1dff275208029db01cdbf4fd7e77f9070d56861a1", "type": "eql", "version": 8 }, "5ae02ebc-a5de-4eac-afe6-c88de696477d": { + "min_stack_version": "8.3", "rule_name": "Potential Chroot Container Escape via Mount", "sha256": "b49bf35138ec9338b49af77beb42c3d6ec44d6901dd364fe7aac536e60dfcbfc", "type": "eql", "version": 2 }, "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": { + "min_stack_version": "8.3", "rule_name": "Remote SSH Login Enabled via systemsetup Command", "sha256": "b1baf6af7bac12181427143fe903673699b5df38a14f3a8617a90c981cf52058", "type": "query", "version": 106 }, "5aee924b-6ceb-4633-980e-1bde8cdb40c5": { + "min_stack_version": "8.3", "rule_name": "Potential Secure File Deletion via SDelete Utility", "sha256": "b6aed219192c8865a107b6529d4d67d837edb4ed446fb8d026683108c4fbcd30", "type": "eql", "version": 109 }, "5b03c9fb-9945-4d2f-9568-fd690fee3fba": { + "min_stack_version": "8.3", "rule_name": "Virtual Machine Fingerprinting", "sha256": "bfc51d0f01ccf26b16f823ba658b02bf6e682d0262d9dfe410d1c9cb06d859c2", "type": "query", "version": 108 }, "5b06a27f-ad72-4499-91db-0c69667bffa5": { + "min_stack_version": "8.3", "rule_name": "SUID/SGUID Enumeration Detected", 
"sha256": "9374dc2038bb7999021a8e926287cd2cda2bd1abfa06f2f01d0af8be01679b40", "type": "eql", "version": 5 }, "5b18eef4-842c-4b47-970f-f08d24004bde": { + "min_stack_version": "8.3", "rule_name": "Suspicious which Enumeration", "sha256": "ffbcf6b936ee4ef4c9b312ca9bb5da9d942f9a8680301b5f0debf394ad42c5fa", "type": "eql", "version": 5 }, "5b9eb30f-87d6-45f4-9289-2bf2024f0376": { + "min_stack_version": "8.3", "rule_name": "Potential Masquerading as Browser Process", "sha256": "bd50fb4c4b5ec6a4ebd52c50a505e5dc1fe75637d51ad57a0f0e79dff682aea5", "type": "eql", "version": 4 }, "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": { + "min_stack_version": "8.3", "rule_name": "Suspicious PrintSpooler Service Executable File Creation", "sha256": "2e72ae9c5ca64669617999cec691b8f282cbf159464363b5d821bdddd4edd5d3", "type": "eql", "version": 108 }, "5beaebc1-cc13-4bfc-9949-776f9e0dc318": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS WAF Rule or Rule Group Deletion", + "sha256": "353bb55da009500a46a3701adb0b1bb680c718959d2e5969960085c211562f98", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS WAF Rule or Rule Group Deletion", "sha256": "6c4d3ab01c67010c4dd017c06f34cc2bba3765dc79133e8d5ba8fb7ecd657aa0", "type": "query", 
@@ -2777,84 +3643,116 @@ "version": 2 }, "5c602cba-ae00-4488-845d-24de2b6d8055": { + "min_stack_version": "8.3", "rule_name": "PowerShell Script with Veeam Credential Access Capabilities", "sha256": "c0587692912a44911b8bcee6cdac91e78ac6b0129e9fbb395e8b9c0381312ad0", "type": "query", "version": 1 }, "5c6f4c58-b381-452a-8976-f1b1c6aa0def": { + "min_stack_version": "8.4", "rule_name": "FirstTime Seen Account Performing DCSync", "sha256": "efaf2b94fb44203864342cbbad263757cf61dfe7c9be647fe038694e810170f4", "type": "new_terms", "version": 10 }, "5c81fc9d-1eae-437f-ba07-268472967013": { + "min_stack_version": "8.3", "rule_name": "Segfault Detected", "sha256": "67588b53b3aa8fcb88b35baa601ae2d44b31ffc590864787f6a46c72bc5b4dc8", "type": "query", "version": 1 }, "5c895b4f-9133-4e68-9e23-59902175355c": { + "min_stack_version": "8.6", "rule_name": "Potential Meterpreter Reverse Shell", "sha256": "eba0d9a274b902396a98f70bf3464b3faba30514532b52d48f11de4f46572076", "type": "eql", "version": 6 }, "5c983105-4681-46c3-9890-0c66d05e776b": { + "min_stack_version": "8.3", "rule_name": "Unusual Linux Process Discovery Activity", "sha256": "e67ff82fd38ab4af435c7cd93dee29535aac33d0dca591dada0c896337e58380", "type": "machine_learning", "version": 103 }, "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": { + "min_stack_version": "8.3", "rule_name": "Potential Defense Evasion via PRoot", "sha256": "74391c2ea26988cdbabaf1fe4da29601278aaa13c64140b557c38e53265b33e4", "type": "eql", "version": 7 }, "5cd55388-a19c-47c7-8ec4-f41656c2fded": { + "min_stack_version": "8.3", "rule_name": "Outbound Scheduled Task Activity via PowerShell", "sha256": "63aa403181709c3d123a628bdd843aacbbc3fff0eca0f17fccf30788068d58ef", "type": "eql", "version": 108 }, "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": { + "min_stack_version": "8.3", "rule_name": "User Added to Privileged Group", "sha256": "b33d6cc34a4b101cc79bc0c7f84cb361bcd02e5318b2295a57ebf4505ef0824d", "type": "eql", "version": 109 }, "5cf6397e-eb91-4f31-8951-9f0eaa755a31": { 
+ "min_stack_version": "8.3", "rule_name": "Persistence via PowerShell profile", "sha256": "63c2a0fb94471a31f7240d9055c159236c52f32dc1da1e3e4487dbf3479a6b60", "type": "eql", "version": 9 }, "5d0265bf-dea9-41a9-92ad-48a8dcd05080": { + "min_stack_version": "8.3", "rule_name": "Persistence via Login or Logout Hook", "sha256": "1c0e0922c06fa8aa81d5e8321d94552753e41e9f939f8cb35940afe5438945d8", "type": "eql", "version": 107 }, "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": { + "min_stack_version": "8.3", "rule_name": "Suspicious Execution via Scheduled Task", "sha256": "4051d22fd7d1721a31073f7a8b1173bdced88d11e883da07bafb67030c11d4fd", "type": "eql", "version": 108 }, "5d9f8cfc-0d03-443e-a167-2b0597ce0965": { + "min_stack_version": "8.3", "rule_name": "Suspicious Automator Workflows Execution", "sha256": "8a91321d4c4824d08e1ec1d1f2db52ad985b859f4e5838169834aa4bbdfff906", "type": "eql", "version": 106 }, "5e161522-2545-11ed-ac47-f661ea17fbce": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 103, + "rule_name": "Google Workspace 2SV Policy Disabled", + "sha256": "ddbea6e8e6fead49ee6b7eb17b83de0996fdabfef882164c7f04a134f1438293", + "type": "query", + "version": 5 + } + }, "rule_name": "Google Workspace 2SV Policy Disabled", "sha256": "90ed7cc03c1d2f50cb22cde81cefe5234690d44b19be19c4b0029735fa3e4f3a", "type": "query", "version": 106 }, "5e552599-ddec-4e14-bad1-28aa42404388": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Teams Guest Access Enabled", + "sha256": "4e4a262b9c4e5ab8a6ad524df85e1f6b13bdcae8c45ccea1db5bb31e2acd028f", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Teams Guest Access Enabled", "sha256": "92a0588bb516c3bf59cc84e1a9a07051d183c3a54df36ce698c176fe0a02d838", "type": "query", 
@@ -2874,42 +3772,58 @@ "version": 1 }, "5f2f463e-6997-478c-8405-fb41cc283281": { + "min_stack_version": "8.3", "rule_name": "Potential File Download via a Headless Browser", "sha256": "30c24a512438771d6de13cf9fbc3b909d451f6017b033ea015c1a99fc779f8b5", "type": "eql", "version": 1 }, "60884af6-f553-4a6c-af13-300047455491": { + "min_stack_version": "8.3", "rule_name": "Azure Command Execution on Virtual Machine", "sha256": "7e3e549fc0541f65e9d0ee9df09e5453f76574a9d8b90a03c5b8f905ebe6ce12", "type": "query", "version": 102 }, "60b6b72f-0fbc-47e7-9895-9ba7627a8b50": { + "min_stack_version": "8.3", "rule_name": "Azure Service Principal Addition", "sha256": "786b2ddb2ad2584581e0eeea78d24c23a5647d0a32680f1fa9625b6c06ebbda2", "type": "query", "version": 105 }, "60f3adec-1df9-4104-9c75-b97d9f078b25": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Exchange DLP Policy Removed", + "sha256": "0886a8d4f32a069d4f64c2559bfc5d527f4a2d24045aab00ae97f1de9ad9efb7", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Exchange DLP Policy Removed", "sha256": "807f4b28328d1f7ad9211882227887a21f3d288a8ad35dd75b1e3578f37251e9", "type": "query", "version": 206 }, "610949a1-312f-4e04-bb55-3a79b8c95267": { + "min_stack_version": "8.3", "rule_name": "Unusual Process Network Connection", "sha256": "be0a23cd5db1b1e9744ba6f8cfcbf419e70e2759108952394b4fd53a17da615c", "type": "eql", "version": 108 }, "61336fe6-c043-4743-ab6e-41292f439603": { + "min_stack_version": "8.3", "rule_name": "New User Added To GitHub Organization", "sha256": "90e535bf6daf394c14fb7d463f3a44120bd3a7a8df82406b1481123c490c23e8", "type": "eql", "version": 1 }, "61766ef9-48a5-4247-ad74-3349de7eb2ad": { + "min_stack_version": "8.3", "rule_name": "Interactive Logon by an Unusual Process", "sha256": "371c92a53ff6fe2812871b685def6102afb58b89c536d718eb67344227d117d2", "type": "eql", 
@@ -2918,7 +3832,7 @@ "61ac3638-40a3-44b2-855a-985636ca985e": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 212, "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", "sha256": "9321d3196034baa0a52034b07bbccafb94712b2ff10a634a6a451b65d5c7a23e", @@ -2938,6 +3852,7 @@ "version": 100 }, "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": { + "min_stack_version": "8.3", "rule_name": "AdminSDHolder SDProp Exclusion Added", "sha256": "596066dff727c29d10294ff6d205113bf4bc37e185127d4586a4a53eb1ed9cb0", "type": "eql", 
@@ -2951,60 +3866,70 @@ "version": 1 }, "622ecb68-fa81-4601-90b5-f8cd661e4520": { + "min_stack_version": "8.3", "rule_name": "Incoming DCOM Lateral Movement via MSHTA", "sha256": "1c55d7f1db000719100662727934048ed282c6ca81a2401c68eb6de8edb1d08e", "type": "eql", "version": 107 }, "62a70f6f-3c37-43df-a556-f64fa475fba2": { + "min_stack_version": "8.3", "rule_name": "Account Configured with Never-Expiring Password", "sha256": "bff6971b2108d22178fe7e1ba59610ea438646b4c81a203c7c85e90f0b42b640", "type": "query", "version": 108 }, "62b68eb2-1e47-4da7-85b6-8f478db5b272": { + "min_stack_version": "8.3", "rule_name": "Potential Non-Standard Port HTTP/HTTPS connection", "sha256": "cda94f2b58b70076662143a46548455aa8e987cf042b4b051776a276aa0c495f", "type": "eql", "version": 4 }, "63c05204-339a-11ed-a261-0242ac120002": { + "min_stack_version": "8.4", "rule_name": "Kubernetes Suspicious Assignment of Controller Service Account", "sha256": "c3c4f5b5422708679b68f0f2fd71e860e9abfdc466e25b9cd35498d8a45cbdab", "type": "query", "version": 6 }, "63c056a0-339a-11ed-a261-0242ac120002": { + "min_stack_version": "8.4", "rule_name": "Kubernetes Denied Service Account Request", "sha256": "c04f7a46cbbd448139cfef70f2eaf9331faae7a4a1ab9a4a721463034e513e86", "type": "query", "version": 5 }, "63c057cc-339a-11ed-a261-0242ac120002": { + "min_stack_version": "8.4", "rule_name": "Kubernetes Anonymous Request Authorized", "sha256": "124c7243234a6880e622f6d2f811edd502e2406e6c96ad7066a7306794ced4fd", "type": "query", "version": 6 }, "63e65ec3-43b1-45b0-8f2d-45b34291dc44": { + "min_stack_version": "8.3", "rule_name": "Network Connection via Signed Binary", "sha256": "a46c6b82143566c72c64c8288c549942594363613f856106a1b1e22b529caf49", "type": "eql", "version": 108 }, "647fc812-7996-4795-8869-9c4ea595fe88": { + "min_stack_version": "8.3", "rule_name": "Anomalous Process For a Linux Population", "sha256": "83b053309247f90ea7bda7f3c8e474257fe61dec3fc68d387888dc2da6ccf096", "type": "machine_learning", "version": 
104 }, "6482255d-f468-45ea-a5b3-d3a7de1331ae": { + "min_stack_version": "8.3", "rule_name": "Modification of Safari Settings via Defaults Command", "sha256": "d6366ceb829546de9ee9785b9be89d03ee27409be5ce45526d3c6041f107f012", "type": "query", "version": 106 }, "64cfca9e-0f6f-4048-8251-9ec56a055e9e": { + "min_stack_version": "8.3", "rule_name": "Network Connection via Recently Compiled Executable", "sha256": "602b297ae58effa807f0bca106916c4f1902c7fa8f5c62bfd282b5b65de72f7b", "type": "eql", 
@@ -3017,42 +3942,58 @@ "version": 100 }, "65f9bccd-510b-40df-8263-334f03174fed": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 199, + "rule_name": "Kubernetes Exposed Service Created With Type NodePort", + "sha256": "c6cf6184bd1e4f3add0ac786022ed97b13163f8ef7278c905b94bcea8447509f", + "type": "query", + "version": 101 + } + }, "rule_name": "Kubernetes Exposed Service Created With Type NodePort", "sha256": "06a18e9f45ffe718b0156f37a7f5dc289078a2410a0e6ecb968b500a0e55378e", "type": "query", "version": 203 }, "661545b4-1a90-4f45-85ce-2ebd7c6a15d0": { + "min_stack_version": "8.3", "rule_name": "Attempt to Mount SMB Share via Command Line", "sha256": "2c9e3ab0668460f3f7e260f9353b575c300c84e6f8cded54fc5d21d659f4dbc4", "type": "eql", "version": 107 }, "6641a5af-fb7e-487a-adc4-9e6503365318": { + "min_stack_version": "8.5", "rule_name": "Suspicious Termination of ESXI Process", "sha256": "fded063447d8a8cf285be279a1620dacabff131d93f8fe4836a029e9fedf3ce2", "type": "eql", "version": 6 }, "665e7a4f-c58e-4fc6-bc83-87a7572670ac": { + "min_stack_version": "8.3", "rule_name": "WebServer Access Logs Deleted", "sha256": "3d487bb5d79f8850a52e52a4d8158c8d8fd68de886f1709be2af9495356e8977", "type": "eql", "version": 105 }, "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": { + "min_stack_version": "8.3", "rule_name": "Potential Successful Linux FTP Brute Force Attack Detected", "sha256": "9727c97648fb4b3afac9d4f9c9f0004fc5c2c23794cdd3be99f8df2b6ba1192a", "type": "eql", "version": 7 }, "66883649-f908-4a5b-a1e0-54090a1d3a32": { + "min_stack_version": "8.3", "rule_name": "Connection to Commonly Abused Web Services", "sha256": "fd8374f717cf2af735052c2e6070cf34a2f345ffc0817d3633deedef52e54e18", "type": "eql", "version": 113 }, "66c058f3-99f4-4d18-952b-43348f2577a0": { + "min_stack_version": "8.3", "rule_name": "Linux Process Hooking via GDB", "sha256": "fbf357ed1d47b111ab6c612f8c15fd075755ac177461906e07824d7a0df4061d", "type": "eql", 
@@ -3061,7 +4002,7 @@ "66da12b1-ac83-40eb-814c-07ed1d82b7b9": { "min_stack_version": "8.11", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Suspicious macOS MS Office Child Process", "sha256": "fa49c48190d30ef29a48b101b182660b4498f72ff588291a7c1121e01dc0d489", @@ -3075,6 +4016,7 @@ "version": 206 }, "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": { + "min_stack_version": "8.3", "rule_name": "Modification of the msPKIAccountCredentials", "sha256": "9a207172558146d200bc0297376b645cc44023db1b7a8202a16c432936fad1ab", "type": "query", @@ -3083,7 +4025,7 @@ "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Attempt to Modify an Okta Policy", "sha256": "bcc00051e5ab5b70c88a4b1559e4edcff319d79f2bbe5bfcab404a3d63457d63", @@ -3097,6 +4039,16 @@ "version": 206 }, "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "O365 Mailbox Audit Logging Bypass", + "sha256": "cac04714049b7a004fe00585d8cc3e351f442896feb07e367f5e3406853f595d", + "type": "query", + "version": 106 + } + }, "rule_name": "O365 Mailbox Audit Logging Bypass", "sha256": "a61d567175526ad5bc735b093f276d0725a0ca9784d8b72754091e0b9abf70bb", "type": "query", @@ -3105,7 +4057,7 @@ "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Attempt to Revoke Okta API Token", "sha256": "f58a59fe0d9f317a1998e97634f691d5f4b4b0dc6b79fc874df5f7b9185a9f93", @@ -3125,6 +4077,7 @@ "version": 100 }, "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": { + "min_stack_version": "8.3", "rule_name": "High Number of Process Terminations", "sha256": "d3bd89f023aef73df6cbe19662e02ef77275c87754f04ca44279e2d30f28c5b3", "type": "threshold", 
@@ -3137,12 +4090,23 @@ "version": 100 }, "6839c821-011d-43bd-bd5b-acff00257226": { + "min_stack_version": "8.3", "rule_name": "Image File Execution Options Injection", "sha256": "413e961dc4797bf3701be20c749258009705733592d081c9b030aed6a7b8e75c", "type": "eql", "version": 107 }, "684554fc-0777-47ce-8c9b-3d01f198d7f8": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "New or Modified Federation Domain", + "sha256": "c12b7d94ddd9ac7a54891cd86831775b8622d2c0681fcaf612e2842bed646cf6", + "type": "query", + "version": 106 + } + }, "rule_name": "New or Modified Federation Domain", "sha256": "0fad0589541a8950f5f88b2a261cb0045389b6c80956518f1a66aad4d72394a8", "type": "query", @@ -3151,7 +4115,7 @@ "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 204, "rule_name": "Okta ThreatInsight Threat Suspected Promotion", "sha256": "44208f997fe40e0ec5625789243073bee7f66e3d2be2ed117e69e6f9b6907a21", 
@@ -3165,162 +4129,252 @@ "version": 205 }, "68921d85-d0dc-48b3-865f-43291ca2c4f2": { + "min_stack_version": "8.3", "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", "sha256": "ca27a9f60eec10c769a8b530ccb040f0a6c4218b6af386a6daa5e6ffb6ca381f", "type": "eql", "version": 110 }, "68994a6c-c7ba-4e82-b476-26a26877adf6": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 203, + "rule_name": "Google Workspace Admin Role Assigned to a User", + "sha256": "a8a7d4e956c4cd2733f3d5e26871a367b937a0944420b3eaaca82370b8246a55", + "type": "query", + "version": 105 + } + }, "rule_name": "Google Workspace Admin Role Assigned to a User", "sha256": "6efdcc0936767be2538639bc2b7dfc028b4f7d02b590bbfac757314fcec9ce2a", "type": "query", "version": 206 }, "689b9d57-e4d5-4357-ad17-9c334609d79a": { + "min_stack_version": "8.3", "rule_name": "Scheduled Task Created by a Windows Script", "sha256": "9e2d92b09b248d78181d6b8283ed595c2560ea046d17365515a8e57f6cb1679c", "type": "eql", "version": 107 }, "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS CloudWatch Log Group Deletion", + "sha256": "2e8fdc6b595399328a680fc066469a0edae5a41684f4190a837deaa8adf32ae4", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS CloudWatch Log Group Deletion", "sha256": "9cb4442436198c82ac0e0fefebd6627d23a5dcb0db8fc9088a51ab31fc9ea399", "type": "query", "version": 209 }, "68ad737b-f90a-4fe5-bda6-a68fa460044e": { + "min_stack_version": "8.3", "rule_name": "Suspicious Access to LDAP Attributes", "sha256": "307219345f44551ce020e8edcdc4a77f54cae4a0431f6fdd2dd7b9553c93519d", "type": "eql", "version": 1 }, "68d56fdc-7ffa-4419-8e95-81641bd6f845": { + "min_stack_version": "8.3", "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", "sha256": "0e58274266004591d50a31dccda8579c2e48897fecb54d3ff9aa6153e1b2f459", "type": "eql", "version": 109 }, 
"6951f15e-533c-4a60-8014-a3c3ab851a1b": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 104, + "rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", + "sha256": "1bcb655a06d0561e1f4f6e9466d148178ddf1edc310aa5b738f246db479c1afd", + "type": "query", + "version": 5 + } + }, "rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", "sha256": "6c3939d29a97cd2645ecc292c9f864da41ba0b3d159eec992c7ef6dec115d08e", "type": "query", "version": 106 }, "699e9fdb-b77c-4c01-995c-1c15019b9c43": { + "min_stack_version": "8.5", + "previous": { + "8.3": { + "max_allowable_version": 203, + "rule_name": "Threat Intel Filebeat Module (v8.x) Indicator Match", + "sha256": "32f01788e2000cbf97dfe76446aa173db05e8a73eac467ec634aec29072ba7e8", + "type": "threat_match", + "version": 105 + } + }, "rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match", "sha256": "323f4b02dcebb3ae76b6d959c325eb0da4b02ab1cf6d98b0437795dbcdd6eb85", "type": "threat_match", "version": 204 }, "69c251fb-a5d6-4035-b5ec-40438bd829ff": { + "min_stack_version": "8.3", "rule_name": "Modification of Boot Configuration", "sha256": "500524cf359e95ea7b5677b35a1d166b011fa0b33628d49b9e0ca3dcb7531525", "type": "eql", "version": 109 }, "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS IAM Password Recovery Requested", + "sha256": "d16a1105cf83086a436f452d32fd1564076c4a7425498c922ca33cdcd2246c17", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS IAM Password Recovery Requested", "sha256": "a1e54060fd73ea81b4a91323553b6cdec9bd5fb0b973ef8201983c73b45ac3df", "type": "query", "version": 206 }, "6a309864-fc3f-11ee-b8cc-f661ea17fbce": { + "min_stack_version": "8.9", "rule_name": "EC2 AMI Shared with Another Account", "sha256": "269a6ce9b13aedfce015a85a679e1a55ebf3974fdd7cb9b3c9f84411ed85cafc", "type": "query", 
"version": 1 }, "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": { + "min_stack_version": "8.3", "rule_name": "Unusual Service Host Child Process - Childless Service", "sha256": "0cbf30f69775dd636ba9c9be86e859682567566370db71ea6b1ebb0b4d69b38d", "type": "eql", "version": 110 }, "6aace640-e631-4870-ba8e-5fdda09325db": { + "min_stack_version": "8.3", "rule_name": "Exporting Exchange Mailbox via PowerShell", "sha256": "6fd173fa6170609a487f81b30491b79df555d458fe2738216aa9cd26b1bbc98f", "type": "eql", "version": 111 }, "6ace94ba-f02c-4d55-9f53-87d99b6f9af4": { + "min_stack_version": "8.3", "rule_name": "Suspicious Utility Launched via ProxyChains", "sha256": "d905f66dbe947bfcc9537eb0ce37abd9f10bf4effcffc43e454399feec107fb2", "type": "eql", "version": 7 }, "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Sensitive Files Compression", + "sha256": "271c0de47099ee8a5e049d68bf4d49801b884b81f673df03edceab970daebe19", + "type": "query", + "version": 106 + } + }, "rule_name": "Sensitive Files Compression", "sha256": "a50308d629258169646a68897f01fed70056c172b984b4d7b643f78da9835e50", "type": "new_terms", "version": 208 }, "6bed021a-0afb-461c-acbe-ffdb9574d3f3": { + "min_stack_version": "8.3", "rule_name": "Remote Computer Account DnsHostName Update", "sha256": "4a3308713c74898d9a52d894105c3a41556786008f169b725436c4dbc018ee99", "type": "eql", "version": 107 }, "6c6bb7ea-0636-44ca-b541-201478ef6b50": { + "min_stack_version": "8.8", "rule_name": "Container Management Utility Run Inside A Container", "sha256": "34ba8d894c34042f9a4c326daee9871fc209a1e209058b9f6a0f8ad30eeec04d", "type": "eql", "version": 2 }, "6cd1779c-560f-4b68-a8f1-11009b27fe63": { + "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", "sha256": "304d7c35a3c501afafb6d576d39db8a71ffa761de1d2e4ea5cf2ef4937b103ca", "type": "eql", "version": 108 }, "6cea88e4-6ce2-4238-9981-a54c140d6336": 
{ + "min_stack_version": "8.3", "rule_name": "GitHub Repo Created", "sha256": "51c2e55a0721646f1d729d916086c9574f76dff3a8c826d5d3295432d0ed3b09", "type": "eql", "version": 1 }, "6d448b96-c922-4adb-b51c-b767f1ea5b76": { + "min_stack_version": "8.3", "rule_name": "Unusual Process For a Windows Host", "sha256": "f65a12afc06498c72c6fe35834ef48f2c6cee057748963b300cae83e7a411f78", "type": "machine_learning", "version": 107 }, "6d8685a1-94fa-4ef7-83de-59302e7c4ca8": { + "min_stack_version": "8.6", "rule_name": "Potential Privilege Escalation via CVE-2023-4911", "sha256": "43e59c39d821bf39fd6c407a1be82ae2dc2413f7e5cdf21020ca39f4579609c0", "type": "eql", "version": 4 }, "6e1a2cc4-d260-11ed-8829-f661ea17fbcc": { + "min_stack_version": "8.4", "rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution", "sha256": "296e88e08cfeb38dd5bfe7c3719ed7ce80f41022b51190abddbedacc66220afa", "type": "new_terms", "version": 5 }, "6e40d56f-5c0e-4ac6-aece-bee96645b172": { + "min_stack_version": "8.3", "rule_name": "Anomalous Process For a Windows Population", "sha256": "797cf8fc982536b11a0679348b4eca584db853de77646320ff0c146465196bcd", "type": "machine_learning", "version": 105 }, "6e9130a5-9be6-48e5-943a-9628bfc74b18": { + "min_stack_version": "8.3", "rule_name": "AdminSDHolder Backdoor", "sha256": "53f33d98ecca40d46328a7ff7593743ac0f62aefad6854a203355d59f240ece1", "type": "query", "version": 106 }, "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": { + "min_stack_version": "8.7", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Enumeration of Users or Groups via Built-in Commands", + "sha256": "6b4e00cd0749f89148010473d62893477290a0438ab07894e38b445ce10c7b3e", + "type": "eql", + "version": 107 + } + }, "rule_name": "Enumeration of Users or Groups via Built-in Commands", "sha256": "3eb0d320290f508310e7c0efbd51d6f2caa9acc4ca1879e192e0cc53658e62bd", "type": "eql", "version": 207 }, "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": { + "min_stack_version": "8.3", 
"rule_name": "Potential Windows Error Manager Masquerading", "sha256": "f66c92e627ba4aabff1fb546ee38cbdf15e88ad11a4e5fc9059ba9be41db31f3", "type": "eql", "version": 108 }, "6ea55c81-e2ba-42f2-a134-bccf857ba922": { + "min_stack_version": "8.3", "rule_name": "Security Software Discovery using WMIC", "sha256": "191d08e949cb9f57e2853a307b82f336896da072f4dea0054f301ee50bebfd89", "type": "eql", @@ -3333,6 +4387,7 @@ "version": 100 }, "6ee947e9-de7e-4281-a55d-09289bdf947e": { + "min_stack_version": "8.3", "rule_name": "Potential Linux Tunneling and/or Port Forwarding", "sha256": "e7974fdba41cd2ce4d8ff22447cfab64cec739f3dd5bc0ab0749e92fc578bcf8", "type": "eql", @@ -3352,6 +4407,16 @@ "version": 1 }, "6f435062-b7fc-4af9-acea-5b1ead65c5a5": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 202, + "rule_name": "Google Workspace Role Modified", + "sha256": "8917dd169608ea491ef3f4c15d53b08aa6747b200e3b62a4bc22da3afb71fc9a", + "type": "query", + "version": 104 + } + }, "rule_name": "Google Workspace Role Modified", "sha256": "cc27c5d907038ca85c5d0c991e541013163f6fccc0bf95c84ac0b4ed62175081", "type": "query", 
@@ -3364,66 +4429,113 @@ "version": 100 }, "7024e2a0-315d-4334-bb1a-441c593e16ab": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS CloudTrail Log Deleted", + "sha256": "e4aa3aadf0d7e757977d5c02a31cae6d4ece731bc3478fec172e92a10c8f3ee1", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS CloudTrail Log Deleted", "sha256": "f23d0872d802001bbc030b70a5f6be00760eb331e2c1ea06a5e57d15d2e336c9", "type": "query", "version": 209 }, "7024e2a0-315d-4334-bb1a-552d604f27bc": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS Config Resource Deletion", + "sha256": "e3f3358d38d5992c002d140012811e59a1ff80898107891dfbb67758d36adfc0", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS Config Resource Deletion", "sha256": "9e3a32ce84c33e0a345a34c6f398fb54f346bd1d0683e6a1dc87f8957b4b140f", "type": "query", "version": 209 }, "708c9d92-22a3-4fe0-b6b9-1f861c55502d": { + "min_stack_version": "8.3", "rule_name": "Suspicious Execution via MSIEXEC", "sha256": "2b0a113e37d67649e6f11b5bf035ca1a3a6649ad4996a27b1e788651ae11b846", "type": "eql", "version": 2 }, "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": { + "min_stack_version": "8.3", "rule_name": "Persistence via WMI Standard Registry Provider", "sha256": "db796cbae0d063b4f1a54079e8f00e82b333a78701059a9a9962630dd48cc857", "type": "eql", "version": 108 }, "70fa1af4-27fd-4f26-bd03-50b6af6b9e24": { + "min_stack_version": "8.3", "rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", "sha256": "0ac39c7e21a70ea619a342065d004f5c51d563df631af84fa09a327437843b47", "type": "query", "version": 106 }, "7164081a-3930-11ed-a261-0242ac120002": { + "min_stack_version": "8.4", "rule_name": "Kubernetes Container Created with Excessive Linux Capabilities", "sha256": "86bf8bc61640a49c610c81cef5cb6bd417d85a5160637971eb56c908af7a3bec", "type": "query", "version": 4 }, 
"717f82c2-7741-4f9b-85b8-d06aeb853f4f": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Modification of Dynamic Linker Preload Shared Object", + "sha256": "dc67793718c16d2d90d8be38bf310b0ce87c25f4e9c56a66f7a231b80d9922f0", + "type": "query", + "version": 107 + } + }, "rule_name": "Modification of Dynamic Linker Preload Shared Object", "sha256": "593012691955c843d367110658df0c195a220829f73a237e8fadc2d4b0ce1b40", "type": "new_terms", "version": 209 }, "71bccb61-e19b-452f-b104-79a60e546a95": { + "min_stack_version": "8.3", "rule_name": "Unusual File Creation - Alternate Data Stream", "sha256": "a3fdba9254d6e0decace5b3bbe34f7365bdb09fb0ab62ce49b0058dc63af0cbc", "type": "eql", "version": 114 }, "71c5cb27-eca5-4151-bb47-64bc3f883270": { + "min_stack_version": "8.3", "rule_name": "Suspicious RDP ActiveX Client Loaded", "sha256": "e9a9062beb0713d366bd638f7cf733c19ec8aed20b8603b3b0d460618a78aaa2", "type": "eql", "version": 109 }, "71d6a53d-abbd-40df-afee-c21fff6aafb0": { + "min_stack_version": "8.3", "rule_name": "Suspicious Passwd File Event Action", "sha256": "e030929c0ce21a679a3931586b3e70cecc18c849100b3ae52bc4374ca17cbcb2", "type": "eql", "version": 3 }, "721999d0-7ab2-44bf-b328-6e63367b9b29": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Potential ransomware activity", + "sha256": "065cd0cc51b5457baa9bc37901045907810e07d074eef16982399654fae10302", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Potential ransomware activity", "sha256": "c4aa9e181be0c938309c1841f3a5de34116bfe2a8a734e1a92fd928af5ef644f", "type": "query", 
@@ -3432,7 +4544,7 @@ "729aa18d-06a6-41c7-b175-b65b739b1181": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", "sha256": "c60bc906d469f3485ac3f4e2694f2ad9335dd69d76776d4a7604221cdc4bd77c", @@ -3452,18 +4564,21 @@ "version": 100 }, "72ed9140-fe9d-4a34-a026-75b50e484b17": { + "min_stack_version": "8.6", "rule_name": "Unusual Discovery Signal Alert with Unusual Process Executable", "sha256": "b904f25bf5bb414b7b11d0a216395926f40e0ee77abebc5f9b7d19b0e35837d9", "type": "new_terms", "version": 2 }, "730ed57d-ae0f-444f-af50-78708b57edd5": { + "min_stack_version": "8.3", "rule_name": "Suspicious JetBrains TeamCity Child Process", "sha256": "c9e084cfb0ca88c2cc8bfdeaeae122e26763a683878236cd17307ce5cabfe578", "type": "eql", "version": 1 }, "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { + "min_stack_version": "8.3", "rule_name": "Potential Modification of Accessibility Binaries", "sha256": "65d25ee5fe0482453ec857754eb6d2d3273c48bcef76cea6d9c3843f555d19eb", "type": "eql", @@ -3472,7 +4587,7 @@ "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": { "min_stack_version": "8.11", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Modification of Environment Variable via Launchctl", "sha256": "baaab449ef5b78ab10fc6dec249fb8d0f5ba0a06cd5c58df962d3b5c0683adeb", 
@@ -3486,168 +4601,232 @@ "version": 206 }, "745b0119-0560-43ba-860a-7235dd8cee8d": { + "min_stack_version": "8.3", "rule_name": "Unusual Hour for a User to Logon", "sha256": "8c8f1df8c5b78cb30de44700004958516615a323691d707eee2ed79b9a00424c", "type": "machine_learning", "version": 104 }, "746edc4c-c54c-49c6-97a1-651223819448": { + "min_stack_version": "8.3", "rule_name": "Unusual DNS Activity", "sha256": "b9ea779f9594e53247551940577acd651bc9971f972c085f9476e736de350577", "type": "machine_learning", "version": 103 }, "7592c127-89fb-4209-a8f6-f9944dfd7e02": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 102, + "rule_name": "Suspicious Sysctl File Event", + "sha256": "dc62f12237c63e7f170343cc5fcf2587a078f5af5e823d46e6545f8b11a01b90", + "type": "eql", + "version": 4 + } + }, "rule_name": "Suspicious Sysctl File Event", "sha256": "a98b507603e191d5d7b9018614f89020e94baf48aa9ab69666128517e8a282c8", "type": "new_terms", "version": 107 }, "75dcb176-a575-4e33-a020-4a52aaa1b593": { + "min_stack_version": "8.3", "rule_name": "Service Disabled via Registry Modification", "sha256": "3f012ac4ed80b6095b899a9a86d030257bd07875599655fa1d5ee4bb8297020a", "type": "eql", "version": 3 }, "75ee75d8-c180-481c-ba88-ee50129a6aef": { + "min_stack_version": "8.3", "rule_name": "Web Application Suspicious Activity: Unauthorized Method", "sha256": "6888bde4c516f00a56257eb9f46531d38dbadb83d316387c5e20af3390580961", "type": "query", "version": 102 }, "76152ca1-71d0-4003-9e37-0983e12832da": { + "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Sudoers File Modification", "sha256": "6dfec898ca5b57352a078ff6ea65a0452985eeac88bb6ca491399544d57be902", "type": "query", "version": 103 }, "764c8437-a581-4537-8060-1fdb0e92c92d": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 199, + "rule_name": "Kubernetes Pod Created With HostIPC", + "sha256": 
"88a76082a0b05f8b848047174d1517f7746506e91ed2bb2d203255a52f38a8e2", + "type": "query", + "version": 101 + } + }, "rule_name": "Kubernetes Pod Created With HostIPC", "sha256": "beed3f7f4d2a86f155bd96e2903ded43fe8eb75d27f85650778e44bdf7e50982", "type": "query", "version": 203 }, "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": { + "min_stack_version": "8.3", "rule_name": "Access to a Sensitive LDAP Attribute", "sha256": "1ae31d3cb536669955d44bdf92b5c53dfd9868ad3ff5813fe8acee8502eecc41", "type": "eql", "version": 10 }, "766d3f91-3f12-448c-b65f-20123e9e9e8c": { + "min_stack_version": "8.3", "rule_name": "Creation of Hidden Shared Object File", "sha256": "a747be0c57d2283c6230586562f1c075efb7f2962fafced613f3b2c9fb64b8fa", "type": "eql", "version": 110 }, "76ddb638-abf7-42d5-be22-4a70b0bf7241": { + "min_stack_version": "8.3", "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", "sha256": "77deaf0de198677613cb4ea5ded34296802b16789afb9856cbe3114220f9e4fb", "type": "eql", "version": 106 }, "76e4d92b-61c1-4a95-ab61-5fd94179a1ee": { + "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Suspicious Child Process", "sha256": "6ac453ec6132c64b8a4ca261bc2a4effcf46f9bae6fcc34c97984064110e2953", "type": "eql", "version": 9 }, "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { + "min_stack_version": "8.3", "rule_name": "Potential Remote Desktop Tunneling Detected", "sha256": "7aa6802a0f3b68b47c51cf9c2bf2173bd894ec4c8c10b615109d165e50bdfb33", "type": "eql", "version": 110 }, "770e0c4d-b998-41e5-a62e-c7901fd7f470": { + "min_stack_version": "8.3", "rule_name": "Enumeration Command Spawned via WMIPrvSE", "sha256": "8ad7865bb2ea255f74f4010cbc3df77b3480c3878500abf1c5ebf0b7c924a7cf", "type": "eql", "version": 111 }, "774f5e28-7b75-4a58-b94e-41bf060fdd86": { + "min_stack_version": "8.3", "rule_name": "User Added as Owner for Azure Application", "sha256": "b88d2f1b89f2bbf51454db3706d1461b08147f31841aea42ee15726e4632fa26", "type": "query", "version": 102 }, 
"7787362c-90ff-4b1a-b313-8808b1020e64": { + "min_stack_version": "8.6", "rule_name": "UID Elevation from Previously Unknown Executable", "sha256": "2b60afa9037795b630f1d33a76fcd68f49f3c1ccf9b0da8445765575a2508534", "type": "new_terms", "version": 2 }, "77a3c3df-8ec4-4da4-b758-878f551dee69": { + "min_stack_version": "8.3", "rule_name": "Adversary Behavior - Detected - Elastic Endgame", "sha256": "0ec924f52296fef94948482d51b8d533eee0455bd3bce573fa522ee3d1c9997d", "type": "query", "version": 104 }, "781f8746-2180-4691-890c-4c96d11ca91d": { + "min_stack_version": "8.3", "rule_name": "Potential Network Sweep Detected", "sha256": "a076fa96b47fb15ed66e6f90750fdc91ac7f7cf9e496f47150eba1253dcbc6db", "type": "threshold", "version": 5 }, "785a404b-75aa-4ffd-8be5-3334a5a544dd": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 202, + "rule_name": "Application Added to Google Workspace Domain", + "sha256": "7fa64b656ada94baa0a8d76c00231f99bfd63f0925722bdfeb6528ff90cdef76", + "type": "query", + "version": 104 + } + }, "rule_name": "Application Added to Google Workspace Domain", "sha256": "ad5d0246eae8608a0868956eb3e4b6b36c94a4180a1194ca35da083d3264ecb6", "type": "query", "version": 205 }, "7882cebf-6cf1-4de3-9662-213aa13e8b80": { + "min_stack_version": "8.3", "rule_name": "Azure Privilege Identity Management Role Modified", "sha256": "26c5f67d4d0a686a2580c9991b656cf39bca2ec927dd297487125907f961585e", "type": "query", "version": 105 }, "78d3d8d9-b476-451d-a9e0-7a5addd70670": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Spike in AWS Error Messages", + "sha256": "333cdaf4a1706f9d4a7935d233bb7a28147712b8edf36e3500c61433a2cbee57", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Spike in AWS Error Messages", "sha256": "b9c3990fedf14024b1c9c83464350edfd9ebd517c53d2aacebbb3a848d9740f2", "type": "machine_learning", "version": 208 }, 
"78de1aeb-5225-4067-b8cc-f4a1de8a8546": { + "min_stack_version": "8.3", "rule_name": "Suspicious ScreenConnect Client Child Process", "sha256": "3a5b48b246dc6b94292ab3d37f29c9ee4894804983a6c4e75b67a8c520f24ef0", "type": "eql", "version": 1 }, "78e9b5d5-7c07-40a7-a591-3dbbf464c386": { + "min_stack_version": "8.3", "rule_name": "Suspicious File Renamed via SMB", "sha256": "fc6be263784c700668a9eb4f67231f1786f1750bc929af29d6655989375915c0", "type": "eql", "version": 1 }, "78ef0c95-9dc2-40ac-a8da-5deb6293a14e": { + "min_stack_version": "8.4", "rule_name": "Unsigned DLL Loaded by Svchost", "sha256": "693613eaf1e2584a9bc56d598ff28225091c888aa886521384faf26f2cc43a45", "type": "eql", "version": 6 }, "79124edf-30a8-4d48-95c4-11522cad94b1": { + "min_stack_version": "8.3", "rule_name": "File Compressed or Archived into Common Format", "sha256": "75b814ddab9122b2dde8034d1daadc9731ff977dce815207b7565aad49cda555", "type": "eql", "version": 4 }, "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": { + "min_stack_version": "8.3", "rule_name": "Azure Key Vault Modified", "sha256": "79a68677542c96b2d8a804e552e8de37560ab6f599a24f9b828d0b1dbbee1a87", "type": "query", "version": 103 }, "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": { + "min_stack_version": "8.3", "rule_name": "Potential Masquerading as System32 Executable", "sha256": "a613c9495f4b8b1cd51df4eac684c578f26aceaa65e6d20faa875e280f3a0912", "type": "eql", "version": 4 }, "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": { + "min_stack_version": "8.3", "rule_name": "Potential File Transfer via Certreq", "sha256": "45f8eda9995222bc895d40fc9bab8fea41954def40702271c8a6b7af7bd09eef", "type": "eql", "version": 8 }, "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { + "min_stack_version": "8.3", "rule_name": "Potential Shadow Credentials added to AD Object", "sha256": "696545e871e59971a9c77d60fb7f5cb25cbbec8a62cdf6fd167b9ec939efa675", "type": "query", 
@@ -3660,12 +4839,14 @@ "version": 100 }, "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": { + "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation through Writable Docker Socket", "sha256": "59ad5257e309d3192fd55374ef9be4e2d1d4ce96fe0c5e6c568e86d22e05f9a2", "type": "eql", "version": 5 }, "7afc6cc9-8800-4c7f-be6b-b688d2dea248": { + "min_stack_version": "8.3", "rule_name": "Potential Execution via XZBackdoor", "sha256": "3b5e1d6fe931166937ac8b2540f9f001897d52336750147eef0f13925a5f0c39", "type": "eql", 
@@ -3678,36 +4859,69 @@ "version": 100 }, "7b3da11a-60a2-412e-8aa7-011e1eb9ed47": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS ElastiCache Security Group Created", + "sha256": "388613f453ad59a0b5a1346925a88c2ea72963b1a7a4ba77f510bdb527a655a4", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS ElastiCache Security Group Created", "sha256": "eef0353fa501c11cf2bcd5a6676496b4500dd9131341d9cf1578d8a9d51234f4", "type": "query", "version": 206 }, "7b8bfc26-81d2-435e-965c-d722ee397ef1": { + "min_stack_version": "8.3", "rule_name": "Windows Network Enumeration", "sha256": "76d42ebe68f574a31fb590b3d96321d2e8d048306a8159b2f0b36be83255e855", "type": "eql", "version": 111 }, "7ba58110-ae13-439b-8192-357b0fcfa9d7": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Suspicious LSASS Access via MalSecLogon", + "sha256": "cfb5125f0705e215f8dc00f7a38fe7454cf24077181b6b9c70068c7e46fbadb6", + "type": "eql", + "version": 106 + } + }, "rule_name": "Suspicious LSASS Access via MalSecLogon", "sha256": "fa0f15538180301dcc99fb3677d8ac7ad2d789d612e23c816f0908956028b3c1", "type": "eql", "version": 208 }, "7bcbb3ac-e533-41ad-a612-d6c3bf666aba": { + "min_stack_version": "8.3", "rule_name": "Tampering of Shell Command-Line History", "sha256": "106aa939e4c87db6570ee327ed6ca3e7f889aca17a71e09044b0b8dc3bed815c", "type": "eql", "version": 105 }, "7caa8e60-2df0-11ed-b814-f661ea17fbce": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 103, + "rule_name": "Google Workspace Bitlocker Setting Disabled", + "sha256": "b7f72377e6e5c62220a4932b83c0343a304f9e32c6f8df1a2320f97dc666d857", + "type": "query", + "version": 5 + } + }, "rule_name": "Google Workspace Bitlocker Setting Disabled", "sha256": "d876e552704f399012a35ef8ccd37653e6278d558e9904d895f023110f987c55", "type": "query", "version": 106 }, "7ceb2216-47dd-4e64-9433-cddc99727623": { 
+ "min_stack_version": "8.3", "rule_name": "GCP Service Account Creation", "sha256": "0c8a23dace5a96a836f6a55bbc9dc2e64550d584c98257f3b7dbbaaf0d79805c", "type": "query", 
@@ -3720,66 +4934,104 @@ "version": 100 }, "7dfaaa17-425c-4fe7-bd36-83705fde7c2b": { + "min_stack_version": "8.3", "rule_name": "Suspicious Kworker UID Elevation", "sha256": "1073dde211174d3099a9b8a21931bf6531d2343d6b44d98c0ceabeecc3f29e8a", "type": "eql", "version": 2 }, "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { + "min_stack_version": "8.3", "rule_name": "Suspicious WMIC XSL Script Execution", "sha256": "d375afba7884212b8fe34d5179603d5a9a7a16f14ec76a18f89032b8ca01d5e2", "type": "eql", "version": 109 }, "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 100, + "rule_name": "Discovery of Internet Capabilities via Built-in Tools", + "sha256": "a411322e3fd22e1fe67ca9c54dd4c5ecb965751365aebb4c0c9d7b4e3aa67a66", + "type": "eql", + "version": 1 + } + }, "rule_name": "Discovery of Internet Capabilities via Built-in Tools", "sha256": "94bb175873a51e3ec94a3d92aec15accba931a59b2ccbcf01c9317f8a3d571ee", "type": "new_terms", "version": 102 }, "7fb500fa-8e24-4bd1-9480-2a819352602c": { + "min_stack_version": "8.6", "rule_name": "New Systemd Timer Created", "sha256": "c5bf7a856bf289f0687f5916c01098906650541047b786e7a120cd6ec3fbb948", "type": "new_terms", "version": 9 }, "80084fa9-8677-4453-8680-b891d3c0c778": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 102, + "rule_name": "Enumeration of Kernel Modules via Proc", + "sha256": "e8cbeafae45cf6592034b68de6f2166705890d49c7a6e5821b387dfa6c535dc9", + "type": "eql", + "version": 4 + } + }, "rule_name": "Enumeration of Kernel Modules via Proc", "sha256": "a673dd1c8988721179c42b0b788a1b229fce05298dfe5664b54ca535750e4587", "type": "new_terms", "version": 106 }, "800e01be-a7a4-46d0-8de9-69f3c9582b44": { + "min_stack_version": "8.3", "rule_name": "Unusual Process Extension", "sha256": "f2022485ae73360b81a2da1364f674781461b179fb259d9734ada6dbe226720a", "type": "eql", "version": 4 }, "808291d3-e918-4a3a-86cd-73052a0c9bdc": { + 
"min_stack_version": "8.3", "rule_name": "Suspicious Troubleshooting Pack Cabinet Execution", "sha256": "237bea63ac52782481baf16b92d59c08e0e799105d378bec92197c4ad8fad8b4", "type": "eql", "version": 2 }, "809b70d3-e2c3-455e-af1b-2626a5a1a276": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Unusual City For an AWS Command", + "sha256": "51f5b37af37f1f4ec180b1de7aac38ca7d77afc0e1f44dfe6122eb8605e3adab", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Unusual City For an AWS Command", "sha256": "d6cbad92730cf10d62df532e09bfef35bca6439b7ff5b0f34337bdda6ab38199", "type": "machine_learning", "version": 208 }, "80c52164-c82a-402c-9964-852533d58be1": { + "min_stack_version": "8.3", "rule_name": "Process Injection - Detected - Elastic Endgame", "sha256": "42f01902665c666c45de8cafd9cc39c80ab4e28cf87c1e13caab844668cb70be", "type": "query", "version": 103 }, "814d96c7-2068-42aa-ba8e-fe0ddd565e2e": { + "min_stack_version": "8.9", "rule_name": "Unusual Remote File Extension", "sha256": "e5eeb038f9aa39433fcea8c9410b24a6a1337512da397d2818fc96f5698f767b", "type": "machine_learning", "version": 3 }, "818e23e6-2094-4f0e-8c01-22d30f3506c6": { + "min_stack_version": "8.3", "rule_name": "PowerShell Script Block Logging Disabled", "sha256": "93f0d3a27ec93093c91f59d6a1bcd1a34b1f007ff0304b857a730c1c6c35f186", "type": "eql", @@ -3794,7 +5046,7 @@ "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 210, "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", "sha256": "b37f48d5442be42df0d2783a9a8c3a2aa4e791636a90f115ebc567ee730ba2de", @@ -3808,6 +5060,7 @@ "version": 211 }, "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": { + "min_stack_version": "8.3", "rule_name": "Temporarily Scheduled Task Creation", "sha256": "b9eb095355ecc02a827ca56e41a3ccd5fd5fff3c57c2f1a1e16e0f32082bcd46", "type": "eql", 
@@ -3816,7 +5069,7 @@ "827f8d8f-4117-4ae4-b551-f56d54b9da6b": { "min_stack_version": "8.11", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 206, "rule_name": "Apple Scripting Execution with Administrator Privileges", "sha256": "c86e89c5415c3f38817090bc99e25901d75e58b5f7387022f61bd609df89272a", @@ -3830,12 +5083,14 @@ "version": 207 }, "835c0622-114e-40b5-a346-f843ea5d01f1": { + "min_stack_version": "8.3", "rule_name": "Potential Linux Local Account Brute Force Detected", "sha256": "7951c32071a4f27cf235f88d6d4af14655a24aca293681878a970dc3e3973c1f", "type": "eql", "version": 6 }, "83a1931d-8136-46fc-b7b9-2db4f639e014": { + "min_stack_version": "8.3", "rule_name": "Azure Kubernetes Pods Deleted", "sha256": "8c0f9a8ac544e84262204d80e667c90f7e1a0be582cea5152e2d44926f4e72a9", "type": "query", 
@@ -3848,84 +5103,143 @@ "version": 100 }, "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": { + "min_stack_version": "8.3", "rule_name": "Attempt to Disable IPTables or Firewall", "sha256": "1814e77d691d41da88a1ba4c922ef445c031e653b86b5dd166f99cba587157f1", "type": "eql", "version": 7 }, "8446517c-f789-11ee-8ad0-f661ea17fbce": { + "min_stack_version": "8.3", "rule_name": "AWS EC2 Admin Credential Fetch via Assumed Role", "sha256": "ca0cdbc0af36d4bf4a78a1a5f82fca391580b9507566dd67dd281c61cd510c7a", "type": "new_terms", "version": 2 }, "846fe13f-6772-4c83-bd39-9d16d4ad1a81": { + "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Transport Agent Install Script", "sha256": "6c50456e5c405b545f31c8c93d71b2f1614b64bd732ca548127db4db6230c412", "type": "query", "version": 5 }, "84d1f8db-207f-45ab-a578-921d91c23eb2": { + "min_stack_version": "8.3", "rule_name": "Potential Upgrade of Non-interactive Shell", "sha256": "c13baf680022d32581c0780e31d4ade6009c93d1be12624a3d30060da764f759", "type": "eql", "version": 3 }, "84da2554-e12a-11ec-b896-f661ea17fbcd": { + "min_stack_version": "8.3", "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", "sha256": "7a9ce57d7b2a5c723facc456a26c549cb5acacc09fe4844360c1af34366c0744", "type": "eql", "version": 110 }, "850d901a-2a3c-46c6-8b22-55398a01aad8": { + "min_stack_version": "8.3", "rule_name": "Potential Remote Credential Access via Registry", "sha256": "a0cd73a2f83a6c1f8fe970bb6a7fab8656fe9e3d8c51d5a9dda9efb1db69ba32", "type": "eql", "version": 111 }, "852c1f19-68e8-43a6-9dce-340771fe1be3": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Suspicious PowerShell Engine ImageLoad", + "sha256": "765d2c6702b22d625ca9fac30e74684428f6d6a852dd200dff84851fe76dda47", + "type": "eql", + "version": 108 + } + }, "rule_name": "Suspicious PowerShell Engine ImageLoad", "sha256": "8fb4c5a6040d9edf0a32b6e6fd809d366eea096495438e323e148d684c871404", "type": "new_terms", "version": 210 }, 
"8623535c-1e17-44e1-aa97-7a0699c3037d": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS EC2 Network Access Control List Deletion", + "sha256": "196c1626443f797df1670e37fe56629d8da2a1b61087cac2f3fab49bd64b5113", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS EC2 Network Access Control List Deletion", "sha256": "4f9d972be95e23e9ad2c127a00b66165c3f6c1105dcfef9a0e85a70d2d22b006", "type": "query", "version": 206 }, "863cdf31-7fd3-41cf-a185-681237ea277b": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS RDS Security Group Deletion", + "sha256": "f46878044473b51688032f8944026be841032d83fbab53ebccb6f3bd1056f1a7", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS RDS Security Group Deletion", "sha256": "3815b7cf0e4aeef5cd0350a18c0f8a1f751b8c21d728875a7268a075a70e2ad9", "type": "query", "version": 206 }, "867616ec-41e5-4edc-ada2-ab13ab45de8a": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS IAM Group Deletion", + "sha256": "950ae30d904242ba798eb1658f1e238720d404743585e155f030dda45d0e05f6", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS IAM Group Deletion", "sha256": "b52937ff4f6af1e5ccf8b52bf8d378468fdac5dfd53a8b3217833c005c5fa781", "type": "query", "version": 206 }, "86c3157c-a951-4a4f-989b-2f0d0f1f9518": { + "min_stack_version": "8.3", "rule_name": "Potential Linux Reverse Connection through Port Knocking", "sha256": "b4f46ff74a8794d66683aa38de698de5e35a091b48d03ffa0d9181a578899ddc", "type": "eql", "version": 1 }, "870aecc0-cea4-4110-af3f-e02e9b373655": { + "min_stack_version": "8.3", "rule_name": "Security Software Discovery via Grep", "sha256": "de3ae123fbc7d0cb0596b3c5cc6467fdf51f545053665c4f5afdeb758983bc76", "type": "eql", "version": 109 }, "871ea072-1b71-4def-b016-6278b505138d": { + "min_stack_version": "8.3", "rule_name": "Enumeration of 
Administrator Accounts", "sha256": "6a87be3b93e4a75c3dbfeba82b7aaa420dd43f042ec1bc9641d5649f8f6850b5", "type": "eql", "version": 112 }, "87594192-4539-4bc4-8543-23bc3d5bd2b4": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS EventBridge Rule Disabled or Deleted", + "sha256": "81d56536a960fa83385df001b8186c6a129128d000278be5586476a6d4b9e19b", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS EventBridge Rule Disabled or Deleted", "sha256": "2a49cf8319bd2a5a16d2286014217d41ffe4680b5e7a367b131ebf7124853339", "type": "query", 
@@ -3938,30 +5252,53 @@ "version": 100 }, "884e87cc-c67b-4c90-a4ed-e1e24a940c82": { + "min_stack_version": "8.6", "rule_name": "Potential Suspicious Clipboard Activity Detected", "sha256": "0177e89bdd890b3651f0d3bc7bb08aa7a71cc97d95e6f965d2131a132599a839", "type": "new_terms", "version": 4 }, "88671231-6626-4e1b-abb7-6e361a171fbb": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Global Administrator Role Assigned", + "sha256": "bb6703bc49a5b12297b62e2aa1b7a9e5f01ce6108eabbd1d541ec655dd35ac50", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Global Administrator Role Assigned", "sha256": "1bc2ee513c9a3702d258107ccaa36ce6f728f37804a83afe41ec0386f3386f66", "type": "query", "version": 206 }, "88817a33-60d3-411f-ba79-7c905d865b2a": { + "min_stack_version": "8.3", "rule_name": "Sublime Plugin or Application Script Modification", "sha256": "e1e70345125002f7b837c9c87a54b449497d0b8a5d4f32f30e24b28185445925", "type": "eql", "version": 107 }, "88fdcb8c-60e5-46ee-9206-2663adf1b1ce": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 102, + "rule_name": "Potential Sudo Hijacking Detected", + "sha256": "28eba13edb2d9454c08d86938d6bf41ed614c2c32879ec8719cd571c0c9cbef5", + "type": "eql", + "version": 3 + } + }, "rule_name": "Potential Sudo Hijacking Detected", "sha256": "3d49290bdfa2269196ce840768887b0c20588d07f406eef1f33e10c6117246e0", "type": "new_terms", "version": 105 }, "891cb88e-441a-4c3e-be2d-120d99fe7b0d": { + "min_stack_version": "8.3", "rule_name": "Suspicious WMI Image Load from MS Office", "sha256": "ce3fa8639f8be47fdbd516d085eb1359d5c76c41cc11e38b92a58495b3340443", "type": "eql", 
@@ -3974,24 +5311,28 @@ "version": 100 }, "897dc6b5-b39f-432a-8d75-d3730d50c782": { + "min_stack_version": "8.3", "rule_name": "Kerberos Traffic from Unusual Process", "sha256": "2013e3e6c582953aa80b60a4839fd4a71480f61227c7c5eea6a58e6835031b50", "type": "eql", "version": 110 }, "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { + "min_stack_version": "8.3", "rule_name": "Command Prompt Network Connection", "sha256": "85227491b3d44bf45d31d60e2dd5bfe543b04cc13549ad5abd43164d69fbe271", "type": "eql", "version": 108 }, "89fa6cb7-6b53-4de2-b604-648488841ab8": { + "min_stack_version": "8.3", "rule_name": "Persistence via DirectoryService Plugin Modification", "sha256": "7e7bfe7e3320055b9e14c1193bb2f5ecf812a4611d29fb12f0f07137bb6dd03b", "type": "query", "version": 106 }, "8a024633-c444-45c0-a4fe-78128d8c1ab6": { + "min_stack_version": "8.3", "rule_name": "Suspicious Symbolic Link Created", "sha256": "6041852ef2da176bb02a69879e30441c9842802e2b5e06678aaca5653322cf32", "type": "eql", @@ -4005,18 +5346,21 @@ "version": 3 }, "8a0fd93a-7df8-410d-8808-4cc5e340f2b9": { + "min_stack_version": "8.3", "rule_name": "GitHub PAT Access Revoked", "sha256": "2da8385cb4225c3a080f85def407322ed423d41cdeaec25622ddcced2bad28a4", "type": "eql", "version": 1 }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { + "min_stack_version": "8.3", "rule_name": "Setuid / Setgid Bit Set via chmod", "sha256": "9c15ba48b9d09639823c4d9695769a98190668b5a82f91664552b3a1d00134d5", "type": "query", "version": 103 }, "8a1d4831-3ce6-4859-9891-28931fa6101d": { + "min_stack_version": "8.3", "rule_name": "Suspicious Execution from a Mounted Device", "sha256": "78673e3f95e690470a888733b99665c1ceb566b839d08ffa96c74f670db2afb3", "type": "eql", @@ -4025,7 +5369,7 @@ "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Attempt to Deactivate an Okta Network Zone", "sha256": "f01b127b08601cf43cda877946ee97bf4bc51e4cff8f27b3e3dc4a809a3bf009", 
@@ -4039,120 +5383,149 @@ "version": 206 }, "8acb7614-1d92-4359-bfcf-478b6d9de150": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "Suspicious JAVA Child Process", + "sha256": "c0f26a306606e4329dc19352d7f927e70467ccc86747f18345aefcf194110e16", + "type": "eql", + "version": 105 + } + }, "rule_name": "Suspicious JAVA Child Process", "sha256": "c73d3fa21849f702bf7a08d4182ce1e62bbf2096eef54418fd5faf94e042da75", "type": "new_terms", "version": 208 }, "8af5b42f-8d74-48c8-a8d0-6d14b4197288": { + "min_stack_version": "8.3", "rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287", "sha256": "9f1d8eb4a1676be7fbf66706cbd1e8a9eec262049a93bfc3e771c3d33033f140", "type": "eql", "version": 4 }, "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { + "min_stack_version": "8.3", "rule_name": "Executable File Creation with Multiple Extensions", "sha256": "bccda8eb5129b06f4f741772f5096f1be5c8365b976b07a61c32e442f9138298", "type": "eql", "version": 108 }, "8b4f0816-6a65-4630-86a6-c21c179c0d09": { + "min_stack_version": "8.3", "rule_name": "Enable Host Network Discovery via Netsh", "sha256": "78eb240c8eeeb4d9df8d9454ba4f91306bbffcdf8b395c3a62c87009f89504de", "type": "eql", "version": 109 }, "8b64d36a-1307-4b2e-a77b-a0027e4d27c8": { + "min_stack_version": "8.3", "rule_name": "Azure Kubernetes Events Deleted", "sha256": "8a4def186433798cec337c4f9e6b8b1ac62a38ad3789dd570670d22444e74fb9", "type": "query", "version": 102 }, "8c1bdde8-4204-45c0-9e0c-c85ca3902488": { + "min_stack_version": "8.3", "rule_name": "RDP (Remote Desktop Protocol) from the Internet", "sha256": "97a0561922556e3ced27828faed777dc5a0ab1da7843bfef7c19929702a26f4b", "type": "query", "version": 103 }, "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { + "min_stack_version": "8.3", "rule_name": "Unusual Child Process of dns.exe", "sha256": "a6ecf9a561d41bac0bb75fbf33f868dc71ed4fc5e07f914780fd73c29dcdb1ba", "type": "eql", "version": 110 }, 
"8c81e506-6e82-4884-9b9a-75d3d252f967": { + "min_stack_version": "8.3", "rule_name": "Potential SharpRDP Behavior", "sha256": "133e1acd35b1b06ce036bf672f04203863a4f2e1c535cc722321f198d71bffda", "type": "eql", "version": 106 }, "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": { + "min_stack_version": "8.3", "rule_name": "Ransomware - Detected - Elastic Endgame", "sha256": "b84c5e839efdbf68fe7169726ffe8ce015b356dfe0ea25b276db55b22b85d8f2", "type": "query", "version": 103 }, "8cb84371-d053-4f4f-bce0-c74990e28f28": { + "min_stack_version": "8.3", "rule_name": "Potential Successful SSH Brute Force Attack", "sha256": "eb0397acce03ec5fcb5a10ba7467e1b55e0f73f4a401dfe97878133f487f4483", "type": "eql", "version": 11 }, "8d366588-cbd6-43ba-95b4-0971c3f906e5": { + "min_stack_version": "8.3", "rule_name": "File with Suspicious Extension Downloaded", "sha256": "c9d44fd0d41abacd96c54ff4dc4f7a22c34b77b8c64245a7856f8ea12ed3d0b0", "type": "eql", "version": 3 }, "8d3d0794-c776-476b-8674-ee2e685f6470": { + "min_stack_version": "8.8", "rule_name": "Suspicious Interactive Shell Spawned From Inside A Container", "sha256": "98d9856fbf5ecafe5dad0a89fd9c9d5281e1c02fee5b91a84b352c727f87441e", "type": "eql", "version": 2 }, "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": { + "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via PKEXEC", "sha256": "a9c592609916001eeb489115d3ab416659f25485e68e33061d9b0e8903972698", "type": "eql", "version": 108 }, "8ddab73b-3d15-4e5d-9413-47f05553c1d7": { + "min_stack_version": "8.3", "rule_name": "Azure Automation Runbook Deleted", "sha256": "6c88b863fccfcdd4aa41e1c790530f97914dc652a10e9121e26a28194746179c", "type": "query", "version": 102 }, "8e39f54e-910b-4adb-a87e-494fbba5fb65": { + "min_stack_version": "8.3", "rule_name": "Potential Outgoing RDP Connection by Unusual Process", "sha256": "e724d32f7d8923ac1608a48ba78404bda59c6db4b1475a392ad766f4e0853459", "type": "eql", "version": 3 }, "8eec4df1-4b4b-4502-b6c3-c788714604c9": { + "min_stack_version": 
"8.3", "rule_name": "Bitsadmin Activity", "sha256": "39ca4c3ed7500f428501bf32d7b5361c687e94b712b9d7742406bb4c804bb53b", "type": "eql", "version": 2 }, "8f242ffb-b191-4803-90ec-0f19942e17fd": { + "min_stack_version": "8.3", "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation", "sha256": "60451d80b47ef91bfe8095934b32b4899ae705a33e3df155894a58dc67c97ce6", "type": "eql", "version": 1 }, "8f3e91c7-d791-4704-80a1-42c160d7aa27": { + "min_stack_version": "8.3", "rule_name": "Potential Port Monitor or Print Processor Registration Abuse", "sha256": "bb44b0120653077a52d8fbfb935aa73998db23fe25b3c188024f3a96b09b8e4c", "type": "eql", "version": 106 }, "8f919d4b-a5af-47ca-a594-6be59cd924a4": { + "min_stack_version": "8.3", "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", "sha256": "feec1ce2bdf4dbddf251d9f16a07f5123eb30116c1ee43415fafe3390499db68", "type": "eql", "version": 107 }, "8fb75dda-c47a-4e34-8ecd-34facf7aad13": { + "min_stack_version": "8.3", "rule_name": "GCP Service Account Deletion", "sha256": "3c8184358856969e1362e374b7c72a678a3df1dc9ae082111b0ba80d01a44dcb", "type": "query", 
@@ -4165,24 +5538,37 @@ "version": 100 }, "90169566-2260-4824-b8e4-8615c3b4ed52": { + "min_stack_version": "8.3", "rule_name": "Hping Process Activity", "sha256": "59016f24c9fb4a9e0120058222b3dccfbc94b5d0316a6762207a6eb3fc312a0c", "type": "eql", "version": 108 }, "9055ece6-2689-4224-a0e0-b04881e1f8ad": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Deletion of RDS Instance or Cluster", + "sha256": "637b97f8e4d2c60b80d6427cd89d111d077543e2103cb3a96f9e35e577bd9caa", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Deletion of RDS Instance or Cluster", "sha256": "123109fe70f635c2d9a5bae3df07789309b38a6d09b1d892aa2df1bdba5ad241", "type": "query", "version": 206 }, "9092cd6c-650f-4fa3-8a8a-28256c7489c9": { + "min_stack_version": "8.3", "rule_name": "Keychain Password Retrieval via Command Line", "sha256": "d0daaa99eff7d2f0f8a96916e7c4220209cc9015faebc9be56268cf601ac36b3", "type": "eql", "version": 108 }, "90babaa8-5216-4568-992d-d4a01a105d98": { + "min_stack_version": "8.3", "rule_name": "InstallUtil Activity", "sha256": "b3e654521bd77a07433f951786a8b37f3f4bb9ef9459f8cbfd080af927ebf5f9", "type": "eql", 
@@ -4195,36 +5581,51 @@ "version": 100 }, "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": { + "min_stack_version": "8.3", "rule_name": "GCP Virtual Private Cloud Route Creation", "sha256": "ef3f13ea53f5eeca327dcdcd4a456b5375942dc90208cc6bced56c5c208eeb79", "type": "query", "version": 104 }, "91d04cd4-47a9-4334-ab14-084abe274d49": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS WAF Access Control List Deletion", + "sha256": "4d59ddb17973a139d9be0a601ce33dda6071ea802724f0bd0333d7db8722280c", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS WAF Access Control List Deletion", "sha256": "7bcb7719e201f748986a026ff97c52bfce72b11730f1c15a39516be29c7fe7a1", "type": "query", "version": 206 }, "91f02f01-969f-4167-8d77-07827ac4cee0": { + "min_stack_version": "8.3", "rule_name": "Unusual Web User Agent", "sha256": "085e5fd9bc868b88d70882d6ff9ad8cd88277bde6a5536d032d204050b191347", "type": "machine_learning", "version": 103 }, "91f02f01-969f-4167-8f55-07827ac3acc9": { + "min_stack_version": "8.3", "rule_name": "Unusual Web Request", "sha256": "ca0f4d650120d7af5f5c1b882104229c33beac3e20991c9c22403a8a79b89ae1", "type": "machine_learning", "version": 103 }, "91f02f01-969f-4167-8f66-07827ac3bdd9": { + "min_stack_version": "8.3", "rule_name": "DNS Tunneling", "sha256": "30ea79771106d5283bb2b93e9376e9b56ebb99c37ef021f485fdc2ea17c783ea", "type": "machine_learning", "version": 103 }, "929223b4-fba3-4a1c-a943-ec4716ad23ec": { + "min_stack_version": "8.3", "rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account", "sha256": "dfae7535f5caafed8358bc16a68a6a501122ec05eae29c1f291da2416cad5ca9", "type": "threshold", 
@@ -4233,7 +5634,7 @@ "92984446-aefb-4d5e-ad12-598042ca80ba": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 107, "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", "sha256": "2f82ee830e43259016d4adf959d1c08b65e5c44f66accebde1c7a3aece556548", 
@@ -4247,102 +5648,173 @@ "version": 108 }, "92a6faf5-78ec-4e25-bea1-73bacc9b59d9": { + "min_stack_version": "8.3", "rule_name": "A scheduled task was created", "sha256": "d54ac464d0549dec4468d4706dfce032e2e8bed176f5ece56f3c6430378aff76", "type": "eql", "version": 8 }, "92d3a04e-6487-4b62-892d-70e640a590dc": { + "min_stack_version": "8.3", "rule_name": "Potential Evasion via Windows Filtering Platform", "sha256": "1985305e54165a73be2bdfd8d6de615ed21edde213a17f11911f0a25cdd28c0c", "type": "eql", "version": 3 }, "93075852-b0f5-4b8b-89c3-a226efae5726": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Security Token Service (STS) AssumeRole Usage", + "sha256": "2e6053408cd8709eca1ec8f67f1435cba0deae2486a175e0943f710e9ee4e2b3", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Security Token Service (STS) AssumeRole Usage", "sha256": "b0f5b4e396353924df242d69030559c5fd2dab01d092d3573750a4611ce59860", "type": "query", "version": 206 }, "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 202, + "rule_name": "Sudoers File Modification", + "sha256": "61b18d5eee007e352b11ee5d0b8cd560ef127b7ca4a6704381e1b1f0bfe6e1ef", + "type": "query", + "version": 103 + } + }, "rule_name": "Sudoers File Modification", "sha256": "f4d948d4c06ecb8fae9ce5be98bc19d8200ccb0e271913c4b2c41c01a45233b2", "type": "new_terms", "version": 204 }, "9395fd2c-9947-4472-86ef-4aceb2f7e872": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS VPC Flow Logs Deletion", + "sha256": "f3c39ae72c93e6c08f938d780fc70f56119ce17eb3ef31cf7645331efed700c3", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS VPC Flow Logs Deletion", "sha256": "25e4d08e828c9f763d9f42004a1d8bb865f62993bd8f235e95fc5513208e03a6", "type": "query", "version": 209 }, "93b22c0a-06a0-4131-b830-b10d5e166ff4": { + "min_stack_version": 
"8.3", "rule_name": "Suspicious SolarWinds Child Process", "sha256": "6f65d57f4b54ada16ae7a6bf781a64d84a83409df693cadbcf9a736633154606", "type": "eql", "version": 110 }, "93c1ce76-494c-4f01-8167-35edfb52f7b1": { + "min_stack_version": "8.3", "rule_name": "Encoded Executable Stored in the Registry", "sha256": "d3a171c7ed51757d8f3f02d63a51e5a37f3a6d639b0766a24c42f22c01c87851", "type": "eql", "version": 107 }, "93e63c3e-4154-4fc6-9f86-b411e0987bbf": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 202, + "rule_name": "Google Workspace Admin Role Deletion", + "sha256": "723578f77b081beb3b8a8da703208e1279aa15eba410de837d67b390c4334bbe", + "type": "query", + "version": 104 + } + }, "rule_name": "Google Workspace Admin Role Deletion", "sha256": "cab219f6e8b4ccaf91b7f6190f1d098c08ddc5b898d2e1566965ba6039a72657", "type": "query", "version": 205 }, "93f47b6f-5728-4004-ba00-625083b3dcb0": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 203, + "rule_name": "Modification of Standard Authentication Module or Configuration", + "sha256": "db86c17797a8d52db5ea04999393ce5c37395cc6a46b34ec1cd0da3f02d0435f", + "type": "query", + "version": 104 + } + }, "rule_name": "Modification of Standard Authentication Module or Configuration", "sha256": "1e01d9186d48db4667fa030761b3f63e12f70737f7fb423eb05d385ad1e6db30", "type": "new_terms", "version": 204 }, "947827c6-9ed6-4dec-903e-c856c86e72f3": { + "min_stack_version": "8.3", "rule_name": "Creation of Kernel Module", "sha256": "567ba4167bba7fcade95c2541b715738b5656e11712923c258d65bf3dc1dd533", "type": "eql", "version": 3 }, "94a401ba-4fa2-455c-b7ae-b6e037afc0b7": { + "min_stack_version": "8.3", "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", "sha256": "31677cdb4cb00d90106a66e1b086ad61ada306117acf7b0af9e17d13a96b91f0", "type": "eql", "version": 8 }, "9510add4-3392-11ed-bd01-f661ea17fbce": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + 
"max_allowable_version": 103, + "rule_name": "Google Workspace Custom Gmail Route Created or Modified", + "sha256": "0c7bcbc73caec8df64f6e5d9c2430357baaef7371ef1f47b25b5f5bd7f6edf7f", + "type": "query", + "version": 5 + } + }, "rule_name": "Google Workspace Custom Gmail Route Created or Modified", "sha256": "13c2c8915478dad932a8b2375537e1960622c8dde7a6ac83375802a12c539fe1", "type": "query", "version": 106 }, "951779c2-82ad-4a6c-82b8-296c1f691449": { + "min_stack_version": "8.3", "rule_name": "Potential PowerShell Pass-the-Hash/Relay Script", "sha256": "7675d578e4dd24bc57bd2bbf670bfc9415f87ba8a2f3ddf8e8a7c00d3641d5f6", "type": "query", "version": 1 }, "954ee7c8-5437-49ae-b2d6-2960883898e9": { + "min_stack_version": "8.3", "rule_name": "Remote Scheduled Task Creation", "sha256": "efc5bf9425039882bd50862795a48859ffe194bee570ae43e2268a9fbea9fe80", "type": "eql", "version": 108 }, "959a7353-1129-4aa7-9084-30746b256a70": { + "min_stack_version": "8.3", "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", "sha256": "ec182387ccb79ee33c05281674fdc60fea9112866634a0782d814363c238711c", "type": "query", "version": 108 }, "9661ed8b-001c-40dc-a777-0983b7b0c91a": { + "min_stack_version": "8.8", "rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container", "sha256": "54b3d3c9b093b147b2a9544592815de34c26f37b971ca155743f92fafcd674b9", "type": "eql", "version": 2 }, "968ccab9-da51-4a87-9ce2-d3c9782fd759": { + "min_stack_version": "8.3", "rule_name": "File made Immutable by Chattr", "sha256": "c2d2cfe2f74f7c4a8901ab56d95245ba900ce8e18c828bf0a2ad894b6260731e", "type": "eql", @@ -4351,7 +5823,7 @@ "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 204, "rule_name": "Attempt to Create Okta API Token", "sha256": "14b3f9e9b5e605ca66fa3d7115e312ba72ced80772e0d51928496be9202b6353", 
@@ -4365,30 +5837,53 @@ "version": 205 }, "96d11d31-9a79-480f-8401-da28b194608f": { + "min_stack_version": "8.6", "rule_name": "Potential Persistence Through MOTD File Creation Detected", "sha256": "bc9916d1a1cd785c77d6f24073b3b607cdcefc196480e1f09e5e734866ac7fb1", "type": "new_terms", "version": 9 }, "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": { + "min_stack_version": "8.7", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Access to Keychain Credentials Directories", + "sha256": "2860753d4532b37b174d6b8e3e1314b0a7a0b3f54b74a7899205e53bacbae0de", + "type": "eql", + "version": 107 + } + }, "rule_name": "Access to Keychain Credentials Directories", "sha256": "a4bde834d3628dca2daee592ed3741c7ccd55a25840f58603fdccb98e7368d63", "type": "eql", "version": 207 }, "97020e61-e591-4191-8a3b-2861a2b887cd": { + "min_stack_version": "8.3", "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process", "sha256": "a3cff32c0bdbd78533b034070c4a270116087312c08ff8511d9bfd520be44f36", "type": "eql", "version": 7 }, "97314185-2568-4561-ae81-f3e480e5e695": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification", + "sha256": "5e3900d8aa0de4868a0980ccd44983433b4f857bddf099cf73275a57e5145c8f", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification", "sha256": "9c1981f0822634de6f020d5301b100c703d19724dd486e288398596ff23b18e6", "type": "query", "version": 206 }, "97359fd8-757d-4b1d-9af1-ef29e4a8680e": { + "min_stack_version": "8.3", "rule_name": "GCP Storage Bucket Configuration Modification", "sha256": "8898fb2725e12947da9bb2c12a300e9093f6eef9c309b3ff30af48d018501dd6", "type": "query", 
@@ -4402,6 +5897,16 @@ "version": 1 }, "979729e7-0c52-4c4c-b71e-88103304a79f": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS SAML Activity", + "sha256": "5ccb2e9205c690a15eeb580f91fbced1746f6a12cd487ec983e1bdb8b5f7b33d", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS SAML Activity", "sha256": "37af41b152c5085758547bee67d9f0387f5f07fcba690c925338905f100cc43d", "type": "query", @@ -4410,7 +5915,7 @@ "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 206, "rule_name": "Potential Abuse of Repeated MFA Push Notifications", "sha256": "c65175629b87978771837a807d4ff8b51d3ae081548603d49475754979b246b4", @@ -4424,6 +5929,7 @@ "version": 209 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { + "min_stack_version": "8.3", "rule_name": "Suspicious Zoom Child Process", "sha256": "5cefb7cdb856211a9d1070aa4ef9637c41633768b6b8b4d92c520b3d0544b976", "type": "eql", @@ -4436,6 +5942,7 @@ "version": 100 }, "97db8b42-69d8-4bf3-9fd4-c69a1d895d68": { + "min_stack_version": "8.5", "rule_name": "Suspicious Renaming of ESXI Files", "sha256": "134cc7f77ddd008b061f698e64cd7b3c5fc67db9adca8e3ecc35436d6136bc39", "type": "eql", 
@@ -4448,108 +5955,169 @@ "version": 100 }, "97fc44d3-8dae-4019-ae83-298c3015600f": { + "min_stack_version": "8.3", "rule_name": "Startup or Run Key Registry Modification", "sha256": "361fc9bece9212d2816e83198a13e6951dc8e63c878162f552778218c8711684", "type": "eql", "version": 111 }, "980b70a0-c820-11ed-8799-f661ea17fbcc": { + "min_stack_version": "8.4", "rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User", "sha256": "bca34a9cc93d913e9dd7b38378787f84bffb714c7a1ff0e76fe33c0b81cce627", "type": "eql", "version": 3 }, "98843d35-645e-4e66-9d6a-5049acd96ce1": { + "min_stack_version": "8.3", "rule_name": "Indirect Command Execution via Forfiles/Pcalua", "sha256": "1a205cf65c5d3958f5a75ef9944f9e7c7f8edc9dce54de95c5cc236303ed1416", "type": "eql", "version": 2 }, "9890ee61-d061-403d-9bf6-64934c51f638": { + "min_stack_version": "8.3", "rule_name": "GCP IAM Service Account Key Deletion", "sha256": "f6e73ab78ecb9bdcafce24cf4de95c3ad91c3b9f84ebde53d8a1184c1145cbff", "type": "query", "version": 104 }, "98995807-5b09-4e37-8a54-5cae5dc932d7": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Exchange Management Group Role Assignment", + "sha256": "a8d4e67d87194878313ca642bb0cfef0c9fc3750c6cf26a8b74eeac52d8a0c9e", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Exchange Management Group Role Assignment", "sha256": "e5669429abd5547d912048bcc97739ccf3bfa45d4d74e324d1ab2bfd2076322c", "type": "query", "version": 206 }, "98fd7407-0bd5-5817-cda0-3fcc33113a56": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS EC2 Snapshot Activity", + "sha256": "ed1f4e4296f79824714df9f3010887d3ecd69c44ffbf728bed8d47197ea5e08e", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS EC2 Snapshot Activity", "sha256": "0bcbd76d8bc2c0abdaa12111fbc563952e549b58223fb5c1376a1f268453a2c1", "type": "query", "version": 209 
}, "990838aa-a953-4f3e-b3cb-6ddf7584de9e": { + "min_stack_version": "8.3", "rule_name": "Process Injection - Prevented - Elastic Endgame", "sha256": "a02da9b5d7a30fe8e11ecdc06e8302ca4077986141d830dffc5a3ea2af2180fa", "type": "query", "version": 103 }, "99239e7d-b0d4-46e3-8609-acafcf99f68c": { + "min_stack_version": "8.3", "rule_name": "MacOS Installer Package Spawns Network Event", "sha256": "a13a4be8fd4f869d6387397192b1e56e6ff008c345ae84e5fafd4a4d28697584", "type": "eql", "version": 107 }, "994e40aa-8c85-43de-825e-15f665375ee8": { + "min_stack_version": "8.9", "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", "sha256": "482926261657f74d6e44dd1fcdcd25df11184139e079a28e9558d172a94bc94f", "type": "eql", "version": 4 }, "9960432d-9b26-409f-972b-839a959e79e2": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Potential Credential Access via LSASS Memory Dump", + "sha256": "51227a6967396d84ff70c0b13a8a92fe16f45b0f6824b1cafb1b648ea5d5fddd", + "type": "eql", + "version": 106 + } + }, "rule_name": "Potential Credential Access via LSASS Memory Dump", "sha256": "2a6ab34b2777b1c0c5811839d0fb72b2778f887ef1ff8f877e8c2a1d8158a292", "type": "eql", "version": 209 }, "99dcf974-6587-4f65-9252-d866a3fdfd9c": { + "min_stack_version": "8.3", "rule_name": "Spike in Failed Logon Events", "sha256": "1a2c14a7384dc942a3ff18edf7acc8a80867ba7213895616cb80e917fa985a6f", "type": "machine_learning", "version": 104 }, "9a1a2dae-0b5f-4c3d-8305-a268d404c306": { + "min_stack_version": "8.3", "rule_name": "Endpoint Security", "sha256": "3ae0acbbd3b1f49e9a79f6db57b01b04ec80eb8493223e6baa3db0f545a5512d", "type": "query", "version": 103 }, "9a3884d0-282d-45ea-86ce-b9c81100f026": { + "min_stack_version": "8.3", "rule_name": "Unsigned BITS Service Client Process", "sha256": "6c6b0a4cca70f6f55c5b73ca65607b2b546521f99bef8c3eeec5a873a4cebdcf", "type": "eql", "version": 2 }, 
"9a3a3689-8ed1-4cdb-83fb-9506db54c61f": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 104, + "rule_name": "Potential Shadow File Read via Command Line Utilities", + "sha256": "956ccfb72b0b0545eedcac7869c1de45bcdc05490d5bf7c07da51f94442f4cf8", + "type": "eql", + "version": 6 + }, + "8.4": { + "max_allowable_version": 207, + "rule_name": "Potential Shadow File Read via Command Line Utilities", + "sha256": "25484718086d5b02486408a92befb4c3f5ad9114ca059168686f84ada6efb1c0", + "type": "new_terms", + "version": 108 + } + }, "rule_name": "Potential Shadow File Read via Command Line Utilities", "sha256": "6d3b04cf53c9662f1a011b9b8d0b412aa1fb0f3bfe1771f6a1807b4bf76c1780", "type": "new_terms", "version": 208 }, "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { + "min_stack_version": "8.3", "rule_name": "Suspicious Explorer Child Process", "sha256": "73643376218cb6a9dc9c17dcbc0e1e2a68c19dba4b20e180663b4a7c2a5953b7", "type": "eql", "version": 109 }, "9aa0e1f6-52ce-42e1-abb3-09657cee2698": { + "min_stack_version": "8.3", "rule_name": "Scheduled Tasks AT Command Enabled", "sha256": "70c14e4efec28255020d7227acf60ade921f89c6f4f6f20df7eefe9f083993ce", "type": "eql", "version": 109 }, "9b343b62-d173-4cfd-bd8b-e6379f964ca4": { + "min_stack_version": "8.3", "rule_name": "GitHub Owner Role Granted To User", "sha256": "a4b8ee93d7e52d2b59d4df47a27d69a9e5fba2c405d327006dddd367e0aedf2c", "type": "eql", "version": 3 }, "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { + "min_stack_version": "8.3", "rule_name": "Persistence via WMI Event Subscription", "sha256": "36be7f5bc34d95f4e0db0866f200db91e20c57104c47535e70c0579f42c47d7c", "type": "eql", 
@@ -4563,30 +6131,44 @@ "version": 2 }, "9c260313-c811-4ec8-ab89-8f6530e0246c": { + "min_stack_version": "8.3", "rule_name": "Hosts File Modified", "sha256": "9857acc6de8b05c65a249bb32fb2aa5bb50283f5ac6aa34dfc4285a8a1abb5e2", "type": "eql", "version": 108 }, "9c865691-5599-447a-bac9-b3f2df5f9a9d": { + "min_stack_version": "8.3", "rule_name": "Remote Scheduled Task Creation via RPC", "sha256": "0f64c28a181949a1efa09b4f30225af7c831dc379510fde5484cb91ebbe9059e", "type": "eql", "version": 8 }, "9c951837-7d13-4b0c-be7a-f346623c8795": { + "min_stack_version": "8.3", "rule_name": "Potential Enumeration via Active Directory Web Service", "sha256": "8e3c38ce419b110b9a63f544e1faf01b054304e08d40cb4e20a08b87e0ef44c1", "type": "eql", "version": 2 }, "9ccf3ce0-0057-440a-91f5-870c6ad39093": { + "min_stack_version": "8.3", "rule_name": "Command Shell Activity Started via RunDLL32", "sha256": "c9b88b1d61f94153253dffb64b83381cc6f37396d6969056f29e0e983d7f0057", "type": "eql", "version": 110 }, "9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 103, + "rule_name": "Google Workspace User Group Access Modified to Allow External Access", + "sha256": "4ca64be8b81634872abafdfb31ec9ad8ac4825ceb19369bc47a5f59f0cd15968", + "type": "query", + "version": 5 + } + }, "rule_name": "Google Workspace User Group Access Modified to Allow External Access", "sha256": "3de5e59006729a058c18b93a17cacead586bbf1a2893756ce0951d59aa5bfdfd", "type": "query", 
@@ -4599,168 +6181,248 @@ "version": 100 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "Microsoft Build Engine Started by a Script Process", + "sha256": "a7dda34610cf31fe8bd552ca7b1be438b979f718bba2f25c1bfbe2dcf6e399c2", + "type": "eql", + "version": 105 + } + }, "rule_name": "Microsoft Build Engine Started by a Script Process", "sha256": "927ea94b2491233b45213f4d45a252a511d8929778022d54b8ce9c55b572508c", "type": "new_terms", "version": 209 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { + "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Started by a System Process", "sha256": "c485e1358f4158ae03a14255b6d46e7c55467c0fadf17bb618b1ea57366ef1e1", "type": "eql", "version": 110 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { + "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Using an Alternate Name", "sha256": "9821305b0eebf7cd0540a8a4af112f0cb88abf4dc3bbbe323ade7a203ccf4b08", "type": "eql", "version": 112 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { + "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Trusted Developer Utility", "sha256": "b1e378c91ed40734538a8f0ef48435f4f5e8446ac71e923e12737fe89f84b8c5", "type": "eql", "version": 110 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft Build Engine Started an Unusual Process", + "sha256": "a31248c2a77ee248c66bc397338932837d26cb27e8d0fe2ecc59cb2fd6705d5d", + "type": "eql", + "version": 106 + } + }, "rule_name": "Microsoft Build Engine Started an Unusual Process", "sha256": "88f6d6c995a534b5becc1676681e9c43a25e4a30332448f195ec5ae641b8b870", "type": "new_terms", "version": 211 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { + "min_stack_version": "8.3", "rule_name": "Process Injection by the Microsoft Build Engine", "sha256": 
"91a18c0e34d966e4822caade08e77bf1677f953f76672f72c51ed95c86968438", "type": "query", "version": 106 }, "9d19ece6-c20e-481a-90c5-ccca596537de": { + "min_stack_version": "8.3", "rule_name": "LaunchDaemon Creation or Modification and Immediate Loading", "sha256": "7320bfb081717b130f02dbd9cf9b41a6d9df14eeb6eadaa18a986b64c7a798f8", "type": "eql", "version": 106 }, "9d302377-d226-4e12-b54c-1906b5aec4f6": { + "min_stack_version": "8.3", "rule_name": "Unusual Linux Process Calling the Metadata Service", "sha256": "a8ec37b93c67426decc04bb1828dece6c21599efba58c2bcbdba4de0db24d7e5", "type": "machine_learning", "version": 103 }, "9f1c4ca3-44b5-481d-ba42-32dc215a2769": { + "min_stack_version": "8.3", "rule_name": "Potential Protocol Tunneling via EarthWorm", "sha256": "0acdc01e1894806e1b2e1a96df91a299f0324172f6e08fa06b75cb6244675079", "type": "eql", "version": 110 }, "9f962927-1a4f-45f3-a57b-287f2c7029c1": { + "min_stack_version": "8.3", "rule_name": "Potential Credential Access via DCSync", "sha256": "d4d6d4838b5cf551986e8f7b4335f15eb0910a85ed8f40f695e52e1141147407", "type": "eql", "version": 113 }, "9f9a2a82-93a8-4b1a-8778-1780895626d4": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "File Permission Modification in Writable Directory", + "sha256": "6c93604ac3f7c4e56ba67f913a4b594887a31706b87f87c25ce6fe48e9608fc3", + "type": "eql", + "version": 106 + } + }, "rule_name": "File Permission Modification in Writable Directory", "sha256": "bb48a554acead2212b1c7f843dc9352b7f546a24999c026f249e82bfb88acd46", "type": "new_terms", "version": 210 }, "a00681e3-9ed6-447c-ab2c-be648821c622": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Access Secret in Secrets Manager", + "sha256": "8a809b35c09aae82a1f066892fa5746325703203ff96d57019f0c0566dc602fe", + "type": "query", + "version": 106 + }, + "8.6": { + "max_allowable_version": 307, + "rule_name": "First Time Seen AWS 
Secret Value Accessed in Secrets Manager", + "sha256": "a470900ff108beb4fc2bd4b7b585eab94d9c4069ec2fdc41e3d7b241c6fd4263", + "type": "new_terms", + "version": 208 + } + }, "rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", "sha256": "378a46774155bf6146f1d357c4e693e994e2122c127ec368b79c9186c4eea17e", "type": "new_terms", "version": 310 }, "a02cb68e-7c93-48d1-93b2-2c39023308eb": { + "min_stack_version": "8.3", "rule_name": "A scheduled task was updated", "sha256": "f72866c48ccae69c487c9485afbf8ca05fc67403d5bda38d738920206c830645", "type": "eql", "version": 8 }, "a0ddb77b-0318-41f0-91e4-8c1b5528834f": { + "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Python cap_setuid", "sha256": "9771d73d6839772917b03b85707c361b758e7dd2ca3ae4daa997d9f3494564a3", "type": "eql", "version": 3 }, "a10d3d9d-0f65-48f1-8b25-af175e2594f5": { + "min_stack_version": "8.3", "rule_name": "GCP Pub/Sub Topic Creation", "sha256": "d1f3342fcfc31b466666d2653d511406c8d7118d669a1c5a031be8300152cc93", "type": "query", "version": 105 }, "a13167f1-eec2-4015-9631-1fee60406dcf": { + "min_stack_version": "8.3", "rule_name": "InstallUtil Process Making Network Connections", "sha256": "f8829b614b96a55bdf35e84d28329b3efdbd1d18224ab1987b6e6dc5aabea65f", "type": "eql", "version": 107 }, "a1329140-8de3-4445-9f87-908fb6d824f4": { + "min_stack_version": "8.3", "rule_name": "File Deletion via Shred", "sha256": "7cceb36ddd019047252c9fdd913eef7af8d679620d610af2da4243906b976b48", "type": "eql", "version": 109 }, "a16612dd-b30e-4d41-86a0-ebe70974ec00": { + "min_stack_version": "8.3", "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", "sha256": "90670896181f2ae7afdbd86f7ba48b393d39687df3d9ff84a3061265a8c90486", "type": "eql", "version": 106 }, "a1699af0-8e1e-4ed0-8ec1-89783538a061": { + "min_stack_version": "8.3", "rule_name": "Windows Subsystem for Linux Distribution Installed", "sha256": 
"45960ca284b367be8f1699088f866e56e2c72c2a5205c1c1ac4a309354ab6119", "type": "eql", "version": 7 }, "a17bcc91-297b-459b-b5ce-bc7460d8f82a": { + "min_stack_version": "8.3", "rule_name": "GCP Virtual Private Cloud Route Deletion", "sha256": "5830a379ffe8c72546a1ff07b39d70c6d196815e08f8e584828c81640426aa99", "type": "query", "version": 104 }, "a198fbbd-9413-45ec-a269-47ae4ccf59ce": { + "min_stack_version": "8.7", "rule_name": "My First Rule", "sha256": "0357b6b5d11fb9734295241301e64ac5a4ad73f8fe8919c4fc846366ddc3aa29", "type": "threshold", "version": 3 }, "a1a0375f-22c2-48c0-81a4-7c2d11cc6856": { + "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell Activity via Terminal", "sha256": "abc7a656bb0d4f63a1a6e01241d5070bd79d95767ddf50a96416c4cb1e21c0ea", "type": "eql", "version": 108 }, "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": { + "min_stack_version": "8.3", "rule_name": "Linux Group Creation", "sha256": "7fc88cc105fb44e6b06fe74f60102105a5d43b6174d0e52f9dafb31eda5b1bb7", "type": "eql", "version": 5 }, "a22a09c2-2162-4df0-a356-9aacbeb56a04": { + "min_stack_version": "8.3", "rule_name": "DNS-over-HTTPS Enabled via Registry", "sha256": "6c0ebc416f6fb4c7549a97d6a862ad6d780640637db60c907841fa20c7c70d8a", "type": "eql", "version": 109 }, "a2795334-2499-11ed-9e1a-f661ea17fbce": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 103, + "rule_name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App", + "sha256": "337d1765f1495c27d1a5daf28740c34409d3a57bbf7be559211000d47dd66469", + "type": "query", + "version": 5 + } + }, "rule_name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App", "sha256": "89b0c47b77b31a2b7c84dfe6195e371e6678e7153a116dd44c14e22eae50b16c", "type": "query", "version": 106 }, "a2d04374-187c-4fd9-b513-3ad4e7fdd67a": { + "min_stack_version": "8.3", "rule_name": "PowerShell Mailbox Collection Script", "sha256": 
"9da52a8d28edcb2f709109145e35bbb279d16227c6d4836c727a6764e3fffd58", "type": "query", "version": 7 }, "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { + "min_stack_version": "8.3", "rule_name": "Execution via local SxS Shared Module", "sha256": "68739f82fe835d6e8e546e396bd6b7166cab6ffb7af01ccc3d402c7b23ab1525", "type": "eql", "version": 108 }, "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": { + "min_stack_version": "8.3", "rule_name": "Windows Registry File Creation in SMB Share", "sha256": "e99c94faaac0789d4c0eb4168bdc6ce7813ec01a2cecbf150147733d63850942", "type": "eql", @@ -4773,6 +6435,7 @@ "version": 100 }, "a52a9439-d52c-401c-be37-2785235c6547": { + "min_stack_version": "8.8", "rule_name": "Netcat Listener Established Inside A Container", "sha256": "8f9886fc92a4c69f14005790f8fdaab0b79bfd94930a6aaadc156c7b8a78e146", "type": "eql", 
@@ -4786,78 +6449,100 @@ "version": 2 }, "a5eb21b7-13cc-4b94-9fe2-29bb2914e037": { + "min_stack_version": "8.6", "rule_name": "Potential Reverse Shell via UDP", "sha256": "1576ee101633693a68c7a223bc0bf033bf243cde11d3831ca0ba638c6761c681", "type": "eql", "version": 6 }, "a5f0d057-d540-44f5-924d-c6a2ae92f045": { + "min_stack_version": "8.3", "rule_name": "Potential SSH Brute Force Detected on Privileged Account", "sha256": "38d14b033e79ccc9d9cf97555e15e5132aaa6d8ca72e05d65885ee7bcc2feb22", "type": "eql", "version": 5 }, "a60326d7-dca7-4fb7-93eb-1ca03a1febbd": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS IAM Assume Role Policy Update", + "sha256": "76387a6bb7b623af513d1e3379567e01c3efd70a0fbf651fb1361a6a3fb63075", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS IAM Assume Role Policy Update", "sha256": "232deeb70c03fe09805ae4aedeb77133435af63645bd9833c8d0b945b1f950df", "type": "query", "version": 209 }, "a605c51a-73ad-406d-bf3a-f24cc41d5c97": { + "min_stack_version": "8.3", "rule_name": "Azure Active Directory PowerShell Sign-in", "sha256": "d50d23ae4c7359047320934418d1041ff10666e02a6ed8bc287366745ae74372", "type": "query", "version": 105 }, "a61809f3-fb5b-465c-8bff-23a8a068ac60": { + "min_stack_version": "8.5", "rule_name": "Threat Intel Windows Registry Indicator Match", "sha256": "498e400e2ab211c23df18b38f3485b255be2cf09808ae8221fc1f70ecfd680b6", "type": "threat_match", "version": 6 }, "a624863f-a70d-417f-a7d2-7a404638d47f": { + "min_stack_version": "8.3", "rule_name": "Suspicious MS Office Child Process", "sha256": "255c381e83fba4080d9c7a3ab7f1997d7a8cb5d664c64a8cd19f0be970ca8ae4", "type": "eql", "version": 112 }, "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": { + "min_stack_version": "8.3", "rule_name": "Emond Rules Creation or Modification", "sha256": "279439946377684a1551b3d271e82b7225b1323b970f0e63c7a12fc2ba805287", "type": "eql", "version": 107 }, "a74c60cb-70ee-4629-a127-608ead14ebf1": 
{ + "min_stack_version": "8.9", "rule_name": "High Mean of RDP Session Duration", "sha256": "22baca917bf8d8852f30384b7d4813aa7a370126e0338be3886963d94f2e6b8a", "type": "machine_learning", "version": 3 }, "a7ccae7b-9d2c-44b2-a061-98e5946971fa": { + "min_stack_version": "8.3", "rule_name": "Suspicious Print Spooler SPL File Created", "sha256": "ee29d9d05c756fbec35c09510be9ed92564671e5159b5e4afe4d9c4ff65d31ef", "type": "eql", "version": 111 }, "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": { + "min_stack_version": "8.3", "rule_name": "Credential Acquisition via Registry Hive Dumping", "sha256": "09276f9e697db4a2e29daddbecd34ad8fae5dcd59a2a81e1f5ef2bcfe9c3ba02", "type": "eql", "version": 110 }, "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": { + "min_stack_version": "8.3", "rule_name": "Web Application Suspicious Activity: POST Request Declined", "sha256": "ebfc9e780da093a1ff6bd51cae7eafadee5cf30f6044a85add7779f17d924a88", "type": "query", "version": 102 }, "a8afdce2-0ec1-11ee-b843-f661ea17fbcd": { + "min_stack_version": "8.3", "rule_name": "Suspicious File Downloaded from Google Drive", "sha256": "3d43bb8629f6abf3044732ac8445f0e4aff8492b8f21845bf1d349e73ab15295", "type": "eql", "version": 3 }, "a8d35ca0-ad8d-48a9-9f6c-553622dca61a": { + "min_stack_version": "8.9", "rule_name": "High Variance in RDP Session Duration", "sha256": "0c85e6c7047aef4143e8ed835f2d0fcafad301de7eb334082e04ff5a498e5539", "type": "machine_learning", 
@@ -4870,126 +6555,183 @@ "version": 100 }, "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled", + "sha256": "6414cc66c7c80d4240492b269f8c591d61734d2cec368c51642c367fcb0a0fda", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled", "sha256": "3d299427823ca14b62de2ac6ceb1e378df0601897aea618d82aaf2ac27a5b9e2", "type": "query", "version": 206 }, "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 202, + "rule_name": "Google Workspace Password Policy Modified", + "sha256": "6b7426c4610c0d99417b08152597279e42d5e7fb9b2a510913b106dddafe7abb", + "type": "query", + "version": 104 + } + }, "rule_name": "Google Workspace Password Policy Modified", "sha256": "de0ced40cd29bb489ca1a27d785bb3d66ba4d0711f5d8d42268c9f8cab7c7df9", "type": "query", "version": 205 }, "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { + "min_stack_version": "8.3", "rule_name": "Persistence via Hidden Run Key Detected", "sha256": "269e37223d35d504bd02023f1fc605e200979bbabb0ee082953950adaf35c4fd", "type": "eql", "version": 108 }, "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { + "min_stack_version": "8.3", "rule_name": "IPSEC NAT Traversal Port Activity", "sha256": "8dcd8a517f60e962d4ebf18984358abb4a22823f7b32a4e918d1aa3645fa0fee", "type": "query", "version": 104 }, "aa8007f0-d1df-49ef-8520-407857594827": { + "min_stack_version": "8.3", "rule_name": "GCP IAM Custom Role Creation", "sha256": "46fafcee6069a185beb2d0fc77d3f39e53b9ec3412f9afdef0e7b642b48e296f", "type": "query", "version": 104 }, "aa895aea-b69c-4411-b110-8d7599634b30": { + "min_stack_version": "8.3", "rule_name": "System Log File Deletion", "sha256": "88dcf75e81a5a91c9684e0298310a93c5b5106d24091836c69728729c85e6246", "type": "eql", "version": 110 }, "aa9a274d-6b53-424d-ac5e-cb8ca4251650": 
{ + "min_stack_version": "8.3", "rule_name": "Remotely Started Services via RPC", "sha256": "e72234fda58c725e6bbfb3c02d000a1276fc1ff4868a63532863b43b2780d3f8", "type": "eql", "version": 112 }, "aaab30ec-b004-4191-95e1-4a14387ef6a6": { + "min_stack_version": "8.3", "rule_name": "Veeam Backup Library Loaded by Unusual Process", "sha256": "fae7ffc9ed0b702935ff7bccd87d6ddec3d54d21ce22d4aedb1cbb41d4e584c3", "type": "eql", "version": 2 }, "aab184d3-72b3-4639-b242-6597c99d8bca": { + "min_stack_version": "8.5", "rule_name": "Threat Intel Hash Indicator Match", "sha256": "fabef06c8a2e4298330aaf2e04e9c55737a516954c890d808e5d4a901aace9fe", "type": "threat_match", "version": 7 }, "ab75c24b-2502-43a0-bf7c-e60e662c811e": { + "min_stack_version": "8.3", "rule_name": "Remote Execution via File Shares", "sha256": "8f4c528243e4b7fe54e84e7f66324d47f06fa299e52a0069c9f5d1cdea337050", "type": "eql", "version": 111 }, "abae61a8-c560-4dbd-acca-1e1438bff36b": { + "min_stack_version": "8.3", "rule_name": "Unusual Windows Process Calling the Metadata Service", "sha256": "ac1ddf7a6cff4d90ca970314e03ccc69c8b2c416130ed735e10bbaf12458ff51", "type": "machine_learning", "version": 103 }, "ac412404-57a5-476f-858f-4e8fbb4f48d8": { + "min_stack_version": "8.3", "rule_name": "Potential Persistence via Login Hook", "sha256": "c757a8d19345f645690ffb8634527ad84b35d0195fe82d9ca81ccf57eaf2eef9", "type": "query", "version": 108 }, "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { + "min_stack_version": "8.3", "rule_name": "Suspicious WerFault Child Process", "sha256": "f629cc7dcdd6c44a3cfdd1ee14a69394676bb2d7612c1cf102e2378dc225e2bf", "type": "eql", "version": 112 }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Unusual AWS Command for a User", + "sha256": "9f57306030e5ba60d653be67aa9384950045aa7df06b096ce123ae72771cd11a", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Unusual AWS Command for 
a User", "sha256": "17d74013b573ef431a61391d055df4a9ab5851741a17e466a651c3a1f13efb49", "type": "machine_learning", "version": 208 }, "ac8805f6-1e08-406c-962e-3937057fa86f": { + "min_stack_version": "8.3", "rule_name": "Potential Protocol Tunneling via Chisel Server", "sha256": "be005130100c74d62f0ae093ffaceedaf8ea816f88d721e2dd68dbaca2bd46c9", "type": "eql", "version": 6 }, "ac96ceb8-4399-4191-af1d-4feeac1f1f46": { + "min_stack_version": "8.3", "rule_name": "Potential Invoke-Mimikatz PowerShell Script", "sha256": "e7b750985f6d8f290b5b3c9331448fc6c0e52c65dfa753ddf117fd70bd624e21", "type": "query", "version": 108 }, "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 202, + "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", + "sha256": "9977bfb82687f6ee557f2f9474b1cac3eb4b8c16af795908ef9b4a20ab600653", + "type": "query", + "version": 104 + } + }, "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", "sha256": "dff7c67640bd01423d897e090d914f6661f2ccbd00d363315a58d011cac71b65", "type": "query", "version": 205 }, "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": { + "min_stack_version": "8.3", "rule_name": "Potential Command and Control via Internet Explorer", "sha256": "4e05c9f350a2bf4380ddc180a068d6803b859a53e35e93b341397855f28c5924", "type": "eql", "version": 106 }, "ace1e989-a541-44df-93a8-a8b0591b63c0": { + "min_stack_version": "8.3", "rule_name": "Potential macOS SSH Brute Force Detected", "sha256": "95cd29a163e6b0b1ffbed68a23beef7033446cdbce973aa1bac75d9a31a944d9", "type": "threshold", "version": 108 }, "acf738b5-b5b2-4acc-bad9-1e18ee234f40": { + "min_stack_version": "8.3", "rule_name": "Suspicious Managed Code Hosting Process", "sha256": "fe186a9faacc6e9e3e6491c59ba7d7f453f702cf162e0e4ae49354149e80326a", "type": "eql", "version": 108 }, "ad0d2742-9a49-11ec-8d6b-acde48001122": { + "min_stack_version": "8.3", "rule_name": 
"Signed Proxy Execution via MS Work Folders", "sha256": "692d68785822926e449adf234c3a45035f0a8e73dd87386acac77931c9491543", "type": "eql", 
@@ -5002,96 +6744,121 @@ "version": 100 }, "ad3f2807-2b3e-47d7-b282-f84acbbe14be": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 202, + "rule_name": "Google Workspace Custom Admin Role Created", + "sha256": "e28b9f491eae0c8a606f9d315389ac4a117e5d30674f8e4f4e1d3be16bc8d9c4", + "type": "query", + "version": 104 + } + }, "rule_name": "Google Workspace Custom Admin Role Created", "sha256": "d1699c4738c1bd1387584e6a38c367c2f869b0045f7b6e2c635535f2dded6307", "type": "query", "version": 205 }, "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { + "min_stack_version": "8.3", "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", "sha256": "d2271c15f1bcae13cb2632e4449638ff23a1e373ff5e0cd32c8722354646975d", "type": "query", "version": 110 }, "ad88231f-e2ab-491c-8fc6-64746da26cfe": { + "min_stack_version": "8.3", "rule_name": "Kerberos Cached Credentials Dumping", "sha256": "b487d846e3b3cce77ab546dffaa06a50544f53ec03293a3bf6ef529123497ae6", "type": "query", "version": 106 }, "ad959eeb-2b7b-4722-ba08-a45f6622f005": { + "min_stack_version": "8.3", "rule_name": "Suspicious APT Package Manager Execution", "sha256": "9cbc1daea47fb821c72c3e512bbb09b857e9a4b44454631dfe45b495c8adc9fa", "type": "eql", "version": 2 }, "adb961e0-cb74-42a0-af9e-29fc41f88f5f": { + "min_stack_version": "8.3", "rule_name": "File Transfer or Listener Established via Netcat", "sha256": "f27e0f720407692607f6eb75d893c29b6331360fec5838edbff6739eea960584", "type": "eql", "version": 110 }, "adbfa3ee-777e-4747-b6b0-7bd645f30880": { + "min_stack_version": "8.3", "rule_name": "Suspicious Communication App Child Process", "sha256": "da78216a16bc023bec70850e08c999466fb372bf4f11fd44445aaed67089a16c", "type": "eql", "version": 4 }, "ae343298-97bc-47bc-9ea2-5f2ad831c16e": { + "min_stack_version": "8.3", "rule_name": "Suspicious File Creation via Kworker", "sha256": "80da89056385e4d385d191289e923d9442a852f1c96b7aeb235b36a9e4a0ca35", "type": "eql", "version": 3 }, 
"ae8a142c-6a1d-4918-bea7-0b617e99ecfa": { + "min_stack_version": "8.3", "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", "sha256": "6fce50e87a921fa949cd422fb8a0d0e0232051f30329df181dbebb37b5e5a184", "type": "eql", "version": 5 }, "aebaa51f-2a91-4f6a-850b-b601db2293f4": { + "min_stack_version": "8.6", "rule_name": "Shared Object Created or Changed by Previously Unknown Process", "sha256": "d43a905984d229cdcd4e06eb6b7f44f165c335ebfb4840dde015f22b680c1f92", "type": "new_terms", "version": 7 }, "afa135c0-a365-43ab-aa35-fd86df314a47": { + "min_stack_version": "8.3", "rule_name": "Unusual User Privilege Enumeration via id", "sha256": "bd4da735535155bf2aaee82b58ad81ff85b1d638c319cf8afe1df6d4bd616123", "type": "eql", "version": 4 }, "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { + "min_stack_version": "8.3", "rule_name": "Local Scheduled Task Creation", "sha256": "5291c4a420b199ea0cda7c00ad93a5114d95d9fcd73a07e12060d164eb0601e6", "type": "eql", "version": 107 }, "afd04601-12fc-4149-9b78-9c3f8fe45d39": { + "min_stack_version": "8.3", "rule_name": "Network Activity Detected via cat", "sha256": "61ed9cf042140481d4d3863f69481333d94ea25e480a8ddd95a5e38cd2fcacb6", "type": "eql", "version": 6 }, "afe6b0eb-dd9d-4922-b08a-1910124d524d": { + "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Container Misconfiguration", "sha256": "934babb371893cc423e2cc180a7b9c4e145c3477e29880463dee746c5b419b19", "type": "eql", "version": 5 }, "b0046934-486e-462f-9487-0d4cf9e429c6": { + "min_stack_version": "8.3", "rule_name": "Timestomping using Touch Command", "sha256": "b076ae4e19a317fab6eb05472220dd936a4a3ea6852be8a783f28615c9f21de4", "type": "eql", "version": 106 }, "b00bcd89-000c-4425-b94c-716ef67762f6": { + "min_stack_version": "8.3", "rule_name": "TCC Bypass via Mounted APFS Snapshot Access", "sha256": "5a871527957ab53227a0f5f906053deded0b332d6195c3e6cfbe9622601b646f", "type": "query", "version": 106 }, "b0638186-4f12-48ac-83d2-47e686d08e82": { + 
"min_stack_version": "8.3", "rule_name": "Netsh Helper DLL", "sha256": "5019bcc4c8001cf98d0d6df1626edce949e6bd8d7c18fbbc38b2a53cf847a5a9", "type": "eql", 
@@ -5111,66 +6878,95 @@ "version": 100 }, "b2318c71-5959-469a-a3ce-3a0768e63b9c": { + "min_stack_version": "8.3", "rule_name": "Potential Network Share Discovery", "sha256": "fda7288ed57e11d03d2af7b74755b704d96c32f3c69abe245de1378438bd144f", "type": "eql", "version": 3 }, "b240bfb8-26b7-4e5e-924e-218144a3fa71": { + "min_stack_version": "8.3", "rule_name": "Spike in Network Traffic", "sha256": "36d61f7dbb342836f5db53ce1a06141cecfee9ba6d09cbb69983df79202257e6", "type": "machine_learning", "version": 103 }, "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": { + "min_stack_version": "8.3", "rule_name": "Remote File Copy via TeamViewer", "sha256": "f9c74dae522f96b99ef91c8690d3294d5bb57ed3568290e9c6c2b4877c99bbd4", "type": "eql", "version": 111 }, "b2951150-658f-4a60-832f-a00d1e6c6745": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Unusual Volume of File Deletion", + "sha256": "0e2607bb68d167a217bd28be737c707eb6729cb8c449efd2f3c45064ba35fb07", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Unusual Volume of File Deletion", "sha256": "1dbef7993a821421fc2fa12a51dab4936081be0382afeb3ebd8f36b93c07bdcf", "type": "query", "version": 206 }, "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { + "min_stack_version": "8.3", "rule_name": "Network Connection via Compiled HTML File", "sha256": "0c4011e34ae723b0d5fbd00bd1e354badeb76adb69e7c4a44dd7e7cb1acc480b", "type": "eql", "version": 108 }, "b347b919-665f-4aac-b9e8-68369bf2340c": { + "min_stack_version": "8.3", "rule_name": "Unusual Linux Username", "sha256": "fe769843cd4082749444ae077951c9a8e2bfe4d74ba57fd091eacee470975016", "type": "machine_learning", "version": 103 }, "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { + "min_stack_version": "8.3", "rule_name": "Suspicious Endpoint Security Parent Process", "sha256": "01e8d9f7974e3c66e2916edad7f04fe3fbd842ed064a7ac1067df9d6d61ecadf", "type": "eql", "version": 111 }, "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": { + 
"min_stack_version": "8.3", "rule_name": "Code Signing Policy Modification Through Built-in tools", "sha256": "204caab60a2c4641de7b31aaedca2147bb76d02c5e8bae82907f04607536563e", "type": "eql", "version": 7 }, "b4449455-f986-4b5a-82ed-e36b129331f7": { + "min_stack_version": "8.3", "rule_name": "Potential Persistence via Atom Init Script Modification", "sha256": "c504a9e2929d88a06087ed97f63cef00dc04803abda6cfbe448c6c7c5a3d9900", "type": "query", "version": 106 }, "b45ab1d2-712f-4f01-a751-df3826969807": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS STS GetSessionToken Abuse", + "sha256": "270622c32893a7ed8bb7c39017bb09133147e3b8af1c8844d93f0150447134ba", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS STS GetSessionToken Abuse", "sha256": "8d815943419b48862fd4b4d8bf7e7415b72bff58fb7dc7299a2548453ffd2670", "type": "query", "version": 206 }, "b483365c-98a8-40c0-92d8-0458ca25058a": { + "min_stack_version": "8.3", "rule_name": "At.exe Command Lateral Movement", "sha256": "041e17a0cd55085d79466cf06aaa8ca81ef2b30a9e42291395534ce27ba0062a", "type": "eql", @@ -5179,7 +6975,7 @@ "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Attempt to Delete an Okta Policy", "sha256": "c3fda77e2d67870f675065527fb363156e723e6bc1090d9bdda28d930d7f3d04", 
@@ -5193,42 +6989,49 @@ "version": 206 }, "b51dbc92-84e2-4af1-ba47-65183fcd0c57": { + "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via OverlayFS", "sha256": "58bcb45f4849adaa8d78a19d8a371830c27498740c55f3af585b223cd3043f93", "type": "eql", "version": 5 }, "b5877334-677f-4fb9-86d5-a9721274223b": { + "min_stack_version": "8.3", "rule_name": "Clearing Windows Console History", "sha256": "0d87128fdfdcb58febe6605148de68b8ab413e129191227eca12360248a76681", "type": "eql", "version": 111 }, "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { + "min_stack_version": "8.3", "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", "sha256": "7a7554033f500cdd7964ffd328c581dfbdd9b26c040569d42581504a70e468d3", "type": "eql", "version": 111 }, "b627cd12-dac4-11ec-9582-f661ea17fbcd": { + "min_stack_version": "8.3", "rule_name": "Elastic Agent Service Terminated", "sha256": "8abfc44bc5f8a00effd8c97c81a841dcc2cbe6cd3e2da51a5b277f96c2baf671", "type": "eql", "version": 106 }, "b64b183e-1a76-422d-9179-7b389513e74d": { + "min_stack_version": "8.3", "rule_name": "Windows Script Interpreter Executing Process via WMI", "sha256": "1e8be0b94b78d86bb0d30e6a4e6d28c81c9c5bdf2b9494ac9c0d7fb465491bae", "type": "eql", "version": 109 }, "b661f86d-1c23-4ce7-a59e-2edbdba28247": { + "min_stack_version": "8.3", "rule_name": "Potential Veeam Credential Access Command", "sha256": "e589053c5a7013b3bb2c3d76d1617fcdda617b6aa8dbfa31adf5e34b95f095d2", "type": "eql", "version": 1 }, "b6dce542-2b75-4ffb-b7d6-38787298ba9d": { + "min_stack_version": "8.3", "rule_name": "Azure Event Hub Authorization Rule Created or Updated", "sha256": "a4d9380d9e964e50c7845854fa02ca808976bf2d52c4cb73dd90ed4e9439ae09", "type": "query", 
@@ -5237,7 +7040,7 @@
 "b719a170-3bdb-4141-b0e3-13e3cf627bfe": {
 "min_stack_version": "8.10",
 "previous": {
- "8.9": {
+ "8.3": {
 "max_allowable_version": 205,
 "rule_name": "Attempt to Deactivate an Okta Policy",
 "sha256": "48e769c5aedb715bdbc0f990b68ced02323c1eef17b02595550b368f66a3c9c8",
@@ -5251,6 +7054,7 @@
 "version": 206
 },
 "b7c05aaf-78c2-4558-b069-87fa25973489": {
+ "min_stack_version": "8.3",
 "rule_name": "Potential Buffer Overflow Attack Detected",
 "sha256": "3e26fdf6574102a4aa2b239c1e4420684c6f3527b1aca67cf62cc4b42858a6f4",
 "type": "threshold",
@@ -5259,7 +7063,7 @@
 "b8075894-0b62-46e5-977c-31275da34419": {
 "min_stack_version": "8.10",
 "previous": {
- "8.9": {
+ "8.3": {
 "max_allowable_version": 204,
 "rule_name": "Administrator Privileges Assigned to an Okta Group",
 "sha256": "8d9fe19feb7f250c14755465615f7a3fb4f831e20ba19b6ba0eeec6637d056e3",
@@ -5273,132 +7077,190 @@ "version": 205 }, "b81bd314-db5b-4d97-82e8-88e3e5fc9de5": { + "min_stack_version": "8.3", "rule_name": "Linux System Information Discovery", "sha256": "25a7750edeab372fb60402e82e49e3e259e8b0b077e85b3ecc8af17ef77deb61", "type": "eql", "version": 3 }, "b8386923-b02c-4b94-986a-d223d9b01f88": { + "min_stack_version": "8.3", "rule_name": "PowerShell Invoke-NinjaCopy script", "sha256": "40c977b1f7dad3726a8f0c97749e00256994f75580fd498135538a04857e663d", "type": "query", "version": 5 }, "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { + "min_stack_version": "8.3", "rule_name": "Creation or Modification of Domain Backup DPAPI private key", "sha256": "e7c8ba3a35c054655d550038f664cb613343ad804cc463f1d4b90aa0a0d23d93", "type": "eql", "version": 108 }, "b86afe07-0d98-4738-b15d-8d7465f95ff5": { + "min_stack_version": "8.3", "rule_name": "Network Connection via MsXsl", "sha256": "97661aa1f38ec86767f0b0059ad5aab142c0f1dfcfe79c093165e0dcd8ef1266", "type": "eql", "version": 106 }, "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": { + "min_stack_version": "8.3", "rule_name": "Kirbi File Creation", "sha256": "d4daec4cc60bd33718968bd73ffc21fabf7d837ae866f7a7fcabf5d7d039655f", "type": "eql", "version": 5 }, "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { + "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", "sha256": "06cd8a9c2cc711c339f9e9c86a0b0e31950b1620f3c927162433104d644a4a8d", "type": "eql", "version": 109 }, "b910f25a-2d44-47f2-a873-aabdc0d355e6": { + "min_stack_version": "8.3", "rule_name": "Chkconfig Service Add", "sha256": "762949859141699af6a491db1a4f5b059db590cbadd27aa2267653760c23d23d", "type": "eql", "version": 111 }, "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": { + "min_stack_version": "8.3", "rule_name": "Discovery of Domain Groups", "sha256": "6858329aa178170f3a6900b8d4233573f6741d68814c2b5ac702c5d76e3ee677", "type": "eql", "version": 2 }, "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": { + "min_stack_version": "8.3", 
"rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host", "sha256": "b83cfd125f81b6526b23aac2a53cc883827934288f3bb4ae9a000c705c69cd7c", "type": "threshold", "version": 4 }, "b9554892-5e0e-424b-83a0-5aef95aa43bf": { + "min_stack_version": "8.3", "rule_name": "Group Policy Abuse for Privilege Addition", "sha256": "7e1d07811eee139eca2af001c453e529a605e642fafc1cadfeac9817862c3f0c", "type": "query", "version": 109 }, "b9666521-4742-49ce-9ddc-b8e84c35acae": { + "min_stack_version": "8.3", "rule_name": "Creation of Hidden Files and Directories via CommandLine", "sha256": "bbdba9f735a270571a5a0f1df636cdd573417d76ebf91c3ee006046ae88f685d", "type": "eql", "version": 110 }, "b9960fef-82c6-4816-befa-44745030e917": { + "min_stack_version": "8.3", "rule_name": "SolarWinds Process Disabling Services via Registry", "sha256": "6cf76bf28c6818bd0c1e9cacc68a44909ca3c50f197b96e96bd34ffd2f935ec8", "type": "eql", "version": 109 }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { + "min_stack_version": "8.3", "rule_name": "Unusual Windows Network Activity", "sha256": "061e957d07cb102889f0ff1a1f4fa80b4f22eeefc5aad74fd2544ccf0852d5ad", "type": "machine_learning", "version": 103 }, "ba81c182-4287-489d-af4d-8ae834b06040": { + "min_stack_version": "8.3", "rule_name": "Kernel Driver Load by non-root User", "sha256": "8c938c1fdbabd146fcde85cf8129c9bd1bcf1dd989aaf68650cd11bf09181844", "type": "eql", "version": 3 }, "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { + "min_stack_version": "8.3", "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", "sha256": "e224bdce56aa39ba7fca19f483ee4080daea489a943e6211cb1ec88aa1754671", "type": "eql", "version": 109 }, "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": { + "min_stack_version": "8.3", "rule_name": "Azure Resource Group Deletion", "sha256": "d6e81ca3325b8461c497b7a0edcb7ba2a438aaadc2af98f490696891126c3576", "type": "query", "version": 102 }, "bb9b13b2-1700-48a8-a750-b43b0a72ab69": { + "min_stack_version": "8.9", + "previous": { + "8.3": { 
+ "max_allowable_version": 204, + "rule_name": "AWS EC2 Encryption Disabled", + "sha256": "2e9848fe420de87afde4a086d63bb5d02bb91f3da348bd0eed54b6f7993a85cd", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS EC2 Encryption Disabled", "sha256": "8d31ea9768807181a7d1aca8eb47a8f3c015b3412c46ccf6963c5e06b676e834", "type": "query", "version": 206 }, "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "OneDrive Malware File Upload", + "sha256": "4f273dae13ee4bb9564a60c6771439fc10cd7f3357de2aa65839ff10d4cde814", + "type": "query", + "version": 106 + } + }, "rule_name": "OneDrive Malware File Upload", "sha256": "b2abdce89d919f7eaeb571349e52d6d14eac86020237f33d935576d9f83954aa", "type": "query", "version": 206 }, "bbaa96b9-f36c-4898-ace2-581acb00a409": { + "min_stack_version": "8.3", "rule_name": "Potential SYN-Based Network Scan Detected", "sha256": "8413e204b3d4d4145ea9cfe859daf5ecaf39fd776bf87f7090a82205de0b5b52", "type": "threshold", "version": 5 }, "bbd1a775-8267-41fa-9232-20e5582596ac": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed", + "sha256": "f4f0da241f45040111a47879928011d3b90da922010348154b5cb1c44d2f24ee", + "type": "query", + "version": 107 + } + }, "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed", "sha256": "bfeee6d64b53fd5857ae139679a0455df0d0127f55134eadfdf8053869f558f3", "type": "query", "version": 207 }, "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS Root Login Without MFA", + "sha256": "40f1b53ce3bb3464e8d8bbad167820d4d5b70e24358eef7c18c72fcdaf161f26", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS Root Login Without MFA", "sha256": 
"82c85c3ffc9f5335daf17ae1f400177234e73823fc5f5c563c9c6285a03f1157", "type": "query", "version": 209 }, "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": { + "min_stack_version": "8.3", "rule_name": "GCP Storage Bucket Deletion", "sha256": "56e79003e4ad65163eb8f9aaf96239590b6a756222a60be2d8115a39b4c1a54d", "type": "query", 
@@ -5412,168 +7274,223 @@ "version": 2 }, "bc1eeacf-2972-434f-b782-3a532b100d67": { + "min_stack_version": "8.3", "rule_name": "Attempt to Install Root Certificate", "sha256": "903b93770a64c71465333adf2e585d4931a592eccfe4eb954cadab052441c972", "type": "query", "version": 106 }, "bc48bba7-4a23-4232-b551-eca3ca1e3f20": { + "min_stack_version": "8.3", "rule_name": "Azure Conditional Access Policy Modified", "sha256": "cfacc3ddc30a65458618914bcd492cf9fbb25d104b2271afdb3ff3fef7bf0c0c", "type": "query", "version": 102 }, "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": { + "min_stack_version": "8.3", "rule_name": "Potential Non-Standard Port SSH connection", "sha256": "68365d0090a647d05f3396ace9d86f2c79f607bef610741ce9c4240ccfa0de26", "type": "eql", "version": 5 }, "bc9e4f5a-e263-4213-a2ac-1edf9b417ada": { + "min_stack_version": "8.3", "rule_name": "File and Directory Permissions Modification", "sha256": "7952e5bdcb6bd4b0314d08e1b8ab86c34ce066c95e0bbe8a056527df93794139", "type": "eql", "version": 2 }, "bca7d28e-4a48-47b1-adb7-5074310e9a61": { + "min_stack_version": "8.3", "rule_name": "GCP Service Account Disabled", "sha256": "10252c6946a904bb799ac153943817d274319179587022f10240f3e65af79ace", "type": "query", "version": 104 }, "bcaa15ce-2d41-44d7-a322-918f9db77766": { + "min_stack_version": "8.9", "rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain", "sha256": "37e01c0b463876a5acee70bb565d205c8a2e8c5a7b3d99a24e16939f97360a9f", "type": "query", "version": 3 }, "bd2c86a0-8b61-4457-ab38-96943984e889": { + "min_stack_version": "8.3", "rule_name": "PowerShell Keylogging Script", "sha256": "92008de004bfec5733b4d1f7cd48ddbe75ac79f7f3c92d54d71bd7f5447d260d", "type": "query", "version": 112 }, "bd3d058d-5405-4cee-b890-337f09366ba2": { + "min_stack_version": "8.3", "rule_name": "Potential Defense Evasion via CMSTP.exe", "sha256": "f9a5163bfb60ec1ac26ac681518a193a85b03a87dac342a3579a7b2ae3628e0b", "type": "eql", "version": 2 }, 
"bd7eefee-f671-494e-98df-f01daf9e5f17": { + "min_stack_version": "8.3", "rule_name": "Suspicious Print Spooler Point and Print DLL", "sha256": "6214fb2abc887c66d7d514ccfc914faf98cb9befe4cb35f2f58a0e300787eb5c", "type": "eql", "version": 106 }, "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": { + "min_stack_version": "8.3", "rule_name": "Potential Pspy Process Monitoring Detected", "sha256": "3ebba1b3c0653e611e5c1abc4e917c868371220b6fb55954eafa7a8d7c6cf5fe", "type": "eql", "version": 7 }, "bdcf646b-08d4-492c-870a-6c04e3700034": { + "min_stack_version": "8.3", "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", "sha256": "c437d0e4938701b867702b775bb69d57f44e45a03be5d63d90f0dcde14ccbf39", "type": "eql", "version": 108 }, "bdfebe11-e169-42e3-b344-c5d2015533d3": { + "min_stack_version": "8.9", "rule_name": "Suspicious Windows Process Cluster Spawned by a Host", "sha256": "84baf4890842c179a0724a3835388a16dedfe1046dfd94a9b617aa56b37a7a2f", "type": "machine_learning", "version": 4 }, "be4c5aed-90f5-4221-8bd5-7ab3a4334751": { + "min_stack_version": "8.9", "rule_name": "Unusual Remote File Directory", "sha256": "f6b1ce1e97f8a9dd95bb99809d5d9a7bab6a0922fb0861afadc24970477e3b3f", "type": "machine_learning", "version": 3 }, "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { + "min_stack_version": "8.3", "rule_name": "Searching for Saved Credentials via VaultCmd", "sha256": "a22b02dc207eed11a68b3bf9569d0f06d0bfcc3b14a71b32fc505ee86b53aed4", "type": "eql", "version": 109 }, "bf1073bf-ce26-4607-b405-ba1ed8e9e204": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS RDS Snapshot Restored", + "sha256": "aa3da4102533524658662c93b127d4c25ca56ed19c01be2a8904cd695347b3d6", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS RDS Snapshot Restored", "sha256": "867302d2c993c7e6bb06acb3bb9784e8de51117e6d0fdd1a5a8e040e24fab59f", "type": "query", "version": 206 }, "bf8c007c-7dee-4842-8e9a-ee534c09d205": { + 
"min_stack_version": "8.3", "rule_name": "System Owner/User Discovery Linux", "sha256": "b8fb8512af046215fe23d076d16414d669430c692eb57d16eba03ea13e2e03df", "type": "eql", "version": 3 }, "bfba5158-1fd6-4937-a205-77d96213b341": { + "min_stack_version": "8.9", "rule_name": "Potential Data Exfiltration Activity to an Unusual Region", "sha256": "385716bc0770d6b023580d5b0a92a34581e351560a3bd43bd4ce2b3b01ef84c1", "type": "machine_learning", "version": 3 }, "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": { + "min_stack_version": "8.3", "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", "sha256": "630b95897e137de2d3ff315926d388d39ed6ad5c19948a8fe0cb4c564d32b99e", "type": "eql", "version": 111 }, "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { + "min_stack_version": "8.3", "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", "sha256": "5443c5577d436ff7ea5d9802accfe2fff6ea50813a238c85ff0b60dc1a102579", "type": "eql", "version": 107 }, "c0429aa8-9974-42da-bfb6-53a0a515a145": { + "min_stack_version": "8.3", "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", "sha256": "8020f015d723e31af612bbc7e570f0f7a2bf57c3cc13447eb5bccd3e39385ca8", "type": "eql", "version": 109 }, "c0b9dc99-c696-4779-b086-0d37dc2b3778": { + "min_stack_version": "8.3", "rule_name": "Memory Dump File with Unusual Extension", "sha256": "647f3ad965f3c8ae1c09160f3cfab647649612e66c8bb2dd746309e241322f1c", "type": "eql", "version": 2 }, "c0be5f31-e180-48ed-aa08-96b36899d48f": { + "min_stack_version": "8.3", "rule_name": "Credential Manipulation - Detected - Elastic Endgame", "sha256": "5bcb1915b28b6a1282d3b512b13b559f6d0256da8db229d9210b4a03f2fe6af3", "type": "query", "version": 103 }, "c125e48f-6783-41f0-b100-c3bf1b114d16": { + "min_stack_version": "8.5", "rule_name": "Suspicious Renaming of ESXI index.html File", "sha256": "5e8b6b9370d7f11367a4da3f7d0911702117a24814ab84a0bf12ae972ff4c2aa", "type": "eql", "version": 6 }, 
"c1812764-0788-470f-8e74-eb4a14d47573": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS EC2 Full Network Packet Capture Detected", + "sha256": "c8fb1a9316a7bc5541a685e19440d21f4c158350903c4e21b6225360fee8258d", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS EC2 Full Network Packet Capture Detected", "sha256": "c3267472104e0888d5c9e55574ae19d07c39c00e8c6a76a01fc766fbb0689f63", "type": "query", "version": 206 }, "c20cd758-07b1-46a1-b03f-fa66158258b8": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 100, + "rule_name": "Unsigned DLL Loaded by a Trusted Process", + "sha256": "bb5c65b28dc087548516c6b186539ffc5f02db3440942a539777c49bd9e1e878", + "type": "eql", + "version": 1 + } + }, "rule_name": "Unsigned DLL Loaded by a Trusted Process", "sha256": "0b870b52c44ffcdcdcf7c0775290f7446486c04dc8890ea633df8c1ba33f8a43", "type": "eql", "version": 102 }, "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { + "min_stack_version": "8.3", "rule_name": "Microsoft IIS Connection Strings Decryption", "sha256": "03334e1d43f8d53c06b92628435b5af954f2211ff41ff4ed7467bf8a8065cdef", "type": "eql", "version": 110 }, "c28c4d8c-f014-40ef-88b6-79a1d67cd499": { + "min_stack_version": "8.3", "rule_name": "Unusual Linux Network Connection Discovery", "sha256": "197e0ebe16417250c895c6ab8ef0894bdebdd8535da44dc8426106a4eb63b02d", "type": "machine_learning", "version": 103 }, "c292fa52-4115-408a-b897-e14f684b3cb7": { + "min_stack_version": "8.3", "rule_name": "Persistence via Folder Action Script", "sha256": "8249dd1544fa4a71d15bdd5d893422c51458d358b8c77ac350b3d7b9ad0d2cfa", "type": "eql", 
@@ -5587,96 +7504,112 @@ "version": 2 }, "c2d90150-0133-451c-a783-533e736c12d7": { + "min_stack_version": "8.3", "rule_name": "Mshta Making Network Connections", "sha256": "7b3bec275d247d0cc1c4772be5f41fcfca282df6146f830777ed87b4c663f7e5", "type": "eql", "version": 107 }, "c3167e1b-f73c-41be-b60b-87f4df707fe3": { + "min_stack_version": "8.3", "rule_name": "Permission Theft - Detected - Elastic Endgame", "sha256": "bc09245f3bf048bc8d9e4f1ca381711fc8fa9d71f6533673b7f573f84061f6d5", "type": "query", "version": 103 }, "c3b915e0-22f3-4bf7-991d-b643513c722f": { + "min_stack_version": "8.3", "rule_name": "Persistence via BITS Job Notify Cmdline", "sha256": "54084b270ff6d62016cb72d63b981f4db5bac2d188dd59aa5079986bd918e156", "type": "eql", "version": 107 }, "c3f5e1d8-910e-43b4-8d44-d748e498ca86": { + "min_stack_version": "8.3", "rule_name": "Potential JAVA/JNDI Exploitation Attempt", "sha256": "0776cc8251cdbd9e2e2060a17b2300834a0ed4a49489a105abb3c0dd75b19cc8", "type": "eql", "version": 104 }, "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": { + "min_stack_version": "8.3", "rule_name": "Mounting Hidden or WebDav Remote Shares", "sha256": "a814b9dc474566b81d9b80f83a1fbb21d506490be5d1a791c6a040402576193e", "type": "eql", "version": 109 }, "c4818812-d44f-47be-aaef-4cfb2f9cc799": { + "min_stack_version": "8.3", "rule_name": "Suspicious Print Spooler File Deletion", "sha256": "6764db9d99a9d2a1bce0efae356412f7b62f66204dfe3496cf5d8e142aa916ff", "type": "eql", "version": 107 }, "c4e9ed3e-55a2-4309-a012-bc3c78dad10a": { + "min_stack_version": "8.3", "rule_name": "Windows System Network Connections Discovery", "sha256": "9f1ea7adcf3b05426387f5598da3b596e34f4fc1553a4ed33b48ec687a455ed4", "type": "eql", "version": 4 }, "c55badd3-3e61-4292-836f-56209dc8a601": { + "min_stack_version": "8.3", "rule_name": "Attempted Private Key Access", "sha256": "92447cf8bb6de4a626ecd420b9c64922484cb49f216d13292e833c1abdb4786c", "type": "eql", "version": 3 }, "c5677997-f75b-4cda-b830-a75920514096": { + 
"min_stack_version": "8.3", "rule_name": "Service Path Modification via sc.exe", "sha256": "6d70ac346b080bca5ad2083c56ff66bd01f63204483b047353855e7898b39862", "type": "eql", "version": 3 }, "c57f8579-e2a5-4804-847f-f2732edc5156": { + "min_stack_version": "8.3", "rule_name": "Potential Remote Desktop Shadowing Activity", "sha256": "2d3a93d4e613dace19446854539467cead96901968f44270796ce546beeb940a", "type": "eql", "version": 109 }, "c58c3081-2e1d-4497-8491-e73a45d1a6d6": { + "min_stack_version": "8.3", "rule_name": "GCP Virtual Private Cloud Network Deletion", "sha256": "7f47bc00b67f2997890fd47eff9350e23e6effea54914edcbb180c321a553276", "type": "query", "version": 104 }, "c5c9f591-d111-4cf8-baec-c26a39bc31ef": { + "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", "sha256": "bd759b2a552a5ce6a16e041b6708cf7215821c978d6c820100f29ff8567b357f", "type": "eql", "version": 108 }, "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { + "min_stack_version": "8.3", "rule_name": "Installation of Custom Shim Databases", "sha256": "7ea702b1b6d7a8309d8d11e16505cb9ca2a3b1c906e7aeadacdefea24d0397b6", "type": "eql", "version": 108 }, "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { + "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Started by an Office Application", "sha256": "a8e1a000f912f5f42f3894fdca0458d10666994f165781a4fbd5db031f5a6712", "type": "eql", "version": 110 }, "c5f81243-56e0-47f9-b5bb-55a5ed89ba57": { + "min_stack_version": "8.3", "rule_name": "CyberArk Privileged Access Security Recommended Monitor", "sha256": "13f4c23dbe61be7af51b9b4e4a27b192c9305f1caa67119f4ea89ac89792737f", "type": "query", "version": 102 }, "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": { + "min_stack_version": "8.3", "rule_name": "Remote File Download via MpCmdRun", "sha256": "3338fefccfc7c7d86404c1a054f09f2b43fdbeadba93b27dcfe7c04d6994303f", "type": "eql", 
@@ -5691,7 +7624,7 @@
 "c749e367-a069-4a73-b1f2-43a3798153ad": {
 "min_stack_version": "8.10",
 "previous": {
- "8.9": {
+ "8.3": {
 "max_allowable_version": 205,
 "rule_name": "Attempt to Delete an Okta Network Zone",
 "sha256": "fdb6f5c18f3893647e63e19723c1ad7c3f352be39e233b1273d08b6cd09edd5a",
@@ -5707,7 +7640,7 @@
 "c74fd275-ab2c-4d49-8890-e2943fa65c09": {
 "min_stack_version": "8.10",
 "previous": {
- "8.9": {
+ "8.3": {
 "max_allowable_version": 204,
 "rule_name": "Attempt to Modify an Okta Application",
 "sha256": "d467d49b83c884e4c1d43dc2f0e1dc879ceda77762f45968124a97e4fbacd2b0",
@@ -5721,48 +7654,65 @@ "version": 205 }, "c7894234-7814-44c2-92a9-f7d851ea246a": { + "min_stack_version": "8.3", "rule_name": "Unusual Network Connection via DllHost", "sha256": "5bffb108e728d78c04b4974f087af87b6352942f82977a580fcc749a742fffc6", "type": "eql", "version": 107 }, "c7908cac-337a-4f38-b50d-5eeb78bdb531": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 199, + "rule_name": "Kubernetes Privileged Pod Created", + "sha256": "e431240326e0ddb66017b695a15db0269ad7b4e5bde7cf37b10f01159fb9da19", + "type": "query", + "version": 101 + } + }, "rule_name": "Kubernetes Privileged Pod Created", "sha256": "276c33d57b4e3046ff3bf3eab838110627d9f8d9214a01036a62561084c6073a", "type": "query", "version": 203 }, "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { + "min_stack_version": "8.3", "rule_name": "Unusual File Modification by dns.exe", "sha256": "b865aba340d622e5f6840586849e814be1e565d1c59e1fcba5509683315c91cf", "type": "eql", "version": 110 }, "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": { + "min_stack_version": "8.3", "rule_name": "Spike in Network Traffic To a Country", "sha256": "93087ad72f05b99dd3bc9858cd5edfd5ed9d21a4afa6e01d0d798e78b4e9ab61", "type": "machine_learning", "version": 104 }, "c81cefcb-82b9-4408-a533-3c3df549e62d": { + "min_stack_version": "8.3", "rule_name": "Persistence via Docker Shortcut Modification", "sha256": "8e087bd16e3f663e5c0dd49d81cd2d8d302ffeabec5dc9bc31693752e7e6ed37", "type": "query", "version": 107 }, "c82b2bd8-d701-420c-ba43-f11a155b681a": { + "min_stack_version": "8.3", "rule_name": "SMB (Windows File Sharing) Activity to the Internet", "sha256": "6420c0fe2bee67b51779e539f2cfe3b480539c36abf148d1d69db79d6f2e8f67", "type": "query", "version": 103 }, "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": { + "min_stack_version": "8.3", "rule_name": "Direct Outbound SMB Connection", "sha256": "a30cf230b1215a2e0fd884167dfbb8fd92e5b63fa7a5cb2c9e9a8a306316de4d", "type": "eql", "version": 110 }, 
 "c85eb82c-d2c8-485c-a36f-534f914b7663": {
+ "min_stack_version": "8.3",
 "rule_name": "Virtual Machine Fingerprinting via Grep",
 "sha256": "a8a7e92874d6888c32575ca236fb263ec128596d8a4d510a265b8fad36cb1827",
 "type": "eql",
@@ -5775,48 +7725,65 @@ "version": 100 }, "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": { + "min_stack_version": "8.3", "rule_name": "Parent Process PID Spoofing", "sha256": "43c26bdd413e7e6c52b50b9c579663b2ab48285b83a1f794fd636727baf21733", "type": "eql", "version": 106 }, "c8935a8b-634a-4449-98f7-bb24d3b2c0af": { + "min_stack_version": "8.3", "rule_name": "Potential Linux Ransomware Note Creation Detected", "sha256": "a6ee22bb7fef22f21c9792186337bc557bd1aaba670d4de8d077fd7892d46ad2", "type": "eql", "version": 8 }, "c8b150f0-0164-475b-a75e-74b47800a9ff": { + "min_stack_version": "8.3", "rule_name": "Suspicious Startup Shell Folder Modification", "sha256": "a3f4ddc31c6570250920dc60269e68ec6344884c88aba870fb9998c5c1fb5319", "type": "eql", "version": 110 }, "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": { + "min_stack_version": "8.3", "rule_name": "Disabling Windows Defender Security Settings via PowerShell", "sha256": "2326092f64de27cbf684cdd4130d6f8695d0a42277b02fff7ebcc62350e56411", "type": "eql", "version": 110 }, "c9482bfa-a553-4226-8ea2-4959bd4f7923": { + "min_stack_version": "8.3", "rule_name": "Potential Masquerading as Communication Apps", "sha256": "b8c86e533a37c36a2eaef8f1d48ca8aa5a24b6665dc2328de3b3cc5eb1d2ad51", "type": "eql", "version": 5 }, "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { + "min_stack_version": "8.3", "rule_name": "Credential Manipulation - Prevented - Elastic Endgame", "sha256": "0c167eb4f05fabb720f52a987923b25796c8f0a3bffbd753aa699a1c8a8e26b3", "type": "query", "version": 103 }, "ca79768e-40e1-4e45-a097-0e5fbc876ac2": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification", + "sha256": "fdddb91dc8eaf01e3cca5626ab5e3b2c4ef51e15a8544385057399574b3d9b3b", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification", "sha256": "35f6d54b3e3c26169e00e55122b6e68ac8018946a2b9dd31d26fdb36faa90d82", 
 "type": "query",
 "version": 206
 },
 "ca98c7cf-a56e-4057-a4e8-39603f7f0389": {
+ "min_stack_version": "8.4",
 "rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder",
 "sha256": "6b71d73f704e96ab028ab9aa5fef9a3b487e35fe5cc322c1a118c9102720af9a",
 "type": "eql",
@@ -5829,18 +7796,39 @@
 "version": 100
 },
 "cac91072-d165-11ec-a764-f661ea17fbce": {
+ "min_stack_version": "8.6",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 206,
+ "rule_name": "Abnormal Process ID or Lock File Created",
+ "sha256": "6ab73acfdcd8636a87c0fd8b1342d5e96de8cbd74ed0e4f4dbb689c32a3cbffa",
+ "type": "eql",
+ "version": 108
+ }
+ },
 "rule_name": "Abnormal Process ID or Lock File Created",
 "sha256": "b4f2c9fe5dcc43eb113d00600fc6a7ca5091c0957af96c084ee2d9a790aa3a2a",
 "type": "new_terms",
 "version": 213
 },
 "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
+ "min_stack_version": "8.4",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 205,
+ "rule_name": "Google Workspace MFA Enforcement Disabled",
+ "sha256": "a8e10bb292478990aa0c82694fcd3621b81383a8058b87a25449238641d59e3b",
+ "type": "query",
+ "version": 107
+ }
+ },
 "rule_name": "Google Workspace MFA Enforcement Disabled",
 "sha256": "8a1f92b90737453373b48d24dd4dfd6e29615794a9ccaf5df7ba1a0ecf5d5e2a",
 "type": "query",
 "version": 207
 },
 "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": {
+ "min_stack_version": "8.3",
 "rule_name": "Suspicious Calendar File Modification",
 "sha256": "662489a94a180344e4b3e1c2aa679d4fe1ec51f91387a216835b0e11a14db9da",
 "type": "query",
@@ -5853,6 +7841,7 @@
 "version": 100
 },
 "cc2fd2d0-ba3a-4939-b87f-2901764ed036": {
+ "min_stack_version": "8.3",
 "rule_name": "Attempt to Enable the Root Account",
 "sha256": "c2c3f92e6fb953e4f0338ffe25751df1ae713c9f7e8460ce2addfd9d8bf8e59d",
 "type": "query",
@@ -5866,18 +7855,30 @@
 "version": 2
 },
 "cc653d77-ddd2-45b1-9197-c75ad19df66c": {
+ "min_stack_version": "8.9",
 "rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address",
 "sha256": "fe1015d6d9d15270cdedd676b577c3057d2552db4ce585e3c82437e7999cc037",
 "type": "machine_learning",
 "version": 3
 },
 "cc6a8a20-2df2-11ed-8378-f661ea17fbce": {
+ "min_stack_version": "8.4",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 103,
+ "rule_name": "Google Workspace User Organizational Unit Changed",
+ "sha256": "50eab7a58d52dc1eb0e8d8af2d5ca140762dfdf60970d1e7d5fcbf80aff362f4",
+ "type": "query",
+ "version": 5
+ }
+ },
 "rule_name": "Google Workspace User Organizational Unit Changed",
 "sha256": "98638b8378e232c3d8a54f3b4ec12fa3eae908ba56a658c7557b22c25766b823",
 "type": "query",
 "version": 106
 },
 "cc89312d-6f47-48e4-a87c-4977bd4633c3": {
+ "min_stack_version": "8.3",
 "rule_name": "GCP Pub/Sub Subscription Deletion",
 "sha256": "be76246406041025864af7eeea3c9600ab406bf778763b00a6ea6e6489240408",
 "type": "query",
@@ -5886,7 +7887,7 @@
 "cc92c835-da92-45c9-9f29-b4992ad621a0": {
 "min_stack_version": "8.10",
 "previous": {
- "8.9": {
+ "8.3": {
 "max_allowable_version": 206,
 "rule_name": "Attempt to Deactivate an Okta Policy Rule",
 "sha256": "ed2062f991db0a0dce267846fe8363883628421221166f8246b4924828f02999",
@@ -5900,6 +7901,7 @@
 "version": 207
 },
 "ccc55af4-9882-4c67-87b4-449a7ae8079c": {
+ "min_stack_version": "8.3",
 "rule_name": "Potential Process Herpaderping Attempt",
 "sha256": "7358d900c0332bbc2ea6bd00db02a9d7ce7199fcbd5ffea5cce60caf11cc99c2",
 "type": "eql",
@@ -5908,7 +7910,7 @@
 "cd16fb10-0261-46e8-9932-a0336278cdbe": {
 "min_stack_version": "8.10",
 "previous": {
- "8.9": {
+ "8.3": {
 "max_allowable_version": 205,
 "rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
 "sha256": "32c09cb649d10eb0d58645624f6534db9c40073e42552b0381f5b414e9c58bb6",
@@ -5928,18 +7930,21 @@
 "version": 100
 },
 "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": {
+ "min_stack_version": "8.3",
 "rule_name": "Anomalous Linux Compiler Activity",
 "sha256": "ac7fe1661692762ebf3969e3980d674808ea8cf32e188619fd6e08de268af793",
 "type": "machine_learning",
 "version": 103
 },
 "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
+ "min_stack_version": "8.3",
 "rule_name": "Kernel Module Removal",
 "sha256": "8e7fd75b780b1265825a7a783ea3000b983acf3ce3100a49edb797139b01e31f",
 "type": "eql",
 "version": 109
 },
 "cd82e3d6-1346-4afd-8f22-38388bbf34cb": {
+ "min_stack_version": "8.3",
 "rule_name": "Downloaded URL Files",
 "sha256": "1a31489f793c58d433963910d8327747a3e7824bf11685358836a38183e8aca0",
 "type": "eql",
@@ -5948,7 +7953,7 @@
 "cd89602e-9db0-48e3-9391-ae3bf241acd8": {
 "min_stack_version": "8.10",
 "previous": {
- "8.9": {
+ "8.3": {
 "max_allowable_version": 205,
 "rule_name": "Attempt to Deactivate MFA for an Okta User Account",
 "sha256": "173487533fb84ffd2bbd8598bf0ac4f518f295cc6715c381743a3fe6d0f14ec7",
@@ -5964,7 +7969,7 @@
 "cdbebdc1-dc97-43c6-a538-f26a20c0a911": {
 "min_stack_version": "8.10",
 "previous": {
- "8.9": {
+ "8.3": {
 "max_allowable_version": 206,
 "rule_name": "Okta User Session Impersonation",
 "sha256": "36a5fb5b929045a84f302c057459e3b5e6eb50cb409fc5a9edf6cdcd47f30ee5",
@@ -5980,7 +7985,7 @@
 "cde1bafa-9f01-4f43-a872-605b678968b0": {
 "min_stack_version": "8.12",
 "previous": {
- "8.9": {
+ "8.3": {
 "max_allowable_version": 110,
 "rule_name": "Potential PowerShell HackTool Script by Function Names",
 "sha256": "e4ac68b4b9ff58cc55eedd8f6d7ef11a2ddc48c4f339955ad2f2ecf0e531e8aa",
@@ -5994,84 +7999,107 @@ "version": 111 }, "ce08b55a-f67d-4804-92b5-617b0fe5a5b5": { + "min_stack_version": "8.8", "rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)", "sha256": "557be18d473f0dab21314e36e19724bf288eed2289446960d75923b23429b4ca", "type": "new_terms", "version": 1 }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { + "min_stack_version": "8.3", "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", "sha256": "38c701cbddca58faa29370862beddbbc9839ee8f8ef4985c006e2f03acecfdb7", "type": "eql", "version": 109 }, "cf53f532-9cc9-445a-9ae7-fced307ec53c": { + "min_stack_version": "8.3", "rule_name": "Cobalt Strike Command and Control Beacon", "sha256": "ddb4b9d7e2f95d26c85ab37fb9696c58aa1f937e5f4788214b8711b988206967", "type": "query", "version": 105 }, "cf549724-c577-4fd6-8f9b-d1b8ec519ec0": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 202, + "rule_name": "Domain Added to Google Workspace Trusted Domains", + "sha256": "c773965d1c83361d3745d38a93d9ac9380056a79a5f3d4ebff542d94a9a369ce", + "type": "query", + "version": 104 + } + }, "rule_name": "Domain Added to Google Workspace Trusted Domains", "sha256": "15e692b56a4792a0434440ea85ef264cbfb31e1ebd9bdc618a03987f928a53a1", "type": "query", "version": 205 }, "cf575427-0839-4c69-a9e6-99fde02606f3": { + "min_stack_version": "8.6", "rule_name": "Unusual Discovery Activity by User", "sha256": "2dec950ffa14b4863a879f391b045196709a774f032c8bc35d8f61ba20e2bfff", "type": "new_terms", "version": 1 }, "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e": { + "min_stack_version": "8.3", "rule_name": "Trap Signals Execution", "sha256": "1a696ba4be544120eb0807e5df6957584e991663b97f6a7176337094b9cd85b4", "type": "eql", "version": 2 }, "cff92c41-2225-4763-b4ce-6f71e5bda5e6": { + "min_stack_version": "8.3", "rule_name": "Execution from Unusual Directory - Command Line", "sha256": "1e5d776df1e502f5d444b1a1e6cdcfc3de4ad784a603e7e0f23aaed9eae2f766", "type": "eql", 
"version": 112 }, "cffbaf47-9391-4e09-a83c-1f27d7474826": { + "min_stack_version": "8.3", "rule_name": "Archive File with Unusual Extension", "sha256": "18c93a2cdc51a8d42ddeac46edeabbdc0d991b52e2dd4e74054eba59583adee3", "type": "eql", "version": 2 }, "d00f33e7-b57d-4023-9952-2db91b1767c4": { + "min_stack_version": "8.3", "rule_name": "Namespace Manipulation Using Unshare", "sha256": "258bf65e5da42c0bef720f575c963343ace055871316f6bba6ec31b60869c06e", "type": "eql", "version": 9 }, "d0b0f3ed-0b37-44bf-adee-e8cb7de92767": { + "min_stack_version": "8.8", "rule_name": "AWS Credentials Searched For Inside A Container", "sha256": "27918dd9cf339832d9efc37e0b589ce887eae09959450ae8a4297df5ba0f040e", "type": "eql", "version": 1 }, "d0e159cf-73e9-40d1-a9ed-077e3158a855": { + "min_stack_version": "8.3", "rule_name": "Registry Persistence via AppInit DLL", "sha256": "4ec85ed3f6241a6015c998b91cdbbcf438629be2a40cdbfce1a173ebabd7c292", "type": "eql", "version": 110 }, "d117cbb4-7d56-41b4-b999-bdf8c25648a0": { + "min_stack_version": "8.3", "rule_name": "Symbolic Link to Shadow Copy Created", "sha256": "c8d1d7cc4181248cc8906dbc6d37aa62c162ed9bde92f7b4daf42b912e451197", "type": "eql", "version": 111 }, "d12bac54-ab2a-4159-933f-d7bcefa7b61d": { + "min_stack_version": "8.3", "rule_name": "Expired or Revoked Driver Loaded", "sha256": "ea840a544f731bf59d6e9ef5ab6773395bd85b0b68618e2116a391972ab21fa2", "type": "eql", "version": 5 }, "d197478e-39f0-4347-a22f-ba654718b148": { + "min_stack_version": "8.3", "rule_name": "Compression DLL Loaded by Unusual Process", "sha256": "e50bbd58e226d8bbd59de277de10019d3228aabae3308cc310c43c5f89b1c0ce", "type": "eql", 
@@ -6084,36 +8112,42 @@ "version": 100 }, "d22a85c6-d2ad-4cc4-bf7b-54787473669a": { + "min_stack_version": "8.3", "rule_name": "Potential Microsoft Office Sandbox Evasion", "sha256": "60d547919df01902f6d9894993e128a708f3086fe89e9058b7ff57338d0a5fa2", "type": "query", "version": 106 }, "d31f183a-e5b1-451b-8534-ba62bca0b404": { + "min_stack_version": "8.3", "rule_name": "Disabling User Account Control via Registry Modification", "sha256": "603191c9e9fe22a6f972c18bfb548360ab4f4b1378a58e8a4a24479548e8b1d0", "type": "eql", "version": 110 }, "d331bbe2-6db4-4941-80a5-8270db72eb61": { + "min_stack_version": "8.3", "rule_name": "Clearing Windows Event Logs", "sha256": "1c0780a844be282bd8fdfb0d608fa65473ba2d01d1a5be9e50e2e08039542576", "type": "eql", "version": 112 }, "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": { + "min_stack_version": "8.3", "rule_name": "Remote Windows Service Installed", "sha256": "63102ba4aec4aaab713fffceebe688d706bb41cdf8bcf23d4055467011cb9fb9", "type": "eql", "version": 6 }, "d3551433-782f-4e22-bbea-c816af2d41c6": { + "min_stack_version": "8.3", "rule_name": "WMI WBEMTEST Utility Execution", "sha256": "76b2081709ea9b401fc695d779a14dfa839fbd99eb19c8510b2ea6c5f7e7b4f4", "type": "eql", "version": 2 }, "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { + "min_stack_version": "8.3", "rule_name": "Shell Execution via Apple Scripting", "sha256": "71aae69ea3a3fbd1d8e627c5d0fd9b6f7a01313216ddf8c23df060835c0864fd", "type": "eql", @@ -6122,7 +8156,7 @@ "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 204, "rule_name": "Attempt to Delete an Okta Application", "sha256": "ec2d2014d13ce312c51e80554c30af695049e703918b7f1b19da53f58154d6f7", 
@@ -6136,30 +8170,35 @@ "version": 205 }, "d49cc73f-7a16-4def-89ce-9fc7127d7820": { + "min_stack_version": "8.3", "rule_name": "Web Application Suspicious Activity: sqlmap User Agent", "sha256": "f10cb94a414e6983ebdaa36e5c4a332a76a4d06134043937967fdf2e2faa2cc7", "type": "query", "version": 102 }, "d4af3a06-1e0a-48ec-b96a-faf2309fae46": { + "min_stack_version": "8.3", "rule_name": "Unusual Linux System Information Discovery Activity", "sha256": "1823af90ab9f82af85f6752bb44ce24df6e0ef1e0722d477f91a55675de28c8f", "type": "machine_learning", "version": 103 }, "d4b73fa0-9d43-465e-b8bf-50230da6718b": { + "min_stack_version": "8.3", "rule_name": "Unusual Source IP for a User to Logon from", "sha256": "b9964a7773745de7f347665b66883623fc60d4e0e4a004d0b7e3b5cd79694041", "type": "machine_learning", "version": 103 }, "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": { + "min_stack_version": "8.3", "rule_name": "Linux init (PID 1) Secret Dump via GDB", "sha256": "809e2c52ca587a80879385c7226866c574d86e366a6787b0b1e8df77a8763e06", "type": "eql", "version": 6 }, "d55436a8-719c-445f-92c4-c113ff2f9ba5": { + "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via UID INT_MAX Bug Detected", "sha256": "4408eb01f3714ecf0f5cee312dafd363a2fbbc4a368846ab78b257fdcfef9924", "type": "eql", @@ -6173,6 +8212,7 @@ "version": 3 }, "d563aaba-2e72-462b-8658-3e5ea22db3a6": { + "min_stack_version": "8.3", "rule_name": "Privilege Escalation via Windir Environment Variable", "sha256": "42e3e1682134a7ed8c26d9a5ce2bcf4830d6a7af85268a0d2455a75e23119f6c", "type": "eql", @@ -6181,7 +8221,7 @@ "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Attempt to Delete an Okta Policy Rule", "sha256": "ef00abb177343a787a119303eaa0cb71aef503d40d309b2699d05fe0178157a6", 
@@ -6195,18 +8235,30 @@ "version": 206 }, "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { + "min_stack_version": "8.3", "rule_name": "Service Command Lateral Movement", "sha256": "a06abd5554d50f0ebc9b99f80159dbf24d97dc6453dab05f27bd09f0e8884f42", "type": "eql", "version": 107 }, "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS CloudWatch Log Stream Deletion", + "sha256": "e7f7445facc4da1f84ee331f6dbbf22337e319df0727349ff958c0f62154fd1f", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS CloudWatch Log Stream Deletion", "sha256": "44a8abff6921cf217c396e51cf30499d8bee7d8f1544fa02f7d9e093e6648578", "type": "query", "version": 209 }, "d62b64a8-a7c9-43e5-aee3-15a725a794e7": { + "min_stack_version": "8.3", "rule_name": "GCP Pub/Sub Subscription Creation", "sha256": "981abcaff8eaa4e947885a8b6e60edb877602e6ec2974994837ffbf18e7085b4", "type": "query", 
@@ -6219,102 +8271,155 @@ "version": 100 }, "d68e95ad-1c82-4074-a12a-125fe10ac8ba": { + "min_stack_version": "8.3", "rule_name": "System Information Discovery via Windows Command Shell", "sha256": "e564b576c629a29ec8088864b78c7c81c8d46453cc5e038a33fdd24d4a3a2641", "type": "eql", "version": 10 }, "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", + "sha256": "3fa1ccf28083380bbb7d71135b1b5ab0753f90d5fde3ecdeda2cb4ffc6ae81aa", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", "sha256": "e1c61b6847b137835d630c3eba3b8bf7a5da03bf08a0e81a27ca46637b093b91", "type": "query", "version": 206 }, "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": { + "min_stack_version": "8.3", "rule_name": "Modification of WDigest Security Provider", "sha256": "c7b2137213e37ccba915d2c30fa260188c065d8e939c56b72e4fd1f4001d72df", "type": "eql", "version": 109 }, "d72e33fc-6e91-42ff-ac8b-e573268c5a87": { + "min_stack_version": "8.3", "rule_name": "Command Execution via SolarWinds Process", "sha256": "84b33e85f61fe174e8ec6980e6480028773e96980d267505f090cfa2d2460192", "type": "eql", "version": 111 }, "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion", + "sha256": "4a8ffe50aa43eaf2654ac6a51517203a86c2951828434a1cb60bb435707c5a6b", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion", "sha256": "8ac44c71af4271eb13db4ef37b755bdfb7b4c9aa8f3ec7041a7a2ec06b98482d", "type": "query", "version": 206 }, "d74d6506-427a-4790-b170-0c2a6ddac799": { + "min_stack_version": "8.3", "rule_name": "Suspicious Memory grep Activity", "sha256": "b142483255de74b46aa32d1dd3a28f2821bb97997be6bae899e84c0d30fa9165", "type": 
"eql", "version": 2 }, "d75991f2-b989-419d-b797-ac1e54ec2d61": { + "min_stack_version": "8.7", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "SystemKey Access via Command Line", + "sha256": "48b8b3a40209f6422060e3de267b79054f2ad0313fc42c4cef21decadf490f4d", + "type": "query", + "version": 106 + } + }, "rule_name": "SystemKey Access via Command Line", "sha256": "6459c63e59f54f94e12abb17883b4ae2c8a99424f6e2c321c1647d47ce81c091", "type": "query", "version": 206 }, "d76b02ef-fc95-4001-9297-01cb7412232f": { + "min_stack_version": "8.3", "rule_name": "Interactive Terminal Spawned via Python", "sha256": "06fed263415e4ac3e3f062be3c0bc968c640a3632e4588fd2a405dbdac73f541", "type": "eql", "version": 110 }, "d79c4b2a-6134-4edd-86e6-564a92a933f9": { + "min_stack_version": "8.3", "rule_name": "Azure Blob Permissions Modification", "sha256": "4721b8fe47efb148dfe195f28255209d453662590443eac3aeb27c0ef998640f", "type": "query", "version": 103 }, "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": { + "min_stack_version": "8.3", "rule_name": "Spike in Logon Events", "sha256": "d252490036f46e2d8c44e6c0aec56feb27ef9539cd83c5430534df5a0189a203", "type": "machine_learning", "version": 103 }, "d7e62693-aab9-4f66-a21a-3d79ecdd603d": { + "min_stack_version": "8.3", "rule_name": "SMTP on Port 26/TCP", "sha256": "8bf03857acd5416922cae6018a42266418009a83c60f4fa6388d0ac603af5f0b", "type": "query", "version": 104 }, "d8ab1ec1-feeb-48b9-89e7-c12e189448aa": { + "min_stack_version": "8.3", "rule_name": "Untrusted Driver Loaded", "sha256": "9b90c86424390fccfc1959785af10eeade5e654612545617582dca1058cb17b8", "type": "eql", "version": 8 }, "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS IAM Deactivation of MFA Device", + "sha256": "3c501df177ec97cc6f46663425f4c04cb979694688cd3bfad27f03a0d8a2ac53", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS IAM Deactivation of MFA 
Device", "sha256": "e70bcba5f981ab9bc5d058baf0631ea65c4172e55502ae1f6b6fceeca1035906", "type": "query", "version": 209 }, "d99a037b-c8e2-47a5-97b9-170d076827c4": { + "min_stack_version": "8.3", "rule_name": "Volume Shadow Copy Deletion via PowerShell", "sha256": "32bc4e3bb16d80971b9c8bb068a743e7041477c34017d3fd5a9f1f42ca4873b1", "type": "eql", "version": 111 }, "da7733b1-fe08-487e-b536-0a04c6d8b0cd": { + "min_stack_version": "8.3", "rule_name": "Code Signing Policy Modification Through Registry", "sha256": "9ebf3042fc83b25b6a39a0cc87927cefb341ebb08bcce8749b4e07166ba98d0d", "type": "eql", "version": 9 }, "da7f5803-1cd4-42fd-a890-0173ae80ac69": { + "min_stack_version": "8.9", "rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", "sha256": "6ede570261a72bdcdf1e10f2f1fa1f9d331da8df7293f982df1b311120e88083", "type": "query", "version": 3 }, "da87eee1-129c-4661-a7aa-57d0b9645fad": { + "min_stack_version": "8.3", "rule_name": "Suspicious Service was Installed in the System", "sha256": "21882fe93edaef610a0b27aef9155e98576d28411bb1deb9914a0163f9f81694", "type": "eql", 
@@ -6327,36 +8432,42 @@ "version": 100 }, "daafdf96-e7b1-4f14-b494-27e0d24b11f6": { + "min_stack_version": "8.4", "rule_name": "Potential Pass-the-Hash (PtH) Attempt", "sha256": "fb420a72b427d67311f02098a93854b2a6bd5c733b6cbca4275ee920329b9b9e", "type": "new_terms", "version": 3 }, "dafa3235-76dc-40e2-9f71-1773b96d24cf": { + "min_stack_version": "8.3", "rule_name": "Multi-Factor Authentication Disabled for an Azure User", "sha256": "9bec414579dbdeb0c1a10611d7a97fa166af67379b6b69855a360097da1cc0ee", "type": "query", "version": 105 }, "db65f5ba-d1ef-4944-b9e8-7e51060c2b42": { + "min_stack_version": "8.3", "rule_name": "Network-Level Authentication (NLA) Disabled", "sha256": "5ba03fd03c459addbd61462891a2464974c59930a12e77a48efb688584584474", "type": "eql", "version": 3 }, "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": { + "min_stack_version": "8.3", "rule_name": "Execution via Windows Subsystem for Linux", "sha256": "3bcb0230882be5c94ef22fde8ca625bfde5e40e20e1e545cf8a0f68d01c7e8f3", "type": "eql", "version": 6 }, "db8c33a8-03cd-4988-9e2c-d0a4863adb13": { + "min_stack_version": "8.3", "rule_name": "Credential Dumping - Prevented - Elastic Endgame", "sha256": "5de5038a06b13f9d4d0b252316c5fc2a6d92c60d65cf8613bdde5c1514f4bd65", "type": "query", "version": 103 }, "dc0b7782-0df0-47ff-8337-db0d678bdb66": { + "min_stack_version": "8.3", "rule_name": "Suspicious Content Extracted or Decompressed via Funzip", "sha256": "e56d02dd6b3a5cd288516467c111539cbe759ada556ffe40e5d4f26a0e9c6ee0", "type": "eql", 
@@ -6369,90 +8480,132 @@ "version": 100 }, "dc71c186-9fe4-4437-a4d0-85ebb32b8204": { + "min_stack_version": "8.3", "rule_name": "Potential Hidden Process via Mount Hidepid", "sha256": "abccbf694da0eb306df7f606501df6d3e19475e12fbcd106342e187528d0ecf7", "type": "eql", "version": 8 }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { + "min_stack_version": "8.3", "rule_name": "Volume Shadow Copy Deletion via WMIC", "sha256": "2d9e1771d9606f5f38126860db0e8757d223c30ae4a1b3b93d60ac17b0127a99", "type": "eql", "version": 110 }, "dca28dee-c999-400f-b640-50a081cc0fd1": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Unusual Country For an AWS Command", + "sha256": "09aabd7cf1fd572c2266143f903d21cbaedb757f619cc17b5f2c78b74e046946", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Unusual Country For an AWS Command", "sha256": "e6e99ee2cb2084337de3331bcf945c7714a1fc79df6bc880c40dcb399e87a561", "type": "machine_learning", "version": 208 }, "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": { + "min_stack_version": "8.3", "rule_name": "Suspicious Execution from INET Cache", "sha256": "6b58cc9b14a7fac5ea7f584782e3f3c7161f78158b1ce3fe3c33928ebba3d84d", "type": "eql", "version": 2 }, "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": { + "min_stack_version": "8.3", "rule_name": "Attempt to Install Kali Linux via WSL", "sha256": "51ebf76d12a58d9db10b3a9d16c79ee0ae0672fa77f9fd0682b3796a7520351a", "type": "eql", "version": 7 }, "dd7f1524-643e-11ed-9e35-f661ea17fbcd": { + "min_stack_version": "8.3", "rule_name": "Reverse Shell Created via Named Pipe", "sha256": "d8b4bfe2baa5dc7735769bd51e37b1b139c521ec70d2ce8db325a4d6e409f82c", "type": "eql", "version": 6 }, "ddab1f5f-7089-44f5-9fda-de5b11322e77": { + "min_stack_version": "8.3", "rule_name": "NullSessionPipe Registry Modification", "sha256": "6c3d142ca53ffc037b333b4699eb891e35c11d1ca95aa3ae6347fb173bc33735", "type": "eql", "version": 108 }, "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { + 
"min_stack_version": "8.3", "rule_name": "Unusual Child Process from a System Virtual Process", "sha256": "0a0a64ff02f4040cf251994361f673fa3c6618edb6d38387c8adf5f5749f4b5a", "type": "eql", "version": 110 }, "debff20a-46bc-4a4d-bae5-5cdd14222795": { + "min_stack_version": "8.3", "rule_name": "Base16 or Base32 Encoding/Decoding Activity", "sha256": "a7f6c2c79e782df9aa8415605d72b36e28ac9b0ab828b6077ede6a98958a6977", "type": "eql", "version": 110 }, "ded09d02-0137-4ccc-8005-c45e617e8d4c": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 101, + "rule_name": "Query Registry using Built-in Tools", + "sha256": "b2ee224e76ea602717f6188bd78728ea09a54c1c694fb5041f9d7f0197db8ebd", + "type": "eql", + "version": 2 + } + }, "rule_name": "Query Registry using Built-in Tools", "sha256": "f96c303f816b1dd2758c8f7dd096711bacc5b826d610127acd0e425a321579cd", "type": "new_terms", "version": 105 }, "df0fd41e-5590-4965-ad5e-cd079ec22fa9": { + "min_stack_version": "8.6", "rule_name": "First Time Seen Driver Loaded", "sha256": "7e66246ea00c9698fbfa57311793c02739cbad96d59bd88bbda9dbc752e4ac58", "type": "new_terms", "version": 7 }, "df197323-72a8-46a9-a08e-3f5b04a4a97a": { + "min_stack_version": "8.3", "rule_name": "Unusual Windows User Calling the Metadata Service", "sha256": "d7b5f6ca8779a491a009ef24fa38c89815905e818546c5671f5dc05bd505e3ce", "type": "machine_learning", "version": 103 }, "df26fd74-1baa-4479-b42e-48da84642330": { + "min_stack_version": "8.3", "rule_name": "Azure Automation Account Created", "sha256": "b82b8d83b12f049d275d3f1d78e61640c6b772c160ca3844d5e09df9cf465669", "type": "query", "version": 102 }, "df6f62d9-caab-4b88-affa-044f4395a1e0": { + "min_stack_version": "8.3", "rule_name": "Dynamic Linker Copy", "sha256": "abf419807a9782b1ea278f1682ee0d5be74e340e248aa42cb3303c3a41892725", "type": "eql", "version": 108 }, "df7fda76-c92b-4943-bc68-04460a5ea5ba": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 
199, + "rule_name": "Kubernetes Pod Created With HostPID", + "sha256": "8504c3a7241f7cfb70d23f3d06e6f6c5191c15f0ac37578efdc476c6230b04a6", + "type": "query", + "version": 101 + } + }, "rule_name": "Kubernetes Pod Created With HostPID", "sha256": "b912b62e03d307861dc557cdbfc8fe17d54f7b8a394fee4ec9e46e4539393622", "type": "query", @@ -6465,30 +8618,35 @@ "version": 100 }, "dffbd37c-d4c5-46f8-9181-5afdd9172b4c": { + "min_stack_version": "8.3", "rule_name": "Potential privilege escalation via CVE-2022-38028", "sha256": "6c482e61313171b3dc7b0d4085b1103871e12cb403c6fa1d2048781f9e805253", "type": "eql", "version": 1 }, "e00b8d49-632f-4dc6-94a5-76153a481915": { + "min_stack_version": "8.3", "rule_name": "Delayed Execution via Ping", "sha256": "c6fa799b2b134a4e7c34302b0b8f543c54dd38aaba6bfa93b1933a3374e41c71", "type": "eql", "version": 2 }, "e02bd3ea-72c6-4181-ac2b-0f83d17ad969": { + "min_stack_version": "8.3", "rule_name": "Azure Firewall Policy Deletion", "sha256": "fbf370e089437f900b3701b3d7a7af66a118801719201fe03fbfea44438802c0", "type": "query", "version": 102 }, "e052c845-48d0-4f46-8a13-7d0aba05df82": { + "min_stack_version": "8.3", "rule_name": "KRBTGT Delegation Backdoor", "sha256": "13d64c92f3533756a0657f2f8db2a099ab8cf25d1b5d1722dc5b880ec815bf34", "type": "query", "version": 107 }, "e0881d20-54ac-457f-8733-fe0bc5d44c55": { + "min_stack_version": "8.3", "rule_name": "System Service Discovery through built-in Windows Utilities", "sha256": "c1e96e42705eb2de534b4ce6fa40b16c522e2bb6f8f8a0f0ff6ea140ff22680b", "type": "eql", @@ -6497,7 +8655,7 @@ "e08ccd49-0380-4b2b-8d71-8000377d6e49": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 206, "rule_name": "Attempts to Brute Force an Okta User Account", "sha256": "8e33c2c08ab3335a16db298608f1b8b793646a2abf1362acb2c0f316433293d0", 
@@ -6511,54 +8669,81 @@ "version": 208 }, "e0cc3807-e108-483c-bf66-5a4fbe0d7e89": { + "min_stack_version": "8.3", "rule_name": "Potentially Suspicious Process Started via tmux or screen", "sha256": "da9fb3e751cf2aca3b76ff6969e48fb1e4f477f4832888b32a57290109f5982a", "type": "eql", "version": 4 }, "e0dacebe-4311-4d50-9387-b17e89c2e7fd": { + "min_stack_version": "7.16", "rule_name": "Whitespace Padding in Process Command Line", "sha256": "2aa8bb1cd50151cb0c68f9f9aaca7894681a205d965326b65eb8c1163e176257", "type": "eql", "version": 100 }, "e0f36de1-0342-453d-95a9-a068b257b053": { + "min_stack_version": "8.3", "rule_name": "Azure Event Hub Deletion", "sha256": "a2ecaf7e5ffeba64be9df560b78b9046a7dd8803d4d3e1f50854456965291dc7", "type": "query", "version": 102 }, "e12c0318-99b1-44f2-830c-3a38a43207ca": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Route Table Created", + "sha256": "7bc47ab3f6abaaa3ab9719f0b5584578bde76d5e46e45c4f5930b55727fde835", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Route Table Created", "sha256": "862abfa5c379d1e32f01d1c6199755c9de4bfcd13eaf1b23d019ae40ccde21c5", "type": "query", "version": 207 }, "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS RDS Cluster Creation", + "sha256": "1028d9d315c9b25af760a4d81b28115f4bc2ea1653f08740433bc44c0c49ecbf", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS RDS Cluster Creation", "sha256": "3971b630a9892ede07636cbd4aafedb6e0a66eb9a58e95bca937fd3d473486f6", "type": "query", "version": 206 }, "e19e64ee-130e-4c07-961f-8a339f0b8362": { + "min_stack_version": "8.3", "rule_name": "Connection to External Network via Telnet", "sha256": "aca0eb0c2cc280c1e11e840c13fbdf1d68c10d4842912b4d5f2c41f27ca376c5", "type": "eql", "version": 107 }, "e1db8899-97c1-4851-8993-3a3265353601": { + "min_stack_version": "8.9", "rule_name": 
"Potential Data Exfiltration Activity to an Unusual ISO Code", "sha256": "2dfa5553eab948bb3ad46437fda2847c3d2d98e63aa80c10f1b8a179eb44b650", "type": "machine_learning", "version": 3 }, "e2258f48-ba75-4248-951b-7c885edf18c2": { + "min_stack_version": "8.3", "rule_name": "Suspicious Mining Process Creation Event", "sha256": "e91422636467edf05da152b15ace87fb9f957102bab6ef22a1f413c45c076dc9", "type": "eql", "version": 6 }, "e26aed74-c816-40d3-a810-48d6fbd8b2fd": { + "min_stack_version": "8.3", "rule_name": "Spike in Successful Logon Events from a Source IP", "sha256": "433470a845fb7c68a2d975d0c852935ae2f613397f228fcbc0508dab28be90ff", "type": "machine_learning", @@ -6567,7 +8752,7 @@ "e26f042e-c590-4e82-8e05-41e81bd822ad": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 211, "rule_name": "Suspicious .NET Reflection via PowerShell", "sha256": "a85be96f9a8185ce72aee9271706a90a0667bc9dc8340ec37a74fc874c3ba6d9", 
@@ -6588,66 +8773,95 @@ "version": 2 }, "e2a67480-3b79-403d-96e3-fdd2992c50ef": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS Management Console Root Login", + "sha256": "b9dd3e3ff50478a62eb78a03bd6f15b075d2c8b5205f36afb4bb4c84ec2aea89", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS Management Console Root Login", "sha256": "e92692113a5e54b3929b90730de141b010fbf55f4a52a1d77e548a78cc361ecd", "type": "query", "version": 209 }, "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": { + "min_stack_version": "8.3", "rule_name": "System Network Connections Discovery", "sha256": "e18cba651376cfe6e9941e9849b0b35efb04d877fd885ad2d8e410d9690633d1", "type": "eql", "version": 3 }, "e2e0537d-7d8f-4910-a11d-559bcf61295a": { + "min_stack_version": "8.3", "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility", "sha256": "3e63bc85075d9b743e6bf54268defc21c112e95ddb806edfb8a78a3ab78903bc", "type": "eql", "version": 7 }, "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { + "min_stack_version": "8.3", "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", "sha256": "bee7840c66166d2669fe2c9007db541d327d9ea4a3fdfda0b9c233e216e4a37d", "type": "eql", "version": 111 }, "e2fb5b18-e33c-4270-851e-c3d675c9afcd": { + "min_stack_version": "8.3", "rule_name": "GCP IAM Role Deletion", "sha256": "81da5ac170cebd66bcbf89e17268d9b7d3559955c522f1623d651961f6419cbe", "type": "query", "version": 104 }, "e3343ab9-4245-4715-b344-e11c56b0a47f": { + "min_stack_version": "8.3", "rule_name": "Process Activity via Compiled HTML File", "sha256": "6cef2e899c6b4e9645a167a889392bdc93d93b0cdbefafa881495069c49f284e", "type": "eql", "version": 110 }, "e3c27562-709a-42bd-82f2-3ed926cced19": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Route53 private hosted zone associated with a VPC", + "sha256": "dd9a314d7acf050b51fec079eb2ff4d0667d2954a8fe4eee7a86081d7971db12", + 
"type": "query", + "version": 105 + } + }, "rule_name": "AWS Route53 private hosted zone associated with a VPC", "sha256": "7ffafc6db354cba90fcf1ace4d763e22cb051ba2f8ad28c7e9f2cd89ef903525", "type": "query", "version": 206 }, "e3c5d5cb-41d5-4206-805c-f30561eae3ac": { + "min_stack_version": "8.3", "rule_name": "Ransomware - Prevented - Elastic Endgame", "sha256": "b7d178b2a838a3cb100c12763f21969b20233d489823c43d10e756e079284462", "type": "query", "version": 103 }, "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": { + "min_stack_version": "8.3", "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", "sha256": "888df58b2f7bdef7997e9bf98f6cefecc8e5dc094ec1c1391fbec5f03fc85d8e", "type": "eql", "version": 107 }, "e3e904b3-0a8e-4e68-86a8-977a163e21d3": { + "min_stack_version": "8.3", "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification", "sha256": "20a809b0c9d105e502a250b3d41b6934687bf4d74fbbedd98cef83bdf6d2658b", "type": "eql", "version": 110 }, "e468f3f6-7c4c-45bb-846a-053738b3fe5d": { + "min_stack_version": "8.4", "rule_name": "First Time Seen NewCredentials Logon Process", "sha256": "9a219e929d52b9d5fd2593524c043db217318eb6f540793dae2c595418f5dc02", "type": "new_terms", @@ -6656,7 +8870,7 @@ "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Attempt to Modify an Okta Network Zone", "sha256": "5f65ddaac1e8431e60917074c8cb8ead43d51ca2475c63ef74c89e0b558c3456", 
@@ -6670,18 +8884,30 @@ "version": 206 }, "e4e31051-ee01-4307-a6ee-b21b186958f4": { + "min_stack_version": "8.3", "rule_name": "Service Creation via Local Kerberos Authentication", "sha256": "c47f1f706cc482c626dc8045250f798362338387db47fe387412408b6be3bae1", "type": "eql", "version": 105 }, "e514d8cd-ed15-4011-84e2-d15147e059f1": { + "min_stack_version": "8.3", "rule_name": "Kerberos Pre-authentication Disabled for User", "sha256": "f31d2b25f3d2f895e14eab6c7ec29719c97852d5f2f99b2fa9357b9637c2f510", "type": "query", "version": 110 }, "e555105c-ba6d-481f-82bb-9b633e7b4827": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 202, + "rule_name": "MFA Disabled for Google Workspace Organization", + "sha256": "2c13a6fc437d2115e97e6e81a6d555601f5f93d05f444b9935bf76d94877c049", + "type": "query", + "version": 104 + } + }, "rule_name": "MFA Disabled for Google Workspace Organization", "sha256": "91e053deeef1fbe832a95085ef68f2122ba06d94e64114a2d0e61cf3f1d64d6f", "type": "query", @@ -6694,12 +8920,14 @@ "version": 100 }, "e6c1a552-7776-44ad-ae0f-8746cc07773c": { + "min_stack_version": "8.3", "rule_name": "Bash Shell Profile Modification", "sha256": "bc03a7affdb0db7aca8cb74b550750403c0cc22f1f31640dabbcf506dd04b2b3", "type": "query", "version": 104 }, "e6c98d38-633d-4b3e-9387-42112cd5ac10": { + "min_stack_version": "8.3", "rule_name": "Authorization Plugin Modification", "sha256": "ef208b091fc4ad2aa8c598a1e11c2de761824f498ee049b117285c932936bb8e", "type": "query", @@ -6708,7 +8936,7 @@ "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 204, "rule_name": "Possible Okta DoS Attack", "sha256": "0068f7eda335ee0ee3e6452f9a91166dd50e098862de1791f4e6b6bd0ff4a391", 
@@ -6722,84 +8950,125 @@ "version": 205 }, "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { + "min_stack_version": "8.3", "rule_name": "Screensaver Plist File Modified by Unexpected Process", "sha256": "226d7ec9a8d7ef8ee5497afe3c062dd60f96978b4e83c4327ab07af37b0e5b51", "type": "eql", "version": 107 }, "e7075e8d-a966-458e-a183-85cd331af255": { + "min_stack_version": "8.3", "rule_name": "Default Cobalt Strike Team Server Certificate", "sha256": "6bbe76d52fd258b99c66bbf69e3f64060fa0a3112a36cd1c55f44d03d2da9d9e", "type": "query", "version": 104 }, "e707a7be-cc52-41ac-8ab3-d34b38c20005": { + "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Memory Dump File Creation", "sha256": "a39d7d4e32b2b06c056764ba041c47a02fd5e39717b5db77d6827117dc870c62", "type": "eql", "version": 3 }, "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": { + "min_stack_version": "8.3", "rule_name": "Execution of Persistent Suspicious Program", "sha256": "bae068bbb951844f6a723136dec199140d6d35b62406b5deddbe6208895a7478", "type": "eql", "version": 107 }, "e72f87d0-a70e-4f8d-8443-a6407bc34643": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 104, + "rule_name": "Suspicious WMI Event Subscription Created", + "sha256": "bee333bfc8d77b96f009283d0b8dc93b5e2e38ef6b27b38b21daccf6fe50833a", + "type": "eql", + "version": 6 + } + }, "rule_name": "Suspicious WMI Event Subscription Created", "sha256": "4f033d8b97bebdd4d3f7dfb51f5465e5283d687187e643b9e5ad76f243122b20", "type": "eql", "version": 106 }, "e7357fec-6e9c-41b9-b93d-6e4fc40c7d47": { + "min_stack_version": "8.3", "rule_name": "Potential Windows Session Hijacking via CcmExec", "sha256": "0bb32a27d1f4286cf963fe0af6c21dba8716c0bc8a3b250af1d0b62993eda76a", "type": "eql", "version": 1 }, "e74d645b-fec6-431e-bf93-ca64a538e0de": { + "min_stack_version": "8.3", "rule_name": "Unusual Process For MSSQL Service Accounts", "sha256": "25ab58cb351438a03b9bae33943b1e2f27038ddab7e44da1138534c0962b40d8", "type": "eql", 
"version": 4 }, "e760c72b-bb1f-44f0-9f0d-37d51744ee75": { + "min_stack_version": "8.3", "rule_name": "Unusual Execution via Microsoft Common Console File", "sha256": "2d88a1a1afbd362333b27616ad60ef7198d3e854a31723b98ad96fb451d7fb35", "type": "eql", "version": 1 }, "e7cb3cfd-aaa3-4d7b-af18-23b89955062c": { + "min_stack_version": "8.3", "rule_name": "Potential Linux Credential Dumping via Unshadow", "sha256": "9f5e4df959c1865722b929f62227913e0415b091e5be48dc94f3037768b94393", "type": "eql", "version": 8 }, "e7cd5982-17c8-4959-874c-633acde7d426": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Route Table Modified or Deleted", + "sha256": "aac5e30f0f52cc491d255e93c3f1f83cdb0547f9f20b8fe3376704aee6c6f730", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Route Table Modified or Deleted", "sha256": "811d4c47d79d5e63a6d39a14a0e8c4c6d8bdc81b09f09705f57ce46905ea4112", "type": "query", "version": 207 }, "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { + "min_stack_version": "8.3", "rule_name": "Service Control Spawned via Script Interpreter", "sha256": "d821998e1160abb47ecede3b1c462e4239e82c189b4c1bb28462bb126a1b7765", "type": "eql", "version": 108 }, "e86da94d-e54b-4fb5-b96c-cecff87e8787": { + "min_stack_version": "8.3", "rule_name": "Installation of Security Support Provider", "sha256": "7bacfc5c36b455bd387840ed3881384dccf76c4613c11307d4d5d00b45b71f4c", "type": "eql", "version": 108 }, "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": { + "min_stack_version": "8.3", "rule_name": "Host Files System Changes via Windows Subsystem for Linux", "sha256": "f650cdefd5366db74cbb8b10fcdc442ca99580255059225a70906d7069dcc006", "type": "eql", "version": 7 }, "e9001ee6-2d00-4d2f-849e-b8b1fb05234c": { + "min_stack_version": "8.6", + "previous": { + "8.4": { + "max_allowable_version": 102, + "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable", + "sha256": 
"3a05a24c654cdb42c8718f7cf97e55b13d9be01f97cfd17a78db8f616168fa80", + "type": "new_terms", + "version": 3 + } + }, "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable", "sha256": "f180246dbfb2cb7f01f796113f0a1b305d91c244c4989aef63cfc341e4431f35", "type": "new_terms", @@ -6808,7 +9077,7 @@ "e90ee3af-45fc-432e-a850-4a58cf14a457": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 206, "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", "sha256": "36586610b72fd3df43dda1d0bfca8e2b7a439cde98a6b85da439993e98b9978d", 
@@ -6822,30 +9091,44 @@ "version": 208 }, "e919611d-6b6f-493b-8314-7ed6ac2e413b": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS EC2 VM Export Failure", + "sha256": "f5fbdb6dd8db185f84352432e56a887048b7d1bac9936d1c3a3944b9f5ed4d31", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS EC2 VM Export Failure", "sha256": "ddfa3e022f23c8689c14e4a4abba71826f9ad576159d7e3d70ee93634965dd8c", "type": "query", "version": 206 }, "e92c99b6-c547-4bb6-b244-2f27394bc849": { + "min_stack_version": "8.9", "rule_name": "Spike in Bytes Sent to an External Device via Airdrop", "sha256": "1e89013def66c292205e6328af1471ef4e60e7476f31abb7718f73d3602c3e91", "type": "machine_learning", "version": 3 }, "e94262f2-c1e9-4d3f-a907-aeab16712e1a": { + "min_stack_version": "8.3", "rule_name": "Unusual Executable File Creation by a System Critical Process", "sha256": "039641e8c7b1e6c8242b90a66989c99c2f7e958b18bbb211f172b588af3a6f3f", "type": "eql", "version": 111 }, "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": { + "min_stack_version": "8.3", "rule_name": "Potential LSA Authentication Package Abuse", "sha256": "d0a1dc56879cb56dc2747d8b68642dcb238491d808de81350698a3876b010d1e", "type": "eql", "version": 105 }, "e9b0902b-c515-413b-b80b-a8dcebc81a66": { + "min_stack_version": "8.9", "rule_name": "Spike in Remote File Transfers", "sha256": "c2714b3ba5f14682e3de18a33b34ee32dd30f9b08a177f6d6ff9c79ced3ef5e1", "type": "machine_learning", @@ -6858,6 +9141,7 @@ "version": 100 }, "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": { + "min_stack_version": "8.3", "rule_name": "Azure Automation Webhook Created", "sha256": "064a5bf18acba039757d18c76b42acec87f1e497cf8143bc705af25765204078", "type": "query", 
@@ -6870,108 +9154,153 @@ "version": 100 }, "ea09ff26-3902-4c53-bb8e-24b7a5d029dd": { + "min_stack_version": "8.9", "rule_name": "Unusual Process Spawned by a Parent Process", "sha256": "d8ff4bf9daa5791d5125e828242e6da12e755fe8e6594f543661711e82994cfd", "type": "machine_learning", "version": 4 }, "ea248a02-bc47-4043-8e94-2885b19b2636": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS IAM Brute Force of Assume Role Policy", + "sha256": "b067b05efba5deb9be05f4eb293d71270aec223640f2d617f1a365f86c41524c", + "type": "threshold", + "version": 109 + } + }, "rule_name": "AWS IAM Brute Force of Assume Role Policy", "sha256": "a85c08a5d1c0cadd8fa55b0fa4148eb871692edcabdc994258fd047949fc51c3", "type": "threshold", "version": 210 }, "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": { + "min_stack_version": "8.3", "rule_name": "Spike in Firewall Denies", "sha256": "2b70a5f6f296ce20ca6fb54b48a52c4bb57dec8c35b7dfc9b661509716a7cc0a", "type": "machine_learning", "version": 103 }, "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": { + "min_stack_version": "8.3", "rule_name": "Suspicious APT Package Manager Network Connection", "sha256": "e33ef40e6926a8ebb9819b992a678c5cb30b5ca0ec2564ad888d213893eec80c", "type": "eql", "version": 2 }, "eb079c62-4481-4d6e-9643-3ca499df7aaa": { + "min_stack_version": "8.3", "rule_name": "External Alerts", "sha256": "8abb5aaa7b7120ccd0f4b723b4d43ede8ef4179dfd361a78a77fb3e7501947b6", "type": "query", "version": 103 }, "eb44611f-62a8-4036-a5ef-587098be6c43": { + "min_stack_version": "8.3", "rule_name": "PowerShell Script with Webcam Video Capture Capabilities", "sha256": "492442b9a011a2f12dba2f025284191a27457dc32fa61c4cdae57c2efe1bf9ad", "type": "query", "version": 4 }, "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": { + "min_stack_version": "8.3", "rule_name": "PowerShell Kerberos Ticket Request", "sha256": "1eca5c1ab4882b5bcf2dd344dafbd75a680f7fd7cb7bceb1c7c448fe80765bbb", "type": "query", "version": 111 }, 
"eb6a3790-d52d-11ec-8ce9-f661ea17fbce": { + "min_stack_version": "8.3", "rule_name": "Suspicious Network Connection Attempt by Root", "sha256": "7a02f3f1c3af4c212b9b07f86517b323423c7f03670c51025f5a7ea876473d5e", "type": "eql", "version": 104 }, "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { + "min_stack_version": "8.3", "rule_name": "Potential Disabling of SELinux", "sha256": "40ab8ab43acdf3a9d7783d20ac3658086a45ff61e1871fe984d77c6a1d3984ef", "type": "eql", "version": 110 }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { + "min_stack_version": "8.3", "rule_name": "Mimikatz Memssp Log File Detected", "sha256": "1fe569e32abbc334bce0864e3ec5b30c47d3531f6d884186b2b40c52c0230f98", "type": "eql", "version": 109 }, "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": { + "min_stack_version": "8.3", "rule_name": "IIS HTTP Logging Disabled", "sha256": "d83d663dcda70e00a6ab21131eed87f0b8c368ce720e9af6b55cc3ed301826a8", "type": "eql", "version": 110 }, "ebfe1448-7fac-4d59-acea-181bd89b1f7f": { + "min_stack_version": "8.3", "rule_name": "Process Execution from an Unusual Directory", "sha256": "8df3afe86977d9a2b2f2229f4f6d2fb5bb39898849f2d887050d754afba715a2", "type": "eql", "version": 110 }, "ec604672-bed9-43e1-8871-cf591c052550": { + "min_stack_version": "8.8", "rule_name": "File Made Executable via Chmod Inside A Container", "sha256": "20c2ee6633bad709523ecb7a36a5e666212d251d264feca7543facf2bb56ea54", "type": "eql", "version": 2 }, "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": { + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Inbox Forwarding Rule Created", + "sha256": "ccb7629ab98a47b76d488ad0234349226bd54d20ba68a72bfa6d504471d57576", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Inbox Forwarding Rule Created", "sha256": "98615f87ce24445df876a6f771b6899cfdecbd5028d5167fb5f060c7d2cb44df", "type": "query", "version": 206 }, "ecd4857b-5bac-455e-a7c9-a88b66e56a9e": { + "min_stack_version": "8.3", "rule_name": 
"Executable File with Unusual Extension", "sha256": "0dbad6fbc2a61e15df204d363878baabb0a87b3aacc37a8ffc8044d8bb20d509", "type": "eql", "version": 2 }, "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS RDS Instance/Cluster Stoppage", + "sha256": "507678779aec70fd7d8e6f87c97bad4456c69b88fbf5e1ef2ede267b6c6d356b", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS RDS Instance/Cluster Stoppage", "sha256": "597f9aec8295f443a639129b9f673f0e3302a48b8ba1f7a3eab0de937bc34d58", "type": "query", "version": 206 }, "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": { + "min_stack_version": "8.3", "rule_name": "Azure Global Administrator Role Addition to PIM User", "sha256": "05eb2cfe7c6c45d6ae432cf2c83e8d0a56cb0a6c5111004de8625830d13ee06c", "type": "query", "version": 102 }, "eda499b8-a073-4e35-9733-22ec71f57f3a": { + "min_stack_version": "8.3", "rule_name": "AdFind Command Activity", "sha256": "35efc8cf7bf58aeb31117f913287b60e74e904cbdce764bcd90b1a649e6318e1", "type": "eql", @@ -6980,7 +9309,7 @@ "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 205, "rule_name": "Attempt to Deactivate an Okta Application", "sha256": "561500f4153a16fe94b06be9237be4ba8933a3192116af5ef57bdb83da24f973", @@ -6994,12 +9323,14 @@ "version": 206 }, "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { + "min_stack_version": "8.3", "rule_name": "ImageLoad via Windows Update Auto Update Client", "sha256": "6b7b9ccc19477616a522bddc2a00f166753629727474b6494a4460bfc09ec4f6", "type": "eql", "version": 112 }, "edfd5ca9-9d6c-44d9-b615-1e56b920219c": { + "min_stack_version": "8.3", "rule_name": "Linux User Account Creation", "sha256": "95cad73c0f9c90ae0aca50ad6528161624c9d694075e6761ef195da867643c08", "type": "eql", 
@@ -7008,7 +9339,7 @@ "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 102, "rule_name": "Okta FastPass Phishing Detection", "sha256": "ec087af423a304d3b2f85af7926ba24f67f6207424c00d258a6e350a6721c932", @@ -7022,12 +9353,14 @@ "version": 103 }, "ee5300a7-7e31-4a72-a258-250abb8b3aa1": { + "min_stack_version": "8.3", "rule_name": "Unusual Print Spooler Child Process", "sha256": "3b8d96d08eb433256b4fb0fd5206543e932d32caede2f0296b44a83ccf41868c", "type": "eql", "version": 108 }, "ee53d67a-5f0c-423c-a53c-8084ae562b5c": { + "min_stack_version": "8.3", "rule_name": "Shortcut File Written or Modified on Startup Folder", "sha256": "521aaa3ca230327e4d8a00478e8ca676b40727c00d7a32e0e76210c927f99662", "type": "eql", 
@@ -7040,48 +9373,56 @@ "version": 100 }, "eea82229-b002-470e-a9e1-00be38b14d32": { + "min_stack_version": "8.3", "rule_name": "Potential Privacy Control Bypass via TCCDB Modification", "sha256": "1650c91ed1f40d868155851c6a47fc4a0d7b9e3acc49ca5a3a94bf02d47454fc", "type": "eql", "version": 107 }, "ef04a476-07ec-48fc-8f3d-5e1742de76d3": { + "min_stack_version": "8.3", "rule_name": "BPF filter applied using TC", "sha256": "1c7ddc592ac0564b1dd00cf9e28b5abb2f8aab7029e47b5267efa0082a5127a2", "type": "eql", "version": 108 }, "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": { + "min_stack_version": "8.3", "rule_name": "Potential Linux Credential Dumping via Proc Filesystem", "sha256": "5fde0d101ad60721c4369e510760dbc8596c6e42f17cccdf2857b69cd04aeeb7", "type": "eql", "version": 7 }, "ef65e82c-d8b4-4895-9824-5f6bc6166804": { + "min_stack_version": "8.8", "rule_name": "Potential Container Escape via Modified notify_on_release File", "sha256": "9bda21518b9733432c642587f1e1a1beb87b1651d0d838fa1cd342d16bbace04", "type": "eql", "version": 1 }, "ef862985-3f13-4262-a686-5f357bbb9bc2": { + "min_stack_version": "8.3", "rule_name": "Whoami Process Activity", "sha256": "31ce332f330bc9a1bccdf8f56d0d422431517beafd6fd72a0263e72bf57f2202", "type": "eql", "version": 111 }, "ef8cc01c-fc49-4954-a175-98569c646740": { + "min_stack_version": "8.9", "rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port", "sha256": "9512995e5dffd053732011c13901b6e07071c98fbf12ad540b632ebf940f2c32", "type": "machine_learning", "version": 3 }, "f036953a-4615-4707-a1ca-dc53bf69dcd5": { + "min_stack_version": "8.3", "rule_name": "Unusual Child Processes of RunDLL32", "sha256": "0713731667d50b24bd145385b0d83cf8936b4173b1eb789f87e15798fb329cbe", "type": "eql", "version": 108 }, "f0493cb4-9b15-43a9-9359-68c23a7f2cf3": { + "min_stack_version": "8.3", "rule_name": "Suspicious HTML File Creation", "sha256": "a8f8624488bd94c12376e0d7098fdf1714698d2df6e877311fded9ab584a043d", "type": "eql", 
@@ -7090,7 +9431,7 @@ "f06414a6-f2a4-466d-8eba-10f85e8abf71": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 204, "rule_name": "Administrator Role Assigned to an Okta User", "sha256": "333aec880e8bd1653cea01f896e3df2e136839275bf1cffd71197ec4068129ba", 
@@ -7104,120 +9445,149 @@ "version": 205 }, "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { + "min_stack_version": "8.3", "rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process", "sha256": "5182f386430f01d4b91371a123d7323d6c786af55e661ca361224b7e1abaab5c", "type": "eql", "version": 108 }, "f0bc081a-2346-4744-a6a4-81514817e888": { + "min_stack_version": "8.3", "rule_name": "Azure Alert Suppression Rule Created or Modified", "sha256": "1dce5b8c0bd067b1f048753efed2565f84b6d4c289bed2adbc7a6bf3f8a89270", "type": "query", "version": 102 }, "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": { + "min_stack_version": "8.3", "rule_name": "Execution with Explicit Credentials via Scripting", "sha256": "ac32250e0d57be9cd4a514aa350f9b0b90ef286c6c75fe6f8ab0e6fc775d76cb", "type": "query", "version": 106 }, "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": { + "min_stack_version": "8.3", "rule_name": "Potential Remote Code Execution via Web Server", "sha256": "bea6f0f6ac6a7dcc6cc8784ca4831945d99664237de3f781a9336b2a748346f7", "type": "eql", "version": 7 }, "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": { + "min_stack_version": "8.4", "rule_name": "Forwarded Google Workspace Security Alert", "sha256": "4c73b09f4b3001484895476ebe7fa98e28d4b4ade73a8bc8cae1bf26c22cf8af", "type": "query", "version": 2 }, "f243fe39-83a4-46f3-a3b6-707557a102df": { + "min_stack_version": "8.3", "rule_name": "Service Path Modification", "sha256": "f6488872c8be23ecc9a4e3339d5de39339210c77856be3d05d90c00968a721c9", "type": "eql", "version": 2 }, "f24bcae1-8980-4b30-b5dd-f851b055c9e7": { + "min_stack_version": "8.3", "rule_name": "Creation of Hidden Login Item via Apple Script", "sha256": "1d2b9d1b4fb9b805f30bc47377d70694f4ecd0704dfc2df0c47459605af6d2b3", "type": "eql", "version": 108 }, "f28e2be4-6eca-4349-bdd9-381573730c22": { + "min_stack_version": "8.3", "rule_name": "Potential OpenSSH Backdoor Logging Activity", "sha256": "b10534cda59c460de168c3b9fed3d8899465199770dd6c96f2e2d65358d3cb24", "type": "eql", "version": 109 }, 
"f2c7b914-eda3-40c2-96ac-d23ef91776ca": { + "min_stack_version": "8.3", "rule_name": "SIP Provider Modification", "sha256": "637b95af638d89775bd2f924af80375c6ff258c63b53785edfb3543db910cbbf", "type": "eql", "version": 107 }, "f2f46686-6f3c-4724-bd7d-24e31c70f98f": { + "min_stack_version": "8.3", "rule_name": "LSASS Memory Dump Creation", "sha256": "f75e7dbe109ab94981359e193e38bc31d50c60ac6258c2e42dd797649989a2f4", "type": "eql", "version": 109 }, "f30f3443-4fbb-4c27-ab89-c3ad49d62315": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS RDS Instance Creation", + "sha256": "1b57c3c8d9066a43e2cf1493eb351327278a05bf30471e51460fc99b3134a1c5", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS RDS Instance Creation", "sha256": "3f5bde898da930f0ca76c88c4f89512b9f7ec40d10c291fc472d909c5ef5a166", "type": "query", "version": 206 }, "f33e68a4-bd19-11ed-b02f-f661ea17fbcc": { + "min_stack_version": "8.4", "rule_name": "Google Workspace Object Copied from External Drive and Access Granted to Custom Application", "sha256": "bf31263ee7b3dd377aad879072d95f3cfa5f487f3db9f91e6d47822700c554c9", "type": "eql", "version": 4 }, "f3403393-1fd9-4686-8f6e-596c58bc00b4": { + "min_stack_version": "8.9", "rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain", "sha256": "2c43c3f3a3eab3066a67fa00b1ecf370bbb5c1a7cc41898dabf2a4553b1630ea", "type": "query", "version": 3 }, "f3475224-b179-4f78-8877-c2bd64c26b88": { + "min_stack_version": "8.3", "rule_name": "WMI Incoming Lateral Movement", "sha256": "109358ad6d085e83bf9097861e3961e3e5afbbbf94504500826ad12ea1e6cf0e", "type": "eql", "version": 110 }, "f37f3054-d40b-49ac-aa9b-a786c74c58b8": { + "min_stack_version": "8.3", "rule_name": "Sudo Heap-Based Buffer Overflow Attempt", "sha256": "631c70d2bd6a2e4b8162193c9ccb972b673d291a842d7006e0a14643ce29341c", "type": "threshold", "version": 104 }, "f3818c85-2207-4b51-8a28-d70fb156ee87": { + 
"min_stack_version": "8.3", "rule_name": "Suspicious Network Connection via systemd", "sha256": "52931e3500fd41b92dd905637912dc28861b532e3bf11d6ab79f243237f9573c", "type": "eql", "version": 2 }, "f3e22c8b-ea47-45d1-b502-b57b6de950b3": { + "min_stack_version": "8.5", "rule_name": "Threat Intel URL Indicator Match", "sha256": "2e45aadc96febb79204cc0182a5cda5f7b1be5634e47e7c18fc92b429f529471", "type": "threat_match", "version": 6 }, "f41296b4-9975-44d6-9486-514c6f635b2d": { + "min_stack_version": "8.6", "rule_name": "Potential curl CVE-2023-38545 Exploitation", "sha256": "422469c042fbbd783e6f8aca78c507ba139de7e0aa3e364406f12f16db6db808", "type": "eql", "version": 5 }, "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": { + "min_stack_version": "8.3", "rule_name": "Persistence via Microsoft Office AddIns", "sha256": "0a7bcf99db3af18ca1936e60cad4e3c6dcc4b560f8173850784204f8e4a631cc", "type": "eql", "version": 108 }, "f494c678-3c33-43aa-b169-bb3d5198c41d": { + "min_stack_version": "8.3", "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", "sha256": "3d559e86203735f531cbbe7a26f5e361236760068e41b0b421f0f5d59a3c5765", "type": "query", 
@@ -7237,108 +9607,135 @@ "version": 100 }, "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": { + "min_stack_version": "8.3", "rule_name": "Suspicious Data Encryption via OpenSSL Utility", "sha256": "bdf4940185721379f94bfd3a1c76f556b73371c2533f71f9d815eb09cebf35bc", "type": "eql", "version": 6 }, "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { + "min_stack_version": "8.3", "rule_name": "Windows Script Executing PowerShell", "sha256": "708503003bcee46e11babb11f8aa31370e2b00f8819ad6b533d88ae777974577", "type": "eql", "version": 111 }, "f5488ac1-099e-4008-a6cb-fb638a0f0828": { + "min_stack_version": "8.8", "rule_name": "SSH Connection Established Inside A Running Container", "sha256": "acfdb1c9d79a1ed5b532921e9010c1184da0de54b516f1c0505265cb48c135b7", "type": "eql", "version": 2 }, "f580bf0a-2d23-43bb-b8e1-17548bb947ec": { + "min_stack_version": "8.3", "rule_name": "Rare SMB Connection to the Internet", "sha256": "a63046d792830722836c024689a5b5e9e1f3ac006e80e1445c1efa17bfbc98e5", "type": "new_terms", "version": 3 }, "f5861570-e39a-4b8a-9259-abd39f84cb97": { + "min_stack_version": "8.3", "rule_name": "WRITEDAC Access on Active Directory Object", "sha256": "e1128eff83337cf8df9523f584e2a5859c85e7d579d9655bb532de4714bd4124", "type": "query", "version": 4 }, "f59668de-caa0-4b84-94c1-3a1549e1e798": { + "min_stack_version": "8.3", "rule_name": "WMIC Remote Command", "sha256": "49fe04b88dc0dc6ee9776c88113935db33ecbc3c955ddb4b201acb6867022d7f", "type": "eql", "version": 4 }, "f5c005d3-4e17-48b0-9cd7-444d48857f97": { + "min_stack_version": "8.3", "rule_name": "Setcap setuid/setgid Capability Set", "sha256": "bec5a046d8ac67ff161d518d2ccf53b9138179dfc67759ad5f9078fdc14810a6", "type": "eql", "version": 5 }, "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": { + "min_stack_version": "8.9", "rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process", "sha256": "d6db5d4e54233628ba05c96ce487387f74b8d57d423cae36a1cfa4602ef0c312", "type": "machine_learning", "version": 4 }, 
"f5fb4598-4f10-11ed-bdc3-0242ac120002": { + "min_stack_version": "8.3", "rule_name": "Masquerading Space After Filename", "sha256": "0bdfb6f39afe789ae9447ea9f33938a24d746c1017ac0646c9f1776272882e37", "type": "eql", "version": 6 }, "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": { + "min_stack_version": "8.3", "rule_name": "Account or Group Discovery via Built-In Tools", "sha256": "05cfd191e4f07208be892f795fe81b8a10b3b5b50a3a9ab8f03a0c175ef81135", "type": "eql", "version": 3 }, "f63c8e3c-d396-404f-b2ea-0379d3942d73": { + "min_stack_version": "8.3", "rule_name": "Windows Firewall Disabled via PowerShell", "sha256": "b677759be5d31d2da13e1a1902fc4d9047723a793205cdaf229d6fe6c9ac5088", "type": "eql", "version": 110 }, "f675872f-6d85-40a3-b502-c0d2ef101e92": { + "min_stack_version": "8.3", "rule_name": "Delete Volume USN Journal with Fsutil", "sha256": "6b1d419bf9aa6949ee92ded6a11fd322e88da4c01130617ee0d215449c773841", "type": "eql", "version": 109 }, "f683dcdf-a018-4801-b066-193d4ae6c8e5": { + "min_stack_version": "8.3", "rule_name": "SoftwareUpdate Preferences Modification", "sha256": "23425b32c0a7615768bc200a5112ac8cddf8adf9387d1c01638d9da18edc500b", "type": "query", "version": 106 }, "f75f65cf-ed04-48df-a7ff-b02a8bfe636e": { + "min_stack_version": "8.3", "rule_name": "System Hosts File Access", "sha256": "075b644099d4072660dea321c36b39eba6a6dd8877852416af7f429753d0e571", "type": "eql", "version": 3 }, "f766ffaf-9568-4909-b734-75d19b35cbf4": { + "min_stack_version": "8.3", "rule_name": "Azure Service Principal Credentials Added", "sha256": "93799b4dd788cc7cc2a439cc2a75f129676cafe866903105bfe880aa4a466103", "type": "query", "version": 102 }, "f772ec8a-e182-483c-91d2-72058f76a44c": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS CloudWatch Alarm Deletion", + "sha256": "c61b6a72d80df0fd58791ed1d3826f037ed108533807e6817a707d013f73e4bd", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS CloudWatch Alarm 
Deletion", "sha256": "9fd21ffae7e6f9944f5abeb3ea4da9d2397f7f3fd140a1aa45f86cdcfe7a92bc", "type": "query", "version": 209 }, "f7769104-e8f9-4931-94a2-68fc04eadec3": { + "min_stack_version": "8.8", "rule_name": "SSH Authorized Keys File Modified Inside a Container", "sha256": "d08ada3a6198777da68c1ad854b2c989ea3c25a2cd89c68741c538de9a433237", "type": "eql", "version": 2 }, "f7c4dc5a-a58d-491d-9f14-9b66507121c0": { + "min_stack_version": "8.3", "rule_name": "Persistent Scripts in the Startup Directory", "sha256": "a1bc8b73c4533f942aac0721b6a1345272ca6770fde9d130e8f62f115eb42177", "type": "eql", 
@@ -7352,48 +9749,56 @@ "version": 2 }, "f81ee52c-297e-46d9-9205-07e66931df26": { + "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", "sha256": "7f50567407f055ba5fe3ae2e6d27cdcffac7fd9f9eb3dedda702f6f9a3fb15ec", "type": "eql", "version": 109 }, "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": { + "min_stack_version": "8.3", "rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", "sha256": "7041f9420e055d9a272d6c1c7c3ab02fa9843c80df047af4545b3a625f70fa87", "type": "query", "version": 106 }, "f874315d-5188-4b4a-8521-d1c73093a7e4": { + "min_stack_version": "8.3", "rule_name": "Modification of AmsiEnable Registry Key", "sha256": "78279bb6af6824e60ded36c81c6ef322b9ccaeb26c92549abc2921bf4227941b", "type": "eql", "version": 110 }, "f94e898e-94f1-4545-8923-03e4b2866211": { + "min_stack_version": "8.8", "rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User", "sha256": "3e68a069ea98921ba60e3b258f21b0a94dc7d42b38ee50c7332daad964e6b5d0", "type": "new_terms", "version": 1 }, "f9590f47-6bd5-4a49-bd49-a2f886476fb9": { + "min_stack_version": "8.3", "rule_name": "Unusual Linux Network Configuration Discovery", "sha256": "4dd687fdbb673c91ffcda22bc2630d7ea3e59cd3af2a796d57bd7077684f6042", "type": "machine_learning", "version": 104 }, "f95972d3-c23b-463b-89a8-796b3f369b49": { + "min_stack_version": "8.3", "rule_name": "Ingress Transfer via Windows BITS", "sha256": "5952fcaf652a5286441fc15039faeb8970ad18ef5832358bbc5385c6e09ed734", "type": "eql", "version": 7 }, "f97504ac-1053-498f-aeaa-c6d01e76b379": { + "min_stack_version": "8.3", "rule_name": "Browser Extension Install", "sha256": "8d12e1186966462c8fa942c5ea6e8bb556922c22f3a8426371112487df44ca7a", "type": "eql", "version": 2 }, "f9790abf-bd0c-45f9-8b5f-d0b74015e029": { + "min_stack_version": "8.3", "rule_name": "Privileged Account Brute Force", "sha256": "6b7871e9961be78c2d06f1cb08a639f6b4d3dcb022d16261b56fa3472f8f7d70", "type": "eql", 
@@ -7402,7 +9807,7 @@ "f994964f-6fce-4d75-8e79-e16ccc412588": { "min_stack_version": "8.10", "previous": { - "8.9": { + "8.3": { "max_allowable_version": 204, "rule_name": "Suspicious Activity Reported by Okta User", "sha256": "f35146f9e2f6aef85cb21013ab2bc3039a0a449e1bf4ed3322496b0dbc449e06", 
@@ -7416,48 +9821,65 @@ "version": 205 }, "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { + "min_stack_version": "8.3", "rule_name": "Remote File Copy to a Hidden Share", "sha256": "3a766093b0d4f34997e59583bef56fb42b94ebe8b4d5d167f6f5123519f92525", "type": "eql", "version": 109 }, "fa210b61-b627-4e5e-86f4-17e8270656ab": { + "min_stack_version": "8.3", "rule_name": "Potential External Linux SSH Brute Force Detected", "sha256": "6dda8a2bc03a2f1abf5953add4cec3b8260ed538e2600de67de2100cad5ddcda", "type": "eql", "version": 7 }, "fa3a59dc-33c3-43bf-80a9-e8437a922c7f": { + "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Suspicious Binary", "sha256": "9be49e4bfd023d805ed674227d4aa1c27340b638a40b63092a2d82f22f29d52c", "type": "eql", "version": 7 }, "fa488440-04cc-41d7-9279-539387bf2a17": { + "min_stack_version": "8.3", "rule_name": "Suspicious Antimalware Scan Interface DLL", "sha256": "edd75807f5ee2bac491abccd490d597eb1ee40098cfeac22e328318c76943642", "type": "eql", "version": 9 }, "fac52c69-2646-4e79-89c0-fd7653461010": { + "min_stack_version": "8.3", "rule_name": "Potential Disabling of AppArmor", "sha256": "e1fc21035bd0018c82e188c8ebe6241aa878a214edaf3895b806621f5d82d2e3", "type": "eql", "version": 6 }, "fb01d790-9f74-4e76-97dd-b4b0f7bf6435": { + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 101, + "rule_name": "Potential Masquerading as System32 DLL", + "sha256": "44de9f686412f5ba599fbbf3c20d3d9a0e941c644469a473712133ff1293bf6d", + "type": "eql", + "version": 2 + } + }, "rule_name": "Potential Masquerading as System32 DLL", "sha256": "1af8edb01a1cfb710c926f5d006909a5e7139b1a95763ed5fbc88147f1eab9bc", "type": "eql", "version": 104 }, "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { + "min_stack_version": "8.3", "rule_name": "Network Connection via Registration Utility", "sha256": "cb733e3ad55b691ce6c736d0ab0c7b2f050a61f7c333533ad68e45882396c78d", "type": "eql", "version": 108 }, "fb0afac5-bbd6-49b0-b4f8-44e5381e1587": { + 
"min_stack_version": "8.8", "rule_name": "High Number of Cloned GitHub Repos From PAT", "sha256": "3fcf7a11e62e1413f109707eddf5ca8210aa4788b88623b7f1a905fb84193234", "type": "threshold", @@ -7470,24 +9892,37 @@ "version": 100 }, "fbd44836-0d69-4004-a0b4-03c20370c435": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Configuration Recorder Stopped", + "sha256": "624fbf2987e46d010e6f19338b9a13acbd0fc5afb7c2704f7f5d076d82b9ced4", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Configuration Recorder Stopped", "sha256": "c7844572d3cc0d0be4f3674e5a404de4a1b409abe2c02b40ca56300b06425004", "type": "query", "version": 206 }, "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": { + "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", "sha256": "66652b44a53ed252944d30e221056e1a86dd85654176778bffc526603112d74e", "type": "eql", "version": 109 }, "fc909baa-fb34-4c46-9691-be276ef4234c": { + "min_stack_version": "8.8", "rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)", "sha256": "b8f1378c21d3e35e4db3d9cde9f1583494304e86dc8dbb9a39468206794f91bf", "type": "new_terms", "version": 1 }, "fd01b949-81be-46d5-bcf8-284395d5f56d": { + "min_stack_version": "8.3", "rule_name": "GitHub App Deleted", "sha256": "fd7912580b3ee17ae242b79e0c474ed025239a8690cf03c7095cfb0e32458960", "type": "eql", 
@@ -7500,114 +9935,151 @@ "version": 100 }, "fd4a992d-6130-4802-9ff8-829b89ae801f": { + "min_stack_version": "8.3", "rule_name": "Potential Application Shimming via Sdbinst", "sha256": "c6e0f3ed2de57cd525aed211c660fafb3d244519f29423756b1e01f95a1f7469", "type": "eql", "version": 110 }, "fd70c98a-c410-42dc-a2e3-761c71848acf": { + "min_stack_version": "8.3", "rule_name": "Suspicious CertUtil Commands", "sha256": "1eefd434526b2d048a615ba540bf83da7ee5150eae84ff517f5de3e7668c964b", "type": "eql", "version": 108 }, "fd7a6052-58fa-4397-93c3-4795249ccfa2": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Svchost spawning Cmd", + "sha256": "2be5bf0d0a6fe7332e43fa29c1f0701bd1ddd82b98458eb81fbd031b4190ff04", + "type": "eql", + "version": 107 + } + }, "rule_name": "Svchost spawning Cmd", "sha256": "6d152e1d87343af4204868f6661565208bc41bc7fa3b54d2431de77ade274f91", "type": "new_terms", "version": 212 }, "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": { + "min_stack_version": "8.3", "rule_name": "Image Loaded with Invalid Signature", "sha256": "57f89690d7c597efa662064cafabb2dc9dbb9836e554784d682f094d14e69c2d", "type": "eql", "version": 2 }, "fda1d332-5e08-4f27-8a9b-8c802e3292a6": { + "min_stack_version": "8.3", "rule_name": "System Binary Copied and/or Moved to Suspicious Directory", "sha256": "64a298cfd46dd919d8d6d349126b6a4a90347cf9eb7a23661803b528c1bd2828", "type": "eql", "version": 7 }, "fddff193-48a3-484d-8d35-90bb3d323a56": { + "min_stack_version": "8.3", "rule_name": "PowerShell Kerberos Ticket Dump", "sha256": "1ccbc020df7ccd578a04c6a962cba1a9eb01217fe0325d1ebb52cfcae454276e", "type": "query", "version": 4 }, "fe25d5bc-01fa-494a-95ff-535c29cc4c96": { + "min_stack_version": "8.3", "rule_name": "PowerShell Script with Password Policy Discovery Capabilities", "sha256": "549dac6c269368c82ba41a9b89a211dab398c0448459487fd6c8c7d2b19c4cf9", "type": "query", "version": 5 }, "fe794edd-487f-4a90-b285-3ee54f2af2d3": { + 
"min_stack_version": "8.3", "rule_name": "Microsoft Windows Defender Tampering", "sha256": "1049a012554fe790510c642962136afe7809f3cb6743d41c94d9064cb5cd0275", "type": "eql", "version": 110 }, "feafdc51-c575-4ed2-89dd-8e20badc2d6c": { + "min_stack_version": "8.3", "rule_name": "Potential Masquerading as Business App Installer", "sha256": "6daf457d7f6fb492b6a132e9f2ef7980cedfe5de8d41148a55b6265379ba80f5", "type": "eql", "version": 4 }, "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": { + "min_stack_version": "8.3", "rule_name": "Execution via MS VisualStudio Pre/Post Build Events", "sha256": "f4da580149ea42f56cb5dde277432f33760266a6ae02877f5c9c71a77517fa87", "type": "eql", "version": 2 }, "feeed87c-5e95-4339-aef1-47fd79bcfbe3": { + "min_stack_version": "8.3", "rule_name": "MS Office Macro Security Registry Modifications", "sha256": "0cb2724deeff775fe087f8fc28747011973bfa19b4924546d551ae231cf102e2", "type": "eql", "version": 107 }, "ff013cb4-274d-434a-96bb-fe15ddd3ae92": { + "min_stack_version": "8.3", "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", "sha256": "be298496f5dc80a824431ca74dd636b027fd4a95e5b4cae739b13de1c3dfe055", "type": "query", "version": 103 }, "ff0d807d-869b-4a0d-a493-52bc46d2f1b1": { + "min_stack_version": "8.9", "rule_name": "Potential DGA Activity", "sha256": "f1777c34722961e6332a58230876ae5519c4fc7e7a09d1450eb0038aeabe2640", "type": "machine_learning", "version": 3 }, "ff10d4d8-fea7-422d-afb1-e5a2702369a9": { + "min_stack_version": "8.6", "rule_name": "Cron Job Created or Changed by Previously Unknown Process", "sha256": "8d0088142351af95023ec0cbec030e26da4de32891f90802ece09174e3446293", "type": "new_terms", "version": 9 }, "ff4599cb-409f-4910-a239-52e4e6f532ff": { + "min_stack_version": "8.7", "rule_name": "LSASS Process Access via Windows API", "sha256": "45523e08c1b08b3aeb6e316fbfd73c257194c643b9c2d30533a4c05de668ca18", "type": "eql", "version": 7 }, "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": { + "min_stack_version": 
"8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft 365 Exchange Transport Rule Creation", + "sha256": "e247dbb68f81f5c55155bea1dd2a757717bdc740b8259a933165e5a612d3cdb7", + "type": "query", + "version": 106 + } + }, "rule_name": "Microsoft 365 Exchange Transport Rule Creation", "sha256": "24df1fab9f47005a3dcf144bdd7993c237e1da4de8b6ed8ee44d4513417e0f88", "type": "query", "version": 206 }, "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": { + "min_stack_version": "8.3", "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory", "sha256": "b84b07ea9bb5fca4cc1522b6f29f121b0a4dc4e0b59d3c48a6b7a2cab83f18bb", "type": "eql", "version": 1 }, "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": { + "min_stack_version": "8.3", "rule_name": "GCP Firewall Rule Deletion", "sha256": "6ea6272c4b6fd3f4e7e5dfdd1e521af24e89ac9633ee8ee964f52fa09e28d068", "type": "query", "version": 104 }, "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": { + "min_stack_version": "8.3", "rule_name": "Potential Sudo Token Manipulation via Process Injection", "sha256": "a7acb15e762a822b94eadf4a2caebe464a6f3cf2f67bfbcebcacba6c928d5366", "type": "eql", diff --git a/docs/versioning.md b/docs/versioning.md deleted file mode 100644 index 120c88b70..000000000 --- a/docs/versioning.md +++ /dev/null 
@@ -1,26 +0,0 @@
-# Supported Versions and Releases
-
-This document provides detailed information about the different versions that are supported and released for prebuilt detection rules.
-
-## Current Version
-
-The current version of prebuilt detection rules is `v8.14`.
-
-## Previous Versions Released
-
-The following version(s) are released along with the current version.
-
-- `v8.13`
-- `v8.12`
-- `v8.11`
-
-### Previous Versions Maintained
-
-The following version(s) are maintained along with the current version.
-
-- `v8.10`
-- `v8.9`
-
-## End of Life Policy
-
-Our policy is to support and provide public releases for `Current`, `Current-1`, `Current-2`, `Current-3` versions. We maintain and do not release `Current-4` and `Current-5` versions.
diff --git a/rules/apm/apm_403_response_to_a_post.toml b/rules/apm/apm_403_response_to_a_post.toml
index d8010b71a..28bea375c 100644
--- a/rules/apm/apm_403_response_to_a_post.toml
+++ b/rules/apm/apm_403_response_to_a_post.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["apm"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/apm/apm_405_response_method_not_allowed.toml b/rules/apm/apm_405_response_method_not_allowed.toml
index bedc96ade..4f3b957f2 100644
--- a/rules/apm/apm_405_response_method_not_allowed.toml
+++ b/rules/apm/apm_405_response_method_not_allowed.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["apm"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/apm/apm_sqlmap_user_agent.toml b/rules/apm/apm_sqlmap_user_agent.toml
index c8ba5b286..b147173d8 100644
--- a/rules/apm/apm_sqlmap_user_agent.toml
+++ b/rules/apm/apm_sqlmap_user_agent.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["apm"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml b/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
index d8ccf625b..aa5803afe 100644
--- a/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
+++ b/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
@@ -2,13 +2,15 @@
 creation_date = "2023/06/19"
 integration = ["endpoint", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/01/30"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing
-payloads via a trusted webservice.
+Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt
+to deliver phishing payloads via a trusted webservice.
 """
 false_positives = [
 "Approved third-party applications that use Google Drive download URLs.",
@@ -23,14 +25,7 @@ references = ["https://intelligence.abnormalsecurity.com/blog/google-drive-matan
 risk_score = 47
 rule_id = "a8afdce2-0ec1-11ee-b843-f661ea17fbcd"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "OS: Windows",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/cross-platform/command_and_control_non_standard_ssh_port.toml b/rules/cross-platform/command_and_control_non_standard_ssh_port.toml
index 26b3ddbf1..b863a6bf6 100644
--- a/rules/cross-platform/command_and_control_non_standard_ssh_port.toml
+++ b/rules/cross-platform/command_and_control_non_standard_ssh_port.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/10/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/22"
 [rule]
 author = ["Elastic"]
@@ -28,14 +30,13 @@ references = ["https://attack.mitre.org/techniques/T1571/"]
 risk_score = 21
 rule_id = "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "OS: macOS",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "OS: macOS",
+ "Data Source: Elastic Defend"
+ ]
 type = "eql"
 query = '''
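Review bot: The restored `tags` arrays land in three different layouts across this commit — a single line here and in the later cross-platform hunks, and in command_and_control_non_standard_ssh_port.toml (likewise defense_evasion_timestomp_touch.toml, discovery_security_software_grep.toml and execution_revershell_via_shell_cmd.toml) a multi-line array whose closing `]` is indented and whose last element carries no trailing comma — while the old side of every hunk used the one-element-per-line form. The same hand-restored look appears in the `[metadata]` tables of defense_evasion_agent_spoofing_mismatched_id.toml, defense_evasion_agent_spoofing_multiple_hosts.toml, multiple_alerts_different_tactics_host.toml and multiple_alerts_involving_user.toml, where `updated_date` now precedes `min_stack_comments`/`min_stack_version` and `index` moves below `interval`, and in defense_evasion_elastic_agent_service_terminated.toml, where `integration` moves below `updated_date`; the remaining files keep those keys sorted. Presumably these files were copied back from an older revision rather than re-saved through the repo's rule normalizer, so re-saving them before merge would keep the formatting uniform and avoid a noise-only diff the next time any of them is touched.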
@@ -50,17 +51,15 @@ sequence by process.entity_id with maxspan=1m ] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1571" name = "Non-Standard Port" reference = "https://attack.mitre.org/techniques/T1571/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml index 9dbe6ea18..b9179554e 100644 --- a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml +++ b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/21" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/19" [rule] author = ["Elastic"] @@ -35,15 +37,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: Windows", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml index 0db7fbdae..be6661803 100644 --- a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml 
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
@@ -1,14 +1,15 @@
 [metadata]
 creation_date = "2021/07/14"
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2023/06/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
-description = """
-Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch" occurs when the
-expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate
-attempts to spoof events in order to masquerade actual activity to evade detection.
+description = """Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch"
+occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could
+indicate attempts to spoof events in order to masquerade actual activity to evade detection.
 """
 false_positives = [
 """
diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
index 6019f522c..4003974f4 100644
--- a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
@@ -1,14 +1,15 @@ [metadata] creation_date = "2021/07/14" maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/06/22" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] -description = """ -Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent being taken over and -used to inject illegitimate documents into an instance as an attempt to spoof events in order to masquerade actual -activity to evade detection. +description = """Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent +being taken over and used to inject illegitimate documents into an instance as an attempt to spoof events in order to +masquerade actual activity to evade detection. """ false_positives = [ """ @@ -46,11 +47,11 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [rule.threshold] field = ["agent.id"] value = 2 + [[rule.threshold.cardinality]] field = "host.id" value = 2 - - diff --git a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml index c567ad89f..72dfb5e4c 100644 --- a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml +++ b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/03" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -26,16 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: Windows", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml index 8a55874a9..f1cc64599 100644 --- a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml +++ b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml @@ -2,7 +2,9 @@ creation_date = "2020/05/04" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/22" [rule] author = ["Elastic"] 
@@ -27,15 +29,15 @@ For more details on adding a custom ingest pipeline refer - https://www.elastic. """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" @@ -54,22 +56,20 @@ process where event.action in ("exec", "exec_event", "executed", "process_starte ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.003" name = "Clear Command History" reference = "https://attack.mitre.org/techniques/T1070/003/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml index 50eac1fc7..3436a467e 100644 --- a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml +++ b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2022/05/23" -integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/19" +integration = ["endpoint"] [rule] author = ["Elastic"] 
@@ -28,15 +30,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: Windows", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml b/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml index 37fb73fe7..2b5f675a6 100644 --- a/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml +++ b/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml @@ -2,7 +2,9 @@ creation_date = "2022/10/18" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/19" [rule] author = ["Elastic"] @@ -32,14 +34,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/cross-platform/defense_evasion_timestomp_touch.toml b/rules/cross-platform/defense_evasion_timestomp_touch.toml
index 36d4a8ca9..baed2ce5d 100644
--- a/rules/cross-platform/defense_evasion_timestomp_touch.toml
+++ b/rules/cross-platform/defense_evasion_timestomp_touch.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/12/18"
 [rule]
 author = ["Elastic"]
@@ -28,13 +30,13 @@ For more details on adding a custom ingest pipeline refer - https://www.elastic.
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/cross-platform/discovery_security_software_grep.toml b/rules/cross-platform/discovery_security_software_grep.toml
index f22fae9c6..6960ab9e5 100644
--- a/rules/cross-platform/discovery_security_software_grep.toml
+++ b/rules/cross-platform/discovery_security_software_grep.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/12/18"
 [rule]
 author = ["Elastic"]
@@ -57,15 +59,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: macOS", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -121,22 +122,20 @@ process.name : "grep" and user.id != "0" and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" + [[rule.threat.technique.subtechnique]] id = "T1518.001" name = "Security Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/001/" - - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml index 2ef727a4d..e0181030a 100644 --- a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml +++ b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml @@ -2,7 +2,9 @@ creation_date = "2021/09/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/19" [rule] author = ["Elastic"] 
@@ -34,14 +36,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
index f97739824..f8a9ba363 100644
--- a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
+++ b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/12"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -16,14 +18,7 @@ references = ["https://github.com/neoneggplant/EggShell"]
 risk_score = 73
 rule_id = "41824afb-d68c-4d0e-bfee-474dac1fa56e"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/cross-platform/execution_revershell_via_shell_cmd.toml b/rules/cross-platform/execution_revershell_via_shell_cmd.toml
index c872f64da..b605d9064 100644
--- a/rules/cross-platform/execution_revershell_via_shell_cmd.toml
+++ b/rules/cross-platform/execution_revershell_via_shell_cmd.toml @@ -2,7 +2,9 @@ creation_date = "2020/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/19" [rule] author = ["Elastic"] @@ -60,15 +62,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -85,17 +86,15 @@ process where event.type in ("start", "process_started") and not process.parent.command_line : "runc init" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/cross-platform/execution_suspicious_jar_child_process.toml b/rules/cross-platform/execution_suspicious_jar_child_process.toml index 33a0253ee..788197362 100644 --- a/rules/cross-platform/execution_suspicious_jar_child_process.toml +++ b/rules/cross-platform/execution_suspicious_jar_child_process.toml 
@@ -2,7 +2,9 @@ creation_date = "2021/01/19" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/02/22" [rule] author = ["Elastic"] @@ -62,16 +64,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -85,20 +86,19 @@ event.category:process and event.type:("start" or "process_started") and process ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -107,8 +107,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.command_line"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - 
diff --git a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
index 877e4ced8..bd2f01694 100644
--- a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
+++ b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/12/10"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -26,15 +28,7 @@ references = [
 risk_score = 73
 rule_id = "c3f5e1d8-910e-43b4-8d44-d748e498ca86"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Use Case: Vulnerability",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
 type = "eql"
 query = '''
diff --git a/rules/cross-platform/guided_onboarding_sample_rule.toml b/rules/cross-platform/guided_onboarding_sample_rule.toml
index 5bbe240e1..cbcbb2dc7 100644
--- a/rules/cross-platform/guided_onboarding_sample_rule.toml
+++ b/rules/cross-platform/guided_onboarding_sample_rule.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/09/22"
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Guided Onboarding will be available in Elastic 8.6+"
+min_stack_version = "8.7.0"
+updated_date = "2024/03/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml
index 0b5d652fd..56ebdb5c7 100644
--- a/rules/cross-platform/impact_hosts_file_modified.toml
+++ b/rules/cross-platform/impact_hosts_file_modified.toml
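Review bot: In guided_onboarding_sample_rule.toml the restored `min_stack_comments = "Guided Onboarding will be available in Elastic 8.6+"` does not match the `min_stack_version = "8.7.0"` it sits next to, so the comment no longer explains the version gate it is meant to document. If 8.7.0 is the intended floor the comment should say so, e.g. `min_stack_comments = "Guided Onboarding will be available in Elastic 8.7+"`; if 8.6 is correct the version should be lowered instead. Presumably both values are carried back verbatim from the pre-revert revision, but since these lines are being touched anyway this is the moment to make them agree.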
@@ -2,7 +2,9 @@ creation_date = "2020/07/07" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/19" [rule] author = ["Elastic"] @@ -62,16 +64,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: Windows", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Impact", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timeline_id = "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c" timeline_title = "Comprehensive File Timeline" timestamp_override = "event.ingested" @@ -98,22 +91,20 @@ any where ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1565" name = "Data Manipulation" reference = "https://attack.mitre.org/techniques/T1565/" + [[rule.threat.technique.subtechnique]] id = "T1565.001" name = "Stored Data Manipulation" reference = "https://attack.mitre.org/techniques/T1565/001/" - - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml index c335de8be..1287e9e55 100644 --- a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml +++ b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml 
@@ -1,7 +1,9 @@ [metadata] creation_date = "2020/09/14" maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/19" [rule] author = ["Elastic"] @@ -26,7 +28,11 @@ setup = """## Setup The Zoom Filebeat module or similarly structured data is required to be compatible with this rule.""" severity = "medium" -tags = ["Data Source: Zoom", "Use Case: Configuration Audit", "Tactic: Initial Access"] +tags = [ + "Data Source: Zoom", + "Use Case: Configuration Audit", + "Tactic: Initial Access" +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/cross-platform/multiple_alerts_different_tactics_host.toml b/rules/cross-platform/multiple_alerts_different_tactics_host.toml index 676a9a892..67ee0e381 100644 --- a/rules/cross-platform/multiple_alerts_different_tactics_host.toml +++ b/rules/cross-platform/multiple_alerts_different_tactics_host.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2022/11/16" maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/06/22" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] @@ -16,8 +18,8 @@ false_positives = [ """, ] from = "now-24h" -index = [".alerts-security.*"] interval = "1h" +index = [".alerts-security.*"] language = "kuery" license = "Elastic License v2" name = "Multiple Alerts in Different ATT&CK Tactics on a Single Host" @@ -32,13 +34,10 @@ query = ''' signal.rule.name:* and kibana.alert.rule.threat.tactic.id:* ''' - - [rule.threshold] field = ["host.id"] value = 1 + [[rule.threshold.cardinality]] field = "kibana.alert.rule.threat.tactic.id" value = 3 - - diff --git a/rules/cross-platform/multiple_alerts_involving_user.toml b/rules/cross-platform/multiple_alerts_involving_user.toml index 076a1096e..a982df44d 100644 
--- a/rules/cross-platform/multiple_alerts_involving_user.toml +++ b/rules/cross-platform/multiple_alerts_involving_user.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2022/11/16" maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/06/22" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] @@ -18,8 +20,8 @@ false_positives = [ """, ] from = "now-24h" -index = [".alerts-security.*"] interval = "1h" +index = [".alerts-security.*"] language = "kuery" license = "Elastic License v2" name = "Multiple Alerts Involving a User" @@ -34,13 +36,10 @@ query = ''' signal.rule.name:* and user.name:* and not user.id:("S-1-5-18" or "S-1-5-19" or "S-1-5-20") ''' - - [rule.threshold] field = ["user.name"] value = 1 + [[rule.threshold.cardinality]] field = "signal.rule.rule_id" value = 5 - - diff --git a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml index 85d4432c0..b81101419 100644 --- a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml +++ b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/22" [rule] author = ["Elastic"] 
@@ -27,15 +29,14 @@ references = [ risk_score = 47 rule_id = "93f47b6f-5728-4004-ba00-625083b3dcb0" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Persistence", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: macOS", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -69,27 +70,27 @@ event.category:file and event.type:change and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" @@ -98,8 +99,7 @@ reference = "https://attack.mitre.org/tactics/TA0006/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "file.path"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" - - diff --git a/rules/cross-platform/persistence_shell_profile_modification.toml b/rules/cross-platform/persistence_shell_profile_modification.toml index 60a1afc60..da32aff27 100644 --- a/rules/cross-platform/persistence_shell_profile_modification.toml +++ b/rules/cross-platform/persistence_shell_profile_modification.toml 
@@ -2,7 +2,9 @@ creation_date = "2021/01/19" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/09/22" [rule] author = ["Elastic"] @@ -22,14 +24,13 @@ references = ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware- risk_score = 47 rule_id = "e6c1a552-7776-44ad-ae0f-8746cc07773c" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: macOS", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "query" @@ -50,22 +51,20 @@ event.category:file and event.type:change and /Users/*/.zshenv) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.004" name = "Unix Shell Configuration Modification" reference = "https://attack.mitre.org/techniques/T1546/004/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml index 71edbff42..af9946d38 100644 --- a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml +++ b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/12/22" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/02/22" [rule] author = ["Elastic"] @@ -18,18 +20,16 @@ name = "SSH Authorized Keys File Modification" risk_score = 47 rule_id = "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Tactic: Persistence", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' event.category:file and event.type:(change or creation) and file.name:("authorized_keys" or "authorized_keys2" or "/etc/ssh/sshd_config" or "/root/.ssh") and 
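Review bot: The `query` context in this hunk matches full paths against a basename field: `file.name:("authorized_keys" or "authorized_keys2" or "/etc/ssh/sshd_config" or "/root/.ssh")`. If `file.name` holds only the file's base name (as it does in ECS), the `/etc/ssh/sshd_config` and `/root/.ssh` terms can never match and edits to sshd_config go undetected even though the rule's name and tactic mapping imply they are covered. The change this hunk makes is only the re-added `min_stack_version = "8.6.0"`, which agrees with its comment; but since the revert re-establishes the backport floor for this rule, it is the right moment to move those two terms to `file.path:("/etc/ssh/sshd_config" or "/root/.ssh")` or drop them. The query string continues past the end of this hunk.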
@@ -51,46 +51,46 @@ event.category:file and event.type:(change or creation) and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.004" name = "SSH Authorized Keys" reference = "https://attack.mitre.org/techniques/T1098/004/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" -[[rule.threat.technique.subtechnique]] -id = "T1021.004" -name = "SSH" -reference = "https://attack.mitre.org/techniques/T1021/004/" - [[rule.threat.technique]] id = "T1563" name = "Remote Service Session Hijacking" reference = "https://attack.mitre.org/techniques/T1563/" + [[rule.threat.technique.subtechnique]] id = "T1563.001" name = "SSH Hijacking" reference = "https://attack.mitre.org/techniques/T1563/001/" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.004" +name = "SSH" +reference = "https://attack.mitre.org/techniques/T1021/004/" [rule.threat.tactic] id = "TA0008" @@ -100,8 +100,7 @@ reference = "https://attack.mitre.org/tactics/TA0008/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" - - diff --git a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml index 7b5890723..7996a3987 100644 --- a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml +++ b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml 
@@ -2,7 +2,9 @@ creation_date = "2021/01/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -18,14 +20,7 @@ name = "Potential Privilege Escalation via Sudoers File Modification" risk_score = 73 rule_id = "76152ca1-71d0-4003-9e37-0983e12832da" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml index 0bbd44d85..7a9979f25 100644 --- a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml +++ b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] 
@@ -22,14 +24,7 @@ name = "Setuid / Setgid Bit Set via chmod" risk_score = 21 rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml index 0fa030934..bd3caf403 100644 --- a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml +++ b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml @@ -2,7 +2,9 @@ creation_date = "2021/02/03" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/01/05" [rule] author = ["Elastic"] @@ -31,17 +33,9 @@ references = [ risk_score = 73 rule_id = "f37f3054-d40b-49ac-aa9b-a786c74c58b8" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", -] -timestamp_override = "event.ingested" +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"] type = "threshold" +timestamp_override = "event.ingested" query = ''' event.category:process and event.type:start and diff --git a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml index 23c493369..f7b7b826d 100644 
--- a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml +++ b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/13" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/12/18" [rule] author = ["Elastic"] @@ -19,13 +21,13 @@ risk_score = 47 rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4" severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -35,20 +37,19 @@ not process.name:(dpkg or platform-python or puppet or yum or dnf) and not process.executable:(/opt/chef/embedded/bin/ruby or /opt/puppetlabs/puppet/bin/ruby or /usr/bin/dockerd) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" @@ -57,8 +58,7 @@ reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "file.path"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" - - diff --git a/rules/cross-platform/threat_intel_indicator_match_address.toml b/rules/cross-platform/threat_intel_indicator_match_address.toml index 07ed6b5d0..55abba3f2 100644 
--- a/rules/cross-platform/threat_intel_indicator_match_address.toml +++ b/rules/cross-platform/threat_intel_indicator_match_address.toml @@ -1,7 +1,12 @@ [metadata] creation_date = "2023/05/22" maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/01/17" +min_stack_comments = """ +Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match +general rules. +""" +min_stack_version = "8.5.0" [transform] [[transform.osquery]] @@ -28,7 +33,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ @@ -99,7 +103,7 @@ This rule is triggered when an IP address indicator from the Threat Intel Filebe references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", - "https://www.elastic.co/security/tip", + "https://www.elastic.co/security/tip" ] risk_score = 99 rule_id = "0c41e478-5263-4c69-8f9e-7dfd2c22da64" 
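Review bot: The re-added `min_stack_comments` in this hunk, "Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match general rules.", is ungrammatical and never names the version it is justifying, so a reader has to work out why `min_stack_version = "8.5.0"` was chosen. Suggest `Limit the backport of these rules to 8.5+, the version in which the generic Threat Intel Indicator Match rules are deprecated.` The identical comment is repeated verbatim in the hash, registry and URL indicator-match rules in this diff and should be corrected in all four places.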
@@ -114,74 +118,72 @@ More information can be found [here](https://www.elastic.co/guide/en/security/cu """ severity = "critical" tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"] -threat_index = ["filebeat-*", "logs-ti_*"] -threat_indicator_path = "threat.indicator" -threat_language = "kuery" -threat_query = """ -@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not -labels.is_ioc_transform_source:"true" -""" timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e" timeline_title = "Generic Threat Match Timeline" timestamp_override = "event.ingested" type = "threat_match" -query = ''' -source.ip:* or destination.ip:* +threat_index = ["filebeat-*", "logs-ti_*"] +threat_indicator_path = "threat.indicator" +threat_language = "kuery" + +threat_query = ''' +@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and + not labels.is_ioc_transform_source:"true" ''' +query = """ +source.ip:* or destination.ip:* +""" + [[rule.threat_filters]] - [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -disabled = false -key = "event.category" negate = false +disabled = false type = "phrase" +key = "event.category" [rule.threat_filters.meta.params] query = "threat" [rule.threat_filters.query.match_phrase] "event.category" = "threat" -[[rule.threat_filters]] +[[rule.threat_filters]] [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -disabled = false -key = "event.kind" negate = false +disabled = false type = "phrase" +key = "event.kind" [rule.threat_filters.meta.params] query = "enrichment" [rule.threat_filters.query.match_phrase] "event.kind" = "enrichment" -[[rule.threat_filters]] +[[rule.threat_filters]] [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -disabled = false -key = "event.type" negate = false +disabled = false type = "phrase" +key = "event.type" [rule.threat_filters.meta.params] 
query = "indicator" [rule.threat_filters.query.match_phrase] "event.type" = "indicator" -[[rule.threat_mapping]] +[[rule.threat_mapping]] [[rule.threat_mapping.entries]] field = "source.ip" type = "mapping" value = "threat.indicator.ip" [[rule.threat_mapping]] - [[rule.threat_mapping.entries]] field = "destination.ip" type = "mapping" value = "threat.indicator.ip" - - diff --git a/rules/cross-platform/threat_intel_indicator_match_hash.toml b/rules/cross-platform/threat_intel_indicator_match_hash.toml index 54bc25feb..5b6ea5fe0 100644 --- a/rules/cross-platform/threat_intel_indicator_match_hash.toml +++ b/rules/cross-platform/threat_intel_indicator_match_hash.toml @@ -1,7 +1,12 @@ [metadata] creation_date = "2023/05/22" maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/01/17" +min_stack_comments = """ +Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match +general rules. +""" +min_stack_version = "8.5.0" [transform] [[transform.osquery]] @@ -28,12 +33,11 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ -This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against -an event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events. +This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against an +event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events. """ from = "now-65m" index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "winlogbeat-*"] 
@@ -98,7 +102,7 @@ This rule is triggered when a hash indicator from the Threat Intel Filebeat modu references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", - "https://www.elastic.co/security/tip", + "https://www.elastic.co/security/tip" ] risk_score = 99 rule_id = "aab184d3-72b3-4639-b242-6597c99d8bca" 
@@ -113,123 +117,115 @@ More information can be found [here](https://www.elastic.co/guide/en/security/cu """ severity = "critical" tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"] -threat_index = ["filebeat-*", "logs-ti_*"] -threat_indicator_path = "threat.indicator" -threat_language = "kuery" -threat_query = """ -@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and (threat.indicator.file.hash.*:* or -threat.indicator.file.pe.imphash:*) and not labels.is_ioc_transform_source:"true" -""" timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e" timeline_title = "Generic Threat Match Timeline" timestamp_override = "event.ingested" type = "threat_match" -query = ''' -file.hash.*:* or process.hash.*:* or dll.hash.*:* +threat_index = ["filebeat-*", "logs-ti_*"] +threat_indicator_path = "threat.indicator" +threat_language = "kuery" + +threat_query = ''' +@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and + (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and + not labels.is_ioc_transform_source:"true" ''' +query = """ +file.hash.*:* or process.hash.*:* or dll.hash.*:* +""" + [[rule.threat_filters]] - [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -disabled = false -key = "event.category" negate = false +disabled = false type = "phrase" +key = "event.category" [rule.threat_filters.meta.params] query = "threat" [rule.threat_filters.query.match_phrase] "event.category" = "threat" -[[rule.threat_filters]] +[[rule.threat_filters]] [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -disabled = false -key = "event.kind" negate = false +disabled = false type = "phrase" +key = "event.kind" [rule.threat_filters.meta.params] query = "enrichment" [rule.threat_filters.query.match_phrase] "event.kind" = "enrichment" -[[rule.threat_filters]] +[[rule.threat_filters]] [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] 
-disabled = false -key = "event.type" negate = false +disabled = false type = "phrase" +key = "event.type" [rule.threat_filters.meta.params] query = "indicator" [rule.threat_filters.query.match_phrase] "event.type" = "indicator" -[[rule.threat_mapping]] +[[rule.threat_mapping]] [[rule.threat_mapping.entries]] field = "file.hash.md5" type = "mapping" value = "threat.indicator.file.hash.md5" [[rule.threat_mapping]] - [[rule.threat_mapping.entries]] field = "file.hash.sha1" type = "mapping" value = "threat.indicator.file.hash.sha1" [[rule.threat_mapping]] - [[rule.threat_mapping.entries]] field = "file.hash.sha256" type = "mapping" value = "threat.indicator.file.hash.sha256" [[rule.threat_mapping]] - [[rule.threat_mapping.entries]] field = "dll.hash.md5" type = "mapping" value = "threat.indicator.file.hash.md5" [[rule.threat_mapping]] - [[rule.threat_mapping.entries]] field = "dll.hash.sha1" type = "mapping" value = "threat.indicator.file.hash.sha1" [[rule.threat_mapping]] - [[rule.threat_mapping.entries]] field = "dll.hash.sha256" type = "mapping" value = "threat.indicator.file.hash.sha256" [[rule.threat_mapping]] - [[rule.threat_mapping.entries]] field = "process.hash.md5" type = "mapping" value = "threat.indicator.file.hash.md5" [[rule.threat_mapping]] - [[rule.threat_mapping.entries]] field = "process.hash.sha1" type = "mapping" value = "threat.indicator.file.hash.sha1" [[rule.threat_mapping]] - [[rule.threat_mapping.entries]] field = "process.hash.sha256" type = "mapping" value = "threat.indicator.file.hash.sha256" - - diff --git a/rules/cross-platform/threat_intel_indicator_match_registry.toml b/rules/cross-platform/threat_intel_indicator_match_registry.toml index fee4820ef..3cb6742cb 100644 --- a/rules/cross-platform/threat_intel_indicator_match_registry.toml +++ b/rules/cross-platform/threat_intel_indicator_match_registry.toml 
@@ -1,7 +1,12 @@ [metadata] creation_date = "2023/05/22" maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/01/17" +min_stack_comments = """ +Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match +general rules. +""" +min_stack_version = "8.5.0" [transform] [[transform.osquery]] @@ -28,7 +33,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ @@ -93,7 +97,7 @@ This rule is triggered when a Windows registry indicator from the Threat Intel F references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", - "https://www.elastic.co/security/tip", + "https://www.elastic.co/security/tip" ] risk_score = 99 rule_id = "a61809f3-fb5b-465c-8bff-23a8a068ac60" 
@@ -108,67 +112,66 @@ More information can be found [here](https://www.elastic.co/guide/en/security/cu """ severity = "critical" tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"] -threat_index = ["filebeat-*", "logs-ti_*"] -threat_indicator_path = "threat.indicator" -threat_language = "kuery" -threat_query = """ -@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and not -labels.is_ioc_transform_source:"true" -""" timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e" timeline_title = "Generic Threat Match Timeline" timestamp_override = "event.ingested" type = "threat_match" -query = ''' -registry.path:* +threat_index = ["filebeat-*", "logs-ti_*"] +threat_indicator_path = "threat.indicator" +threat_language = "kuery" + +threat_query = ''' +@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and + not labels.is_ioc_transform_source:"true" ''' +query = """ +registry.path:* +""" + [[rule.threat_filters]] - [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -disabled = false -key = "event.category" negate = false +disabled = false type = "phrase" +key = "event.category" [rule.threat_filters.meta.params] query = "threat" [rule.threat_filters.query.match_phrase] "event.category" = "threat" -[[rule.threat_filters]] +[[rule.threat_filters]] [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -disabled = false -key = "event.kind" negate = false +disabled = false type = "phrase" +key = "event.kind" [rule.threat_filters.meta.params] query = "enrichment" [rule.threat_filters.query.match_phrase] "event.kind" = "enrichment" -[[rule.threat_filters]] +[[rule.threat_filters]] [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -disabled = false -key = "event.type" negate = false +disabled = false type = "phrase" +key = "event.type" [rule.threat_filters.meta.params] query = 
"indicator" [rule.threat_filters.query.match_phrase] "event.type" = "indicator" -[[rule.threat_mapping]] +[[rule.threat_mapping]] [[rule.threat_mapping.entries]] field = "registry.path" type = "mapping" value = "threat.indicator.registry.path" - - diff --git a/rules/cross-platform/threat_intel_indicator_match_url.toml b/rules/cross-platform/threat_intel_indicator_match_url.toml index cba88abb5..ea456406c 100644 --- a/rules/cross-platform/threat_intel_indicator_match_url.toml +++ b/rules/cross-platform/threat_intel_indicator_match_url.toml @@ -1,7 +1,12 @@ [metadata] creation_date = "2023/05/22" maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/01/17" +min_stack_comments = """ +Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match +general rules. +""" +min_stack_version = "8.5.0" [transform] [[transform.osquery]] @@ -28,7 +33,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ @@ -102,7 +106,7 @@ This rule is triggered when a URL indicator from the Threat Intel Filebeat modul references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", - "https://www.elastic.co/security/tip", + "https://www.elastic.co/security/tip" ] risk_score = 99 rule_id = "f3e22c8b-ea47-45d1-b502-b57b6de950b3" 
@@ -117,74 +121,72 @@ More information can be found [here](https://www.elastic.co/guide/en/security/cu """ severity = "critical" tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"] -threat_index = ["filebeat-*", "logs-ti_*"] -threat_indicator_path = "threat.indicator" -threat_language = "kuery" -threat_query = """ -@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.url.full:* and not -labels.is_ioc_transform_source:"true" -""" timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e" timeline_title = "Generic Threat Match Timeline" timestamp_override = "event.ingested" type = "threat_match" -query = ''' -url.full:* +threat_index = ["filebeat-*", "logs-ti_*"] +threat_indicator_path = "threat.indicator" +threat_language = "kuery" + +threat_query = ''' +@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and + threat.indicator.url.full:* and not labels.is_ioc_transform_source:"true" ''' +query = """ +url.full:* +""" + [[rule.threat_filters]] - [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -disabled = false -key = "event.category" negate = false +disabled = false type = "phrase" +key = "event.category" [rule.threat_filters.meta.params] query = "threat" [rule.threat_filters.query.match_phrase] "event.category" = "threat" -[[rule.threat_filters]] +[[rule.threat_filters]] [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -disabled = false -key = "event.kind" negate = false +disabled = false type = "phrase" +key = "event.kind" [rule.threat_filters.meta.params] query = "enrichment" [rule.threat_filters.query.match_phrase] "event.kind" = "enrichment" -[[rule.threat_filters]] +[[rule.threat_filters]] [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -disabled = false -key = "event.type" negate = false +disabled = false type = "phrase" +key = "event.type" [rule.threat_filters.meta.params] query = "indicator" 
[rule.threat_filters.query.match_phrase] "event.type" = "indicator" -[[rule.threat_mapping]] +[[rule.threat_mapping]] [[rule.threat_mapping.entries]] field = "url.full" type = "mapping" value = "threat.indicator.url.full" [[rule.threat_mapping]] - [[rule.threat_mapping.entries]] field = "url.original" type = "mapping" value = "threat.indicator.url.original" - - diff --git a/rules/integrations/aws/collection_cloudtrail_logging_created.toml b/rules/integrations/aws/collection_cloudtrail_logging_created.toml index f4c31b3d2..3ecd07148 100644 --- a/rules/integrations/aws/collection_cloudtrail_logging_created.toml +++ b/rules/integrations/aws/collection_cloudtrail_logging_created.toml @@ -2,7 +2,9 @@ creation_date = "2020/06/10" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -30,13 +32,7 @@ references = [ risk_score = 21 rule_id = "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Log Auditing", - "Tactic: Collection", -] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Tactic: Collection"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml b/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml index cbb1e5613..a092d575a 100644 --- a/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml +++ b/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml 
@@ -2,7 +2,9 @@ creation_date = "2024/04/10" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to 2.0.0" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" [rule] author = ["Elastic"] @@ -17,6 +19,7 @@ language = "kuery" license = "Elastic License v2" name = "AWS EC2 Admin Credential Fetch via Assumed Role" note = """ + ## Triage and Analysis ### Investigating AWS EC2 Admin Credential Fetch via Assumed Role diff --git a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml index fd03af121..17ca61309 100644 --- a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml +++ b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml @@ -2,7 +2,9 @@ creation_date = "2020/07/16" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -74,10 +76,10 @@ tags = [ "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", - "Tactic: Credential Access", + "Tactic: Credential Access" ] -timestamp_override = "event.ingested" type = "threshold" +timestamp_override = "event.ingested" query = ''' event.dataset:aws.cloudtrail and diff --git a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml index 5e6d6ebea..18248e825 100644 --- a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml +++ b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml 
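Review bot: The re-added metadata for credential_access_aws_getpassword_for_ec2_instance.toml pairs `min_stack_comments = "AWS integration breaking changes, bumping version to 2.0.0"` with `min_stack_version = "8.3.0"`, while every sibling AWS rule in this diff pairs that same justification (written `^2.0.0`) with `min_stack_version = "8.9.0"`. If the 2.0.0 integration schema is the reason for the floor, 8.3.0 would backport this rule to stacks whose AWS field layout it was not written against, and the comment then misdescribes the constraint. Either raise it to `min_stack_version = "8.9.0"` and `^2.0.0` to match the siblings, or reword the comment to state why 8.3.0 is sufficient for this rule; the diff alone does not show which is intended.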
@@ -2,7 +2,9 @@ creation_date = "2020/06/04" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic"] diff --git a/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml b/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml index e5e939edf..6365cc34c 100644 --- a/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml +++ b/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml 
@@ -2,18 +2,16 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Nick Jones", "Elastic"]
 description = """
-An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may
-attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time
-a specific user identity has programmatically retrieved a specific secret value from Secrets Manager using the
-`GetSecretValue` action. This rule assumes that AWS services such as Lambda functions and EC2 instances are setup with
-IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An adversary with
-access to a compromised AWS service such as an EC2 instance, Lambda function, or other service would rely on the
-compromised service's IAM role to access the secrets in Secrets Manager.
+An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time a specific user identity has programmatically retrieved a specific secret value from Secrets Manager using the `GetSecretValue` action.
+
+This rule assumes that AWS services such as Lambda functions and EC2 instances are setup with IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service would rely on the compromised service's IAM role to access the secrets in Secrets Manager.
 """
 false_positives = [
 """
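Review bot: The rewrapped description carries the wording `are setup with IAM role's assigned` onto the new side; `setup` is the noun form and `role's` is a possessive, so the second added paragraph should read `...EC2 instances are set up with IAM roles assigned that have the necessary permissions...`. The rewrap also turns each paragraph into a single very long line where the removed side was wrapped at roughly 120 columns; if the repository's rule formatter wraps description text, the next formatting pass may undo this, so it is worth checking that the one-line form is what the tooling emits.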
@@ -80,7 +78,7 @@ The AWS Fleet integration, Filebeat module, or similarly structured data is requ
 references = [
 "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
 "https://detectioninthe.cloud/ttps/credential_access/access_secret_in_secrets_manager/",
- "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum",
+ "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum"
 ]
 risk_score = 47
 rule_id = "a00681e3-9ed6-447c-ab2c-be648821c622"
diff --git a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
index e8cfdda99..889e6d56a 100644
--- a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
+++ b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/07/21"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -29,15 +31,9 @@ references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.htm
 risk_score = 73
 rule_id = "4d50a94f-2844-43fa-8395-6afbd5e1c5ef"
 severity = "high"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Use Case: Identity and Access Audit",
- "Tactic: Credential Access",
-]
-timestamp_override = "event.ingested"
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
 type = "threshold"
+timestamp_override = "event.ingested"
 query = '''
 event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
index 0bbea8b84..fab6ee327 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/26"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -74,14 +76,7 @@ references = [
 risk_score = 47
 rule_id = "7024e2a0-315d-4334-bb1a-441c593e16ab"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Use Case: Log Auditing",
- "Resources: Investigation Guide",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml index 72227a18a..6d1ee6ef2 100644 --- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml +++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml @@ -2,7 +2,9 @@ creation_date = "2020/06/10" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -78,14 +80,7 @@ references = [ risk_score = 47 rule_id = "1aa8fa52-44a7-4dae-b058-f3333b91c8d7" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Log Auditing", - "Resources: Investigation Guide", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml index 11861b990..3d5915bd6 100644 --- a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml +++ b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml @@ -2,7 +2,9 @@ creation_date = "2020/06/15" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic"] 
@@ -80,13 +82,7 @@ references = [ risk_score = 47 rule_id = "f772ec8a-e182-483c-91d2-72058f76a44c" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Resources: Investigation Guide", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Resources: Investigation Guide", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml index 855c53f63..451dda334 100644 --- a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml +++ b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml @@ -2,7 +2,9 @@ creation_date = "2020/06/26" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic", "Austin Songer"] @@ -78,13 +80,7 @@ references = [ risk_score = 21 rule_id = "7024e2a0-315d-4334-bb1a-552d604f27bc" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Resources: Investigation Guide", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Resources: Investigation Guide", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml index c0cd38ab2..cc02cd56a 100644 --- a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml +++ b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/06/16" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic"] diff --git a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml index 3c803b5f4..7f1090ef1 100644 --- a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml +++ b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml @@ -2,7 +2,9 @@ creation_date = "2020/06/15" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -77,14 +79,7 @@ references = [ risk_score = 73 rule_id = "9395fd2c-9947-4472-86ef-4aceb2f7e872" severity = "high" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Log Auditing", - "Resources: Investigation Guide", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml index fb2e47ad9..1db8508a9 100644 --- a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml +++ b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/05/26" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -35,13 +37,7 @@ references = [ risk_score = 47 rule_id = "8623535c-1e17-44e1-aa97-7a0699c3037d" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Network Security Monitoring", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml index d39dcc0b0..5d5500605 100644 --- a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml +++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml @@ -2,7 +2,9 @@ creation_date = "2021/07/19" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Austin Songer"] diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml index a496a341a..bb65f1940 100644 --- a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml +++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml 
@@ -2,7 +2,9 @@ creation_date = "2021/07/19" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Austin Songer"] diff --git a/rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml b/rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml index 9b150497c..2d034a9e7 100644 --- a/rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml +++ b/rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml @@ -2,7 +2,9 @@ creation_date = "2021/09/22" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Austin Songer"] @@ -29,13 +31,7 @@ references = [ risk_score = 21 rule_id = "979729e7-0c52-4c4c-b71e-88103304a79f" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Identity and Access Audit", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml index d0f4ad05d..54e33b5a9 100644 --- a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml +++ b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/05/28" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic"] diff --git a/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml b/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml index 0df31df63..15682431e 100644 --- a/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml +++ b/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml @@ -2,7 +2,9 @@ creation_date = "2024/04/12" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/05/06" [rule] author = ["Elastic"] @@ -19,6 +21,7 @@ language = "kuery" license = "Elastic License v2" name = "Route53 Resolver Query Log Configuration Deleted" note = """ + ## Triage and Analysis ### Investigating Route53 Resolver Query Log Configuration Deleted diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml index ceb62849c..0777ffc65 100644 --- a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml +++ b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml @@ -2,7 +2,9 @@ creation_date = "2020/05/27" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic"] 
@@ -33,13 +35,7 @@ references = [ risk_score = 21 rule_id = "227dc608-e558-43d9-b521-150772250bae" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Asset Visibility", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml index 33ddcf375..749b42b06 100644 --- a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml +++ b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml @@ -2,7 +2,9 @@ creation_date = "2020/05/21" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -30,13 +32,7 @@ references = [ risk_score = 47 rule_id = "91d04cd4-47a9-4334-ab14-084abe274d49" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Network Security Monitoring", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml index 1206af849..a83cccbfa 100644 --- a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml +++ b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/06/09" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -30,13 +32,7 @@ references = [ risk_score = 47 rule_id = "5beaebc1-cc13-4bfc-9949-776f9e0dc318" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Network Security Monitoring", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml index bc1ecf1da..04631d878 100644 --- a/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml +++ b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml @@ -2,7 +2,9 @@ creation_date = "2024/04/16" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/05/13" [rule] author = ["Elastic"] @@ -24,6 +26,7 @@ language = "kuery" license = "Elastic License v2" name = "EC2 AMI Shared with Another Account" note = """ + ## Triage and Analysis ### Investigating EC2 AMI Shared with Another Account diff --git a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml index e809fcaf2..a305bc80d 100644 --- a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml 
+++ b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml @@ -2,7 +2,9 @@ creation_date = "2021/05/05" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic", "Austin Songer"] @@ -34,14 +36,7 @@ references = [ risk_score = 47 rule_id = "c1812764-0788-470f-8e74-eb4a14d47573" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Network Security Monitoring", - "Tactic: Exfiltration", - "Tactic: Collection", -] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Exfiltration", "Tactic: Collection"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml index cb94ddfe2..24f65ef73 100644 --- a/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml +++ b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml @@ -2,7 +2,9 @@ creation_date = "2020/06/24" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic"] diff --git a/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml b/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml index 6b99a4eed..79bb43917 100644 --- a/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml +++ b/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml 
@@ -2,7 +2,9 @@ creation_date = "2021/04/22" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic", "Austin Songer"] @@ -30,14 +32,7 @@ references = ["https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.h risk_score = 21 rule_id = "e919611d-6b6f-493b-8314-7ed6ac2e413b" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Asset Visibility", - "Tactic: Exfiltration", - "Tactic: Collection", -] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Exfiltration", "Tactic: Collection"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml index 3acc55c15..e76a934dc 100644 --- a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml +++ b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml @@ -2,7 +2,9 @@ creation_date = "2021/06/06" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic", "Austin Songer"] 
@@ -27,13 +29,7 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Sta risk_score = 21 rule_id = "119c8877-8613-416d-a98a-96b6664ee73a" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Asset Visibility", - "Tactic: Exfiltration", -] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Exfiltration"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml index fb21fe2f6..8197da77b 100644 --- a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml +++ b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml @@ -2,7 +2,9 @@ creation_date = "2021/06/29" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Austin Songer"] @@ -32,13 +34,7 @@ references = [ risk_score = 47 rule_id = "bf1073bf-ce26-4607-b405-ba1ed8e9e204" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Use Case: Asset Visibility", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml index 4dced14d7..6059acca4 100644 --- a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml +++ b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml 
@@ -2,7 +2,9 @@ creation_date = "2021/10/17" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Austin Songer"] diff --git a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml index 48494c6f3..aa38f0674 100644 --- a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml +++ b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml @@ -2,7 +2,9 @@ creation_date = "2020/06/10" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -74,15 +76,7 @@ references = [ risk_score = 21 rule_id = "3e002465-876f-4f04-b016-84ef48ce7e5d" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS Cloudtrail", - "Use Case: Log Auditing", - "Resources: Investigation Guide", - "Tactic: Impact", -] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Cloudtrail", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Impact"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml index a51d7148e..35f56683f 100644 --- a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml +++ b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/05/18" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -79,15 +81,7 @@ references = [ risk_score = 47 rule_id = "68a7a5a5-a2fc-4a76-ba9f-26849de881b4" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS CloudWatch", - "Use Case: Log Auditing", - "Resources: Investigation Guide", - "Tactic: Impact", -] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS CloudWatch", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Impact"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml index f673d30df..f9f57c997 100644 --- a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml +++ b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml @@ -2,7 +2,9 @@ creation_date = "2020/05/20" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic"] diff --git a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml index 06305eb89..efaedd396 100644 --- a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml +++ b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/06/05" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -34,13 +36,7 @@ references = [ risk_score = 47 rule_id = "bb9b13b2-1700-48a8-a750-b43b0a72ab69" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS EC2", - "Tactic: Impact", -] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Tactic: Impact"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml index 289a12509..7bfe24021 100644 --- a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml +++ b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml @@ -2,7 +2,9 @@ creation_date = "2021/08/27" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Austin Songer"] diff --git a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml index c9d1fb8a1..c908c752f 100644 --- a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml +++ b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml @@ -2,7 +2,9 @@ creation_date = "2020/05/26" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic", "Austin Songer"] 
@@ -73,14 +75,7 @@ references = [ risk_score = 47 rule_id = "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS IAM", - "Resources: Investigation Guide", - "Tactic: Impact", -] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Resources: Investigation Guide", "Tactic: Impact"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/impact_iam_group_deletion.toml b/rules/integrations/aws/impact_iam_group_deletion.toml index 97463e977..6c8c05f71 100644 --- a/rules/integrations/aws/impact_iam_group_deletion.toml +++ b/rules/integrations/aws/impact_iam_group_deletion.toml @@ -2,7 +2,9 @@ creation_date = "2020/05/21" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -33,13 +35,7 @@ references = [ risk_score = 21 rule_id = "867616ec-41e5-4edc-ada2-ab13ab45de8a" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS IAM", - "Tactic: Impact", -] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Tactic: Impact"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml b/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml index 11c2d1333..6eb74194e 100644 --- a/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml +++ b/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml 
@@ -2,7 +2,9 @@
 creation_date = "2022/09/21"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Xavier Pich"]
@@ -35,14 +37,7 @@ references = [
 risk_score = 47
 rule_id = "6951f15e-533c-4a60-8014-a3c3ab851a1b"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS KMS",
- "Use Case: Log Auditing",
- "Tactic: Impact",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS KMS", "Use Case: Log Auditing", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/impact_rds_group_deletion.toml b/rules/integrations/aws/impact_rds_group_deletion.toml
index 989081659..4f13ca6bb 100644
--- a/rules/integrations/aws/impact_rds_group_deletion.toml
+++ b/rules/integrations/aws/impact_rds_group_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/06/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -28,13 +30,7 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Del
 risk_score = 21
 rule_id = "863cdf31-7fd3-41cf-a185-681237ea277b"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS RDS",
- "Tactic: Impact",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
index 8648fe434..571098c77 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -37,14 +39,7 @@ references = [
 risk_score = 47
 rule_id = "9055ece6-2689-4224-a0e0-b04881e1f8ad"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS RDS",
- "Use Case: Asset Visibility",
- "Tactic: Impact",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
index ecdf99bd4..423869ff9 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/20"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -32,14 +34,7 @@ references = [
 risk_score = 47
 rule_id = "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS RDS",
- "Use Case: Asset Visibility",
- "Tactic: Impact",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/initial_access_console_login_root.toml b/rules/integrations/aws/initial_access_console_login_root.toml
index de2126e08..e42fe045a 100644
--- a/rules/integrations/aws/initial_access_console_login_root.toml
+++ b/rules/integrations/aws/initial_access_console_login_root.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/06/11"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -70,7 +72,7 @@ tags = [
 "Data Source: AWS Signin",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Initial Access",
+ "Tactic: Initial Access"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/initial_access_password_recovery.toml b/rules/integrations/aws/initial_access_password_recovery.toml
index 76273e283..05f43038b 100644
--- a/rules/integrations/aws/initial_access_password_recovery.toml
+++ b/rules/integrations/aws/initial_access_password_recovery.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/07/02"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -30,14 +32,7 @@ references = ["https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/"]
 risk_score = 21
 rule_id = "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS Signin",
- "Use Case: Identity and Access Audit",
- "Tactic: Initial Access",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Signin", "Use Case: Identity and Access Audit", "Tactic: Initial Access"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/initial_access_via_system_manager.toml b/rules/integrations/aws/initial_access_via_system_manager.toml
index 7f7beade8..378c45ce1 100644
--- a/rules/integrations/aws/initial_access_via_system_manager.toml
+++ b/rules/integrations/aws/initial_access_via_system_manager.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
index 8b7f1512a..2e7f5fb50 100644
--- a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
+++ b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/07/13"
-integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
+integration = ["aws"]
 [rule]
 anomaly_threshold = 50
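Review bot: In the `@@ -1,8 +1,10 @@` hunk of `ml_cloudtrail_error_message_spike.toml`, `integration = ["aws"]` is removed from its place between `creation_date` and `maturity` and re-added after `updated_date`, so this `[metadata]` block ends up with a key order that no other rule in the change uses; the same reordering is in the `@@ -1,8 +1,10 @@` hunks of `ml_cloudtrail_rare_error_code.toml`, `ml_cloudtrail_rare_method_by_city.toml`, `ml_cloudtrail_rare_method_by_country.toml` and `ml_cloudtrail_rare_method_by_user.toml`. Dropping the `-integration = ["aws"]` / `+integration = ["aws"]` pair leaves the line where it was and turns each of these hunks into the same three-line insertion the other rules get. These five rules also receive `updated_date = "2023/10/24"` where the other AWS rules get `2024/04/14`; it would be worth confirming that this older value is intended and not a stale copy.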
@@ -85,13 +87,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "78d3d8d9-b476-451d-a9e0-7a5addd70670"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
 type = "machine_learning"
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
index 0ebbb531d..f0622af6c 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/07/13"
-integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
+integration = ["aws"]
 [rule]
 anomaly_threshold = 50
@@ -87,13 +89,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "19de8096-e2b0-4bd8-80c9-34a820813fff"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
 type = "machine_learning"
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
index 947265fdc..ae2cf411b 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/07/13"
-integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
+integration = ["aws"]
 [rule]
 anomaly_threshold = 50
@@ -89,13 +91,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "809b70d3-e2c3-455e-af1b-2626a5a1a276"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
 type = "machine_learning"
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
index 1cb446348..dae363dc1 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/07/13"
-integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
+integration = ["aws"]
 [rule]
 anomaly_threshold = 50
@@ -89,13 +91,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "dca28dee-c999-400f-b640-50a081cc0fd1"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
 type = "machine_learning"
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
index 88a65f683..b2e817bfc 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/07/13"
-integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
+integration = ["aws"]
 [rule]
 anomaly_threshold = 75
@@ -87,13 +89,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
 type = "machine_learning"
diff --git a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
index 0ec4ba8c4..2fd07cb29 100644
--- a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
+++ b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/06/04"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -35,14 +37,7 @@ references = [
 risk_score = 21
 rule_id = "39144f38-5284-4f8e-a2ae-e3fd628d90b0"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS EC2",
- "Use Case: Network Security Monitoring",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
index 356547289..70e77bbf7 100644
--- a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
+++ b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/05/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -31,14 +33,7 @@ references = ["https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-securi
 risk_score = 21
 rule_id = "29052c19-ff3e-42fd-8363-7be14d7c5469"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS EC2",
- "Use Case: Network Security Monitoring",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_iam_group_creation.toml b/rules/integrations/aws/persistence_iam_group_creation.toml
index 5d678c72d..c638a8967 100644
--- a/rules/integrations/aws/persistence_iam_group_creation.toml
+++ b/rules/integrations/aws/persistence_iam_group_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/06/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -33,14 +35,7 @@ references = [
 risk_score = 21
 rule_id = "169f3a93-efc7-4df2-94d6-0d9438c310d1"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS IAM",
- "Use Case: Identity and Access Audit",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_rds_cluster_creation.toml b/rules/integrations/aws/persistence_rds_cluster_creation.toml
index 352fd7c48..840f8a3c2 100644
--- a/rules/integrations/aws/persistence_rds_cluster_creation.toml
+++ b/rules/integrations/aws/persistence_rds_cluster_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/20"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -35,14 +37,7 @@ references = [
 risk_score = 21
 rule_id = "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS RDS",
- "Use Case: Asset Visibility",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_rds_group_creation.toml b/rules/integrations/aws/persistence_rds_group_creation.toml
index 1140f4e4e..70265434c 100644
--- a/rules/integrations/aws/persistence_rds_group_creation.toml
+++ b/rules/integrations/aws/persistence_rds_group_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/06/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -27,13 +29,7 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Cre
 risk_score = 21
 rule_id = "378f9024-8a0c-46a5-aa08-ce147ac73a4e"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS RDS",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_rds_instance_creation.toml b/rules/integrations/aws/persistence_rds_instance_creation.toml
index ba167a1cb..bab383568 100644
--- a/rules/integrations/aws/persistence_rds_instance_creation.toml
+++ b/rules/integrations/aws/persistence_rds_instance_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/06/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -27,14 +29,7 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Cre
 risk_score = 21
 rule_id = "f30f3443-4fbb-4c27-ab89-c3ad49d62315"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS RDS",
- "Use Case: Asset Visibility",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_redshift_instance_creation.toml b/rules/integrations/aws/persistence_redshift_instance_creation.toml
index ee4a8e87d..5160db70a 100644
--- a/rules/integrations/aws/persistence_redshift_instance_creation.toml
+++ b/rules/integrations/aws/persistence_redshift_instance_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/04/12"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -31,14 +33,7 @@ references = ["https://docs.aws.amazon.com/redshift/latest/APIReference/API_Crea
 risk_score = 21
 rule_id = "015cca13-8832-49ac-a01b-a396114809f6"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS Redshift",
- "Use Case: Asset Visibility",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Redshift", "Use Case: Asset Visibility", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
index 3adaff849..4e065c4fa 100644
--- a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
+++ b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/05/10"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -33,14 +35,7 @@ references = [
 risk_score = 21
 rule_id = "12051077-0124-4394-9522-8f4f4db1d674"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS Route53",
- "Use Case: Asset Visibility",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Asset Visibility", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
index 758c5f25b..166506aa7 100644
--- a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
+++ b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/05/10"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -28,14 +30,7 @@ references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Opera
 risk_score = 21
 rule_id = "2045567e-b0af-444a-8c0b-0b6e2dae9e13"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS Route53",
- "Use Case: Asset Visibility",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Asset Visibility", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
index 50c7b0fa2..7b763c72d 100644
--- a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
+++ b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/07/19"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Austin Songer"]
@@ -27,14 +29,7 @@ references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Assoc
 risk_score = 21
 rule_id = "e3c27562-709a-42bd-82f2-3ed926cced19"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS Route53",
- "Use Case: Asset Visibility",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Asset Visibility", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_route_table_created.toml b/rules/integrations/aws/persistence_route_table_created.toml
index c254309c0..b79c5f296 100644
--- a/rules/integrations/aws/persistence_route_table_created.toml
+++ b/rules/integrations/aws/persistence_route_table_created.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/06/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -32,14 +34,7 @@ references = [
 risk_score = 21
 rule_id = "e12c0318-99b1-44f2-830c-3a38a43207ca"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS Route53",
- "Use Case: Network Security Monitoring",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
index 8829dc165..6f3cc8f42 100644
--- a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
+++ b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/06/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -36,14 +38,7 @@ references = [
 risk_score = 21
 rule_id = "e7cd5982-17c8-4959-874c-633acde7d426"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS Route53",
- "Use Case: Network Security Monitoring",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
index 3e8adc73b..903cb9c1b 100644
--- a/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
+++ b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -75,7 +77,7 @@ tags = [
 "Data Source: AWS Route53",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Privilege Escalation",
+ "Tactic: Privilege Escalation"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
index 1cc2fd23f..c81aedb04 100644
--- a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
+++ b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/05/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Austin Songer"]
@@ -22,14 +24,7 @@ references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRol
 risk_score = 21
 rule_id = "93075852-b0f5-4b8b-89c3-a226efae5726"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS STS",
- "Use Case: Identity and Access Audit",
- "Tactic: Privilege Escalation",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
index 7bde75f67..48ce9ac22 100644
--- a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
+++ b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/05/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Austin Songer"]
@@ -28,14 +30,7 @@ references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessio
 risk_score = 21
 rule_id = "b45ab1d2-712f-4f01-a751-df3826969807"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS STS",
- "Use Case: Identity and Access Audit",
- "Tactic: Privilege Escalation",
-]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
index 979d9ef46..53313087b 100644
--- a/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
+++ b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -76,7 +78,7 @@ tags = [
 "Data Source: AWS STS",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Privilege Escalation",
+ "Tactic: Privilege Escalation"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml b/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
index b3ffe646b..e6087f04f 100644
--- a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
+++ b/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -53,6 +55,7 @@ reference = "https://attack.mitre.org/techniques/T1530/"
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml b/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
index 92c23e47a..301b47cc7 100644
--- a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
+++ b/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/08/12"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/28"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/azure/credential_access_key_vault_modified.toml b/rules/integrations/azure/credential_access_key_vault_modified.toml
index b58c6dfac..60f60148c 100644
--- a/rules/integrations/azure/credential_access_key_vault_modified.toml
+++ b/rules/integrations/azure/credential_access_key_vault_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/31"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
index 5f1e83dab..4373e0661 100644
--- a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
+++ b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/19"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -32,12 +34,7 @@ references = [
 risk_score = 21
 rule_id = "1e0b832e-957e-43ae-b319-db82d228c908"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: Azure",
- "Use Case: Identity and Access Audit",
- "Tactic: Credential Access",
-]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml b/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
index e6d6c3ef2..54c17bac9 100644
--- a/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
+++ b/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/14"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -34,12 +36,7 @@ references = [
 risk_score = 47
 rule_id = "1a36cace-11a7-43a8-9a10-b497c5a02cd3"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: Azure",
- "Use Case: Identity and Access Audit",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml b/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
index 50ea493d4..48d4d5cdd 100644
--- a/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml b/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
index 7802a541a..45331762b 100644
--- a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
+++ b/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/09/22"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Austin Songer"]
@@ -28,13 +30,7 @@ references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/
 risk_score = 47
 rule_id = "d79c4b2a-6134-4edd-86e6-564a92a933f9"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: Azure",
- "Use Case: Identity and Access Audit",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
index 3d1aed023..47626334d 100644
--- a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/17"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml b/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
index cad7d6eec..230a3c55e 100644
--- a/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
+++ b/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/14"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -79,7 +81,7 @@ tags = [
 "Data Source: Azure",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Defense Evasion",
+ "Tactic: Defense Evasion"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
index b94eb74a5..a12e6f744 100644
--- a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
index f0c701c2c..438edb64f 100644
--- a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -29,12 +31,7 @@ references = ["https://docs.microsoft.com/en-us/azure/firewall-manager/policy-ov
 risk_score = 21
 rule_id = "e02bd3ea-72c6-4181-ac2b-0f83d17ad969"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: Azure",
- "Use Case: Network Security Monitoring",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
index acea8b019..4569cd69a 100644
--- a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/08/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Austin Songer"]
@@ -33,12 +35,7 @@ references = [
 risk_score = 21
 rule_id = "09d028a5-dcde-409f-8ae0-557cef1b7082"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: Azure",
- "Use Case: Network Security Monitoring",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
index 12782cf9c..1d762fb49 100644
--- a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/06/24"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
index 4bf9be6b0..1e460c72f 100644
--- a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/31"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -30,12 +32,7 @@ references = ["https://docs.microsoft.com/en-us/azure/network-watcher/network-wa
 risk_score = 47
 rule_id = "323cb487-279d-4218-bcbd-a568efe930c6"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: Azure",
- "Use Case: Network Security Monitoring",
- "Tactic: Defense Evasion",
-]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml b/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
index 5adfd45ab..d3ce5bbd3 100644
--- a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
+++ b/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/08/27"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/azure/discovery_blob_container_access_mod.toml b/rules/integrations/azure/discovery_blob_container_access_mod.toml
index 61d9adf1f..d0643bd18 100644
--- a/rules/integrations/azure/discovery_blob_container_access_mod.toml
+++ b/rules/integrations/azure/discovery_blob_container_access_mod.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/20"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/execution_command_virtual_machine.toml b/rules/integrations/azure/execution_command_virtual_machine.toml
index 6913c697a..c23a07b5e 100644
--- a/rules/integrations/azure/execution_command_virtual_machine.toml
+++ b/rules/integrations/azure/execution_command_virtual_machine.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/17"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml b/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
index d66662ddb..beb326d83 100644
--- a/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
+++ b/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/05/05"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
index 791f2c8c2..6fb47608b 100644
--- a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
+++ b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/06/24"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/azure/impact_resource_group_deletion.toml b/rules/integrations/azure/impact_resource_group_deletion.toml
index 6ccdd075a..e84b27820 100644
--- a/rules/integrations/azure/impact_resource_group_deletion.toml
+++ b/rules/integrations/azure/impact_resource_group_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/17"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/impact_virtual_network_device_modified.toml b/rules/integrations/azure/impact_virtual_network_device_modified.toml
index f1e9e003e..b8dfb12a9 100644
--- a/rules/integrations/azure/impact_virtual_network_device_modified.toml
+++ b/rules/integrations/azure/impact_virtual_network_device_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/12"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
index fb43d7cad..7a19dec88 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/04"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic", "Willem D'Haese"]
@@ -77,7 +79,7 @@ tags = [
 "Data Source: Azure",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Initial Access",
+ "Tactic: Initial Access"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
index 1657100c3..18bec5776 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Austin Songer"]
@@ -72,7 +74,7 @@ tags = [
 "Data Source: Azure",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Initial Access",
+ "Tactic: Initial Access"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
index 84c1ea44c..759a39fb3 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/14"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -76,7 +78,7 @@ tags = [
 "Data Source: Azure",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Initial Access",
+ "Tactic: Initial Access"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
index 8766f39fc..d5fd491a1 100644
--- a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
+++ b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/01"
 integration = ["azure", "o365"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
+min_stack_version = "8.8.0"
+updated_date = "2024/04/22"
 
 [rule]
 author = ["Elastic"]
@@ -78,7 +80,7 @@ tags = [
 "Data Source: Microsoft 365",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Initial Access",
+ "Tactic: Initial Access"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_external_guest_user_invite.toml b/rules/integrations/azure/initial_access_external_guest_user_invite.toml
index ec46d414b..bd4236456 100644
--- a/rules/integrations/azure/initial_access_external_guest_user_invite.toml
+++ b/rules/integrations/azure/initial_access_external_guest_user_invite.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/31"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_automation_account_created.toml b/rules/integrations/azure/persistence_azure_automation_account_created.toml
index 114f1210d..c8018b94f 100644
--- a/rules/integrations/azure/persistence_azure_automation_account_created.toml
+++ b/rules/integrations/azure/persistence_azure_automation_account_created.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml b/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
index 94aa992de..9b4723dc0 100644
--- a/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
+++ b/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml b/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
index 370c2d78c..d0d03fc2d 100644
--- a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
+++ b/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml b/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
index fda5b5dbb..a679e83b9 100644
--- a/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
+++ b/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
index d3509a4a0..aed4975d3 100644
--- a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
+++ b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml b/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
index c27d826a2..913b40985 100644
--- a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
+++ b/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/24"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
index fa292e7a4..6e2bcb3b6 100644
--- a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
+++ b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -73,7 +75,7 @@ tags = [
 "Data Source: Azure",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Persistence",
+ "Tactic: Persistence"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml b/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
index df2043ba4..73504c667 100644
--- a/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
+++ b/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/20"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -67,7 +69,7 @@ tags = [
 "Data Source: Azure",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Persistence",
+ "Tactic: Persistence"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
index 1da8d4b00..976609b89 100644
--- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
+++ b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/20"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
index cdb708184..83a6a7834 100644
--- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
+++ b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/20"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml b/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
index c57337e5f..09f19c7c6 100644
--- a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
+++ b/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Austin Songer"]
@@ -27,12 +29,7 @@ references = [
 risk_score = 21
 rule_id = "1c966416-60c1-436b-bfd0-e002fddbfd89"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: Azure",
- "Use Case: Identity and Access Audit",
- "Tactic: Privilege Escalation",
-]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/cloud_defend/container_workload_protection.toml b/rules/integrations/cloud_defend/container_workload_protection.toml
index af8cc879b..fe0d91851 100644
--- a/rules/integrations/cloud_defend/container_workload_protection.toml
+++ b/rules/integrations/cloud_defend/container_workload_protection.toml
@@ -2,13 +2,15 @@
 creation_date = "2023/04/05"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Initial version of the Container Workload Protection alerts"
+min_stack_version = "8.8.0"
+updated_date = "2024/05/13"
 
 [rule]
 author = ["Elastic"]
 description = """
-Generates a detection alert each time a 'Container Workload Protection' alert is received. Enabling this rule allows you
-to immediately begin triaging and investigating these alerts.
+Generates a detection alert each time a 'Container Workload Protection' alert is received. Enabling this rule allows you to
+immediately begin triaging and investigating these alerts.
 """
 enabled = true
 from = "now-10m"
@@ -37,4 +39,3 @@ type = "query"
 query = '''
 event.kind:alert and event.module:cloud_defend
 '''
-
diff --git a/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml
index da057f623..4311d3809 100644
--- a/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml
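Review bot: The reflowed first line of `description` (`… Enabling this rule allows you to`) is 123 characters, whereas the removed wrap broke after `you` to stay within 120 columns; if the repo's TOML formatter or linter enforces that width this line will be re-wrapped on the next save and produce churn that changes the rule's content hash again. Keeping the previous wrap (`… Enabling this rule allows you` / `to immediately begin triaging and investigating these alerts.`) avoids that, and the meaning is identical either way. The second hunk in this file only drops a trailing blank line after `'''`.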
@@ -2,60 +2,52 @@ creation_date = "2023/06/28" integration = ["cloud_defend"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New Integration: Cloud Defend" +min_stack_version = "8.8.0" +updated_date = "2023/06/28" [rule] author = ["Elastic"] -description = """ -This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a -container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or -facilitate a container breakout to the underlying cloud environment. -""" +description = "This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying cloud environment." from = "now-6m" index = ["logs-cloud_defend*"] interval = "5m" language = "eql" license = "Elastic License v2" name = "AWS Credentials Searched For Inside A Container" -references = ["https://sysdig.com/blog/threat-detection-aws-cloud-containers/"] +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] +references = [ + "https://sysdig.com/blog/threat-detection-aws-cloud-containers/", +] risk_score = 47 rule_id = "d0b0f3ed-0b37-44bf-adee-e8cb7de92767" severity = "medium" -tags = [ - "Data Source: Elastic Defend for Containers", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", -] timestamp_override = "event.ingested" type = "eql" -query = ''' +query = """ process where event.module == "cloud_defend" and event.type == "start" and /*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/ (process.name : ("grep", "egrep", "fgrep", "find", "locate", "mlocate") 
or process.args : ("grep", "egrep", "fgrep", "find", "locate", "mlocate")) and process.args : ("*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_token*", "*accesskeyid*", "*secretaccesskey*", "*access_key*", "*.aws/credentials*") -''' - +""" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1552" -name = "Unsecured Credentials" -reference = "https://attack.mitre.org/techniques/T1552/" -[[rule.threat.technique.subtechnique]] -id = "T1552.001" -name = "Credentials In Files" -reference = "https://attack.mitre.org/techniques/T1552/001/" + [rule.threat.tactic] + id = "TA0006" + reference = "https://attack.mitre.org/tactics/TA0006/" + name = "Credential Access" + [[rule.threat.technique]] + id = "T1552" + reference = "https://attack.mitre.org/techniques/T1552/" + name = "Unsecured Credentials" -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - + [[rule.threat.technique.subtechnique]] + id = "T1552.001" + reference = "https://attack.mitre.org/techniques/T1552/001/" + name = "Credentials In Files" diff --git a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml index ad37dcc18..77b0d8b6a 100644 --- a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml +++ b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml @@ -2,7 +2,9 @@ creation_date = "2023/05/12" integration = ["cloud_defend"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New Integration: Cloud Defend" +min_stack_version = "8.8.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] 
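Review bot: `+query = """` in this hunk turns the EQL body from a TOML literal string into a basic multi-line string, so every backslash inside the query is now a TOML escape: `\\` folds to a single `\`, and an unrecognised sequence such as `\d` or `\.` is a parse error for the whole rule file instead of a character handed to EQL. None of the patterns visible here (`"*aws_access_key_id*"`, `"*.aws/credentials*"`, the `/* ... */` comment) contain a backslash, so the file still loads, but the next edit that adds an escaped quote or a path pattern will be silently altered or break the rule. Keep the delimiter the `-` line had, `query = '''`, which takes the query text verbatim.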
@@ -19,14 +21,7 @@ name = "Sensitive Files Compression Inside A Container"
 risk_score = 47
 rule_id = "475b42f0-61fb-4ef0-8a85-597458bfb0a1"
 severity = "medium"
-tags = [
- "Data Source: Elastic Defend for Containers",
- "Domain: Container",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Collection",
- "Tactic: Credential Access",
-]
+tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -100,4 +95,3 @@ reference = "https://attack.mitre.org/techniques/T1560/001/"
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
-
diff --git a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
index dc8fd0b0b..d1b2210cb 100644
--- a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
@@ -2,36 +2,30 @@ creation_date = "2023/05/12" integration = ["cloud_defend"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New Integration: Cloud Defend" +min_stack_version = "8.8.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] -description = """ -This rule detects the use of system search utilities like grep and find to search for private SSH keys or passwords -inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container -environment or facilitate a container breakout to the underlying host machine. -""" +description = "This rule detects the use of system search utilities like grep and find to search for private SSH keys or passwords inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying host machine." from = "now-6m" index = ["logs-cloud_defend*"] interval = "5m" language = "eql" license = "Elastic License v2" name = "Sensitive Keys Or Passwords Searched For Inside A Container" -references = ["https://sysdig.com/blog/cve-2021-25741-kubelet-falco/"] +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] +references = [ + "https://sysdig.com/blog/cve-2021-25741-kubelet-falco/", +] risk_score = 47 rule_id = "9661ed8b-001c-40dc-a777-0983b7b0c91a" severity = "medium" -tags = [ - "Data Source: Elastic Defend for Containers", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", -] timestamp_override = "event.ingested" type = "eql" -query = ''' +query = """ process where container.id: "*" and event.type== "start" and (( /*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/ 
@@ -45,24 +39,22 @@ or (process.name in ("find", "locate", "mlocate") or process.args in ("find", "locate", "mlocate")) and process.args : ("*id_rsa*", "*id_dsa*") )) -''' - +""" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1552" -name = "Unsecured Credentials" -reference = "https://attack.mitre.org/techniques/T1552/" -[[rule.threat.technique.subtechnique]] -id = "T1552.001" -name = "Credentials In Files" -reference = "https://attack.mitre.org/techniques/T1552/001/" + [rule.threat.tactic] + id = "TA0006" + reference = "https://attack.mitre.org/tactics/TA0006/" + name = "Credential Access" + [[rule.threat.technique]] + id = "T1552" + reference = "https://attack.mitre.org/techniques/T1552/" + name = "Unsecured Credentials" -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - + [[rule.threat.technique.subtechnique]] + id = "T1552.001" + reference = "https://attack.mitre.org/techniques/T1552/001/" + name = "Credentials In Files" diff --git a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml index 14581165c..76e8dad4c 100644 --- a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml +++ b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml 
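Review bot: The `process.args : ("*id_rsa*", "*id_dsa*")` term that closes this query only covers two OpenSSH default key names, so `find / -name id_ed25519` or `grep -r id_ecdsa` run inside the container never fires; extend it to `process.args : ("*id_rsa*", "*id_dsa*", "*id_ecdsa*", "*id_ed25519*")`. That gap is pre-existing rather than introduced by this commit, and the enclosing `query` starts outside the hunk, so the earlier branch of the same query should be checked for the same list. Separately, `+query = """` replaces the literal `'''` delimiter with a TOML basic string in which backslashes are escape sequences; the query has none today, but `'''` is the safer delimiter for EQL text.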
@@ -2,16 +2,17 @@ creation_date = "2023/06/06" integration = ["cloud_defend"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New Integration: Cloud Defend" +min_stack_version = "8.8.0" +updated_date = "2023/06/23" [rule] author = ["Elastic"] description = """ -This rule detects the creation or modification of the dynamic linker preload shared object (ld.so.preload) inside a -container. The Linux dynamic linker is used to load libraries needed by a program at runtime. Adversaries may hijack the -dynamic linker by modifying the /etc/ld.so.preload file to point to malicious libraries. This behavior can be used to -grant unauthorized access to system resources and has been used to evade detection of malicious processes in container -environments. +This rule detects the creation or modification of the dynamic linker preload shared object (ld.so.preload) inside a container. +The Linux dynamic linker is used to load libraries needed by a program at runtime. Adversaries may hijack the dynamic linker by modifying +the /etc/ld.so.preload file to point to malicious libraries. This behavior can be used to grant unauthorized access to system resources and +has been used to evade detection of malicious processes in container environments. """ from = "now-6m" index = ["logs-cloud_defend*"] @@ -21,9 +22,9 @@ license = "Elastic License v2" name = "Modification of Dynamic Linker Preload Shared Object Inside A Container" references = [ "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/", - "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang/", + "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang/", "https://sysdig.com/blog/threat-detection-aws-cloud-containers/", -] +] risk_score = 73 rule_id = "342f834b-21a6-41bf-878c-87d116eba3ee" severity = "high" 
@@ -53,4 +54,3 @@ reference = "https://attack.mitre.org/techniques/T1574/006/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml
index bb9fab55b..cae35970e 100644
--- a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml
@@ -2,88 +2,73 @@ creation_date = "2023/04/26" integration = ["cloud_defend"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New Integration: Cloud Defend" +min_stack_version = "8.8.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] -description = """ -This rule detects commonly abused network utilities running inside a container. Network utilities like nc, nmap, dig, -tcpdump, ngrep, telnet, mitmproxy, zmap can be used for malicious purposes such as network reconnaissance, monitoring, -or exploitation, and should be monitored closely within a container. -""" -false_positives = [ - """ - There is a potential for false positives if the container is used for legitimate tasks that require the use of - network utilities, such as network troubleshooting, testing or system monitoring. It is important to investigate any - alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate - container activity. - """, -] +description = "This rule detects commonly abused network utilities running inside a container. Network utilities like nc, nmap, dig, tcpdump, ngrep, telnet, mitmproxy, zmap can be used for malicious purposes such as network reconnaissance, monitoring, or exploitation, and should be monitored closely within a container." +false_positives = [""" + There is a potential for false positives if the container is used for legitimate tasks that require the use of network utilities, such as network troubleshooting, testing or system monitoring. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity. 
+ """] from = "now-6m" index = ["logs-cloud_defend*"] interval = "5m" language = "eql" license = "Elastic License v2" name = "Suspicious Network Tool Launched Inside A Container" +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Command and Control", "Tactic: Reconnaissance"] risk_score = 47 rule_id = "1a289854-5b78-49fe-9440-8a8096b1ab50" severity = "medium" -tags = [ - "Data Source: Elastic Defend for Containers", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Command and Control", - "Tactic: Reconnaissance", -] timestamp_override = "event.ingested" type = "eql" -query = ''' +query = """ process where container.id: "*" and event.type== "start" and ( (process.name: ("nc", "ncat", "nmap", "dig", "nslookup", "tcpdump", "tshark", "ngrep", "telnet", "mitmproxy", "socat", "zmap", "masscan", "zgrab")) or /*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/ (process.args: ("nc", "ncat", "nmap", "dig", "nslookup", "tcpdump", "tshark", "ngrep", "telnet", "mitmproxy", "socat", "zmap", "masscan", "zgrab")) ) -''' - +""" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1046" -name = "Network Service Discovery" -reference = "https://attack.mitre.org/techniques/T1046/" + [rule.threat.tactic] + id = "TA0007" + reference = "https://attack.mitre.org/tactics/TA0007/" + name = "Discovery" + + [[rule.threat.technique]] + id = "T1046" + reference = "https://attack.mitre.org/techniques/T1046/" + name = "Network Service Discovery" -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1105" -name = "Ingress Tool Transfer" -reference = "https://attack.mitre.org/techniques/T1105/" + 
[rule.threat.tactic] + id = "TA0011" + reference = "https://attack.mitre.org/tactics/TA0011/" + name = "Command and Control" + + [[rule.threat.technique]] + id = "T1105" + reference = "https://attack.mitre.org/techniques/T1105/" + name = "Ingress Tool Transfer" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1595" -name = "Active Scanning" -reference = "https://attack.mitre.org/techniques/T1595/" + [rule.threat.tactic] + id = "TA0043" + reference = "https://attack.mitre.org/tactics/TA0043/" + name = "Reconnaissance" -[rule.threat.tactic] -id = "TA0043" -name = "Reconnaissance" -reference = "https://attack.mitre.org/tactics/TA0043/" - + [[rule.threat.technique]] + id = "T1595" + reference = "https://attack.mitre.org/techniques/T1595/" + name = "Active Scanning" diff --git a/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml b/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml index 24a7ee25a..50f1e3610 100644 --- a/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml 
@@ -2,23 +2,16 @@
 creation_date = "2023/04/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New Integration: Cloud Defend"
+min_stack_version = "8.8.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
-description = """
-This rule detects when a container management binary is run from inside a container. These binaries are critical
-components of many containerized environments, and their presence and execution in unauthorized containers could
-indicate compromise or a misconfiguration.
-"""
-false_positives = [
- """
- There is a potential for false positives if the container is used for legitimate administrative tasks that require
- the use of container management utilities, such as deploying, scaling, or updating containerized applications. It is
- important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity
- or part of legitimate container activity.
- """,
-]
+description = "This rule detects when a container management binary is run from inside a container. These binaries are critical components of many containerized environments, and their presence and execution in unauthorized containers could indicate compromise or a misconfiguration."
+false_positives = ["""
+ There is a potential for false positives if the container is used for legitimate administrative tasks that require the use of container management utilities, such as deploying, scaling, or updating containerized applications. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity.
+ """]
 from = "now-6m"
 index = ["logs-cloud_defend*"]
 interval = "5m"
@@ -28,32 +21,24 @@ name = "Container Management Utility Run Inside A Container" risk_score = 21 rule_id = "6c6bb7ea-0636-44ca-b541-201478ef6b50" severity = "low" -tags = [ - "Data Source: Elastic Defend for Containers", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", -] +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] timestamp_override = "event.ingested" type = "eql" -query = ''' +query = """ process where container.id: "*" and event.type== "start" and process.name: ("dockerd", "docker", "kubelet", "kube-proxy", "kubectl", "containerd", "runc", "systemd", "crictl") -''' - +""" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1609" -name = "Container Administration Command" -reference = "https://attack.mitre.org/techniques/T1609/" + [rule.threat.tactic] + id = "TA0002" + reference = "https://attack.mitre.org/tactics/TA0002/" + name = "Execution" -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - + [[rule.threat.technique]] + id = "T1609" + reference = "https://attack.mitre.org/techniques/T1609/" + name = "Container Administration Command" diff --git a/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml b/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml index 64fb497ec..6a8e4acd1 100644 --- a/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml 
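Review bot: `"systemd"` in the `process.name: ("dockerd", "docker", "kubelet", ... "systemd", "crictl")` list of this query will also match images that legitimately run systemd as their init process (systemd-based base images, some CI runner containers), which is not container-management tooling in the sense of the other names; if that is not intended, drop it or pair it with an exclusion on the container's entrypoint, and if it is intended, say so in `false_positives`. That behaviour is pre-existing, but this hunk is the one that re-emits the query. `+query = """` also switches the delimiter from a TOML literal to a basic multi-line string in which a backslash is an escape sequence; the query contains none today, but `'''` keeps a future pattern from breaking the file.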
@@ -2,15 +2,13 @@
 creation_date = "2023/04/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New Integration: Cloud Defend"
+min_stack_version = "8.8.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
-description = """
-This rule detects when chmod is used to add the execute permission to a file inside a container. Modifying file
-permissions to make a file executable could indicate malicious activity, as an attacker may attempt to run unauthorized
-or malicious code inside the container.
-"""
+description = "This rule detects when chmod is used to add the execute permission to a file inside a container. Modifying file permissions to make a file executable could indicate malicious activity, as an attacker may attempt to run unauthorized or malicious code inside the container."
 from = "now-6m"
 index = ["logs-cloud_defend*"]
 interval = "5m"
@@ -20,53 +18,45 @@ name = "File Made Executable via Chmod Inside A Container" risk_score = 47 rule_id = "ec604672-bed9-43e1-8871-cf591c052550" severity = "medium" -tags = [ - "Data Source: Elastic Defend for Containers", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Defense Evasion", -] +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "eql" -query = ''' +query = """ file where container.id: "*" and event.type in ("change", "creation") and /*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/ (process.name : "chmod" or process.args : "chmod") and process.args : ("*x*", "777", "755", "754", "700") and not process.args: "-x" -''' - +""" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" + [rule.threat.tactic] + id = "TA0002" + reference = "https://attack.mitre.org/tactics/TA0002/" + name = "Execution" -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] + id = "T1059" + reference = "https://attack.mitre.org/techniques/T1059/" + name = "Command and Scripting Interpreter" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1222" -name = "File and Directory Permissions Modification" -reference = "https://attack.mitre.org/techniques/T1222/" -[[rule.threat.technique.subtechnique]] -id = "T1222.002" -name = "Linux and Mac File and Directory Permissions Modification" -reference = "https://attack.mitre.org/techniques/T1222/002/" + [rule.threat.tactic] + id = "TA0005" + reference = "https://attack.mitre.org/tactics/TA0005/" + name = "Defense 
Evasion" + [[rule.threat.technique]] + id = "T1222" + reference = "https://attack.mitre.org/techniques/T1222/" + name = "File and Directory Permissions Modification" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - + [[rule.threat.technique.subtechnique]] + id = "T1222.002" + reference = "https://attack.mitre.org/techniques/T1222/002/" + name = "Linux and Mac File and Directory Permissions Modification" + diff --git a/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml b/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml index 16de26f88..78e59f5f2 100644 --- a/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml +++ b/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml 
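Review bot: `process.args : ("*x*", "777", "755", "754", "700")` in this hunk's query matches any argument containing the letter x, including the target path, so `chmod 644 /tmp/index.html` or `chmod g-w notes.txt` satisfies the condition and only the literal `-x` is excluded; the rule fires on far more than execute-bit additions. Tightening the mode term to something like `process.args : ("+x", "*+*x*", "777", "775", "755", "754", "750", "711", "700")` keeps the `u+x`/`a+rx` forms and drops incidental path matches (a path containing `+` would still match `*+*x*`). This is pre-existing logic rather than something the commit introduces; the commit's `+query = """` does change the delimiter to a TOML basic string in which backslashes are escapes, so `'''` remains the safer choice for the query body.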
@@ -2,16 +2,17 @@ creation_date = "2023/05/12" integration = ["cloud_defend"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New Integration: Cloud Defend" +min_stack_version = "8.8.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] description = """ This rule detects interactive 'exec' events launched against a container using the 'exec' command. Using the 'exec' -command in a pod allows a user to establish a temporary shell session and execute any process/command inside the -container. This rule specifically targets higher-risk interactive commands that allow real-time interaction with a -container's shell. A malicious actor could use this level of access to further compromise the container environment or -attempt a container breakout. +command in a pod allows a user to establish a temporary shell session and execute any process/command inside the container. +This rule specifically targets higher-risk interactive commands that allow real-time interaction with a container's shell. +A malicious actor could use this level of access to further compromise the container environment or attempt a container breakout. """ false_positives = [ """ @@ -36,13 +37,7 @@ references = [ risk_score = 73 rule_id = "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1" severity = "high" -tags = [ - "Data Source: Elastic Defend for Containers", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", -] +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] timestamp_override = "event.ingested" type = "eql" 
@@ -62,24 +57,23 @@ process.interactive == true [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" + [rule.threat.tactic] + id = "TA0002" + reference = "https://attack.mitre.org/tactics/TA0002/" + name = "Execution" -[[rule.threat.technique]] -id = "T1609" -name = "Container Administration Command" -reference = "https://attack.mitre.org/techniques/T1609/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] + id = "T1059" + reference = "https://attack.mitre.org/techniques/T1059/" + name = "Command and Scripting Interpreter" + [[rule.threat.technique.subtechnique]] + id = "T1059.004" + reference = "https://attack.mitre.org/techniques/T1059/004/" + name = "Unix Shell" + + [[rule.threat.technique]] + id = "T1609" + name = "Container Administration Command" + reference = "https://attack.mitre.org/techniques/T1609/" diff --git a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml b/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml index 55c5ccec6..12ba616f3 100644 --- a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml 
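Review bot: In the rebuilt `[[rule.threat]]` table the last technique is written as `+ id = "T1609"` / `+ name = "Container Administration Command"` / `+ reference = "https://attack.mitre.org/techniques/T1609/"`, while the T1059 entry and its subtechnique immediately above use the order `id`, `reference`, `name`; pick one key order for all three entries. TOML does not care, but a consistent order keeps future diffs of these tables readable, so swap the last two lines of the T1609 entry. The hunk's heading is `process.interactive == true`, so the query body lies outside this hunk.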
@@ -2,19 +2,16 @@ creation_date = "2023/04/26" integration = ["cloud_defend"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New Integration: Cloud Defend" +min_stack_version = "8.8.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] -description = """ -This rule detects when an interactive shell is spawned inside a running container. This could indicate a potential -container breakout attempt or an attacker's attempt to gain unauthorized access to the underlying host. -""" -false_positives = [ - """ - Legitimate users and processes, such as system administration tools, may utilize shell utilities inside a container - resulting in false positives. - """, +description = "This rule detects when an interactive shell is spawned inside a running container. This could indicate a potential container breakout attempt or an attacker's attempt to gain unauthorized access to the underlying host." +false_positives = [""" + Legitimate users and processes, such as system administration tools, may utilize shell utilities inside a container resulting in false positives. + """ ] from = "now-6m" index = ["logs-cloud_defend*"] @@ -22,20 +19,14 @@ interval = "5m" language = "eql" license = "Elastic License v2" name = "Suspicious Interactive Shell Spawned From Inside A Container" +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] risk_score = 73 rule_id = "8d3d0794-c776-476b-8674-ee2e685f6470" severity = "high" -tags = [ - "Data Source: Elastic Defend for Containers", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", -] timestamp_override = "event.ingested" type = "eql" -query = ''' +query = """ process where container.id: "*" and event.type== "start" and 
@@ -46,24 +37,22 @@ event.action in ("fork", "exec") and event.action != "end" (process.executable: "*/*sh" and process.args: ("-i", "-it")) or process.args: "*/*sh" ) -''' - +""" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" + [rule.threat.tactic] + id = "TA0002" + reference = "https://attack.mitre.org/tactics/TA0002/" + name = "Execution" + [[rule.threat.technique]] + id = "T1059" + reference = "https://attack.mitre.org/techniques/T1059/" + name = "Command and Scripting Interpreter" -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - + [[rule.threat.technique.subtechnique]] + id = "T1059.004" + reference = "https://attack.mitre.org/techniques/T1059/004/" + name = "Unix Shell" diff --git a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml index c739bdcdc..3557818cd 100644 --- a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml 
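Review bot: `process.args: "*/*sh"` at the end of this query matches any argument that has a `/` somewhere before a trailing `sh`, e.g. `/etc/ssh` or `/opt/mesh`, not only shell binaries, which is a pre-existing false-positive source that the `+query = """` rewrap carries forward unchanged. Consider constraining it to known shells, e.g. `process.args : ("*/bash", "*/sh", "*/zsh", "*/dash", "*/ash", "*/ksh")`, or requiring the interactive flags as the `process.executable` branch above it does. The `"""` delimiter is also a TOML basic string in which backslashes become escapes; prefer `'''` for EQL bodies. The query starts outside the hunk.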
@@ -2,23 +2,16 @@
 creation_date = "2023/04/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New Integration: Cloud Defend"
+min_stack_version = "8.8.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
-description = """
-This rule detects an established netcat listener running inside a container. Netcat is a utility used for reading and
-writing data across network connections, and it can be used for malicious purposes such as establishing a backdoor for
-persistence or exfiltrating data.
-"""
-false_positives = [
- """
- There is a potential for false positives if the container is used for legitimate tasks that require the use of
- netcat, such as network troubleshooting, testing or system monitoring. It is important to investigate any alerts
- generated by this rule to determine if they are indicative of malicious activity or part of legitimate container
- activity.
- """,
-]
+description = "This rule detects an established netcat listener running inside a container. Netcat is a utility used for reading and writing data across network connections, and it can be used for malicious purposes such as establishing a backdoor for persistence or exfiltrating data."
+false_positives = ["""
+ There is a potential for false positives if the container is used for legitimate tasks that require the use of netcat, such as network troubleshooting, testing or system monitoring. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity.
+ """]
 from = "now-6m"
 index = ["logs-cloud_defend*"]
 interval = "5m"
@@ -28,17 +21,11 @@ name = "Netcat Listener Established Inside A Container" risk_score = 73 rule_id = "a52a9439-d52c-401c-be37-2785235c6547" severity = "high" -tags = [ - "Data Source: Elastic Defend for Containers", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", -] +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] timestamp_override = "event.ingested" type = "eql" -query = ''' +query = """ process where container.id: "*" and event.type== "start" and event.action in ("fork", "exec") and ( @@ -51,24 +38,22 @@ process.args: ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") /* bind shell to specific port */ or process.args:("-*l*", "--listen", "-*p*", "--source-port") ) -''' - +""" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" + [rule.threat.tactic] + id = "TA0002" + reference = "https://attack.mitre.org/tactics/TA0002/" + name = "Execution" + [[rule.threat.technique]] + id = "T1059" + reference = "https://attack.mitre.org/techniques/T1059/" + name = "Command and Scripting Interpreter" -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - + [[rule.threat.technique.subtechnique]] + id = "T1059.004" + reference = "https://attack.mitre.org/techniques/T1059/004/" + name = "Unix Shell" diff --git a/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml b/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml index d4cdae3dc..09e02b6b1 100644 
--- a/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml +++ b/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml @@ -2,20 +2,21 @@ creation_date = "2023/05/12" integration = ["cloud_defend"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New Integration: Cloud Defend" +min_stack_version = "8.8.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] description = """ -This rule detects an incoming SSH connection established inside a running container. Running an ssh daemon inside a -container should be avoided and monitored closely if necessary. If an attacker gains valid credentials they can use it -to gain initial access or establish persistence within a compromised environment. +This rule detects an incoming SSH connection established inside a running container. Running an ssh daemon inside +a container should be avoided and monitored closely if necessary. If an attacker gains valid credentials they can use +it to gain initial access or establish persistence within a compromised environment. """ -false_positives = [ - """ - SSH usage may be legitimate depending on the environment. Access patterns and follow-on activity should be analyzed - to distinguish between authorized and potentially malicious behavior. - """, +false_positives = [""" + SSH usage may be legitimate depending on the environment. + Access patterns and follow-on activity should be analyzed to distinguish between authorized and potentially malicious behavior. + """ ] from = "now-6m" index = ["logs-cloud_defend*"] 
@@ -23,20 +24,13 @@ interval = "5m" language = "eql" license = "Elastic License v2" name = "SSH Connection Established Inside A Running Container" -references = [ +references = [ "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container/", ] risk_score = 73 rule_id = "f5488ac1-099e-4008-a6cb-fb638a0f0828" severity = "high" -tags = [ - "Data Source: Elastic Defend for Containers", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Lateral Movement", -] +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement"] timestamp_override = "event.ingested" type = "eql" @@ -61,11 +55,12 @@ id = "T1133" name = "External Remote Services" reference = "https://attack.mitre.org/techniques/T1133/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -77,10 +72,7 @@ id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml b/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml index 5ed644ebe..3b63f7787 100644 --- a/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml +++ b/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml 
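Review bot: In the `@@ -23,20 +24,13 @@` hunk the `references = [` line is removed and re-added with no visible difference, which in this rendering presumably means trailing whitespace was introduced on the new side; the `@@ -24,21 +24,14 @@` hunk of lateral_movement_ssh_process_launched_inside_a_container.toml shows the same pair. Strip the trailing whitespace so the line is exactly `references = [` and it drops out of the diff. The two `[rule.threat]` hunks below only move blank lines between the tactic and technique tables and change nothing in the MITRE mapping, so if the project's TOML formatter normalizes spacing, running it would likely make those hunks disappear as well.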
@@ -2,21 +2,21 @@ creation_date = "2023/05/12" integration = ["cloud_defend"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New Integration: Cloud Defend" +min_stack_version = "8.8.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] description = """ -This rule detects an SSH or SSHD process executed from inside a container. This includes both the client ssh binary and -server ssh daemon process. SSH usage inside a container should be avoided and monitored closely when necessary. With -valid credentials an attacker may move laterally to other containers or to the underlying host through container -breakout. They may also use valid SSH credentials as a persistence mechanism. +This rule detects an SSH or SSHD process executed from inside a container. This includes both the client ssh binary and server ssh daemon process. +SSH usage inside a container should be avoided and monitored closely when necessary. With valid credentials an attacker may move laterally to +other containers or to the underlying host through container breakout. They may also use valid SSH credentials as a persistence mechanism. """ -false_positives = [ - """ - SSH usage may be legitimate depending on the environment. Access patterns and follow-on activity should be analyzed - to distinguish between authorized and potentially malicious behavior. - """, +false_positives = [""" + SSH usage may be legitimate depending on the environment. + Access patterns and follow-on activity should be analyzed to distinguish between authorized and potentially malicious behavior. + """ ] from = "now-6m" index = ["logs-cloud_defend*"] 
@@ -24,21 +24,14 @@ interval = "5m" language = "eql" license = "Elastic License v2" name = "SSH Process Launched From Inside A Container" -references = [ +references = [ "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container/", "https://www.blackhillsinfosec.com/sshazam-hide-your-c2-inside-of-ssh/", ] risk_score = 73 rule_id = "03a514d9-500e-443e-b6a9-72718c548f6c" severity = "high" -tags = [ - "Data Source: Elastic Defend for Containers", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Tactic: Persistence", -] +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence"] timestamp_override = "event.ingested" type = "eql" @@ -60,12 +53,11 @@ id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -73,7 +65,6 @@ id = "T1133" name = "External Remote Services" reference = "https://attack.mitre.org/techniques/T1133/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml index 30220e18f..9e40863fb 100644 --- a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml +++ b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml 
@@ -2,15 +2,17 @@ creation_date = "2023/05/12" integration = ["cloud_defend"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New Integration: Cloud Defend" +min_stack_version = "8.8.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] description = """ -This rule detects the creation or modification of an authorized_keys or sshd_config file inside a container. The Secure -Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. -Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s). Unexpected and -unauthorized SSH usage inside a container can be an indicator of compromise and should be investigated. +This rule detects the creation or modification of an authorized_keys or sshd_config file inside a container. +The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. +Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s). +Unexpected and unauthorized SSH usage inside a container can be an indicator of compromise and should be investigated. """ from = "now-6m" index = ["logs-cloud_defend*"] @@ -21,14 +23,7 @@ name = "SSH Authorized Keys File Modified Inside a Container" risk_score = 73 rule_id = "f7769104-e8f9-4931-94a2-68fc04eadec3" severity = "high" -tags = [ - "Data Source: Elastic Defend for Containers", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Lateral Movement", -] +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Lateral Movement"] timestamp_override = "event.ingested" type = "eql" 
@@ -49,24 +44,15 @@ id = "T1098.004" name = "SSH Authorized Keys" reference = "https://attack.mitre.org/techniques/T1098/004/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + + + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" -[[rule.threat.technique.subtechnique]] -id = "T1021.004" -name = "SSH" -reference = "https://attack.mitre.org/techniques/T1021/004/" - - [[rule.threat.technique]] id = "T1563" name = "Remote Service Session Hijacking" @@ -76,10 +62,16 @@ id = "T1563.001" name = "SSH Hijacking" reference = "https://attack.mitre.org/techniques/T1563/001/" - +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.004" +name = "SSH" +reference = "https://attack.mitre.org/techniques/T1021/004/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml index e02c4778a..7d3c3b6c2 100644 --- a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml +++ b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml @@ -2,7 +2,9 @@ creation_date = "2023/10/26" integration = ["cloud_defend"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New Integration: Cloud Defend" +min_stack_version = "8.8.0" +updated_date = "2023/12/18" [rule] author = ["Elastic"] 
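Review bot: In the `@@ -76,10 +62,16 @@` hunk the new side lists the `T1563` technique before `T1021` under the Lateral Movement threat, whereas the removed side (and the other cloud_defend rules in this diff) kept techniques sorted by id; unless the ordering is deliberate, move the `T1021` / `T1021.004` tables back above `T1563`. The preceding `@@ -49,24 +44,15 @@` hunk also inserts three consecutive blank lines after the Persistence `[rule.threat.tactic]` table. Neither change alters the rule's query or its tactic/technique ids, but both make the file diverge from the normalized layout the removed side had, and will presumably churn again the next time the rules are regenerated.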
diff --git a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml index 8c44e8b3c..5b9bb8a9d 100644 --- a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml +++ b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml @@ -2,7 +2,9 @@ creation_date = "2023/10/26" integration = ["cloud_defend"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New Integration: Cloud Defend" +min_stack_version = "8.8.0" +updated_date = "2023/12/14" [rule] author = ["Elastic"] diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml index 014a64956..59d455b44 100644 --- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml +++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml @@ -2,8 +2,10 @@ creation_date = "2021/06/23" integration = ["cyberarkpas"] maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] 
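Review bot: In the `@@ -2,8 +2,10 @@` hunk of privilege_escalation_cyberarkpas_error_audit_event_promotion.toml the new side places `updated_date = "2023/06/22"` before `promotion = true`, so the `[metadata]` keys are no longer in alphabetical order (the removed side had `promotion` followed by `updated_date`); the matching hunk of privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml has the same misordering. Move the line after `promotion = true` so the tail of the table reads `min_stack_version = "8.3.0"`, `promotion = true`, `updated_date = "2023/06/22"`. The re-added `min_stack_version = "8.3.0"` is what gates these promotion rules to 8.3 and later stacks, so it is worth confirming that value is the intended floor before merging.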
@@ -33,12 +35,7 @@ risk_score = 73 rule_id = "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54" rule_name_override = "event.action" severity = "high" -tags = [ - "Data Source: CyberArk PAS", - "Use Case: Log Auditing", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", -] +tags = ["Data Source: CyberArk PAS", "Use Case: Log Auditing", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml index 4fd99826f..9c63474aa 100644 --- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml +++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml @@ -2,8 +2,10 @@ creation_date = "2021/06/23" integration = ["cyberarkpas"] maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -33,12 +35,7 @@ risk_score = 73 rule_id = "c5f81243-56e0-47f9-b5bb-55a5ed89ba57" rule_name_override = "event.action" severity = "high" -tags = [ - "Data Source: CyberArk PAS", - "Use Case: Log Auditing", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", -] +tags = ["Data Source: CyberArk PAS", "Use Case: Log Auditing", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml index 55bf68afc..0291e6813 100644 
--- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml @@ -2,7 +2,9 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New rule" +min_stack_version = "8.9.0" +updated_date = "2023/12/12" [rule] anomaly_threshold = 75 @@ -17,13 +19,6 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "ded_high_sent_bytes_destination_geo_country_iso_code" name = "Potential Data Exfiltration Activity to an Unusual ISO Code" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/ded", - "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration", -] -risk_score = 21 -rule_id = "e1db8899-97c1-4851-8993-3a3265353601" setup = """## Setup The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). 
@@ -50,6 +45,13 @@ Before you can enable rules for Data Exfiltration Detection, you'll need to enab - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/ded", + "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration", +] +risk_score = 21 +rule_id = "e1db8899-97c1-4851-8993-3a3265353601" severity = "low" tags = [ "Use Case: Data Exfiltration Detection", diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml index 88a012b6e..71f7de4c7 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml @@ -2,7 +2,9 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New rule" +min_stack_version = "8.9.0" +updated_date = "2023/12/12" [rule] anomaly_threshold = 75 
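Review bot: In the `@@ -50,6 +45,13 @@` hunk, `references`, `risk_score` and `rule_id` are moved from their alphabetical position before `setup` to after the `setup` multiline string, leaving the `[rule]` table out of key order (`name`, `setup`, `references`, `risk_score`, `rule_id`, `severity`). Every other ded and dga rule in this diff receives the same relocation through its paired `@@ -17,13 ...` / `@@ -50,6 ...` style hunks (destination_ip, destination_port, destination_region_name, written_to_external_device, external_device_airdrop, rare_process_writing_to_external_device, dga_activity_using_sunburst_domain and dga_high_sum_probability). The values themselves are unchanged, so this is purely layout; if the intent is to match the output of the project's TOML serializer, say so in the commit description, otherwise keep the keys where the removed side had them so `rule_id` and `risk_score` stay near the top of the table where reviewers look for them.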
@@ -17,13 +19,6 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "ded_high_sent_bytes_destination_ip" name = "Potential Data Exfiltration Activity to an Unusual IP Address" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/ded", - "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration", -] -risk_score = 21 -rule_id = "cc653d77-ddd2-45b1-9197-c75ad19df66c" setup = """## Setup The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). @@ -50,6 +45,13 @@ Before you can enable rules for Data Exfiltration Detection, you'll need to enab - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/ded", + "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration", +] +risk_score = 21 +rule_id = "cc653d77-ddd2-45b1-9197-c75ad19df66c" severity = "low" tags = [ "Use Case: Data Exfiltration Detection", diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml index 20d6850ca..7d5b38f04 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml 
@@ -2,7 +2,9 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New rule" +min_stack_version = "8.9.0" +updated_date = "2023/12/12" [rule] anomaly_threshold = 75 @@ -16,13 +18,6 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "ded_high_sent_bytes_destination_port" name = "Potential Data Exfiltration Activity to an Unusual Destination Port" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/ded", - "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration", -] -risk_score = 21 -rule_id = "ef8cc01c-fc49-4954-a175-98569c646740" setup = """## Setup The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). @@ -49,6 +44,13 @@ Before you can enable rules for Data Exfiltration Detection, you'll need to enab - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/ded", + "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration", +] +risk_score = 21 +rule_id = "ef8cc01c-fc49-4954-a175-98569c646740" severity = "low" tags = [ "Use Case: Data Exfiltration Detection", 
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml index 1a3e7ef85..697084409 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml @@ -2,7 +2,9 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New rule" +min_stack_version = "8.9.0" +updated_date = "2023/12/12" [rule] anomaly_threshold = 75 @@ -17,13 +19,6 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "ded_high_sent_bytes_destination_region_name" name = "Potential Data Exfiltration Activity to an Unusual Region" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/ded", - "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration", -] -risk_score = 21 -rule_id = "bfba5158-1fd6-4937-a205-77d96213b341" setup = """## Setup The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). 
@@ -50,6 +45,13 @@ Before you can enable rules for Data Exfiltration Detection, you'll need to enab - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/ded", + "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration", +] +risk_score = 21 +rule_id = "bfba5158-1fd6-4937-a205-77d96213b341" severity = "low" tags = [ "Use Case: Data Exfiltration Detection", diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml index b62f5b169..a560d7cd2 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml @@ -2,7 +2,9 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New rule" +min_stack_version = "8.9.0" +updated_date = "2023/12/12" [rule] anomaly_threshold = 75 
@@ -17,13 +19,6 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "ded_high_bytes_written_to_external_device" name = "Spike in Bytes Sent to an External Device" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/ded", - "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration", -] -risk_score = 21 -rule_id = "35a3b253-eea8-46f0-abd3-68bdd47e6e3d" setup = """## Setup The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). @@ -49,6 +44,13 @@ Before you can enable rules for Data Exfiltration Detection, you'll need to enab - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/ded", + "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration", +] +risk_score = 21 +rule_id = "35a3b253-eea8-46f0-abd3-68bdd47e6e3d" severity = "low" tags = [ "Use Case: Data Exfiltration Detection", diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml index d484668f8..7a30d8d9b 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml 
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml @@ -2,7 +2,9 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New rule" +min_stack_version = "8.9.0" +updated_date = "2023/12/12" [rule] anomaly_threshold = 75 @@ -18,13 +20,6 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "ded_high_bytes_written_to_external_device_airdrop" name = "Spike in Bytes Sent to an External Device via Airdrop" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/ded", - "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration", -] -risk_score = 21 -rule_id = "e92c99b6-c547-4bb6-b244-2f27394bc849" setup = """## Setup The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). @@ -50,6 +45,13 @@ Before you can enable rules for Data Exfiltration Detection, you'll need to enab - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/ded", + "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration", +] +risk_score = 21 +rule_id = "e92c99b6-c547-4bb6-b244-2f27394bc849" severity = "low" tags = [ "Use Case: Data Exfiltration Detection", 
diff --git a/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml index fc98cc66a..cdc7a88d3 100644 --- a/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml +++ b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml @@ -2,7 +2,9 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New rule" +min_stack_version = "8.9.0" +updated_date = "2023/12/12" [rule] anomaly_threshold = 75 @@ -17,13 +19,6 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "ded_rare_process_writing_to_external_device" name = "Unusual Process Writing Data to an External Device" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/ded", - "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration", -] -risk_score = 21 -rule_id = "4b95ecea-7225-4690-9938-2a2c0bad9c99" setup = """## Setup The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). 
@@ -49,6 +44,13 @@ Before you can enable rules for Data Exfiltration Detection, you'll need to enab - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/ded", + "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration", +] +risk_score = 21 +rule_id = "4b95ecea-7225-4690-9938-2a2c0bad9c99" severity = "low" tags = [ "Use Case: Data Exfiltration Detection", diff --git a/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml b/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml index 47b2a9d99..d6550b0d4 100644 --- a/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml +++ b/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml @@ -2,7 +2,9 @@ creation_date = "2023/09/14" integration = ["dga", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "DGA package job ID and rule removal updates" +min_stack_version = "8.9.0" +updated_date = "2023/12/12" [rule] author = ["Elastic"] 
@@ -15,13 +17,6 @@ index = ["logs-endpoint.events.*", "logs-network_traffic.*"] language = "kuery" license = "Elastic License v2" name = "Machine Learning Detected DGA activity using a known SUNBURST DNS domain" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/dga", - "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration", -] -risk_score = 99 -rule_id = "bcaa15ce-2d41-44d7-a322-918f9db77766" setup = """## Setup The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. @@ -68,6 +63,13 @@ Before you can enable this rule, you'll need to enrich DNS events with predictio } ``` """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/dga", + "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration", +] +risk_score = 99 +rule_id = "bcaa15ce-2d41-44d7-a322-918f9db77766" severity = "critical" tags = [ "Domain: Network", diff --git a/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml b/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml index 0830449ff..76e884d76 100644 --- a/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml +++ b/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml @@ -2,7 +2,9 @@ creation_date = "2023/09/14" integration = ["dga", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "DGA package job ID and rule removal updates" +min_stack_version = "8.9.0" +updated_date = "2023/12/12" [rule] anomaly_threshold = 70 
@@ -17,13 +19,6 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "dga_high_sum_probability" name = "Potential DGA Activity" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/dga", - "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration", -] -risk_score = 21 -rule_id = "ff0d807d-869b-4a0d-a493-52bc46d2f1b1" setup = """## Setup The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. @@ -77,6 +72,13 @@ Before you can enable this rule, you'll need to enable the corresponding Anomaly - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/dga/kibana/ml_module/dga-ml.json) configuration file, you will see a card for DGA under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/dga", + "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration", +] +risk_score = 21 +rule_id = "ff0d807d-869b-4a0d-a493-52bc46d2f1b1" severity = "low" tags = [ "Use Case: Domain Generation Algorithm Detection", diff --git a/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml b/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml index dca1fb0b3..88007164d 100644 --- a/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml +++ b/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml 
@@ -2,7 +2,9 @@ creation_date = "2023/09/14" integration = ["dga", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "DGA package job ID and rule removal updates" +min_stack_version = "8.9.0" +updated_date = "2023/12/12" [rule] author = ["Elastic"] @@ -15,13 +17,6 @@ index = ["logs-endpoint.events.*", "logs-network_traffic.*"] language = "kuery" license = "Elastic License v2" name = "Machine Learning Detected a DNS Request With a High DGA Probability Score" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/dga", - "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration", -] -risk_score = 21 -rule_id = "da7f5803-1cd4-42fd-a890-0173ae80ac69" setup = """## Setup The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. @@ -68,6 +63,13 @@ Before you can enable this rule, you'll need to enrich DNS events with predictio } ``` """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/dga", + "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration", +] +risk_score = 21 +rule_id = "da7f5803-1cd4-42fd-a890-0173ae80ac69" severity = "low" tags = [ "Domain: Network", diff --git a/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml b/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml index ef50f1011..79e0bc018 100644 --- a/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml +++ b/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml 
@@ -2,7 +2,9 @@ creation_date = "2023/09/14" integration = ["dga", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "DGA package job ID and rule removal updates" +min_stack_version = "8.9.0" +updated_date = "2023/12/12" [rule] author = ["Elastic"] @@ -15,13 +17,6 @@ index = ["logs-endpoint.events.*", "logs-network_traffic.*"] language = "kuery" license = "Elastic License v2" name = "Machine Learning Detected a DNS Request Predicted to be a DGA Domain" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/dga", - "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration", -] -risk_score = 21 -rule_id = "f3403393-1fd9-4686-8f6e-596c58bc00b4" setup = """## Setup The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. @@ -68,6 +63,13 @@ Before you can enable this rule, you'll need to enrich DNS events with predictio } ``` """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/dga", + "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration", +] +risk_score = 21 +rule_id = "f3403393-1fd9-4686-8f6e-596c58bc00b4" severity = "low" tags = [ "Domain: Network", diff --git a/rules/integrations/endpoint/elastic_endpoint_security.toml b/rules/integrations/endpoint/elastic_endpoint_security.toml index 7353bf7fc..ddc45fe68 100644 --- a/rules/integrations/endpoint/elastic_endpoint_security.toml +++ b/rules/integrations/endpoint/elastic_endpoint_security.toml 
@@ -2,8 +2,10 @@ creation_date = "2020/07/08" integration = ["endpoint"] maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml index 3d33d2ee9..afc316a77 100644 --- a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml +++ b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/23" integration = ["gcp"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -29,13 +31,7 @@ references = ["https://cloud.google.com/pubsub/docs/overview"] risk_score = 21 rule_id = "d62b64a8-a7c9-43e5-aee3-15a725a794e7" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Log Auditing", - "Tactic: Collection", -] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Collection"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml index 701fd52c7..de979e300 100644 --- a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml +++ b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml 
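Review bot: In elastic_endpoint_security.toml the new `updated_date = "2024/05/13"` is inserted before `promotion = true`, while every other metadata block in this diff keeps `updated_date` as the last key after the `min_stack_*` fields. TOML does not care about key order, but if the rule serializer that wrote the other files orders these keys, the next save will move it again and produce a spurious diff; placing it after `promotion = true` keeps the file consistent with its siblings. This is the only file in the diff where the key order differs, which may be worth a glance to confirm it was intentional.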
@@ -2,7 +2,9 @@ creation_date = "2020/09/23" integration = ["gcp"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -29,13 +31,7 @@ references = ["https://cloud.google.com/pubsub/docs/admin"] risk_score = 21 rule_id = "a10d3d9d-0f65-48f1-8b25-af175e2594f5" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Log Auditing", - "Tactic: Collection", -] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Collection"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml index bf65a769b..f19f55da1 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -32,13 +34,7 @@ references = [ risk_score = 21 rule_id = "30562697-9859-4ae0-a8c5-dab45d664170" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml index 2bd5d9305..68d787f49 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -31,13 +33,7 @@ references = [ risk_score = 47 rule_id = "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml index ae5126fc5..3f219874a 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] 
@@ -32,13 +34,7 @@ references = [ risk_score = 47 rule_id = "2783d84f-5091-4d7d-9319-9fceda8fa71b" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml index a9e9ba235..5e66bedff 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -31,13 +33,7 @@ references = ["https://cloud.google.com/logging/docs/buckets", "https://cloud.go risk_score = 47 rule_id = "5663b693-0dea-4f2e-8275-f1ae5ff2de8e" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Log Auditing", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml index 3b91941b1..cb5235891 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/09/18" integration = ["gcp"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -29,13 +31,7 @@ references = ["https://cloud.google.com/logging/docs/export"] risk_score = 47 rule_id = "51859fa0-d86b-4214-bf48-ebb30ed91305" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Log Auditing", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml index d81d4f1c7..03c2b9b4a 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/23" integration = ["gcp"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -29,13 +31,7 @@ references = ["https://cloud.google.com/pubsub/docs/overview"] risk_score = 21 rule_id = "cc89312d-6f47-48e4-a87c-4977bd4633c3" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Log Auditing", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml index b0c2ba3b6..df8980906 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/18" integration = ["gcp"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -29,13 +31,7 @@ references = ["https://cloud.google.com/pubsub/docs/overview"] risk_score = 21 rule_id = "3202e172-01b1-4738-a932-d024c514ba72" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Log Auditing", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml index 58c3e1614..b1f8119e7 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] 
@@ -27,13 +29,7 @@ references = ["https://cloud.google.com/storage/docs/key-terms#buckets"] risk_score = 47 rule_id = "97359fd8-757d-4b1d-9af1-ef29e4a8680e" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Identity and Access Audit", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml index 5aa2543b2..93d434aa0 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -28,13 +30,7 @@ references = ["https://cloud.google.com/storage/docs/access-control/iam-permissi risk_score = 47 rule_id = "2326d1b2-9acf-4dee-bd21-867ea7378b4d" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Identity and Access Audit", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml index ae837651b..9d7467ce9 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -29,13 +31,7 @@ references = ["https://cloud.google.com/vpc/docs/vpc"] risk_score = 47 rule_id = "c58c3081-2e1d-4497-8491-e73a45d1a6d6" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml index 14e579912..d8ab78834 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] 
@@ -29,13 +31,7 @@ references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google. risk_score = 21 rule_id = "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml index b0b775a5f..9084f33dc 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -29,13 +31,7 @@ references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google. risk_score = 47 rule_id = "a17bcc91-297b-459b-b5ce-bc7460d8f82a" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml index c1b0254c4..28408b639 100644 
--- a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml +++ b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -29,13 +31,7 @@ references = ["https://cloud.google.com/logging/docs/export#how_sinks_work"] risk_score = 21 rule_id = "184dfe52-2999-42d9-b9d1-d1ca54495a61" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Log Auditing", - "Tactic: Exfiltration", -] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Exfiltration"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml index c999c7eeb..4bd608d68 100644 --- a/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml +++ b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] 
@@ -29,13 +31,7 @@ references = ["https://cloud.google.com/iam/docs/understanding-roles"] risk_score = 21 rule_id = "e2fb5b18-e33c-4270-851e-c3d675c9afcd" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Identity and Access Audit", - "Tactic: Impact", -] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Impact"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/gcp/impact_gcp_service_account_deleted.toml b/rules/integrations/gcp/impact_gcp_service_account_deleted.toml index 7f30b45a1..15b278eef 100644 --- a/rules/integrations/gcp/impact_gcp_service_account_deleted.toml +++ b/rules/integrations/gcp/impact_gcp_service_account_deleted.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -30,13 +32,7 @@ references = ["https://cloud.google.com/iam/docs/service-accounts"] risk_score = 47 rule_id = "8fb75dda-c47a-4e34-8ecd-34facf7aad13" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Identity and Access Audit", - "Tactic: Impact", -] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Impact"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/gcp/impact_gcp_service_account_disabled.toml b/rules/integrations/gcp/impact_gcp_service_account_disabled.toml index 034f249af..5f4640b98 100644 --- a/rules/integrations/gcp/impact_gcp_service_account_disabled.toml +++ b/rules/integrations/gcp/impact_gcp_service_account_disabled.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -30,13 +32,7 @@ references = ["https://cloud.google.com/iam/docs/service-accounts"] risk_score = 47 rule_id = "bca7d28e-4a48-47b1-adb7-5074310e9a61" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Identity and Access Audit", - "Tactic: Impact", -] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Impact"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml index cfc19dbb1..b4c74cf81 100644 --- a/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml +++ b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] diff --git a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml index fbf520545..a412746fc 100644 --- a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml +++ b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -29,13 +31,7 @@ references = ["https://cloud.google.com/iam/docs/understanding-custom-roles"] risk_score = 47 rule_id = "aa8007f0-d1df-49ef-8520-407857594827" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Identity and Access Audit", - "Tactic: Initial Access", -] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Initial Access"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml index 18048b305..894d12936 100644 --- a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml +++ b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -33,13 +35,7 @@ references = [ risk_score = 21 rule_id = "9890ee61-d061-403d-9bf6-64934c51f638" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Identity and Access Audit", - "Tactic: Persistence", -] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Persistence"] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml index 07b969e6a..8ee735064 100644 --- a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml +++ b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -34,13 +36,7 @@ references = [ risk_score = 21 rule_id = "0e5acaae-6a64-4bbc-adb8-27649c03f7e1" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Use Case: Identity and Access Audit", - "Tactic: Persistence", -] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Persistence"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/gcp/persistence_gcp_service_account_created.toml b/rules/integrations/gcp/persistence_gcp_service_account_created.toml index b929f9b69..4207b15ff 100644 --- a/rules/integrations/gcp/persistence_gcp_service_account_created.toml +++ b/rules/integrations/gcp/persistence_gcp_service_account_created.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" [rule] author = ["Elastic"] 
@@ -31,13 +33,7 @@ references = ["https://cloud.google.com/iam/docs/service-accounts"]
 risk_score = 21
 rule_id = "7ceb2216-47dd-4e64-9433-cddc99727623"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: GCP",
- "Data Source: Google Cloud Platform",
- "Use Case: Identity and Access Audit",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml b/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
index d85163a5c..d38ee9496 100644
--- a/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
+++ b/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
@@ -2,15 +2,18 @@
 creation_date = "2023/08/29"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/30"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules can be
-used to enforce certain workflows or requirements before a contributor can push changes to a branch in your repository.
-Changes to these protected branch settings should be investigated and verified as legitimate activity. Unauthorized
-changes could be used to lower your organization's security posture and leave you exposed for future attacks.
+This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules
+can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in
+your repository. Changes to these protected branch settings should be investigated and verified as legitimate
+activity. Unauthorized changes could be used to lower your organization's security posture and leave you exposed
+for future attacks.
 """
 from = "now-9m"
 index = ["logs-github.audit-*"]
@@ -23,13 +26,11 @@ severity = "medium"
 tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Github"]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 configuration where event.dataset == "github.audit"
- and github.category == "protected_branch" and event.type == "change"
+ and github.category == "protected_branch" and event.type == "change"
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/integrations/github/execution_github_app_deleted.toml b/rules/integrations/github/execution_github_app_deleted.toml
index b49bc9b33..891c18175 100644
--- a/rules/integrations/github/execution_github_app_deleted.toml
+++ b/rules/integrations/github/execution_github_app_deleted.toml
@@ -2,11 +2,15 @@
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/11"
 
 [rule]
 author = ["Elastic"]
-description = "Detects the deletion of a GitHub app either from a repo or an organization.\n"
+description = """
+Detects the deletion of a GitHub app either from a repo or an organization.
+"""
 from = "now-9m"
 index = ["logs-github.audit-*"]
 language = "eql"
@@ -15,7 +19,11 @@ name = "GitHub App Deleted"
 risk_score = 21
 rule_id = "fd01b949-81be-46d5-bcf8-284395d5f56d"
 severity = "low"
-tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Github"]
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Github"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -23,7 +31,6 @@ query = '''
 configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion"
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -36,4 +43,3 @@ reference = "https://attack.mitre.org/techniques/T1648/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
index 85da5ced6..dfa81e027 100644
--- a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
+++ b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
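Review bot: The new `tags` layout in the `@@ -15,7 +19,11 @@` hunk puts the first item on the `tags = [` line, drops the trailing comma and indents the closing `]`, which matches neither the single-line form the removed line had nor the one-item-per-line form the rest of the repository uses; the gcp and google_workspace files in this same change flatten `tags` to one line instead. Pick one layout for the whole change — either keep the single line `tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Github"]` or use one item per line with a trailing comma and an unindented `]`. The same hanging layout appears in the `tags` hunks of the other github rule files further down this chunk.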
@@ -2,13 +2,14 @@
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to GitHub Integration"
+min_stack_version = "8.8.0"
+updated_date = "2023/12/14"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects a high number of unique private repo clone events originating from a single personal access token within a short
-time period.
+Detects a high number of unique private repo clone events originating from a single personal access token within a short time period.
 """
 from = "now-6m"
 index = ["logs-github.audit-*"]
@@ -18,13 +19,12 @@ name = "High Number of Cloned GitHub Repos From PAT"
 risk_score = 21
 rule_id = "fb0afac5-bbd6-49b0-b4f8-44e5381e1587"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Use Case: Threat Detection",
- "Use Case: UEBA",
- "Tactic: Execution",
- "Data Source: Github",
-]
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Execution",
+ "Data Source: Github"
+ ]
 timestamp_override = "event.ingested"
 type = "threshold"
@@ -34,7 +34,6 @@ github.programmatic_access_type:("OAuth access token" or "Fine-grained personal
 github.repository_public:false
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -51,8 +50,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [rule.threshold]
 field = ["github.hashed_token"]
 value = 1
+
 [[rule.threshold.cardinality]]
 field = "github.repo"
 value = 10
-
-
diff --git a/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml b/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml
index b055bbe42..2908f7b3e 100644
--- a/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml
+++ b/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml
@@ -1,14 +1,17 @@
 [metadata]
 creation_date = "2023/12/14"
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/12/18"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack", and leverages alert data to determine when
-multiple alerts are executed by the same user in a timespan of one hour. Analysts can use this to prioritize triage and
-response, as these alerts are a higher indicator of compromised user accounts or PATs.
+This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack", and leverages alert data to
+determine when multiple alerts are executed by the same user in a timespan of one hour.
+Analysts can use this to prioritize triage and response, as these alerts are a higher indicator of compromised user
+accounts or PATs.
 """
 from = "now-60m"
 index = [".alerts-security.*"]
@@ -18,14 +21,13 @@ name = "GitHub UEBA - Multiple Alerts from a GitHub Account"
 risk_score = 47
 rule_id = "929223b4-fba3-4a1c-a943-ec4716ad23ec"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Use Case: Threat Detection",
- "Use Case: UEBA",
- "Tactic: Execution",
- "Rule Type: Higher-Order Rule",
- "Data Source: Github",
-]
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Execution",
+ "Rule Type: Higher-Order Rule",
+ "Data Source: Github"
+ ]
 timestamp_override = "event.ingested"
 type = "threshold"
@@ -33,7 +35,6 @@ query = '''
 signal.rule.tags:("Use Case: UEBA" and "Data Source: Github") and kibana.alert.workflow_status:"open"
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -45,8 +46,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [rule.threshold]
 field = ["user.name"]
 value = 1
+
 [[rule.threshold.cardinality]]
 field = "signal.rule.name"
 value = 5
-
-
diff --git a/rules/integrations/github/execution_new_github_app_installed.toml b/rules/integrations/github/execution_new_github_app_installed.toml
index 8d63b58be..2d07e6bb6 100644
--- a/rules/integrations/github/execution_new_github_app_installed.toml
+++ b/rules/integrations/github/execution_new_github_app_installed.toml
@@ -2,16 +2,18 @@
 creation_date = "2023/08/29"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/03"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects when a new GitHub App has been installed in your organization account. GitHub Apps extend GitHub's
-functionality both within and outside of GitHub. When an app is installed it is granted permissions to read or modify
-your repository and organization data. Only trusted apps should be installed and any newly installed apps should be
-investigated to verify their legitimacy. Unauthorized app installation could lower your organization's security posture
-and leave you exposed for future attacks.
+This rule detects when a new GitHub App has been installed in your organization account.
+GitHub Apps extend GitHub's functionality both within and outside of GitHub.
+When an app is installed it is granted permissions to read or modify your repository and organization data.
+Only trusted apps should be installed and any newly installed apps should be investigated to verify their legitimacy.
+Unauthorized app installation could lower your organization's security posture and leave you exposed for future attacks.
 """
 from = "now-9m"
 index = ["logs-github.audit-*"]
@@ -24,12 +26,10 @@ severity = "medium"
 tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Github"]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 configuration where event.dataset == "github.audit" and event.action == "integration_installation.create"
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -38,6 +38,7 @@ name = "Software Deployment Tools"
 reference = "https://attack.mitre.org/techniques/T1072/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/integrations/github/impact_github_repository_deleted.toml b/rules/integrations/github/impact_github_repository_deleted.toml
index c75c9c689..9eebd68ae 100644
--- a/rules/integrations/github/impact_github_repository_deleted.toml
+++ b/rules/integrations/github/impact_github_repository_deleted.toml
@@ -2,15 +2,19 @@
 creation_date = "2023/08/29"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/12/14"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects when a GitHub repository is deleted within your organization. Repositories are a critical component
-used within an organization to manage work, collaborate with others and release products to the public. Any delete
-action against a repository should be investigated to determine it's validity. Unauthorized deletion of organization
-repositories could cause irreversible loss of intellectual property and indicate compromise within your organization.
+This rule detects when a GitHub repository is deleted within your organization.
+Repositories are a critical component used within an organization to manage work,
+collaborate with others and release products to the public. Any delete action against
+a repository should be investigated to determine it's validity. Unauthorized deletion
+of organization repositories could cause irreversible loss of intellectual property and
+indicate compromise within your organization.
 """
 from = "now-9m"
 index = ["logs-github.audit-*"]
@@ -20,21 +24,18 @@ name = "GitHub Repository Deleted"
 risk_score = 47
 rule_id = "345889c4-23a8-4bc0-b7ca-756bd17ce83b"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Use Case: Threat Detection",
- "Use Case: UEBA",
- "Tactic: Impact",
- "Data Source: Github",
-]
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Impact",
+ "Data Source: Github"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 configuration where event.module == "github" and event.action == "repo.destroy"
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -43,8 +44,8 @@ name = "Data Destruction"
 reference = "https://attack.mitre.org/techniques/T1485/"
+
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
diff --git a/rules/integrations/github/persistence_github_org_owner_added.toml b/rules/integrations/github/persistence_github_org_owner_added.toml
index df89d4bd0..7fd963c9f 100644
--- a/rules/integrations/github/persistence_github_org_owner_added.toml
+++ b/rules/integrations/github/persistence_github_org_owner_added.toml
@@ -2,14 +2,16 @@
 creation_date = "2023/09/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/12/14"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects when a new member is added to a GitHub organization as an owner. This role provides admin level privileges. Any
-new owner roles should be investigated to determine it's validity. Unauthorized owner roles could indicate compromise
-within your organization and provide unlimited access to data and settings.
+Detects when a new member is added to a GitHub organization as an owner.
+This role provides admin level privileges. Any new owner roles should be investigated to determine it's validity.
+Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.
 """
 from = "now-9m"
 index = ["logs-github.audit-*"]
@@ -19,21 +21,18 @@ name = "New GitHub Owner Added"
 risk_score = 47
 rule_id = "24401eca-ad0b-4ff9-9431-487a8e183af9"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Use Case: Threat Detection",
- "Use Case: UEBA",
- "Tactic: Persistence",
- "Data Source: Github",
-]
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Persistence",
+ "Data Source: Github"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 iam where event.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin"
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -46,7 +45,6 @@ name = "Cloud Account"
 reference = "https://attack.mitre.org/techniques/T1136/003/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/integrations/github/persistence_organization_owner_role_granted.toml b/rules/integrations/github/persistence_organization_owner_role_granted.toml
index 7c31e5261..08adb6849 100644
--- a/rules/integrations/github/persistence_organization_owner_role_granted.toml
+++ b/rules/integrations/github/persistence_organization_owner_role_granted.toml
@@ -2,14 +2,16 @@
 creation_date = "2023/09/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/12/14"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects when a member is granted the organization owner role of a GitHub organization. This role provides
-admin level privileges. Any new owner role should be investigated to determine its validity. Unauthorized owner roles
-could indicate compromise within your organization and provide unlimited access to data and settings.
+This rule detects when a member is granted the organization owner role of a GitHub organization.
+This role provides admin level privileges. Any new owner role should be investigated to determine its validity.
+Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.
 """
 from = "now-9m"
 index = ["logs-github.audit-*"]
@@ -19,21 +21,18 @@ name = "GitHub Owner Role Granted To User"
 risk_score = 47
 rule_id = "9b343b62-d173-4cfd-bd8b-e6379f964ca4"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Use Case: Threat Detection",
- "Use Case: UEBA",
- "Tactic: Persistence",
- "Data Source: Github",
-]
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Persistence",
+ "Data Source: Github"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin"
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -46,7 +45,6 @@ name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
index 3b0bb139b..87875196e 100644
--- a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
+++ b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/24"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking changes for Google Workspace integration."
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -80,12 +82,7 @@ references = ["https://support.google.com/a/answer/1247799?hl=en"]
 risk_score = 47
 rule_id = "07b5f85a-240f-11ed-b3d9-f661ea17fbce"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: Google Workspace",
- "Tactic: Collection",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Collection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml b/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
index 2f9485b97..0cfba8bdd 100644
--- a/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
+++ b/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/09/13"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking changes for Google Workspace integration."
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -80,12 +82,7 @@ references = ["https://support.google.com/a/answer/2685650?hl=en"]
 risk_score = 47
 rule_id = "9510add4-3392-11ed-bd01-f661ea17fbce"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: Google Workspace",
- "Tactic: Collection",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Collection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml b/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml
index 32ca30997..32f0a1a92 100644
--- a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml
+++ b/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/03/21"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking changes for Google Workspace integration."
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
index 422ba0189..98380cea7 100644
--- a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
+++ b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/25"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking changes for Google Workspace integration."
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -88,7 +90,7 @@ tags = [
 "Data Source: Google Workspace",
 "Use Case: Configuration Audit",
 "Resources: Investigation Guide",
- "Tactic: Defense Evasion",
+ "Tactic: Defense Evasion"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
index 1b92225d2..f97647f94 100644
--- a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
+++ b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking changes for Google Workspace integration."
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -83,7 +85,7 @@ tags = [
 "Data Source: Google Workspace",
 "Use Case: Configuration Audit",
 "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
+ "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
index e16f5f512..073d40ed6 100644
--- a/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
+++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/09/06"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking changes for Google Workspace integration."
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -83,7 +85,7 @@ tags = [
 "Data Source: Google Workspace",
 "Use Case: Configuration Audit",
 "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
+ "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
index 600ad3278..703af0aef 100644
--- a/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
+++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
@@ -2,19 +2,18 @@
 creation_date = "2023/03/30"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking changes for Google Workspace integration."
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects the first time a third-party application logs in and authenticated with OAuth. OAuth is used to grant
-permissions to specific resources and services in Google Workspace. Compromised credentials or service accounts could
-allow an adversary to authenticate to Google Workspace as a valid user and inherit their privileges.
+Detects the first time a third-party application logs in and authenticated with OAuth. OAuth is used to grant permissions to specific resources and services in Google Workspace. Compromised credentials or service accounts could allow an adversary to authenticate to Google Workspace as a valid user and inherit their privileges.
 """
 false_positives = [
 """
- Developers may leverage third-party applications for legitimate purposes in Google Workspace such as for
- administrative tasks.
+ Developers may leverage third-party applications for legitimate purposes in Google Workspace such as for administrative tasks.
 """,
 ]
 from = "now-130m"
@@ -68,6 +67,7 @@ reference = "https://attack.mitre.org/techniques/T1550/001/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -89,8 +89,7 @@ reference = "https://attack.mitre.org/tactics/TA0001/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["google_workspace.token.client.id"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-15d"
-
-
+value = "now-15d"
\ No newline at end of file
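Review bot: The new side of the last hunk (`@@ -89,8 +89,7 @@`) ends with `+value = "now-15d"` followed by `\ No newline at end of file`, so this rule file loses its terminating newline while every other file in the change keeps one. Files without a final newline trip POSIX-style text tooling and produce a spurious diff on that line the next time the file is edited. Keep `value = "now-15d"` followed by a newline; the two removed blank lines above it can still go.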
diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml
index 771d2750a..5e34dce62 100644
--- a/rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml
+++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/25"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking changes for Google Workspace integration."
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -92,7 +94,7 @@ tags = [
 "Data Source: Google Workspace",
 "Use Case: Configuration Audit",
 "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
+ "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml b/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml
index 65f289b26..d369794ed 100644
--- a/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml
+++ b/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml
@@ -2,8 +2,10 @@
 creation_date = "2023/01/15"
 integration = ["google_workspace"]
 maturity = "production"
+min_stack_comments = "Google Workspace feature only present in 8.4+ stack versions"
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 promotion = true
-updated_date = "2024/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -36,12 +38,7 @@ risk_score = 73
 rule_id = "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc"
 rule_name_override = "google_workspace.alert.type"
 severity = "high"
-tags = [
- "Domain: Cloud",
- "Data Source: Google Workspace",
- "Use Case: Log Auditing",
- "Use Case: Threat Detection",
-]
+tags = ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Log Auditing", "Use Case: Threat Detection"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -49,23 +46,21 @@ query = '''
 event.dataset: google_workspace.alert
 '''
-
 [[rule.severity_mapping]]
 field = "google_workspace.alert.metadata.severity"
+value = "LOW"
 operator = "equals"
 severity = "low"
-value = "LOW"
 [[rule.severity_mapping]]
 field = "google_workspace.alert.metadata.severity"
+value = "MEDIUM"
 operator = "equals"
 severity = "medium"
-value = "MEDIUM"
 [[rule.severity_mapping]]
 field = "google_workspace.alert.metadata.severity"
+value = "HIGH"
 operator = "equals"
 severity = "high"
-value = "HIGH"
-
diff --git a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
index 747f1ff2f..14aedf960 100644
--- a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
+++ b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking changes for Google Workspace integration."
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -83,7 +85,7 @@ tags = [
 "Data Source: Google Workspace",
 "Use Case: Identity and Access Audit",
 "Tactic: Impact",
- "Resources: Investigation Guide",
+ "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
index 9999e04f1..482baaafd 100644
--- a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
+++ b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking changes for Google Workspace integration."
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
index c023a887b..74015523b 100644
--- a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
+++ b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/02/16"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking changes for Google Workspace integration."
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/initial_access_google_workspace_object_copied_from_external_drive_and_access_granted_to_custom_application.toml b/rules/integrations/google_workspace/initial_access_google_workspace_object_copied_from_external_drive_and_access_granted_to_custom_application.toml
index 73a01ef94..3d9429701 100644
--- a/rules/integrations/google_workspace/initial_access_google_workspace_object_copied_from_external_drive_and_access_granted_to_custom_application.toml
+++ b/rules/integrations/google_workspace/initial_access_google_workspace_object_copied_from_external_drive_and_access_granted_to_custom_application.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/03/07"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking changes for Google Workspace integration."
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -89,12 +91,7 @@ references = [
 risk_score = 47
 rule_id = "f33e68a4-bd19-11ed-b02f-f661ea17fbcc"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: Google Workspace",
- "Tactic: Initial Access",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Initial Access", "Resources: Investigation Guide"]
 type = "eql"
 query = '''
diff --git a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
index 379476c08..76b673f2d 100644
--- a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
+++ b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking changes for Google Workspace integration."
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -40,12 +42,7 @@ references = ["https://support.google.com/a/answer/1110339"]
 risk_score = 21
 rule_id = "00678712-b2df-11ed-afe9-f661ea17fbcc"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Data Source: Google Workspace",
- "Use Case: Identity and Access Audit",
- "Tactic: Initial Access",
-]
+tags = ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Tactic: Initial Access"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
index d7eb4ce55..d59bb7ceb 100644
--- a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
+++ b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking changes for Google Workspace integration."
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -87,7 +89,7 @@ tags = [
 "Data Source: Google Workspace",
 "Use Case: Configuration Audit",
 "Tactic: Persistence",
- "Resources: Investigation Guide",
+ "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml
index 0d47da77d..9a5cac6ae 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/26"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking changes for Google Workspace integration."
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -87,7 +89,7 @@ tags = [
 "Data Source: Google Workspace",
 "Use Case: Configuration Audit",
 "Tactic: Persistence",
- "Resources: Investigation Guide",
+ "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
index 78b80ba64..a99d25729 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking changes for Google Workspace integration."
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -90,7 +92,7 @@ tags = [
 "Data Source: Google Workspace",
 "Use Case: Identity and Access Audit",
 "Tactic: Persistence",
- "Resources: Investigation Guide",
+ "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
index eb8bc2a62..570539eeb 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/12"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking changes for Google Workspace integration."
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -81,13 +83,7 @@ references = ["https://developers.google.com/admin-sdk/directory/v1/guides/deleg
 risk_score = 47
 rule_id = "acbc8bb9-2486-49a8-8779-45fb5f9a93ee"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: Google Workspace",
- "Use Case: Identity and Access Audit",
- "Resources: Investigation Guide",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
index 1a5b51af5..770238e7a 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking changes for Google Workspace integration."
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -83,13 +85,7 @@ references = ["https://support.google.com/a/answer/2406043?hl=en"]
 risk_score = 47
 rule_id = "ad3f2807-2b3e-47d7-b282-f84acbbe14be"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: Google Workspace",
- "Use Case: Identity and Access Audit",
- "Resources: Investigation Guide",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
index 6181ee74c..21f071d54 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.4.0"
+updated_date = "2023/04/12"
 [rule]
 author = ["Elastic"]
@@ -85,7 +87,7 @@ tags = [
 "Data Source: Google Workspace",
 "Use Case: Identity and Access Audit",
 "Tactic: Persistence",
- "Resources: Investigation Guide",
+ "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
index fae520fa6..672b61c78 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking changes for Google Workspace integration."
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -85,13 +87,7 @@ references = ["https://support.google.com/a/answer/2406043?hl=en"]
 risk_score = 47
 rule_id = "6f435062-b7fc-4af9-acea-5b1ead65c5a5"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: Google Workspace",
- "Use Case: Identity and Access Audit",
- "Resources: Investigation Guide",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
index bec056960..fc0fc2576 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/09/06"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking changes for Google Workspace integration."
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -89,7 +91,7 @@ tags = [
 "Data Source: Google Workspace",
 "Use Case: Configuration Audit",
 "Tactic: Persistence",
- "Resources: Investigation Guide",
+ "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
index 098cfa615..5a0fc0bd2 100644
--- a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
+++ b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking changes for Google Workspace integration."
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -83,7 +85,7 @@ tags = [
 "Data Source: Google Workspace",
 "Use Case: Identity and Access Audit",
 "Tactic: Persistence",
- "Resources: Investigation Guide",
+ "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
index 50e54311e..b04db4c49 100644
--- a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
+++ b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/09/13"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
index d0589a903..2c1f88b33 100644
--- a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
+++ b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/06/30"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
index 1c134a8e0..083439142 100644
--- a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
+++ b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/05/17"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
index 2fd9df0a9..6da38310c 100644
--- a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
+++ b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
@@ -2,7 +2,10 @@
 creation_date = "2022/09/13"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2023/06/23"
+
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
index 84e57ae7e..2d6496307 100644
--- a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
+++ b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml b/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
index ab1756c91..6389cbb8e 100644
--- a/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/09/20"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
index 6b67122e5..6b261fa4c 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
index e1e7005a6..770e16e07 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
index 49a1dec62..d40d9a87a 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
index 20c8c1865..b91cc2315 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/07/11"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
index f1f93659d..39639d75a 100644
--- a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
index 051c4b214..97e333ac0 100644
--- a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/09/13"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
index fdac1aa8b..57b927c85 100644
--- a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "LMD package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/12/12"
 [rule]
 anomaly_threshold = 70
@@ -17,14 +19,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_high_mean_rdp_process_args"
 name = "High Mean of Process Arguments in an RDP Session"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/lmd",
- "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
- "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
-]
-risk_score = 21
-rule_id = "36c48a0c-c63a-4cbc-aee1-8cac87db31a9"
 setup = """## Setup
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
@@ -51,6 +45,14 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd",
+ "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+ "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "36c48a0c-c63a-4cbc-aee1-8cac87db31a9"
 severity = "low"
 tags = [
 "Use Case: Lateral Movement Detection",
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml
index 619c08ec2..c88ed4a04 100644
--- a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "LMD package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/12/12"
 [rule]
 anomaly_threshold = 70
@@ -17,14 +19,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_high_mean_rdp_session_duration"
 name = "High Mean of RDP Session Duration"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/lmd",
- "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
- "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
-]
-risk_score = 21
-rule_id = "a74c60cb-70ee-4629-a127-608ead14ebf1"
 setup = """## Setup
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
@@ -51,6 +45,14 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd",
+ "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+ "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "a74c60cb-70ee-4629-a127-608ead14ebf1"
 severity = "low"
 tags = [
 "Use Case: Lateral Movement Detection",
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml
index f2930aca5..cec48ce96 100644
--- a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "LMD package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/12/12"
 [rule]
 anomaly_threshold = 70
@@ -18,14 +20,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_high_file_size_remote_file_transfer"
 name = "Unusual Remote File Size"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/lmd",
- "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
- "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
-]
-risk_score = 21
-rule_id = "0678bc9c-b71a-433b-87e6-2f664b6b3131"
 setup = """## Setup
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
@@ -51,6 +45,14 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd",
+ "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+ "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "0678bc9c-b71a-433b-87e6-2f664b6b3131"
 severity = "low"
 tags = [
 "Use Case: Lateral Movement Detection",
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml
index f2072d40f..83e027be2 100644
--- a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "LMD package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/12/12"
 [rule]
 anomaly_threshold = 70
@@ -17,14 +19,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_high_var_rdp_session_duration"
 name = "High Variance in RDP Session Duration"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/lmd",
- "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
- "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
-]
-risk_score = 21
-rule_id = "a8d35ca0-ad8d-48a9-9f6c-553622dca61a"
 setup = """## Setup
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
@@ -51,6 +45,14 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd",
+ "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+ "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "a8d35ca0-ad8d-48a9-9f6c-553622dca61a"
 severity = "low"
 tags = [
 "Use Case: Lateral Movement Detection",
diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml
index 283fd1785..8528ef1ce 100644
--- a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "LMD package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/12/12"
 [rule]
 anomaly_threshold = 70
@@ -17,14 +19,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_rare_file_path_remote_transfer"
 name = "Unusual Remote File Directory"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/lmd",
- "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
- "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
-]
-risk_score = 21
-rule_id = "be4c5aed-90f5-4221-8bd5-7ab3a4334751"
 setup = """## Setup
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
@@ -50,6 +44,14 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl
 - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
 - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
 """
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd",
+ "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+ "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "be4c5aed-90f5-4221-8bd5-7ab3a4334751"
 severity = "low"
 tags = [
 "Use Case: Lateral Movement Detection",
diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml
index fad3bd17f..1e67d54e0 100644
--- a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "LMD package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/12/12"
 [rule]
 anomaly_threshold = 70
@@ -16,14 +18,6 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "lmd_rare_file_extension_remote_transfer" name = "Unusual Remote File Extension" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/lmd", - "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", - "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", -] -risk_score = 21 -rule_id = "814d96c7-2068-42aa-ba8e-fe0ddd565e2e" setup = """## Setup The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. @@ -49,6 +43,14 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", +] +risk_score = 21 +rule_id = "814d96c7-2068-42aa-ba8e-fe0ddd565e2e" severity = "low" tags = [ "Use Case: Lateral Movement Detection", diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml index 0c1dccd6c..6717d596f 100644 
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml +++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml @@ -2,7 +2,9 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "LMD package job ID and rule removal updates" +min_stack_version = "8.9.0" +updated_date = "2023/12/12" [rule] anomaly_threshold = 70 @@ -17,14 +19,6 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "lmd_high_rdp_distinct_count_destination_ip_for_source" name = "Spike in Number of Connections Made from a Source IP" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/lmd", - "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", - "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", -] -risk_score = 21 -rule_id = "3e0561b5-3fac-4461-84cc-19163b9aaa61" setup = """## Setup The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. 
@@ -51,6 +45,14 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", +] +risk_score = 21 +rule_id = "3e0561b5-3fac-4461-84cc-19163b9aaa61" severity = "low" tags = [ "Use Case: Lateral Movement Detection", diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml index d3193f054..e9812f200 100644 --- a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml +++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml @@ -2,7 +2,9 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "LMD package job ID and rule removal updates" +min_stack_version = "8.9.0" +updated_date = "2023/12/12" [rule] anomaly_threshold = 70 
@@ -17,14 +19,6 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "lmd_high_rdp_distinct_count_source_ip_for_destination" name = "Spike in Number of Connections Made to a Destination IP" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/lmd", - "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", - "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", -] -risk_score = 21 -rule_id = "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc" setup = """## Setup The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. @@ -51,6 +45,14 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", +] +risk_score = 21 +rule_id = "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc" severity = "low" tags = [ "Use Case: Lateral Movement Detection", diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml index cdb15b8e9..f9f27d852 100644 
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml +++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml @@ -2,7 +2,9 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "LMD package job ID and rule removal updates" +min_stack_version = "8.9.0" +updated_date = "2023/12/12" [rule] anomaly_threshold = 70 @@ -16,14 +18,6 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "lmd_high_sum_rdp_number_of_processes" name = "Spike in Number of Processes in an RDP Session" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/lmd", - "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", - "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", -] -risk_score = 21 -rule_id = "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03" setup = """## Setup The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. 
@@ -50,6 +44,14 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", +] +risk_score = 21 +rule_id = "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03" severity = "low" tags = [ "Use Case: Lateral Movement Detection", diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml index 7abc56dfe..23f283148 100644 --- a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml +++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml @@ -2,7 +2,9 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "LMD package job ID and rule removal updates" +min_stack_version = "8.9.0" +updated_date = "2023/12/12" [rule] anomaly_threshold = 70 
@@ -18,14 +20,6 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "lmd_high_count_remote_file_transfer" name = "Spike in Remote File Transfers" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/lmd", - "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", - "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", -] -risk_score = 21 -rule_id = "e9b0902b-c515-413b-b80b-a8dcebc81a66" setup = """## Setup The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. @@ -51,6 +45,14 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", +] +risk_score = 21 +rule_id = "e9b0902b-c515-413b-b80b-a8dcebc81a66" severity = "low" tags = [ "Use Case: Lateral Movement Detection", diff --git a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml index d16f9cba3..8819bf40e 100644 --- a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml 
+++ b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml @@ -2,7 +2,9 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "LMD package job ID and rule removal updates" +min_stack_version = "8.9.0" +updated_date = "2023/12/12" [rule] anomaly_threshold = 70 @@ -17,14 +19,6 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "lmd_unusual_time_weekday_rdp_session_start" name = "Unusual Time or Day for an RDP Session" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/lmd", - "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", - "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", -] -risk_score = 21 -rule_id = "3f4e2dba-828a-452a-af35-fe29c5e78969" setup = """## Setup The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. 
@@ -51,6 +45,14 @@ Before you can enable rules for Lateral Movement Detection, you'll need to enabl - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds. """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security", +] +risk_score = 21 +rule_id = "3f4e2dba-828a-452a-af35-fe29c5e78969" severity = "low" tags = [ "Use Case: Lateral Movement Detection", diff --git a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml index 9cd9d0b44..332e71150 100644 --- a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml +++ b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml @@ -2,7 +2,9 @@ creation_date = "2021/03/29" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic", "Gary Blackwell", "Austin Songer"] diff --git a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml index eefc98fb4..862240ebb 100644 --- a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml 
+++ b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/30" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic", "Willem D'Haese", "Austin Songer"] @@ -28,14 +30,9 @@ references = ["https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-u risk_score = 73 rule_id = "26f68dba-ce29-497b-8e13-b4fde1db5a2d" severity = "high" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Identity and Access Audit", - "Tactic: Credential Access", -] -timestamp_override = "event.ingested" +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"] type = "threshold" +timestamp_override = "event.ingested" query = ''' event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and diff --git a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml index 697a0f771..b709ca3de 100644 --- a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml +++ b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/01" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic"] 
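Review bot: On the new side the collapsed `tags` line is followed by `type = "threshold"` and only then `timestamp_override = "event.ingested"`, so this file is no longer in alphabetical key order, while the other o365 hunks in this diff (for example the DLP policy rule) keep `timestamp_override` before `type`. The same reordering appears in the potential_password_spraying_attack and user_excessive_sso_logon_errors hunks. If the rule writer normalizes key order on save these three files will churn again on the next touch; keeping `timestamp_override` ahead of `type` as in the other files would avoid that and keep the diff a pure restore of the metadata block.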
@@ -28,14 +30,9 @@ The Office 365 Logs Fleet integration, Filebeat module, or similarly structured risk_score = 73 rule_id = "3efee4f0-182a-40a8-a835-102c68a4175d" severity = "high" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Identity and Access Audit", - "Tactic: Credential Access", -] -timestamp_override = "event.ingested" +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"] type = "threshold" +timestamp_override = "event.ingested" query = ''' event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and diff --git a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml index f74a123e3..58d24cb04 100644 --- a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml +++ b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml @@ -2,7 +2,9 @@ creation_date = "2021/05/17" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic", "Austin Songer"] 
@@ -27,14 +29,9 @@ The Office 365 Logs Fleet integration, Filebeat module, or similarly structured risk_score = 73 rule_id = "2de10e77-c144-4e69-afb7-344e7127abd0" severity = "high" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Identity and Access Audit", - "Tactic: Credential Access", -] -timestamp_override = "event.ingested" +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"] type = "threshold" +timestamp_override = "event.ingested" query = ''' event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:"SsoArtifactInvalidOrExpired" diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml index 77bc6a6df..8f99baefd 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml +++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/20" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic"] @@ -31,12 +33,7 @@ references = [ risk_score = 47 rule_id = "60f3adec-1df9-4104-9c75-b97d9f078b25" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml index ec5a1d9bb..c160e5ed5 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml +++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic"] @@ -31,12 +33,7 @@ references = [ risk_score = 47 rule_id = "d743ff2a-203e-4a46-a3e3-40512cfe8fbb" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml index 3a8e0b506..b7384af5a 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml +++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic"] 
@@ -31,12 +33,7 @@ references = [ risk_score = 47 rule_id = "ca79768e-40e1-4e45-a097-0e5fbc876ac2" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml index 9d9933ff3..df89e34c0 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml +++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic"] @@ -31,12 +33,7 @@ references = [ risk_score = 21 rule_id = "03024bd9-d23f-4ec1-8674-3cf1a21e130b" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Defense Evasion", -] +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml index c702bee9a..147b3d4a3 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml +++ b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml 
@@ -2,7 +2,9 @@ creation_date = "2022/01/13" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic"] diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml index b000de68c..4cb6fe52e 100644 --- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml +++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/18" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic"] diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml index 1d3f8d659..b765b5575 100644 --- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml +++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic"] diff --git a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml index d249e245d..d562df516 100644 --- a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml 
+++ b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml @@ -2,7 +2,9 @@ creation_date = "2021/07/15" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Austin Songer"] diff --git a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml index 91ff9f588..288995e6a 100644 --- a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml +++ b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml @@ -2,7 +2,9 @@ creation_date = "2021/07/15" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Austin Songer"] diff --git a/rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml b/rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml index 517c52cf4..90fe94c86 100644 --- a/rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml +++ b/rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml @@ -2,7 +2,9 @@ creation_date = "2023/07/18" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/05/15" [rule] author = ["Elastic"] 
@@ -32,20 +34,15 @@ note = """## Triage and analysis - User changing of ClientAppId or new connection post an extended period of leave. - If the total number of accessed Mailboxes by ClientAppId is too high there is a high chance it's a false positive. """ -references = ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a"] -risk_score = 47 -rule_id = "48819484-9826-4083-9eba-1da74cd0eaf2" setup = """## Setup The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. """ +references = ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a"] +risk_score = 47 +rule_id = "48819484-9826-4083-9eba-1da74cd0eaf2" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Initial Access", -] +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"] timestamp_override = "event.ingested" type = "new_terms" @@ -110,11 +107,10 @@ id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [rule.new_terms] field = "new_terms_fields" value = ["o365.audit.ClientAppId"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-25d" - - diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml index 197226743..c08ab9f66 100644 --- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml +++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic"] @@ -32,12 +34,7 @@ references = [ risk_score = 47 rule_id = "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Initial Access", -] +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml index 71db20bf4..61782f361 100644 --- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml +++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic"] @@ -32,12 +34,7 @@ references = [ risk_score = 47 rule_id = "97314185-2568-4561-ae81-f3e480e5e695" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Configuration Audit", - "Tactic: Initial Access", -] +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml index c0734782b..a9b2dd6b3 100644 --- a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml +++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/18" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Elastic"] @@ -31,12 +33,7 @@ references = [ risk_score = 47 rule_id = "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2" severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Identity and Access Audit", - "Tactic: Initial Access", -] +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Initial Access"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml index 9eb423152..0453d71ad 100644 --- a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml +++ b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml @@ -2,7 +2,9 @@ creation_date = "2021/07/15" integration = ["o365"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration." +min_stack_version = "8.8.0" +updated_date = "2024/04/02" [rule] author = ["Austin Songer"] 
@@ -27,12 +29,7 @@ references = [
 risk_score = 47
 rule_id = "0136b315-b566-482f-866c-1d8e2477ba16"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: Microsoft 365",
- "Use Case: Configuration Audit",
- "Tactic: Initial Access",
-]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
index 0b96dcaff..90c76c255 100644
--- a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
+++ b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/12"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
+min_stack_version = "8.8.0"
+updated_date = "2024/04/02"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
index 1e1792287..52de44169 100644
--- a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
+++ b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/10"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
+min_stack_version = "8.8.0"
+updated_date = "2024/04/02"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
index 4ba15633d..480d23d76 100644
--- a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
+++ b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/10"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
+min_stack_version = "8.8.0"
+updated_date = "2024/04/02"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
index 348964efd..e62ba72b5 100644
--- a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
+++ b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/05/17"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
+min_stack_version = "8.8.0"
+updated_date = "2024/04/02"
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml b/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml
index 90ef11635..daf801209 100644
--- a/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/18"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
+min_stack_version = "8.8.0"
+updated_date = "2024/04/02"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
index d445e6723..d3c597049 100644
--- a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/20"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
+min_stack_version = "8.8.0"
+updated_date = "2024/04/02"
 [rule]
 author = ["Elastic"]
@@ -31,12 +33,7 @@ references = [
 risk_score = 47
 rule_id = "98995807-5b09-4e37-8a54-5cae5dc932d7"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: Microsoft 365",
- "Use Case: Identity and Access Audit",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
index 821b0bf2f..94cfa6187 100644
--- a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/06"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
+min_stack_version = "8.8.0"
+updated_date = "2024/04/02"
 [rule]
 author = ["Elastic"]
@@ -27,12 +29,7 @@ references = [
 risk_score = 47
 rule_id = "88671231-6626-4e1b-abb7-6e361a171fbb"
 severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: Microsoft 365",
- "Use Case: Identity and Access Audit",
- "Tactic: Persistence",
-]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml b/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml
index a8da34138..e4a143449 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/30"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
+min_stack_version = "8.8.0"
+updated_date = "2024/04/02"
 [rule]
 author = ["Elastic"]
@@ -29,7 +31,12 @@ references = ["https://docs.microsoft.com/en-us/microsoftteams/platform/concepts
 risk_score = 47
 rule_id = "bbd1a775-8267-41fa-9232-20e5582596ac"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Configuration Audit",
+ "Tactic: Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
index a47f63526..a5288bc40 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/30"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
+min_stack_version = "8.8.0"
+updated_date = "2024/04/02"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
index cad302f36..03d0fdbd6 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/20"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
+min_stack_version = "8.8.0"
+updated_date = "2024/04/02"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
index 5e7873a45..7cc85cff0 100644
--- a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
+++ b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/05/17"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
+min_stack_version = "8.8.0"
+updated_date = "2024/04/02"
 [rule]
 author = ["Austin Songer"]
@@ -28,12 +30,7 @@ references = [ risk_score = 21 rule_id = "684554fc-0777-47ce-8c9b-3d01f198d7f8" severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Use Case: Identity and Access Audit", - "Tactic: Privilege Escalation", -] +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml index 7a71526db..5f546571c 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml @@ -2,7 +2,9 @@ creation_date = "2023/09/19" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "LotL package job ID and rule removal updates" +min_stack_version = "8.9.0" +updated_date = "2024/04/01" [rule] anomaly_threshold = 75 @@ -18,13 +20,6 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "problem_child_rare_process_by_host" name = "Unusual Process Spawned by a Host" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/problemchild", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", -] -risk_score = 21 -rule_id = "56004189-4e69-4a39-b4a9-195329d226e9" setup = """## Setup The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
@@ -80,6 +75,13 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: If the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and check whether any ProblemChild predictions have been generated. - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", +] +risk_score = 21 +rule_id = "56004189-4e69-4a39-b4a9-195329d226e9" severity = "low" tags = [ "Domain: Endpoint", diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml index eda57d043..08116f76b 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml @@ -2,7 +2,9 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "LotL package job ID and rule removal updates" +min_stack_version = "8.9.0" +updated_date = "2024/04/01" [rule] anomaly_threshold = 75 
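Review bot: The re-added `references`, `risk_score` and `rule_id` keys now sit after the multi-line `setup` string instead of in the alphabetical position the removed lines occupied (between `name` and `setup`). TOML does not care about key order inside a table, so the parsed rule is unchanged, but every other rule in this diff keeps its `[rule]` keys alphabetically sorted, which looks like the output of the project's rule writer; if that is the case this ordering will flip back on the next regeneration and produce noise in a later diff. The same relocation appears in each of the other problemchild rules below, so if it is intentional a one-line rationale in the commit message would help.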
@@ -18,13 +20,6 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "problem_child_rare_process_by_parent" name = "Unusual Process Spawned by a Parent Process" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/problemchild", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", -] -risk_score = 21 -rule_id = "ea09ff26-3902-4c53-bb8e-24b7a5d029dd" setup = """## Setup The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. @@ -80,6 +75,13 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet. - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", +] +risk_score = 21 +rule_id = "ea09ff26-3902-4c53-bb8e-24b7a5d029dd" severity = "low" tags = [ "Domain: Endpoint", 
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml index c9039de7f..1f3913154 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml @@ -2,7 +2,9 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "LotL package job ID and rule removal updates" +min_stack_version = "8.9.0" +updated_date = "2024/04/01" [rule] anomaly_threshold = 75 @@ -19,13 +21,6 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "problem_child_rare_process_by_user" name = "Unusual Process Spawned by a User" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/problemchild", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", -] -risk_score = 21 -rule_id = "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb" setup = """## Setup The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
@@ -81,6 +76,13 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet. - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", +] +risk_score = 21 +rule_id = "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb" severity = "low" tags = [ "Domain: Endpoint", diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml index 7b8a91cef..ae2a2dd34 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml @@ -2,7 +2,9 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "LotL package job ID and rule removal updates" +min_stack_version = "8.9.0" +updated_date = "2024/04/01" [rule] author = ["Elastic"] 
@@ -16,13 +18,6 @@ index = ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/problemchild", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", -] -risk_score = 21 -rule_id = "13e908b9-7bf0-4235-abc9-b5deb500d0ad" setup = """## Setup The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. @@ -71,6 +66,13 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi } ``` """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", +] +risk_score = 21 +rule_id = "13e908b9-7bf0-4235-abc9-b5deb500d0ad" severity = "low" tags = [ "OS: Windows", diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml index c134556b6..0357b533e 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml 
@@ -2,7 +2,9 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "LotL package job ID and rule removal updates" +min_stack_version = "8.9.0" +updated_date = "2024/04/01" [rule] author = ["Elastic"] @@ -16,13 +18,6 @@ index = ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/problemchild", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", -] -risk_score = 21 -rule_id = "994e40aa-8c85-43de-825e-15f665375ee8" setup = """## Setup The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. @@ -71,6 +66,13 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi } ``` """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", +] +risk_score = 21 +rule_id = "994e40aa-8c85-43de-825e-15f665375ee8" severity = "low" tags = [ "OS: Windows", diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml index bfb17d0f2..77346bbbf 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml 
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml @@ -2,7 +2,9 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "LotL package job ID and rule removal updates" +min_stack_version = "8.9.0" +updated_date = "2024/04/01" [rule] anomaly_threshold = 75 @@ -20,13 +22,6 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "problem_child_high_sum_by_host" name = "Suspicious Windows Process Cluster Spawned by a Host" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/problemchild", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", -] -risk_score = 21 -rule_id = "bdfebe11-e169-42e3-b344-c5d2015533d3" setup = """## Setup The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
@@ -82,6 +77,13 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet. - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", +] +risk_score = 21 +rule_id = "bdfebe11-e169-42e3-b344-c5d2015533d3" severity = "low" tags = [ "Use Case: Living off the Land Attack Detection", diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml index f8a89d0a9..693b3cadd 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml 
@@ -2,7 +2,9 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "LotL package job ID and rule removal updates" +min_stack_version = "8.9.0" +updated_date = "2024/04/01" [rule] anomaly_threshold = 75 @@ -20,13 +22,6 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "problem_child_high_sum_by_parent" name = "Suspicious Windows Process Cluster Spawned by a Parent Process" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/problemchild", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", -] -risk_score = 21 -rule_id = "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0" setup = """## Setup The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
@@ -82,6 +77,13 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet. - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", +] +risk_score = 21 +rule_id = "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0" severity = "low" tags = [ "Domain: Endpoint", diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml index 98ff98440..d9533c157 100644 --- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml +++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml @@ -2,7 +2,9 @@ creation_date = "2023/10/16" integration = ["problemchild", "endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "LotL package job ID and rule removal updates" +min_stack_version = "8.9.0" +updated_date = "2024/04/01" [rule] anomaly_threshold = 75 
@@ -20,13 +22,6 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "problem_child_high_sum_by_user" name = "Suspicious Windows Process Cluster Spawned by a User" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/problemchild", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", -] -risk_score = 21 -rule_id = "1224da6c-0326-4b4f-8454-68cdc5ae542b" setup = """## Setup The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. @@ -82,6 +77,13 @@ The LotL Attack Detection integration detects living-off-the-land activity in Wi - If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for "Living off the Land Attack Detection" under "Use preconfigured jobs". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet. - Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. """ +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", +] +risk_score = 21 +rule_id = "1224da6c-0326-4b4f-8454-68cdc5ae542b" severity = "low" tags = [ "Domain: Endpoint", 
diff --git a/rules/linux/command_and_control_cat_network_activity.toml b/rules/linux/command_and_control_cat_network_activity.toml
index 5d422e199..42f466d83 100644
--- a/rules/linux/command_and_control_cat_network_activity.toml
+++ b/rules/linux/command_and_control_cat_network_activity.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/09/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [transform]
 [[transform.osquery]]
@@ -29,14 +31,13 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
 label = "Osquery - Retrieve Process Info"
 query = "SELECT name, cmdline, parent, path, uid FROM processes"
-
 [rule]
 author = ["Elastic"]
 description = """
-This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat is
-capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. This
-activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools or
-files to another host in the network or exfiltrate data while attempting to evade detection in the process.
+This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat
+is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel.
+This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools
+or files to another host in the network or exfiltrate data while attempting to evade detection in the process.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
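Review bot: The rewrapped description keeps the misspelling `transfering` on the new side (`+is capable of transfering data via tcp/udp channels`); since that line is being rewritten anyway, `is capable of transferring data via tcp/udp channels` would fix it at no extra cost. The rest of this hunk only moves line breaks inside the description and drops one of the blank lines before `[rule]`, so there is no behavioural change to the rule itself.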
@@ -130,14 +131,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Data Source: Elastic Defend",
-]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend"
+ ]
 type = "eql"
-
 query = '''
 sequence by host.id, process.entity_id with maxspan=1s
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -153,7 +153,6 @@ sequence by host.id, process.entity_id with maxspan=1s
 )]
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -161,6 +160,7 @@ framework = "MITRE ATT&CK"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -168,6 +168,7 @@ framework = "MITRE ATT&CK"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -175,4 +176,3 @@ framework = "MITRE ATT&CK"
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
-
diff --git a/rules/linux/command_and_control_linux_chisel_client_activity.toml b/rules/linux/command_and_control_linux_chisel_client_activity.toml
index 45b888b70..5a6cb5f3e 100644
--- a/rules/linux/command_and_control_linux_chisel_client_activity.toml
+++ b/rules/linux/command_and_control_linux_chisel_client_activity.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [transform]
 [[transform.osquery]]
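Review bot: The restored `tags` block drops the trailing comma after `"Data Source: Elastic Defend"` and indents the closing bracket (`+ ]`), which differs both from the removed lines (`"Data Source: Elastic Defend",` and `-]` at column 0) and from the `tags = [ …, ]` layout the o365 rules in this same diff settle on. Unless the project's rule formatter is expected to rewrite it on the next pass, keeping the trailing comma and the bracket at column 0 avoids a pure-whitespace diff the next time the file is regenerated. The same layout shows up in the chisel client rule's `tags` and `references` hunks. The added and removed blank lines around the `[[rule.threat]]` tables in this file are whitespace-only and otherwise harmless.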
@@ -29,15 +31,14 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" - [rule] author = ["Elastic"] description = """ -This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection -attempt. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding -and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication -channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized -access to internal systems. +This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection attempt. +Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure +communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass +network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal +systems. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -107,8 +108,8 @@ This rule looks for a sequence of command line arguments that are consistent wit """ references = [ "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", - "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding", -] + "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding" + ] risk_score = 47 rule_id = "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd" setup = """## Setup 
@@ -138,14 +139,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by host.id, process.entity_id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -158,17 +158,15 @@ sequence by host.id, process.entity_id with maxspan=1s "ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd")] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/linux/command_and_control_linux_chisel_server_activity.toml b/rules/linux/command_and_control_linux_chisel_server_activity.toml index 1ddfe0bd6..0f511f1f3 100644 --- a/rules/linux/command_and_control_linux_chisel_server_activity.toml +++ b/rules/linux/command_and_control_linux_chisel_server_activity.toml @@ -2,7 +2,9 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [transform] [[transform.osquery]] 
@@ -29,15 +31,14 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" - [rule] author = ["Elastic"] description = """ -This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received -connection within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP -tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to -establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating -tunnels that allow unauthorized access to internal systems. +This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection +within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, +enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish +covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that +allow unauthorized access to internal systems. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -107,8 +108,8 @@ This rule looks for a sequence of command line arguments that are consistent wit """ references = [ "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", - "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding", -] + "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding" + ] risk_score = 47 rule_id = "ac8805f6-1e08-406c-962e-3937057fa86f" setup = """## Setup 
@@ -138,14 +139,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by host.id, process.entity_id with maxspan=1m [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -158,17 +158,15 @@ sequence by host.id, process.entity_id with maxspan=1m "ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd", "hugo")] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/linux/command_and_control_linux_kworker_netcon.toml b/rules/linux/command_and_control_linux_kworker_netcon.toml index 6fa97bf2c..1c34f9560 100644 --- a/rules/linux/command_and_control_linux_kworker_netcon.toml +++ b/rules/linux/command_and_control_linux_kworker_netcon.toml 
@@ -2,14 +2,16 @@ creation_date = "2023/10/18" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/04/30" [rule] author = ["Elastic"] description = """ This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the -kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel -space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. +kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel +space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process. """ from = "now-9m" @@ -47,15 +49,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and process.name:kworker* and not destination.ip:( 
@@ -71,49 +72,50 @@ process.name:kworker* and not destination.ip:( ) and not destination.port:2049 ''' +[[rule.threat]] +framework = "MITRE ATT&CK" + + [rule.threat.tactic] + id = "TA0011" + name = "Command and Control" + reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" + [rule.threat.tactic] + id = "TA0005" + name = "Defense Evasion" + reference = "https://attack.mitre.org/tactics/TA0005/" + + [[rule.threat.technique]] + name = "Masquerading" + id = "T1036" + reference = "https://attack.mitre.org/techniques/T1036/" + + [[rule.threat.technique]] + name = "Rootkit" + id = "T1014" + reference = "https://attack.mitre.org/techniques/T1014/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" -[[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" + [rule.threat.tactic] + id = "TA0010" + name = "Exfiltration" + reference = "https://attack.mitre.org/tactics/TA0010/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1041" -name = "Exfiltration Over C2 Channel" -reference = "https://attack.mitre.org/techniques/T1041/" - - -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" + [[rule.threat.technique]] + name = "Exfiltration Over C2 Channel" + id = "T1041" + reference = "https://attack.mitre.org/techniques/T1041/" [rule.new_terms] field = "new_terms_fields" value = ["process.name", "destination.ip", "destination.port"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - 
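Review bot: The technique tables on the new side list `name` before `id` (`name = "Masquerading"` followed by `id = "T1036"`), whereas every other `[[rule.threat.technique]]` in this diff, and this file's own old side, puts `id` first; the order should match, e.g. `id = "T1036"`, `name = "Masquerading"`, `reference = "https://attack.mitre.org/techniques/T1036/"`. The new side also places `[[rule.threat.technique]]` after `[rule.threat.tactic]` inside each threat entry, the reverse of the other rules here. The set of tactics and techniques appears unchanged (TA0011; TA0005 with T1036 and T1014; TA0010 with T1041), so this is layout only, but the wholesale move of the tables is easy to misread as a mapping change in review.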
diff --git a/rules/linux/command_and_control_linux_proxychains_activity.toml b/rules/linux/command_and_control_linux_proxychains_activity.toml index 6af677c74..4fe527e74 100644 --- a/rules/linux/command_and_control_linux_proxychains_activity.toml +++ b/rules/linux/command_and_control_linux_proxychains_activity.toml @@ -2,7 +2,9 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [transform] [[transform.osquery]] @@ -29,13 +31,12 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" - [rule] author = ["Elastic"] description = """ -This rule monitors for the execution of the ProxyChains utility. ProxyChains is a command-line tool that enables the -routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted -resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and +This rule monitors for the execution of the ProxyChains utility. ProxyChains is a command-line tool that enables the +routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted +resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions. """ from = "now-9m" 
@@ -111,33 +112,30 @@ risk_score = 21 rule_id = "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "proxychains" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml index d0e52b96b..063f31889 100644 --- a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml +++ b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml @@ -2,7 +2,9 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [transform] [[transform.osquery]] 
@@ -29,15 +31,13 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" - [rule] author = ["Elastic"] description = """ This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to -restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade -detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and -intentions. +restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, +and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] @@ -137,17 +137,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "proxychains" and process.args : ( 
@@ -157,17 +156,15 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml index b1ca0af32..e063595ee 100644 --- a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml +++ b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml @@ -2,7 +2,9 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/30" [transform] [[transform.osquery]] 
@@ -29,14 +31,12 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" - [rule] author = ["Elastic"] description = """ -This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can -leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, -and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote -control. +This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can +leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, +and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] @@ -108,8 +108,8 @@ This rule looks for several utilities that are capable of setting up tunnel netw """ references = [ "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", - "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding", -] + "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding" + ] risk_score = 47 rule_id = "6ee947e9-de7e-4281-a55d-09289bdf947e" setup = """## Setup 
@@ -139,16 +139,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( ( @@ -169,17 +168,15 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml index 8e52abef1..75e542d09 100644 --- a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml +++ b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml @@ -2,7 +2,9 @@ creation_date = "2023/06/14" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/12/12" [transform] [[transform.osquery]] 
@@ -29,7 +31,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" - [rule] author = ["Elastic"] description = """ @@ -168,13 +169,13 @@ Packetbeat is a real-time network packet analyzer that you can use for applicati """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -199,15 +200,14 @@ not destination.ip:( not destination.port:(22 or 80 or 443) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" @@ -216,8 +216,7 @@ reference = "https://attack.mitre.org/tactics/TA0011/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "destination.ip", "process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml index edf2c027b..e9cf24526 100644 --- a/rules/linux/command_and_control_tunneling_via_earthworm.toml +++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml 
@@ -2,7 +2,9 @@ creation_date = "2021/04/12" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [transform] [[transform.osquery]] @@ -29,7 +31,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" - [rule] author = ["Elastic"] description = """ @@ -149,13 +150,13 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml index b4def3d77..2e1bf781c 100644 --- a/rules/linux/credential_access_collection_sensitive_files.toml +++ b/rules/linux/credential_access_collection_sensitive_files.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/22" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -61,14 +63,14 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Collection", - "Tactic: Credential Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Collection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -107,37 +109,37 @@ event.category:process and host.os.type:linux and event.type:start and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.001" name = "Credentials In Files" reference = "https://attack.mitre.org/techniques/T1552/001/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1560" name = "Archive Collected Data" reference = "https://attack.mitre.org/techniques/T1560/" + [[rule.threat.technique.subtechnique]] id = "T1560.001" name = "Archive via Utility" reference = "https://attack.mitre.org/techniques/T1560/001/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" @@ -146,8 +148,7 @@ reference = "https://attack.mitre.org/tactics/TA0009/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.command_line", "process.parent.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" - - diff --git a/rules/linux/credential_access_credential_dumping.toml b/rules/linux/credential_access_credential_dumping.toml index 1b57dacdf..0c136e26c 100644 
--- a/rules/linux/credential_access_credential_dumping.toml +++ b/rules/linux/credential_access_credential_dumping.toml @@ -2,23 +2,28 @@ creation_date = "2023/02/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/19" [rule] author = ["Elastic"] description = """ -Identifies the execution of the unshadow utility which is part of John the Ripper, a password-cracking tool on the host -machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/password' -files. Using the combined file generated from the utility, the malicious threat actors can use them as input for -password-cracking utilities or prepare themselves for future operations by gathering credential information of the -victim. +Identifies the execution of the unshadow utility which is part of John the Ripper, +a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve +the combined contents of the '/etc/shadow' and '/etc/password' files. +Using the combined file generated from the utility, the malicious threat actors can use them as input +for password-cracking utilities or prepare themselves for future operations by gathering +credential information of the victim. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential Linux Credential Dumping via Unshadow" -references = ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"] +references = [ + "https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/", +] risk_score = 47 rule_id = "e7cb3cfd-aaa3-4d7b-af18-23b89955062c" setup = """## Setup 
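Review bot: The re-wrapped description still names the file `'/etc/password'`; the file unshadow combines with `/etc/shadow` is `/etc/passwd`, as the T1003.008 sub-technique mapped in this same file ("/etc/passwd and /etc/shadow") states. The third line should read `the combined contents of the '/etc/shadow' and '/etc/passwd' files.`. The new wrapping at roughly 95 columns is also narrower than the ~120-column wrap the other descriptions in this diff use; re-flowing to the common width would keep the rule files uniform.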
@@ -48,37 +53,34 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "unshadow" and process.args_count >= 3 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.008" name = "/etc/passwd and /etc/shadow" reference = "https://attack.mitre.org/techniques/T1003/008/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/credential_access_gdb_init_process_hooking.toml b/rules/linux/credential_access_gdb_init_process_hooking.toml index 23bf71fef..e5b8dfc17 100644 --- a/rules/linux/credential_access_gdb_init_process_hooking.toml +++ b/rules/linux/credential_access_gdb_init_process_hooking.toml 
@@ -2,12 +2,14 @@ creation_date = "2023/08/30" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory +This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly. """ @@ -16,7 +18,10 @@ index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Linux init (PID 1) Secret Dump via GDB" -references = ["https://github.com/controlplaneio/truffleproc", "https://github.com/hajzer/bash-memory-dump"] +references = [ + "https://github.com/controlplaneio/truffleproc", + "https://github.com/hajzer/bash-memory-dump" +] risk_score = 47 rule_id = "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f" setup = """## Setup 
@@ -46,37 +51,34 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "gdb" and process.args in ("--pid", "-p") and process.args == "1" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.007" name = "Proc Filesystem" reference = "https://attack.mitre.org/techniques/T1003/007/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/credential_access_gdb_process_hooking.toml b/rules/linux/credential_access_gdb_process_hooking.toml index 622a54dba..1a72efb58 100644 --- a/rules/linux/credential_access_gdb_process_hooking.toml +++ b/rules/linux/credential_access_gdb_process_hooking.toml 
@@ -2,13 +2,15 @@ creation_date = "2023/08/30" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ This rule monitors for potential memory dumping through gdb. Attackers may leverage memory dumping techniques to attempt -secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and +secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly. """ from = "now-9m" @@ -16,22 +18,24 @@ index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_mana language = "eql" license = "Elastic License v2" name = "Linux Process Hooking via GDB" -references = ["https://github.com/controlplaneio/truffleproc", "https://github.com/hajzer/bash-memory-dump"] +references = [ + "https://github.com/controlplaneio/truffleproc", + "https://github.com/hajzer/bash-memory-dump" +] risk_score = 21 rule_id = "66c058f3-99f4-4d18-952b-43348f2577a0" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "gdb" and process.args in ("--pid", "-p") and 
@@ -39,22 +43,20 @@ process where host.os.type == "linux" and event.type == "start" and event.action process.args != "1" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.007" name = "Proc Filesystem" reference = "https://attack.mitre.org/techniques/T1003/007/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml index 7e883b444..8f187c78d 100644 --- a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml +++ b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml @@ -2,13 +2,15 @@ creation_date = "2023/07/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/20" [rule] author = ["Elastic"] description = """ -Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a -short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a +Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a +short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a set of customly crafted passwords in an attempt to gain access to these accounts. """ from = "now-9m" 
@@ -45,14 +47,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by host.id, process.parent.executable, user.id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "su" and @@ -63,22 +64,20 @@ sequence by host.id, process.parent.executable, user.id with maxspan=1s ] with runs=10 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" + [[rule.threat.technique.subtechnique]] id = "T1110.001" name = "Password Guessing" reference = "https://attack.mitre.org/techniques/T1110/001/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml index 264cbb61e..ca1511851 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml +++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml 
@@ -2,13 +2,15 @@ creation_date = "2022/09/14" integration = ["system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] description = """ -Identifies multiple external consecutive login failures targeting a user account from the same source address within a -short time interval. Adversaries will often brute force login attempts across multiple users with a common or known +Identifies multiple external consecutive login failures targeting a user account from the same source address within +a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts. """ from = "now-9m" @@ -77,9 +79,12 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] +tags = ["Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ] type = "eql" - query = ''' sequence by host.id, source.ip, user.name with maxspan=15s [ authentication where host.os.type == "linux" and diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml index dc4b7b8ec..6640ba404 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml +++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml 
@@ -2,13 +2,15 @@ creation_date = "2023/02/21" integration = ["system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] description = """ -Identifies multiple internal consecutive login failures targeting a user account from the same source address within a -short time interval. Adversaries will often brute force login attempts across multiple users with a common or known +Identifies multiple internal consecutive login failures targeting a user account from the same source address within +a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts. """ from = "now-9m" @@ -73,9 +75,12 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] +tags = ["Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ] type = "eql" - query = ''' sequence by host.id, source.ip, user.name with maxspan=15s [ authentication where host.os.type == "linux" and diff --git a/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml index 936f72da6..d554c3a09 100644 --- a/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml +++ b/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml 
@@ -2,16 +2,18 @@ creation_date = "2023/07/06" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/19" [rule] author = ["Elastic"] description = """ -An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different -combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can -include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and -potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting -a specific user account from the same source address and within a short time interval, followed by a successful +An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different +combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can +include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and +potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting +a specific user account from the same source address and within a short time interval, followed by a successful authentication. """ from = "now-9m" 
@@ -58,14 +60,13 @@ However, if more advanced configuration is required to detect specific behavior, """ severity = "medium" tags = [ - "Data Source: Auditd Manager", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", -] + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ] type = "eql" - query = ''' sequence by host.id, auditd.data.addr, related.user with maxspan=5s [authentication where host.os.type == "linux" and event.action == "authenticated" and @@ -76,13 +77,14 @@ sequence by host.id, auditd.data.addr, related.user with maxspan=5s auditd.data.addr != "0.0.0.0" and auditd.data.addr != "::"] | tail 1 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" + [[rule.threat.technique.subtechnique]] id = "T1110.001" name = "Password Guessing" @@ -93,10 +95,7 @@ id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml index f4c9c3538..cd5da35ff 100644 --- a/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml +++ b/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml 
@@ -2,16 +2,18 @@ creation_date = "2023/07/06" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/19" [rule] author = ["Elastic"] description = """ -An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and +An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact -can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks -within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising -the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a +can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks +within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising +the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a specific user account within a short time interval, followed by a successful authentication. """ from = "now-9m" 
@@ -58,14 +60,13 @@ However, if more advanced configuration is required to detect specific behavior, """ severity = "medium" tags = [ - "Data Source: Auditd Manager", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", -] + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ] type = "eql" - query = ''' sequence by host.id, related.user with maxspan=5s [authentication where host.os.type == "linux" and event.action == "authenticated" and @@ -74,13 +75,14 @@ sequence by host.id, related.user with maxspan=5s auditd.data.terminal : "*rdp*" and event.outcome == "success"] | tail 1 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" + [[rule.threat.technique.subtechnique]] id = "T1110.001" name = "Password Guessing" @@ -91,10 +93,7 @@ id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml index 735059d55..ed7a05b56 100644 --- a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml +++ b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml 
@@ -2,16 +2,18 @@ creation_date = "2022/09/14" integration = ["system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] description = """ -Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can -attempt to login into multiple users with a common or known password to gain access to accounts. +Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt +to login into multiple users with a common or known password to gain access to accounts. """ from = "now-9m" -index = ["auditbeat-*", "filebeat-*", "logs-system.auth-*"] +index = ["auditbeat-*", "filebeat-*", "logs-system.auth-*"] language = "eql" license = "Elastic License v2" name = "Potential Successful SSH Brute Force Attack" @@ -79,9 +81,13 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ] type = "eql" - query = ''' sequence by host.id, source.ip, user.name with maxspan=15s [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and 
@@ -91,13 +97,14 @@ sequence by host.id, source.ip, user.name with maxspan=15s event.outcome == "success" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" + [[rule.threat.technique.subtechnique]] id = "T1110.001" name = "Password Guessing" @@ -108,10 +115,7 @@ id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/credential_access_proc_credential_dumping.toml b/rules/linux/credential_access_proc_credential_dumping.toml index 9da10c339..ff941228c 100644 --- a/rules/linux/credential_access_proc_credential_dumping.toml +++ b/rules/linux/credential_access_proc_credential_dumping.toml 
@@ -2,15 +2,17 @@ creation_date = "2023/04/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/20" [rule] author = ["Elastic"] description = """ Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz. -Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits a -known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by dumping the -process and extracting lines that have a high probability of containing cleartext passwords. +Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits +a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by +dumping the process and extracting lines that have a high probability of containing cleartext passwords. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -19,7 +21,7 @@ license = "Elastic License v2" name = "Potential Linux Credential Dumping via Proc Filesystem" references = [ "https://github.com/huntergregal/mimipenguin", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781" ] risk_score = 47 rule_id = "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311" 
@@ -50,15 +52,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by host.id, process.parent.name with maxspan=1m [process where host.os.type == "linux" and process.name == "ps" and event.action == "exec" @@ -67,27 +68,25 @@ sequence by host.id, process.parent.name with maxspan=1m and process.args : "/tmp/*"] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.007" name = "Proc Filesystem" reference = "https://attack.mitre.org/techniques/T1003/007/" - [[rule.threat.technique]] id = "T1212" name = "Exploitation for Credential Access" reference = "https://attack.mitre.org/techniques/T1212/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml index a537b35e5..ecc4b5932 100644 --- a/rules/linux/credential_access_ssh_backdoor_log.toml +++ b/rules/linux/credential_access_ssh_backdoor_log.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -64,15 +66,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Credential Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml index 2b7ee154f..1c84372ed 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml @@ -2,7 +2,9 @@ creation_date = "2023/02/22" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/20" [rule] author = ["Elastic"] 
@@ -44,16 +46,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -73,22 +75,20 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1562" name = "Impair Defenses" +id = "T1562" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] -id = "T1562.001" name = "Disable or Modify Tools" +id = "T1562.001" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] -id = "TA0005" name = "Defense Evasion" +id = "TA0005" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml index 78771aa6d..9c21dacf1 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
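Review bot: The rewritten `tags` array in defense_evasion_attempt_to_disable_iptables_or_firewall.toml gains an empty line between `"Data Source: Elastic Endgame"` and the closing `    ]`, which no other file in this diff has, and the closing bracket is indented under the elements rather than at column 0; `    "Data Source: Elastic Endgame"` followed directly by `]` would match the rest of the repository. In the `[[rule.threat.technique]]` tables of the same file `name` is moved above `id`, while every other rule in this diff keeps the `id`, `name`, `reference` order; key order inside a TOML table is not semantic, so this is style only, but it makes the threat blocks harder to scan and the same swap recurs in defense_evasion_clear_kernel_ring_buffer.toml. Separately, credential_access_ssh_backdoor_log.toml and defense_evasion_attempt_to_disable_syslog_service.toml collapse `tags` onto a single long line while all the other files expand it one tag per line; pick one layout for the whole change.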
@@ -55,14 +57,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml index 544c7ce58..31c0b7f2d 100644 --- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml +++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/17" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -59,26 +61,25 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("base16", "base32", "base32plain", "base32hex") and not process.args in ("--help", "--version") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" @@ -89,9 +90,7 @@ id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml index 362dc53aa..ba14cbaf6 100644 --- a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml +++ b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml 
@@ -2,14 +2,16 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and -rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if -it does, the activity should be investigated. +This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move +and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, +so if it does, the activity should be investigated. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -45,14 +47,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by host.id, process.entity_id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -83,27 +84,25 @@ sequence by host.id, process.entity_id with maxspan=1s ) and not file.path : ("/tmp/rear*", "/var/tmp/rear*", "/var/tmp/dracut*", "/var/tmp/mkinitramfs*")] ''' - [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" -[[rule.threat.technique.subtechnique]] -id = "T1036.003" -name = "Rename System Utilities" -reference = "https://attack.mitre.org/techniques/T1036/003/" - [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.003" +name = "Rename System Utilities" +reference = "https://attack.mitre.org/techniques/T1036/003/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_chattr_immutable_file.toml b/rules/linux/defense_evasion_chattr_immutable_file.toml index dacc91b8d..6708e4784 100644 --- a/rules/linux/defense_evasion_chattr_immutable_file.toml +++ b/rules/linux/defense_evasion_chattr_immutable_file.toml @@ -2,7 +2,9 @@ creation_date = "2022/07/22" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/01/11" [rule] author = ["Elastic"] 
@@ -62,13 +64,13 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -79,20 +81,19 @@ process where host.os.type == "linux" and event.type == "start" and user.id == " not process.parent.name in ("systemd", "cf-agent", "ntpdate", "xargs", "px", "preinst", "auth") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" + [[rule.threat.technique.subtechnique]] id = "T1222.002" name = "Linux and Mac File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/002/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml index 989283a36..6f37f146f 100644 --- a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml +++ b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml @@ -2,7 +2,9 @@ creation_date = "2023/10/24" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -44,48 +46,45 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "dmesg" and process.args == "-c" ''' - [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1070" -name = "Indicator Removal" -reference = "https://attack.mitre.org/techniques/T1070/" -[[rule.threat.technique.subtechnique]] -id = "T1070.002" -name = "Clear Linux or Mac System Logs" -reference = "https://attack.mitre.org/techniques/T1070/002/" - [[rule.threat.technique]] -id = "T1562" name = "Impair Defenses" +id = "T1562" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] -id = "T1562.001" name = "Disable or Modify Tools" +id = "T1562.001" reference = "https://attack.mitre.org/techniques/T1562/001/" +[[rule.threat.technique]] +name = "Indicator Removal" +id = "T1070" +reference = "https://attack.mitre.org/techniques/T1070/" +[[rule.threat.technique.subtechnique]] +name = "Clear Linux or Mac System Logs" +id = "T1070.002" +reference = "https://attack.mitre.org/techniques/T1070/002/" [rule.threat.tactic] -id = "TA0005" name = "Defense Evasion" +id = "TA0005" reference = "https://attack.mitre.org/tactics/TA0005/" - 
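Review bot: The new side of the `[[rule.threat]]` block puts `name` before `id` in every technique, subtechnique and tactic table (`name = "Impair Defenses"` / `id = "T1562"`, `name = "Indicator Removal"` / `id = "T1070"`, `name = "Defense Evasion"` / `id = "TA0005"`), while every other rule in this diff keeps `id` first. The mapping is the same, so this is style only, but it makes the file the odd one out and will presumably be reordered the next time the rule is written back by the repo's TOML formatter, producing a noisy follow-up diff. I would keep `id = "T1562"`, `name = "Impair Defenses"`, `reference = ...` ordering throughout, matching the neighbouring files.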
diff --git a/rules/linux/defense_evasion_disable_apparmor_attempt.toml b/rules/linux/defense_evasion_disable_apparmor_attempt.toml index f5010f7c8..b871a387c 100644 --- a/rules/linux/defense_evasion_disable_apparmor_attempt.toml +++ b/rules/linux/defense_evasion_disable_apparmor_attempt.toml @@ -2,12 +2,14 @@ creation_date = "2023/08/28" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces +This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. Adversaries may disable security tools to avoid possible detection of their tools and activities. """ @@ -45,17 +47,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( 
@@ -64,22 +65,20 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml index 3de937008..ef0ade341 100644 --- a/rules/linux/defense_evasion_disable_selinux_attempt.toml +++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/22" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
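Review bot: Restoring this rule's metadata is fine, but the query it carries (in the next hunk, not this one) only fires on `process.name == "setenforce" and process.args == "0"`; `setenforce` also accepts the word form, so `setenforce Permissive` (case-insensitive) disables enforcement without matching. The new `min_stack_version`/`min_stack_comments` lines themselves look consistent with the other 8.3.0 rules. If the gap is meant to be covered, `process.args : ("0", "permissive")` is the one-line change, since `:` is a case-insensitive match in EQL.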
@@ -57,38 +59,35 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "setenforce" and process.args == "0" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml index e51936b4a..7751d734d 100644 --- a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml +++ b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml 
@@ -2,16 +2,18 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.5.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -Identifies instances where the 'touch' command is executed on a Linux system with the "-r" flag, which is used to modify -the timestamp of a file based on another file's timestamp. The rule targets specific VM-related paths, such as -"/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization software, and -their presence in the touch command arguments may indicate that a threat actor is attempting to tamper with timestamps -of VM-related files and configurations on the system. +Identifies instances where the 'touch' command is executed on a Linux system with the "-r" flag, +which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related +paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization +software, and their presence in the touch command arguments may indicate that a threat actor is attempting to +tamper with timestamps of VM-related files and configurations on the system. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] 
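Review bot: `min_stack_version = "8.5.0"` is paired with `min_stack_comments = "New fields added: required_fields, related_integrations, setup"`, which is the exact comment the 8.3.0 rules in this diff use, so the comment does not explain why this rule needs 8.5 rather than 8.3. Presumably a data source or field used here (the `logs-auditd_manager.auditd-*` index is visible) is only available from 8.5, but that is inferred; the comment should name the actual reason, e.g. `min_stack_comments = "Requires <field or integration> introduced in 8.5"`. The same 8.5.0/8.3-comment mismatch appears in the two ESXi rename rules later in this diff.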
@@ -50,39 +52,36 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "touch" and process.args == "-r" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.006" name = "Timestomp" reference = "https://attack.mitre.org/techniques/T1070/006/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml index c14918a6b..9b41a3d3d 100644 --- a/rules/linux/defense_evasion_file_deletion_via_shred.toml +++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/20" [rule] author = ["Elastic"] 
@@ -45,13 +47,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" @@ -61,22 +63,20 @@ process where host.os.type == "linux" and event.type == "start" and process.name ) and not process.parent.name == "logrotate" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.004" name = "File Deletion" reference = "https://attack.mitre.org/techniques/T1070/004/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml index e18c9cd1e..308ff063e 100644 --- a/rules/linux/defense_evasion_file_mod_writable_dir.toml +++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/02/20" [rule] author = ["Elastic"] 
@@ -62,30 +64,28 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' host.os.type:linux and event.category:process and event.type:start and process.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and not process.parent.name:(apt-key or update-motd-updates-available) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" @@ -94,8 +94,7 @@ reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.parent.executable", "process.command_line"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml index f15704084..c5ccfbfbe 100644 --- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml +++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/20" [rule] author = ["Elastic"] 
@@ -67,12 +69,12 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -83,24 +85,24 @@ process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and not process.name in ("ls", "find", "grep", "git", "jq", "basename") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml index f320147a6..c841c28f3 100644 --- a/rules/linux/defense_evasion_hidden_shared_object.toml +++ b/rules/linux/defense_evasion_hidden_shared_object.toml @@ -2,7 +2,9 @@ creation_date = "2022/07/20" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/20" [rule] author = ["Elastic"] 
@@ -61,37 +63,34 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" and not process.name == "dockerd" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml index c483820f0..b1efaa15b 100644 --- a/rules/linux/defense_evasion_kernel_module_removal.toml +++ b/rules/linux/defense_evasion_kernel_module_removal.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -52,13 +54,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -68,39 +70,38 @@ process.name == "rmmod" or (process.name == "modprobe" and process.args in ("--r process.parent.name in ("sudo", "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/linux/defense_evasion_kthreadd_masquerading.toml b/rules/linux/defense_evasion_kthreadd_masquerading.toml index 01b696e0d..110b6c20f 100644 --- a/rules/linux/defense_evasion_kthreadd_masquerading.toml +++ b/rules/linux/defense_evasion_kthreadd_masquerading.toml 
@@ -2,21 +2,25 @@ creation_date = "2024/02/01" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -Monitors for kernel processes with associated process executable fields that are not empty. Unix kernel processes such +Monitors for kernel processes with associated process executable fields that are not empty. Unix kernel processes such as kthreadd and kworker typically do not have process.executable fields associated to them. Attackers may attempt to -hide their malicious programs by masquerading as legitimate kernel processes. +hide their malicious programs by masquerading as legitimate kernel processes. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Executable Masquerading as Kernel Process" -references = ["https://sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/"] +references = [ + "https://sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/", +] risk_score = 21 rule_id = "202829f6-0271-4e88-b882-11a655c590d4" setup = """## Setup 
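Review bot: The description restored here says kernel threads such as kthreadd and kworker normally have no `process.executable`, but the query in the following hunk matches `process.name : ("kworker*", "kthread*")`, which requires the name to start with those letters; a binary named to mimic `ps` output, e.g. `[kworker/0:1]`, begins with `[` and would not match. Whether Elastic Defend reports such a name with the bracket is something to confirm, but it is a common masquerade and cheap to cover: `process.name : ("kworker*", "kthread*", "[kworker*", "[kthread*")`. The rest of the hunk (metadata and `references` reflow) looks consistent with the other files.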
@@ -47,42 +51,39 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name : ("kworker*", "kthread*") and process.executable != null ''' - [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" -[[rule.threat.technique.subtechnique]] -id = "T1036.004" -name = "Masquerade Task or Service" -reference = "https://attack.mitre.org/techniques/T1036/004/" - [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.004" +name = "Masquerade Task or Service" +reference = "https://attack.mitre.org/techniques/T1036/004/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml index 446e8c07c..ca5cf9311 100644 --- a/rules/linux/defense_evasion_log_files_deleted.toml +++ b/rules/linux/defense_evasion_log_files_deleted.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/11/03" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -62,13 +64,13 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -91,22 +93,20 @@ file where host.os.type == "linux" and event.type == "deletion" and not process.name in ("gzip", "executor", "dockerd") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.002" name = "Clear Linux or Mac System Logs" reference = "https://attack.mitre.org/techniques/T1070/002/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_mount_execution.toml b/rules/linux/defense_evasion_mount_execution.toml index ad3e587dc..7d28a1ca3 100644 --- a/rules/linux/defense_evasion_mount_execution.toml +++ b/rules/linux/defense_evasion_mount_execution.toml 
@@ -2,25 +2,29 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from -the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other -users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the -logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide -their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening -hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and -detected. +Identifies the execution of mount process with hidepid parameter, which can make processes invisible to +other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide +the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user +can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for +the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. +With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, +which can now be monitored and detected. 
""" from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Potential Hidden Process via Mount Hidepid" -references = ["https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/"] +references = [ + "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/", +] risk_score = 47 rule_id = "dc71c186-9fe4-4437-a4d0-85ebb32b8204" setup = """## Setup @@ -50,34 +54,31 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "mount" and process.args == "/proc" and process.args == "-o" and process.args : "*hidepid=2*" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_potential_proot_exploits.toml b/rules/linux/defense_evasion_potential_proot_exploits.toml index d02281ab7..8acf5345e 100644 --- a/rules/linux/defense_evasion_potential_proot_exploits.toml +++ b/rules/linux/defense_evasion_potential_proot_exploits.toml 
@@ -2,27 +2,32 @@ creation_date = "2023/03/07" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of chroot, mount ---bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot to expand the scope of their operations to -multiple Linux distributions and simplify their necessary efforts. In a normal threat scenario, the scope of an attack -is limited by the varying configurations of each Linux distribution. With PRoot, it provides an attacker with a -consistent operational environment across different Linux distributions, such as Ubuntu, Fedora, and Alpine. PRoot also -provides emulation capabilities that allow for malware built on other architectures, such as ARM, to be run.The -post-exploitation technique called bring your own filesystem (BYOF), can be used by the threat actors to execute -malicious payload or elevate privileges or perform network scans or orchestrate another attack on the environment. -Although PRoot was originally not developed with malicious intent it can be easily tuned to work for one. +Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of +chroot, mount --bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot +to expand the scope of their operations to multiple Linux distributions and simplify their necessary efforts. +In a normal threat scenario, the scope of an attack is limited by the varying configurations of each Linux distribution. +With PRoot, it provides an attacker with a consistent operational environment across different Linux distributions, +such as Ubuntu, Fedora, and Alpine. 
PRoot also provides emulation capabilities that allow for malware built on other +architectures, such as ARM, to be run.The post-exploitation technique called bring your own filesystem (BYOF), +can be used by the threat actors to execute malicious payload or elevate privileges or perform network scans or +orchestrate another attack on the environment. Although PRoot was originally not developed with malicious intent +it can be easily tuned to work for one. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential Defense Evasion via PRoot" -references = ["https://proot-me.github.io/"] +references = [ + "https://proot-me.github.io/", +] risk_score = 47 rule_id = "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0" setup = """## Setup @@ -52,32 +57,29 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.parent.name == "proot" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1211" name = "Exploitation for Defense Evasion" reference = "https://attack.mitre.org/techniques/T1211/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_rename_esxi_files.toml b/rules/linux/defense_evasion_rename_esxi_files.toml index 114e04920..b1b0bd4e7 100644 --- a/rules/linux/defense_evasion_rename_esxi_files.toml 
+++ b/rules/linux/defense_evasion_rename_esxi_files.toml @@ -2,7 +2,9 @@ creation_date = "2023/04/11" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.5.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -47,16 +49,9 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" - query = ''' file where host.os.type == "linux" and event.action == "rename" and file.Ext.original.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp", "*.vmss", "*.nvram", "*.vmem") @@ -80,5 +75,4 @@ reference = "https://attack.mitre.org/techniques/T1036/003/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - +reference = "https://attack.mitre.org/tactics/TA0005/" \ No newline at end of file diff --git a/rules/linux/defense_evasion_rename_esxi_index_file.toml b/rules/linux/defense_evasion_rename_esxi_index_file.toml index c9061d947..7160ee85a 100644 --- a/rules/linux/defense_evasion_rename_esxi_index_file.toml +++ b/rules/linux/defense_evasion_rename_esxi_index_file.toml 
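Review bot: The last hunk removes the trailing newline (`\ No newline at end of file` on the new side), and the earlier hunk in this file collapses `tags` onto a single line, while every other rule in this diff keeps multi-line `tags` and a final newline. Neither changes rule behaviour, but both will churn the next time the rule is formatted and the missing EOF newline trips common lint checks. I would keep the multi-line `tags = [ ... ]` form and end the file with `reference = "https://attack.mitre.org/tactics/TA0005/"` followed by a newline; the same two issues appear in the ESXi index-file rule that follows.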
@@ -2,14 +2,16 @@ creation_date = "2023/04/11" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.5.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] description = """ Identifies instances where the "index.html" file within the "/usr/lib/vmware/*" directory is renamed on a Linux system. -The rule monitors for the "rename" event action associated with this specific file and path, which could indicate -malicious activity. +The rule monitors for the "rename" event action associated with this specific file and path, +which could indicate malicious activity. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -47,16 +49,9 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" - query = ''' file where host.os.type == "linux" and event.action == "rename" and file.name : "index.html" and file.Ext.original.path : "/usr/lib/vmware/*" @@ -79,5 +74,4 @@ reference = "https://attack.mitre.org/techniques/T1036/003/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - +reference = "https://attack.mitre.org/tactics/TA0005/" \ No newline at end of file diff --git a/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml index bda9821f5..1a4cdb2de 100644 
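Review bot: The rewrapped description still says only that a rename of `index.html` under `/usr/lib/vmware/*` "could indicate malicious activity", which gives a triaging analyst nothing to pivot on. The sibling find/grep rules in this diff cite the ESXiArgs coverage; if this rule was written against that activity, say so in the description and add the reference. The text should also agree with the query's direction: `file.name : "index.html" and file.Ext.original.path : "/usr/lib/vmware/*"` fires when something under `/usr/lib/vmware/` is renamed *to* `index.html` (assuming `file.name` is the post-rename name, as the sibling rule's use of `file.Ext.original.name` suggests), whereas the prose describes `index.html` itself being renamed away.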
--- a/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml +++ b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml @@ -2,13 +2,15 @@ creation_date = "2023/09/04" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching -directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux +This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching +directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux to execute commands while attempting to evade detection. """ from = "now-9m" @@ -20,16 +22,15 @@ risk_score = 21 rule_id = "e0cc3807-e108-483c-bf66-5a4fbe0d7e89" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.parent.name in ("screen", "tmux") and process.name : ( 
@@ -38,17 +39,15 @@ process.parent.name in ("screen", "tmux") and process.name : ( ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/discovery_dynamic_linker_via_od.toml b/rules/linux/discovery_dynamic_linker_via_od.toml index 16c7da4de..59488c955 100644 --- a/rules/linux/discovery_dynamic_linker_via_od.toml +++ b/rules/linux/discovery_dynamic_linker_via_od.toml @@ -2,7 +2,9 @@ creation_date = "2024/02/01" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -48,17 +50,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "od" and process.args in ( 
@@ -67,17 +68,15 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_esxi_software_via_find.toml b/rules/linux/discovery_esxi_software_via_find.toml index b629270c6..a19fca3f1 100644 --- a/rules/linux/discovery_esxi_software_via_find.toml +++ b/rules/linux/discovery_esxi_software_via_find.toml @@ -2,7 +2,9 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.5.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -17,9 +19,7 @@ index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_mana language = "eql" license = "Elastic License v2" name = "ESXI Discovery via Find" -references = [ - "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/", -] +references = ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"] risk_score = 47 rule_id = "33a6752b-da5e-45f8-b13a-5f094c09522f" setup = """## Setup 
@@ -49,33 +49,30 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "find" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_esxi_software_via_grep.toml b/rules/linux/discovery_esxi_software_via_grep.toml index 1affdffe0..961a5e07c 100644 --- a/rules/linux/discovery_esxi_software_via_grep.toml +++ b/rules/linux/discovery_esxi_software_via_grep.toml 
@@ -2,12 +2,14 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.5.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments +Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments related to virtual machine (VM) files, such as "vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", or "vmem". These file extensions are associated with VM-related file formats, and their presence in grep command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system. @@ -17,9 +19,7 @@ index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_mana language = "eql" license = "Elastic License v2" name = "ESXI Discovery via Grep" -references = [ - "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/", -] +references = ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"] risk_score = 47 rule_id = "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4" setup = """## Setup 
@@ -49,17 +49,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("grep", "egrep", "pgrep") and process.args in ( @@ -67,17 +66,15 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml index 271cfcaaa..d182bf299 100644 --- a/rules/linux/discovery_kernel_module_enumeration.toml +++ b/rules/linux/discovery_kernel_module_enumeration.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -51,16 +53,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' event.category:process and host.os.type:linux and event.type:start and event.action:(exec or exec_event) and ( (process.name:(lsmod or modinfo)) or @@ -71,15 +72,14 @@ or readykernel or lvm2 or vz-start or iscsi or mdadm or ovalprobes or bcache or weak-modules or zfs) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -88,8 +88,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["process.parent.command_line", "process.command_line", "host.id"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules/linux/discovery_linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml index ac1d28f7a..f59a8f2bd 100644 --- a/rules/linux/discovery_linux_hping_activity.toml +++ b/rules/linux/discovery_linux_hping_activity.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -63,33 +65,30 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("hping", "hping2", "hping3") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_linux_nping_activity.toml b/rules/linux/discovery_linux_nping_activity.toml index 9e48fc76e..f2c110c3e 100644 --- a/rules/linux/discovery_linux_nping_activity.toml +++ b/rules/linux/discovery_linux_nping_activity.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -63,33 +65,30 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "nping" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_ping_sweep_detected.toml b/rules/linux/discovery_ping_sweep_detected.toml index 0fa247325..c7a655bd5 100644 --- a/rules/linux/discovery_ping_sweep_detected.toml +++ b/rules/linux/discovery_ping_sweep_detected.toml 
@@ -2,14 +2,16 @@ creation_date = "2023/09/04" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/20" [rule] author = ["Elastic"] description = """ -This threshold rule monitors for the rapid execution of unix utilities that are capable of conducting network scans. -Adversaries may leverage built-in tools such as ping, netcat or socat to execute ping sweeps across the network while -attempting to evade detection or due to the lack of network mapping tools available on the compromised host. +This threshold rule monitors for the rapid execution of unix utilities that are capable of conducting network scans. +Adversaries may leverage built-in tools such as ping, netcat or socat to execute ping sweeps across the network while +attempting to evade detection or due to the lack of network mapping tools available on the compromised host. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] 
@@ -46,31 +48,29 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "threshold" - query = ''' event.category:process and host.os.type:linux and event.action:(exec or exec_event or executed or process_started) and event.type:start and process.name:(ping or nping or hping or hping2 or hping3 or nc or ncat or netcat or socat) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -79,8 +79,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.threshold] field = ["host.id", "process.parent.entity_id", "process.executable"] value = 1 + [[rule.threshold.cardinality]] field = "process.args" value = 100 - - diff --git a/rules/linux/discovery_proc_maps_read.toml b/rules/linux/discovery_proc_maps_read.toml index fa5cc29d2..56c21b5fd 100644 --- a/rules/linux/discovery_proc_maps_read.toml +++ b/rules/linux/discovery_proc_maps_read.toml @@ -2,7 +2,9 @@ creation_date = "2024/01/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -47,15 +49,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name in ("cat", "grep") and process.args : "/proc/*/maps" and process.entry_leader.name in ( @@ -63,17 +64,15 @@ process.name in ("cat", "grep") and process.args : "/proc/*/maps" and process.en ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_pspy_process_monitoring_detected.toml b/rules/linux/discovery_pspy_process_monitoring_detected.toml index 95a14458a..3c02f0ea0 100644 --- a/rules/linux/discovery_pspy_process_monitoring_detected.toml +++ b/rules/linux/discovery_pspy_process_monitoring_detected.toml 
@@ -2,14 +2,16 @@ creation_date = "2023/07/20" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/19" [rule] author = ["Elastic"] description = """ -This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the -openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process -monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege +This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the +openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process +monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege escalation vectors. """ from = "now-9m" @@ -46,23 +48,22 @@ However, if more advanced configuration is required to detect specific behavior, """ severity = "low" tags = [ - "Data Source: Auditd Manager", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", -] + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery" + ] type = "eql" - query = ''' sequence by process.pid, host.id with maxspan=5s [file where host.os.type == "linux" and auditd.data.syscall == "openat" and file.path == "/proc" and auditd.data.a0 : ("ffffffffffffff9c", "ffffff9c") and auditd.data.a2 : ("80000", "88000") ] with runs=10 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1057" name = "Process Discovery" 
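Review bot: In the pspy rule `type = "eql"` follows the tag block with no `timestamp_override = "event.ingested"`, while almost every other rule in this diff sets it; with `from = "now-9m"` and a 5-second, ten-run sequence over auditd events, anything ingested late is silently skipped. If that is deliberate (for instance because the auditd event timestamp is preferred over ingest time), a TOML comment above `type` saying so would stop the next reviewer from "fixing" it; otherwise add `timestamp_override = "event.ingested"` directly before `type = "eql"`.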
@@ -73,9 +74,7 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_sudo_allowed_command_enumeration.toml b/rules/linux/discovery_sudo_allowed_command_enumeration.toml index 5e29c5d85..f9719cca5 100644 --- a/rules/linux/discovery_sudo_allowed_command_enumeration.toml +++ b/rules/linux/discovery_sudo_allowed_command_enumeration.toml @@ -2,14 +2,16 @@ creation_date = "2023/08/30" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/20" [rule] author = ["Elastic"] description = """ -This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for -the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo -permissions, potentially allowing to escalate privileges to root. +This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for +the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo permissions, +potentially allowing to escalate privileges to root. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
@@ -45,15 +47,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "sudo" and process.args == "-l" and process.args_count == 2 and @@ -61,17 +62,15 @@ process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish not group.Ext.real.id : "0" and not user.Ext.real.id : "0" and not process.args == "dpkg" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1033" name = "System Owner/User Discovery" reference = "https://attack.mitre.org/techniques/T1033/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_suid_sguid_enumeration.toml b/rules/linux/discovery_suid_sguid_enumeration.toml index 73fd48e34..4b6179ebf 100644 --- a/rules/linux/discovery_suid_sguid_enumeration.toml +++ b/rules/linux/discovery_suid_sguid_enumeration.toml 
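Review bot: In the sudo -l query the trailing exclusion `not process.args == "dpkg"` can never match: the earlier conditions `process.args == "-l" and process.args_count == 2` leave exactly one other argument, argv[0], which is `sudo` unless something rewrites argv[0]. Either the exclusion meant the parent (`not process.parent.name == "dpkg"`, or a `process.parent.args` match), or it is dead and should be removed; as written it reads like a false-positive fix that never took effect. The first half of the query sits in the preceding hunk.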
@@ -2,15 +2,17 @@ creation_date = "2023/07/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] description = """ -This rule monitors for the usage of the "find" command in conjunction with SUID and SGUID permission arguments. SUID -(Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the -privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In case -an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this +This rule monitors for the usage of the "find" command in conjunction with SUID and SGUID permission arguments. SUID +(Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the +privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In +case an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program. """ from = "now-9m" 
@@ -46,17 +48,9 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "find" and process.args : "-perm" and process.args : ( @@ -67,36 +61,37 @@ process.name == "find" and process.args : "-perm" and process.args : ( ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1083" name = "File and Directory Discovery" reference = "https://attack.mitre.org/techniques/T1083/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.001" name = "Setuid and Setgid" reference = "https://attack.mitre.org/techniques/T1548/001/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -104,4 +99,3 @@ framework = "MITRE ATT&CK" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - 
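Review bot: The rewritten tags line carries `"Tactic: Discovery"` and `"Tactic: Privilege Escalation"`, but the last hunk of this file still maps the rule to `id = "TA0003"`, `name = "Persistence"`, so the tactic list and the tags disagree. If the repo's tag/tactic consistency check does not already flag this, add `"Tactic: Persistence"` to the tags; if the Persistence mapping is the part that is wrong, drop that third `[[rule.threat]]` block instead (its technique lines are outside the hunk, so I cannot say which).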
diff --git a/rules/linux/discovery_suspicious_which_command_execution.toml b/rules/linux/discovery_suspicious_which_command_execution.toml index 76595d441..99dfe0b87 100644 --- a/rules/linux/discovery_suspicious_which_command_execution.toml +++ b/rules/linux/discovery_suspicious_which_command_execution.toml @@ -2,14 +2,16 @@ creation_date = "2023/08/30" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may -leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a -system to escalate privileges or move latteraly across the network. +This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may leverage +the which command to enumerate the system for useful installed utilities that may be used after compromising a system to +escalate privileges or move latteraly across the network. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] 
@@ -20,16 +22,15 @@ risk_score = 21 rule_id = "5b18eef4-842c-4b47-970f-f08d24004bde" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "which" and process.args_count >= 10 and not process.parent.name == "jem" and @@ -38,20 +39,18 @@ not process.args == "--tty-only" /* potential tuning if rule would turn out to be noisy and process.args in ("nmap", "nc", "ncat", "netcat", nc.traditional", "gcc", "g++", "socat") and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") -*/ +*/ ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_unusual_user_enumeration_via_id.toml b/rules/linux/discovery_unusual_user_enumeration_via_id.toml index 860c3e226..d36e05269 100644 --- a/rules/linux/discovery_unusual_user_enumeration_via_id.toml +++ b/rules/linux/discovery_unusual_user_enumeration_via_id.toml 
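Review bot: The tuning hint inside the EQL block comment is not valid EQL: `nc.traditional"` is missing its opening quote, so anyone who uncomments the suggested `process.args in (...)` filter gets a parse error; the hunk touches the closing `*/` of that very comment, so this is the moment to change it to `"nc.traditional"`. The `*/` change itself looks like it only adds trailing whitespace, which a formatter pass will likely strip again — worth confirming that is intended.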
@@ -2,13 +2,15 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ This rule monitors for a sequence of 20 "id" command executions within 1 second by the same parent process. This -behavior is unusual, and may be indicative of the execution of an enumeration script such as LinPEAS or LinEnum. These +behavior is unusual, and may be indicative of the execution of an enumeration script such as LinPEAS or LinEnum. These scripts leverage the "id" command to enumerate the privileges of all users present on the system. """ from = "now-9m" @@ -44,15 +46,8 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"] type = "eql" - query = ''' sequence by host.id, process.parent.entity_id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -60,17 +55,15 @@ sequence by host.id, process.parent.entity_id with maxspan=1s not (process.parent.name == "rpm" or process.parent.args : "/var/tmp/rpm-tmp*")] with runs=20 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1033" name = "System Owner/User Discovery" reference = "https://attack.mitre.org/techniques/T1033/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - 
diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml index 62990271a..58b5f0049 100644 --- a/rules/linux/discovery_virtual_machine_fingerprinting.toml +++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -62,14 +64,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml index ebd86e57f..8ce081939 100644 --- a/rules/linux/execution_abnormal_process_id_file_created.toml +++ b/rules/linux/execution_abnormal_process_id_file_created.toml @@ -2,7 +2,9 @@ creation_date = "2022/05/11" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/02/20" [rule] author = ["Elastic"] 
@@ -98,15 +100,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Threat: BPFDoor", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Threat: BPFDoor", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -124,15 +126,14 @@ vzctl or ifup or rpcbind or runc or gitlab-runner-helper or elastic-agent or met not file.name : (jem.*.pid) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1106" name = "Native API" reference = "https://attack.mitre.org/techniques/T1106/" - [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -141,8 +142,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "file.path"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml b/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml index 668a851f9..ae5eff02e 100644 --- a/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml +++ b/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml 
@@ -2,18 +2,20 @@ creation_date = "2023/10/11" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Linux environment variable capture feature via the Elastic Defend Integration was added in 8.6." +min_stack_version = "8.6.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction +Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow -during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be -executed with and without the use of environment variables. For increased visibility, enable the collection of -http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of -this rule. +during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed +with and without the use of environment variables. For increased visibility, enable the collection of http_proxy, +HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule. """ + from = "now-9m" index = ["logs-endpoint.events.*"] language = "eql" @@ -22,7 +24,7 @@ name = "Potential curl CVE-2023-38545 Exploitation" references = [ "https://curl.se/docs/CVE-2023-38545.html", "https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/", - "https://twitter.com/_JohnHammond/status/1711986412554531015", + "https://twitter.com/_JohnHammond/status/1711986412554531015" ] risk_score = 47 rule_id = "f41296b4-9975-44d6-9486-514c6f635b2d" 
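Review bot: The first hunk appears to insert an empty line between the closing `"""` of `description` and `from = "now-9m"`, which no other rule file in this diff does; the surrounding `[rule]` keys are otherwise contiguous. It is harmless to the parser but is the kind of stray whitespace that the rest of this commit is removing elsewhere (the dropped blank lines before `[[rule.threat]]` and at end of file), so the file ends up inconsistent with its siblings. Dropping the added blank line would keep the `[rule]` block contiguous like the other files.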
@@ -66,16 +68,15 @@ For more information on capturing environment variables refer to the [helper gui """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Use Case: Vulnerability", - "Tactic: Execution", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Use Case: Vulnerability", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "curl" and ( @@ -86,17 +87,15 @@ not process.parent.name in ("cf-agent", "agent-run", "agent-check", "rudder", "a not process.args == "/opt/rudder/bin/curl" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/execution_file_execution_followed_by_deletion.toml b/rules/linux/execution_file_execution_followed_by_deletion.toml index c6b2f93a4..a65032f83 100644 --- a/rules/linux/execution_file_execution_followed_by_deletion.toml +++ b/rules/linux/execution_file_execution_followed_by_deletion.toml 
@@ -2,13 +2,15 @@ creation_date = "2023/08/28" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ This rule monitors for the creation of a file, followed by its execution and self-deletion in a short timespan within a -directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute +directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute malicious code and delete itself to hide its tracks. """ from = "now-9m" @@ -44,15 +46,8 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] type = "eql" - query = ''' sequence by host.id, user.id with maxspan=1m [file where host.os.type == "linux" and event.action == "creation" and @@ -66,22 +61,20 @@ sequence by host.id, user.id with maxspan=1m "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*")] by file.name ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - 
diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml index 4e0c64c9b..56c2f7469 100644 --- a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml +++ b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -109,14 +111,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/linux/execution_interpreter_tty_upgrade.toml b/rules/linux/execution_interpreter_tty_upgrade.toml index 791a62e39..d607c959f 100644 --- a/rules/linux/execution_interpreter_tty_upgrade.toml +++ b/rules/linux/execution_interpreter_tty_upgrade.toml 
@@ -2,13 +2,15 @@ creation_date = "2023/09/20" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/03/08" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] description = """ -Identifies when a non-interactive terminal (tty) is being upgraded to a fully interactive shell. Attackers may upgrade a -simple reverse shell to a fully interactive tty after obtaining initial access to a host, in order to obtain a more +Identifies when a non-interactive terminal (tty) is being upgraded to a fully interactive shell. Attackers may upgrade +a simple reverse shell to a fully interactive tty after obtaining initial access to a host, in order to obtain a more stable connection. """ from = "now-9m" @@ -44,17 +46,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] timestamp_override = "event.ingested" +tags = ["Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( (process.name == "stty" and process.args == "raw" and process.args == "-echo" and process.args_count >= 3) or 
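Review bot: The restored `[metadata]` block in the first hunk lists `updated_date` before `min_stack_comments` and `min_stack_version`, whereas the other rules in this diff (for example discovery_suspicious_which_command_execution.toml) keep those keys in alphabetical order; the same out-of-order placement recurs in execution_potential_hack_tool_executed.toml and execution_python_tty_shell.toml. In the second hunk `tags` is moved below `timestamp_override`, again breaking the key order the sibling files follow, and the array itself takes a third shape (first element on the bracket line) next to the one-per-line and single-line forms used elsewhere in this commit. TOML accepts all of these, but three layouts for the same field and keys in arbitrary order make every later diff harder to read and review. Since the files are being brought back to an older revision anyway, passing them through the project's usual rule formatting step before committing would yield one consistent layout, e.g. `min_stack_comments = "New fields added: required_fields, related_integrations, setup"`, `min_stack_version = "8.3.0"`, `updated_date = "2024/03/08"` in that order with `tags` ahead of `timestamp_override`.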
@@ -63,22 +63,20 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/execution_nc_listener_via_rlwrap.toml b/rules/linux/execution_nc_listener_via_rlwrap.toml index d629fd28e..bda20e748 100644 --- a/rules/linux/execution_nc_listener_via_rlwrap.toml +++ b/rules/linux/execution_nc_listener_via_rlwrap.toml @@ -2,13 +2,15 @@ creation_date = "2023/09/22" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ Monitors for the execution of a netcat listener via rlwrap. rlwrap is a 'readline wrapper', a small utility that uses -the GNU Readline library to allow the editing of keyboard input for any command. This utility can be used in conjunction +the GNU Readline library to allow the editing of keyboard input for any command. This utility can be used in conjunction with netcat to gain a more stable reverse shell. """ false_positives = [ 
@@ -52,39 +54,35 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] +tags = ["Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "rlwrap" and process.args in ("nc", "ncat", "netcat", "nc.openbsd", "socat") and process.args : "*l*" and process.args_count >= 4 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml index 205b2b1e1..24d545add 100644 --- a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml +++ b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml 
@@ -2,24 +2,28 @@ creation_date = "2024/03/13" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "The sampling feature within EQL was introduced in 8.6.0" +min_stack_version = "8.6.0" +updated_date = "2024/03/13" [rule] author = ["Elastic"] description = """ -Monitors for the execution of a unix binary with read, write and execute memory region permissions, followed by a +Monitors for the execution of a unix binary with read, write and execute memory region permissions, followed by a network connection. The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many -cases overly permissive, and should (especially in conjunction with an outbound network connection) be analyzed -thoroughly. +cases overly permissive, and should (especially in conjunction with an outbound network connection) be analyzed +thoroughly. """ from = "now-9m" index = ["logs-endpoint.events.*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Network Connection from Binary with RWX Memory Region" -references = ["https://man7.org/linux/man-pages/man2/mprotect.2.html"] +references = [ + "https://man7.org/linux/man-pages/man2/mprotect.2.html" +] risk_score = 47 rule_id = "32300431-c2d5-432d-8ec8-0e03f9924756" setup = """## Setup 
@@ -41,16 +45,15 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' sample by host.id, process.pid, process.name /* auditd.data.a2 == "7" translates to RWX memory region protection (PROT_READ | PROT_WRITE | PROT_EXEC) */ @@ -59,34 +62,33 @@ sample by host.id, process.pid, process.name not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] -id = "TA0011" name = "Command and Control" +id = "TA0011" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +name = "Application Layer Protocol" +id = "T1071" +reference = "https://attack.mitre.org/techniques/T1071/" 
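Review bot: The threat mapping restored in the third hunk places `[rule.threat.tactic]` before `[[rule.threat.technique]]` and orders `name` ahead of `id`, the reverse of every other rule in this diff (technique first, then tactic, with `id` before `name`); execution_network_event_post_compilation.toml later in the diff restores the same inverted layout. TOML parses either order, so the ATT&CK mapping and the detection logic are unchanged, but these two files will keep producing noisy diffs against the rest of the rule set whenever they are reformatted. Swapping the blocks to `[[rule.threat.technique]]` followed by `[rule.threat.tactic]`, with `id = "TA0002"` ahead of `name = "Execution"` (and likewise for the TA0011/T1071 pair), would match the siblings without altering the rule.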
diff --git a/rules/linux/execution_network_event_post_compilation.toml b/rules/linux/execution_network_event_post_compilation.toml index f35e2868e..e1f236cfb 100644 --- a/rules/linux/execution_network_event_post_compilation.toml +++ b/rules/linux/execution_network_event_post_compilation.toml @@ -2,13 +2,15 @@ creation_date = "2023/08/28" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network -connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server. +This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network +connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server. Attackers may spawn reverse shells to establish persistence onto a target system. """ from = "now-9m" @@ -45,14 +47,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by host.id with maxspan=1m [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -63,34 +64,33 @@ sequence by host.id with maxspan=1m not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] by process.name ''' - [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] -id = "TA0011" name = "Command and Control" +id = "TA0011" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +name = "Application Layer Protocol" +id = "T1071" +reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml index e8399decc..35a7229b1 100644 --- a/rules/linux/execution_perl_tty_shell.toml +++ b/rules/linux/execution_perl_tty_shell.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/16" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -55,14 +57,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/linux/execution_potential_hack_tool_executed.toml b/rules/linux/execution_potential_hack_tool_executed.toml index 345349b91..7f496983a 100644 --- a/rules/linux/execution_potential_hack_tool_executed.toml +++ b/rules/linux/execution_potential_hack_tool_executed.toml @@ -2,12 +2,14 @@ creation_date = "2023/09/22" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/03/08" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] description = """ -Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from +Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from this rule should be investigated further, as hack tools are commonly used by blue teamers and system administrators as well. """ 
@@ -45,18 +47,17 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", -] timestamp_override = "event.ingested" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ( @@ -77,7 +78,6 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" @@ -85,4 +85,3 @@ framework = "MITRE ATT&CK" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/execution_process_started_from_process_id_file.toml b/rules/linux/execution_process_started_from_process_id_file.toml index 2cc5578a9..cbe81a44d 100644 --- a/rules/linux/execution_process_started_from_process_id_file.toml +++ b/rules/linux/execution_process_started_from_process_id_file.toml @@ -2,7 +2,9 @@ creation_date = "2022/05/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/20" [rule] author = ["Elastic"] 
@@ -66,15 +68,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "high" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Threat: BPFDoor", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Threat: BPFDoor", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" @@ -83,17 +85,15 @@ process where host.os.type == "linux" and event.type == "start" and user.id == " process.executable regex~ """/var/run/\w+\.(pid|lock|reboot)""" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/execution_process_started_in_shared_memory_directory.toml b/rules/linux/execution_process_started_in_shared_memory_directory.toml index f3f896a29..fa6d47407 100644 --- a/rules/linux/execution_process_started_in_shared_memory_directory.toml +++ b/rules/linux/execution_process_started_in_shared_memory_directory.toml @@ -2,7 +2,9 @@ creation_date = "2022/05/10" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/12/13" [rule] author = ["Elastic"] 
@@ -57,14 +59,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "high" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Threat: BPFDoor", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Threat: BPFDoor", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -75,15 +77,14 @@ not process.executable : ("/var/run/docker/*", "/var/run/utsns/*", "/var/run/s6/ "/var/run/argo/argoexec") and not process.parent.command_line : "/usr/bin/runc init" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml index 04af725fa..e419b51a4 100644 --- a/rules/linux/execution_python_tty_shell.toml +++ b/rules/linux/execution_python_tty_shell.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/15" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/03/08" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] 
@@ -43,15 +45,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] timestamp_override = "event.ingested" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] type = "eql" query = ''' @@ -64,22 +66,20 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.006" name = "Python" reference = "https://attack.mitre.org/techniques/T1059/006/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/execution_remote_code_execution_via_postgresql.toml b/rules/linux/execution_remote_code_execution_via_postgresql.toml index 37031b2bf..f5db5c613 100644 --- a/rules/linux/execution_remote_code_execution_via_postgresql.toml +++ b/rules/linux/execution_remote_code_execution_via_postgresql.toml 
@@ -2,16 +2,18 @@ creation_date = "2022/06/20" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a -PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public -facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, -which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for -unauthorized access and malicious actions. +This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within +a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a +public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection +attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities +for unauthorized access and malicious actions. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] 
@@ -46,14 +48,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -65,22 +66,20 @@ user.name == "postgres" and ( ) and not process.parent.name : "puppet" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml index 648294234..b3bef3b27 100644 --- a/rules/linux/execution_shell_evasion_linux_binary.toml +++ b/rules/linux/execution_shell_evasion_linux_binary.toml 
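Review bot: The exclusion `not process.parent.name : "puppet"` on the last query line keys on a process name, which is under the control of whoever is already executing on the host: a copy of a shell dropped or symlinked as `puppet` inherits the allow-list. If the intent is to suppress Puppet agent runs, anchor on the parent's path instead, e.g. `not process.parent.executable : "/opt/puppetlabs/*"` (confirm the install path used in your fleet), optionally keeping the name match as an additional condition rather than the sole one. The query head, including the `user.name == "postgres"` clause, starts outside this hunk, so other constraints may narrow this — worth checking before changing.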
@@ -2,13 +2,15 @@ creation_date = "2022/05/06" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] description = """ -Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive -system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, +Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive +system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary. """ from = "now-9m" @@ -125,17 +127,9 @@ Session View uses process data collected by the Elastic Defend integration, but For more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and ( 
@@ -190,22 +184,20 @@ process where host.os.type == "linux" and event.type == "start" and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/execution_shell_via_background_process.toml b/rules/linux/execution_shell_via_background_process.toml index 2c768bc41..430753720 100644 --- a/rules/linux/execution_shell_via_background_process.toml +++ b/rules/linux/execution_shell_via_background_process.toml @@ -2,13 +2,15 @@ creation_date = "2023/09/20" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -Monitors for the execution of background processes with process arguments capable of opening a socket in the /dev/tcp -channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further. +Monitors for the execution of background processes with process arguments capable of opening a socket in the /dev/tcp +channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] 
@@ -43,51 +45,49 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] timestamp_override = "event.ingested" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name in ("setsid", "nohup") and process.args : "*/dev/tcp/*0>&1*" and process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] -id = "TA0011" name = "Command and Control" +id = "TA0011" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +name = "Application Layer Protocol" +id = "T1071" +reference = "https://attack.mitre.org/techniques/T1071/" 
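Review bot: The wildcard `process.args : "*/dev/tcp/*0>&1*"` on the query's third line only matches the `>& /dev/tcp/h/p 0>&1` idiom; the equally common descriptor form (`exec 196<>/dev/tcp/h/p; sh <&196 >&196 2>&196`) never contains `0>&1` and slips past the rule even though `setsid`/`nohup` and the shell parent are present. Since the `process.name in ("setsid", "nohup")` and `process.parent.name in (...)` constraints already carry most of the specificity, consider either widening to `process.args : ("*/dev/tcp/*0>&1*", "*/dev/tcp/*<>*", "*<&*/dev/tcp/*")` or dropping the redirection suffix to `process.args : "*/dev/tcp/*"`, and measure the false-positive rate before widening. The rest of the rule (description, setup) is outside this hunk.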
diff --git a/rules/linux/execution_shell_via_child_tcp_utility_linux.toml b/rules/linux/execution_shell_via_child_tcp_utility_linux.toml index dcbcb5da9..0369a74e6 100644 --- a/rules/linux/execution_shell_via_child_tcp_utility_linux.toml +++ b/rules/linux/execution_shell_via_child_tcp_utility_linux.toml @@ -2,7 +2,9 @@ creation_date = "2023/11/02" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/17" [rule] author = ["Elastic"] @@ -17,7 +19,7 @@ language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell via Child" references = [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" ] risk_score = 47 rule_id = "2138bb70-5a5e-42fd-be5e-b38edf6a6777" @@ -50,14 +52,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by host.id, process.entity_id with maxspan=5s [network where event.type == "start" and host.os.type == "linux" and 
@@ -70,34 +71,33 @@ sequence by host.id, process.entity_id with maxspan=5s )] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] -id = "TA0011" name = "Command and Control" +id = "TA0011" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +name = "Application Layer Protocol" +id = "T1071" +reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_shell_via_java_revshell_linux.toml b/rules/linux/execution_shell_via_java_revshell_linux.toml index 8294a0bd4..ef459002a 100644 --- a/rules/linux/execution_shell_via_java_revshell_linux.toml +++ b/rules/linux/execution_shell_via_java_revshell_linux.toml @@ -2,7 +2,9 @@ creation_date = "2023/07/04" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/12/13" [rule] author = ["Elastic"] 
@@ -16,7 +18,7 @@ language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell via Java" references = [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" ] risk_score = 47 rule_id = "5a3d5447-31c9-409a-aed1-72f9921594fd" @@ -47,14 +49,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by host.id with maxspan=5s [network where host.os.type == "linux" and event.action in ("connection_accepted", "connection_attempted") and 
@@ -76,34 +77,33 @@ sequence by host.id with maxspan=5s )] by process.parent.entity_id ''' - [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] -id = "TA0011" name = "Command and Control" +id = "TA0011" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +name = "Application Layer Protocol" +id = "T1071" +reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml index 4d5cb2085..a01e43904 100644 --- a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml +++ b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml 
@@ -2,13 +2,15 @@ creation_date = "2023/07/04" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/12/13" [rule] author = ["Elastic"] description = """ -This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by -the specified utilities that are initialized from a single process followed by a network connection attempt will be +This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by +the specified utilities that are initialized from a single process followed by a network connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system. """ from = "now-9m" @@ -17,7 +19,7 @@ language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell via Suspicious Child Process" references = [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" ] risk_score = 47 rule_id = "76e4d92b-61c1-4a95-ab61-5fd94179a1ee" @@ -48,14 +50,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by host.id, process.entity_id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "fork") and ( 
@@ -85,34 +86,33 @@ sequence by host.id, process.entity_id with maxspan=1s destination.ip != null and not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] -id = "TA0011" name = "Command and Control" +id = "TA0011" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +name = "Application Layer Protocol" +id = "T1071" +reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_shell_via_meterpreter_linux.toml b/rules/linux/execution_shell_via_meterpreter_linux.toml index 789d77cf1..d8400c11b 100644 --- a/rules/linux/execution_shell_via_meterpreter_linux.toml +++ b/rules/linux/execution_shell_via_meterpreter_linux.toml 
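Review bot: The `cidrmatch` exclusion in the network step filters IPv4 loopback, link-local and multicast destinations but for IPv6 excludes only `::1`, so IPv6 link-local and multicast (`fe80::/10`, `ff00::/8`) are still treated as candidate reverse-shell egress while their IPv4 equivalents are suppressed. If those ranges are noise for the same reason, make the two families consistent: `not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1", "fe80::/10", "ff00::/8")`. If they were left in deliberately (a listener on a link-local IPv6 address is reachable on the LAN), a sentence in the description saying so would stop the next reader from "fixing" it. The sequence's first step starts outside this hunk.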
@@ -2,14 +2,16 @@ creation_date = "2023/08/10" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "The sampling feature within EQL was introduced in 8.6.0" +min_stack_version = "8.6.0" +updated_date = "2024/02/19" [rule] author = ["Elastic"] description = """ -This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged +This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting -this pattern is indicative of a successful meterpreter shell connection. +this pattern is indicative of a successful meterpreter shell connection. """ from = "now-9m" index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] @@ -58,15 +60,14 @@ However, if more advanced configuration is required to detect specific behavior, """ severity = "medium" tags = [ - "Data Source: Auditd Manager", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", -] + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' sample by host.id, process.pid, user.id [file where host.os.type == "linux" and auditd.data.syscall == "open" and auditd.data.a2 == "1b6" and file.path == "/etc/machine-id"] 
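Review bot: Each `sample` branch matches `auditd.data.syscall == "open"` with the mode in `auditd.data.a2`; on hosts whose libc implements `open()` through `openat(2)` the audit record carries `syscall=openat` and the mode in `a3`, so those branches would never fire even when the fingerprinted files are read. Whether the Meterpreter payload issues `open` directly is not visible here, so confirm against a test session; if `openat` does appear, extend each branch to `((auditd.data.syscall == "open" and auditd.data.a2 == "1b6") or (auditd.data.syscall == "openat" and auditd.data.a3 == "1b6"))` and make sure the auditd rule in the setup section also records `openat`. The query continues past this hunk.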
@@ -76,34 +77,33 @@ sample by host.id, process.pid, user.id [file where host.os.type == "linux" and auditd.data.syscall == "open" and auditd.data.a2 == "1b6" and file.path == "/proc/net/if_inet6"] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] -id = "TA0011" name = "Command and Control" +id = "TA0011" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +name = "Application Layer Protocol" +id = "T1071" +reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_shell_via_suspicious_binary.toml b/rules/linux/execution_shell_via_suspicious_binary.toml index 3e79f5cfa..47e3831d9 100644 --- a/rules/linux/execution_shell_via_suspicious_binary.toml +++ b/rules/linux/execution_shell_via_suspicious_binary.toml 
@@ -2,14 +2,16 @@ creation_date = "2023/07/05" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ This detection rule detects the creation of a shell through a chain consisting of the execution of a suspicious binary (located in a commonly abused location or executed manually) followed by a network event and ending with a shell being -spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish +spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish persistence onto a target system. """ from = "now-9m" @@ -18,7 +20,7 @@ language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell via Suspicious Binary" references = [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" ] risk_score = 47 rule_id = "fa3a59dc-33c3-43bf-80a9-e8437a922c7f" @@ -49,14 +51,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by host.id, process.entity_id with maxspan=1s [ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -78,34 +79,33 @@ sequence by host.id, process.entity_id with maxspan=1s process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] -id = "TA0011" name = "Command and Control" +id = "TA0011" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +name = "Application Layer Protocol" +id = "T1071" +reference = "https://attack.mitre.org/techniques/T1071/" \ No newline at end of file diff --git a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml index 56c51e0f5..5d69e7198 100644 --- a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml +++ b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml @@ -2,7 +2,9 @@ creation_date = "2023/07/04" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/17" [rule] author = ["Elastic"] 
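Review bot: The new side of execution_shell_via_suspicious_binary.toml ends without a trailing newline (`\ No newline at end of file` after the T1071 `reference` line), unlike the sibling rule files in this change. Add the final newline so the file is a well-formed text file and so a formatter or the next edit does not produce a spurious one-line diff here; a TOML writer that normalises the file would presumably re-add it anyway, and it is cheaper to do now.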
@@ -17,7 +19,7 @@ language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell" references = [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" ] risk_score = 47 rule_id = "48b3d2e3-f4e8-41e6-95e6-9b2091228db3" @@ -48,14 +50,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by host.id with maxspan=5s [network where event.type == "start" and host.os.type == "linux" and 
@@ -68,34 +69,33 @@ sequence by host.id with maxspan=5s )] by process.parent.entity_id ''' - [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] -id = "TA0011" name = "Command and Control" +id = "TA0011" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +name = "Application Layer Protocol" +id = "T1071" +reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml index 0a453512b..0f609ef43 100644 --- a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml +++ b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml 
@@ -2,14 +2,16 @@ creation_date = "2023/07/04" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "The sampling feature within EQL was introduced in 8.6.0" +min_stack_version = "8.6.0" +updated_date = "2024/03/13" [rule] author = ["Elastic"] description = """ -This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This +This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the -auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux +auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly. """ from = "now-9m" @@ -18,7 +20,7 @@ language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell via UDP" references = [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" ] risk_score = 47 rule_id = "a5eb21b7-13cc-4b94-9fe2-29bb2914e037" @@ -63,11 +65,10 @@ tags = [ "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", - "Tactic: Execution", -] + "Tactic: Execution" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' sample by host.id, process.pid, process.parent.pid [process where host.os.type == "linux" and event.type == "start" and event.action == "executed" and process.name : ( 
@@ -86,34 +87,33 @@ sample by host.id, process.pid, process.parent.pid not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] -id = "TA0011" name = "Command and Control" +id = "TA0011" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +name = "Application Layer Protocol" +id = "T1071" +reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml index 95c59d602..0f19dd505 100644 --- a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml +++ b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml @@ -2,7 +2,9 @@ creation_date = "2023/06/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -17,7 +19,9 @@ index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Suspicious Content Extracted or Decompressed via Funzip" -references = ["https://attack.mitre.org/software/S0482/"] +references = [ + "https://attack.mitre.org/software/S0482/" +] risk_score = 47 rule_id = "dc0b7782-0df0-47ff-8337-db0d678bdb66" setup = """## Setup @@ -46,17 +50,9 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.action in ("exec", "exec_event") and ((process.args == "tail" and process.args == "-c" and process.args == "funzip")) and 
@@ -65,39 +61,38 @@ not process.parent.executable : ("/usr/bin/dracut", "/sbin/dracut", "/usr/bin/xa not (process.parent.name in ("sh", "sudo") and process.parent.command_line : "*nessus_su*") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] -id = "T1059.004" name = "Unix Shell" +id = "T1059.004" reference = "https://attack.mitre.org/techniques/T1059/004/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Defense Evasion" +id = "TA0005" +reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat.technique]] -id = "T1027" name = "Obfuscated Files or Information" +id = "T1027" reference = "https://attack.mitre.org/techniques/T1027/" [[rule.threat.technique]] -id = "T1140" name = "Deobfuscate/Decode Files or Information" +id = "T1140" reference = "https://attack.mitre.org/techniques/T1140/" - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/execution_suspicious_executable_running_system_commands.toml b/rules/linux/execution_suspicious_executable_running_system_commands.toml index 39074a87a..f0bf64224 100644 --- a/rules/linux/execution_suspicious_executable_running_system_commands.toml +++ b/rules/linux/execution_suspicious_executable_running_system_commands.toml 
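Review bot: The exclusion `not (process.parent.name in ("sh", "sudo") and process.parent.command_line : "*nessus_su*")` on the second query line keys on a substring of the parent's command line, which anyone able to run a shell on the host can reproduce (`sh -c 'nessus_su=1; tail -c ... | funzip'`), turning the scanner allow-list into a bypass. Prefer anchoring on the scanner's executable path or service account, e.g. `not process.parent.executable : "/opt/nessus/*"` (confirm the install path), and keep the command-line substring only as an additional condition. The remaining parent-executable exclusions sit in the hunk header text, outside the hunk.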
@@ -2,15 +2,17 @@ creation_date = "2023/06/14" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] description = """ This rule monitors for the execution of several commonly used system commands executed by a previously unknown -executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially -malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code. -Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the +executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially +malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code. +Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise. """ from = "now-9m" @@ -46,14 +48,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "new_terms" 
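Review bot: `updated_date` moves backwards from "2024/05/21" to "2023/11/02" in the same hunk that re-adds `min_stack_version = "8.6.0"` and `min_stack_comments`, so the file is edited now but stamped with an older date than the one already shipped. If this is a byte-for-byte revert that may be intended, but anything downstream that compares `updated_date` to decide whether a rule changed will not notice this edit. Consider keeping `updated_date = "2024/05/21"` (or today's date) next to the restored `min_stack_*` lines; the same rollback appears in every other rule file in this change.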
@@ -69,30 +64,28 @@ process.executable:( not process.parent.executable:(/bin/* or /usr/bin/* or /run/k3s/* or /etc/network/* or /opt/Elastic/*) ''' - [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - - - + [rule.threat.tactic] -id = "TA0002" name = "Execution" +id = "TA0002" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +name = "Command and Scripting Interpreter" +id = "T1059" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +name = "Unix Shell" +id = "T1059.004" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.id", "process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules/linux/execution_suspicious_mining_process_creation_events.toml b/rules/linux/execution_suspicious_mining_process_creation_events.toml index 6578d9e15..35ee9d990 100644 --- a/rules/linux/execution_suspicious_mining_process_creation_events.toml +++ b/rules/linux/execution_suspicious_mining_process_creation_events.toml @@ -2,7 +2,9 @@ creation_date = "2023/02/08" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -44,37 +46,34 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' file where host.os.type == "linux" and event.type == "creation" and event.action : ("creation", "file_create_event") and file.name : ("aliyun.service", "moneroocean_miner.service", "c3pool_miner.service", "pnsd.service", "apache4.service", "pastebin.service", "xvf.service") ''' - [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.004" -name = "Unix Shell" -reference = "https://attack.mitre.org/techniques/T1059/004/" - - - + [rule.threat.tactic] -id = "TA0002" name = "Execution" +id = "TA0002" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +name = "Command and Scripting Interpreter" +id = "T1059" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +name = "Unix Shell" +id = "T1059.004" +reference = "https://attack.mitre.org/techniques/T1059/004/" diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml index 1422ba8d4..80dbb34e5 100644 --- a/rules/linux/execution_tc_bpf_filter.toml +++ b/rules/linux/execution_tc_bpf_filter.toml 
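Review bot: The restored `tags` block uses hand formatting (two-space indent, no trailing comma, an indented closing `]`) while the removed side used the four-space, trailing-comma, column-0 `]` layout that the rest of the repository's rule files carry, and other rules in this same change are restored as a one-line `tags = [...]` instead. Presumably the rule loader rewrites these on the next save, so the inconsistency will churn again; running the repository's rule formatter over the restored files before merging would keep the diff to the metadata lines that actually matter. The reorder of `[rule.threat.tactic]` ahead of `[[rule.threat.technique]]` is valid TOML and does not change the parsed rule.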
@@ -1,8 +1,10 @@ [metadata] creation_date = "2022/07/11" -integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/20" +integration = ["endpoint"] [rule] author = ["Elastic"] @@ -50,14 +52,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "high" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Threat: TripleCross", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Threat: TripleCross", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -67,22 +69,20 @@ process.args == "filter" and process.args == "add" and process.args == "bpf" and not process.parent.executable == "/usr/sbin/libvirtd" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml b/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml index 27ee5bebe..28e6322f5 100644 --- a/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml +++ b/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml 
@@ -2,7 +2,9 @@ creation_date = "2024/03/13" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/03/13" [rule] author = ["Elastic"] @@ -11,14 +13,16 @@ Monitors for the execution of a previously unknown unix binary with read, write The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many cases -overly permissive, and should be analyzed thoroughly. +overly permissive, and should be analyzed thoroughly. """ from = "now-9m" index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] language = "kuery" license = "Elastic License v2" name = "Unknown Execution of Binary with RWX Memory Region" -references = ["https://man7.org/linux/man-pages/man2/mprotect.2.html"] +references = [ + "https://man7.org/linux/man-pages/man2/mprotect.2.html" +] risk_score = 47 rule_id = "23bcd283-2bc0-4db2-81d4-273fc051e5c0" setup = """## Setup 
@@ -40,43 +44,40 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' event.category:process and host.os.type:linux and auditd.data.syscall:mprotect and auditd.data.a2:7 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" - - diff --git a/rules/linux/impact_data_encrypted_via_openssl.toml b/rules/linux/impact_data_encrypted_via_openssl.toml index 2e7a762d6..f2d6c9090 100644 --- a/rules/linux/impact_data_encrypted_via_openssl.toml +++ b/rules/linux/impact_data_encrypted_via_openssl.toml @@ -2,7 +2,9 @@ creation_date = "2023/06/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -17,8 +19,8 @@ language = "eql" license = "Elastic License v2" name = "Suspicious Data Encryption via OpenSSL Utility" references = [ - "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", - "https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html", + "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", + "https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html", ] risk_score = 47 rule_id = "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73" @@ -48,15 +50,8 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Impact", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"] type = "eql" - query = ''' sequence by host.id, user.name, process.parent.entity_id with maxspan=5s [ process where host.os.type == "linux" and event.action == "exec" and @@ -67,17 +62,15 @@ sequence by host.id, user.name, process.parent.entity_id with maxspan=5s not process.args in ("-d", "-a", "-A", "-base64", "-none", "-nosalt") ] with runs=10 ''' - [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1486" -name = "Data Encrypted for Impact" -reference = "https://attack.mitre.org/techniques/T1486/" - [rule.threat.tactic] -id = "TA0040" name = "Impact" +id = "TA0040" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat.technique]] +name = "Data Encrypted for Impact" +id = "T1486" +reference = "https://attack.mitre.org/techniques/T1486/" 
diff --git a/rules/linux/impact_esxi_process_kill.toml b/rules/linux/impact_esxi_process_kill.toml
index bc58c8a9c..8b9003468 100644
--- a/rules/linux/impact_esxi_process_kill.toml
+++ b/rules/linux/impact_esxi_process_kill.toml
@@ -2,15 +2,17 @@
 creation_date = "2023/04/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.5.0"
+updated_date = "2024/02/20"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies instances where VMware processes, such as "vmware-vmx" or "vmx," are terminated on a Linux system by a "kill"
-command. The rule monitors for the "end" event type, which signifies the termination of a process. The presence of a
-"kill" command as the parent process for terminating VMware processes may indicate that a threat actor is attempting to
-interfere with the virtualized environment on the targeted system.
+Identifies instances where VMware processes, such as "vmware-vmx" or "vmx," are terminated on a Linux system
+by a "kill" command. The rule monitors for the "end" event type, which signifies the termination of a process.
+The presence of a "kill" command as the parent process for terminating VMware processes may indicate that a
+threat actor is attempting to interfere with the virtualized environment on the targeted system.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*"]
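Review bot: `min_stack_version = "8.5.0"` is paired with `min_stack_comments = "New fields added: required_fields, related_integrations, setup"`, but that identical comment justifies `8.3.0` on the other rules restored in this change (the mining, tc/bpf, openssl and ransomware rules), so either the version or the comment is wrong here. If 8.5 is genuinely required for this rule the comment should name the 8.5 feature it depends on; nothing visible in the rule body (a plain EQL process query on `event.type == "end"` and `process.parent.name == "kill"`) obviously needs it. Otherwise align the line to `min_stack_version = "8.3.0"` so the version lock is not pinned higher than necessary.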
@@ -49,32 +51,29 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Impact", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "end" and process.name in ("vmware-vmx", "vmx") and process.parent.name == "kill" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1489" name = "Service Stop" reference = "https://attack.mitre.org/techniques/T1489/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml index ad559bb91..f88c579f2 100644 --- a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml +++ b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml 
@@ -2,15 +2,17 @@ creation_date = "2023/03/20" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/21" [rule] author = ["Elastic"] description = """ -This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same -process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and demands -payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack -is the mass encryption of the file system, after which a new file extension is added to the file. +This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same +process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and +demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware +attack is the mass encryption of the file system, after which a new file extension is added to the file. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -46,14 +48,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Impact", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by process.entity_id, host.id with maxspan=1s [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*" 
@@ -70,17 +71,15 @@ sequence by process.entity_id, host.id with maxspan=1s ] with runs=25 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1486" name = "Data Encrypted for Impact" reference = "https://attack.mitre.org/techniques/T1486/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/linux/impact_potential_linux_ransomware_note_detected.toml b/rules/linux/impact_potential_linux_ransomware_note_detected.toml index c7ffba1b3..347b2c6a5 100644 --- a/rules/linux/impact_potential_linux_ransomware_note_detected.toml +++ b/rules/linux/impact_potential_linux_ransomware_note_detected.toml @@ -2,16 +2,18 @@ creation_date = "2023/03/20" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/21" [rule] author = ["Elastic"] description = """ -This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a -file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of +This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with +a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a -new file extension is added to the file. +new file extension is added to the file. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
@@ -47,14 +49,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Impact", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by process.entity_id, host.id with maxspan=1s [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*" @@ -74,17 +75,15 @@ sequence by process.entity_id, host.id with maxspan=1s ] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1486" name = "Data Encrypted for Impact" reference = "https://attack.mitre.org/techniques/T1486/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/linux/impact_process_kill_threshold.toml b/rules/linux/impact_process_kill_threshold.toml index 3115bb569..dcbc680f3 100644 --- a/rules/linux/impact_process_kill_threshold.toml +++ b/rules/linux/impact_process_kill_threshold.toml @@ -2,11 +2,15 @@ creation_date = "2022/07/27" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/21" [rule] author = ["Elastic"] -description = "This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.\n" +description = """ +This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period. +""" from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "kuery" 
@@ -74,31 +78,30 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Impact", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", -] -timestamp_override = "event.ingested" + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] type = "threshold" +timestamp_override = "event.ingested" query = ''' event.category:process and host.os.type:linux and event.type:start and process.name:"pkill" and process.args:"-f" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1489" name = "Service Stop" reference = "https://attack.mitre.org/techniques/T1489/" - [rule.threat.tactic] id = "TA0040" name = "Impact" @@ -107,4 +110,3 @@ reference = "https://attack.mitre.org/tactics/TA0040/" [rule.threshold] field = ["host.id", "process.executable", "user.name"] value = 10 - diff --git a/rules/linux/lateral_movement_ssh_it_worm_download.toml b/rules/linux/lateral_movement_ssh_it_worm_download.toml index a09d873eb..c84fb4989 100644 --- a/rules/linux/lateral_movement_ssh_it_worm_download.toml +++ b/rules/linux/lateral_movement_ssh_it_worm_download.toml 
@@ -2,13 +2,15 @@ creation_date = "2023/09/21" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -Identifies processes that are capable of downloading files with command line arguments containing URLs to SSH-IT's -autonomous SSH worm. This worm intercepts outgoing SSH connections every time a user uses ssh. +Identifies processes that are capable of downloading files with command line arguments containing URLs to SSH-IT's +autonomous SSH worm. This worm intercepts outgoing SSH connections every time a user uses ssh. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] @@ -46,17 +48,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("curl", "wget") and process.args : ( 
@@ -65,32 +66,30 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" - [[rule.threat.technique]] id = "T1563" name = "Remote Service Session Hijacking" reference = "https://attack.mitre.org/techniques/T1563/" + [[rule.threat.technique.subtechnique]] id = "T1563.001" name = "SSH Hijacking" reference = "https://attack.mitre.org/techniques/T1563/001/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml index b994203c6..f2186f995 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_external.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/21" [rule] author = ["Elastic"] @@ -65,14 +67,13 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by process.entity_id [process where host.os.type == "linux" and process.name == "telnet" and event.type == "start"] 
@@ -86,17 +87,15 @@ sequence by process.entity_id ] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml index 9775b5535..b50c4c107 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/21" [rule] author = ["Elastic"] @@ -65,14 +67,13 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by process.entity_id [process where host.os.type == "linux" and process.name == "telnet" and event.type == "start"] @@ -86,17 +87,15 @@ sequence by process.entity_id ] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - 
diff --git a/rules/linux/persistence_apt_package_manager_execution.toml b/rules/linux/persistence_apt_package_manager_execution.toml index 30d1a3012..97a17fe29 100644 --- a/rules/linux/persistence_apt_package_manager_execution.toml +++ b/rules/linux/persistence_apt_package_manager_execution.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2024/02/01" -integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" +integration = ["endpoint"] [rule] author = ["Elastic"] @@ -48,16 +50,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by host.id with maxspan=5s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -72,9 +73,9 @@ sequence by host.id with maxspan=5s ] by process.parent.entity_id ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" 
@@ -85,28 +86,29 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" @@ -114,4 +116,3 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/persistence_apt_package_manager_netcon.toml b/rules/linux/persistence_apt_package_manager_netcon.toml index f61fea402..696c037e1 100644 --- a/rules/linux/persistence_apt_package_manager_netcon.toml +++ b/rules/linux/persistence_apt_package_manager_netcon.toml 
@@ -1,14 +1,16 @@ [metadata] creation_date = "2024/02/01" -integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" +integration = ["endpoint"] [rule] author = ["Elastic"] description = """ -Detects suspicious network events executed by the APT package manager, potentially indicating persistence through an APT -backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based +Detects suspicious network events executed by the APT package manager, potentially indicating persistence through an +APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management. @@ -48,16 +50,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Command and Control", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Command and Control", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by host.id with maxspan=5s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -69,9 +70,9 @@ sequence by host.id with maxspan=5s ] by process.parent.entity_id ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" @@ -82,11 +83,11 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -94,6 +95,7 @@ framework = "MITRE ATT&CK" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -101,4 +103,3 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml index 040bc52f6..a5905a233 100644 --- a/rules/linux/persistence_chkconfig_service_add.toml +++ b/rules/linux/persistence_chkconfig_service_add.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2022/07/22" -integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/12/13" +integration = ["endpoint"] [transform] [[transform.osquery]] 
@@ -12,11 +14,20 @@ query = "SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/ [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS -file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS -file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT -JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/init.d/%' OR path LIKE -'/etc/rc%.d/%') +SELECT + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 'unixepoch') AS file_created_time, + f.size AS size_bytes +FROM + file f + LEFT JOIN users u ON f.uid = u.uid + LEFT JOIN groups g ON f.gid = g.gid +WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/rc%.d/%') """ [[transform.osquery]] @@ -43,13 +54,12 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" - [rule] author = ["Elastic"] description = """ Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has -either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run +either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence. """ from = "now-9m" 
@@ -132,7 +142,9 @@ This rule monitors the usage of the `chkconfig` binary to manually add a service - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ -references = ["https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"] +references = [ + "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" +] risk_score = 47 rule_id = "b910f25a-2d44-47f2-a873-aabdc0d355e6" setup = """## Setup @@ -162,14 +174,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Threat: Lightning Framework", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Threat: Lightning Framework", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -183,22 +195,20 @@ not process.parent.name in ("rpm", "qualys-scan-util", "qualys-cloud-agent", "up not process.parent.args : ("/var/tmp/rpm*", "/var/lib/waagent/*") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" + [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - 
diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml index 7a8e8107c..d50db9ab0 100644 --- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml +++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/21" [transform] [[transform.osquery]] @@ -29,7 +31,6 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" - [rule] author = ["Elastic"] description = """ @@ -146,18 +147,17 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Persistence", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "query" - query = ''' event.category:file and host.os.type:linux and event.type:change and process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron or platform-python)) and 
@@ -169,56 +169,56 @@ event.category:file and host.os.type:linux and event.type:change and not process.executable:/usr/share/elasticsearch/* ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" - [[rule.threat.technique]] id = "T1563" name = "Remote Service Session Hijacking" reference = "https://attack.mitre.org/techniques/T1563/" + [[rule.threat.technique.subtechnique]] id = "T1563.001" name = "SSH Hijacking" reference = "https://attack.mitre.org/techniques/T1563/001/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/linux/persistence_cron_job_creation.toml b/rules/linux/persistence_cron_job_creation.toml index 875666ccf..8f52ebce8 100644 --- a/rules/linux/persistence_cron_job_creation.toml +++ b/rules/linux/persistence_cron_job_creation.toml 
@@ -2,33 +2,59 @@ creation_date = "2023/06/09" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term" +min_stack_version = "8.6.0" +updated_date = "2024/02/21" [transform] [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" query = """ -SELECT * FROM file WHERE ( path LIKE '/etc/cron.allow.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE -'/etc/cron.hourly/%' OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR path LIKE -'/etc/cron.monthly/%' ) +SELECT * FROM file WHERE ( + path LIKE '/etc/cron.allow.d/%' OR + path LIKE '/etc/cron.d/%' OR + path LIKE '/etc/cron.hourly/%' OR + path LIKE '/etc/cron.daily/%' OR + path LIKE '/etc/cron.weekly/%' OR + path LIKE '/etc/cron.monthly/%' +) """ - [[transform.osquery]] label = "Osquery - Retrieve rc-local.service File Information" query = """ -SELECT * FROM file WHERE ( path = '/etc/cron.allow' OR path = '/etc/cron.deny' OR path = '/etc/crontab' OR path = -'/usr/sbin/cron' OR path = '/usr/sbin/anacron' ) +SELECT * FROM file WHERE ( + path = '/etc/cron.allow' OR + path = '/etc/cron.deny' OR + path = '/etc/crontab' OR + path = '/usr/sbin/cron' OR + path = '/usr/sbin/anacron' +) """ [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS -file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS -file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT -JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/cron.allow.d/%' OR path LIKE -'/etc/cron.d/%' OR path LIKE '/etc/cron.hourly/%' OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR -path LIKE 
'/etc/cron.monthly/%' ) +SELECT + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 'unixepoch') AS file_created_time, + f.size AS size_bytes +FROM + file f + LEFT JOIN users u ON f.uid = u.uid + LEFT JOIN groups g ON f.gid = g.gid +WHERE ( + path LIKE '/etc/cron.allow.d/%' OR + path LIKE '/etc/cron.d/%' OR + path LIKE '/etc/cron.hourly/%' OR + path LIKE '/etc/cron.daily/%' OR + path LIKE '/etc/cron.weekly/%' OR + path LIKE '/etc/cron.monthly/%' +) """ [[transform.osquery]] @@ -51,7 +77,6 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" - [rule] author = ["Elastic"] description = """ @@ -135,7 +160,7 @@ This rule monitors the creation of previously unknown cron jobs by monitoring fo - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = [ - "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/", + "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" ] risk_score = 47 rule_id = "ff10d4d8-fea7-422d-afb1-e5a2702369a9" 
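Review bot: The re-added `min_stack_comments` on this hunk's new side, `"New fields added: required_fields, related_integrations, setup, New Term"`, does not say what in this rule actually requires 8.6.0; the init.d rule later in the same diff pins 8.6.0 with `"Multiple field support in the New Terms rule type was added in Elastic 8.6"`, and this rule's `[rule.new_terms]` value (visible in a later hunk) also lists three fields, so presumably that is the real constraint here too. Suggest `min_stack_comments = "New fields added: required_fields, related_integrations, setup; multiple field support in the New Terms rule type was added in Elastic 8.6"` so the next version-lock trim does not drop the pin without the reason being recorded. Separately, the unchanged context line `label = "Osquery - Retrieve rc-local.service File Information"` sits above a query that returns cron binaries and cron configuration files, not rc-local; `label = "Osquery - Retrieve Cron Binary and Configuration File Information"` would describe what the analyst actually gets back.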
@@ -166,18 +191,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' host.os.type : "linux" and event.action : ("change" or "file_modify_event" or "creation" or "file_create_event") and file.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or 
@@ -192,54 +216,55 @@ and not ( ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -248,8 +273,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "file.path", "process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" - - diff --git a/rules/linux/persistence_dynamic_linker_backup.toml b/rules/linux/persistence_dynamic_linker_backup.toml index bc8cf7caf..ff7bf2fbd 100644 --- a/rules/linux/persistence_dynamic_linker_backup.toml +++ b/rules/linux/persistence_dynamic_linker_backup.toml 
@@ -1,27 +1,48 @@ [metadata] creation_date = "2022/07/12" -integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/12/19" +integration = ["endpoint"] + [transform] [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" query = """ -SELECT * FROM file WHERE ( path = '/etc/ld.so.preload' OR path = '/lib64/ld-linux-x86-64.so.2' OR path = -'/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR path = '/usr/lib64/ld-linux-x86-64.so.2' OR path = -'/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' ) +SELECT * FROM file WHERE ( + path = '/etc/ld.so.preload' OR + path = '/lib64/ld-linux-x86-64.so.2' OR + path = '/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR + path = '/usr/lib64/ld-linux-x86-64.so.2' OR + path = '/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' +) """ [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS -file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS -file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT -JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path = '/etc/ld.so.preload' OR path = -'/lib64/ld-linux-x86-64.so.2' OR path = '/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR path = -'/usr/lib64/ld-linux-x86-64.so.2' OR path = '/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' ) +SELECT + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 'unixepoch') AS 
file_created_time, + f.size AS size_bytes +FROM + file f + LEFT JOIN users u ON f.uid = u.uid + LEFT JOIN groups g ON f.gid = g.gid +WHERE ( + path = '/etc/ld.so.preload' OR + path = '/lib64/ld-linux-x86-64.so.2' OR + path = '/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR + path = '/usr/lib64/ld-linux-x86-64.so.2' OR + path = '/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' +) """ [[transform.osquery]] @@ -44,14 +65,13 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" - [rule] author = ["Elastic"] description = """ -Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup -copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to -inject and preload a malicious shared object file. This activity should never occur and if it does then it should be -considered highly suspicious or malicious. +Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a +backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in +order to inject and preload a malicious shared object file. This activity should never occur and if it does then it +should be considered highly suspicious or malicious. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
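Review bot: Both reformatted osquery transforms on the new side of this hunk enumerate only the x86-64 loader (`/lib64/ld-linux-x86-64.so.2` and its `/lib`, `/usr/lib64` and `/usr/lib` variants), so on aarch64 endpoints the file lookups return nothing and the investigation guide gives the analyst no loader ownership or timestamp data. If non-x86 Linux hosts are in scope, add the aarch64 loader to both `WHERE` clauses, e.g. `path = '/lib/ld-linux-aarch64.so.1' OR path = '/lib/aarch64-linux-gnu/ld-linux-aarch64.so.1' OR path = '/usr/lib/aarch64-linux-gnu/ld-linux-aarch64.so.1'`. This is a coverage gap the pre-existing queries already had and the reformat carries over unchanged; whether the EQL detection itself (only partly visible in a later hunk) is architecture-specific is a separate question.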
@@ -125,7 +145,9 @@ The detection rule 'Dynamic Linker Copy' is designed to identify such abuse by m - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ -references = ["https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/"] +references = [ + "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/" +] risk_score = 73 rule_id = "df6f62d9-caab-4b88-affa-044f4395a1e0" setup = """## Setup @@ -155,13 +177,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "high" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Threat: Orbit", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Threat: Orbit", + "Data Source: Elastic Defend" + ] type = "eql" query = ''' @@ -174,20 +196,19 @@ sequence by process.entity_id with maxspan=1m [file where host.os.type == "linux" and event.action == "creation" and file.extension == "so"] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml index 36ed51d36..a8f67c739 100644 --- a/rules/linux/persistence_etc_file_creation.toml +++ b/rules/linux/persistence_etc_file_creation.toml 
@@ -2,26 +2,49 @@ creation_date = "2022/07/22" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/21" [transform] [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" query = """ -SELECT * FROM file WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%' -OR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE '/etc/systemd/system/%' OR path LIKE -'/usr/lib/systemd/system/%' ) +SELECT * FROM file WHERE ( + path LIKE '/etc/ld.so.conf.d/%' OR + path LIKE '/etc/cron.d/%' OR + path LIKE '/etc/sudoers.d/%' OR + path LIKE '/etc/rc%.d/%' OR + path LIKE '/etc/init.d/%' OR + path LIKE '/etc/systemd/system/%' OR + path LIKE '/usr/lib/systemd/system/%' +) """ - [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS -file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS -file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT -JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE -'/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%' OR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE -'/etc/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' ) +SELECT + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 'unixepoch') AS file_created_time, + f.size AS size_bytes 
+FROM + file f + LEFT JOIN users u ON f.uid = u.uid + LEFT JOIN groups g ON f.gid = g.gid +WHERE ( + path LIKE '/etc/ld.so.conf.d/%' OR + path LIKE '/etc/cron.d/%' OR + path LIKE '/etc/sudoers.d/%' OR + path LIKE '/etc/rc%.d/%' OR + path LIKE '/etc/init.d/%' OR + path LIKE '/etc/systemd/system/%' OR + path LIKE '/usr/lib/systemd/system/%' +) """ [[transform.osquery]] @@ -48,7 +71,6 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" - [rule] author = ["Elastic"] description = """ @@ -135,7 +157,7 @@ This rule monitors for the creation of the most common system-wide configuration """ references = [ "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", - "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/", + "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" ] risk_score = 47 rule_id = "1c84dd64-7e6c-4bad-ac73-a5014ee37042" @@ -166,18 +188,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Threat: Orbit", - "Threat: Lightning Framework", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Threat: Orbit", + "Threat: Lightning Framework", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' file where host.os.type == "linux" and event.type in ("creation", "file_create_event") and user.id == "0" and file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*", 
@@ -192,76 +213,76 @@ file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/r ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1037" -name = "Boot or Logon Initialization Scripts" -reference = "https://attack.mitre.org/techniques/T1037/" -[[rule.threat.technique.subtechnique]] -id = "T1037.004" -name = "RC Scripts" -reference = "https://attack.mitre.org/techniques/T1037/004/" - - -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1543.002" -name = "Systemd Service" -reference = "https://attack.mitre.org/techniques/T1543/002/" - - -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" -[[rule.threat.technique.subtechnique]] -id = "T1574.006" -name = "Dynamic Linker Hijacking" -reference = "https://attack.mitre.org/techniques/T1574/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique.subtechnique]] +id = "T1037.004" +name = "RC Scripts" +reference = "https://attack.mitre.org/techniques/T1037/004/" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.002" +name = "Systemd Service" +reference = 
"https://attack.mitre.org/techniques/T1543/002/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1053" -name = "Scheduled Task/Job" -reference = "https://attack.mitre.org/techniques/T1053/" -[[rule.threat.technique.subtechnique]] -id = "T1053.003" -name = "Cron" -reference = "https://attack.mitre.org/techniques/T1053/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.003" +name = "Cron" +reference = "https://attack.mitre.org/techniques/T1053/003/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat.technique.subtechnique]] -id = "T1548.003" -name = "Sudo and Sudo Caching" -reference = "https://attack.mitre.org/techniques/T1548/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" diff --git a/rules/linux/persistence_init_d_file_creation.toml b/rules/linux/persistence_init_d_file_creation.toml index 6bded3ec8..1af1b1778 100644 --- a/rules/linux/persistence_init_d_file_creation.toml +++ b/rules/linux/persistence_init_d_file_creation.toml 
@@ -2,7 +2,9 @@ creation_date = "2023/03/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/02/21" [transform] [[transform.osquery]] @@ -16,11 +18,20 @@ query = "SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/ [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS -file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS -file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT -JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/init.d/%' OR path LIKE -'/run/systemd/generator.late/%') +SELECT + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 'unixepoch') AS file_created_time, + f.size AS size_bytes +FROM + file f + LEFT JOIN users u ON f.uid = u.uid + LEFT JOIN groups g ON f.gid = g.gid +WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%') """ [[transform.osquery]] 
@@ -31,14 +42,14 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" - [rule] author = ["Elastic"] description = """ Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts -or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the "systemd-sysv-generator" -can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the -/etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system. +or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the +"systemd-sysv-generator" can convert init.d files to service unit files that run at boot. Adversaries may add or +alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence +on the system. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] @@ -110,7 +121,8 @@ This rule looks for the creation of new files within the `/etc/init.d/` director references = [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", - "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/", + "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/" + ] risk_score = 47 rule_id = "474fd20e-14cc-49c5-8160-d9ab4ba16c8b" 
@@ -141,17 +153,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and file.path : /etc/init.d/* and not ( @@ -164,15 +175,14 @@ file.path : /etc/init.d/* and not ( ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -181,8 +191,7 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["file.path", "process.name", "host.id"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" - - diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml index 60f5ef56b..866b0d000 100644 --- a/rules/linux/persistence_insmod_kernel_module_load.toml +++ b/rules/linux/persistence_insmod_kernel_module_load.toml @@ -2,7 +2,9 @@ creation_date = "2022/07/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/21" [transform] [[transform.osquery]] 
@@ -29,7 +31,6 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" - [rule] author = ["Elastic"] description = """ @@ -116,7 +117,7 @@ The detection rule 'Kernel module load via insmod' is designed to identify insta - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = [ - "https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/", + "https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/" ] risk_score = 47 rule_id = "2339f03c-f53f-40fa-834b-40c5983fc41f" 
@@ -147,38 +148,35 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Threat: Rootkit", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Threat: Rootkit", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml index bebb8f3e4..34f92ac31 100644 --- a/rules/linux/persistence_kde_autostart_modification.toml +++ b/rules/linux/persistence_kde_autostart_modification.toml 
@@ -2,51 +2,68 @@ creation_date = "2021/01/06" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/12/19" [transform] [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" query = """ -SELECT * FROM file WHERE ( path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop' -OR path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR path LIKE -'/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR path LIKE '/root/.kde/Autostart/%.sh' -OR path LIKE '/root/.kde/Autostart/%.desktop' OR path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE -'/home/%/.kde4/Autostart/%.desktop' OR path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE -'/root/.kde4/Autostart/%.desktop' OR path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE -'/home/%/.kde/share/autostart/%.desktop' OR path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE -'/root/.kde/share/autostart/%.desktop' OR path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE -'/home/%/.kde4/share/autostart/%.desktop' OR path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE -'/root/.kde4/share/autostart/%.desktop' OR path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE -'/home/%/.local/share/autostart/%.desktop' OR path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE -'/root/.local/share/autostart/%.desktop' OR path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE -'/home/%/.config/autostart-scripts/%.desktop' OR path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE -'/root/.config/autostart-scripts/%.desktop' OR path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE -'/etc/xdg/autostart/%.desktop' OR path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' ) +SELECT * FROM file WHERE 
( + path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop' OR + path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR + path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR + path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE '/root/.kde/Autostart/%.desktop' OR + path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE '/home/%/.kde4/Autostart/%.desktop' OR + path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE '/root/.kde4/Autostart/%.desktop' OR + path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE '/home/%/.kde/share/autostart/%.desktop' OR + path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE '/root/.kde/share/autostart/%.desktop' OR + path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE '/home/%/.kde4/share/autostart/%.desktop' OR + path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE '/root/.kde4/share/autostart/%.desktop' OR + path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE '/home/%/.local/share/autostart/%.desktop' OR + path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE '/root/.local/share/autostart/%.desktop' OR + path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE '/home/%/.config/autostart-scripts/%.desktop' OR + path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE '/root/.config/autostart-scripts/%.desktop' OR + path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE '/etc/xdg/autostart/%.desktop' OR + path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' +) """ [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS -file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS -file_last_status_change_time, datetime(f.btime, 'unixepoch') AS 
file_created_time, f.size AS size_bytes FROM file f LEFT -JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/home/%/.config/autostart/%.sh' OR -path LIKE '/home/%/.config/autostart/%.desktop' OR path LIKE '/root/.config/autostart/%.sh' OR path LIKE -'/root/.config/autostart/%.desktop' OR path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE -'/home/%/.kde/Autostart/%.desktop' OR path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE -'/root/.kde/Autostart/%.desktop' OR path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE -'/home/%/.kde4/Autostart/%.desktop' OR path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE -'/root/.kde4/Autostart/%.desktop' OR path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE -'/home/%/.kde/share/autostart/%.desktop' OR path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE -'/root/.kde/share/autostart/%.desktop' OR path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE -'/home/%/.kde4/share/autostart/%.desktop' OR path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE -'/root/.kde4/share/autostart/%.desktop' OR path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE -'/home/%/.local/share/autostart/%.desktop' OR path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE -'/root/.local/share/autostart/%.desktop' OR path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE -'/home/%/.config/autostart-scripts/%.desktop' OR path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE -'/root/.config/autostart-scripts/%.desktop' OR path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE -'/etc/xdg/autostart/%.desktop' OR path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' ) +SELECT + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 
'unixepoch') AS file_created_time, + f.size AS size_bytes +FROM + file f + LEFT JOIN users u ON f.uid = u.uid + LEFT JOIN groups g ON f.gid = g.gid +WHERE ( + path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop' OR + path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR + path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR + path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE '/root/.kde/Autostart/%.desktop' OR + path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE '/home/%/.kde4/Autostart/%.desktop' OR + path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE '/root/.kde4/Autostart/%.desktop' OR + path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE '/home/%/.kde/share/autostart/%.desktop' OR + path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE '/root/.kde/share/autostart/%.desktop' OR + path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE '/home/%/.kde4/share/autostart/%.desktop' OR + path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE '/root/.kde4/share/autostart/%.desktop' OR + path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE '/home/%/.local/share/autostart/%.desktop' OR + path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE '/root/.local/share/autostart/%.desktop' OR + path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE '/home/%/.config/autostart-scripts/%.desktop' OR + path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE '/root/.config/autostart-scripts/%.desktop' OR + path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE '/etc/xdg/autostart/%.desktop' OR + path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' +) """ [[transform.osquery]] 
@@ -73,7 +90,6 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" - [rule] author = ["Elastic"] description = """ @@ -196,13 +212,13 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -224,15 +240,14 @@ file where host.os.type == "linux" and event.type != "deletion" and "rpm", "pacman", "podman", "nautilus", "remmina", "cinnamon-settings.py") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_kernel_driver_load.toml b/rules/linux/persistence_kernel_driver_load.toml index 97ba74fa4..e727ca8e0 100644 --- a/rules/linux/persistence_kernel_driver_load.toml +++ b/rules/linux/persistence_kernel_driver_load.toml 
@@ -2,15 +2,17 @@ creation_date = "2023/10/26" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/22" [rule] author = ["Elastic"] description = """ -Detects the loading of a Linux kernel module through system calls. Threat actors may leverage Linux kernel modules to +Detects the loading of a Linux kernel module through system calls. Threat actors may leverage Linux kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security products. As other -rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap -that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through auditd_manager. +rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap +that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through auditd_manager. """ from = "now-9m" index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] 
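Review bot: The `+` description lines in this hunk read identically to the `-` lines they replace, which in the collapsed view suggests the only difference is trailing whitespace after `modules to`, `the gap` and `auditd_manager.`. Whitespace inside a triple-quoted `description` is part of the rule text, so reintroducing it is a real, if invisible, change rather than a no-op, and it will keep showing up as noise in every future diff of these lines. I would strip the trailing spaces so the `+` lines match the `-` lines and the description content stays exactly as it was. The same pattern appears in the description hunks at L586, L589, L591, L594 and L597.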
@@ -42,49 +44,47 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen """ severity = "low" tags = [ - "Data Source: Auditd Manager", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", -] + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and auditd.data.syscall in ("init_module", "finit_module") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +name = "Rootkit" +id = "T1014" +reference = "https://attack.mitre.org/techniques/T1014/" diff --git a/rules/linux/persistence_kernel_driver_load_by_non_root.toml b/rules/linux/persistence_kernel_driver_load_by_non_root.toml index 216b6be53..24f6c7291 100644 --- a/rules/linux/persistence_kernel_driver_load_by_non_root.toml +++ b/rules/linux/persistence_kernel_driver_load_by_non_root.toml 
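Review bot: The T1014 technique table is moved after `[rule.threat.tactic]` and its keys reordered to `name`, `id`, `reference`, while every other `[[rule.threat.technique]]` in this diff keeps `id`, `name`, `reference` and precedes the tactic table. TOML should still attach the array element to the second `[[rule.threat]]` entry, so this reads as a style inconsistency rather than a parse error, but it makes the rootkit technique easy to overlook when scanning the file and harder to compare against the sibling rules. I would keep the technique table in its original position and key order: `id = "T1014"`, `name = "Rootkit"`, `reference = "https://attack.mitre.org/techniques/T1014/"`. The same reordering appears at L587 and L590.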
@@ -2,7 +2,9 @@ creation_date = "2024/01/10" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/19" [rule] author = ["Elastic"] @@ -11,7 +13,7 @@ Detects the loading of a Linux kernel module by a non-root user through system c kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security products. As other rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through -auditd_manager. +auditd_manager. """ from = "now-9m" index = ["logs-auditd_manager.auditd-*"] 
@@ -48,49 +50,48 @@ However, if more advanced configuration is required to detect specific behavior, """ severity = "medium" tags = [ - "Data Source: Auditd Manager", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", -] + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and auditd.data.syscall in ("init_module", "finit_module") and user.id != "0" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +name = "Rootkit" +id = "T1014" +reference = "https://attack.mitre.org/techniques/T1014/" + diff --git a/rules/linux/persistence_kworker_file_creation.toml b/rules/linux/persistence_kworker_file_creation.toml index d9e80c23b..bc4c38f8a 100644 --- a/rules/linux/persistence_kworker_file_creation.toml +++ b/rules/linux/persistence_kworker_file_creation.toml 
@@ -2,20 +2,33 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/17" [transform] [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" -query = "SELECT * FROM file WHERE path = {{file.path}}\n" - +query = """ +SELECT * FROM file WHERE path = {{file.path}} +""" [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS -file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS -file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT -JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path = {{file.path}} +SELECT + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 'unixepoch') AS file_created_time, + f.size AS size_bytes +FROM + file f + LEFT JOIN users u ON f.uid = u.uid + LEFT JOIN groups g ON f.gid = g.gid +WHERE path = {{file.path}} """ [[transform.osquery]] 
@@ -42,11 +55,10 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" - [rule] author = ["Elastic"] description = """ -This rule monitors for a file creation event originating from a kworker parent process. kworker, or kernel worker, +This rule monitors for a file creation event originating from a kworker parent process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process. @@ -153,16 +165,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and process.name : "kworker*" and not ( 
@@ -171,29 +182,29 @@ file where host.os.type == "linux" and event.action in ("creation", "file_create ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +name = "Rootkit" +id = "T1014" +reference = "https://attack.mitre.org/techniques/T1014/" + diff --git a/rules/linux/persistence_linux_backdoor_user_creation.toml b/rules/linux/persistence_linux_backdoor_user_creation.toml index cf4f8a430..bb0e1ebe6 100644 --- a/rules/linux/persistence_linux_backdoor_user_creation.toml +++ b/rules/linux/persistence_linux_backdoor_user_creation.toml @@ -2,15 +2,14 @@ creation_date = "2023/03/07" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [transform] [[transform.osquery]] label = "Osquery - Retrieve User Accounts with a UID of 0" -query = """ -SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE -'0' -""" +query = "SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE '0'" [[transform.osquery]] label = "Osquery - Retrieve Running Processes by User" 
@@ -28,11 +27,10 @@ query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" label = "Osquery - Retrieve Information for a Specific Group" query = "SELECT * FROM groups WHERE groupname = {{group.name}}" - [rule] author = ["Elastic"] description = """ -Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to +Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to 0 to establish persistence on a system. """ from = "now-9m" @@ -116,39 +114,36 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "usermod" and process.args : "-u" and process.args : "0" and process.args : "-o" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" + [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - 
diff --git a/rules/linux/persistence_linux_group_creation.toml b/rules/linux/persistence_linux_group_creation.toml index be5b7c048..8bdadc05c 100644 --- a/rules/linux/persistence_linux_group_creation.toml +++ b/rules/linux/persistence_linux_group_creation.toml @@ -2,7 +2,9 @@ creation_date = "2023/02/13" integration = ["system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [transform] [[transform.osquery]] @@ -21,10 +23,11 @@ query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" label = "Osquery - Retrieve Running Processes by User" query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username" - [rule] author = ["Elastic"] -description = "Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system.\n" +description = """ +Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system. +""" from = "now-9m" index = ["filebeat-*", "logs-system.auth-*"] language = "eql" 
@@ -100,37 +103,28 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" - query = ''' iam where host.os.type == "linux" and (event.type == "group" and event.type == "creation") and process.name in ("groupadd", "addgroup") and group.name != null ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" + [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml index 42ea56ee0..eeb4603ab 100644 --- a/rules/linux/persistence_linux_shell_activity_via_web_server.toml +++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml @@ -2,7 +2,9 @@ creation_date = "2023/03/04" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/21" [transform] [[transform.osquery]] 
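Review bot: `tags` is collapsed onto a single long line here, while every other rule in this diff keeps `tags` as a multi-line array with one entry per line and a two-space indent. One entry per line is the form the rest of the diff normalises to, and it keeps a future tag addition to a one-line change instead of rewriting the whole array. I would write `tags = [` followed by one tag per line and a closing `]`, matching the surrounding rules. The user-creation rule at L596 collapses its `tags` the same way; the enclosing `[rule]` table for both hunks starts outside the hunk.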
@@ -25,12 +27,11 @@ query = "SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = {{pr label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" - [rule] author = ["Elastic"] description = """ -Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. -Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor +Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. +Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor file that can be abused to gain code execution as a mechanism for persistence. """ false_positives = [ @@ -130,19 +131,18 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "high" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Initial Access", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Initial Access", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.parent.executable : ( 
@@ -165,34 +165,33 @@ process.name : ( ) and not process.name == "phpquery" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" + [[rule.threat.technique.subtechnique]] id = "T1505.003" name = "Web Shell" reference = "https://attack.mitre.org/techniques/T1505/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/linux/persistence_linux_user_account_creation.toml b/rules/linux/persistence_linux_user_account_creation.toml index 0806394a0..18b550025 100644 --- a/rules/linux/persistence_linux_user_account_creation.toml +++ b/rules/linux/persistence_linux_user_account_creation.toml @@ -2,7 +2,9 @@ creation_date = "2023/02/13" integration = ["system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [transform] [[transform.osquery]] 
@@ -21,10 +23,11 @@ query = "SELECT * FROM groups WHERE groupname = {{group.name}}" label = "Osquery - Retrieve Running Processes by User" query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username" - [rule] author = ["Elastic"] -description = "Identifies attempts to create new users. Attackers may add new users to establish persistence on a system.\n" +description = """ +Identifies attempts to create new users. Attackers may add new users to establish persistence on a system. +""" from = "now-9m" index = ["filebeat-*", "logs-system.auth-*"] language = "eql" @@ -99,37 +102,28 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" - query = ''' iam where host.os.type == "linux" and (event.type == "user" and event.type == "creation") and process.name in ("useradd", "adduser") and user.name != null ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" + [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - 
diff --git a/rules/linux/persistence_linux_user_added_to_privileged_group.toml b/rules/linux/persistence_linux_user_added_to_privileged_group.toml index d08a4139b..2528e50c2 100644 --- a/rules/linux/persistence_linux_user_added_to_privileged_group.toml +++ b/rules/linux/persistence_linux_user_added_to_privileged_group.toml @@ -2,7 +2,9 @@ creation_date = "2023/02/13" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [transform] [[transform.osquery]] @@ -21,11 +23,10 @@ query = "SELECT * FROM groups WHERE groupname = {{group.name}}" label = "Osquery - Retrieve Running Processes by User" query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username" - [rule] author = ["Elastic"] description = """ -Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to +Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to establish persistence on a system. """ from = "now-9m" 
@@ -108,18 +109,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "low"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
- "Data Source: Auditd Manager",
-]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: Auditd Manager"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.args in (
@@ -132,22 +132,20 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1136"
 name = "Create Account"
 reference = "https://attack.mitre.org/techniques/T1136/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1136.001"
 name = "Local Account"
 reference = "https://attack.mitre.org/techniques/T1136/001/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/linux/persistence_message_of_the_day_creation.toml b/rules/linux/persistence_message_of_the_day_creation.toml
index 85e05d4e8..7afb4ae59 100644
--- a/rules/linux/persistence_message_of_the_day_creation.toml
+++ b/rules/linux/persistence_message_of_the_day_creation.toml
@@ -2,7 +2,9 @@ creation_date = "2023/02/28"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2024/02/21"
 [transform]
 [[transform.osquery]]
@@ -16,11 +18,20 @@ query = "SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE
 [[transform.osquery]]
 label = "Osquery - Retrieve Additional File Listing Information"
 query = """
-SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS
-file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS
-file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT
-JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE
-'/usr/lib/update-notifier/%')
+SELECT
+ f.path,
+ u.username AS file_owner,
+ g.groupname AS group_owner,
+ datetime(f.atime, 'unixepoch') AS file_last_access_time,
+ datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
+ datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
+ datetime(f.btime, 'unixepoch') AS file_created_time,
+ f.size AS size_bytes
+FROM
+ file f
+ LEFT JOIN users u ON f.uid = u.uid
+ LEFT JOIN groups g ON f.gid = g.gid
+WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')
 """
 [[transform.osquery]]
@@ -31,7 +42,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
 label = "Osquery - Retrieve Crontab Information"
 query = "SELECT * FROM crontab"
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -106,7 +116,7 @@ This rule identifies the creation of new files within the `/etc/update-motd.d/`
 - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
 references = [
- "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd",
+ "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"
 ]
 risk_score = 47
 rule_id = "96d11d31-9a79-480f-8401-da28b194608f"
@@ -137,17 +147,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
-timestamp_override = "event.ingested"
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend"
+ ]
 type = "new_terms"
-
+timestamp_override = "event.ingested"
 query = '''
 host.os.type :linux and event.action:(creation or file_create_event or rename or file_rename_event) and
 file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process.name : (
@@ -158,15 +167,14 @@ file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1037"
 name = "Boot or Logon Initialization Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
@@ -175,8 +183,7 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "file.path", "process.executable"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-10d"
-
-
diff --git a/rules/linux/persistence_message_of_the_day_execution.toml b/rules/linux/persistence_message_of_the_day_execution.toml
index ca3cb5b9b..219b88f9f 100644
--- a/rules/linux/persistence_message_of_the_day_execution.toml
+++ b/rules/linux/persistence_message_of_the_day_execution.toml
@@ -2,7 +2,9 @@ creation_date = "2023/02/28"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/05/17"
 [transform]
 [[transform.osquery]]
@@ -16,11 +18,20 @@ query = "SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE
 [[transform.osquery]]
 label = "Osquery - Retrieve Additional File Listing Information"
 query = """
-SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS
-file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS
-file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT
-JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE
-'/usr/lib/update-notifier/%')
+SELECT
+ f.path,
+ u.username AS file_owner,
+ g.groupname AS group_owner,
+ datetime(f.atime, 'unixepoch') AS file_last_access_time,
+ datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
+ datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
+ datetime(f.btime, 'unixepoch') AS file_created_time,
+ f.size AS size_bytes
+FROM
+ file f
+ LEFT JOIN users u ON f.uid = u.uid
+ LEFT JOIN groups g ON f.gid = g.gid
+WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')
 """
 [[transform.osquery]]
@@ -30,17 +41,15 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
 [[transform.osquery]]
 label = "Osquery - Retrieve Crontab Information"
 query = "SELECT * FROM crontab"
-
-
 [rule]
 author = ["Elastic"]
 description = """
-Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or
-a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and
-"/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a
-serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a
-user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially
-malicious processes through the MOTD utility.
+Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH
+or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and
+"/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a
+serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a
+user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially
+malicious processes through the MOTD utility.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*"]
@@ -106,7 +115,7 @@ This rule identifies the execution of potentially malicious processes from a MOT
 - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
 references = [
- "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd",
+ "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"
 ]
 risk_score = 73
 rule_id = "4ec47004-b34a-42e6-8003-376a123ea447"
@@ -137,17 +146,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "high"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where event.type == "start" and host.os.type == "linux" and event.action : ("exec", "exec_event") and
 process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/*") and (
@@ -178,17 +186,15 @@ not (
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1037"
 name = "Boot or Logon Initialization Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/linux/persistence_rc_script_creation.toml b/rules/linux/persistence_rc_script_creation.toml
index e9177e41c..ce7a4a9ae 100644
--- a/rules/linux/persistence_rc_script_creation.toml
+++ b/rules/linux/persistence_rc_script_creation.toml
@@ -2,7 +2,9 @@ creation_date = "2023/02/28"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2024/01/05"
 [transform]
 [[transform.osquery]]
@@ -15,24 +17,21 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
 [[transform.osquery]]
 label = "Osquery - Retrieve rc-local.service File Information"
-query = """
-SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path =
-'/run/systemd/generator/multi-user.target.wants/rc-local.service')
-"""
+query = "SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')"
 [[transform.osquery]]
 label = "Osquery - Retrieve Crontab Information"
 query = "SELECT * FROM crontab"
-
 [rule]
 author = ["Elastic"]
 description = """
-This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the
-use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or
-commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the
-"systemd-rc-local-generator", rc.local files can be converted to services that run at boot. Adversaries may alter
-rc.local to execute malicious code at start-up, and gain persistence onto the system.
+This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable
+through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications,
+services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd.
+However, through the "systemd-rc-local-generator", rc.local files can be converted to services that run at
+boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the
+system.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*"]
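Review bot: The rewritten osquery transform compares `path` against the same literal on both sides of the `OR` (`'/run/systemd/generator/multi-user.target.wants/rc-local.service'` twice), so the second disjunct is dead and the investigation query only ever inspects one file. The duplicate is carried over from the removed lines, but this hunk rewrites the query onto a single string, which is the moment to fix it; presumably a second location for the generated unit was intended — confirm with the rule author. If no second path exists, collapse it to `query = "SELECT * FROM file WHERE path = '/run/systemd/generator/multi-user.target.wants/rc-local.service'"`.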
@@ -101,7 +100,8 @@ Detection alerts from this rule indicate the creation of a new `/etc/rc.local` f
 references = [
 "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/",
 "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts",
- "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/",
+ "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"
+ ]
 ]
 risk_score = 47
 rule_id = "0f4d35e4-925e-4959-ab24-911be207ee6f"
@@ -132,17 +132,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
-timestamp_override = "event.ingested"
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend"
+ ]
 type = "new_terms"
-
+timestamp_override = "event.ingested"
 query = '''
 host.os.type : "linux" and event.category : "file" and
 event.type : ("change" or "file_modify_event" or "creation" or "file_create_event") and
@@ -151,20 +150,19 @@ file.path : "/etc/rc.local" and not process.name : (
 ) and not file.extension : ("swp" or "swpx")
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1037"
 name = "Boot or Logon Initialization Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1037.004"
 name = "RC Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/004/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
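Review bot: The references hunk (`@@ -101,7 +100,8 @@`) closes the `references` array twice on the new side: the added indented `]` is immediately followed by the retained context line `]`, leaving `references = [ ... ]` plus a stray `]`, which is not valid TOML and should make this rule file fail to load. The hunk counts (7 old, 8 new) confirm that only one line was removed and two added, so this is not a rendering artifact. Drop the added `]` and keep the existing one, or remove the old `]` in the same hunk as was done for the `tags` array further down in this file, where `-]` and the indented `+ ]` are paired correctly.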
@@ -173,8 +171,7 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "process.executable", "user.id"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-7d"
-
-
diff --git a/rules/linux/persistence_setuid_setgid_capability_set.toml b/rules/linux/persistence_setuid_setgid_capability_set.toml
index 0aa61d6bc..c99e8b13e 100644
--- a/rules/linux/persistence_setuid_setgid_capability_set.toml
+++ b/rules/linux/persistence_setuid_setgid_capability_set.toml
@@ -2,7 +2,9 @@ creation_date = "2023/09/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [transform]
 [[transform.osquery]]
@@ -29,7 +31,6 @@ query = "SELECT * FROM users WHERE username = {{user.name}}"
 label = "Osquery - Investigate the Account Authentication Status"
 query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -132,22 +133,20 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
-]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
 process.name == "setcap" and process.args : "cap_set?id+ep" and not process.parent.name in ("jem", "vzctl")
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -155,21 +154,21 @@ framework = "MITRE ATT&CK"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1548.001"
 name = "Setuid and Setgid"
 reference = "https://attack.mitre.org/techniques/T1548/001/"
-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/linux/persistence_shared_object_creation.toml b/rules/linux/persistence_shared_object_creation.toml
index 72faf4eb4..b9da05228 100644
--- a/rules/linux/persistence_shared_object_creation.toml
+++ b/rules/linux/persistence_shared_object_creation.toml
@@ -2,20 +2,33 @@ creation_date = "2023/06/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
+min_stack_version = "8.6.0"
+updated_date = "2024/02/21"
 [transform]
 [[transform.osquery]]
 label = "Osquery - Retrieve File Listing Information"
-query = "SELECT * FROM file WHERE path = {{file.path}}\n"
-
+query = """
+SELECT * FROM file WHERE path = {{file.path}}
+"""
 [[transform.osquery]]
 label = "Osquery - Retrieve Additional File Listing Information"
 query = """
-SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS
-file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS
-file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT
-JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path = {{file.path}}
+SELECT
+ f.path,
+ u.username AS file_owner,
+ g.groupname AS group_owner,
+ datetime(f.atime, 'unixepoch') AS file_last_access_time,
+ datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
+ datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
+ datetime(f.btime, 'unixepoch') AS file_created_time,
+ f.size AS size_bytes
+FROM
+ file f
+ LEFT JOIN users u ON f.uid = u.uid
+ LEFT JOIN groups g ON f.gid = g.gid
+WHERE path = {{file.path}}
 """
 [[transform.osquery]]
@@ -42,7 +55,6 @@ query = "SELECT * FROM users WHERE username = {{user.name}}"
 label = "Osquery - Investigate the Account Authentication Status"
 query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -155,11 +167,10 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Persistence",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "new_terms"
-
 query = '''
 host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and
 file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* and not (
@@ -169,20 +180,19 @@ file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* an
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1574.006"
 name = "Dynamic Linker Hijacking"
 reference = "https://attack.mitre.org/techniques/T1574/006/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
@@ -191,8 +201,7 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "file.path", "process.executable"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-10d"
-
-
diff --git a/rules/linux/persistence_shell_configuration_modification.toml b/rules/linux/persistence_shell_configuration_modification.toml
index bbdb5484c..9f5571f1f 100644
--- a/rules/linux/persistence_shell_configuration_modification.toml
+++ b/rules/linux/persistence_shell_configuration_modification.toml
@@ -2,7 +2,9 @@ creation_date = "2024/04/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2024/04/30"
 [rule]
 author = ["Elastic"]
@@ -48,16 +50,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
-timestamp_override = "event.ingested"
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ]
 type = "new_terms"
-
+timestamp_override = "event.ingested"
 query = '''
 event.category:file and host.os.type:linux and
 event.action:(creation or file_create_event or rename or file_rename_event) and file.path:(
@@ -79,20 +80,19 @@ event.action:(creation or file_create_event or rename or file_rename_event) and
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1546"
 name = "Event Triggered Execution"
 reference = "https://attack.mitre.org/techniques/T1546/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1546.004"
 name = "Unix Shell Configuration Modification"
 reference = "https://attack.mitre.org/techniques/T1546/004/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
@@ -100,9 +100,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "user.id", "process.executable"]
+value = ["host.id", "user.id", "process.executable"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-10d"
-
-
diff --git a/rules/linux/persistence_suspicious_file_opened_through_editor.toml b/rules/linux/persistence_suspicious_file_opened_through_editor.toml
index 21922814d..88458c64b 100644
--- a/rules/linux/persistence_suspicious_file_opened_through_editor.toml
+++ b/rules/linux/persistence_suspicious_file_opened_through_editor.toml
@@ -1,17 +1,19 @@
 [metadata]
 creation_date = "2023/07/25"
-integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/05/17"
+integration = ["endpoint"]
 [rule]
 author = ["Elastic"]
 description = """
-This rule monitors for the potential edit of a suspicious file. In Linux, when editing a file through an editor, a
+This rule monitors for the potential edit of a suspicious file. In Linux, when editing a file through an editor, a
 temporary .swp file is created. By monitoring for the creation of this .swp file, we can detect potential file edits of
-suspicious files. The execution of this rule is not a clear sign of the file being edited, as just opening the file
+suspicious files. The execution of this rule is not a clear sign of the file being edited, as just opening the file
 through an editor will trigger this event. Attackers may alter any of the files added in this rule to establish
-persistence, escalate privileges or perform reconnaisance on the system.
+persistence, escalate privileges or perform reconnaisance on the system.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*"]
@@ -23,17 +25,16 @@ risk_score = 21
 rule_id = "3728c08d-9b70-456b-b6b8-007c7d246128"
 severity = "low"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and file.extension == "swp" and
 file.path : (
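Review bot: In the first hunk (`@@ -1,17 +1,19 @@`) the three rewritten description lines (`This rule monitors ...`, `suspicious files. ...`, `persistence, escalate ...`) read identically to the removed ones, so the only difference they can carry is trailing whitespace, which this hunk reintroduces; the same hunk also moves `integration = ["endpoint"]` below `updated_date`, whereas the other metadata hunks in this diff keep it directly after `creation_date`. Both are style-only, but they will churn again on the next formatter run and make the metadata layout inconsistent across the rule set. I would leave the description lines untouched and keep `integration` in its original slot, so the hunk is reduced to the `min_stack_*` additions and the date.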
@@ -56,59 +57,58 @@ file.path : (
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1037"
-name = "Boot or Logon Initialization Scripts"
-reference = "https://attack.mitre.org/techniques/T1037/"
-[[rule.threat.technique.subtechnique]]
-id = "T1037.004"
-name = "RC Scripts"
-reference = "https://attack.mitre.org/techniques/T1037/004/"
-
-
-[[rule.threat.technique]]
-id = "T1543"
-name = "Create or Modify System Process"
-reference = "https://attack.mitre.org/techniques/T1543/"
-[[rule.threat.technique.subtechnique]]
-id = "T1543.002"
-name = "Systemd Service"
-reference = "https://attack.mitre.org/techniques/T1543/002/"
-
-
-[[rule.threat.technique]]
-id = "T1574"
-name = "Hijack Execution Flow"
-reference = "https://attack.mitre.org/techniques/T1574/"
-[[rule.threat.technique.subtechnique]]
-id = "T1574.006"
-name = "Dynamic Linker Hijacking"
-reference = "https://attack.mitre.org/techniques/T1574/006/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat.technique]]
+id = "T1037"
+name = "Boot or Logon Initialization Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1037.004"
+name = "RC Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/004/"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
+
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1543.002"
+name = "Systemd Service"
+reference = "https://attack.mitre.org/techniques/T1543/002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
-[[rule.threat.technique.subtechnique]]
-id = "T1548.003"
-name = "Sudo and Sudo Caching"
-reference = "https://attack.mitre.org/techniques/T1548/003/"
-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.003"
+name = "Sudo and Sudo Caching"
+reference = "https://attack.mitre.org/techniques/T1548/003/"
diff --git a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
index 77654c11f..61823f66e 100644
--- a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
+++ b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
@@ -2,7 +2,10 @@ creation_date = "2024/04/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/01"
+
 [rule]
 author = ["Elastic"]
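Review bot: In the rewritten threat section of the editor rule (`@@ -56,59 +57,58 @@`) `[rule.threat.tactic]` now precedes the `[[rule.threat.technique]]` entries in both `[[rule.threat]]` elements, the reverse of every other rule visible in this diff, and the technique order changes from T1037, T1543, T1574 to T1037, T1574, T1543. This is valid TOML, since array-of-table entries attach to the most recently opened `[[rule.threat]]`, so it is a consistency and style point only, but it turns a blank-line tidy-up into a 59-line hunk and leaves this file laid out differently from its neighbours. I would keep the technique and subtechnique entries before `[rule.threat.tactic]` in their original order and limit the change to the inserted blank lines.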
@@ -15,22 +18,21 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Execution via XZBackdoor"
-references = ["https://github.com/amlweems/xzbot", "https://access.redhat.com/security/cve/CVE-2024-3094"]
+references =["https://github.com/amlweems/xzbot", "https://access.redhat.com/security/cve/CVE-2024-3094"]
 risk_score = 73
 rule_id = "7afc6cc9-8800-4c7f-be6b-b688d2dea248"
 severity = "high"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Tactic: Persistence",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Defend",
-]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Tactic: Persistence",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 sequence by host.id, user.id with maxspan=1s
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "sshd" and
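Review bot: The rewritten `references` line drops the space after `=` (`references =["https://github.com/amlweems/xzbot", ...]`); it still parses, but it is the only `key =value` spelling in this file as shown and differs from the `key = value` form on every neighbouring line, so the only effect of the change is to undo the formatter's output. Use `references = ["https://github.com/amlweems/xzbot", "https://access.redhat.com/security/cve/CVE-2024-3094"]` so the next formatting pass does not rewrite this hunk again.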
@@ -41,56 +43,56 @@ sequence by host.id, user.id with maxspan=1s
 [network where host.os.type == "linux" and event.type == "end" and event.action == "disconnect_received" and
 process.name == "sshd"] by process.pid, process.entity_id
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1556"
 name = "Modify Authentication Process"
 reference = "https://attack.mitre.org/techniques/T1556/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1021.004"
 name = "SSH"
 reference = "https://attack.mitre.org/techniques/T1021/004/"
-
 [[rule.threat.technique]]
 id = "T1563"
 name = "Remote Service Session Hijacking"
 reference = "https://attack.mitre.org/techniques/T1563/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1563.001"
 name = "SSH Hijacking"
 reference = "https://attack.mitre.org/techniques/T1563/001/"
-
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/linux/persistence_systemd_netcon.toml b/rules/linux/persistence_systemd_netcon.toml
index fba0565d1..45d827261 100644
--- a/rules/linux/persistence_systemd_netcon.toml
+++ b/rules/linux/persistence_systemd_netcon.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2024/02/01"
-integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
+integration = ["endpoint"]
 [rule]
 author = ["Elastic"]
@@ -48,16 +50,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Command and Control",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Command and Control",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend"
+ ]
 type = "eql"
-
 query = '''
 sequence by host.id with maxspan=5s
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -69,29 +70,29 @@ sequence by host.id with maxspan=5s
 ] by process.parent.entity_id
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1543.002"
 name = "Systemd Service"
 reference = "https://attack.mitre.org/techniques/T1543/002/"
-
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -99,6 +100,7 @@ framework = "MITRE ATT&CK"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -106,4 +108,3 @@ framework = "MITRE ATT&CK"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/linux/persistence_systemd_scheduled_timer_created.toml b/rules/linux/persistence_systemd_scheduled_timer_created.toml
index b021569a8..02f869196 100644
--- a/rules/linux/persistence_systemd_scheduled_timer_created.toml
+++ b/rules/linux/persistence_systemd_scheduled_timer_created.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/02/24"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/12/13"
 
 [transform]
 [[transform.osquery]]
@@ -12,19 +14,38 @@ query = "SELECT * FROM file WHERE path = {{file.path}}" [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" query = """ -SELECT * FROM file WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE -'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE '/home/user/.config/systemd/user/%' ) +SELECT * FROM file WHERE ( +path LIKE '/etc/systemd/system/%' OR +path LIKE '/usr/local/lib/systemd/system/%' OR +path LIKE '/lib/systemd/system/%' OR +path LIKE '/usr/lib/systemd/system/%' OR +path LIKE '/home/user/.config/systemd/user/%' +) """ [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS -file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS -file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT -JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE -'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path -LIKE '/home/{{user.name}}/.config/systemd/user/%' ) +SELECT + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 'unixepoch') AS file_created_time, + f.size AS size_bytes +FROM + file f + LEFT JOIN users u ON f.uid = u.uid + LEFT JOIN groups g ON f.gid = g.gid +WHERE ( +path LIKE '/etc/systemd/system/%' OR +path LIKE '/usr/local/lib/systemd/system/%' OR +path LIKE '/lib/systemd/system/%' OR +path LIKE '/usr/lib/systemd/system/%' OR +path 
LIKE '/home/{{user.name}}/.config/systemd/user/%' +) """ [[transform.osquery]] @@ -35,14 +56,13 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" - [rule] author = ["Elastic"] description = """ -Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used -by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd -timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in -case the connection to the infected asset was lost. +Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used +by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd +timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in +case the connection to the infected asset was lost. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] @@ -110,7 +130,7 @@ This rule monitors the creation of new systemd timer files, potentially indicati """ references = [ "https://opensource.com/article/20/7/systemd-timers", - "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/", + "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" ] risk_score = 21 rule_id = "7fb500fa-8e24-4bd1-9480-2a819352602c" 
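Review bot: The rewrapped "Osquery - Retrieve File Listing Information" query still hard-codes `path LIKE '/home/user/.config/systemd/user/%'`, so it only lists timers for an account literally named `user`, while the next transform in the same hunk parameterizes the same directory with `{{user.name}}`; change it to `path LIKE '/home/{{user.name}}/.config/systemd/user/%'`. If the first query is intentionally static (it carries no `{{...}}` placeholders at all), say so in a comment beside its `label` so the next reformat does not carry the literal forward again. Per-user units under `/home/` are also only covered when the home directory follows that layout, which is worth noting in the investigation guide.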
@@ -141,17 +161,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' host.os.type : "linux" and event.action : ("creation" or "file_create_event") and file.extension : "timer" and file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or @@ -164,20 +183,19 @@ file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/sy ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.006" name = "Systemd Timers" reference = "https://attack.mitre.org/techniques/T1053/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -186,8 +204,7 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "file.path", "process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" - - diff --git a/rules/linux/persistence_systemd_service_creation.toml b/rules/linux/persistence_systemd_service_creation.toml index aeacc5b90..a876bda25 100644 --- a/rules/linux/persistence_systemd_service_creation.toml +++ b/rules/linux/persistence_systemd_service_creation.toml 
@@ -2,7 +2,9 @@
 creation_date = "2023/06/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
+min_stack_version = "8.6.0"
+updated_date = "2023/12/13"
 
 [transform]
 [[transform.osquery]]
@@ -12,19 +14,38 @@ query = "SELECT * FROM file WHERE path = {{file.path}}" [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" query = """ -SELECT * FROM file WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE -'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE '/home/user/.config/systemd/user/%' ) +SELECT * FROM file WHERE ( +path LIKE '/etc/systemd/system/%' OR +path LIKE '/usr/local/lib/systemd/system/%' OR +path LIKE '/lib/systemd/system/%' OR +path LIKE '/usr/lib/systemd/system/%' OR +path LIKE '/home/user/.config/systemd/user/%' +) """ [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" query = """ -SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS -file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS -file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT -JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE -'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path -LIKE '/home/{{user.name}}/.config/systemd/user/%' ) +SELECT + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 'unixepoch') AS file_created_time, + f.size AS size_bytes +FROM + file f + LEFT JOIN users u ON f.uid = u.uid + LEFT JOIN groups g ON f.gid = g.gid +WHERE ( +path LIKE '/etc/systemd/system/%' OR +path LIKE '/usr/local/lib/systemd/system/%' OR +path LIKE '/lib/systemd/system/%' OR +path LIKE '/usr/lib/systemd/system/%' OR +path 
LIKE '/home/{{user.name}}/.config/systemd/user/%' +) """ [[transform.osquery]] @@ -51,13 +72,12 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" - [rule] author = ["Elastic"] description = """ -Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious -actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute -malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute +Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious +actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute +malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection. """ from = "now-9m" @@ -139,7 +159,7 @@ This rule monitors the creation of new systemd service files, potentially indica """ references = [ "https://opensource.com/article/20/7/systemd-timers", - "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/", + "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" ] risk_score = 47 rule_id = "17b0a495-4d9f-414c-8ad0-92f018b8e001" 
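Review bot: Same issue as in the timer rule: the reformatted "Osquery - Retrieve File Listing Information" query keeps the literal `path LIKE '/home/user/.config/systemd/user/%'` while the following query uses `{{user.name}}` for the identical path, so the first listing silently misses every account except one named `user`; use `path LIKE '/home/{{user.name}}/.config/systemd/user/%'` here too. Since both rule files carry byte-identical osquery transforms, fixing one without the other will leave the two investigation guides disagreeing.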
@@ -170,14 +190,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -199,37 +219,37 @@ not ( ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" @@ -238,8 +258,7 @@ reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "file.path", "process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" - - diff --git a/rules/linux/persistence_tainted_kernel_module_load.toml b/rules/linux/persistence_tainted_kernel_module_load.toml index 6cabc894a..b9bc99d66 100644 --- a/rules/linux/persistence_tainted_kernel_module_load.toml 
+++ b/rules/linux/persistence_tainted_kernel_module_load.toml @@ -2,7 +2,9 @@ creation_date = "2023/10/23" integration = ["system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/22" [rule] author = ["Elastic"] @@ -42,48 +44,46 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion" + ] timestamp_override = "event.ingested" type = "query" - query = ''' host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and message:"module verification failed: signature and/or required key missing - tainting kernel" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +name = "Rootkit" +id = "T1014" +reference = "https://attack.mitre.org/techniques/T1014/" 
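Review bot: The re-added `[[rule.threat.technique]]` for T1014 now sits after `[rule.threat.tactic]` and orders its keys `name`, `id`, `reference`, whereas every other technique block in this diff lists `id` before `name` and precedes the tactic table. It should parse identically, since in TOML the array element still attaches to the most recent `[[rule.threat]]`, but it reads as a different generator's output and differs even from the sibling out-of-tree rule, which keeps its T1014 block above the tactic; put `id = "T1014"` before `name = "Rootkit"` and move the block above `[rule.threat.tactic]` so the three kernel-module rules match. If a formatter normalizes these files, regenerating from it is the simpler fix.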
diff --git a/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml b/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml index 57ff1986c..784a655fa 100644 --- a/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml +++ b/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml @@ -2,12 +2,14 @@ creation_date = "2023/10/26" integration = ["system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/22" [rule] author = ["Elastic"] description = """ -This rule monitors the syslog log file for messages related to instances of a out-of-tree kernel module load, indicating +This rule monitors the syslog log file for messages related to instances of a out-of-tree kernel module load, indicating the taining of the kernel. Rootkits often leverage kernel modules as their main defense evasion technique. Detecting tainted kernel module loads is crucial for ensuring system security and integrity, as malicious or unauthorized modules can compromise the kernel and lead to system vulnerabilities or unauthorized access. 
@@ -42,48 +44,46 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion" + ] timestamp_override = "event.ingested" type = "query" - query = ''' host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and message:"loading out-of-tree module taints kernel." ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" +[[rule.threat.technique]] +name = "Rootkit" +id = "T1014" +reference = "https://attack.mitre.org/techniques/T1014/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/persistence_udev_rule_creation.toml b/rules/linux/persistence_udev_rule_creation.toml index bcd0e28ad..219dc0dc5 100644 --- a/rules/linux/persistence_udev_rule_creation.toml +++ b/rules/linux/persistence_udev_rule_creation.toml 
@@ -2,7 +2,9 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/02/22" [rule] author = ["Elastic"] @@ -47,16 +49,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] -timestamp_override = "event.ingested" + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] type = "new_terms" - +timestamp_override = "event.ingested" query = ''' host.os.type:"linux" and event.category:"file" and event.type:("change" or "file_modify_event" or "creation" or "file_create_event") and @@ -66,15 +67,14 @@ file.path:/lib/udev/* and process.executable:* and not ( ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -83,8 +83,7 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "file.path"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml index 6582e4663..c631a2d3b 100644 --- a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml +++ b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml 
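Review bot: In the tags hunk `timestamp_override = "event.ingested"` is moved below `type = "new_terms"`, while every other rule in this diff keeps `timestamp_override` immediately before `type`; the reorder has no effect on the rule but breaks the key order the other files share, so restore `timestamp_override = "event.ingested"` above `type = "new_terms"`. The query for this rule continues past the end of the hunk and is not reviewed here.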
@@ -2,13 +2,15 @@ creation_date = "2023/07/28" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ This rule monitors for the execution of the "chown" and "chmod" commands with command line flags that could indicate a -wildcard injection attack. Linux wildcard injection is a type of security vulnerability where attackers manipulate +wildcard injection attack. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways. """ 
@@ -47,51 +49,49 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Credential Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("chown", "chmod") and process.args == "-R" and process.args : "--reference=*" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.008" name = "/etc/passwd and /etc/shadow" reference = "https://attack.mitre.org/techniques/T1003/008/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/privilege_escalation_container_util_misconfiguration.toml b/rules/linux/privilege_escalation_container_util_misconfiguration.toml index b5167a53e..0084ab81f 100644 --- a/rules/linux/privilege_escalation_container_util_misconfiguration.toml 
+++ b/rules/linux/privilege_escalation_container_util_misconfiguration.toml
@@ -2,16 +2,18 @@
 creation_date = "2023/07/31"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule monitors for the execution of processes that interact with Linux containers through an interactive shell
-without root permissions. Utilities such as runc and ctr are universal command-line utilities leveraged to interact with
-containers via root permissions. On systems where the access to these utilities are misconfigured, attackers might be
-able to create and run a container that mounts the root folder or spawn a privileged container vulnerable to a container
-escape attack, which might allow them to escalate privileges and gain further access onto the host file system.
+This rule monitors for the execution of processes that interact with Linux containers through an interactive shell
+without root permissions. Utilities such as runc and ctr are universal command-line utilities leveraged to interact
+with containers via root permissions. On systems where the access to these utilities are misconfigured, attackers might
+be able to create and run a container that mounts the root folder or spawn a privileged container vulnerable to a
+container escape attack, which might allow them to escalate privileges and gain further access onto the host file system.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
@@ -20,8 +22,8 @@ license = "Elastic License v2" name = "Potential Privilege Escalation via Container Misconfiguration" references = [ "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation", - "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation", -] + "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation" + ] risk_score = 47 rule_id = "afe6b0eb-dd9d-4922-b08a-1910124d524d" setup = """## Setup @@ -59,17 +61,9 @@ Session View uses process data collected by the Elastic Defend integration, but For more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Domain: Container", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( (process.name == "runc" and process.args == "run") or @@ -78,17 +72,15 @@ process where host.os.type == "linux" and event.type == "start" and event.action process.interactive == true and process.parent.interactive == true ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1611" name = "Escape to Host" reference = "https://attack.mitre.org/techniques/T1611/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - 
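Review bot: The `tags` array in the `@@ -59,17 +61,9 @@` hunk is collapsed onto one line, while every other rule in this diff is being reformatted to one tag per line with the closing `]` indented by two spaces; keep the same layout here, one `"..."` entry per line under `tags = [`, so the files stay uniform and future tag additions produce one-line diffs instead of rewriting the whole array. The `references` array in the earlier hunk of this file already follows the multi-line form, so the single-line `tags` is the odd one out even within this file.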
diff --git a/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml b/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml index f3fc23dbe..dadfea901 100644 --- a/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml +++ b/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml @@ -2,14 +2,16 @@ creation_date = "2024/01/15" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ Monitors for the execution of a file system mount followed by a chroot execution. Given enough permissions, a user within a container is capable of mounting the root file system of the host, and leveraging chroot to escape its -containarized environment. This behavior pattern is very uncommon and should be investigated. +containarized environment. This behavior pattern is very uncommon and should be investigated. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -17,8 +19,8 @@ language = "eql" license = "Elastic License v2" name = "Potential Chroot Container Escape via Mount" references = [ - "https://book.hacktricks.xyz/v/portugues-ht/linux-hardening/privilege-escalation/escaping-from-limited-bash", -] + "https://book.hacktricks.xyz/v/portugues-ht/linux-hardening/privilege-escalation/escaping-from-limited-bash" + ] risk_score = 47 rule_id = "5ae02ebc-a5de-4eac-afe6-c88de696477d" setup = """## Setup 
@@ -58,15 +60,14 @@ For more information about the additional fields collected when this setting is """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Domain: Container", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Domain: Container", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by host.id, process.parent.entity_id with maxspan=5m [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -76,17 +77,15 @@ sequence by host.id, process.parent.entity_id with maxspan=5m process.name == "chroot"] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1611" name = "Escape to Host" reference = "https://attack.mitre.org/techniques/T1611/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_kworker_uid_elevation.toml b/rules/linux/privilege_escalation_kworker_uid_elevation.toml index f17fb467f..60863460f 100644 --- a/rules/linux/privilege_escalation_kworker_uid_elevation.toml +++ b/rules/linux/privilege_escalation_kworker_uid_elevation.toml @@ -2,7 +2,9 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/21" [rule] author = ["Elastic"] 
@@ -49,50 +51,48 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.action == "session_id_change" and process.name : "kworker*" and user.id == "0" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.013" name = "KernelCallbackTable" reference = "https://attack.mitre.org/techniques/T1574/013/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +name = "Rootkit" +id = "T1014" +reference = "https://attack.mitre.org/techniques/T1014/" diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml index c1188e26d..52c674200 100644 --- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml +++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml 
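Review bot: As in the tainted-kernel-module rule, the re-added T1014 `[[rule.threat.technique]]` block is placed after `[rule.threat.tactic]` with keys ordered `name`, `id`, `reference`, unlike every other technique block in this diff, which puts `id` first and precedes the tactic table; it should still parse as the same `rule.threat[1]` element, but the layout differs from the rule's own T1574 block a few lines up. Reorder to `id = "T1014"` then `name = "Rootkit"` and move the block above `[rule.threat.tactic]` for consistency.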
@@ -2,7 +2,9 @@ creation_date = "2021/01/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/02/21" [rule] author = ["Elastic"] @@ -59,35 +61,33 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' host.os.type:linux and event.category:file and event.action:(updated or renamed or rename or file_rename_event) and not event.type:deletion and file.path:/etc/ld.so.preload and not process.name:(wine or oneagentinstallaction) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" @@ -96,8 +96,7 @@ reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.id", "process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" - - diff --git a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml index 17842881d..a7983629c 100644 
--- a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml +++ b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml @@ -2,7 +2,9 @@ creation_date = "2023/07/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -47,17 +49,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Credential Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "ln" and process.args in ("-s", "-sf") and 
@@ -80,34 +81,33 @@ process.name == "ln" and process.args in ("-s", "-sf") and not user.Ext.real.id == "0" and not group.Ext.real.id == "0" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.008" name = "/etc/passwd and /etc/shadow" reference = "https://attack.mitre.org/techniques/T1003/008/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml b/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml index 3cef1b9da..26f8283c9 100644 --- a/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml +++ b/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml 
@@ -2,14 +2,16 @@ creation_date = "2023/07/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -This rule monitors for the execution of the systemd-run command by a user with a UID that is larger than the maximum -allowed UID size (INT_MAX). Some older Linux versions were affected by a bug which allows user accounts with a UID -greater than INT_MAX to escalate privileges by spawning a shell through systemd-run. +This rule monitors for the execution of the systemd-run command by a user with a UID that is larger than the maximum +allowed UID size (INT_MAX). Some older Linux versions were affected by a bug which allows user accounts with a UID +greater than INT_MAX to escalate privileges by spawning a shell through systemd-run. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] @@ -17,10 +19,9 @@ language = "eql" license = "Elastic License v2" name = "Potential Privilege Escalation via UID INT_MAX Bug Detected" references = [ - "https://twitter.com/paragonsec/status/1071152249529884674", + "https://twitter.com/paragonsec/status/1071152249529884674", "https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh", - "https://gitlab.freedesktop.org/polkit/polkit/-/issues/74", -] + "https://gitlab.freedesktop.org/polkit/polkit/-/issues/74"] risk_score = 47 rule_id = "d55436a8-719c-445f-92c4-c113ff2f9ba5" setup = """## Setup 
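Review bot: The rewritten `description` lines in the first hunk (`+This rule monitors …`, `+allowed UID size …`, `+greater than INT_MAX …`) read identically to the lines they replace, so the difference is presumably trailing whitespace, which the next formatting pass over the rules would strip again; the same pattern appears at L643, L648, L650, L654, L657 and L659. In the second hunk the `references` array's closing bracket is glued to the last element, `"https://gitlab.freedesktop.org/polkit/polkit/-/issues/74"]`, whereas the same array at L644 keeps `]` on its own line. Putting the bracket back on its own line, and dropping the whitespace-only description edits, would leave only the intended metadata change in this file.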
@@ -50,32 +51,29 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "systemd-run" and process.args == "-t" and process.args_count >= 3 and user.id >= "1000000000" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml index 9a7f5068b..c45f02676 100644 --- a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml +++ b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml 
@@ -1,17 +1,19 @@ [metadata] creation_date = "2023/06/09" -integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" +integration = ["endpoint", "auditd_manager"] [rule] author = ["Elastic"] description = """ -This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential -compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different -kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, -escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to -tamper with the system's trusted state, allowing e.g. a VM Escape. +This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential +compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different +kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, +escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to +tamper with the system's trusted state, allowing e.g. a VM Escape. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] 
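Review bot: `integration = ["endpoint", "auditd_manager"]` is removed from its position after `creation_date` and re-added after `updated_date`, so this `[metadata]` block is ordered differently from every other one in the diff (for example L641 and L648, where `integration` stays on the second line). The value is unchanged, so the move only adds diff noise; keeping `integration = ["endpoint", "auditd_manager"]` directly after `creation_date` would leave a three-line hunk like the others. The `description` lines in the same hunk also appear to change only in whitespace.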
@@ -21,7 +23,7 @@ name = "Kernel Load or Unload via Kexec Detected"
 references = [
 "https://www.crowdstrike.com/blog/venom-vulnerability-details/",
 "https://www.makeuseof.com/what-is-venom-vulnerability/",
- "https://madaidans-insecurities.github.io/guides/linux-hardening.html",
+ "https://madaidans-insecurities.github.io/guides/linux-hardening.html"
 ]
 risk_score = 47
 rule_id = "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957"
@@ -52,69 +54,68 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "kexec" and process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1611" name = "Escape to Host" reference = "https://attack.mitre.org/techniques/T1611/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1601" name = "Modify System Image" reference = "https://attack.mitre.org/techniques/T1601/" + [[rule.threat.technique.subtechnique]] id = "T1601.001" name = "Patch System Image" reference = 
"https://attack.mitre.org/techniques/T1601/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml b/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml index 75d12aa5a..30b4f2fcd 100644 --- a/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml +++ b/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml @@ -2,7 +2,9 @@ creation_date = "2023/10/05" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Linux environment variable capture feature via the Elastic Defend Integration was added in 8.6." +min_stack_version = "8.6.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -15,9 +17,7 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Privilege Escalation via CVE-2023-4911" -references = [ - "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so", -] +references = ["https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so"] risk_score = 73 rule_id = "6d8685a1-94fa-4ef7-83de-59302e7c4ca8" setup = """## Setup 
@@ -60,32 +60,29 @@ For more information on capturing environment variables refer to the [helper gui """ severity = "high" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.env_vars : "*GLIBC_TUNABLES=glibc.*=glibc.*=*"] with runs=5 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml b/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml index eeade4b3a..b9d7cdcdf 100644 --- a/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml +++ b/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml 
@@ -2,14 +2,16 @@ creation_date = "2024/01/15" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ Detects network connections initiated by the "sudo" binary. This behavior is uncommon and may occur in instances where reverse shell shellcode is injected into a process run with elevated permissions via "sudo". Attackers may attempt to -inject shellcode into processes running as root, to escalate privileges. +inject shellcode into processes running as root, to escalate privileges. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] 
@@ -45,48 +47,45 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "ipv4_connection_attempt_event") and process.name == "sudo" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [[rule.threat.technique.subtechnique]] id = "T1055.008" name = "Ptrace System Calls" reference = "https://attack.mitre.org/techniques/T1055/008/" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml index a62129ec6..8c5e04a75 100644 --- a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml +++ b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml 
@@ -2,14 +2,16 @@ creation_date = "2023/07/28" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ Identifies an attempt to exploit a local privilege escalation (CVE-2023-2640 and CVE-2023-32629) via a flaw in Ubuntu's modifications to OverlayFS. These flaws allow the creation of specialized executables, which, upon execution, grant the -ability to escalate privileges to root on the affected machine. +ability to escalate privileges to root on the affected machine. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -18,8 +20,7 @@ license = "Elastic License v2" name = "Potential Privilege Escalation via OverlayFS" references = [ "https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability", - "https://twitter.com/liadeliyahu/status/1684841527959273472", -] + "https://twitter.com/liadeliyahu/status/1684841527959273472"] risk_score = 73 rule_id = "b51dbc92-84e2-4af1-ba47-65183fcd0c57" setup = """## Setup @@ -48,16 +49,8 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"] type = "eql" - query = ''' sequence by process.parent.entity_id, host.id with maxspan=5s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
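Review bot: `tags` is collapsed onto a single line in the third hunk, `tags = ["Domain: Endpoint", "OS: Linux", …]`, while the rule files earlier in this diff (L636 through L649) rewrite the same array as one element per line with an indented closing bracket, and the removed side used a third layout with a trailing comma and `]` at column 0. Three layouts for the same field in one commit make the tag lists hard to diff and likely to churn again the next time the rules are normalised; picking one, the element-per-line form used at L649 being the closest to the existing files, would keep them consistent. The same single-line form appears at L651, L653 and L655.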
@@ -66,17 +59,15 @@ sequence by process.parent.entity_id, host.id with maxspan=5s user.id == "0"] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml index ca808d172..e8467a595 100644 --- a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml +++ b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml @@ -2,7 +2,9 @@ creation_date = "2022/01/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -44,15 +46,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml b/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml index d0bdbf799..3bd208412 100644 --- a/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml 
+++ b/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml @@ -1,7 +1,9 @@ [metadata] creation_date = "2023/12/11" maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/17" [rule] author = ["Elastic"] @@ -28,42 +30,41 @@ As a higher-order rule (based on other detections), this rule also requires the """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Initial Access", - "Use Case: Vulnerability", - "Rule Type: Higher-Order Rule", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Initial Access", + "Use Case: Vulnerability", + "Rule Type: Higher-Order Rule" + ] timestamp_override = "event.ingested" type = "threshold" - query = ''' kibana.alert.rule.rule_id:"5c81fc9d-1eae-437f-ba07-268472967013" and host.os.type:linux and event.kind:signal ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" diff --git a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml index 3e3d1dbd1..8353f4f69 100644 --- a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml +++ b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml 
@@ -2,7 +2,9 @@ creation_date = "2023/07/28" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -46,16 +48,8 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Execution", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Defend"] type = "eql" - query = ''' sequence by host.id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( @@ -67,29 +61,28 @@ sequence by host.id with maxspan=1s process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.parent.entity_id ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml index ab68d5dbf..7a36055d1 100644 
--- a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml +++ b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml @@ -2,15 +2,17 @@ creation_date = "2023/08/30" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -This rule monitors for the usage of the built-in Linux DebugFS utility to access a disk device without root permissions. -Linux users that are part of the "disk" group have sufficient privileges to access all data inside of the machine -through DebugFS. Attackers may leverage DebugFS in conjunction with "disk" permissions to read sensitive files owned by -root, such as the shadow file, root ssh private keys or other sensitive files that may allow them to further escalate +This rule monitors for the usage of the built-in Linux DebugFS utility to access a disk device without root permissions. +Linux users that are part of the "disk" group have sufficient privileges to access all data inside of the machine through +DebugFS. Attackers may leverage DebugFS in conjunction with "disk" permissions to read sensitive files owned by root, +such as the shadow file, root ssh private keys or other sensitive files that may allow them to further escalate privileges. """ from = "now-9m" @@ -18,9 +20,7 @@ index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential Suspicious DebugFS Root Device Access" -references = [ - "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#disk-group", -] +references = ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#disk-group"] risk_score = 21 rule_id = "2605aa59-29ac-4662-afad-8d86257c7c91" setup = """## Setup 
@@ -49,39 +49,29 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "debugfs" and process.args : "/dev/sd*" and not process.args == "-R" and not user.Ext.real.id == "0" and not group.Ext.real.id == "0" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.003" name = "Local Accounts" reference = "https://attack.mitre.org/techniques/T1078/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_shadow_file_read.toml b/rules/linux/privilege_escalation_shadow_file_read.toml index 52293c9bd..ff3852135 100644 --- a/rules/linux/privilege_escalation_shadow_file_read.toml +++ b/rules/linux/privilege_escalation_shadow_file_read.toml @@ -2,7 +2,9 @@ creation_date = "2022/09/01" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/02/21" [rule] author = ["Elastic"] 
@@ -46,14 +48,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Credential Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -64,32 +66,32 @@ host.os.type : "linux" and event.category : "process" and event.action : ("exec" (process.executable : ("/bin/chmod" or "/usr/bin/chmod") and process.args : "640") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.008" name = "/etc/passwd and /etc/shadow" reference = "https://attack.mitre.org/techniques/T1003/008/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" @@ -98,8 +100,7 @@ reference = "https://attack.mitre.org/tactics/TA0006/" [rule.new_terms] field = "new_terms_fields" value = ["process.command_line", "host.id", "process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" - - diff --git a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml index 757994326..a5a59552e 100644 
--- a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml +++ b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml @@ -2,14 +2,16 @@ creation_date = "2023/08/30" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -This rule monitors for the execution of a suspicious sudo command that is leveraged in CVE-2019-14287 to escalate +This rule monitors for the execution of a suspicious sudo command that is leveraged in CVE-2019-14287 to escalate privileges to root. Sudo does not verify the presence of the designated user ID and proceeds to execute using a user ID -that can be chosen arbitrarily. By using the sudo privileges, the command "sudo -u#-1" translates to an ID of 0, +that can be chosen arbitrarily. By using the sudo privileges, the command "sudo -u#-1" translates to an ID of 0, representing the root user. This exploit may work for sudo versions prior to v1.28. """ from = "now-9m" 
@@ -47,34 +49,31 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", - "Use Case: Vulnerability", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Use Case: Vulnerability", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "sudo" and process.args == "-u#-1" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_sudo_hijacking.toml b/rules/linux/privilege_escalation_sudo_hijacking.toml index cc224a4ba..d87321780 100644 --- a/rules/linux/privilege_escalation_sudo_hijacking.toml +++ b/rules/linux/privilege_escalation_sudo_hijacking.toml 
@@ -2,13 +2,15 @@ creation_date = "2023/07/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/02/21" [rule] author = ["Elastic"] description = """ -Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and -replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or +Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and +replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or enable persistence onto the system every time the sudo binary is executed. """ from = "now-9m" 
@@ -52,42 +54,41 @@ tags = [ "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' host.os.type:linux and event.category:file and event.type:("creation" or "file_create_event") and file.path:("/usr/bin/sudo" or "/bin/sudo") and not process.name:(docker or dockerd or pacman) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -96,8 +97,7 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.id", "process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" - - diff --git a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml index 83436532a..e748504ac 100644 --- a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml +++ b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml 
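Review bot: The exclusion `not process.name:(docker or dockerd or pacman)` in the new_terms query suppresses the alert on a name the writing process chooses for itself, so a dropper renamed `pacman` that overwrites `/usr/bin/sudo` is never surfaced, which is precisely the hijack this rule exists to catch. Keying the exclusion on the executable path instead, e.g. `not process.executable:("/usr/bin/dockerd" or "/usr/bin/docker" or "/usr/bin/pacman")`, raises the bar, though the exact paths should be confirmed against the distributions in the fleet. The tag re-indentation and blank-line removals in this hunk are cosmetic.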
@@ -2,16 +2,18 @@ creation_date = "2023/07/31" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -This rule detects potential sudo token manipulation attacks through process injection by monitoring the use of a -debugger (gdb) process followed by a successful uid change event during the execution of the sudo process. A sudo token +This rule detects potential sudo token manipulation attacks through process injection by monitoring the use of a +debugger (gdb) process followed by a successful uid change event during the execution of the sudo process. A sudo token manipulation attack is performed by injecting into a process that has a valid sudo token, which can then be used by -attackers to activate their own sudo token. This attack requires ptrace to be enabled in conjunction with the existence -of a living process that has a valid sudo token with the same uid as the current user. +attackers to activate their own sudo token. This attack requires ptrace to be enabled in conjunction with the existence +of a living process that has a valid sudo token with the same uid as the current user. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
@@ -47,15 +49,8 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] type = "eql" - query = ''' sequence by host.id, process.session_leader.entity_id with maxspan=15s [ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -64,32 +59,30 @@ sequence by host.id, process.session_leader.entity_id with maxspan=15s process.name == "sudo" and process.user.id == "0" and process.group.id == "0" ] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [[rule.threat.technique.subtechnique]] id = "T1055.008" name = "Ptrace System Calls" reference = "https://attack.mitre.org/techniques/T1055/008/" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml index 099c3d746..5e32f77ff 100644 --- a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml 
+++ b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml @@ -2,16 +2,18 @@ creation_date = "2023/09/05" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -This detection rule monitors for the execution of a system command with setuid or setgid capabilities via Python, +This detection rule monitors for the execution of a system command with setuid or setgid capabilities via Python, followed by a uid or gid change to the root user. This sequence of events may indicate successful privilege escalation. -Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated -privileges, based on the file owner or group. Threat actors can exploit these attributes to escalate privileges to the -privileges that are set on the binary that is being executed. +Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated +privileges, based on the file owner or group. Threat actors can exploit these attributes to escalate privileges to the +privileges that are set on the binary that is being executed. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
@@ -47,15 +49,8 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] type = "eql" - query = ''' sequence by host.id, process.entity_id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -64,9 +59,9 @@ sequence by host.id, process.entity_id with maxspan=1s (user.id == "0" or group.id == "0")] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" @@ -76,13 +71,12 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.001" name = "Setuid and Setgid" reference = "https://attack.mitre.org/techniques/T1548/001/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml b/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml index 0b8d920fc..ab23c2c48 100644 --- a/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml +++ b/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml 
@@ -2,7 +2,9 @@ creation_date = "2024/01/22" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/19" [rule] author = ["Elastic"] @@ -69,15 +71,14 @@ However, if more advanced configuration is required to detect specific behavior, """ severity = "medium" tags = [ - "Data Source: Auditd Manager", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", -] + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend" + ] type = "eql" - query = ''' sequence by host.id, process.parent.pid with maxspan=1m [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -86,17 +87,15 @@ sequence by host.id, process.parent.pid with maxspan=1m not auditd.data.a2 == "80000" and event.outcome == "success" and user.id != "0"] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_uid_change_post_compilation.toml b/rules/linux/privilege_escalation_uid_change_post_compilation.toml index 64e954706..9f8d47e5a 100644 --- a/rules/linux/privilege_escalation_uid_change_post_compilation.toml +++ b/rules/linux/privilege_escalation_uid_change_post_compilation.toml 
@@ -2,13 +2,15 @@ creation_date = "2023/08/28" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent -alteration of UID permissions to root privileges. This behavior can potentially indicate the execution of a kernel or +This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent +alteration of UID permissions to root privileges. This behavior can potentially indicate the execution of a kernel or software privilege escalation exploit. """ from = "now-9m" @@ -44,16 +46,8 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"] type = "eql" - query = ''' sequence by host.id with maxspan=1m [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -66,17 +60,15 @@ sequence by host.id with maxspan=1m user.id == "0"] by process.name ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml b/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml index f7b153258..91c4d09bf 100644 --- a/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml +++ b/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml @@ -2,7 +2,9 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/02/21" [rule] author = ["Elastic"] @@ -46,16 +48,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' host.os.type:"linux" and event.category:"process" and event.action:"uid_change" and event.type:"change" and user.id:"0" and process.parent.name:("bash" or "dash" or "sh" or "tcsh" or "csh" or "zsh" or "ksh" or "fish") and not ( 
@@ -71,42 +72,42 @@ and process.parent.name:("bash" or "dash" or "sh" or "tcsh" or "csh" or "zsh" or ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.013" name = "KernelCallbackTable" reference = "https://attack.mitre.org/techniques/T1574/013/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +name = "Rootkit" +id = "T1014" +reference = "https://attack.mitre.org/techniques/T1014/" + [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "process.command_line"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - diff --git a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml index bf460f045..c27fcc55b 100644 --- a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml +++ b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml @@ -2,7 +2,9 @@ creation_date = "2022/08/30" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/22" [rule] author = ["Elastic"] 
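Review bot: The subtechnique block `id = "T1574.013"` / `name = "KernelCallbackTable"` that this hunk keeps under Hijack Execution Flow is a Windows-only technique (it abuses the KernelCallbackTable of a Windows process), so it cannot apply to this Linux `uid_change` rule and mislabels every alert it produces. Either drop the `[[rule.threat.technique.subtechnique]]` block so only the parent T1574 remains, or map to a Linux-applicable subtechnique such as T1574.006 (Dynamic Linker Hijacking) if that matches the intended coverage — worth confirming with the rule author. Moving the T1014 technique below `[rule.threat.tactic]` is still valid TOML, so that reorder itself is harmless.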
@@ -61,16 +63,15 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and process.executable: "/usr/bin/unshare" and @@ -78,17 +79,15 @@ not process.parent.executable: ("/usr/bin/udevadm", "*/lib/systemd/systemd-udevd not process.args == "/usr/bin/snap" and not process.parent.name in ("zz-proxmox-boot", "java") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_writable_docker_socket.toml b/rules/linux/privilege_escalation_writable_docker_socket.toml index be6a9360a..66a4907ba 100644 --- a/rules/linux/privilege_escalation_writable_docker_socket.toml +++ b/rules/linux/privilege_escalation_writable_docker_socket.toml 
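Review bot: The trailing exclusion `not process.parent.name in ("zz-proxmox-boot", "java")` in the second hunk silences the rule for any child of a process named `java`, so `unshare` spawned from an exploited JVM application — or from an attacker binary simply renamed `java` — never alerts, which undercuts a rule whose purpose is catching namespace manipulation from unexpected parents. If the Java noise comes from a specific product, narrow it to that parent's `process.parent.executable` (or its arguments) rather than the bare name. Note also that `process.executable: "/usr/bin/unshare"` only matches that one path, so a copied or `/bin/unshare` invocation on a non-merged-usr system is missed. The `query` starts in the first hunk on this line and continues into the second.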
@@ -2,14 +2,16 @@ creation_date = "2023/07/25" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] description = """ -This rule monitors for the usage of Docker runtime sockets to escalate privileges on Linux systems. Docker sockets by -default are only be writable by the root user and docker group. Attackers that have permissions to write to these -sockets may be able to create and run a container that allows them to escalate privileges and gain further access onto +This rule monitors for the usage of Docker runtime sockets to escalate privileges on Linux systems. Docker sockets by +default are only be writable by the root user and docker group. Attackers that have permissions to write to these +sockets may be able to create and run a container that allows them to escalate privileges and gain further access onto the host file system. """ from = "now-9m" @@ -17,9 +19,7 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Privilege Escalation through Writable Docker Socket" -references = [ - "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#automatic-enumeration-and-escape", -] +references = ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#automatic-enumeration-and-escape"] risk_score = 47 rule_id = "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8" setup = """## Setup 
@@ -48,14 +48,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Domain: Container", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -68,17 +61,15 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) and not user.Ext.real.id : "0" and not group.Ext.real.id : "0" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1611" name = "Escape to Host" reference = "https://attack.mitre.org/techniques/T1611/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/macos/credential_access_credentials_keychains.toml b/rules/macos/credential_access_credentials_keychains.toml index 10a162065..ba6e92684 100644 --- a/rules/macos/credential_access_credentials_keychains.toml +++ b/rules/macos/credential_access_credentials_keychains.toml @@ -2,7 +2,9 @@ creation_date = "2020/08/14" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: process.Ext.effective_parent" +min_stack_version = "8.7.0" +updated_date = "2024/03/19" [rule] author = ["Elastic"] 
@@ -48,13 +50,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml index 4eea3dcd5..36af1b87a 100644 --- a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml +++ b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml @@ -2,7 +2,9 @@ creation_date = "2021/01/25" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/15" [rule] author = ["Elastic"] @@ -48,13 +50,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/credential_access_dumping_keychain_security.toml b/rules/macos/credential_access_dumping_keychain_security.toml index e9e879c94..c437c128e 100644 
--- a/rules/macos/credential_access_dumping_keychain_security.toml +++ b/rules/macos/credential_access_dumping_keychain_security.toml @@ -2,7 +2,9 @@ creation_date = "2021/01/04" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/15" [rule] author = ["Elastic"] @@ -16,9 +18,6 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Dumping of Keychain Content via Security Command" -references = ["https://ss64.com/osx/security.html"] -risk_score = 73 -rule_id = "565d6ca5-75ba-4c82-9b13-add25353471c" setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -44,14 +43,11 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ +references = ["https://ss64.com/osx/security.html"] +risk_score = 73 +rule_id = "565d6ca5-75ba-4c82-9b13-add25353471c" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/credential_access_kerberosdump_kcc.toml b/rules/macos/credential_access_kerberosdump_kcc.toml index ef37c8198..91fb75396 100644 --- a/rules/macos/credential_access_kerberosdump_kcc.toml +++ b/rules/macos/credential_access_kerberosdump_kcc.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/08/14" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/15" [rule] author = ["Elastic"] @@ -47,13 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml index fc4b71083..f0e7ef6fc 100644 --- a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml +++ b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml @@ -2,7 +2,9 @@ creation_date = "2020/01/06" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/06" [rule] author = ["Elastic"] 
@@ -51,13 +53,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/credential_access_mitm_localhost_webproxy.toml b/rules/macos/credential_access_mitm_localhost_webproxy.toml index 6e915a16c..1378d970a 100644 --- a/rules/macos/credential_access_mitm_localhost_webproxy.toml +++ b/rules/macos/credential_access_mitm_localhost_webproxy.toml @@ -2,7 +2,9 @@ creation_date = "2021/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: process.Ext.effective_parent" +min_stack_version = "8.7.0" +updated_date = "2024/03/19" [rule] author = ["Elastic"] @@ -48,13 +50,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml b/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml index 40b3b2d18..31068ac42 100644 
--- a/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml +++ b/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/16" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/01/05" [rule] author = ["Elastic"] @@ -44,15 +46,9 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", -] -timestamp_override = "event.ingested" +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] type = "threshold" +timestamp_override = "event.ingested" query = ''' event.category:process and host.os.type:macos and event.type:start and process.name:"sshd-keygen-wrapper" and process.parent.name:launchd diff --git a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml index ac83ec10a..2ed4b55b6 100644 --- a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml +++ b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/16" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: process.Ext.effective_parent" +min_stack_version = "8.7.0" +updated_date = "2024/05/17" [rule] author = ["Elastic"] 
@@ -47,13 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/credential_access_systemkey_dumping.toml b/rules/macos/credential_access_systemkey_dumping.toml
index 01434aa4c..f61a002dc 100644
--- a/rules/macos/credential_access_systemkey_dumping.toml
+++ b/rules/macos/credential_access_systemkey_dumping.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/01/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: process.Ext.effective_parent"
+min_stack_version = "8.7.0"
+updated_date = "2024/02/06"
 [rule]
 author = ["Elastic"]
@@ -45,13 +47,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_apple_softupdates_modification.toml b/rules/macos/defense_evasion_apple_softupdates_modification.toml
index 44a471921..d4ff69231 100644
--- a/rules/macos/defense_evasion_apple_softupdates_modification.toml
+++ b/rules/macos/defense_evasion_apple_softupdates_modification.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/15"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -45,13 +47,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
index 651cb2eae..5d8a845c8 100644
--- a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
+++ b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
@@ -2,14 +2,16 @@
 creation_date = "2020/08/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/05/17"
 [rule]
 author = ["Elastic"]
 description = """
-Detects deletion of the quarantine attribute by an unusual process (xattr). In macOS, when applications or programs are
-downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper
-defense program at execution time. An adversary may disable this attribute to evade defenses.
+Detects deletion of the quarantine attribute by an unusual process (xattr). In macOS, when applications or programs are downloaded from
+the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time.
+An adversary may disable this attribute to evade defenses.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
@@ -48,13 +50,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
index 9cf185bb7..9371e7606 100644
--- a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
+++ b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -47,13 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_install_root_certificate.toml b/rules/macos/defense_evasion_install_root_certificate.toml
index c4d2d6880..d20639297 100644
--- a/rules/macos/defense_evasion_install_root_certificate.toml
+++ b/rules/macos/defense_evasion_install_root_certificate.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/13"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -47,13 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
index 044d6b27a..5323edd7f 100644
--- a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
+++ b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -49,13 +51,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
index 0e9e1000b..73685fd4d 100644
--- a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
+++ b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/01/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -47,14 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/defense_evasion_safari_config_change.toml b/rules/macos/defense_evasion_safari_config_change.toml
index 599eef17f..d17b16d0b 100644
--- a/rules/macos/defense_evasion_safari_config_change.toml
+++ b/rules/macos/defense_evasion_safari_config_change.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -45,13 +47,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
index 0c821e217..5fe54a81d 100644
--- a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
+++ b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -49,13 +51,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
index 8accc83b5..7b51eb138 100644
--- a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
+++ b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/01/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -45,14 +47,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Use Case: Vulnerability",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
index 332860d1f..dfe03dda7 100644
--- a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
+++ b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/01/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -40,13 +42,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
index bc38d1d38..5d903cf4d 100644
--- a/rules/macos/discovery_users_domain_built_in_commands.toml
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/12"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: process.Ext.effective_parent"
+min_stack_version = "8.7.0"
+updated_date = "2024/02/06"
 [rule]
 author = ["Elastic"]
@@ -43,13 +45,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -88,7 +84,6 @@ id = "T1069.001"
 name = "Local Groups"
 reference = "https://attack.mitre.org/techniques/T1069/001/"
-
 [[rule.threat.technique]]
 id = "T1087"
 name = "Account Discovery"
@@ -98,8 +93,6 @@ id = "T1087.001"
 name = "Local Account"
 reference = "https://attack.mitre.org/techniques/T1087/001/"
-
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
diff --git a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
index 37396801e..01c2ed6cf 100644
--- a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
+++ b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/01/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -48,14 +50,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
index a0c384dc8..698e23e30 100644
--- a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
+++ b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/02/07"
 [rule]
 author = ["Elastic"]
@@ -48,14 +50,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/execution_installer_package_spawned_network_event.toml b/rules/macos/execution_installer_package_spawned_network_event.toml
index 2e53cc222..1638639bb 100644
--- a/rules/macos/execution_installer_package_spawned_network_event.toml
+++ b/rules/macos/execution_installer_package_spawned_network_event.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/02/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/02/07"
 [rule]
 author = ["Elastic"]
@@ -57,14 +59,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Tactic: Command and Control",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Command and Control", "Data Source: Elastic Defend"]
 type = "eql"
 query = '''
diff --git a/rules/macos/execution_script_via_automator_workflows.toml b/rules/macos/execution_script_via_automator_workflows.toml
index 55faccc41..136bfe590 100644
--- a/rules/macos/execution_script_via_automator_workflows.toml
+++ b/rules/macos/execution_script_via_automator_workflows.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -45,13 +47,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
 type = "eql"
 query = '''
diff --git a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
index d643bd904..b1f11d979 100644
--- a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
+++ b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -47,14 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend"]
 type = "eql"
 query = '''
diff --git a/rules/macos/execution_shell_execution_via_apple_scripting.toml b/rules/macos/execution_shell_execution_via_apple_scripting.toml
index c0c517e9e..a7a99bdb5 100644
--- a/rules/macos/execution_shell_execution_via_apple_scripting.toml
+++ b/rules/macos/execution_shell_execution_via_apple_scripting.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/02/07"
 [rule]
 author = ["Elastic"]
@@ -47,13 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
 type = "eql"
 query = '''
diff --git a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
index 9013d41a7..5d97ac011 100644
--- a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
+++ b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/01/12"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -44,14 +46,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/lateral_movement_mounting_smb_share.toml b/rules/macos/lateral_movement_mounting_smb_share.toml
index 567c47b24..226042e14 100644
--- a/rules/macos/lateral_movement_mounting_smb_share.toml
+++ b/rules/macos/lateral_movement_mounting_smb_share.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -44,13 +46,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
index c312d9699..3e6f70a97 100644
--- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
+++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -45,13 +47,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml
index 6388074a4..f54ba8e70 100644
--- a/rules/macos/lateral_movement_vpn_connection_attempt.toml
+++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/01/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -48,13 +50,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_account_creation_hide_at_logon.toml b/rules/macos/persistence_account_creation_hide_at_logon.toml
index 88551bdc5..841b7e479 100644
--- a/rules/macos/persistence_account_creation_hide_at_logon.toml
+++ b/rules/macos/persistence_account_creation_hide_at_logon.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/01/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -44,13 +46,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_creation_change_launch_agents_file.toml b/rules/macos/persistence_creation_change_launch_agents_file.toml
index 043c9618c..1b0f3cb86 100644
--- a/rules/macos/persistence_creation_change_launch_agents_file.toml
+++ b/rules/macos/persistence_creation_change_launch_agents_file.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/15"
 [rule]
 author = ["Elastic"]
@@ -47,13 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/macos/persistence_creation_hidden_login_item_osascript.toml b/rules/macos/persistence_creation_hidden_login_item_osascript.toml index 1b48ca3d7..776e53467 100644 --- a/rules/macos/persistence_creation_hidden_login_item_osascript.toml +++ b/rules/macos/persistence_creation_hidden_login_item_osascript.toml @@ -2,7 +2,9 @@ creation_date = "2020/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/15" [rule] author = ["Elastic"] @@ -43,14 +45,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml index 0c3009d0c..a6aeb4b28 100644 
--- a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml +++ b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/15" [rule] author = ["Elastic"] @@ -47,13 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml index 86b2ab22a..7b3faa66c 100644 --- a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml +++ b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml @@ -2,7 +2,9 @@ creation_date = "2021/01/13" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/07" [rule] author = ["Elastic"] 
@@ -48,13 +50,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/persistence_crontab_creation.toml b/rules/macos/persistence_crontab_creation.toml index b8396765b..d0f9b622d 100644 --- a/rules/macos/persistence_crontab_creation.toml +++ b/rules/macos/persistence_crontab_creation.toml @@ -2,7 +2,9 @@ creation_date = "2022/04/25" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/15" [rule] author = ["Elastic"] @@ -47,13 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml index 669416509..dde96a35b 100644 
--- a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml +++ b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml @@ -2,7 +2,9 @@ creation_date = "2020/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/15" [rule] author = ["Elastic"] @@ -48,14 +50,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/persistence_directory_services_plugins_modification.toml b/rules/macos/persistence_directory_services_plugins_modification.toml index 6212dfc74..182980687 100644 --- a/rules/macos/persistence_directory_services_plugins_modification.toml +++ b/rules/macos/persistence_directory_services_plugins_modification.toml @@ -2,7 +2,9 @@ creation_date = "2021/01/13" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/15" [rule] author = ["Elastic"] 
@@ -45,13 +47,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/persistence_docker_shortcuts_plist_modification.toml b/rules/macos/persistence_docker_shortcuts_plist_modification.toml index 25ac05e33..06cb5f257 100644 --- a/rules/macos/persistence_docker_shortcuts_plist_modification.toml +++ b/rules/macos/persistence_docker_shortcuts_plist_modification.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/18" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/07" [rule] author = ["Elastic"] @@ -46,13 +48,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/persistence_emond_rules_file_creation.toml b/rules/macos/persistence_emond_rules_file_creation.toml index e6bbcdc0b..98d49da56 100644 --- a/rules/macos/persistence_emond_rules_file_creation.toml 
+++ b/rules/macos/persistence_emond_rules_file_creation.toml @@ -2,7 +2,9 @@ creation_date = "2021/01/11" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/15" [rule] author = ["Elastic"] @@ -47,13 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/persistence_emond_rules_process_execution.toml b/rules/macos/persistence_emond_rules_process_execution.toml index c597f0d3f..54d9a2796 100644 --- a/rules/macos/persistence_emond_rules_process_execution.toml +++ b/rules/macos/persistence_emond_rules_process_execution.toml @@ -2,7 +2,9 @@ creation_date = "2021/01/11" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/15" [rule] author = ["Elastic"] 
@@ -45,13 +47,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/persistence_enable_root_account.toml b/rules/macos/persistence_enable_root_account.toml index 47a4bdcfe..071bdeec6 100644 --- a/rules/macos/persistence_enable_root_account.toml +++ b/rules/macos/persistence_enable_root_account.toml @@ -2,7 +2,9 @@ creation_date = "2020/01/04" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/15" [rule] author = ["Elastic"] @@ -44,13 +46,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml index 0b84f1c37..91ca171a5 100644 --- a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml 
+++ b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml @@ -2,7 +2,9 @@ creation_date = "2020/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/15" [rule] author = ["Elastic"] @@ -46,14 +48,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/persistence_folder_action_scripts_runtime.toml b/rules/macos/persistence_folder_action_scripts_runtime.toml index 18b114cfa..2ab486933 100644 --- a/rules/macos/persistence_folder_action_scripts_runtime.toml +++ b/rules/macos/persistence_folder_action_scripts_runtime.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/07" [rule] author = ["Elastic"] 
@@ -45,14 +47,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Persistence", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/persistence_login_logout_hooks_defaults.toml b/rules/macos/persistence_login_logout_hooks_defaults.toml index b0ef9cdda..27b66280d 100644 --- a/rules/macos/persistence_login_logout_hooks_defaults.toml +++ b/rules/macos/persistence_login_logout_hooks_defaults.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/15" [rule] author = ["Elastic"] @@ -47,13 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/persistence_loginwindow_plist_modification.toml b/rules/macos/persistence_loginwindow_plist_modification.toml index f75f8d191..7abf4edf7 100644 
--- a/rules/macos/persistence_loginwindow_plist_modification.toml +++ b/rules/macos/persistence_loginwindow_plist_modification.toml @@ -2,7 +2,9 @@ creation_date = "2021/01/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/19" [rule] author = ["Elastic"] @@ -47,13 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml index b83bfe38a..2a42dcc35 100644 --- a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml +++ b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/23" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/15" [rule] author = ["Elastic"] 
@@ -44,13 +46,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml index fda11158c..b27ce05a7 100644 --- a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml +++ b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml @@ -2,7 +2,9 @@ creation_date = "2021/01/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/15" [rule] author = ["Elastic"] @@ -48,13 +50,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml index c2c9d4d7c..7509ec421 100644 
--- a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml +++ b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml @@ -2,7 +2,9 @@ creation_date = "2021/10/05" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/15" [rule] author = ["Elastic"] @@ -56,13 +58,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/persistence_screensaver_plist_file_modification.toml b/rules/macos/persistence_screensaver_plist_file_modification.toml index f7280bcfa..09eaadca5 100644 --- a/rules/macos/persistence_screensaver_plist_file_modification.toml +++ b/rules/macos/persistence_screensaver_plist_file_modification.toml @@ -2,7 +2,9 @@ creation_date = "2021/10/05" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/15" [rule] author = ["Elastic"] 
@@ -54,13 +56,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/persistence_suspicious_calendar_modification.toml b/rules/macos/persistence_suspicious_calendar_modification.toml index d9e648f11..11859698a 100644 --- a/rules/macos/persistence_suspicious_calendar_modification.toml +++ b/rules/macos/persistence_suspicious_calendar_modification.toml @@ -2,7 +2,9 @@ creation_date = "2021/01/19" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/15" [rule] author = ["Elastic"] @@ -49,13 +51,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/persistence_via_atom_init_file_modification.toml b/rules/macos/persistence_via_atom_init_file_modification.toml index f28167881..47d8aa87a 100644 
--- a/rules/macos/persistence_via_atom_init_file_modification.toml +++ b/rules/macos/persistence_via_atom_init_file_modification.toml @@ -2,7 +2,9 @@ creation_date = "2021/01/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/15" [rule] author = ["Elastic"] @@ -47,13 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml index b05b7f042..5cd2ed8d6 100644 --- a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml +++ b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/15" [rule] author = ["Elastic"] 
@@ -48,14 +50,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml index 2fbd033a2..62f86ac76 100644 --- a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml +++ b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml @@ -2,7 +2,9 @@ creation_date = "2021/01/19" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/15" [rule] author = ["Elastic"] @@ -54,7 +56,7 @@ tags = [ "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", - "Data Source: Elastic Defend", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/privilege_escalation_root_crontab_filemod.toml b/rules/macos/privilege_escalation_root_crontab_filemod.toml index 3e51714cd..619fe2872 100644 --- a/rules/macos/privilege_escalation_root_crontab_filemod.toml +++ b/rules/macos/privilege_escalation_root_crontab_filemod.toml 
@@ -2,7 +2,9 @@ creation_date = "2021/01/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/15" [rule] author = ["Elastic"] @@ -47,13 +49,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml index 11ced2586..757b1664c 100644 --- a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml +++ b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/27" [rule] anomaly_threshold = 50 
@@ -28,13 +30,9 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "91f02f01-969f-4167-8f66-07827ac3bdd9" severity = "low" -tags = [ - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Command and Control", -] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -47,4 +45,3 @@ reference = "https://attack.mitre.org/techniques/T1572/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml index 7a9331936..43d92a099 100644 --- a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml +++ b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/27" [rule] anomaly_threshold = 50 
@@ -31,28 +33,23 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "746edc4c-c54c-49c6-97a1-651223819448" severity = "low" -tags = [ - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Command and Control", -] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" -[[rule.threat.technique.subtechnique]] -id = "T1071.004" -name = "DNS" -reference = "https://attack.mitre.org/techniques/T1071/004/" + [[rule.threat.technique.subtechnique]] + id = "T1071.004" + name = "DNS" + reference = "https://attack.mitre.org/techniques/T1071/004/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - +reference = "https://attack.mitre.org/tactics/TA0011/" \ No newline at end of file diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml index f5f645da5..c68d24c04 100644 --- a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml +++ b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/27" [rule] anomaly_threshold = 50 
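Review bot: The `@@ -31,28 +33,23 @@` hunk of command_and_control_ml_packetbeat_rare_dns_question.toml drops the file's trailing newline (`\ No newline at end of file` on the new side), and the `@@ -78,5 +74,4 @@` hunk of credential_access_ml_auth_spike_in_failed_logon_events.toml does the same; the other files on this page keep a final newline. Keep `reference = "https://attack.mitre.org/tactics/TA0011/"` terminated by a newline so later diffs and line-oriented tooling do not flag the last line again. The same hunk also indents the `[[rule.threat.technique.subtechnique]]` table under its parent, which is valid TOML but differs from how the non-ML rule files on this page are laid out; presumably the rule serialiser emits this form, so it is worth confirming rather than hand-editing.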
@@ -34,25 +36,22 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "91f02f01-969f-4167-8f55-07827ac3acc9" severity = "low" -tags = [ - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Command and Control", -] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" -[[rule.threat.technique.subtechnique]] -id = "T1071.001" -name = "Web Protocols" -reference = "https://attack.mitre.org/techniques/T1071/001/" + [[rule.threat.technique.subtechnique]] + id = "T1071.001" + name = "Web Protocols" + reference = "https://attack.mitre.org/techniques/T1071/001/" + [rule.threat.tactic] id = "TA0011" diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml index 80d1ea8c1..449a6ff3e 100644 --- a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml +++ b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/27" [rule] anomaly_threshold = 50 
@@ -32,25 +34,22 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "91f02f01-969f-4167-8d77-07827ac4cee0" severity = "low" -tags = [ - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Command and Control", -] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" -[[rule.threat.technique.subtechnique]] -id = "T1071.001" -name = "Web Protocols" -reference = "https://attack.mitre.org/techniques/T1071/001/" + [[rule.threat.technique.subtechnique]] + id = "T1071.001" + name = "Web Protocols" + reference = "https://attack.mitre.org/techniques/T1071/001/" + [rule.threat.tactic] id = "TA0011" diff --git a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml index b1686ca28..7d5f0f82d 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml +++ b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml @@ -2,7 +2,9 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 75 
@@ -58,15 +60,9 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "99dcf974-6587-4f65-9252-d866a3fdfd9c" severity = "low" -tags = [ - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Credential Access", - "Resources: Investigation Guide", -] +tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access", "Resources: Investigation Guide"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -78,5 +74,4 @@ reference = "https://attack.mitre.org/techniques/T1110/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - +reference = "https://attack.mitre.org/tactics/TA0006/" \ No newline at end of file diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml index 7bef2ab7d..108d1f6a6 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml +++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml @@ -2,7 +2,9 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 75 
@@ -26,14 +28,9 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9" severity = "low" -tags = [ - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Credential Access", -] +tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -45,5 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1110/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - +reference = "https://attack.mitre.org/tactics/TA0006/" \ No newline at end of file diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml index a7db16692..5a7340a19 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml +++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml 
@@ -2,14 +2,16 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ -A machine learning job found an unusually large spike in successful authentication events from a particular source IP -address. This can be due to password spraying, user enumeration or brute force activity. +A machine learning job found an unusually large spike in successful authentication events from a particular +source IP address. This can be due to password spraying, user enumeration or brute force activity. """ false_positives = [ """ @@ -51,16 +53,9 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "e26aed74-c816-40d3-a810-48d6fbd8b2fd" severity = "low" -tags = [ - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Credential Access", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", -] +tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -83,14 +78,11 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" - [[rule.threat.technique.subtechnique]] id = "T1078.003" name = "Local Accounts" reference = "https://attack.mitre.org/techniques/T1078/003/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" 
diff --git a/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml index 99b868e36..208bb5ed2 100644 --- a/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml +++ b/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/22" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 @@ -25,26 +27,20 @@ name = "Unusual Linux Process Calling the Metadata Service" risk_score = 21 rule_id = "9d302377-d226-4e12-b54c-1906b5aec4f6" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Credential Access", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" -[[rule.threat.technique.subtechnique]] -id = "T1552.005" -name = "Cloud Instance Metadata API" -reference = "https://attack.mitre.org/techniques/T1552/005/" + [[rule.threat.technique.subtechnique]] + id = "T1552.005" + name = "Cloud Instance Metadata API" + reference = "https://attack.mitre.org/techniques/T1552/005/" [rule.threat.tactic] diff --git a/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml index c9b15fd47..70948500d 100644 --- a/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml +++ b/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/09/22" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 75 @@ -25,30 +27,23 @@ name = "Unusual Linux User Calling the Metadata Service" risk_score = 21 rule_id = "1faec04b-d902-4f89-8aff-92cd9043c16f" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Credential Access", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" -[[rule.threat.technique.subtechnique]] -id = "T1552.005" -name = "Cloud Instance Metadata API" -reference = "https://attack.mitre.org/techniques/T1552/005/" + [[rule.threat.technique.subtechnique]] + id = "T1552.005" + name = "Cloud Instance Metadata API" + reference = "https://attack.mitre.org/techniques/T1552/005/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/ml/credential_access_ml_suspicious_login_activity.toml b/rules/ml/credential_access_ml_suspicious_login_activity.toml index ce9acc370..3520d541d 100644 --- a/rules/ml/credential_access_ml_suspicious_login_activity.toml +++ b/rules/ml/credential_access_ml_suspicious_login_activity.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 @@ -23,14 +25,9 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "4330272b-9724-4bc6-a3ca-f1532b81e5c2" severity = "low" -tags = [ - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Credential Access", -] +tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml index 708f48dd6..2885596e7 100644 --- a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml +++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/22" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 
@@ -25,30 +27,24 @@ name = "Unusual Windows Process Calling the Metadata Service" risk_score = 21 rule_id = "abae61a8-c560-4dbd-acca-1e1438bff36b" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Credential Access", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" -[[rule.threat.technique.subtechnique]] -id = "T1552.005" -name = "Cloud Instance Metadata API" -reference = "https://attack.mitre.org/techniques/T1552/005/" + [[rule.threat.technique.subtechnique]] + id = "T1552.005" + name = "Cloud Instance Metadata API" + reference = "https://attack.mitre.org/techniques/T1552/005/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - +reference = "https://attack.mitre.org/tactics/TA0006/" \ No newline at end of file diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml index 783424170..4ef68ed70 100644 --- a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml +++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/22" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 75 
@@ -25,30 +27,24 @@ name = "Unusual Windows User Calling the Metadata Service" risk_score = 21 rule_id = "df197323-72a8-46a9-a08e-3f5b04a4a97a" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Credential Access", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" -[[rule.threat.technique.subtechnique]] -id = "T1552.005" -name = "Cloud Instance Metadata API" -reference = "https://attack.mitre.org/techniques/T1552/005/" + [[rule.threat.technique.subtechnique]] + id = "T1552.005" + name = "Cloud Instance Metadata API" + reference = "https://attack.mitre.org/techniques/T1552/005/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - +reference = "https://attack.mitre.org/tactics/TA0006/" \ No newline at end of file diff --git a/rules/ml/discovery_ml_linux_system_information_discovery.toml b/rules/ml/discovery_ml_linux_system_information_discovery.toml index c79652052..ed009b873 100644 --- a/rules/ml/discovery_ml_linux_system_information_discovery.toml +++ b/rules/ml/discovery_ml_linux_system_information_discovery.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 75 
@@ -27,14 +29,7 @@ name = "Unusual Linux System Information Discovery Activity" risk_score = 21 rule_id = "d4af3a06-1e0a-48ec-b96a-faf2309fae46" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Discovery", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml b/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml index 016916bf3..8dde1a9c8 100644 --- a/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml +++ b/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/27" [rule] anomaly_threshold = 25 @@ -27,14 +29,7 @@ name = "Unusual Linux Network Configuration Discovery" risk_score = 21 rule_id = "f9590f47-6bd5-4a49-bd49-a2f886476fb9" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Discovery", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml b/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml index 240ea84f8..d92e316c9 100644 --- a/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml 
+++ b/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 25 @@ -27,14 +29,7 @@ name = "Unusual Linux Network Connection Discovery" risk_score = 21 rule_id = "c28c4d8c-f014-40ef-88b6-79a1d67cd499" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Discovery", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/ml/discovery_ml_linux_system_process_discovery.toml b/rules/ml/discovery_ml_linux_system_process_discovery.toml index 236077e31..13dc66315 100644 --- a/rules/ml/discovery_ml_linux_system_process_discovery.toml +++ b/rules/ml/discovery_ml_linux_system_process_discovery.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 
@@ -27,14 +29,7 @@ name = "Unusual Linux Process Discovery Activity" risk_score = 21 rule_id = "5c983105-4681-46c3-9890-0c66d05e776b" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Discovery", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/ml/discovery_ml_linux_system_user_discovery.toml b/rules/ml/discovery_ml_linux_system_user_discovery.toml index fedcc0308..8ef069586 100644 --- a/rules/ml/discovery_ml_linux_system_user_discovery.toml +++ b/rules/ml/discovery_ml_linux_system_user_discovery.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 75 @@ -27,14 +29,7 @@ name = "Unusual Linux User Discovery Activity" risk_score = 21 rule_id = "59756272-1998-4b8c-be14-e287035c4d10" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Discovery", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/ml/execution_ml_windows_anomalous_script.toml b/rules/ml/execution_ml_windows_anomalous_script.toml index 6818f720d..9d4ac076c 100644 --- a/rules/ml/execution_ml_windows_anomalous_script.toml +++ b/rules/ml/execution_ml_windows_anomalous_script.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 @@ -24,35 +26,28 @@ machine_learning_job_id = ["v3_windows_anomalous_script"] name = "Suspicious Powershell Script" references = [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration", -] + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"] risk_score = 21 rule_id = "1781d055-5c66-4adf-9d60-fc0fa58337b6" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Execution", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Execution"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" + [[rule.threat.technique.subtechnique]] + id = "T1059.001" + name = "PowerShell" + reference = "https://attack.mitre.org/techniques/T1059/001/" + [rule.threat.tactic] id = "TA0002" name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - +reference = "https://attack.mitre.org/tactics/TA0002/" \ No newline at end of file diff --git a/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml b/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml index 5c318758f..62b9e5aa4 100644 
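Review bot: In the second hunk of execution_ml_windows_anomalous_script.toml the `references` array is closed on the same line as its last element and loses its trailing comma (`"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"]`), which is the only multi-line array in this diff written that way; the `false_positives = [ """ … """, ]` arrays elsewhere keep the closing bracket on its own line. Keep the previous two lines, `"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",` followed by `]`, so the array layout matches the rest of the rule set and later additions stay one-line diffs.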
--- a/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml +++ b/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml @@ -2,7 +2,9 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 75 @@ -45,15 +47,9 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "745b0119-0560-43ba-860a-7235dd8cee8d" severity = "low" -tags = [ - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Initial Access", - "Resources: Investigation Guide", -] +tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access", "Resources: Investigation Guide"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -66,4 +62,3 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml index 5a1520d9f..8246bb110 100644 --- a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml +++ b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml @@ -2,7 +2,9 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 75 
@@ -23,14 +25,9 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "d4b73fa0-9d43-465e-b8bf-50230da6718b" severity = "low" -tags = [ - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Initial Access", -] +tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -43,4 +40,3 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/ml/initial_access_ml_auth_rare_user_logon.toml b/rules/ml/initial_access_ml_auth_rare_user_logon.toml index 18af4302f..d8d0e3fb3 100644 --- a/rules/ml/initial_access_ml_auth_rare_user_logon.toml +++ b/rules/ml/initial_access_ml_auth_rare_user_logon.toml 
@@ -2,15 +2,17 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of -detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user has -left the organization) that becomes active may be due to credentialed access using a compromised account password. +detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user +has left the organization) that becomes active may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application. """ false_positives = [ @@ -52,15 +54,9 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "138c5dd5-838b-446e-b1ac-c995c7f8108a" severity = "low" -tags = [ - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Initial Access", - "Resources: Investigation Guide", -] +tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access", "Resources: Investigation Guide"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -71,16 +67,12 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" - [[rule.threat.technique.subtechnique]] id = "T1078.003" name = "Local Accounts" reference = "https://attack.mitre.org/techniques/T1078/003/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/ml/initial_access_ml_linux_anomalous_user_name.toml b/rules/ml/initial_access_ml_linux_anomalous_user_name.toml index bc5582d14..686ef15bb 100644 --- a/rules/ml/initial_access_ml_linux_anomalous_user_name.toml +++ b/rules/ml/initial_access_ml_linux_anomalous_user_name.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 @@ -39,15 +41,9 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "b347b919-665f-4aac-b9e8-68369bf2340c" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Initial Access", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml index 7bae0eb98..ffd6ad723 100644 --- a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml +++ b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 @@ -40,15 +42,9 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "1781d055-5c66-4adf-9c59-fc0fa58336a5" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Initial Access", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -59,14 +55,11 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" - [[rule.threat.technique.subtechnique]] id = "T1078.003" name = "Local Accounts" reference = "https://attack.mitre.org/techniques/T1078/003/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" diff --git a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml index 66e6ed0a0..b5289e0ad 100644 --- a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml +++ b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 
@@ -33,15 +35,9 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "1781d055-5c66-4adf-9e93-fc0fa69550c9" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Initial Access", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -53,5 +49,4 @@ reference = "https://attack.mitre.org/techniques/T1078/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - +reference = "https://attack.mitre.org/tactics/TA0001/" \ No newline at end of file diff --git a/rules/ml/ml_high_count_network_denies.toml b/rules/ml/ml_high_count_network_denies.toml index e953addcf..22fb46f58 100644 --- a/rules/ml/ml_high_count_network_denies.toml +++ b/rules/ml/ml_high_count_network_denies.toml 
@@ -2,23 +2,25 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/27" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ -A machine learning job detected an unusually large spike in network traffic that was denied by network access control -lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by either 1) a mis-configured -application or firewall or 2) suspicious or malicious activity. Unsuccessful attempts at network transit, in order to -connect to command-and-control (C2), or engage in data exfiltration, may produce a burst of failed connections. This -could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or -traffic floods may also produce such a surge in traffic. +A machine learning job detected an unusually large spike in network traffic that was +denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by +either 1) a mis-configured application or firewall or 2) suspicious or malicious activity. +Unsuccessful attempts at network transit, in order to connect to command-and-control (C2), +or engage in data exfiltration, may produce a burst of failed connections. This could also +be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service +attacks or traffic floods may also produce such a surge in traffic. """ false_positives = [ """ - A misconfgured network application or firewall may trigger this alert. Security scans or test cycles may trigger - this alert. + A misconfgured network application or firewall may trigger this alert. Security scans or test cycles may trigger this alert. """, ] from = "now-30m" 
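Review bot: The false_positives text on the new side still reads `A misconfgured network application or firewall`; this string is shown to analysts, so fix the typo while the line is being rewritten: `A misconfigured network application or firewall may trigger this alert.`. This file also places `min_stack_comments`/`min_stack_version` before `updated_date`, whereas the Windows/Linux rule files in the same commit place them after it; pick one key order for the metadata keys at the top of the file so the files stay uniform and diff cleanly. Note that re-wrapping the `"""` description and false_positives strings changes the newlines embedded in those values, not just the file layout, so it is a content change if the consumer renders the text verbatim.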
@@ -30,6 +32,5 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "eaa77d63-9679-4ce3-be25-3ba8b795e5fa"
 severity = "low"
-tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"]
+tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ]
 type = "machine_learning"
-
diff --git a/rules/ml/ml_high_count_network_events.toml b/rules/ml/ml_high_count_network_events.toml
index 1218c64e5..6679f4147 100644
--- a/rules/ml/ml_high_count_network_events.toml
+++ b/rules/ml/ml_high_count_network_events.toml
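Review bot: The rewritten `tags` line ends with a dangling `, ]`; it is valid TOML, but the other single-line tag lists in this commit (the persistence and privilege-escalation rules, for example) have no trailing comma, so the stray comma reads as a leftover from collapsing the list. Drop it: `tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"]`. The same `, ]` appears in several other network and ML rule files in this commit and should be cleaned up there too, or the repo's TOML normalizer should be rerun over the set.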
@@ -2,22 +2,25 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/27" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ -A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, if not caused by a -surge in business activity, can be due to suspicious or malicious activity. Large-scale data exfiltration may produce a -burst of network traffic; this could also be due to unusually large amounts of reconnaissance or enumeration traffic. -Denial-of-service attacks or traffic floods may also produce such a surge in traffic. +A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, +if not caused by a surge in business activity, can be due to suspicious or malicious activity. +Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually +large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may +also produce such a surge in traffic. """ false_positives = [ """ - Business workflows that occur very occasionally, and involve an unusual surge in network traffic, can trigger this - alert. A new business workflow or a surge in business activity may trigger this alert. A misconfigured network - application or firewall may trigger this alert. + Business workflows that occur very occasionally, and involve an unusual surge in network traffic, + can trigger this alert. A new business workflow or a surge in business activity may trigger this alert. + A misconfigured network application or firewall may trigger this alert. """, ] from = "now-30m" 
@@ -29,6 +32,5 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "b240bfb8-26b7-4e5e-924e-218144a3fa71" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] type = "machine_learning" - diff --git a/rules/ml/ml_linux_anomalous_network_activity.toml b/rules/ml/ml_linux_anomalous_network_activity.toml index 97ddd9a53..b1e96b676 100644 --- a/rules/ml/ml_linux_anomalous_network_activity.toml +++ b/rules/ml/ml_linux_anomalous_network_activity.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 @@ -32,12 +34,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "52afbdc5-db15-485e-bc24-f5707f820c4b" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] type = "machine_learning" diff --git a/rules/ml/ml_linux_anomalous_network_port_activity.toml b/rules/ml/ml_linux_anomalous_network_port_activity.toml index 8b0838f66..c27a15a5c 100644 --- a/rules/ml/ml_linux_anomalous_network_port_activity.toml +++ b/rules/ml/ml_linux_anomalous_network_port_activity.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 @@ -22,12 +24,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "3c7e32e6-6104-46d9-a06e-da0f8b5795a0" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] type = "machine_learning" diff --git a/rules/ml/ml_packetbeat_rare_server_domain.toml b/rules/ml/ml_packetbeat_rare_server_domain.toml index f8623cc1f..4dcc51b2f 100644 --- a/rules/ml/ml_packetbeat_rare_server_domain.toml +++ b/rules/ml/ml_packetbeat_rare_server_domain.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/27" [rule] anomaly_threshold = 50 @@ -31,6 +33,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "17e68559-b274-4948-ad0b-f8415bb31126" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] type = "machine_learning" diff --git a/rules/ml/ml_rare_destination_country.toml b/rules/ml/ml_rare_destination_country.toml index b496dfbd4..875c9fe09 100644 --- a/rules/ml/ml_rare_destination_country.toml +++ b/rules/ml/ml_rare_destination_country.toml 
@@ -2,26 +2,30 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/27" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ -A machine learning job detected a rare destination country name in the network logs. This can be due to initial access, -persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing -email or opens a malicious document, a request may be sent to download and run a payload from a server in a country -which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms -may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual -destination country for the source network. +A machine learning job detected a rare destination country name in the network logs. +This can be due to initial access, persistence, command-and-control, or exfiltration activity. +For example, when a user clicks on a link in a phishing email or opens a malicious document, +a request may be sent to download and run a payload from a server in a country which does not +normally appear in network traffic or business work-flows. Malware instances and persistence +mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, +which may be an unusual destination country for the source network. """ false_positives = [ """ - Business workflows that occur very occasionally, and involve a business relationship with an organization in a - country that does not routinely appear in network events, can trigger this alert. 
A new business workflow with an - organization in a country with which no workflows previously existed may trigger this alert - although the model - will learn that the new destination country is no longer anomalous as the activity becomes ongoing. Business - travelers who roam to many countries for brief periods may trigger this alert. + Business workflows that occur very occasionally, and involve a business relationship with an + organization in a country that does not routinely appear in network events, can trigger this alert. + A new business workflow with an organization in a country with which no workflows previously + existed may trigger this alert - although the model will learn that the new destination country + is no longer anomalous as the activity becomes ongoing. Business travelers who roam to many + countries for brief periods may trigger this alert. """, ] from = "now-30m" @@ -33,6 +37,5 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "35f86980-1fb1-4dff-b311-3be941549c8d" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] type = "machine_learning" - diff --git a/rules/ml/ml_spike_in_traffic_to_a_country.toml b/rules/ml/ml_spike_in_traffic_to_a_country.toml index 9066dda24..7e7d8b459 100644 --- a/rules/ml/ml_spike_in_traffic_to_a_country.toml +++ b/rules/ml/ml_spike_in_traffic_to_a_country.toml @@ -2,7 +2,9 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/27" [rule] anomaly_threshold = 75 
@@ -16,10 +18,10 @@ infrastructure in their country of origin, which may be an unusual destination c """ false_positives = [ """ - Business workflows that occur very occasionally, and involve an unusual surge in network traffic to one destination - country, can trigger this alert. A new business workflow or a surge in business activity in a particular country may - trigger this alert. Business travelers who roam to many countries for brief periods may trigger this alert if they - engage in volumetric network activity. + Business workflows that occur very occasionally, and involve an unusual surge in network traffic + to one destination country, can trigger this alert. A new business workflow or a surge in business + activity in a particular country may trigger this alert. Business travelers who roam to many + countries for brief periods may trigger this alert if they engage in volumetric network activity. """, ] from = "now-30m" @@ -68,6 +70,5 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "c7db5533-ca2a-41f6-a8b0-ee98abe0f573" severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"] +tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] type = "machine_learning" - diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml index 56b7637a3..338892739 100644 --- a/rules/ml/ml_windows_anomalous_network_activity.toml +++ b/rules/ml/ml_windows_anomalous_network_activity.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 
@@ -35,12 +37,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "ba342eb2-583c-439f-b04d-1fdd7c1417cc" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ] type = "machine_learning" diff --git a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml index 8de5f2864..75f0ca416 100644 --- a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml +++ b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 
@@ -64,31 +66,24 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "647fc812-7996-4795-8869-9c4ea595fe88" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Persistence", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1543.003" -name = "Windows Service" -reference = "https://attack.mitre.org/techniques/T1543/003/" + [[rule.threat.technique.subtechnique]] + id = "T1543.003" + name = "Windows Service" + reference = "https://attack.mitre.org/techniques/T1543/003/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/ml/persistence_ml_rare_process_by_host_linux.toml b/rules/ml/persistence_ml_rare_process_by_host_linux.toml index 224077d6f..a5e44c9f7 100644 --- a/rules/ml/persistence_ml_rare_process_by_host_linux.toml +++ b/rules/ml/persistence_ml_rare_process_by_host_linux.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 
@@ -64,30 +66,24 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "46f804f5-b289-43d6-a881-9387cf594f75" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Persistence", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1543.002" -name = "Systemd Service" -reference = "https://attack.mitre.org/techniques/T1543/002/" + [[rule.threat.technique.subtechnique]] + id = "T1543.002" + name = "Systemd Service" + reference = "https://attack.mitre.org/techniques/T1543/002/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - +reference = "https://attack.mitre.org/tactics/TA0003/" \ No newline at end of file diff --git a/rules/ml/persistence_ml_rare_process_by_host_windows.toml b/rules/ml/persistence_ml_rare_process_by_host_windows.toml index 280215b6f..93bfc627f 100644 --- a/rules/ml/persistence_ml_rare_process_by_host_windows.toml +++ b/rules/ml/persistence_ml_rare_process_by_host_windows.toml 
@@ -2,33 +2,26 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [transform] -[[transform.osquery]] -label = "Osquery - Retrieve DNS Cache" -query = "SELECT * FROM dns_cache" + [[transform.osquery]] + label = "Osquery - Retrieve DNS Cache" + query = "SELECT * FROM dns_cache" -[[transform.osquery]] -label = "Osquery - Retrieve All Services" -query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + [[transform.osquery]] + label = "Osquery - Retrieve All Services" + query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" -[[transform.osquery]] -label = "Osquery - Retrieve Services Running on User Accounts" -query = """ -SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE -NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR -user_account == null) -""" - -[[transform.osquery]] -label = "Retrieve Service Unisgned Executables with Virustotal Link" -query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, -services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = -authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' -""" + [[transform.osquery]] + label = "Osquery - Retrieve Services Running on User Accounts" + query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE 
'%NetworkService' OR user_account == null)" + [[transform.osquery]] + label = "Retrieve Service Unisgned Executables with Virustotal Link" + query = "SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'" [rule] anomaly_threshold = 50 @@ -114,28 +107,22 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "6d448b96-c922-4adb-b51c-b767f1ea5b76" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Persistence", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1543.003" -name = "Windows Service" -reference = "https://attack.mitre.org/techniques/T1543/003/" + [[rule.threat.technique.subtechnique]] + id = "T1543.003" + name = "Windows Service" + reference = "https://attack.mitre.org/techniques/T1543/003/" + [rule.threat.tactic] id = "TA0003" diff --git a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml index dbcb5d48c..b326a14ac 100644 --- a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml +++ b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml 
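Review bot: The `Osquery - Retrieve Services Running on User Accounts` query on the new side filters with `user_account == null`; osquery runs on SQLite, where comparing to NULL with `==` yields NULL rather than true or false, so whenever the three LIKE tests are false the `OR` chain evaluates to NULL, `NOT NULL` is NULL, and the row is dropped — unless osquery deviates from SQLite's three-valued logic, this query returns no services at all, which an analyst could misread as "no services run under user accounts". Use the null test instead: `... OR user_account IS NULL)`. While this line is being rewritten, also fix the user-facing label `Retrieve Service Unisgned Executables with Virustotal Link` to read `Unsigned`. Both issues predate this commit, but the hunk rewrites exactly these lines.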
@@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 @@ -29,28 +31,22 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "445a342e-03fb-42d0-8656-0367eb2dead5" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Persistence", - "Tactic: Execution", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Execution"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1543.003" -name = "Windows Service" -reference = "https://attack.mitre.org/techniques/T1543/003/" + [[rule.threat.technique.subtechnique]] + id = "T1543.003" + name = "Windows Service" + reference = "https://attack.mitre.org/techniques/T1543/003/" + [rule.threat.tactic] id = "TA0003" @@ -62,12 +58,13 @@ framework = "MITRE ATT&CK" id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" -[[rule.threat.technique.subtechnique]] -id = "T1204.002" -name = "Malicious File" -reference = "https://attack.mitre.org/techniques/T1204/002/" + [[rule.threat.technique.subtechnique]] + id = "T1204.002" + name = "Malicious File" + reference = "https://attack.mitre.org/techniques/T1204/002/" + [rule.threat.tactic] id = "TA0002" 
diff --git a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml index b3a28a2b7..dd5bcb424 100644 --- a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml +++ b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [transform] [[transform.osquery]] @@ -114,15 +116,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "6e40d56f-5c0e-4ac6-aece-bee96645b172" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Persistence", - "Tactic: Execution", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Execution"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml index e7d43de5e..f6c915343 100644 --- a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml +++ b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [transform] [[transform.osquery]] 
@@ -117,15 +119,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Persistence", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"] type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/ml/persistence_ml_windows_anomalous_service.toml b/rules/ml/persistence_ml_windows_anomalous_service.toml index ebd2420f3..301458aae 100644 --- a/rules/ml/persistence_ml_windows_anomalous_service.toml +++ b/rules/ml/persistence_ml_windows_anomalous_service.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 50 
@@ -27,30 +29,24 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs risk_score = 21 rule_id = "1781d055-5c66-4adf-9c71-fc0fa58338c7" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Persistence", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence"] type = "machine_learning" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1543.003" -name = "Windows Service" -reference = "https://attack.mitre.org/techniques/T1543/003/" + [[rule.threat.technique.subtechnique]] + id = "T1543.003" + name = "Windows Service" + reference = "https://attack.mitre.org/techniques/T1543/003/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml index adc9dacab..93d94089a 100644 --- a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml +++ b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2023/07/27" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] anomaly_threshold = 75 
@@ -25,14 +27,7 @@ name = "Unusual Sudo Activity"
 risk_score = 21
 rule_id = "1e9fc667-9ff1-4b33-9f40-fefca8537eb0"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Privilege Escalation",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Privilege Escalation"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
index 621759437..9aa047528 100644
--- a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
+++ b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2023/07/27"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 anomaly_threshold = 50
@@ -27,20 +29,12 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9d82-fc0fa58449c8"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Privilege Escalation",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Privilege Escalation"]
 type = "machine_learning"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
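Review bot: The new side of privilege_escalation_ml_windows_rare_user_runas_event.toml drops the file's final newline (`\ No newline at end of file` after the re-added `reference = "https://attack.mitre.org/tactics/TA0004/"`), and resource_development_ml_linux_anomalous_compiler_activity.toml does the same in the following hunk. The removed side ended with a newline, so this is a small regression that linters and editors flag and that makes the next edit to either file show a spurious change on its last line. Keep a single trailing newline after the `reference` line in both files; the extra blank line that the old side carried after it can still be removed.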
diff --git a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
index ca7bed0a2..03c4d43ef 100644
--- a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
+++ b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/03"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2023/07/27"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 anomaly_threshold = 50
@@ -26,30 +28,22 @@ name = "Anomalous Linux Compiler Activity"
 risk_score = 21
 rule_id = "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Resource Development",
-]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Resource Development"]
 type = "machine_learning"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1588"
 name = "Obtain Capabilities"
 reference = "https://attack.mitre.org/techniques/T1588/"
-[[rule.threat.technique.subtechnique]]
-id = "T1588.001"
-name = "Malware"
-reference = "https://attack.mitre.org/techniques/T1588/001/"
-
+ [[rule.threat.technique.subtechnique]]
+ id = "T1588.001"
+ name = "Malware"
+ reference = "https://attack.mitre.org/techniques/T1588/001/"
 [rule.threat.tactic]
 id = "TA0042"
 name = "Resource Development"
-reference = "https://attack.mitre.org/tactics/TA0042/"
-
+reference = "https://attack.mitre.org/tactics/TA0042/"
\ No newline at end of file
diff --git a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml
index 832e6fb03..276db49d0 100644
--- a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml
+++ b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/01"
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_cobalt_strike_beacon.toml b/rules/network/command_and_control_cobalt_strike_beacon.toml
index be1409663..de5520737 100644
--- a/rules/network/command_and_control_cobalt_strike_beacon.toml
+++ b/rules/network/command_and_control_cobalt_strike_beacon.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/07/06"
 integration = ["network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
index 6086b36e1..facaf30f0 100644
--- a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
+++ b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/10/05"
 integration = ["network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/01"
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_download_rar_powershell_from_internet.toml b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
index 22f2f919a..fbade0aa6 100644
--- a/rules/network/command_and_control_download_rar_powershell_from_internet.toml
+++ b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/07/02"
 integration = ["network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/01"
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_fin7_c2_behavior.toml b/rules/network/command_and_control_fin7_c2_behavior.toml
index 5766270a1..f4e43921e 100644
--- a/rules/network/command_and_control_fin7_c2_behavior.toml
+++ b/rules/network/command_and_control_fin7_c2_behavior.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/07/06"
 integration = ["network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/21"
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_halfbaked_beacon.toml b/rules/network/command_and_control_halfbaked_beacon.toml
index db956efc0..3cbbd7070 100644
--- a/rules/network/command_and_control_halfbaked_beacon.toml
+++ b/rules/network/command_and_control_halfbaked_beacon.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/07/06"
 integration = ["network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml
index 94a0c4750..8c76d249a 100644
--- a/rules/network/command_and_control_nat_traversal_port_activity.toml
+++ b/rules/network/command_and_control_nat_traversal_port_activity.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/17"
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml
index d25a8aeb1..8f2fdafa6 100644
--- a/rules/network/command_and_control_port_26_activity.toml
+++ b/rules/network/command_and_control_port_26_activity.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/18"
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
index 6cfbbf069..1b1cc835d 100644
--- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
+++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/17"
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
index d410f7aaa..5c07d1604 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/17"
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
index 09da32e8e..450ea79d3 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/17"
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/discovery_potential_network_sweep_detected.toml b/rules/network/discovery_potential_network_sweep_detected.toml
index 2fc61ba32..856e8943d 100644
--- a/rules/network/discovery_potential_network_sweep_detected.toml
+++ b/rules/network/discovery_potential_network_sweep_detected.toml
@@ -2,19 +2,21 @@
 creation_date = "2023/05/17"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/01/05"
 [rule]
 author = ["Elastic"]
-description = """
-This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network,
-identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses.
-This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data
-theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one
-source host to 10 or more destination hosts on commonly used network services.
-"""
+description = '''
+This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target
+network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and
+weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized
+access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts
+from one source host to 10 or more destination hosts on commonly used network services.
+'''
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*",]
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 5
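Review bot: The rewritten `index` line in discovery_potential_network_sweep_detected.toml ends in `"logs-endpoint.events.network-*",]`, a dangling trailing comma glued to the closing bracket. TOML accepts it, but the sibling port-scan and SYN-scan rules in this commit keep their `index` arrays without a trailing comma, so this reads as an accidental leftover; prefer `index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*"]`. The switch of `description` from `"""` to `'''` also changes the string from basic to literal (no escape processing); the current text contains no backslashes, so it is harmless today, but one delimiter style across the rule set is easier to maintain.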
@@ -22,46 +24,44 @@ name = "Potential Network Sweep Detected"
 risk_score = 21
 rule_id = "781f8746-2180-4691-890c-4c96d11ca91d"
 severity = "low"
-tags = [
- "Domain: Network",
- "Tactic: Discovery",
- "Tactic: Reconnaissance",
- "Use Case: Network Security Monitoring",
-]
-timestamp_override = "event.ingested"
+tags = ["Domain: Network",
+ "Tactic: Discovery",
+ "Tactic: Reconnaissance",
+ "Use Case: Network Security Monitoring"
+ ]
 type = "threshold"
+timestamp_override = "event.ingested"
 query = '''
 destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1046"
 name = "Network Service Discovery"
 reference = "https://attack.mitre.org/techniques/T1046/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1595"
 name = "Active Scanning"
 reference = "https://attack.mitre.org/techniques/T1595/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1595.001"
 name = "Scanning IP Blocks"
 reference = "https://attack.mitre.org/techniques/T1595/001/"
-
-
 [rule.threat.tactic]
 id = "TA0043"
 name = "Reconnaissance"
@@ -71,7 +71,6 @@ reference = "https://attack.mitre.org/tactics/TA0043/"
 field = ["source.ip"]
 value = 1
 [[rule.threshold.cardinality]]
+
 field = "destination.ip"
 value = 100
-
-
diff --git a/rules/network/discovery_potential_port_scan_detected.toml b/rules/network/discovery_potential_port_scan_detected.toml
index 1593f34d2..fb8c8d856 100644
--- a/rules/network/discovery_potential_port_scan_detected.toml
+++ b/rules/network/discovery_potential_port_scan_detected.toml
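Review bot: `timestamp_override = "event.ingested"` is moved from before `type = "threshold"` to after it, and `tags` is rewritten as a hanging multi-line array whose closing `]` is indented, both in this hunk and in the matching hunks of discovery_potential_port_scan_detected.toml, discovery_potential_syn_port_scan_detected.toml and the promotions rules (where `timestamp_override` likewise lands after `type = "query"`). The removed side kept the `[rule]` keys in alphabetical order and one tag per line at a fixed indent, which looks like formatter output, so the restored layout will presumably be rewritten on the next normalization pass and show up as churn unrelated to the `min_stack_version` change this commit is about. Keeping `timestamp_override` before `type` and writing `tags` as a conventional one-item-per-line array would limit these hunks to the intended metadata change.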
@@ -2,18 +2,20 @@
 creation_date = "2023/05/17"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/01/05"
 [rule]
 author = ["Elastic"]
-description = """
+description = '''
 This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a
-target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By
-mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining
+target system or network for open ports, allowing them to identify available services and potential vulnerabilities.
+By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining
 unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further
-exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from
-one source host to 20 or more destination ports.
-"""
+exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts
+from one source host to 20 or more destination ports.
+'''
 from = "now-9m"
 index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "filebeat-*", "auditbeat-*"]
 language = "kuery"
@@ -23,45 +25,44 @@ name = "Potential Network Scan Detected"
 risk_score = 21
 rule_id = "0171f283-ade7-4f87-9521-ac346c68cc9b"
 severity = "low"
-tags = [
- "Domain: Network",
- "Tactic: Discovery",
- "Tactic: Reconnaissance",
- "Use Case: Network Security Monitoring",
-]
-timestamp_override = "event.ingested"
+tags = ["Domain: Network",
+ "Tactic: Discovery",
+ "Tactic: Reconnaissance",
+ "Use Case: Network Security Monitoring"
+ ]
 type = "threshold"
+timestamp_override = "event.ingested"
 query = '''
 destination.port : * and event.action : "network_flow" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1046"
 name = "Network Service Discovery"
 reference = "https://attack.mitre.org/techniques/T1046/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1595"
 name = "Active Scanning"
 reference = "https://attack.mitre.org/techniques/T1595/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1595.001"
 name = "Scanning IP Blocks"
 reference = "https://attack.mitre.org/techniques/T1595/001/"
-
-
 [rule.threat.tactic]
 id = "TA0043"
 name = "Reconnaissance"
@@ -70,8 +71,7 @@ reference = "https://attack.mitre.org/tactics/TA0043/"
 [rule.threshold]
 field = ["destination.ip", "source.ip"]
 value = 1
+
 [[rule.threshold.cardinality]]
 field = "destination.port"
 value = 250
-
-
diff --git a/rules/network/discovery_potential_syn_port_scan_detected.toml b/rules/network/discovery_potential_syn_port_scan_detected.toml
index f5a5dca52..2ad59638e 100644
--- a/rules/network/discovery_potential_syn_port_scan_detected.toml
+++ b/rules/network/discovery_potential_syn_port_scan_detected.toml
@@ -2,18 +2,20 @@
 creation_date = "2023/05/17"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/01/05"
 [rule]
 author = ["Elastic"]
-description = """
+description = '''
 This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a
-target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this
-method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch
-targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading
-to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts
-from one source host to 10 or more destination ports using 2 or less packets per port.
-"""
+target network for open ports by sending SYN packets to multiple ports and observing the response.
+Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation,
+allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its
+security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic
+to check for connection attempts from one source host to 10 or more destination ports using 2 or less packets per port.
+'''
 from = "now-9m"
 index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*"]
 language = "kuery"
@@ -23,45 +25,44 @@ name = "Potential SYN-Based Network Scan Detected"
 risk_score = 21
 rule_id = "bbaa96b9-f36c-4898-ace2-581acb00a409"
 severity = "low"
-tags = [
- "Domain: Network",
- "Tactic: Discovery",
- "Tactic: Reconnaissance",
- "Use Case: Network Security Monitoring",
-]
-timestamp_override = "event.ingested"
+tags = ["Domain: Network",
+ "Tactic: Discovery",
+ "Tactic: Reconnaissance",
+ "Use Case: Network Security Monitoring"
+ ]
 type = "threshold"
+timestamp_override = "event.ingested"
 query = '''
 destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1046"
 name = "Network Service Discovery"
 reference = "https://attack.mitre.org/techniques/T1046/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1595"
 name = "Active Scanning"
 reference = "https://attack.mitre.org/techniques/T1595/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1595.001"
 name = "Scanning IP Blocks"
 reference = "https://attack.mitre.org/techniques/T1595/001/"
-
-
 [rule.threat.tactic]
 id = "TA0043"
 name = "Reconnaissance"
@@ -70,8 +71,7 @@ reference = "https://attack.mitre.org/tactics/TA0043/"
 [rule.threshold]
 field = ["destination.ip", "source.ip"]
 value = 1
+
 [[rule.threshold.cardinality]]
 field = "destination.port"
 value = 250
-
-
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
index 1d7743ba0..3dcd1d643 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/17"
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
index 0f11c9084..ce2e6f9b0 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
@@ -2,7 +2,10 @@
 creation_date = "2020/02/18"
 integration = ["network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/17"
+
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
index cdb0744ec..782073582 100644
--- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
+++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
@@ -2,7 +2,10 @@
 creation_date = "2020/02/18"
 integration = ["network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/17"
+
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/initial_access_unsecure_elasticsearch_node.toml b/rules/network/initial_access_unsecure_elasticsearch_node.toml
index 8f51cb76b..fa1a06c6a 100644
--- a/rules/network/initial_access_unsecure_elasticsearch_node.toml
+++ b/rules/network/initial_access_unsecure_elasticsearch_node.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/11"
 integration = ["network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/lateral_movement_dns_server_overflow.toml b/rules/network/lateral_movement_dns_server_overflow.toml
index 38b0ec200..ad311c66b 100644
--- a/rules/network/lateral_movement_dns_server_overflow.toml
+++ b/rules/network/lateral_movement_dns_server_overflow.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/07/16"
 integration = ["network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/01"
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml
index a438cc585..d643f37fb 100644
--- a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml
+++ b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml
@@ -1,14 +1,16 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/05/13"
 promotion = true
-updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in
-the rule.reference column for additional information.
+Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link
+in the rule.reference column for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
@@ -30,26 +32,24 @@ To make sure this rule can generate as many alerts as it's configured in its own
 **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
 severity = "high"
 tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"]
-timestamp_override = "event.ingested"
 type = "query"
+timestamp_override = "event.ingested"
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
-[[rule.threat.technique.subtechnique]]
-id = "T1003.001"
-name = "LSASS Memory"
-reference = "https://attack.mitre.org/techniques/T1003/001/"
-
+ [[rule.threat.technique.subtechnique]]
+ id = "T1003.001"
+ name = "LSASS Memory"
+ reference = "https://attack.mitre.org/techniques/T1003/001/"
 [rule.threat.tactic]
 id = "TA0006"
diff --git a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml
index 546220331..08734f9dd 100644
--- a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml
+++ b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml
@@ -1,14 +1,16 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/05/13"
 promotion = true
-updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in
-the rule.reference column for additional information.
+Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link
+in the rule.reference column for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
@@ -30,29 +32,26 @@ To make sure this rule can generate as many alerts as it's configured in its own
 **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
 severity = "medium"
 tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"]
-timestamp_override = "event.ingested"
 type = "query"
+timestamp_override = "event.ingested"
 query = '''
 event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
-[[rule.threat.technique.subtechnique]]
-id = "T1003.001"
-name = "LSASS Memory"
-reference = "https://attack.mitre.org/techniques/T1003/001/"
-
+ [[rule.threat.technique.subtechnique]]
+ id = "T1003.001"
+ name = "LSASS Memory"
+ reference = "https://attack.mitre.org/techniques/T1003/001/"
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/promotions/endgame_adversary_behavior_detected.toml b/rules/promotions/endgame_adversary_behavior_detected.toml
index 37dae90c4..8866e3f78 100644
--- a/rules/promotions/endgame_adversary_behavior_detected.toml
+++ b/rules/promotions/endgame_adversary_behavior_detected.toml
@@ -1,14 +1,16 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/05/13"
 promotion = true
-updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in
-the rule.reference column for additional information.
+Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the
+link in the rule.reference column for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
@@ -30,8 +32,8 @@ To make sure this rule can generate as many alerts as it's configured in its own
 **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
 severity = "medium"
 tags = ["Data Source: Elastic Endgame"]
-timestamp_override = "event.ingested"
 type = "query"
+timestamp_override = "event.ingested"
 query = '''
 event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event)
diff --git a/rules/promotions/endgame_malware_detected.toml b/rules/promotions/endgame_malware_detected.toml
index cbf07ce6b..c8865ab25 100644
--- a/rules/promotions/endgame_malware_detected.toml
+++ b/rules/promotions/endgame_malware_detected.toml
@@ -1,8 +1,10 @@ [metadata] creation_date = "2020/02/18" maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -30,8 +32,8 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "critical" tags = ["Data Source: Elastic Endgame"] -timestamp_override = "event.ingested" type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) diff --git a/rules/promotions/endgame_malware_prevented.toml b/rules/promotions/endgame_malware_prevented.toml index d00be8545..22c4fdbc5 100644 --- a/rules/promotions/endgame_malware_prevented.toml +++ b/rules/promotions/endgame_malware_prevented.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2020/02/18" maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -30,8 +32,8 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame"] -timestamp_override = "event.ingested" type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) 
diff --git a/rules/promotions/endgame_ransomware_detected.toml b/rules/promotions/endgame_ransomware_detected.toml index 917f0ab08..58870383f 100644 --- a/rules/promotions/endgame_ransomware_detected.toml +++ b/rules/promotions/endgame_ransomware_detected.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2020/02/18" maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -30,8 +32,8 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "critical" tags = ["Data Source: Elastic Endgame"] -timestamp_override = "event.ingested" type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) diff --git a/rules/promotions/endgame_ransomware_prevented.toml b/rules/promotions/endgame_ransomware_prevented.toml index d6e5e4b76..f8509c3a8 100644 --- a/rules/promotions/endgame_ransomware_prevented.toml +++ b/rules/promotions/endgame_ransomware_prevented.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2020/02/18" maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] 
@@ -30,8 +32,8 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame"] -timestamp_override = "event.ingested" type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) diff --git a/rules/promotions/execution_endgame_exploit_detected.toml b/rules/promotions/execution_endgame_exploit_detected.toml index 891c48a3e..fff5c7797 100644 --- a/rules/promotions/execution_endgame_exploit_detected.toml +++ b/rules/promotions/execution_endgame_exploit_detected.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2020/02/18" maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -29,20 +31,14 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" -tags = [ - "Data Source: Elastic Endgame", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Privilege Escalation", -] -timestamp_override = "event.ingested" +tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"] type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) ''' - [[rule.threat]] framework = "MITRE ATT&CK" 
@@ -50,6 +46,7 @@ framework = "MITRE ATT&CK" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -57,9 +54,7 @@ id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - +reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file diff --git a/rules/promotions/execution_endgame_exploit_prevented.toml b/rules/promotions/execution_endgame_exploit_prevented.toml index 8d924b7e7..b9e85a7bd 100644 --- a/rules/promotions/execution_endgame_exploit_prevented.toml +++ b/rules/promotions/execution_endgame_exploit_prevented.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2020/02/18" maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -29,20 +31,14 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" -tags = [ - "Data Source: Elastic Endgame", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Privilege Escalation", -] -timestamp_override = "event.ingested" +tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"] type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) ''' - [[rule.threat]] framework = "MITRE ATT&CK" 
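Review bot: The new side of the second hunk leaves execution_endgame_exploit_detected.toml without a terminating newline (`\ No newline at end of file` under the re-added `+reference = "https://attack.mitre.org/tactics/TA0004/"`), and the same happens in execution_endgame_exploit_prevented.toml, privilege_escalation_endgame_permission_theft_prevented.toml and privilege_escalation_endgame_process_injection_detected.toml. A missing final newline makes every later edit to these files show a spurious change on the `reference` line and trips tools that expect POSIX text files. End each file with `reference = "https://attack.mitre.org/tactics/TA0004/"` followed by a line break, as the other promotion rules in this diff do.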
@@ -50,6 +46,7 @@ framework = "MITRE ATT&CK" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -57,9 +54,7 @@ id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - +reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file diff --git a/rules/promotions/external_alerts.toml b/rules/promotions/external_alerts.toml index 1eb2d1a0d..8f657c450 100644 --- a/rules/promotions/external_alerts.toml +++ b/rules/promotions/external_alerts.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2020/07/08" maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] @@ -10,15 +12,7 @@ description = """ Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app. """ -index = [ - "apm-*-transaction*", - "traces-apm*", - "auditbeat-*", - "filebeat-*", - "logs-*", - "packetbeat-*", - "winlogbeat-*", -] +index = ["apm-*-transaction*", "traces-apm*", "auditbeat-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"] language = "kuery" license = "Elastic License v2" max_signals = 10000 
@@ -53,25 +47,25 @@ value = ""
 [[rule.severity_mapping]]
 field = "event.severity"
 operator = "equals"
-severity = "low"
 value = "21"
+severity = "low"
 [[rule.severity_mapping]]
 field = "event.severity"
 operator = "equals"
-severity = "medium"
 value = "47"
+severity = "medium"
 [[rule.severity_mapping]]
 field = "event.severity"
 operator = "equals"
-severity = "high"
 value = "73"
+severity = "high"
 [[rule.severity_mapping]]
 field = "event.severity"
 operator = "equals"
-severity = "critical"
 value = "99"
+severity = "critical"
diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml
index 8155bb2f9..caef5f6ab 100644
--- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml
+++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml
@@ -1,14 +1,16 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/05/13"
 promotion = true
-updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link
-in the rule.reference column for additional information.
+Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the
+link in the rule.reference column for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
@@ -30,14 +32,13 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] -timestamp_override = "event.ingested" type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -45,9 +46,9 @@ id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml index 3d28513a5..b9ddee16d 100644 --- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml 
@@ -1,14 +1,16 @@ [metadata] creation_date = "2020/02/18" maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link -in the rule.reference column for additional information. +Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the +link in the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -30,14 +32,13 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] -timestamp_override = "event.ingested" type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -45,9 +46,7 @@ id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml index 2e8870a4b..0a81cdd2f 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml 
+++ b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml @@ -1,14 +1,16 @@ [metadata] creation_date = "2020/02/18" maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the -rule.reference column for additional information. +Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in +the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -30,14 +32,13 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] -timestamp_override = "event.ingested" type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -45,9 +46,7 @@ id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml index 24e914d78..5c4cd362f 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml 
+++ b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml @@ -1,14 +1,16 @@ [metadata] creation_date = "2020/02/18" maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the -rule.reference column for additional information. +Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in +the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -30,14 +32,13 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] -timestamp_override = "event.ingested" type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -45,9 +46,7 @@ id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" - +reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file 
diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml index 1eea20d6f..430a3a2c8 100644 --- a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml @@ -1,14 +1,16 @@ [metadata] creation_date = "2020/02/18" maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/13" promotion = true -updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ -Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the -rule.reference column for additional information. +Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in +the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -30,14 +32,13 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] -timestamp_override = "event.ingested" type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -45,9 +46,7 @@ id = "T1055"
 name = "Process Injection"
 reference = "https://attack.mitre.org/techniques/T1055/"
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
index 8b9651451..3451dafac 100644
--- a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
+++ b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
@@ -1,14 +1,16 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/05/13"
 promotion = true
-updated_date = "2024/05/21"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in
-the rule.reference column for additional information.
+Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link
+in the rule.reference column for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
@@ -30,14 +32,13 @@ To make sure this rule can generate as many alerts as it's configured in its own **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] -timestamp_override = "event.ingested" type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -45,9 +46,7 @@ id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/collection_email_outlook_mailbox_via_com.toml b/rules/windows/collection_email_outlook_mailbox_via_com.toml index 6999edfe0..b035f8891 100644 --- a/rules/windows/collection_email_outlook_mailbox_via_com.toml +++ b/rules/windows/collection_email_outlook_mailbox_via_com.toml 
@@ -2,13 +2,15 @@ creation_date = "2023/01/11" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.4.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] description = """ -Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may -target user email to collect sensitive information or send email on their behalf via API. +Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect +sensitive information or send email on their behalf via API. """ from = "now-9m" index = ["logs-endpoint.events.process*"] @@ -21,13 +23,7 @@ references = [ risk_score = 47 rule_id = "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Collection", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend"] type = "eql" query = ''' 
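Review bot: The rewrapped description in the first hunk puts `Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect` on a single line, far past the ~120-column wrap the other rewrapped descriptions in this diff keep, and the one-line `tags` array in the second hunk has the same problem; the `index` and `tags` arrays of collection_email_powershell_exchange_mailbox.toml and the description of command_and_control_certreq_postdata.toml later in the diff share it. If these files are being restored to a pre-formatter state this is expected churn; otherwise wrap the description as `...from an unusual process. Adversaries may` / `target user email to collect sensitive information or send email on their behalf via API.` and keep the multi-line `tags` form. Note also that `updated_date` moves backwards here (`2024/05/21` to `2024/03/28`), as it does in every metadata hunk of this diff; that is consistent with a revert, but if any of these files also carries an unrelated content change the later date should stay.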
@@ -55,32 +51,34 @@ framework = "MITRE ATT&CK" id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" + [[rule.threat.technique.subtechnique]] id = "T1114.001" name = "Local Email Collection" reference = "https://attack.mitre.org/techniques/T1114/001/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1559" name = "Inter-Process Communication" reference = "https://attack.mitre.org/techniques/T1559/" + [[rule.threat.technique.subtechnique]] id = "T1559.001" name = "Component Object Model" reference = "https://attack.mitre.org/techniques/T1559/001/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml index 28a89c21a..b31607b49 100644 --- a/rules/windows/collection_email_powershell_exchange_mailbox.toml +++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/15" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "SentinelOne integration package minimum version for validation." +min_stack_version = "8.11.0" +updated_date = "2024/05/16" [rule] author = ["Elastic"] 
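Review bot: The blank-line spacing added in the first hunk is inconsistent: two `+` blank lines precede the second `[[rule.threat]]`, a single one precedes `[[rule.threat.technique]]` and each subtechnique table, and the blank that separated `reference` from `[rule.threat.tactic]` is removed under both threats; command_and_control_certreq_postdata.toml later in the diff also gains a double blank before `[[rule.threat]]`. Whichever spacing the repo's rule normaliser emits should be used throughout, since hand-placed blanks will otherwise be rewritten on the next save. Pick one blank line between tables and apply it to all four places in this hunk.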
@@ -12,14 +14,7 @@ mailbox or archive to a .pst file. Adversaries may target user email to collect """ false_positives = ["Legitimate exchange system administration activity."] from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", - "logs-sentinel_one_cloud_funnel.*", -] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Exporting Exchange Mailbox via PowerShell" @@ -79,17 +74,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Collection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"] timestamp_override = "event.ingested" type = "eql" @@ -122,6 +107,7 @@ reference = "https://attack.mitre.org/techniques/T1114/002/" id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml index 83b9dd436..cf05245b6 100644 --- a/rules/windows/collection_posh_audio_capture.toml +++ b/rules/windows/collection_posh_audio_capture.toml 
@@ -2,7 +2,9 @@ creation_date = "2021/10/19" integration = ["windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -73,14 +75,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Collection", - "Resources: Investigation Guide", - "Data Source: PowerShell Logs", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml index 31e807680..b6f3ca45e 100644 --- a/rules/windows/collection_posh_keylogger.toml +++ b/rules/windows/collection_posh_keylogger.toml @@ -2,7 +2,9 @@ creation_date = "2021/10/15" integration = ["windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -78,14 +80,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Collection", - "Resources: Investigation Guide", - "Data Source: PowerShell Logs", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/windows/collection_posh_mailbox.toml b/rules/windows/collection_posh_mailbox.toml index b0ce9e211..55925895e 100644 --- a/rules/windows/collection_posh_mailbox.toml +++ b/rules/windows/collection_posh_mailbox.toml @@ -2,7 +2,9 @@ creation_date = "2023/01/11" integration = ["windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -79,14 +81,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Collection", - "Data Source: PowerShell Logs", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/collection_posh_screen_grabber.toml b/rules/windows/collection_posh_screen_grabber.toml index bf6cba3bc..ac8582774 100644 --- a/rules/windows/collection_posh_screen_grabber.toml +++ b/rules/windows/collection_posh_screen_grabber.toml @@ -2,7 +2,9 @@ creation_date = "2021/10/19" integration = ["windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -74,14 +76,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Collection", - "Resources: Investigation Guide", - "Data Source: PowerShell Logs", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/collection_posh_webcam_video_capture.toml b/rules/windows/collection_posh_webcam_video_capture.toml index 1def216d6..f695abe94 100644 --- a/rules/windows/collection_posh_webcam_video_capture.toml +++ b/rules/windows/collection_posh_webcam_video_capture.toml @@ -2,7 +2,9 @@ creation_date = "2023/07/18" integration = ["windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -15,9 +17,7 @@ index = ["winlogbeat-*", "logs-windows.powershell*"] language = "kuery" license = "Elastic License v2" name = "PowerShell Script with Webcam Video Capture Capabilities" -references = [ - "https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py", -] +references = ["https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py"] risk_score = 47 rule_id = "eb44611f-62a8-4036-a5ef-587098be6c43" setup = """## Setup 
@@ -39,13 +39,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Collection", - "Data Source: PowerShell Logs", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml index 9c69091a8..723a176a9 100644 --- a/rules/windows/collection_winrar_encryption.toml +++ b/rules/windows/collection_winrar_encryption.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/04" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -59,15 +61,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Collection", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -97,11 +91,6 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1005"
-name = "Data from Local System"
-reference = "https://attack.mitre.org/techniques/T1005/"
-
 [[rule.threat.technique]]
 id = "T1560"
 name = "Archive Collected Data"
@@ -111,6 +100,11 @@ id = "T1560.001"
 name = "Archive via Utility"
 reference = "https://attack.mitre.org/techniques/T1560/001/"
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
 [rule.threat.tactic]
diff --git a/rules/windows/command_and_control_certreq_postdata.toml b/rules/windows/command_and_control_certreq_postdata.toml
index ceaf3e4b8..81677f328 100644
--- a/rules/windows/command_and_control_certreq_postdata.toml
+++ b/rules/windows/command_and_control_certreq_postdata.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/01/13"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [transform]
 [[transform.osquery]]
@@ -29,21 +31,13 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
-
 [rule]
 author = ["Elastic"]
 description = """
-Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a
-remote URL.
+Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a remote URL.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential File Transfer via Certreq"
@@ -104,16 +98,7 @@ references = ["https://lolbas-project.github.io/lolbas/Binaries/Certreq/"]
 risk_score = 47
 rule_id = "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Command and Control",
- "Tactic: Exfiltration",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -135,6 +120,8 @@ reference = "https://attack.mitre.org/techniques/T1105/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -147,6 +134,7 @@ reference = "https://attack.mitre.org/techniques/T1218/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -154,7 +142,6 @@ id = "T1567"
 name = "Exfiltration Over Web Service"
 reference = "https://attack.mitre.org/techniques/T1567/"
-
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml
index f294ae465..d7592550d 100644
--- a/rules/windows/command_and_control_common_webservices.toml
+++ b/rules/windows/command_and_control_common_webservices.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/05/10"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
index 0c1b178a3..d16761b8f 100644
--- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml
+++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/11"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ This rule identifies a large number (15) of nslookup.exe executions with an expl
 may indicate command and control activity utilizing the DNS protocol.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential DNS Tunneling via NsLookup"
@@ -66,7 +62,7 @@ tags = [
 "Tactic: Command and Control",
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
+ "Data Source: Elastic Defend"
 ]
 type = "eql"
@@ -88,13 +84,11 @@ id = "T1071.004"
 name = "DNS"
 reference = "https://attack.mitre.org/techniques/T1071/004/"
-
 [[rule.threat.technique]]
 id = "T1572"
 name = "Protocol Tunneling"
 reference = "https://attack.mitre.org/techniques/T1572/"
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
index 798d6db68..de1adf85a 100644
--- a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
+++ b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/04"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -26,14 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/command_and_control_headless_browser.toml b/rules/windows/command_and_control_headless_browser.toml
index f435dd9dd..8c844b616 100644
--- a/rules/windows/command_and_control_headless_browser.toml
+++ b/rules/windows/command_and_control_headless_browser.toml
@@ -2,7 +2,10 @@
 creation_date = "2024/05/10"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/05/10"
+
 [rule]
 author = ["Elastic"]
@@ -11,13 +14,7 @@ Identifies the use of a browser to download a file from a remote URL and from a
 may use browsers to avoid ingress tool transfer restrictions.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential File Download via a Headless Browser"
@@ -49,16 +46,7 @@ references = ["https://lolbas-project.github.io/lolbas/Binaries/Msedge/"]
 risk_score = 73
 rule_id = "5f2f463e-6997-478c-8405-fb41cc283281"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Resources: Investigation Guide",
- "Data Source: Windows",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Windows", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -85,4 +73,3 @@ reference = "https://attack.mitre.org/techniques/T1105/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml
index 794242441..7c6e09480 100644
--- a/rules/windows/command_and_control_iexplore_via_com.toml
+++ b/rules/windows/command_and_control_iexplore_via_com.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/28"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -20,13 +22,7 @@ name = "Potential Command and Control via Internet Explorer"
 risk_score = 47
 rule_id = "acd611f3-2b93-47b3-a0a3-7723bcc46f6d"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"]
 type = "eql"
 query = '''
diff --git a/rules/windows/command_and_control_ingress_transfer_bits.toml b/rules/windows/command_and_control_ingress_transfer_bits.toml
index d0be4efa7..372f5589d 100644
--- a/rules/windows/command_and_control_ingress_transfer_bits.toml
+++ b/rules/windows/command_and_control_ingress_transfer_bits.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/01/13"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [transform]
 [[transform.osquery]]
@@ -29,11 +31,10 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
-
 [rule]
 author = ["Elastic"]
 description = """
-Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS).
+Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS).
 Adversaries could leverage Windows BITS transfer jobs to download remote payloads.
 """
 from = "now-9m"
@@ -114,14 +115,7 @@ references = ["https://attack.mitre.org/techniques/T1197/"]
 risk_score = 21
 rule_id = "f95972d3-c23b-463b-89a8-796b3f369b49"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Command and Control",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -157,6 +151,8 @@ reference = "https://attack.mitre.org/techniques/T1105/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -169,4 +165,3 @@ reference = "https://attack.mitre.org/techniques/T1197/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
index c4ba50200..a317700b8 100644
--- a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
+++ b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/04/03"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
+min_stack_version = "8.4.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -13,17 +15,12 @@ when a process is started whose name or code signature resembles commonly abused
 indicating the host has not seen this RAT process started before within the last 30 days.
 """
 from = "now-9m"
-index = [
- "logs-endpoint.events.process-*",
- "endgame-*",
- "winlogbeat-*",
- "logs-windows.*",
- "logs-system.security*",
-]
+index = ["logs-endpoint.events.process-*", "endgame-*", "winlogbeat-*", "logs-windows.*", "logs-system.security*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "First Time Seen Commonly Abused Remote Access Tool Execution"
-note = """## Triage and analysis
+note = """
+## Triage and analysis
 ### Investigating First Time Seen Commonly Abused Remote Access Tool Execution
@@ -59,20 +56,12 @@ This rule detects when a remote access tool is seen in the environment for the f
 references = [
 "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/",
 "https://attack.mitre.org/techniques/T1219/",
- "https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json",
+ "https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json"
 ]
 risk_score = 47
 rule_id = "6e1a2cc4-d260-11ed-8829-f661ea17fbcc"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml
index 2437a7ded..0db2f71ea 100644
--- a/rules/windows/command_and_control_port_forwarding_added_registry.toml
+++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/25"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "SentinelOne integration package minimum version for validation."
+min_stack_version = "8.11.0"
+updated_date = "2024/05/16"
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ Identifies the creation of a new port forwarding rule. An adversary may abuse th
 segmentation restrictions.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.registry-*",
- "logs-windows.sysmon_operational-*",
- "endgame-*",
- "logs-sentinel_one_cloud_funnel.*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Port Forwarding Rule Addition"
@@ -86,7 +82,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: SentinelOne",
+ "Data Source: SentinelOne"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -112,6 +108,7 @@ reference = "https://attack.mitre.org/techniques/T1572/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -119,7 +116,6 @@ id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml
index c89ed31c6..1499e8c0d 100644
--- a/rules/windows/command_and_control_rdp_tunnel_plink.toml
+++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/10/14"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "SentinelOne integration package minimum version for validation."
+min_stack_version = "8.11.0"
+updated_date = "2024/05/16"
 [rule]
 author = ["Elastic"]
@@ -11,14 +13,7 @@ Identifies potential use of an SSH utility to establish RDP over a reverse SSH T
 enable routing of network packets that would otherwise not reach their intended destination.
 """
 from = "now-9m"
-index = [
- "logs-endpoint.events.process-*",
- "winlogbeat-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
- "logs-sentinel_one_cloud_funnel.*",
-]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Remote Desktop Tunneling Detected"
@@ -77,7 +72,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: SentinelOne",
+ "Data Source: SentinelOne"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -102,6 +97,7 @@ reference = "https://attack.mitre.org/techniques/T1572/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -119,4 +115,3 @@ reference = "https://attack.mitre.org/techniques/T1021/004/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
index 80a061822..1ebdb84c2 100644
--- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
+++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/03"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/03/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
index 96ac992cd..42c16fe3f 100644
--- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
+++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/03"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/03/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml
index 27a223a2d..092dbd69d 100644
--- a/rules/windows/command_and_control_remote_file_copy_powershell.toml
+++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/04/08"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml
index 40905e424..26e228aa9 100644
--- a/rules/windows/command_and_control_remote_file_copy_scripts.toml
+++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/29"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/04/08"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [transform]
 [[transform.osquery]]
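Review bot: The three metadata hunks here (mpcmdrun, powershell, scripts, and the desktopimgdownldr hunk just above them) write the restored keys in a different order from every other rule file in this change: `updated_date` is placed before `min_stack_comments` and `min_stack_version`, while the other files put `updated_date` last. If the repo's rule formatter or metadata sort enforces key order, these four files will churn again on the next formatting pass, and the inconsistency makes the diff harder to eyeball for the one value that actually matters per file (the `min_stack_version`). Suggested order for each of these hunks, matching the rest of the change: `min_stack_comments = "New fields added: required_fields, related_integrations, setup"`, `min_stack_version = "8.3.0"`, `updated_date = "2024/03/28"` (with the file's own date). The `[metadata]` table header these keys belong to is on line 1, outside the hunks.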
@@ -37,12 +39,7 @@ Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) bei
 from a remote destination.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.network-*",
- "logs-endpoint.events.file-*",
- "logs-windows.sysmon_operational-*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.network-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote File Download via Script Interpreter"
@@ -99,16 +96,7 @@ This rule looks for DLLs and executables downloaded using `cscript.exe` or `wscr
 risk_score = 47
 rule_id = "1d276579-3380-4095-ad38-e596a01bc64f"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Tactic: Execution",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 type = "eql"
 query = '''
@@ -132,6 +120,7 @@ reference = "https://attack.mitre.org/techniques/T1105/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/command_and_control_screenconnect_childproc.toml b/rules/windows/command_and_control_screenconnect_childproc.toml
index 0deeef487..6fb210442 100644
--- a/rules/windows/command_and_control_screenconnect_childproc.toml
+++ b/rules/windows/command_and_control_screenconnect_childproc.toml
@@ -2,29 +2,23 @@
 creation_date = "2024/03/27"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "SentinelOne integration package minimum version for validation."
+min_stack_version = "8.11.0"
+updated_date = "2024/05/16"
+
 [rule]
 author = ["Elastic"]
 description = """
-Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate
-execution abusing unauthorized access to the ScreenConnect remote access software.
+Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate execution
+abusing unauthorized access to the ScreenConnect remote access software.
 """
 from = "now-9m"
-index = [
- "logs-endpoint.events.process-*",
- "winlogbeat-*",
- "logs-windows.sysmon_operational-*",
- "logs-system.security*",
- "endgame-*",
- "logs-sentinel_one_cloud_funnel.*",
-]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious ScreenConnect Client Child Process"
-references = [
- "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
-]
+references = ["https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"]
 risk_score = 47
 rule_id = "78de1aeb-5225-4067-b8cc-f4a1de8a8546"
 severity = "medium"
@@ -37,7 +31,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: SentinelOne",
+ "Data Source: SentinelOne"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
index fd34ad33b..d1c62d1fc 100644
--- a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
+++ b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [transform]
 [[transform.osquery]]
@@ -97,14 +99,7 @@ references = [
 risk_score = 73
 rule_id = "22599847-5d13-48cb-8872-5796fee8692b"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
index d7526688a..b5c92ad1e 100644
--- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
+++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/03/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [transform]
 [[transform.osquery]]
@@ -88,9 +90,7 @@ TeamViewer is a remote access and remote control tool used by helpdesks and syst
 - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
-references = [
- "http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html",
-]
+references = ["http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"]
 risk_score = 47
 rule_id = "b25a7df2-120a-4db2-bd3f-3e4b86b24bee"
 setup = """## Setup
@@ -109,7 +109,7 @@ tags = [
 "Tactic: Command and Control",
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
+ "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_adidns_wildcard.toml b/rules/windows/credential_access_adidns_wildcard.toml
index c917c234f..2efd54755 100644
--- a/rules/windows/credential_access_adidns_wildcard.toml
+++ b/rules/windows/credential_access_adidns_wildcard.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/03/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/26"
 [rule]
 author = ["Elastic"]
@@ -11,8 +13,7 @@ Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS,
 replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues, such as wildcard records, mainly because of the default permission (Any authenticated users) to create DNS-named records. Attackers can create wildcard records to redirect traffic that doesn't explicitly match
-records contained in the zone, becoming the Man-in-the-Middle and being able to abuse DNS similarly to LLMNR/NBNS
-spoofing.
+records contained in the zone, becoming the Man-in-the-Middle and being able to abuse DNS similarly to LLMNR/NBNS spoofing.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
@@ -21,7 +22,7 @@ license = "Elastic License v2"
 name = "Potential ADIDNS Poisoning via Wildcard Record Creation"
 references = [
 "https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/",
- "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/adidns-spoofing",
+ "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/adidns-spoofing"
 ]
 risk_score = 73
 rule_id = "8f242ffb-b191-4803-90ec-0f19942e17fd"
@@ -54,7 +55,7 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Credential Access",
 "Data Source: Active Directory",
- "Use Case: Active Directory Monitoring",
+ "Use Case: Active Directory Monitoring"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -73,6 +74,7 @@ name = "Adversary-in-the-Middle"
 reference = "https://attack.mitre.org/techniques/T1557/"
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/windows/credential_access_bruteforce_admin_account.toml b/rules/windows/credential_access_bruteforce_admin_account.toml
index 3fbdbc218..1862372c9 100644
--- a/rules/windows/credential_access_bruteforce_admin_account.toml
+++ b/rules/windows/credential_access_bruteforce_admin_account.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [transform]
 [[transform.osquery]]
@@ -103,13 +105,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"]
 type = "eql"
 query = '''
diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
index 401b9edca..721525683 100644
--- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
+++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [transform]
 [[transform.osquery]]
@@ -107,13 +109,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"]
 type = "eql"
 query = '''
diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
index 008bf363e..ec73c3905 100644
--- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
+++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [transform]
 [[transform.osquery]]
@@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -97,10 +98,10 @@ This rule identifies potential password guessing/brute force activity from a sin
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
 references = [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624",
- "https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity",
- "https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624",
+ "https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity",
+ "https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638",
 ]
 risk_score = 47
 rule_id = "48b6edfc-079d-4907-b43c-baffa243270d"
@@ -109,13 +110,7 @@ setup = """## Setup
 - In some cases the source network address in Windows events 4625/4624 is not populated due to Microsoft logging limitations (examples in the references links). This edge case will break the rule condition and it won't trigger an alert.
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml
index bf5073618..ae6317cf1 100644
--- a/rules/windows/credential_access_cmdline_dump_tool.toml
+++ b/rules/windows/credential_access_cmdline_dump_tool.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ Identifies the execution of known Windows utilities often abused to dump LSASS m
 (NTDS.dit) in preparation for credential access.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Credential Access via Windows Utilities"
@@ -75,7 +71,7 @@ tags = [
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
+ "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -138,6 +134,7 @@ reference = "https://attack.mitre.org/techniques/T1003/003/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
index adeb495cf..c456ca719 100644
--- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
+++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [transform]
 [[transform.osquery]]
@@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
 
-
 [rule]
 author = ["Elastic", "Austin Songer"]
 description = """
@@ -37,13 +38,7 @@ Identifies a copy operation of the Active Directory Domain Database (ntds.dit) o
 Those files contain sensitive information including hashed domain and/or local credentials.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 max_signals = 33
@@ -120,14 +115,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml
index 55c55eb6b..31b2b5283 100644
--- a/rules/windows/credential_access_credential_dumping_msbuild.toml
+++ b/rules/windows/credential_access_credential_dumping_msbuild.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/04/08"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [transform]
 [[transform.osquery]]
@@ -38,12 +40,7 @@ credential management. This technique is sometimes used for credential dumping.
 """
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-endpoint.events.library-*",
- "logs-windows.sysmon_operational-*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Credential Access via Trusted Developer Utility"
@@ -103,16 +100,7 @@ This rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`,
 risk_score = 73
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 type = "eql"
 
 query = '''
@@ -129,6 +117,7 @@ framework = "MITRE ATT&CK"
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1003.002"
 name = "Security Account Manager"
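Review bot: The new `[metadata]` keys in `credential_access_credential_dumping_msbuild.toml` are out of order: `updated_date = "2024/04/08"` is placed before `min_stack_comments`/`min_stack_version`, whereas every other file section in this change orders them `min_stack_comments`, `min_stack_version`, `updated_date`. The same ordering appears in `credential_access_kerberoasting_unusual_process.toml`, and `credential_access_lsass_loaded_susp_dll.toml` moves `integration` below `maturity`, which breaks the sorted key order the other sections keep. Writing the three added lines as `+min_stack_comments = "New fields added: required_fields, related_integrations, setup"`, `+min_stack_version = "8.3.0"`, `+updated_date = "2024/04/08"` would make these sections consistent with the rest of the commit and with what a formatter pass would produce.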
@@ -144,12 +133,11 @@ id = "T1555.004"
 name = "Windows Credential Manager"
 reference = "https://attack.mitre.org/techniques/T1555/004/"
 
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
index 02e0d783a..920ae2202 100644
--- a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
+++ b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
@@ -2,14 +2,16 @@
 creation_date = "2022/12/19"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
+min_stack_version = "8.4.0"
+updated_date = "2024/01/29"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers
-can use the DCSync technique to get credential information of individual accounts or the entire domain, thus
-compromising the entire domain.
+This rule identifies when a User Account starts the Active Directory Replication Process for the first time.
+Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain,
+thus compromising the entire domain.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
@@ -80,16 +82,7 @@ Audit Directory Service Access (Success,Failure) ``` """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Privilege Escalation", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" @@ -104,23 +97,26 @@ event.action:("Directory Service Access" or "object-operation-performed") and ev [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" -name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" -[[rule.threat.technique.subtechnique]] -id = "T1003.006" -name = "DCSync" -reference = "https://attack.mitre.org/techniques/T1003/006/" +name = "OS Credential Dumping" + [[rule.threat.technique.subtechnique]] + id = "T1003.006" + reference = "https://attack.mitre.org/techniques/T1003/006/" + name = "DCSync" [rule.threat.tactic] id = "TA0006" -name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +name = "Credential Access" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -140,8 +136,7 @@ reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["winlog.event_data.SubjectUserName"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-15d" - - diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml index 8fbe4cfa0..d5123d71f 100644 
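Review bot: The rebuilt `[[rule.threat.technique.subtechnique]]` table in `credential_access_dcsync_newterm_subjectuser.toml` is indented under its parent technique and lists `reference` before `name`, and the `[rule.threat.tactic]` table is likewise reordered to put `reference` before `name`; every other threat block in this change keeps its tables flush-left with `id`, `name`, `reference` in that order. The indented form is valid TOML, but it is inconsistent with the sibling files and will be rewritten by the next formatter run. Keeping the keys flush-left as `id = "T1003.006"`, `name = "DCSync"`, `reference = "https://attack.mitre.org/techniques/T1003/006/"` avoids that churn.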
--- a/rules/windows/credential_access_dcsync_replication_rights.toml
+++ b/rules/windows/credential_access_dcsync_replication_rights.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/02/08"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/01/29"
 
 [rule]
 author = ["Elastic"]
@@ -88,7 +90,7 @@ tags = [
 "Tactic: Privilege Escalation",
 "Data Source: Active Directory",
 "Resources: Investigation Guide",
- "Use Case: Active Directory Monitoring",
+ "Use Case: Active Directory Monitoring"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -138,8 +140,11 @@ reference = "https://attack.mitre.org/techniques/T1003/006/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
diff --git a/rules/windows/credential_access_disable_kerberos_preauth.toml b/rules/windows/credential_access_disable_kerberos_preauth.toml
index c181c9b24..0d845d464 100644
--- a/rules/windows/credential_access_disable_kerberos_preauth.toml
+++ b/rules/windows/credential_access_disable_kerberos_preauth.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/24"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -68,17 +70,7 @@ Audit User Account Management (Success,Failure)
 ```
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Tactic: Defense Evasion",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide",
- "Use Case: Active Directory Monitoring",
- "Data Source: Active Directory",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -104,8 +96,11 @@ reference = "https://attack.mitre.org/techniques/T1558/004/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
@@ -116,8 +111,11 @@ reference = "https://attack.mitre.org/techniques/T1562/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
diff --git a/rules/windows/credential_access_dnsnode_creation.toml b/rules/windows/credential_access_dnsnode_creation.toml
index 38220bc91..2f42ee0b8 100644
--- a/rules/windows/credential_access_dnsnode_creation.toml
+++ b/rules/windows/credential_access_dnsnode_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/03/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/26"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +23,7 @@ license = "Elastic License v2"
 name = "Creation of a DNS-Named Record"
 references = [
 "https://www.netspi.com/blog/technical/network-penetration-testing/adidns-revisited/",
- "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wpad-spoofing",
+ "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wpad-spoofing"
 ]
 risk_score = 21
 rule_id = "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc"
@@ -54,7 +56,7 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Credential Access",
 "Data Source: Active Directory",
- "Use Case: Active Directory Monitoring",
+ "Use Case: Active Directory Monitoring"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -74,6 +76,7 @@ name = "Adversary-in-the-Middle"
 reference = "https://attack.mitre.org/techniques/T1557/"
 
 
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
index b1ad6d1b7..6b619d797 100644
--- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
+++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/13"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "SentinelOne integration package minimum version for validation."
+min_stack_version = "8.11.0"
+updated_date = "2024/05/16"
 
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ Identifies the creation or modification of Domain Backup private keys. Adversari
 (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.file-*",
- "logs-windows.sysmon_operational-*",
- "endgame-*",
- "logs-sentinel_one_cloud_funnel.*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Creation or Modification of Domain Backup DPAPI private key"
@@ -40,16 +36,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml
index 4af9d346d..93eeb99a1 100644
--- a/rules/windows/credential_access_dump_registry_hives.toml
+++ b/rules/windows/credential_access_dump_registry_hives.toml
@@ -2,19 +2,15 @@
 creation_date = "2020/11/23"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool."
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Credential Acquisition via Registry Hive Dumping"
@@ -79,7 +75,7 @@ tags = [
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
+ "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_generic_localdumps.toml b/rules/windows/credential_access_generic_localdumps.toml
index 870592447..016c83147 100644
--- a/rules/windows/credential_access_generic_localdumps.toml
+++ b/rules/windows/credential_access_generic_localdumps.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/28"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -26,15 +28,7 @@ references = [
 risk_score = 47
 rule_id = "220be143-5c67-4fdb-b6ce-dd6826d024fd"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
index cfc613548..8bb38df6f 100644
--- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
+++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ Identifies the Internet Information Services (IIS) command-line tool, AppCmd, be
 with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 max_signals = 33
@@ -34,14 +30,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
index cf3046479..6dfa8a0d3 100644
--- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml
+++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -12,13 +14,7 @@ access via a webshell or alike can decrypt and dump any hardcoded connection str
 password using aspnet_regiis command.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 max_signals = 33
@@ -38,14 +34,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml
index 9b74a0938..bf21ea751 100644
--- a/rules/windows/credential_access_kerberoasting_unusual_process.toml
+++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/03/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [transform]
 [[transform.osquery]]
@@ -110,14 +112,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_kirbi_file.toml b/rules/windows/credential_access_kirbi_file.toml
index a1d09edb7..60bbd7857 100644
--- a/rules/windows/credential_access_kirbi_file.toml
+++ b/rules/windows/credential_access_kirbi_file.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/23"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "SentinelOne integration package minimum version for validation."
+min_stack_version = "8.11.0"
+updated_date = "2024/05/16"
 
 [rule]
 author = ["Elastic"]
@@ -12,26 +14,14 @@ Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as P
 attacker to impersonate users using Kerberos tickets.
 """
 from = "now-9m"
-index = [
- "logs-endpoint.events.file-*",
- "logs-windows.sysmon_operational-*",
- "logs-sentinel_one_cloud_funnel.*",
-]
+index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Kirbi File Creation"
 risk_score = 47
 rule_id = "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -53,6 +43,7 @@ name = "Steal or Forge Kerberos Tickets"
 reference = "https://attack.mitre.org/techniques/T1558/"
 
 
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/windows/credential_access_ldap_attributes.toml b/rules/windows/credential_access_ldap_attributes.toml
index 7e9ca44a1..748600024 100644
--- a/rules/windows/credential_access_ldap_attributes.toml
+++ b/rules/windows/credential_access_ldap_attributes.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/11/09"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -39,15 +41,7 @@ Audit Directory Service Access (Success,Failure)
 ```
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Tactic: Privilege Escalation",
- "Use Case: Active Directory Monitoring",
- "Data Source: Active Directory",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -95,12 +89,11 @@ id = "T1552.004"
 name = "Private Keys"
 reference = "https://attack.mitre.org/techniques/T1552/004/"
 
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
index 414ba8656..823684db5 100644
--- a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
+++ b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/06/29"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
+min_stack_version = "8.8.0"
+updated_date = "2024/03/08"
 
 [rule]
 author = ["Elastic"]
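Review bot: The `min_stack_comments` value added to `credential_access_lsass_handle_via_malseclogon.toml`, `"Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."`, is hard to read, in particular the bare `-8.7`. Since this string is the only explanation a maintainer gets for why the rule is pinned to `8.8.0`, it is worth stating plainly; a wording that keeps the same fact is `min_stack_comments = "required_fields is built differently for stack versions <= 8.7 and >= 8.8 because of schema version differences."`.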
@@ -28,13 +30,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_lsass_loaded_susp_dll.toml b/rules/windows/credential_access_lsass_loaded_susp_dll.toml
index dcb0c455c..3a59f2ce8 100644
--- a/rules/windows/credential_access_lsass_loaded_susp_dll.toml
+++ b/rules/windows/credential_access_lsass_loaded_susp_dll.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2022/12/28"
-integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+integration = ["endpoint"]
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +18,10 @@ index = ["logs-endpoint.events.library-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Module Loaded by LSASS"
-references = ["https://blog.xpnsec.com/exploring-mimikatz-part-2/", "https://github.com/jas502n/mimikat_ssp"]
+references = [
+ "https://blog.xpnsec.com/exploring-mimikatz-part-2/",
+ "https://github.com/jas502n/mimikat_ssp"
+]
 risk_score = 47
 rule_id = "3a6001a0-0939-4bbe-86f4-47d8faeb7b97"
 setup = """## Setup
@@ -28,13 +33,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -127,4 +126,3 @@ reference = "https://attack.mitre.org/techniques/T1003/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml
index a982b362c..8fe7c70f1 100644
--- a/rules/windows/credential_access_lsass_memdump_file_created.toml
+++ b/rules/windows/credential_access_lsass_memdump_file_created.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/24"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [transform]
 [[transform.osquery]]
@@ -113,7 +115,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
- "Data Source: Sysmon",
+ "Data Source: Sysmon"
 ]
 timeline_id = "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c"
 timeline_title = "Comprehensive File Timeline"
diff --git a/rules/windows/credential_access_lsass_memdump_handle_access.toml b/rules/windows/credential_access_lsass_memdump_handle_access.toml
index ce971d469..955bd4997 100644
--- a/rules/windows/credential_access_lsass_memdump_handle_access.toml
+++ b/rules/windows/credential_access_lsass_memdump_handle_access.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/02/16"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/23"
 [transform]
 [[transform.osquery]]
@@ -130,14 +132,9 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 `event.ingested` to @timestamp.
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
+
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_lsass_openprocess_api.toml b/rules/windows/credential_access_lsass_openprocess_api.toml
index 7a3135c6e..97c80885a 100644
--- a/rules/windows/credential_access_lsass_openprocess_api.toml
+++ b/rules/windows/credential_access_lsass_openprocess_api.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/03/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: Lsass access events added in Elastic Endpoint 8.7."
+min_stack_version = "8.7.0"
+updated_date = "2024/03/28"
 [transform]
 [[transform.osquery]]
@@ -29,16 +31,18 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
-
 [rule]
 author = ["Elastic"]
-description = "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.\n"
+description = """
+Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.
+"""
 from = "now-9m"
 index = ["logs-endpoint.events.api-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "LSASS Process Access via Windows API"
-note = """## Triage and analysis
+note = """
+## Triage and analysis
 ### Investigating LSASS Process Access via Windows API
@@ -105,14 +109,7 @@ references = ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomic
 risk_score = 47
 rule_id = "ff4599cb-409f-4910-a239-52e4e6f532ff"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Execution", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -180,8 +177,10 @@ reference = "https://attack.mitre.org/techniques/T1003/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1106"
 name = "Native API"
@@ -192,4 +191,3 @@ reference = "https://attack.mitre.org/techniques/T1106/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
index 51290153a..be347be50 100644
--- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
+++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
@@ -2,19 +2,15 @@
 creation_date = "2020/08/31"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "SentinelOne integration package minimum version for validation."
+min_stack_version = "8.11.0"
+updated_date = "2024/05/16"
 [rule]
 author = ["Elastic"]
 description = "Identifies the password log file from the default Mimikatz memssp module."
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.file-*",
- "logs-windows.sysmon_operational-*",
- "endgame-*",
- "logs-sentinel_one_cloud_funnel.*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Mimikatz Memssp Log File Detected"
@@ -80,7 +76,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: SentinelOne",
+ "Data Source: SentinelOne"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml
index 03a0f56c4..512134c1e 100644
--- a/rules/windows/credential_access_mimikatz_powershell_module.toml
+++ b/rules/windows/credential_access_mimikatz_powershell_module.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/07"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -89,14 +91,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Resources: Investigation Guide",
- "Data Source: PowerShell Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml
index 4ae9a8e20..0e64e8c5f 100644
--- a/rules/windows/credential_access_mod_wdigest_security_provider.toml
+++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -85,7 +87,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: Sysmon",
+ "Data Source: Sysmon"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_moving_registry_hive_via_smb.toml b/rules/windows/credential_access_moving_registry_hive_via_smb.toml
index 7c1240d4b..0ab094362 100644
--- a/rules/windows/credential_access_moving_registry_hive_via_smb.toml
+++ b/rules/windows/credential_access_moving_registry_hive_via_smb.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/02/16"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -61,7 +63,7 @@ tags = [
 "Tactic: Lateral Movement",
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
+ "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
index 2a95513aa..94bacc832 100644
--- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
+++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/03/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [transform]
 [[transform.osquery]]
@@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -105,16 +106,7 @@ references = [
 risk_score = 47
 rule_id = "54c3d186-0461-4dc3-9b33-2dc5c7473936"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Credential Access",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_posh_invoke_ninjacopy.toml b/rules/windows/credential_access_posh_invoke_ninjacopy.toml
index 244493da5..1b9c45665 100644
--- a/rules/windows/credential_access_posh_invoke_ninjacopy.toml
+++ b/rules/windows/credential_access_posh_invoke_ninjacopy.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/01/23"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -48,19 +50,12 @@ Invoke-NinjaCopy is a PowerShell script capable of reading SYSTEM files that wer
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
 references = [
- "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1",
+ "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1"
 ]
 risk_score = 47
 rule_id = "b8386923-b02c-4b94-986a-d223d9b01f88"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: PowerShell Logs",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -88,15 +83,16 @@ framework = "MITRE ATT&CK"
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
-[[rule.threat.technique.subtechnique]]
-id = "T1003.002"
-name = "Security Account Manager"
-reference = "https://attack.mitre.org/techniques/T1003/002/"
-[[rule.threat.technique.subtechnique]]
-id = "T1003.003"
-name = "NTDS"
-reference = "https://attack.mitre.org/techniques/T1003/003/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1003.002"
+ name = "Security Account Manager"
+ reference = "https://attack.mitre.org/techniques/T1003/002/"
+
+ [[rule.threat.technique.subtechnique]]
+ id = "T1003.003"
+ name = "NTDS"
+ reference = "https://attack.mitre.org/techniques/T1003/003/"
@@ -104,23 +100,26 @@ reference = "https://attack.mitre.org/techniques/T1003/003/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.001"
-name = "PowerShell"
-reference = "https://attack.mitre.org/techniques/T1059/001/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1059.001"
+ name = "PowerShell"
+ reference = "https://attack.mitre.org/techniques/T1059/001/"
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -128,9 +127,7 @@ id = "T1006"
 name = "Direct Volume Access"
 reference = "https://attack.mitre.org/techniques/T1006/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/credential_access_posh_kerb_ticket_dump.toml b/rules/windows/credential_access_posh_kerb_ticket_dump.toml
index 25c3693ad..f2b68cfab 100644
--- a/rules/windows/credential_access_posh_kerb_ticket_dump.toml
+++ b/rules/windows/credential_access_posh_kerb_ticket_dump.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/07/26"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -60,7 +62,9 @@ This rule indicates the use of scripts that contain code capable of dumping Kerb
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
-references = ["https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1"]
+references = [
+ "https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1",
+]
 risk_score = 47
 rule_id = "fddff193-48a3-484d-8d35-90bb3d323a56"
 setup = """## Setup
@@ -82,13 +86,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: PowerShell Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -121,6 +119,7 @@ name = "Steal or Forge Kerberos Tickets"
 reference = "https://attack.mitre.org/techniques/T1558/"
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml
index 801b74645..f25b14570 100644
--- a/rules/windows/credential_access_posh_minidump.toml
+++ b/rules/windows/credential_access_posh_minidump.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/05"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
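Review bot: The new multi-line `references` array in the `@@ -60,7 +62,9 @@` hunk of credential_access_posh_kerb_ticket_dump.toml keeps a trailing comma (`"https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1",` directly before `]`), while the same commit strips trailing commas from the comparable arrays it touches — the `references` lists in credential_access_lsass_loaded_susp_dll.toml and credential_access_posh_veeam_sql.toml and every reflowed `tags` array. Both forms are valid TOML, but mixing them within one commit invites another round of formatter churn. I would either drop the comma here, `"https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1"`, or keep trailing commas consistently across the rule files.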
@@ -78,14 +80,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Resources: Investigation Guide",
- "Data Source: PowerShell Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/credential_access_posh_relay_tools.toml b/rules/windows/credential_access_posh_relay_tools.toml
index 6b8c1c203..f3bf6ee05 100644
--- a/rules/windows/credential_access_posh_relay_tools.toml
+++ b/rules/windows/credential_access_posh_relay_tools.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/03/27"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/27"
 [rule]
 author = ["Elastic"]
@@ -20,7 +22,7 @@ references = [
 "https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBExec.ps1",
 "https://github.com/dafthack/Check-LocalAdminHash/blob/master/Check-LocalAdminHash.ps1",
 "https://github.com/nettitude/PoshC2/blob/master/resources/modules/Invoke-Tater.ps1",
- "https://github.com/Kevin-Robertson/Inveigh/blob/master/Inveigh.ps1",
+ "https://github.com/Kevin-Robertson/Inveigh/blob/master/Inveigh.ps1"
 ]
 risk_score = 47
 rule_id = "951779c2-82ad-4a6c-82b8-296c1f691449"
@@ -43,14 +45,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Resources: Investigation Guide",
- "Data Source: PowerShell Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -75,10 +70,12 @@ name = "Adversary-in-the-Middle"
 reference = "https://attack.mitre.org/techniques/T1557/"
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -96,6 +93,7 @@ reference = "https://attack.mitre.org/techniques/T1059/001/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml
index 1e24dacaf..02d8a9a58 100644
--- a/rules/windows/credential_access_posh_request_ticket.toml
+++ b/rules/windows/credential_access_posh_request_ticket.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/24"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -74,14 +76,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Resources: Investigation Guide",
- "Data Source: PowerShell Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/credential_access_posh_veeam_sql.toml b/rules/windows/credential_access_posh_veeam_sql.toml
index e7be3dd4e..742e90e81 100644
--- a/rules/windows/credential_access_posh_veeam_sql.toml
+++ b/rules/windows/credential_access_posh_veeam_sql.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/03/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/14"
 [rule]
 author = ["Elastic"]
@@ -16,8 +18,8 @@ language = "kuery"
 license = "Elastic License v2"
 name = "PowerShell Script with Veeam Credential Access Capabilities"
 references = [
- "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html",
- "https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/",
+ "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html",
+ "https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/"
 ]
 risk_score = 47
 rule_id = "5c602cba-ae00-4488-845d-24de2b6d8055"
@@ -40,13 +42,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: PowerShell Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -68,13 +64,13 @@ framework = "MITRE ATT&CK"
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
-
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
index f62f2f7b3..86ab80c45 100644
--- a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
+++ b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/09/27"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
+min_stack_version = "8.8.0"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -27,13 +29,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
index 7198111d2..88573df52 100644
--- a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
+++ b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/04/30"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ Identifies attempt to coerce a local NTLM authentication via HTTP using the Wind
 An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Local NTLM Relay via HTTP"
@@ -29,15 +25,7 @@ references = [
 risk_score = 73
 rule_id = "4682fd2c-cfae-47ed-a543-9bed37657aa6"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion","Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -65,6 +53,7 @@ reference = "https://attack.mitre.org/techniques/T1212/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -76,8 +65,6 @@ id = "T1218.011"
 name = "Rundll32"
 reference = "https://attack.mitre.org/techniques/T1218/011/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/credential_access_remote_sam_secretsdump.toml b/rules/windows/credential_access_remote_sam_secretsdump.toml
index f3fde2b08..7219cc88b 100644
--- a/rules/windows/credential_access_remote_sam_secretsdump.toml
+++ b/rules/windows/credential_access_remote_sam_secretsdump.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/03/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -74,7 +76,7 @@ tags = [
 "Tactic: Lateral Movement",
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
+ "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_saved_creds_vault_winlog.toml b/rules/windows/credential_access_saved_creds_vault_winlog.toml
index 0516afe26..73620d2f3 100644
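Review bot: The reflowed `tags` line in the `@@ -29,15 +25,7 @@` hunk of credential_access_relay_ntlm_auth_via_http_spoolss.toml is missing the space after the comma in `"Tactic: Defense Evasion","Data Source: Elastic Endgame"`. It is still valid TOML and the rule loads the same, but it is the only single-line tags array in this diff whose separators are not a uniform `", "`, so it will show up as a spurious change the next time the files are reformatted. I would write `"Tactic: Defense Evasion", "Data Source: Elastic Endgame"` to match the sibling hunks.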
--- a/rules/windows/credential_access_saved_creds_vault_winlog.toml
+++ b/rules/windows/credential_access_saved_creds_vault_winlog.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml
index 51f4b0da8..ac77a824e 100644
--- a/rules/windows/credential_access_saved_creds_vaultcmd.toml
+++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -12,13 +14,7 @@ applications, and networks. An adversary may abuse this to list or dump credenti
 saved usernames and passwords. This may also be performed in preparation of lateral movement.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Searching for Saved Credentials via VaultCmd"
@@ -38,14 +34,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
index 14298cfb5..85a166a85 100644
--- a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
+++ b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/27"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -83,7 +85,7 @@ tags = [
 "Tactic: Persistence",
 "Data Source: Active Directory",
 "Resources: Investigation Guide",
- "Use Case: Active Directory Monitoring",
+ "Use Case: Active Directory Monitoring"
 ]
 timestamp_override = "event.ingested"
 type = "query"
@@ -96,24 +98,24 @@ event.action:"Authorization Policy Change" and event.code:4704 and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1558"
 name = "Steal or Forge Kerberos Tickets"
 reference = "https://attack.mitre.org/techniques/T1558/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml
index 80289225b..ae9a46865 100644
--- a/rules/windows/credential_access_shadow_credentials.toml
+++ b/rules/windows/credential_access_shadow_credentials.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/26"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -85,15 +87,7 @@ Set-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType W
 ```
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Active Directory",
- "Resources: Investigation Guide",
- "Use Case: Active Directory Monitoring",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml
index 08e8f50ed..0825930bd 100644
--- a/rules/windows/credential_access_spn_attribute_modified.toml
+++ b/rules/windows/credential_access_spn_attribute_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/02/22"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -91,7 +93,7 @@ tags = [
 "Tactic: Credential Access",
 "Data Source: Active Directory",
 "Resources: Investigation Guide",
- "Use Case: Active Directory Monitoring",
+ "Use Case: Active Directory Monitoring"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
index 405ac2ab0..5329acd6e 100644
--- a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
+++ b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [transform]
 [[transform.osquery]]
@@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -113,14 +114,7 @@ You will need to enable logging of ImageLoads in your Sysmon configuration to in
 File Name.
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Tactic: Defense Evasion",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Sysmon"]
 type = "eql"
 query = '''
@@ -151,6 +145,7 @@ reference = "https://attack.mitre.org/techniques/T1003/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/credential_access_suspicious_lsass_access_generic.toml b/rules/windows/credential_access_suspicious_lsass_access_generic.toml
index c01731dfb..97598b094 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_generic.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_generic.toml
@@ -2,11 +2,15 @@
 creation_date = "2023/01/22"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
+min_stack_version = "8.8.0"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
-description = "Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.\n"
+description = """
+Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.
+"""
 from = "now-9m"
 index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
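Review bot: The new triple-quoted `description` in the lsass_access_generic metadata hunk carries over the comma splice and the mixed `LSASS`/`Lsass` spelling from the single-line form it replaces: `Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.` Since the line is being rewritten anyway, this is the moment to fix the wording that analysts see on the alert, e.g. `Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.` The rest of the rule body (query, threat mapping) is outside this hunk.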
@@ -24,13 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -79,4 +77,3 @@ reference = "https://attack.mitre.org/techniques/T1003/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
index ad39fc43c..9aeda8961 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/07"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
+min_stack_version = "8.8.0"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -30,14 +32,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Tactic:Execution",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic:Execution", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -74,8 +69,10 @@ reference = "https://attack.mitre.org/techniques/T1003/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1106"
 name = "Native API"
diff --git a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
index 7b152155c..6d82c6c07 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
+min_stack_version = "8.8.0"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
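Review bot: The rewritten `tags` line of the lsass_access_memdump rule keeps `"Tactic:Execution"` without the space after the colon, while every other tactic tag in this diff uses the `"Tactic: <name>"` form (for example `"Tactic: Credential Access"` on the same line and `"Tactic: Execution"` in the console-history rule below), so anything that groups or filters rules by the `Tactic: ` prefix will silently miss this one. The value is carried over from the removed multi-line array rather than introduced here, but since the line is being rewritten anyway it is the cheapest moment to correct it: `"Tactic:Execution"` → `"Tactic: Execution"`. If the repo's tag validation does not already reject this, that is presumably worth a test of its own.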
@@ -28,13 +30,7 @@ This is meant to run only on datasources using Elastic Agent 7.14+ since version
 rule cardinality feature.
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "threshold"
diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
index 0e25e99f8..6e9b8c90f 100644
--- a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
+++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/02/16"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -82,16 +84,7 @@ Special Logon (Success)
 ```
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Tactic: Credential Access",
- "Resources: Investigation Guide",
- "Use Case: Active Directory Monitoring",
- "Data Source: Active Directory",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Credential Access", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"]
 type = "eql"
 query = '''
@@ -122,7 +115,6 @@ name = "LSA Secrets"
 reference = "https://attack.mitre.org/techniques/T1003/004/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
index 3178c34a6..f53f4c36a 100644
--- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
+++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/12/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -12,13 +14,7 @@ copy, including sensitive files such as ntds.dit, System Boot Key and browser of
 """
 false_positives = ["Legitimate administrative activity related to shadow copies."]
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Symbolic Link to Shadow Copy Created"
@@ -102,7 +98,7 @@ tags = [
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
+ "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -136,7 +132,6 @@ name = "NTDS"
 reference = "https://attack.mitre.org/techniques/T1003/003/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/windows/credential_access_veeam_backup_dll_imageload.toml b/rules/windows/credential_access_veeam_backup_dll_imageload.toml
index c22dbdbcc..e34bf9c6e 100644
--- a/rules/windows/credential_access_veeam_backup_dll_imageload.toml
+++ b/rules/windows/credential_access_veeam_backup_dll_imageload.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/03/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -19,13 +21,7 @@ name = "Veeam Backup Library Loaded by Unusual Process"
 risk_score = 47
 rule_id = "aaab30ec-b004-4191-95e1-4a14387ef6a6"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -46,13 +42,13 @@ framework = "MITRE ATT&CK"
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
-
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/windows/credential_access_veeam_commands.toml b/rules/windows/credential_access_veeam_commands.toml
index e1f9cda03..5ca51f713 100644
--- a/rules/windows/credential_access_veeam_commands.toml
+++ b/rules/windows/credential_access_veeam_commands.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/03/14"
 integration = ["windows", "endpoint", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/14"
 [rule]
 author = ["Elastic"]
@@ -11,29 +13,17 @@ Identifies commands that can access and decrypt Veeam credentials stored in MSSQ
 Credentials to target backups as part of destructive operations such as Ransomware attacks.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Veeam Credential Access Command"
-references = ["https://thedfirreport.com/2021/12/13/diavol-ransomware/"]
+references = [
+ "https://thedfirreport.com/2021/12/13/diavol-ransomware/"
+]
 risk_score = 47
 rule_id = "b661f86d-1c23-4ce7-a59e-2edbdba28247"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Credential Access",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -53,13 +43,13 @@ framework = "MITRE ATT&CK"
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
-
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
diff --git a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
index a91ceeef2..52f0314e2 100644
--- a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
+++ b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
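Review bot: In the veeam_commands hunk the single-element `references` array is expanded to one element per line while, a few lines away in the same hunk, `index` and `tags` are collapsed from one element per line to a single line, so the file ends up carrying both conventions side by side. This looks like a byte-for-byte restore of the pre-formatter state of the file rather than a deliberate choice; if so, it is worth saying in the commit description, and otherwise one form should be picked, e.g. `references = ["https://thedfirreport.com/2021/12/13/diavol-ransomware/"]` to match the collapsed `index`/`tags`, so the next formatting pass does not flip these lines back and pollute the rule's change history. The rule's query and threat mapping are outside this hunk.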
@@ -2,7 +2,9 @@
 creation_date = "2021/11/27"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -32,13 +34,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_wireless_creds_dumping.toml b/rules/windows/credential_access_wireless_creds_dumping.toml
index a119ff108..f8e76dc7d 100644
--- a/rules/windows/credential_access_wireless_creds_dumping.toml
+++ b/rules/windows/credential_access_wireless_creds_dumping.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/11/01"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [transform]
 [[transform.osquery]]
@@ -34,13 +36,7 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
 author = ["Elastic"]
 description = "Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh."
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Wireless Credential Dumping using Netsh Command"
@@ -100,7 +96,7 @@ tags = [
 "Tactic: Discovery",
 "Data Source: Elastic Endgame",
 "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
+ "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
index d11eb4a92..131316e93 100644
--- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
+++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [transform]
 [[transform.osquery]]
@@ -29,18 +31,11 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
-
 [rule]
 author = ["Elastic"]
 description = "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection."
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Adding Hidden File Attribute via Attrib"
@@ -100,16 +95,7 @@ This rule looks for the execution of the `attrib.exe` utility with a command lin
 risk_score = 21
 rule_id = "4630d948-40d4-4cef-ac69-4002e29bc3db"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Persistence",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
 timeline_title = "Comprehensive Process Timeline"
 timestamp_override = "event.ingested"
@@ -124,16 +110,6 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1222"
-name = "File and Directory Permissions Modification"
-reference = "https://attack.mitre.org/techniques/T1222/"
-[[rule.threat.technique.subtechnique]]
-id = "T1222.001"
-name = "Windows File and Directory Permissions Modification"
-reference = "https://attack.mitre.org/techniques/T1222/001/"
-
-
 [[rule.threat.technique]]
 id = "T1564"
 name = "Hide Artifacts"
@@ -143,6 +119,15 @@ id = "T1564.001"
 name = "Hidden Files and Directories"
 reference = "https://attack.mitre.org/techniques/T1564/001/"
+[[rule.threat.technique]]
+id = "T1222"
+name = "File and Directory Permissions Modification"
+reference = "https://attack.mitre.org/techniques/T1222/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1222.001"
+name = "Windows File and Directory Permissions Modification"
+reference = "https://attack.mitre.org/techniques/T1222/001/"
 [rule.threat.tactic]
diff --git a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
index 3ffb21410..8d05f7533 100644
--- a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
+++ b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/01/17"
 integration = ["windows", "endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "SentinelOne integration package minimum version for validation."
+min_stack_version = "8.11.0"
+updated_date = "2024/05/16"
 [transform]
 [[transform.osquery]]
@@ -37,13 +39,7 @@ Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusu
 attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.file-*",
- "logs-windows.sysmon_operational-*",
- "endgame-*",
- "logs-sentinel_one_cloud_funnel.*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Antimalware Scan Interface DLL"
@@ -108,7 +104,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: SentinelOne",
+ "Data Source: SentinelOne"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_amsi_bypass_powershell.toml b/rules/windows/defense_evasion_amsi_bypass_powershell.toml
index 09965632f..426c4af72 100644
--- a/rules/windows/defense_evasion_amsi_bypass_powershell.toml
+++ b/rules/windows/defense_evasion_amsi_bypass_powershell.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/01/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [transform]
 [[transform.osquery]]
@@ -97,14 +99,7 @@ references = ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"]
 risk_score = 73
 rule_id = "1f0a69c0-3392-4adf-b7d5-6012fd292da8"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: PowerShell Logs",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml
index c4c9d6463..179b65d04 100644
--- a/rules/windows/defense_evasion_amsienable_key_mod.toml
+++ b/rules/windows/defense_evasion_amsienable_key_mod.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/06/01"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -88,7 +90,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: Sysmon",
+ "Data Source: Sysmon"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -106,11 +108,6 @@ registry where host.os.type == "windows" and event.type in ("creation", "change"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1112"
-name = "Modify Registry"
-reference = "https://attack.mitre.org/techniques/T1112/"
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
@@ -120,6 +117,10 @@ id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
+[[rule.threat.technique]]
+id = "T1112"
+name = "Modify Registry"
+reference = "https://attack.mitre.org/techniques/T1112/"
 [rule.threat.tactic]
diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml
index 02cf01896..655e82fbc 100644
--- a/rules/windows/defense_evasion_clearing_windows_console_history.toml
+++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/11/22"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Austin Songer"]
@@ -11,13 +13,7 @@ Identifies when a user attempts to clear console history. An adversary may clear
 account to conceal the actions undertaken during an intrusion.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Clearing Windows Console History"
@@ -76,7 +72,7 @@ tags = [
 "Tactic: Execution",
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
+ "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -107,6 +103,8 @@ reference = "https://attack.mitre.org/techniques/T1070/003/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
index 4f102d07c..57e7f0489 100644
--- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ Identifies attempts to clear or disable Windows event log stores using Windows w
 attackers in an attempt to evade detection or destroy forensic evidence on a system.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Clearing Windows Event Logs"
@@ -71,7 +67,7 @@ tags = [
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
+ "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -108,7 +104,6 @@ name = "Disable Windows Event Logging"
 reference = "https://attack.mitre.org/techniques/T1562/002/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
index 00c645b62..d3107aaac 100644
--- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/12"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/12/14"
 [rule]
 author = ["Elastic", "Anabella Cristaldi"]
@@ -49,13 +51,7 @@ This rule looks for the occurrence of clear actions on the `security` event log.
 risk_score = 21
 rule_id = "45ac4800-840f-414c-b221-53dd36a5aaf7"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
index 6ab65745a..6115b3c49 100644
--- a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
+++ b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
@@ -2,41 +2,32 @@ creation_date = "2023/01/31" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] label = "Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link" query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, -issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = -authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1") +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1") """ [[transform.osquery]] label = "Osquery - Retrieve All Unsigned Drivers with Virustotal Link" query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, -issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = -authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0" +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0" """ - [rule] author = ["Elastic"] description = """ -Identifies attempts to disable/modify the code signing policy through system native utilities. 
Code signing provides -authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By -allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code. +Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides +authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. +By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Code Signing Policy Modification Through Built-in tools" @@ -98,7 +89,7 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", - "Data Source: Elastic Defend", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" @@ -109,7 +100,6 @@ process where host.os.type == "windows" and event.type == "start" and process.args: ("TESTSIGNING", "nointegritychecks", "loadoptions", "DISABLE_INTEGRITY_CHECKS") ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -127,4 +117,3 @@ reference = "https://attack.mitre.org/techniques/T1553/006/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml index e78e90576..83818ee7c 100644 --- a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml 
+++ b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml 
@@ -2,32 +2,29 @@ creation_date = "2023/01/31" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] label = "Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link" query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, -issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = -authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1") +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1") """ [[transform.osquery]] label = "Osquery - Retrieve All Unsigned Drivers with Virustotal Link" query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, -issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = -authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0" +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0" """ - [rule] author = ["Elastic"] description = """ Identifies attempts to disable the code signing policy through the registry. 
Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the -execution of unsigned or self-signed code, threat actors can craft and execute malicious code. +execution of unsigned or self-signed code, threat actors can craft and execute malicious code. """ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"] @@ -93,7 +90,7 @@ tags = [ "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", - "Data Source: Sysmon", + "Data Source: Sysmon" ] timestamp_override = "event.ingested" type = "eql" @@ -111,14 +108,8 @@ registry where host.os.type == "windows" and event.type : ("creation", "change") ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - [[rule.threat.technique]] id = "T1553" name = "Subvert Trust Controls" @@ -128,10 +119,12 @@ id = "T1553.006" name = "Code Signing Policy Modification" reference = "https://attack.mitre.org/techniques/T1553/006/" - +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml index dab7b4aa1..e04efcaf0 100644 --- a/rules/windows/defense_evasion_create_mod_root_certificate.toml +++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml 
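Review bot: The rewritten last line of the registry rule's description differs from the removed line only by a trailing space: `+execution of unsigned or self-signed code, threat actors can craft and execute malicious code. ` is otherwise identical to the `-` line above it, so the hunk introduces whitespace-only churn inside a string literal. Drop the trailing space so the line reads `execution of unsigned or self-signed code, threat actors can craft and execute malicious code.` and the change disappears. Moving the T1112 technique after the T1553 sub-technique is fine, but the new `[[rule.threat.technique]]` header is inserted directly after `reference = "https://attack.mitre.org/techniques/T1553/006/"` with the separating blank line removed, while the same relocation in defense_evasion_dns_over_https_enabled.toml later in this chunk keeps a blank line; one blank line before the header would keep the files consistent.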
@@ -2,7 +2,9 @@ creation_date = "2021/02/01" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -85,7 +87,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: Sysmon", + "Data Source: Sysmon" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_cve_2020_0601.toml b/rules/windows/defense_evasion_cve_2020_0601.toml index c4c34892c..1a8d0b4c3 100644 --- a/rules/windows/defense_evasion_cve_2020_0601.toml +++ b/rules/windows/defense_evasion_cve_2020_0601.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/19" integration = ["windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -18,13 +20,7 @@ name = "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)" risk_score = 21 rule_id = "56557cde-d923-4b88-adee-c61b3f3b5dc3" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Use Case: Vulnerability", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Use Case: Vulnerability"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml index 7e37b32b7..692f95c45 100644 --- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/12/23" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -72,7 +74,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: Sysmon", + "Data Source: Sysmon" ] timestamp_override = "event.ingested" type = "eql" @@ -109,11 +111,6 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" @@ -128,6 +125,10 @@ id = "T1562.006" name = "Indicator Blocking" reference = "https://attack.mitre.org/techniques/T1562/006/" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" [rule.threat.tactic] diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml index b85e2970d..5153f7fac 100644 --- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml +++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml @@ -2,7 +2,9 @@ creation_date = "2021/07/20" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -11,13 +13,7 @@ Identifies modifications to the Windows Defender configuration settings using Po directory or process level. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Windows Defender Exclusions Added via PowerShell" @@ -89,7 +85,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml index d124e4493..d5f5f8371 100644 --- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml +++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -11,13 +13,7 @@ Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is of files created during post-exploitation activities. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Delete Volume USN Journal with Fsutil" 
@@ -56,15 +52,7 @@ Consider using the Elastic Defend integration instead of USN Journal, as the Ela risk_score = 21 rule_id = "f675872f-6d85-40a3-b502-c0d2ef101e92" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_disable_nla.toml b/rules/windows/defense_evasion_disable_nla.toml index 0ce5ab808..3097f5234 100644 --- a/rules/windows/defense_evasion_disable_nla.toml +++ b/rules/windows/defense_evasion_disable_nla.toml 
@@ -2,16 +2,17 @@ creation_date = "2023/08/25" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] description = """ -Identifies the attempt to disable Network-Level Authentication (NLA) via registry modification. Network Level -Authentication (NLA) is a feature on Windows that provides an extra layer of security for Remote Desktop (RDP) -connections, as it requires users to authenticate before allowing a full RDP session. Attackers can disable NLA to -enable persistence methods that require access to the Windows sign-in screen without authenticating, such as -Accessibility Features persistence methods, like Sticky Keys. +Identifies the attempt to disable Network-Level Authentication (NLA) via registry modification. Network Level Authentication (NLA) is a feature on Windows +that provides an extra layer of security for Remote Desktop (RDP) connections, as it requires users to authenticate +before allowing a full RDP session. Attackers can disable NLA to enable persistence methods that require access to the +Windows sign-in screen without authenticating, such as Accessibility Features persistence methods, like Sticky Keys. """ from = "now-9m" index = ["logs-endpoint.events.registry-*", "endgame-*"] @@ -24,14 +25,7 @@ references = [ risk_score = 21 rule_id = "db65f5ba-d1ef-4944-b9e8-7e51060c2b42" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" 
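Review bot: The rewrapped description's first line, `Identifies the attempt to disable Network-Level Authentication (NLA) via registry modification. Network Level Authentication (NLA) is a feature on Windows`, is noticeably longer than every other description line in this chunk, which appear to wrap near 120 columns, and the wrapping being removed was already within that width. Unless the rewrap is intentional, keeping the removed line breaks (or breaking after `modification.`) keeps the file consistent with its neighbours. The text itself is unchanged, so this is a style point only.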
diff --git a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml index 1a44c9d57..1cd8b9166 100644 --- a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml +++ b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml @@ -2,7 +2,9 @@ creation_date = "2022/01/31" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -69,7 +71,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: Sysmon", + "Data Source: Sysmon" ] timestamp_override = "event.ingested" type = "eql" @@ -85,11 +87,6 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" @@ -99,6 +96,10 @@ id = "T1562.002" name = "Disable Windows Event Logging" reference = "https://attack.mitre.org/techniques/T1562/002/" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" [rule.threat.tactic] diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml index c99887329..9cf70208d 100644 --- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml +++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -11,13 +13,7 @@ Identifies use of the netsh.exe to disable or weaken the local firewall. Attacke disable the firewall during troubleshooting or to enable network mobility. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Disable Windows Firewall Rules via Netsh" @@ -69,7 +65,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml index 9474e98a6..aaf6ed107 100644 --- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml +++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml 
@@ -2,20 +2,16 @@ creation_date = "2021/07/07" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] description = "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings." false_positives = ["Planned Windows Defender configuration changes."] from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Disabling Windows Defender Security Settings via PowerShell" @@ -78,7 +74,7 @@ tags = [ "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" @@ -110,6 +106,7 @@ reference = "https://attack.mitre.org/techniques/T1562/001/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml index a94a693fc..88f47c921 100644 --- a/rules/windows/defense_evasion_disabling_windows_logs.toml +++ b/rules/windows/defense_evasion_disabling_windows_logs.toml 
@@ -2,7 +2,9 @@ creation_date = "2021/05/06" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic", "Ivan Ninichuck", "Austin Songer"] @@ -11,13 +13,7 @@ Identifies attempts to disable EventLog via the logman Windows utility, PowerShe attackers in an attempt to evade detection on a system. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Disable Windows Event and Security Logs Using Built-in Tools" @@ -74,7 +70,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" @@ -110,6 +106,7 @@ reference = "https://attack.mitre.org/techniques/T1070/001/" id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.002" name = "Disable Windows Event Logging" diff --git a/rules/windows/defense_evasion_dns_over_https_enabled.toml b/rules/windows/defense_evasion_dns_over_https_enabled.toml index b86746d1b..a209f05fa 100644 --- a/rules/windows/defense_evasion_dns_over_https_enabled.toml +++ b/rules/windows/defense_evasion_dns_over_https_enabled.toml 
@@ -2,7 +2,9 @@ creation_date = "2021/07/22" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Austin Songer"] @@ -31,15 +33,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -56,16 +50,16 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] id = "TA0005" diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml index f1c529bde..d27ad7f98 100644 --- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml +++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml 
@@ -2,22 +2,18 @@ creation_date = "2020/08/21" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] description = """ -Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt to -compile code after delivery in order to bypass security mechanisms. +Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt +to compile code after delivery in order to bypass security mechanisms. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Suspicious .NET Code Compilation" @@ -32,15 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -68,6 +56,8 @@ reference = "https://attack.mitre.org/techniques/T1027/004/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml index ef508310c..31981e2ba 100644 --- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml +++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml @@ -2,7 +2,9 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -11,13 +13,7 @@ Identifies use of the network shell utility (netsh.exe) to enable inbound Remote the Windows Firewall. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Remote Desktop Enabled in Windows Firewall by Netsh" @@ -75,7 +71,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml index 55e86511a..a55b407c5 100644 --- a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml +++ b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml 
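Review bot: Two blank lines are added before the second `[[rule.threat]]` table in this hunk, whereas the equivalent hunk in defense_evasion_disabling_windows_defender_powershell.toml earlier in this chunk adds one. A single blank line is enough to separate the tables; replace the two added blank lines with one so the two files agree. TOML ignores the extra line, so this is formatting only.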
@@ -2,7 +2,9 @@ creation_date = "2021/07/07" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -12,13 +14,7 @@ tool to weaken the host firewall settings. """ false_positives = ["Host Windows Firewall planned system administration changes."] from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Enable Host Network Discovery via Netsh" @@ -71,7 +67,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml index 4a9253a1d..e0a6b81cd 100644 --- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml +++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml @@ -2,7 +2,9 @@ creation_date = "2021/09/08" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -11,13 +13,7 @@ Identifies unusual instances of Control Panel with suspicious keywords or paths Adversaries may abuse control.exe to proxy execution of malicious code. """ from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Control Panel Process with Unusual Arguments" @@ -33,15 +29,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml index 08bbbf5ab..ffffa6b44 100644 --- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml +++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml @@ -2,7 +2,9 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] 
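Review bot: The `tags` array in this hunk is rewritten in a third layout, `tags = ["Domain: Endpoint",` followed by indented entries and a closing `  ]` on its own indented line with no trailing comma, which matches neither the one-entry-per-line form the hunk removes nor the single-line form this same change uses for `tags` in the other rule files of the chunk (for example defense_evasion_delete_volume_usn_journal_with_fsutil.toml). The same layout appears in defense_evasion_execution_lolbas_wuauclt.toml and defense_evasion_execution_msbuild_started_by_script.toml later in this chunk. If the single-line form is the target style, these three should be collapsed the same way, e.g. `tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]`; otherwise the indentation looks hand-edited and is likely to be rewritten by whatever formatter produced the single-line arrays.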
@@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ @@ -37,13 +38,7 @@ Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load as a defense evasion technique to blend-in malicious activity with legitimate Windows software. """ from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "ImageLoad via Windows Update Auto Update Client" @@ -110,15 +105,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" timeline_title = "Comprehensive Process Timeline" timestamp_override = "event.ingested" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml index 0eae0465c..3db2d9399 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -17,13 +19,7 @@ false_positives = [ """, ] from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Microsoft Build Engine Started by an Office Application" @@ -97,7 +93,7 @@ tags = [ "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml index 254454f01..865691b85 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -27,14 +29,13 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -45,26 +46,26 @@ host.os.type:windows and event.category:process and event.type:start and ( "wscript.exe" or "mshta.exe") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -73,12 +74,10 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" 
@@ -94,8 +93,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.name", "process.command_line"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml index 5ff9a093d..23ac00853 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -12,13 +14,7 @@ Instrumentation) subsystem. This behavior is unusual and is sometimes used by ma """ false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."] from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Microsoft Build Engine Started by a System Process" 
@@ -33,15 +29,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml index 4be383084..ce9964174 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] @@ -112,7 +114,7 @@ tags = [ "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", - "Data Source: Sysmon", + "Data Source: Sysmon" ] timestamp_override = "event.ingested" type = "eql" @@ -135,7 +137,6 @@ id = "T1036.003" name = "Rename System Utilities" reference = "https://attack.mitre.org/techniques/T1036/003/" - [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" 
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml index 2ad746055..2a3f2bad3 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -33,14 +35,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] + timestamp_override = "event.ingested" type = "new_terms" @@ -49,19 +51,19 @@ host.os.type:windows and event.category:process and event.type:start and process process.name:("csc.exe" or "iexplore.exe" or "powershell.exe") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" + [[rule.threat.technique.subtechnique]] id = "T1027.004" name = "Compile After Delivery" reference = "https://attack.mitre.org/techniques/T1027/004/" - [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" 
@@ -81,8 +83,7 @@ reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.name"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml index 098ce0487..0cf09edbc 100644 --- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml +++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/03" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -27,16 +29,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml index 0b2228e76..974b024e3 100644 --- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml 
+++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml @@ -2,7 +2,9 @@ creation_date = "2021/07/07" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic", "Dennis Perto"] @@ -31,16 +33,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml index e93afa811..570460585 100644 --- a/rules/windows/defense_evasion_file_creation_mult_extension.toml +++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml @@ -2,7 +2,9 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -27,15 +29,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_from_unusual_directory.toml b/rules/windows/defense_evasion_from_unusual_directory.toml index 2c1f7f329..4abc04cab 100644 --- a/rules/windows/defense_evasion_from_unusual_directory.toml +++ b/rules/windows/defense_evasion_from_unusual_directory.toml @@ -2,7 +2,9 @@ creation_date = "2020/10/30" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] @@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ 
@@ -37,13 +38,7 @@ Identifies process execution from suspicious default Windows directories. This i malware in trusted paths. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Process Execution from an Unusual Directory" @@ -113,14 +108,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml index 205ab2734..59977ac9d 100644 --- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml +++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/25" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "SentinelOne integration package minimum version for validation." +min_stack_version = "8.11.0" +updated_date = "2024/05/16" [rule] author = ["Elastic"] 
@@ -11,28 +13,14 @@ Identifies registry write modifications to hide an encoded portable executable. defense evasion by avoiding the storing of malicious content directly on disk. """ from = "now-9m" -index = [ - "logs-endpoint.events.registry-*", - "endgame-*", - "logs-windows.sysmon_operational-*", - "logs-sentinel_one_cloud_funnel.*", -] +index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Encoded Executable Stored in the Registry" risk_score = 47 rule_id = "93c1ce76-494c-4f01-8167-35edfb52f7b1" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: SentinelOne", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml index 5f00f7e7f..b22fb7fb3 100644 --- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml +++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml @@ -2,7 +2,9 @@ creation_date = "2020/04/14" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -11,13 +13,7 @@ Identifies when Internet Information Services (IIS) HTTP Logging is disabled on access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" max_signals = 33 @@ -67,15 +63,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_injection_msbuild.toml b/rules/windows/defense_evasion_injection_msbuild.toml index 802025652..aa9e5675f 100755 --- a/rules/windows/defense_evasion_injection_msbuild.toml +++ b/rules/windows/defense_evasion_injection_msbuild.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/25" integration = ["windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -18,14 +20,7 @@ name = "Process Injection by the Microsoft Build Engine" risk_score = 21 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Privilege Escalation", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "query" @@ -51,7 +46,6 @@ name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_installutil_beacon.toml b/rules/windows/defense_evasion_installutil_beacon.toml index eca5aea19..87b368d79 100644 --- a/rules/windows/defense_evasion_installutil_beacon.toml +++ b/rules/windows/defense_evasion_installutil_beacon.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] 
@@ -11,26 +13,14 @@ Identifies InstallUtil.exe making outbound network connections. This may indicat often leveraged by adversaries to execute code and evade detection. """ from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "logs-endpoint.events.network-*", - "winlogbeat-*", - "logs-windows.sysmon_operational-*", -] +index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "InstallUtil Process Making Network Connections" risk_score = 47 rule_id = "a13167f1-eec2-4015-9631-1fee60406dcf" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml index 16de53c64..81a5bced8 100644 --- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml +++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml @@ -2,7 +2,9 @@ creation_date = "2020/08/24" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -11,13 +13,7 @@ A suspicious Endpoint Security parent process was detected. This may indicate a injection. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Suspicious Endpoint Security Parent Process" @@ -32,14 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -69,6 +58,7 @@ process where host.os.type == "windows" and event.type == "start" and "/enable" ) ) + ''' @@ -78,13 +68,13 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.005" name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_masquerading_business_apps_installer.toml b/rules/windows/defense_evasion_masquerading_business_apps_installer.toml index 69125b3d1..fcd53d91b 100644 --- a/rules/windows/defense_evasion_masquerading_business_apps_installer.toml +++ b/rules/windows/defense_evasion_masquerading_business_apps_installer.toml 
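Review bot: The `@@ -69,6 +58,7 @@` hunk in defense_evasion_masquerading_as_elastic_endpoint_process.toml adds an empty line between the closing `)` of the EQL query and the `'''` delimiter, which changes the value of the `query` string (an extra trailing newline) rather than the file's layout; the query's opening `'''` lies outside the hunk. Whitespace inside the triple-quoted query has no detection effect, but it does alter the rule content as loaded and so may count as a content change on its own. Drop the added blank line so this hunk leaves the query body untouched. The `@@ -78,13 +68,13 @@` hunk below it only moves a blank line around the subtechnique table and is fine.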
@@ -2,7 +2,9 @@ creation_date = "2023/09/01" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -22,15 +24,7 @@ references = [ risk_score = 21 rule_id = "feafdc51-c575-4ed2-89dd-8e20badc2d6c" severity = "low" -tags = [ - "Domain: Endpoint", - "Data Source: Elastic Defend", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Initial Access", - "Tactic: Execution", -] +tags = ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Initial Access", "Tactic: Execution"] timestamp_override = "event.ingested" type = "eql" @@ -171,6 +165,7 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -182,11 +177,11 @@ name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -199,6 +194,7 @@ reference = "https://attack.mitre.org/techniques/T1189/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/defense_evasion_masquerading_communication_apps.toml b/rules/windows/defense_evasion_masquerading_communication_apps.toml index cfb5fd3b6..160315743 100644 --- a/rules/windows/defense_evasion_masquerading_communication_apps.toml +++ b/rules/windows/defense_evasion_masquerading_communication_apps.toml 
@@ -2,7 +2,9 @@ creation_date = "2023/05/05" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -18,13 +20,7 @@ name = "Potential Masquerading as Communication Apps" risk_score = 47 rule_id = "c9482bfa-a553-4226-8ea2-4959bd4f7923" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -98,6 +94,7 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -109,11 +106,12 @@ name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -121,7 +119,6 @@ id = "T1554" name = "Compromise Client Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml index 5aab79fc4..d8cb62d5f 100644 --- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml +++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml 
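Review bot: The `@@ -109,11 +106,12 @@` hunk in defense_evasion_masquerading_communication_apps.toml inserts two consecutive blank lines before the next `[[rule.threat]]` table, and the `@@ -77,6 +63,8 @@` and `@@ -94,6 +82,9 @@` hunks of defense_evasion_masquerading_suspicious_werfault_childproc.toml further down do the same with two and then three blank lines between the tactic and threat tables. A single blank line between tables is the layout the rest of these files use, and a formatter pass will flatten the extra ones, so these runs are pure churn. Reduce each run to one empty line.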
@@ -2,7 +2,9 @@ creation_date = "2020/09/01" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] @@ -110,7 +112,7 @@ tags = [ "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", - "Data Source: Sysmon", + "Data Source: Sysmon" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml index 3cd557a08..bcfb84a7b 100644 --- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml +++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml @@ -2,7 +2,9 @@ creation_date = "2020/08/24" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "SentinelOne integration package minimum version for validation." +min_stack_version = "8.11.0" +updated_date = "2024/05/16" [rule] author = ["Elastic"] @@ -12,13 +14,7 @@ registry key manipulation. Verify process details such as command line, network """ false_positives = ["Custom Windows error reporting debugger or applications restarted by WerFault after a crash."] from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-sentinel_one_cloud_funnel.*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Suspicious WerFault Child Process" 
@@ -39,17 +35,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"] timestamp_override = "event.ingested" type = "eql" @@ -77,6 +63,8 @@ reference = "https://attack.mitre.org/techniques/T1036/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -94,6 +82,9 @@ reference = "https://attack.mitre.org/techniques/T1546/012/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml index 53359cc1b..51d4f068c 100644 --- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml +++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -12,13 +14,7 @@ usually host trusted third party programs. An adversary may leverage masqueradin detections allowlisting those folders. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Program Files Directory Masquerading" @@ -33,14 +29,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml index c4832f2ec..10825bd5f 100644 --- a/rules/windows/defense_evasion_masquerading_werfault.toml +++ b/rules/windows/defense_evasion_masquerading_werfault.toml @@ -2,7 +2,9 @@ creation_date = "2020/08/24" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [transform] [[transform.osquery]] 
@@ -39,12 +41,7 @@ masquerading attempt to evade suspicious child process behavior detections.
 """
 false_positives = ["Legit Application Crash with rare Werfault commandline value"]
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-endpoint.events.network-*",
- "logs-windows.sysmon_operational-*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Windows Error Manager Masquerading"
@@ -106,15 +103,7 @@ references = [
 risk_score = 47
 rule_id = "6ea41894-66c3-4df7-ad6b-2c5074eb3df8"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 type = "eql"
 query = '''
@@ -132,13 +121,13 @@ framework = "MITRE ATT&CK"
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1036.005"
 name = "Match Legitimate Name or Location"
 reference = "https://attack.mitre.org/techniques/T1036/005/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
index 013245ca2..7a7fb3cde 100644
--- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml
+++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Austin Songer"]
@@ -74,15 +76,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -121,16 +115,15 @@ registry where host.os.type == "windows" and event.type in ("creation", "change"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1112"
-name = "Modify Registry"
-reference = "https://attack.mitre.org/techniques/T1112/"
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique]]
+id = "T1112"
+name = "Modify Registry"
+reference = "https://attack.mitre.org/techniques/T1112/"
 [rule.threat.tactic]
 id = "TA0005"
diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
index a7c4a5a81..23325449d 100644
--- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
+++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
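Review bot: The last hunk of this file reorders the `[[rule.threat.technique]]` tables so that T1562 now precedes T1112, while the first hunk moves `updated_date` backwards from `"2024/05/21"` to `"2024/03/28"`. Technique order is part of the rule's content, so if the repository's version-lock check compares a hash of rule contents, a reordered threat list normally calls for the date to be bumped rather than rolled back. If this commit is a deliberate revert of an earlier bulk edit, that is presumably intended, but a one-line note in the commit description saying so would spare the next reader the same question. The middle hunk only collapses `tags` onto one line and raises nothing.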
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/08"
 [transform]
 [[transform.osquery]]
@@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -38,12 +39,7 @@ validation. Adversaries may use these binaries to 'live off the land' and execut
 application allowlists and signature validation.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-endpoint.events.network-*",
- "logs-windows.sysmon_operational-*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Network Connection via Signed Binary"
@@ -104,15 +100,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 21
 rule_id = "63e65ec3-43b1-45b0-8f2d-45b34291dc44"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 type = "eql"
 query = '''
diff --git a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
index 7575aea34..cd33fc5a3 100644
--- a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
+++ b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/12"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -81,7 +83,7 @@ tags = [
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
- "Data Source: Sysmon",
+ "Data Source: Sysmon"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
index ac7a2d074..526bde67f 100644
--- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml
+++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/08"
 [transform]
 [[transform.osquery]]
@@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -37,12 +38,7 @@ Identifies MsBuild.exe making outbound network connections. This may indicate ad
 leveraged by adversaries to execute code and evade detection.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-endpoint.events.network-*",
- "logs-windows.sysmon_operational-*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "MsBuild Making Network Connections"
@@ -104,15 +100,7 @@ This rule looks for the `Msbuild.exe` utility execution, followed by a network c
 risk_score = 47
 rule_id = "0e79980b-4250-4a50-a509-69294c14e84b"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 type = "eql"
 query = '''
diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml
index 16ce875c6..114d561f4 100644
--- a/rules/windows/defense_evasion_mshta_beacon.toml
+++ b/rules/windows/defense_evasion_mshta_beacon.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -11,26 +13,14 @@ Identifies Mshta.exe making outbound network connections. This may indicate adve
 leveraged by adversaries to execute malicious scripts and evade detection.
 """
 from = "now-20m"
-index = [
- "logs-endpoint.events.process-*",
- "logs-endpoint.events.network-*",
- "winlogbeat-*",
- "logs-windows.sysmon_operational-*",
-]
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Mshta Making Network Connections"
 risk_score = 47
 rule_id = "c2d90150-0133-451c-a783-533e736c12d7"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 type = "eql"
 query = '''
diff --git a/rules/windows/defense_evasion_msxsl_network.toml b/rules/windows/defense_evasion_msxsl_network.toml
index 714b28417..0835894f9 100644
--- a/rules/windows/defense_evasion_msxsl_network.toml
+++ b/rules/windows/defense_evasion_msxsl_network.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -11,12 +13,7 @@ Identifies msxsl.exe making a network connection. This may indicate adversarial
 by adversaries to execute malicious scripts and evade detection.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-endpoint.events.network-*",
- "logs-windows.sysmon_operational-*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Network Connection via MsXsl"
@@ -24,14 +21,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 21
 rule_id = "b86afe07-0d98-4738-b15d-8d7465f95ff5"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 type = "eql"
 query = '''
diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
index d04c84fd6..b7a6daca8 100644
--- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
+++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/08"
 [transform]
 [[transform.osquery]]
@@ -37,12 +39,7 @@ Identifies network activity from unexpected system applications. This may indica
 applications are often leveraged by adversaries to execute code and evade detection.
 """
 from = "now-9m"
-index = [
- "logs-endpoint.events.process-*",
- "logs-endpoint.events.network-*",
- "winlogbeat-*",
- "logs-windows.sysmon_operational-*",
-]
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Network Activity from a Windows System Binary"
@@ -103,15 +100,7 @@ This rule identifies network connections established by trusted developer utilit
 risk_score = 47
 rule_id = "1fe3b299-fbb5-4657-a937-1d746f2c711a"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 type = "eql"
 query = '''
@@ -177,16 +166,6 @@ sequence by process.entity_id with maxspan=5m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1036"
-name = "Masquerading"
-reference = "https://attack.mitre.org/techniques/T1036/"
-[[rule.threat.technique.subtechnique]]
-id = "T1036.005"
-name = "Match Legitimate Name or Location"
-reference = "https://attack.mitre.org/techniques/T1036/005/"
-
-
 [[rule.threat.technique]]
 id = "T1127"
 name = "Trusted Developer Utilities Proxy Execution"
@@ -201,7 +180,15 @@ id = "T1218.005"
 name = "Mshta"
 reference = "https://attack.mitre.org/techniques/T1218/005/"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.005"
+name = "Match Legitimate Name or Location"
+reference = "https://attack.mitre.org/techniques/T1036/005/"
 [rule.threat.tactic]
 id = "TA0005"
diff --git a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml
index 84aecaea7..2314ec54c 100644
--- a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml
+++ b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/07/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -19,14 +21,7 @@ references = ["https://blog.didierstevens.com/2017/03/20/"]
 risk_score = 73
 rule_id = "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
 type = "eql"
 query = '''
@@ -89,6 +84,8 @@ reference = "https://attack.mitre.org/techniques/T1134/004/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
index 181950d35..7212b3125 100644
--- a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
+++ b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/11/01"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "SentinelOne integration package minimum version for validation."
+min_stack_version = "8.11.0"
+updated_date = "2024/05/16"
 [rule]
 author = ["Elastic"]
@@ -12,13 +14,7 @@ default) and is set to 1, then remote connections from all local members of Admi
 high-integrity tokens during negotiation.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.registry-*",
- "logs-windows.sysmon_operational-*",
- "endgame-*",
- "logs-sentinel_one_cloud_funnel.*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Local Account TokenFilter Policy Disabled"
@@ -39,7 +35,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: SentinelOne",
+ "Data Source: SentinelOne"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -70,6 +66,8 @@ reference = "https://attack.mitre.org/techniques/T1562/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/defense_evasion_posh_encryption.toml b/rules/windows/defense_evasion_posh_encryption.toml
index 985ce93b1..6dde3fa66 100644
--- a/rules/windows/defense_evasion_posh_encryption.toml
+++ b/rules/windows/defense_evasion_posh_encryption.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/01/23"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -49,14 +51,7 @@ PowerShell offers encryption and decryption functionalities that attackers can a
 risk_score = 47
 rule_id = "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: PowerShell Logs",
- "Resources: Investigation Guide",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml
index bac16ac48..9ab8e5502 100644
--- a/rules/windows/defense_evasion_posh_process_injection.toml
+++ b/rules/windows/defense_evasion_posh_process_injection.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -81,15 +83,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 ```
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Resources: Investigation Guide",
- "Data Source: PowerShell Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -128,6 +122,7 @@ reference = "https://attack.mitre.org/techniques/T1055/002/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
index abd9a87b4..edafb0b5a 100644
--- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
+++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/15"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Austin Songer"]
@@ -80,7 +82,7 @@ tags = [
 "Tactic: Execution",
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
+ "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -111,6 +113,7 @@ reference = "https://attack.mitre.org/techniques/T1562/004/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
index 5ed21ba1c..105d94c93 100644
--- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
+++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/08"
 [transform]
 [[transform.osquery]]
@@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -94,15 +95,7 @@ This rule identifies an unsigned process termination event quickly followed by t
 risk_score = 47
 rule_id = "09443c92-46b3-45a4-8f25-383b028b258d"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 type = "eql"
 query = '''
@@ -136,12 +129,12 @@ framework = "MITRE ATT&CK"
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1036.001"
 name = "Invalid Code Signature"
 reference = "https://attack.mitre.org/techniques/T1036/001/"
-
 [[rule.threat.technique]]
 id = "T1070"
 name = "Indicator Removal"
diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
index debc6c67d..e7df54ffa 100644
--- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
+++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/05/31"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -30,14 +32,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_root_dir_ads_creation.toml b/rules/windows/defense_evasion_root_dir_ads_creation.toml
index f3e782745..f412479a2 100644
--- a/rules/windows/defense_evasion_root_dir_ads_creation.toml
+++ b/rules/windows/defense_evasion_root_dir_ads_creation.toml
@@ -2,21 +2,18 @@
 creation_date = "2024/03/14"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/05/08"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the creation of an Alternate Data Stream (ADS) at a volume root directory, which can indicate the attempt to
-hide tools and malware, as ADSs created in this directory are not displayed by system utilities.
+Identifies the creation of an Alternate Data Stream (ADS) at a volume root directory, which can indicate the
+attempt to hide tools and malware, as ADSs created in this directory are not displayed by system utilities.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-endpoint.events.file-*",
- "logs-windows.sysmon_operational-*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Alternate Data Stream Creation/Execution at Volume Root Directory"
@@ -24,14 +21,7 @@ references = ["https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomwa
 risk_score = 47
 rule_id = "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml
index 05f502734..3905a429f 100644
--- a/rules/windows/defense_evasion_rundll32_no_arguments.toml
+++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [transform]
 [[transform.osquery]]
@@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -101,14 +102,7 @@ RunDLL32 is a legitimate Windows utility used to load and execute functions with
 risk_score = 73
 rule_id = "f036953a-4615-4707-a1ca-dc53bf69dcd5"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 type = "eql"
 query = '''
diff --git a/rules/windows/defense_evasion_sccm_scnotification_dll.toml b/rules/windows/defense_evasion_sccm_scnotification_dll.toml
index 8abfbc372..faa114dbc 100644
--- a/rules/windows/defense_evasion_sccm_scnotification_dll.toml
+++ b/rules/windows/defense_evasion_sccm_scnotification_dll.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/04/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/17"
 [rule]
 author = ["Elastic"]
@@ -17,18 +19,12 @@ license = "Elastic License v2"
 name = "Potential Windows Session Hijacking via CcmExec"
 references = [
 "https://cloud.google.com/blog/topics/threat-intelligence/windows-session-hijacking-via-ccmexec",
- "https://mayfly277.github.io/posts/SCCM-LAB-part0x3/#impersonate-users---revshell-connected-users",
+ "https://mayfly277.github.io/posts/SCCM-LAB-part0x3/#impersonate-users---revshell-connected-users"
 ]
 risk_score = 47
 rule_id = "e7357fec-6e9c-41b9-b93d-6e4fc40c7d47"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
index 505aec53d..0c7d058f1 100644
--- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
+++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/23"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -28,16 +30,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -67,19 +60,21 @@ reference = "https://attack.mitre.org/techniques/T1562/001/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1053.002"
 name = "At"
 reference = "https://attack.mitre.org/techniques/T1053/002/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
index de7148408..256dea76f 100644
--- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
+++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -50,17 +52,7 @@ This rule identifies file name patterns generated by the use of SDelete utility
 risk_score = 21
 rule_id = "5aee924b-6ceb-4633-980e-1bde8cdb40c5"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Impact",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Impact", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -86,6 +78,8 @@ reference = "https://attack.mitre.org/techniques/T1070/004/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/defense_evasion_sip_provider_mod.toml b/rules/windows/defense_evasion_sip_provider_mod.toml
index 95c8ab246..bb329324f 100644
--- a/rules/windows/defense_evasion_sip_provider_mod.toml
+++ b/rules/windows/defense_evasion_sip_provider_mod.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -20,15 +22,7 @@ references = ["https://github.com/mattifestation/PoCSubjectInterfacePackage"] risk_score = 47 rule_id = "f2c7b914-eda3-40c2-96ac-d23ef91776ca" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml index cf10b147d..bc4bbd38f 100644 --- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/14" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -29,16 +31,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Initial Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -61,11 +54,6 @@ registry where host.os.type == "windows" and registry.path : ( [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" @@ -76,6 +64,10 @@ name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" [rule.threat.tactic] id = "TA0005" diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml index 6b2f2843b..fc5d2252d 100644 --- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml +++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] 
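Review bot: In the `@@ -76,6 +64,10 @@` hunk of defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml the T1112 `[[rule.threat.technique]]` table is deleted from before T1562 (the `@@ -61,11 +54,6 @@` hunk) and re-added after it, so the techniques under this `[[rule.threat]]` are no longer in ascending ID order. The other technique lists touched by this commit (for example T1036 followed by T1574 in defense_evasion_unsigned_dll_loaded_from_suspdir.toml) keep ascending order, so this file becomes the odd one out, and if the repository's rule serializer sorts technique tables on save the order will presumably be flipped back on the next round-trip, producing churn. Leaving the T1112 table in its original position (no `-`/`+` pair for `id = "T1112"`, `name = "Modify Registry"`, `reference = "https://attack.mitre.org/techniques/T1112/"`) avoids both outcomes. The enclosing `[[rule.threat]]` table starts outside this hunk.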
@@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic", "Austin Songer"] description = """ @@ -38,13 +39,7 @@ Certificate Services. CertUtil is often abused by attackers to live off the land data exfiltration. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Suspicious CertUtil Commands" @@ -107,15 +102,7 @@ references = [ risk_score = 47 rule_id = "fd70c98a-c410-42dc-a2e3-761c71848acf" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" timeline_title = "Comprehensive Process Timeline" timestamp_override = "event.ingested" diff --git a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml index 835c75dc5..2408f6bf6 100644 --- a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml +++ b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml 
@@ -2,7 +2,9 @@ creation_date = "2021/05/28" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -30,15 +32,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -84,6 +78,7 @@ framework = "MITRE ATT&CK" id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml index 3ed7d721f..20706f7bb 100644 --- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml +++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml @@ -2,7 +2,9 @@ creation_date = "2020/08/21" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -15,20 +17,11 @@ index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_ope language = "eql" license = "Elastic License v2" name = "Suspicious Managed Code Hosting Process" -references = [ - "http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", -] +references = ["http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html"] risk_score = 73 rule_id = "acf738b5-b5b2-4acc-bad9-1e18ee234f40" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml index d38e017d6..c10a9e070 100644 --- a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml +++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml @@ -2,7 +2,9 @@ creation_date = "2021/10/11" integration = ["windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions." +min_stack_version = "8.8.0" +updated_date = "2024/03/08" [transform] [[transform.osquery]] 
@@ -111,15 +113,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -159,8 +153,10 @@ reference = "https://attack.mitre.org/techniques/T1055/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1106" name = "Native API" diff --git a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml index d4c4fb10d..b2a164535 100644 --- a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml +++ b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml @@ -2,7 +2,9 @@ creation_date = "2021/10/24" integration = ["windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions." +min_stack_version = "8.8.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -46,14 +48,7 @@ Attackers may inject code into child processes' memory to hide their actual acti risk_score = 47 rule_id = "3ed032b2-45d8-4406-bc79-7ad1eabb2c72" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Sysmon"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml index 1011838ee..d852a4742 100644 --- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml +++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -18,14 +20,7 @@ name = "Suspicious Script Object Execution" risk_score = 47 rule_id = "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" 
@@ -62,13 +57,13 @@ framework = "MITRE ATT&CK" id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.010" name = "Regsvr32" reference = "https://attack.mitre.org/techniques/T1218/010/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_suspicious_short_program_name.toml b/rules/windows/defense_evasion_suspicious_short_program_name.toml index 75210439c..ecb739594 100644 --- a/rules/windows/defense_evasion_suspicious_short_program_name.toml +++ b/rules/windows/defense_evasion_suspicious_short_program_name.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/15" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] @@ -29,13 +31,10 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ -Identifies the execution of a process with a single character process name, differing from the original file name. This -is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based -on the process name. +Identifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name. """ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"] 
@@ -93,16 +92,7 @@ Identifies the execution of a process with a single character process name, diff risk_score = 47 rule_id = "17c7f6a5-5bc9-4e1f-92bf-13632d24384d" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml index b10b97989..789fd5132 100644 --- a/rules/windows/defense_evasion_suspicious_wmi_script.toml +++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] 
@@ -11,27 +13,14 @@ Identifies WMIC allowlist bypass techniques by alerting on suspicious execution libraries it may be indicative of an allowlist bypass. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.library-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Suspicious WMIC XSL Script Execution" risk_score = 47 rule_id = "7f370d54-c0eb-4270-ac5a-9a6020585dc6" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' @@ -57,14 +46,15 @@ reference = "https://attack.mitre.org/techniques/T1220/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml index b8baa796c..f49c65712 100644 --- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml +++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml 
@@ -2,7 +2,9 @@
 creation_date = "2020/09/03"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "SentinelOne integration package minimum version for validation."
+min_stack_version = "8.11.0"
+updated_date = "2024/05/16"
 
 [transform]
 [[transform.osquery]]
@@ -37,14 +39,7 @@ A suspicious Zoom child process was detected, which may indicate an attempt to r
 such as command line, network connections, file writes and associated file signature details as well.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
- "logs-sentinel_one_cloud_funnel.*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Zoom Child Process"
@@ -102,17 +97,7 @@ This rule identifies a potential malicious process masquerading as `Zoom.exe` or
 risk_score = 47
 rule_id = "97aba1ef-6034-4bd3-8c1a-1e0996b27afa"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
- "Data Source: SentinelOne",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: SentinelOne"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -139,6 +124,7 @@ reference = "https://attack.mitre.org/techniques/T1055/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -151,4 +137,3 @@ reference = "https://attack.mitre.org/techniques/T1203/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml index a3a278e09..21c674aa7 100644 --- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml +++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml @@ -2,7 +2,9 @@ creation_date = "2020/08/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] @@ -111,7 +113,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: Sysmon", + "Data Source: Sysmon" ] timestamp_override = "event.ingested" type = "eql" @@ -143,6 +145,7 @@ reference = "https://attack.mitre.org/techniques/T1211/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/defense_evasion_timestomp_sysmon.toml b/rules/windows/defense_evasion_timestomp_sysmon.toml index 827fb4c7a..002dc8452 100644 --- a/rules/windows/defense_evasion_timestomp_sysmon.toml +++ b/rules/windows/defense_evasion_timestomp_sysmon.toml 
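Review bot: In the `@@ -111,7 +113,7 @@` hunk of defense_evasion_system_critical_proc_abnormal_file_activity.toml the only change is dropping the trailing comma from `"Data Source: Sysmon",` while the `tags` array stays multi-line, whereas every other rule in this commit collapses `tags` onto a single line; the same partial rewrite appears in the `@@ -24,7 +26,7 @@` hunk of defense_evasion_timestomp_sysmon.toml and in the `references` array of defense_evasion_untrusted_driver_loaded.toml, where the entries are re-emitted with only the trailing comma removed (and presumably a whitespace change this collapsed view does not show). The result is two array styles within one commit, which looks like output from two different serializer settings rather than a deliberate choice. Either keep these arrays byte-identical to the old side (dropping the `-`/`+` pair for `"Data Source: Sysmon",`) or run the whole set through the repository's TOML formatter once so the files agree. The enclosing `tags = [` line is outside this hunk.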
@@ -2,14 +2,16 @@ creation_date = "2023/01/17" integration = ["windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -Identifies modification of a file creation time. Adversaries may modify file time attributes to blend malicious content -with existing files. Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in -trusted directories. +Identifies modification of a file creation time. Adversaries may modify file time attributes to blend +malicious content with existing files. Timestomping is a technique that modifies the timestamps of +a file often to mimic files that are in trusted directories. """ from = "now-9m" index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"] @@ -24,7 +26,7 @@ tags = [ "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", - "Data Source: Sysmon", + "Data Source: Sysmon" ] timestamp_override = "event.ingested" type = "eql" @@ -66,9 +68,7 @@ name = "Timestomp" reference = "https://attack.mitre.org/techniques/T1070/006/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml index 052d4bb6f..f1a0df195 100644 --- a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml +++ b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml 
@@ -1,15 +1,17 @@
 [metadata]
 creation_date = "2022/11/22"
-integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+integration = ["endpoint"]
+min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above."
+min_stack_version = "8.4.0"
+updated_date = "2024/03/28"
 
 [rule]
 author = ["Elastic"]
 description = """
 Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted
-program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a
-malicious DLL within the memory space of a signed processes.
+program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading
+a malicious DLL within the memory space of a signed processes.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.library-*"]
@@ -27,13 +29,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -130,12 +126,12 @@ framework = "MITRE ATT&CK"
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1036.001"
 name = "Invalid Code Signature"
 reference = "https://attack.mitre.org/techniques/T1036/001/"
-
 
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
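Review bot: In the `@@ -1,15 +1,17 @@` hunk of defense_evasion_unsigned_dll_loaded_from_suspdir.toml, `integration = ["endpoint"]` is removed from its place after `creation_date` and re-added after `maturity`, so the `[metadata]` keys now read creation_date, maturity, integration, min_stack_comments, min_stack_version, updated_date. Every other `[metadata]` hunk in this commit (for example the sdelete, sip_provider and zoom rules) keeps the alphabetical creation_date, integration, maturity, min_stack_comments, min_stack_version, updated_date order, so this file alone diverges, and a serializer that sorts keys would presumably move it back on the next save. Dropping the `-integration = ["endpoint"]` / `+integration = ["endpoint"]` pair and leaving ` integration = ["endpoint"]` as unchanged context between `creation_date` and `maturity` gives the same end state with one fewer gratuitous change. The `[metadata]` table is fully contained in this hunk.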
diff --git a/rules/windows/defense_evasion_untrusted_driver_loaded.toml b/rules/windows/defense_evasion_untrusted_driver_loaded.toml
index dcf13aab5..3e5574298 100644
--- a/rules/windows/defense_evasion_untrusted_driver_loaded.toml
+++ b/rules/windows/defense_evasion_untrusted_driver_loaded.toml
@@ -2,31 +2,27 @@ creation_date = "2023/01/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/15" [transform] [[transform.osquery]] label = "Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link" query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, -issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = -authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1") +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1") """ [[transform.osquery]] label = "Osquery - Retrieve All Unsigned Drivers with Virustotal Link" query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, -issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = -authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0" +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0" """ - [rule] author = ["Elastic"] description = """ -Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of -unsigned or self-signed code. +Identifies attempt to load an untrusted driver. 
Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. """ from = "now-9m" index = ["logs-endpoint.events.library-*"] @@ -93,20 +89,13 @@ This rule identifies an attempt to load an untrusted driver, which effectively m - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = [ - "https://github.com/hfiref0x/TDL", - "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN", + "https://github.com/hfiref0x/TDL", + "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN" ] risk_score = 73 rule_id = "d8ab1ec1-feeb-48b9-89e7-c12e189448aa" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -123,13 +112,12 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml index 8379392ab..5a30ad134 100644 --- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml +++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml 
@@ -2,7 +2,9 @@ creation_date = "2021/01/21" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] @@ -108,15 +110,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml index 5e0ec96e2..2919e8d50 100644 --- a/rules/windows/defense_evasion_unusual_dir_ads.toml +++ b/rules/windows/defense_evasion_unusual_dir_ads.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/04" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -26,15 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml index 18f0e76af..c5d82124d 100644 --- a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml +++ b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml @@ -2,7 +2,9 @@ creation_date = "2021/05/28" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] @@ -11,12 +13,7 @@ Identifies unusual instances of dllhost.exe making outbound network connections. and Control activity. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.network-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Unusual Network Connection via DllHost" 
@@ -28,14 +25,7 @@ references = [ risk_score = 47 rule_id = "c7894234-7814-44c2-92a9-f7d851ea246a" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml index 90e8da270..17ce9288d 100644 --- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml +++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] @@ -11,12 +13,7 @@ Identifies unusual instances of rundll32.exe making outbound network connections and Control activity. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.network-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Unusual Network Connection via RunDLL32" 
@@ -59,16 +56,7 @@ references = [
 risk_score = 47
 rule_id = "52aaab7b-b51c-441a-89ce-4387b3aea886"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Tactic: Command and Control",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 type = "eql"
 query = '''
@@ -117,4 +105,3 @@ reference = "https://attack.mitre.org/techniques/T1071/001/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml
index 42fa32b52..dfa44ae72 100644
--- a/rules/windows/defense_evasion_unusual_process_network_connection.toml
+++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -11,12 +13,7 @@ Identifies network activity from unexpected system applications. This may indica applications are often leveraged by adversaries to execute code and evade detection. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.network-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Unusual Process Network Connection" @@ -50,15 +47,7 @@ This rule identifies network activity from unexpected system utilities and appli risk_score = 21 rule_id = "610949a1-312f-4e04-bb55-3a79b8c95267" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml index 3a55105d4..f1d993e1d 100644 --- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml +++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml 
@@ -2,19 +2,15 @@ creation_date = "2020/08/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] description = "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection." from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Unusual Child Process from a System Virtual Process" @@ -29,14 +25,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml index 4369e04cd..48df9e961 100644 --- a/rules/windows/defense_evasion_via_filter_manager.toml +++ b/rules/windows/defense_evasion_via_filter_manager.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] @@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ @@ -37,13 +38,7 @@ The Filter Manager Control Program (fltMC.exe) binary may be abused by adversari defenses. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Potential Evasion via Filter Manager" @@ -102,15 +97,7 @@ This rule identifies the attempt to unload a minifilter using the `fltmc.exe` co risk_score = 47 rule_id = "06dceabf-adca-48af-ac79-ffdf4c3b1e9a" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_windows_filtering_platform.toml b/rules/windows/defense_evasion_windows_filtering_platform.toml index 4c31c6f20..b342d8df3 100644 --- a/rules/windows/defense_evasion_windows_filtering_platform.toml +++ b/rules/windows/defense_evasion_windows_filtering_platform.toml 
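Review bot: In the first hunk `updated_date` moves backwards, from `2024/05/21` to `2024/03/28`, in the same change that re-adds `min_stack_comments` and `min_stack_version`, so the stamp no longer reflects the last time this file's metadata changed. If this commit is a straight revert restoring the file's earlier state, that is expected and worth stating in the commit message; if it is a fresh edit, the convention visible across these rule files appears to be bumping `updated_date` whenever rule metadata changes, and the line should carry the date of this change. The `[metadata]` table header sits above the hunk.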
@@ -2,13 +2,16 @@ creation_date = "2023/12/15" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] description = """ -Identifies multiple Windows Filtering Platform block events and where the process name is related to an endpoint -security software. Adversaries may add malicious WFP rules to prevent Endpoint security from sending telemetry. +Identifies multiple Windows Filtering Platform block events and where the process name is related to +an endpoint security software. Adversaries may add malicious WFP rules to prevent Endpoint security +from sending telemetry. """ from = "now-9m" index = ["winlogbeat-*", "logs-windows.network-*", "logs-system.security-*"] @@ -16,11 +19,11 @@ language = "eql" license = "Elastic License v2" name = "Potential Evasion via Windows Filtering Platform" references = [ - "https://github.com/dsnezhkov/shutter/tree/main", - "https://github.com/netero1010/EDRSilencer/tree/main", - "https://www.mdsec.co.uk/2023/09/nighthawk-0-2-6-three-wise-monkeys/", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5157", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152", + "https://github.com/dsnezhkov/shutter/tree/main", + "https://github.com/netero1010/EDRSilencer/tree/main", + "https://www.mdsec.co.uk/2023/09/nighthawk-0-2-6-three-wise-monkeys/", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5157", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152" ] risk_score = 47 rule_id = "92d3a04e-6487-4b62-892d-70e640a590dc" 
@@ -46,7 +49,7 @@ tags = [
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
+ "Data Source: Elastic Defend"
 ]
 type = "eql"
@@ -113,4 +116,3 @@ reference = "https://attack.mitre.org/techniques/T1562/004/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml
index a301336e8..d7151581b 100644
--- a/rules/windows/defense_evasion_workfolders_control_execution.toml
+++ b/rules/windows/defense_evasion_workfolders_control_execution.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/03/02"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/01/16"
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/defense_evasion_wsl_bash_exec.toml b/rules/windows/defense_evasion_wsl_bash_exec.toml
index 65ad3cc71..56e4efaee 100644
--- a/rules/windows/defense_evasion_wsl_bash_exec.toml
+++ b/rules/windows/defense_evasion_wsl_bash_exec.toml
@@ -2,42 +2,30 @@ creation_date = "2023/01/13" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/03/28" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] description = """ -Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to -avoid detection. +Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable +and use WSL for Linux to avoid detection. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Suspicious Execution via Windows Subsystem for Linux" references = [ "https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", - "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1", + "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1" ] risk_score = 21 rule_id = "3e0eeb75-16e8-4f2f-9826-62461ca128b7" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
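Review bot: The rewrapped description keeps the doubled article in `Detects Linux Bash commands from the the Windows Subsystem for Linux.`; since the line is being rewritten anyway, the new first line should read `Detects Linux Bash commands from the Windows Subsystem for Linux. Adversaries may enable`. Separately, this file places `min_stack_comments` and `min_stack_version` after `updated_date`, whereas every other rule in this diff keeps the `[metadata]` keys in alphabetical order with `updated_date` last; if the repository's TOML writer normalizes key order, this file will churn on its next save, so it is worth matching the order now. The `[metadata]` table header is above the hunk.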
@@ -69,26 +57,24 @@ id = "T1202"
 name = "Indirect Command Execution"
 reference = "https://attack.mitre.org/techniques/T1202/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.004"
-name = "Unix Shell"
-reference = "https://attack.mitre.org/techniques/T1059/004/"
-
+ [[rule.threat.technique.subtechnique]]
+ id = "T1059.004"
+ name = "Unix Shell"
+ reference = "https://attack.mitre.org/techniques/T1059/004/"
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/windows/defense_evasion_wsl_child_process.toml b/rules/windows/defense_evasion_wsl_child_process.toml
index 05204c9c8..add8d5f51 100644
--- a/rules/windows/defense_evasion_wsl_child_process.toml
+++ b/rules/windows/defense_evasion_wsl_child_process.toml
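Review bot: The re-added `[[rule.threat.technique.subtechnique]]` table and its `id`, `name` and `reference` keys are indented on the new side, while the sibling `[[rule.threat.technique]]` and `[rule.threat.tactic]` tables in the same hunk start at column 0. TOML ignores leading whitespace so the file still parses, but the indented form matches nothing else in this diff and will be flattened by any formatter that rewrites the rule. Keep the four lines flush-left, e.g. `[[rule.threat.technique.subtechnique]]` followed by `id = "T1059.004"`.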
@@ -2,22 +2,18 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/03/28" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] description = """ -Detects attempts to execute a program on the host from the Windows Subsystem for Linux. Adversaries may enable and use -WSL for Linux to avoid detection. +Detects attempts to execute a program on the host from the Windows Subsystem for Linux. +Adversaries may enable and use WSL for Linux to avoid detection. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Execution via Windows Subsystem for Linux" @@ -25,14 +21,7 @@ references = ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"] risk_score = 47 rule_id = "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -63,4 +52,3 @@ reference = "https://attack.mitre.org/techniques/T1202/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml index 420fb3249..a1b8f65de 100644 --- a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml 
+++ b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
@@ -2,22 +2,18 @@
 creation_date = "2023/01/13"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/03/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
 description = """
-Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. Adversaries may enable and use
-WSL for Linux to avoid detection.
+Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. Adversaries may enable
+and use WSL for Linux to avoid detection.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Windows Subsystem for Linux Enabled via Dism Utility"
@@ -61,14 +57,7 @@ references = ["https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux
 risk_score = 47
 rule_id = "e2e0537d-7d8f-4910-a11d-559bcf61295a"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -86,9 +75,7 @@ id = "T1202"
 name = "Indirect Command Execution"
 reference = "https://attack.mitre.org/techniques/T1202/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/defense_evasion_wsl_filesystem.toml b/rules/windows/defense_evasion_wsl_filesystem.toml index afcf4dfd1..013c926ff 100644 --- a/rules/windows/defense_evasion_wsl_filesystem.toml +++ b/rules/windows/defense_evasion_wsl_filesystem.toml @@ -2,21 +2,18 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/04/08" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] description = """ -Detects files creation and modification on the host system from the the Windows Subsystem for Linux. Adversaries may -enable and use WSL for Linux to avoid detection. +Detects files creation and modification on the host system from the the Windows Subsystem for Linux. +Adversaries may enable and use WSL for Linux to avoid detection. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.file-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Host Files System Changes via Windows Subsystem for Linux" @@ -24,15 +21,7 @@ references = ["https://github.com/microsoft/WSL"] risk_score = 47 rule_id = "e88d1fe9-b2f4-48d4-bace-a026dc745d4b" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" 
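Review bot: The description being rewrapped in the first hunk carries two wording slips that this rewrite is the natural place to fix: `files creation` should be `file creation`, and `from the the Windows Subsystem for Linux` doubles the article. Proposed first line: `Detects file creation and modification on the host system from the Windows Subsystem for Linux.`, with the second line unchanged. As in the other WSL rules in this diff, `min_stack_comments` and `min_stack_version` are placed after `updated_date` here, unlike the alphabetical `[metadata]` key order used by the non-WSL rules; matching that order avoids churn if a formatter later rewrites the file.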
@@ -58,4 +47,3 @@ reference = "https://attack.mitre.org/techniques/T1202/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/defense_evasion_wsl_kalilinux.toml b/rules/windows/defense_evasion_wsl_kalilinux.toml
index 7a9d1eb04..cc0e4849b 100644
--- a/rules/windows/defense_evasion_wsl_kalilinux.toml
+++ b/rules/windows/defense_evasion_wsl_kalilinux.toml
@@ -2,22 +2,18 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/03/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
 description = """
-Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may enable and use WSL for
-Linux to avoid detection.
+Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may
+enable and use WSL for Linux to avoid detection.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Attempt to Install Kali Linux via WSL"
@@ -25,14 +21,7 @@ references = ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"]
 risk_score = 73
 rule_id = "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -60,4 +49,3 @@ reference = "https://attack.mitre.org/techniques/T1202/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/defense_evasion_wsl_registry_modification.toml b/rules/windows/defense_evasion_wsl_registry_modification.toml
index 0908de4d3..fe267a4a6 100644
--- a/rules/windows/defense_evasion_wsl_registry_modification.toml
+++ b/rules/windows/defense_evasion_wsl_registry_modification.toml
@@ -2,13 +2,15 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/03/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
 description = """
-Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux distribution by name.
-Adversaries may enable and use WSL for Linux to avoid detection.
+Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux
+distribution by name. Adversaries may enable and use WSL for Linux to avoid detection.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"]
@@ -56,15 +58,7 @@ references = ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"]
 risk_score = 47
 rule_id = "a1699af0-8e1e-4ed0-8ec1-89783538a061"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799"
 timeline_title = "Comprehensive Registry Timeline"
 timestamp_override = "event.ingested"
@@ -95,4 +89,3 @@ reference = "https://attack.mitre.org/techniques/T1202/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/discovery_active_directory_webservice.toml b/rules/windows/discovery_active_directory_webservice.toml
index e43e63aa6..18fbaab7b 100644
--- a/rules/windows/discovery_active_directory_webservice.toml
+++ b/rules/windows/discovery_active_directory_webservice.toml
@@ -2,13 +2,15 @@ creation_date = "2024/01/31" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] description = """ -Identifies processes loading Active Directory related modules followed by a network connection to the ADWS dedicated TCP -port. Adversaries may abuse the ADWS Windows service that allows Active Directory to be queried via this web service. +Identifies processes loading Active Directory related modules followed by a network connection to the ADWS dedicated TCP port. +Adversaries may abuse the ADWS Windows service that allows Active Directory to be queried via this web service. """ from = "now-9m" index = ["logs-endpoint.events.library-*", "logs-endpoint.events.network-*"] @@ -19,13 +21,7 @@ references = ["https://github.com/FalconForceTeam/SOAPHound"] risk_score = 47 rule_id = "9c951837-7d13-4b0c-be7a-f346623c8795" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -45,17 +41,15 @@ sequence by process.entity_id with maxspan=3m network.direction == "egress" and network.transport == "tcp" and not cidrmatch(destination.ip, "127.0.0.0/8", "::1/128")] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - 
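Review bot: The rewrapped first description line in the first hunk, `Identifies processes loading Active Directory related modules followed by a network connection to the ADWS dedicated TCP port.`, runs to roughly 126 characters, while the line it replaces broke before `port.` to stay within what looks like a 120-column wrap used throughout these rule files. Re-wrap as on the removed side, or break after `connection`, so neither line exceeds 120 characters. The enclosing `[rule]` table continues past the end of the hunk.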
diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml index 0d0a328cd..ed54cb9a0 100644 --- a/rules/windows/discovery_adfind_command_activity.toml +++ b/rules/windows/discovery_adfind_command_activity.toml @@ -2,7 +2,9 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -12,13 +14,7 @@ leveraged by threat actors to perform post-exploitation Active Directory reconna observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon. """ from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "AdFind Command Activity" @@ -76,15 +72,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -103,11 +91,6 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1016" -name = "System Network Configuration Discovery" -reference = "https://attack.mitre.org/techniques/T1016/" - [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" @@ -138,6 +121,10 @@ id = "T1482" name = "Domain Trust Discovery" reference = "https://attack.mitre.org/techniques/T1482/" +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" [rule.threat.tactic] id = "TA0007" diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml index 601a38f93..f43b5d0ca 100644 --- a/rules/windows/discovery_admin_recon.toml +++ b/rules/windows/discovery_admin_recon.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/04" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -11,13 +13,7 @@ Identifies instances of lower privilege accounts enumerating Administrator accou tools. """ from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Enumeration of Administrator Accounts" 
@@ -64,15 +60,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -95,13 +90,14 @@ process where host.os.type == "windows" and event.type == "start" and ) and not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" @@ -112,11 +108,11 @@ id = "T1069.002" name = "Domain Groups" reference = "https://attack.mitre.org/techniques/T1069/002/" - [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" + [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" @@ -127,10 +123,7 @@ id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" - - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml index 24ebab839..373ff4fb1 100644 --- a/rules/windows/discovery_command_system_account.toml +++ b/rules/windows/discovery_command_system_account.toml 
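Review bot: The new `tags` array in the first hunk uses a third layout — first element on the `tags = [` line, the remaining elements indented, and an indented closing `]` — which matches neither the one-line form every other rule in this diff was collapsed to nor the one-per-line form being removed. For consistency use the single-line form: `tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]`. If the repository's rule formatter normalizes arrays on save, the current block will be rewritten the next time this rule is touched, producing an unrelated diff.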
@@ -2,7 +2,9 @@ creation_date = "2020/03/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -55,16 +57,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -93,6 +86,7 @@ reference = "https://attack.mitre.org/techniques/T1033/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml index 27c8db811..65c9545d4 100644 --- a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml +++ b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml @@ -2,7 +2,9 @@ creation_date = "2023/01/27" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -15,13 +17,7 @@ false_positives = [
"Domain administrators may use this command-line utility for legitimate information gathering purposes.",
]
from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Enumerating Domain Trusts via DSQUERY.EXE"
@@ -63,15 +59,7 @@ references = [
risk_score = 21
rule_id = "06a7a03c-c735-47a6-a313-51c354aef6c3"
severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -84,16 +72,14 @@ process where host.os.type == "windows" and event.type == "start" and
[[rule.threat]]
framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1018"
-name = "Remote System Discovery"
-reference = "https://attack.mitre.org/techniques/T1018/"
-
[[rule.threat.technique]]
id = "T1482"
name = "Domain Trust Discovery"
reference = "https://attack.mitre.org/techniques/T1482/"
-
+[[rule.threat.technique]]
+id = "T1018"
+name = "Remote System Discovery"
+reference = "https://attack.mitre.org/techniques/T1018/"
[rule.threat.tactic]
id = "TA0007"
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
index 2417a773e..34783cece 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
@@ -2,7 +2,9 @@
creation_date = "2022/05/31"
integration = ["endpoint", "windows", "system"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
[rule]
author = ["Elastic"]
@@ -18,13 +20,7 @@ false_positives = [
""",
]
from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Enumerating Domain Trusts via NLTEST.EXE"
@@ -66,15 +62,14 @@ references = [
risk_score = 21
rule_id = "84da2554-e12a-11ec-b896-f661ea17fbcd"
severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend"
+ ]
timestamp_override = "event.ingested"
type = "eql"
@@ -89,22 +84,20 @@ not process.parent.name : "PDQInventoryScanner.exe" and
not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20")
'''
-
[[rule.threat]]
framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1018"
-name = "Remote System Discovery"
-reference = "https://attack.mitre.org/techniques/T1018/"
[[rule.threat.technique]]
id = "T1482"
name = "Domain Trust Discovery"
reference = "https://attack.mitre.org/techniques/T1482/"
+[[rule.threat.technique]]
+id = "T1018"
+name = "Remote System Discovery"
+reference = "https://attack.mitre.org/techniques/T1018/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules/windows/discovery_group_policy_object_discovery.toml b/rules/windows/discovery_group_policy_object_discovery.toml
index e67adb376..7baf49bd1 100644
--- a/rules/windows/discovery_group_policy_object_discovery.toml
+++ b/rules/windows/discovery_group_policy_object_discovery.toml
@@ -2,23 +2,20 @@
creation_date = "2023/01/18"
integration = ["windows", "endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
+
[rule]
author = ["Elastic"]
description = """
-Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the
-reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and
-possible methods to escalate privileges or move laterally.
+Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy
+objects during the reconnaissance phase after compromising a system to gain a better understanding
+of the active directory environment and possible methods to escalate privileges or move laterally.
"""
from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Group Policy Discovery via Microsoft GPResult Utility"
@@ -58,14 +55,7 @@ The detection rule 'Group Policy Discovery via Microsoft GPResult Utility' is de
risk_score = 21
rule_id = "94a401ba-4fa2-455c-b7ae-b6e037afc0b7"
severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -74,7 +64,6 @@ process where host.os.type == "windows" and event.type == "start" and
(process.name: "gpresult.exe" or ?process.pe.original_file_name == "gprslt.exe") and
process.args: ("/z", "/v", "/r", "/x")
'''
-
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
@@ -82,9 +71,7 @@ id = "T1615"
name = "Group Policy Discovery"
reference = "https://attack.mitre.org/techniques/T1615/"
-
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules/windows/discovery_high_number_ad_properties.toml b/rules/windows/discovery_high_number_ad_properties.toml
index e8bd71550..85a3f5255 100644
--- a/rules/windows/discovery_high_number_ad_properties.toml
+++ b/rules/windows/discovery_high_number_ad_properties.toml
@@ -2,7 +2,9 @@
creation_date = "2023/01/29"
integration = ["windows", "system"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/02"
[rule]
author = ["Elastic"]
@@ -17,7 +19,8 @@ license = "Elastic License v2"
name = "Suspicious Access to LDAP Attributes"
risk_score = 73
rule_id = "68ad737b-f90a-4fe5-bda6-a68fa460044e"
-setup = """The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
+setup = """
+The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:
Computer Configuration >
diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml
index 03a18f7de..4bd545398 100644
--- a/rules/windows/discovery_peripheral_device.toml
+++ b/rules/windows/discovery_peripheral_device.toml
@@ -2,7 +2,9 @@
creation_date = "2020/11/02"
integration = ["endpoint", "windows"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
[rule]
author = ["Elastic"]
@@ -11,13 +13,7 @@ Identifies use of the Windows file system utility (fsutil.exe) to gather informa
and components connected to a computer system.
"""
from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Peripheral Device Discovery"
@@ -61,15 +57,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
diff --git a/rules/windows/discovery_posh_invoke_sharefinder.toml b/rules/windows/discovery_posh_invoke_sharefinder.toml
index 717838974..3c2b0f7cf 100644
--- a/rules/windows/discovery_posh_invoke_sharefinder.toml
+++ b/rules/windows/discovery_posh_invoke_sharefinder.toml
@@ -2,7 +2,9 @@
creation_date = "2022/08/17"
integration = ["windows"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
@@ -75,16 +77,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
```
"""
severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Tactic: Collection",
- "Tactic: Execution",
- "Resources: Investigation Guide",
- "Data Source: PowerShell Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
timestamp_override = "event.ingested"
type = "query"
@@ -139,14 +132,15 @@ reference = "https://attack.mitre.org/techniques/T1106/"
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
+
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
id = "T1039"
name = "Data from Network Shared Drive"
reference = "https://attack.mitre.org/techniques/T1039/"
-
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
diff --git a/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml b/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
index 6c49a4331..f6108af2a 100644
--- a/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
+++ b/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
@@ -1,7 +1,9 @@
[metadata]
creation_date = "2023/09/22"
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/09/22"
[rule]
author = ["Elastic"]
@@ -17,16 +19,14 @@ name = "Unusual Discovery Signal Alert with Unusual Process Command Line"
risk_score = 21
rule_id = "29ef5686-9b93-433e-91b5-683911094698"
severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Rule Type: Higher-Order Rule",
-]
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Rule Type: Higher-Order Rule"
+ ]
timestamp_override = "event.ingested"
type = "new_terms"
-
query = '''
host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:(
"d68e95ad-1c82-4074-a12a-125fe10ac8ba" or "7b8bfc26-81d2-435e-965c-d722ee397ef1" or
@@ -36,7 +36,6 @@ host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:(
)
'''
-
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -48,8 +47,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "user.id", "process.command_line"]
+
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
-
-
diff --git a/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml b/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
index b39b57e19..6da4d484d 100644
--- a/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
+++ b/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
@@ -1,7 +1,9 @@
[metadata]
creation_date = "2023/09/22"
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/11/13"
[rule]
author = ["Elastic"]
@@ -17,21 +19,18 @@ name = "Unusual Discovery Signal Alert with Unusual Process Executable"
risk_score = 21
rule_id = "72ed9140-fe9d-4a34-a026-75b50e484b17"
severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Rule Type: Higher-Order Rule",
-]
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Rule Type: Higher-Order Rule"
+ ]
timestamp_override = "event.ingested"
type = "new_terms"
-
query = '''
host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"1d72d014-e2ab-4707-b056-9b96abe7b511"
'''
-
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -43,8 +42,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "user.id", "process.executable"]
+
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
-
-
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index 0df4a75f2..5d6fe0c1f 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -2,7 +2,9 @@
creation_date = "2020/02/18"
integration = ["endpoint", "system", "windows"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
[rule]
author = ["Elastic"]
@@ -64,15 +66,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Discovery",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
index 0d47ba3a7..8dd36feec 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
@@ -2,7 +2,9 @@
creation_date = "2020/12/14"
integration = ["endpoint", "windows", "system"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
[rule]
author = ["Elastic"]
@@ -11,13 +13,7 @@ false_positives = [
"Trusted SolarWinds child processes. Verify process details such as network connections and file writes.",
]
from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Command Execution via SolarWinds Process"
@@ -36,15 +32,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Tactic: Initial Access",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -67,6 +55,7 @@ framework = "MITRE ATT&CK"
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
+
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
@@ -78,7 +67,6 @@ name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"
-
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
index aa5459694..ac3ce9329 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
@@ -2,7 +2,9 @@
creation_date = "2020/12/14"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
[rule]
author = ["Elastic"]
@@ -30,14 +32,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml
index 44443946e..83546affc 100644
--- a/rules/windows/execution_com_object_xwizard.toml
+++ b/rules/windows/execution_com_object_xwizard.toml
@@ -2,7 +2,9 @@
creation_date = "2021/01/20"
integration = ["endpoint", "windows"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
[rule]
author = ["Elastic"]
@@ -12,13 +14,7 @@ programming interface (API) that enables interaction between software objects or
run a COM object created in registry to evade defensive counter measures.
"""
from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Execution of COM object via Xwizard"
@@ -37,14 +33,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
index 29d7056f1..0d8848c10 100644
--- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
+++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
@@ -2,7 +2,9 @@
creation_date = "2020/02/18"
integration = ["endpoint", "windows"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/08"
[transform]
[[transform.osquery]]
@@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
"""
-
[rule]
author = ["Elastic"]
description = """
@@ -43,12 +44,7 @@ false_positives = [
""",
]
from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-endpoint.events.network-*",
- "logs-windows.sysmon_operational-*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Command Prompt Network Connection"
@@ -110,15 +106,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
risk_score = 21
rule_id = "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696"
severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
type = "eql"
query = '''
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index 61d4d0576..ae32c9edd 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -2,7 +2,9 @@
creation_date = "2020/02/18"
integration = ["endpoint", "windows", "system"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2024/04/05"
[transform]
[[transform.osquery]]
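Review bot: The `min_stack_comments` added to execution_command_shell_started_by_svchost.toml justifies `min_stack_version = "8.6.0"` by multi-field New Terms support, but neither the rule's `type` nor its `new_terms_fields` is in this hunk, so the floor cannot be checked from the diff. Please confirm the rule is `type = "new_terms"` with more than one field in `value = [...]`; if it is not, the comment was copied from another rule and the floor withholds the rule from 8.3–8.5 stacks for no reason (a `min_stack_version` is, as I understand the field, the lowest stack a rule is packaged for). The two Unusual Discovery Signal rules in this diff that carry the same comment do show three-field `new_terms_fields`, which is the pattern this comment should match. If the floor is really there for another reason, say so in `min_stack_comments` instead of reusing the New Terms wording.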
diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml
index ba9c7d475..07b82ed12 100644
--- a/rules/windows/execution_command_shell_started_by_unusual_process.toml
+++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml
@@ -2,19 +2,15 @@
creation_date = "2020/08/21"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "SentinelOne integration package minimum version for validation."
+min_stack_version = "8.11.0"
+updated_date = "2024/05/16"
[rule]
author = ["Elastic"]
description = "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process."
from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.sysmon_operational-*",
- "endgame-*",
- "logs-sentinel_one_cloud_funnel.*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Parent Process for cmd.exe"
@@ -29,16 +25,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"]
timestamp_override = "event.ingested"
type = "eql"
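Review bot: `min_stack_version = "8.11.0"` in this metadata hunk pins "Unusual Parent Process for cmd.exe" to 8.11+ for the whole rule, yet the index list in the same hunk also covers `logs-endpoint.events.process-*`, `logs-windows.sysmon_operational-*` and `endgame-*`, none of which depend on the SentinelOne integration. If the only reason for the floor is schema validation of the `logs-sentinel_one_cloud_funnel.*` fields, as the comment says, then every 8.3–8.10 stack loses this detection outright as a side effect, and that trade-off should be recorded where the next maintainer will see it: `min_stack_comments = "SentinelOne integration package minimum version for validation; as a result the rule is not packaged for stacks below 8.11."`. If the earlier, lower floor is what was intended for this rule, that is worth confirming before the version lock for 8.3–8.10 is rebuilt around this value.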
diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml
index 283ae13e8..37d892108 100644
--- a/rules/windows/execution_command_shell_via_rundll32.toml
+++ b/rules/windows/execution_command_shell_via_rundll32.toml
@@ -2,7 +2,9 @@
creation_date = "2020/10/19"
integration = ["endpoint", "windows"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
[rule]
author = ["Elastic"]
@@ -24,17 +26,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Tactic: Credential Access",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
timestamp_override = "event.ingested"
type = "eql"
@@ -58,7 +50,6 @@ reference = "https://attack.mitre.org/techniques/T1059/"
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"
-
[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
@@ -82,6 +73,8 @@ reference = "https://attack.mitre.org/techniques/T1552/"
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
+
+
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
diff --git a/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
index 1fe398d77..704e5d260 100644
--- a/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
+++ b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
@@ -2,7 +2,9 @@
creation_date = "2023/09/25"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -18,14 +20,7 @@ name = "Delayed Execution via Ping"
risk_score = 21
rule_id = "e00b8d49-632f-4dc6-94a5-76153a481915"
severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
type = "eql"
query = '''
@@ -67,86 +62,88 @@ sequence by process.parent.entity_id with maxspan=1m
[[rule.threat]]
framework = "MITRE ATT&CK"
+
[[rule.threat.technique]]
-id = "T1059"
name = "Command and Scripting Interpreter"
+id = "T1059"
reference = "https://attack.mitre.org/techniques/T1059/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.001"
-name = "PowerShell"
-reference = "https://attack.mitre.org/techniques/T1059/001/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.005"
-name = "Visual Basic"
-reference = "https://attack.mitre.org/techniques/T1059/005/"
+ [[rule.threat.technique.subtechnique]]
+ name = "Visual Basic"
+ id = "T1059.005"
+ reference = "https://attack.mitre.org/techniques/T1059/005/"
+ [[rule.threat.technique.subtechnique]]
+ name = "PowerShell"
+ id = "T1059.001"
+ reference = "https://attack.mitre.org/techniques/T1059/001/"
+ [rule.threat.tactic]
+ name = "Execution"
+ id = "TA0002"
+ reference = "https://attack.mitre.org/tactics/TA0002/"
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1216"
-name = "System Script Proxy Execution"
-reference = "https://attack.mitre.org/techniques/T1216/"
-
-[[rule.threat.technique]]
-id = "T1218"
-name = "System Binary Proxy Execution"
-reference = "https://attack.mitre.org/techniques/T1218/"
-[[rule.threat.technique.subtechnique]]
-id = "T1218.003"
-name = "CMSTP"
-reference = "https://attack.mitre.org/techniques/T1218/003/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1218.004"
-name = "InstallUtil"
-reference = "https://attack.mitre.org/techniques/T1218/004/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1218.005"
-name = "Mshta"
-reference = "https://attack.mitre.org/techniques/T1218/005/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1218.009"
-name = "Regsvcs/Regasm"
-reference = "https://attack.mitre.org/techniques/T1218/009/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1218.010"
-name = "Regsvr32"
-reference = "https://attack.mitre.org/techniques/T1218/010/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1218.011"
-name = "Rundll32"
-reference = "https://attack.mitre.org/techniques/T1218/011/"
-
-
-[[rule.threat.technique]]
-id = "T1220"
-name = "XSL Script Processing"
-reference = "https://attack.mitre.org/techniques/T1220/"
[[rule.threat.technique]]
id = "T1497"
name = "Virtualization/Sandbox Evasion"
reference = "https://attack.mitre.org/techniques/T1497/"
-[[rule.threat.technique.subtechnique]]
-id = "T1497.003"
-name = "Time Based Evasion"
-reference = "https://attack.mitre.org/techniques/T1497/003/"
+ [[rule.threat.technique.subtechnique]]
+ name = "Time Based Evasion"
+ id = "T1497.003"
+ reference = "https://attack.mitre.org/techniques/T1497/003/"
+
+[[rule.threat.technique]]
+name = "System Binary Proxy Execution"
+id = "T1218"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+ [[rule.threat.technique.subtechnique]]
+ name = "CMSTP"
+ id = "T1218.003"
+ reference = "https://attack.mitre.org/techniques/T1218/003/"
+
+ [[rule.threat.technique.subtechnique]]
+ name = "InstallUtil"
+ id = "T1218.004"
+ reference = "https://attack.mitre.org/techniques/T1218/004/"
+
+ [[rule.threat.technique.subtechnique]]
+ name = "Mshta"
+ id = "T1218.005"
+ reference = "https://attack.mitre.org/techniques/T1218/005/"
+
+ [[rule.threat.technique.subtechnique]]
+ name = "Regsvcs/Regasm"
+ id = "T1218.009"
+ reference = "https://attack.mitre.org/techniques/T1218/009/"
+
+ [[rule.threat.technique.subtechnique]]
+ name = "Regsvr32"
+ id = "T1218.010"
+ reference = "https://attack.mitre.org/techniques/T1218/010/"
+
+ [[rule.threat.technique.subtechnique]]
+ name = "Rundll32"
+ id = "T1218.011"
+ reference = "https://attack.mitre.org/techniques/T1218/011/"
+
+ [[rule.threat.technique]]
+ name = "System Script Proxy Execution"
+ id = "T1216"
+ reference =
"https://attack.mitre.org/techniques/T1216/"
+
+ [[rule.threat.technique]]
+ name = "XSL Script Processing"
+ id = "T1220"
+ reference = "https://attack.mitre.org/techniques/T1220/"
[rule.threat.tactic]
-id = "TA0005"
name = "Defense Evasion"
+id = "TA0005"
reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/windows/execution_downloaded_shortcut_files.toml b/rules/windows/execution_downloaded_shortcut_files.toml
index 4475a3d53..1f765f65c 100644
--- a/rules/windows/execution_downloaded_shortcut_files.toml
+++ b/rules/windows/execution_downloaded_shortcut_files.toml
@@ -2,7 +2,9 @@
creation_date = "2020/09/02"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -18,13 +20,7 @@ name = "Downloaded Shortcut Files"
risk_score = 21
rule_id = "39157d52-4035-44a8-9d1a-6f8c5f580a07"
severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml
index 14bb98b6e..a5a22b38a 100644
--- a/rules/windows/execution_downloaded_url_file.toml
+++ b/rules/windows/execution_downloaded_url_file.toml
@@ -2,7 +2,9 @@
creation_date = "2020/09/02"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
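Review bot: The rewritten `[[rule.threat]]` blocks in the execution_delayed_via_ping_lolbas_unsigned.toml hunk put `name` before `id` and indent the sub-tables (`+ [[rule.threat.technique.subtechnique]]`, `+ name = "Visual Basic"`, `+ id = "T1059.005"`), while every other rule file in this diff keeps `id`, `name`, `reference` in that order at column 0. The ATT&CK mapping itself is unchanged — T1059 with .001 and .005, T1497.003, T1218 with .003/.004/.005/.009/.010/.011, T1216 and T1220 all survive the reorder — so this is layout only, but it leaves one file in the change set with a different layout that a later formatting pass will most likely churn back. I would keep the repository order for each entry, e.g. `id = "T1059.001"`, `name = "PowerShell"`, `reference = "https://attack.mitre.org/techniques/T1059/001/"`, unindented. The `[rule.threat.tactic]` entry for Execution is now indented as well and would get the same treatment.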
@@ -18,14 +20,7 @@ name = "Downloaded URL Files" risk_score = 21 rule_id = "cd82e3d6-1346-4afd-8f22-38388bbf34cb" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml index 59c46879a..9fbea06f8 100644 --- a/rules/windows/execution_enumeration_via_wmiprvse.toml +++ b/rules/windows/execution_enumeration_via_wmiprvse.toml @@ -2,7 +2,9 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -11,13 +13,7 @@ Identifies native Windows host and network enumeration commands spawned by the W Provider Service (WMIPrvSE). """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Enumeration Command Spawned via WMIPrvSE" 
@@ -32,14 +28,13 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -78,41 +73,27 @@ process where host.os.type == "windows" and event.type == "start" and process.co not process.args : "tenable_mw_scan" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1016" -name = "System Network Configuration Discovery" -reference = "https://attack.mitre.org/techniques/T1016/" -[[rule.threat.technique.subtechnique]] -id = "T1016.001" -name = "Internet Connection Discovery" -reference = "https://attack.mitre.org/techniques/T1016/001/" - [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" -[[rule.threat.technique]] -id = "T1057" -name = "Process Discovery" -reference = "https://attack.mitre.org/techniques/T1057/" - [[rule.threat.technique]] id = "T1087" name = "Account Discovery" 
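Review bot: The restored `tags` array in execution_enumeration_via_wmiprvse.toml uses a mixed layout — first element on the `tags = [` line, remaining elements indented, closing `]` indented by four spaces — which matches neither the single-line form the other files in this commit get (e.g. execution_downloaded_shortcut_files.toml) nor the one-element-per-line form being removed; execution_from_unusual_path_cmdline.toml similarly only drops the trailing comma after its last tag. The same mixed layout appears in execution_ms_office_written_file.toml, execution_scheduled_task_powershell_source.toml, execution_suspicious_powershell_imgload.toml and execution_suspicious_psexesvc.toml. If these files are regenerated by the repo's TOML writer on the next normalization pass this is cosmetic, but hand-maintained files diff more cleanly with one consistent form, e.g. `tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]`.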
@@ -123,9 +104,22 @@ id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + +[[rule.threat.technique.subtechnique]] +id = "T1016.001" +name = "Internet Connection Discovery" +reference = "https://attack.mitre.org/techniques/T1016/001/" + +[[rule.threat.technique]] +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml index ad08c31dc..00c433705 100644 --- a/rules/windows/execution_from_unusual_path_cmdline.toml +++ b/rules/windows/execution_from_unusual_path_cmdline.toml @@ -2,7 +2,9 @@ creation_date = "2020/10/30" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] @@ -37,13 +39,7 @@ Identifies process execution from suspicious default Windows directories. This m malware in trusted paths. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Execution from Unusual Directory - Command Line" 
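Review bot: T1016, T1016.001 and T1057 now sit after T1518 in execution_enumeration_via_wmiprvse.toml, so the Discovery techniques are no longer in ascending id order (T1018, T1087, …, T1518, T1016, T1057), whereas the removed side kept them sorted. The ATT&CK mapping itself stays correct, because TOML nests the `[[rule.threat.technique.subtechnique]]` entry for T1016.001 under the immediately preceding `[[rule.threat.technique]]` (T1016); the point is readability and diff stability against whatever order the repo's rule formatter emits, and the hunk also drops the file's trailing blank line. Keeping the T1016/T1016.001/T1057 block ahead of T1018, as the removed lines had it, would avoid the reorder.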
@@ -117,7 +113,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml index ee8d103a5..569d4f4e1 100644 --- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml +++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [transform] [[transform.osquery]] @@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ @@ -38,12 +39,7 @@ malicious code in a CHM file and deliver it to a victim for execution. CHM conte program (hh.exe). """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.network-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Network Connection via Compiled HTML File" 
@@ -112,15 +108,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 21 rule_id = "b29ee2be-bf99-446c-ab1a-2dc0183394b8" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' diff --git a/rules/windows/execution_initial_access_via_msc_file.toml b/rules/windows/execution_initial_access_via_msc_file.toml index 8fe4c6a5b..6ca1ac04c 100644 --- a/rules/windows/execution_initial_access_via_msc_file.toml +++ b/rules/windows/execution_initial_access_via_msc_file.toml @@ -2,13 +2,15 @@ creation_date = "2024/05/12" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/12" [rule] author = ["Elastic"] description = """ -Identifies the execution of a child process from a Microsoft Common Console file. Adversaries may embed a malicious -command in an MSC file in order to trick victims into executing malicious commands. +Identifies the execution of a child process from a Microsoft Common Console file. Adversaries may embed a malicious command +in an MSC file in order to trick victims into executing malicious commands. """ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"] 
@@ -43,17 +45,7 @@ references = ["https://www.genians.co.kr/blog/threat_intelligence/facebook"] risk_score = 73 rule_id = "e760c72b-bb1f-44f0-9f0d-37d51744ee75" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Initial Access", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_mofcomp.toml b/rules/windows/execution_mofcomp.toml index ec3ebfe1b..d29168632 100644 --- a/rules/windows/execution_mofcomp.toml +++ b/rules/windows/execution_mofcomp.toml @@ -2,7 +2,9 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] @@ -19,13 +21,7 @@ name = "Mofcomp Activity" risk_score = 21 rule_id = "210d4430-b371-470e-b879-80b7182aa75e" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -44,19 +40,19 @@ process where host.os.type == "windows" and event.type == "start" and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -74,4 +70,3 @@ reference = "https://attack.mitre.org/techniques/T1546/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml index d441f9758..25359d1de 100644 --- a/rules/windows/execution_ms_office_written_file.toml +++ b/rules/windows/execution_ms_office_written_file.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/02" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] @@ -66,15 +68,14 @@ This rule searches for executable files written by MS Office applications execut risk_score = 73 rule_id = "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] type = "eql" query = ''' @@ -94,7 +95,6 @@ sequence with maxspan=2h ] by host.id, process.executable ''' - [[rule.threat]] framework = "MITRE ATT&CK" 
@@ -102,12 +102,15 @@ framework = "MITRE ATT&CK" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" @@ -118,10 +121,7 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml index 55edc986b..bb2bbb41f 100644 --- a/rules/windows/execution_pdf_written_file.toml +++ b/rules/windows/execution_pdf_written_file.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] @@ -11,13 +13,7 @@ Identifies a suspicious file that was written by a PDF reader application and su often launched via exploitation of PDF applications. """ from = "now-120m" -index = [ - "logs-endpoint.events.process-*", - "logs-endpoint.events.file-*", - "winlogbeat-*", - "logs-windows.sysmon_operational-*", - "endgame-*", -] +index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"] interval = "60m" language = "eql" license = "Elastic License v2" 
@@ -72,16 +68,7 @@ This rule searches for executable files written by PDF reader software and execu risk_score = 73 rule_id = "1defdd62-cd8d-426e-a246-81a37751bb2b" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' diff --git a/rules/windows/execution_posh_hacktool_authors.toml b/rules/windows/execution_posh_hacktool_authors.toml index 96685e222..dc920086f 100644 --- a/rules/windows/execution_posh_hacktool_authors.toml +++ b/rules/windows/execution_posh_hacktool_authors.toml @@ -2,7 +2,9 @@ creation_date = "2024/05/08" integration = ["windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/05/08" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [rule] author = ["Elastic"] @@ -16,11 +18,6 @@ index = ["winlogbeat-*", "logs-windows.powershell*"] language = "kuery" license = "Elastic License v2" name = "Potential PowerShell HackTool Script by Author" -references = [ - "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", -] -risk_score = 73 -rule_id = "2553a9af-52a4-4a05-bb03-85b2a479a0a0" setup = """## Setup The 'PowerShell Script Block Logging' logging policy must be enabled. 
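Review bot: In execution_posh_hacktool_authors.toml the metadata hunk places `updated_date = "2024/05/08"` before `min_stack_comments`/`min_stack_version`, while every other metadata hunk in this commit puts `updated_date` last; the following hunks of the same file likewise move `references`, `risk_score` and `rule_id` from before `setup` to after it. The parser does not care, but it leaves this file as the one outlier if the repo relies on a fixed key order for deterministic diffs. Suggest `min_stack_comments = "New fields added: required_fields, related_integrations, setup"`, `min_stack_version = "8.3.0"`, `updated_date = "2024/05/08"` in that order, matching the sibling files.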
@@ -39,14 +36,13 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: PowerShell Logs", +references = [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", ] +risk_score = 73 +rule_id = "2553a9af-52a4-4a05-bb03-85b2a479a0a0" +severity = "high" +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml index 579739d59..45f71e908 100644 --- a/rules/windows/execution_posh_portable_executable.toml +++ b/rules/windows/execution_posh_portable_executable.toml @@ -2,7 +2,9 @@ creation_date = "2021/10/15" integration = ["windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [transform] [[transform.osquery]] @@ -123,15 +125,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: PowerShell Logs", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" type = "query" 
@@ -160,6 +154,7 @@ reference = "https://attack.mitre.org/techniques/T1059/001/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml index 4384952db..b8850975d 100644 --- a/rules/windows/execution_psexec_lateral_movement_command.toml +++ b/rules/windows/execution_psexec_lateral_movement_command.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] @@ -17,12 +19,7 @@ false_positives = [ """, ] from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.network-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "PsExec Network Connection" @@ -61,16 +58,7 @@ This rule identifies PsExec execution by looking for the creation of `PsExec.exe risk_score = 21 rule_id = "55d551c6-333b-4665-ab7e-5d14a59715ce" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Lateral Movement", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' 
@@ -109,22 +97,22 @@ name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" - [[rule.threat.technique]] id = "T1570" name = "Lateral Tool Transfer" reference = "https://attack.mitre.org/techniques/T1570/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml index dc36a88a2..da54d2e10 100644 --- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml +++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [transform] [[transform.osquery]] @@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ @@ -43,12 +44,7 @@ false_positives = [ """, ] from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.network-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Network Connection via Registration Utility" 
@@ -109,16 +105,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 21 rule_id = "fb02b8d3-71ee-4af1-bacd-215d23f17efa" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' @@ -152,6 +139,7 @@ framework = "MITRE ATT&CK" id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.009" name = "Regsvcs/Regasm" diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml index afa9ece3f..e7a2ccfbb 100644 --- a/rules/windows/execution_scheduled_task_powershell_source.toml +++ b/rules/windows/execution_scheduled_task_powershell_source.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/15" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] 
@@ -12,12 +14,7 @@ within a short time period. This may indicate lateral movement or remote discove """ false_positives = ["Legitimate scheduled tasks may be created during installation of new software."] from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.library-*", - "logs-endpoint.events.network-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.library-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Outbound Scheduled Task Activity via PowerShell" @@ -28,13 +25,13 @@ risk_score = 47 rule_id = "5cd55388-a19c-47c7-8ec4-f41656c2fded" severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ] type = "eql" query = ''' 
@@ -44,32 +41,30 @@ sequence by host.id, process.entity_id with maxspan = 5s [network where host.os.type == "windows" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and destination.port == 135 and not destination.address in ("127.0.0.1", "::1")] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml index b5b97384f..b43dece27 100644 --- a/rules/windows/execution_shared_modules_local_sxs_dll.toml +++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml @@ -2,7 +2,9 @@ creation_date = "2020/10/28" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -32,15 +34,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml index b2aa9aee9..33c1f0309 100644 --- a/rules/windows/execution_suspicious_cmd_wmi.toml +++ b/rules/windows/execution_suspicious_cmd_wmi.toml @@ -2,7 +2,9 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -11,13 +13,7 @@ Identifies suspicious command execution (cmd) via Windows Management Instrumenta be indicative of adversary lateral movement. """ from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Suspicious Cmd Execution via WMI" 
@@ -32,14 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -57,17 +46,17 @@ id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml index 9a1dba523..e29aa19bf 100644 --- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml +++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/17" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -30,15 +32,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml index 253e8841b..d77be8a3b 100644 --- a/rules/windows/execution_suspicious_pdf_reader.toml +++ b/rules/windows/execution_suspicious_pdf_reader.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/30" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -11,13 +13,7 @@ Identifies suspicious child processes of PDF reader applications. These child pr exploitation of PDF applications or social engineering. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Suspicious PDF Reader Child Process" 
@@ -80,16 +76,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Initial Access", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -122,6 +109,7 @@ reference = "https://attack.mitre.org/techniques/T1203/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -133,8 +121,6 @@ id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml index 04bf6f51e..223ec981b 100644 --- a/rules/windows/execution_suspicious_powershell_imgload.toml +++ b/rules/windows/execution_suspicious_powershell_imgload.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/17" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/04/01" [rule] author = ["Elastic"] 
@@ -61,14 +63,13 @@ Attackers can use PowerShell without having to execute `PowerShell.exe` directly
 risk_score = 47
 rule_id = "852c1f19-68e8-43a6-9dce-340771fe1be3"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -92,20 +93,19 @@ host.os.type:windows and event.category:library and
 ) and not process.executable.caseless : "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
@@ -114,8 +114,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "process.executable", "user.id"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
-
-
diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml
index 8a48048d3..61e6eab2b 100644
--- a/rules/windows/execution_suspicious_psexesvc.toml
+++ b/rules/windows/execution_suspicious_psexesvc.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/14"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
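Review bot: The new `tags` value in the `@@ -61,14 +63,13 @@` hunk of execution_suspicious_powershell_imgload.toml is a hand-wrapped array with one element per line and a bare `]` closing line, whereas every other file touched by this change writes the array on a single line (`tags = ["Domain: Endpoint", "OS: Windows", …]`). The same wrapped form appears in the psexesvc rule's `@@ -57,17 +59,16 @@` hunk, and in the inetcache rule the new `references` element loses both its indentation and its trailing comma. The values are equivalent TOML, but any formatter run over the rules directory will rewrite these three spots back, so it is worth emitting the single-line form here now to avoid churn on the next pass.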
@@ -57,17 +59,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -76,24 +77,24 @@ process where host.os.type == "windows" and event.type == "start" and
 process.pe.original_file_name : "psexesvc.exe" and not process.name : "PSEXESVC.exe"
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1569"
 name = "System Services"
 reference = "https://attack.mitre.org/techniques/T1569/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1569.002"
 name = "Service Execution"
 reference = "https://attack.mitre.org/techniques/T1569/002/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml
index 0d012b1de..22b16f8f1 100644
--- a/rules/windows/execution_via_compiled_html_file.toml
+++ b/rules/windows/execution_via_compiled_html_file.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [transform]
 [[transform.osquery]]
@@ -45,13 +47,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Process Activity via Compiled HTML File"
@@ -123,15 +119,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml
index 7398ebd3c..16e42c765 100644
--- a/rules/windows/execution_via_hidden_shell_conhost.toml
+++ b/rules/windows/execution_via_hidden_shell_conhost.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/17"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -77,18 +79,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Tactic: Defense Evasion",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -116,6 +107,7 @@ reference = "https://attack.mitre.org/techniques/T1059/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -128,6 +120,7 @@ reference = "https://attack.mitre.org/techniques/T1036/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/exfiltration_smb_rare_destination.toml b/rules/windows/exfiltration_smb_rare_destination.toml
index 4a6fd86e8..019b7b033 100644
--- a/rules/windows/exfiltration_smb_rare_destination.toml
+++ b/rules/windows/exfiltration_smb_rare_destination.toml
@@ -2,13 +2,15 @@
 creation_date = "2023/12/04"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
+
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials
-via rogue UNC path injection.
+This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials via rogue UNC path injection.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
@@ -19,15 +21,7 @@ references = ["https://www.securify.nl/en/blog/living-off-the-land-stealing-netn
 risk_score = 47
 rule_id = "f580bf0a-2d23-43bb-b8e1-17548bb947ec"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Exfiltration",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -70,6 +64,7 @@ event.category:network and host.os.type:windows and process.pid:4 and
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -83,11 +78,12 @@ id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+
+
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["destination.ip"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-7d"
-
-
diff --git a/rules/windows/impact_backup_file_deletion.toml b/rules/windows/impact_backup_file_deletion.toml
index 5d756dbbc..ac8c3262b 100644
--- a/rules/windows/impact_backup_file_deletion.toml
+++ b/rules/windows/impact_backup_file_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/10/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -69,15 +71,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Impact",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -115,16 +109,15 @@ file where host.os.type == "windows" and event.type == "deletion" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1485"
-name = "Data Destruction"
-reference = "https://attack.mitre.org/techniques/T1485/"
-
 [[rule.threat.technique]]
 id = "T1490"
 name = "Inhibit System Recovery"
 reference = "https://attack.mitre.org/techniques/T1490/"
+[[rule.threat.technique]]
+id = "T1485"
+name = "Data Destruction"
+reference = "https://attack.mitre.org/techniques/T1485/"
 [rule.threat.tactic]
 id = "TA0040"
diff --git a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
index e588e0625..afcc562e9 100644
--- a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
+++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and o
 system recovery.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Deleting Backup Catalogs with Wbadmin"
@@ -71,15 +67,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Impact",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -92,16 +80,16 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1485"
-name = "Data Destruction"
-reference = "https://attack.mitre.org/techniques/T1485/"
-
 [[rule.threat.technique]]
 id = "T1490"
 name = "Inhibit System Recovery"
 reference = "https://attack.mitre.org/techniques/T1490/"
+[[rule.threat.technique]]
+id = "T1485"
+name = "Data Destruction"
+reference = "https://attack.mitre.org/techniques/T1485/"
+
 [rule.threat.tactic]
 id = "TA0040"
diff --git a/rules/windows/impact_high_freq_file_renames_by_kernel.toml b/rules/windows/impact_high_freq_file_renames_by_kernel.toml
index f03d9bf2a..dc9b0e143 100644
--- a/rules/windows/impact_high_freq_file_renames_by_kernel.toml
+++ b/rules/windows/impact_high_freq_file_renames_by_kernel.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/05/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/05/03"
 [rule]
 author = ["Elastic"]
@@ -55,16 +57,9 @@ references = ["https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomwa
 risk_score = 73
 rule_id = "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Impact",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
-timestamp_override = "event.ingested"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 type = "threshold"
+timestamp_override = "event.ingested"
 query = '''
 event.category:file and host.os.type:windows and process.pid:4 and event.action:creation and
@@ -79,11 +74,11 @@ id = "T1485"
 name = "Data Destruction"
 reference = "https://attack.mitre.org/techniques/T1485/"
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -95,8 +90,6 @@ id = "T1021.002"
 name = "SMB/Windows Admin Shares"
 reference = "https://attack.mitre.org/techniques/T1021/002/"
-
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
diff --git a/rules/windows/impact_modification_of_boot_config.toml b/rules/windows/impact_modification_of_boot_config.toml
index a9398ce6b..cd48ff5c4 100644
--- a/rules/windows/impact_modification_of_boot_config.toml
+++ b/rules/windows/impact_modification_of_boot_config.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/03/16"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ Identifies use of bcdedit.exe to delete boot configuration data. This tactic is
 attacker as a destructive technique.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Modification of Boot Configuration"
@@ -71,15 +67,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Impact",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/impact_ransomware_file_rename_smb.toml b/rules/windows/impact_ransomware_file_rename_smb.toml
index 40e79f39b..6b9573fa2 100644
--- a/rules/windows/impact_ransomware_file_rename_smb.toml
+++ b/rules/windows/impact_ransomware_file_rename_smb.toml
@@ -2,13 +2,15 @@
 creation_date = "2024/05/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/05/02"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies an incoming SMB connection followed by a suspicious file rename operation. This may indicate a remote
-ransomware attack via the SMB protocol.
+Identifies an incoming SMB connection followed by a suspicious file rename operation. This may indicate a remote ransomware
+attack via the SMB protocol.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
@@ -55,14 +57,7 @@ references = ["https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomwa
 risk_score = 73
 rule_id = "78e9b5d5-7c07-40a7-a591-3dbbf464c386"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Impact",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -81,21 +76,22 @@ sequence by host.id with maxspan=1s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1485"
-name = "Data Destruction"
-reference = "https://attack.mitre.org/techniques/T1485/"
-
 [[rule.threat.technique]]
 id = "T1490"
 name = "Inhibit System Recovery"
 reference = "https://attack.mitre.org/techniques/T1490/"
+[[rule.threat.technique]]
+id = "T1485"
+name = "Data Destruction"
+reference = "https://attack.mitre.org/techniques/T1485/"
+
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -108,9 +104,7 @@ name = "SMB/Windows Admin Shares"
 reference = "https://attack.mitre.org/techniques/T1021/002/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/windows/impact_ransomware_note_file_over_smb.toml b/rules/windows/impact_ransomware_note_file_over_smb.toml
index 275961dce..2427e4a92 100644
--- a/rules/windows/impact_ransomware_note_file_over_smb.toml
+++ b/rules/windows/impact_ransomware_note_file_over_smb.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/05/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/05/02"
 [rule]
 author = ["Elastic"]
@@ -55,14 +57,7 @@ note = """## Triage and analysis
 risk_score = 73
 rule_id = "02bab13d-fb14-4d7c-b6fe-4a28874d37c5"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Impact",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -80,21 +75,22 @@ sequence by host.id with maxspan=1s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1485"
-name = "Data Destruction"
-reference = "https://attack.mitre.org/techniques/T1485/"
-
 [[rule.threat.technique]]
 id = "T1490"
 name = "Inhibit System Recovery"
 reference = "https://attack.mitre.org/techniques/T1490/"
+[[rule.threat.technique]]
+id = "T1485"
+name = "Data Destruction"
+reference = "https://attack.mitre.org/techniques/T1485/"
+
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -112,4 +108,3 @@ reference = "https://attack.mitre.org/techniques/T1021/002/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/windows/impact_stop_process_service_threshold.toml b/rules/windows/impact_stop_process_service_threshold.toml
index f3b2a9e9f..4c7e219f9 100644
--- a/rules/windows/impact_stop_process_service_threshold.toml
+++ b/rules/windows/impact_stop_process_service_threshold.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/03"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ This rule identifies a high number (10) of process terminations (stop, delete, o
 short time period.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "High Number of Process and/or Service Terminations"
@@ -56,17 +52,9 @@ references = ["https://www.elastic.co/security-labs/luna-ransomware-attack-patte
 risk_score = 47
 rule_id = "035889c4-2686-4583-a7df-67f89c292f2c"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Impact",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
-timestamp_override = "event.ingested"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 type = "threshold"
+timestamp_override = "event.ingested"
 query = '''
 event.category:process and host.os.type:windows and event.type:start and
 process.name:(net.exe or sc.exe or taskkill.exe) and
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
index c55fe69b9..8cba18227 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints
 ransomware or other destructive attacks.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Volume Shadow Copy Deleted or Resized via VssAdmin"
@@ -89,15 +85,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Impact",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -120,4 +108,3 @@ reference = "https://attack.mitre.org/techniques/T1490/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
index 8ca781d1d..8fff537f8 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/07/19"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -11,13 +13,7 @@ Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve
 occurs in tandem with ransomware or other destructive attacks.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Volume Shadow Copy Deletion via PowerShell"
@@ -93,16 +89,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Impact",
- "Tactic: Execution",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -127,6 +114,7 @@ reference = "https://attack.mitre.org/techniques/T1490/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
index 8cffe4dd6..737be0b3d 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly
 other destructive attacks.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Volume Shadow Copy Deletion via WMIC"
@@ -89,16 +85,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Impact",
- "Tactic: Execution",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -121,14 +108,16 @@ reference = "https://attack.mitre.org/techniques/T1490/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1047"
 name = "Windows Management Instrumentation"
 reference = "https://attack.mitre.org/techniques/T1047/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
index 0c6d5e6f5..a3ebf3b31 100644
--- a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
+++ b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/07/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -26,13 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"]
 type = "eql"
 query = '''
diff --git a/rules/windows/initial_access_execution_from_inetcache.toml b/rules/windows/initial_access_execution_from_inetcache.toml
index 6d6d1b232..4c55b5c6d 100644
--- a/rules/windows/initial_access_execution_from_inetcache.toml
+++ b/rules/windows/initial_access_execution_from_inetcache.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/02/14"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -11,31 +13,17 @@ Identifies the execution of a process with arguments pointing to the INetCache F
 content via WININET during initial access.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Execution from INET Cache"
 references = [
- "https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html",
+"https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html"
 ]
 risk_score = 73
 rule_id = "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Tactic: Command and Control",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -59,11 +47,12 @@ name = "Spearphishing Attachment"
 reference = "https://attack.mitre.org/techniques/T1566/001/"
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -76,4 +65,3 @@ reference = "https://attack.mitre.org/techniques/T1105/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/windows/initial_access_execution_from_removable_media.toml b/rules/windows/initial_access_execution_from_removable_media.toml index 495c84b76..fd95d0db4 100644 --- a/rules/windows/initial_access_execution_from_removable_media.toml +++ b/rules/windows/initial_access_execution_from_removable_media.toml @@ -2,7 +2,9 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] @@ -19,13 +21,7 @@ name = "Execution from a Removable Media with Network Connection" risk_score = 21 rule_id = "1542fa53-955e-4330-8e4d-b2d812adeb5f" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"] type = "eql" query = ''' @@ -40,7 +36,6 @@ sequence by process.entity_id with maxspan=5m [network where host.os.type == "windows" and event.action == "connection_attempted"] ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -48,9 +43,7 @@ id = "T1091" name = "Replication Through Removable Media" reference = "https://attack.mitre.org/techniques/T1091/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/windows/initial_access_execution_remote_via_msiexec.toml b/rules/windows/initial_access_execution_remote_via_msiexec.toml index 054e39cfd..e8e45cc7b 100644 --- a/rules/windows/initial_access_execution_remote_via_msiexec.toml 
+++ b/rules/windows/initial_access_execution_remote_via_msiexec.toml @@ -2,13 +2,15 @@ creation_date = "2023/09/28" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] description = """ -Identifies the execution of the built-in Windows Installer, msiexec.exe, to install a remote package. Adversaries may -abuse msiexec.exe to launch local or network accessible MSI files. +Identifies the execution of the built-in Windows Installer, msiexec.exe, to install a remote package. Adversaries may abuse +msiexec.exe to launch local or network accessible MSI files. """ from = "now-9m" index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"] @@ -18,14 +20,7 @@ name = "Potential Remote File Execution via MSIEXEC" risk_score = 21 rule_id = "3e441bdb-596c-44fd-8628-2cfdf4516ada" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] type = "eql" query = ''' @@ -62,7 +57,6 @@ sequence with maxspan=1m ] by process.parent.entity_id ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -74,12 +68,11 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
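Review bot: The description reflow in the `@@ -2,13 +2,15 @@` hunk of initial_access_execution_remote_via_msiexec.toml moves the line break inside a `"""` multi-line basic string (`may` / `abuse` now split after `abuse`), and TOML preserves newlines inside such strings, so the description value changes and not only the file layout. If the loader normalises whitespace before hashing or exporting rule contents this is harmless; if it does not, each reflow registers as a content change to the rule. The same reflow occurs in the description hunks of initial_access_execution_via_office_addins.toml, initial_access_webshell_screenconnect_server.toml and lateral_movement_alternate_creds_pth.toml.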
@@ -97,4 +90,3 @@ reference = "https://attack.mitre.org/techniques/T1218/007/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/initial_access_execution_via_office_addins.toml b/rules/windows/initial_access_execution_via_office_addins.toml index fd670734d..7c44a71a9 100644 --- a/rules/windows/initial_access_execution_via_office_addins.toml +++ b/rules/windows/initial_access_execution_via_office_addins.toml @@ -2,13 +2,16 @@ creation_date = "2023/03/20" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] description = """ -Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with -an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In. +Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or +with an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing +MS Office Add-In. """ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"] 
@@ -16,22 +19,13 @@ language = "eql" license = "Elastic License v2" name = "Suspicious Execution via Microsoft Office Add-Ins" references = [ - "https://github.com/Octoberfest7/XLL_Phishing", - "https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/", +"https://github.com/Octoberfest7/XLL_Phishing", +"https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/" ] risk_score = 47 rule_id = "ae8a142c-6a1d-4918-bea7-0b617e99ecfa" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -96,6 +90,9 @@ reference = "https://attack.mitre.org/techniques/T1566/001/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -106,11 +103,8 @@ reference = "https://attack.mitre.org/techniques/T1137/" id = "T1137.006" name = "Add-ins" reference = "https://attack.mitre.org/techniques/T1137/006/" - - - + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml index 6d2f0b2e5..52aa662a8 100644 --- a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml +++ b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml 
@@ -2,7 +2,9 @@ creation_date = "2023/03/16" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4" +min_stack_version = "8.4.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -15,23 +17,14 @@ index = ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon language = "kuery" license = "Elastic License v2" name = "First Time Seen Removable Device" -references = [ - "https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html", - "https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings", -] risk_score = 21 rule_id = "0859355c-0f08-4b43-8ff5-7d2a4789fc08" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Exfiltration", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", +references = [ +"https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html", +"https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings" ] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "new_terms" 
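Review bot: The `@@ -15,23 +17,14 @@` hunk of initial_access_exfiltration_first_time_seen_usb.toml moves the `references` array from before `risk_score` to after `severity`, which breaks the alphabetical key order the other rule files on this page keep (`references` precedes `risk_score` in initial_access_execution_from_inetcache.toml and initial_access_exploit_jetbrains_teamcity.toml). If the file is regenerated by a TOML writer the order is whatever that writer emits, but for a hand-maintained file keeping the key order stable avoids a move that shows up as a delete-and-add in every later diff. The entries inside the moved array are unchanged, so this is layout only.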
@@ -47,22 +40,23 @@ id = "T1091" name = "Replication Through Removable Media" reference = "https://attack.mitre.org/techniques/T1091/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1052" name = "Exfiltration Over Physical Medium" reference = "https://attack.mitre.org/techniques/T1052/" -[[rule.threat.technique.subtechnique]] -id = "T1052.001" -name = "Exfiltration over USB" -reference = "https://attack.mitre.org/techniques/T1052/001/" + [[rule.threat.technique.subtechnique]] + id = "T1052.001" + name = "Exfiltration over USB" + reference = "https://attack.mitre.org/techniques/T1052/001/" [rule.threat.tactic] @@ -70,11 +64,10 @@ id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + [rule.new_terms] field = "new_terms_fields" value = ["registry.path"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" - - diff --git a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml index 60d4797b8..d721eef4d 100644 --- a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml +++ b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml @@ -2,7 +2,9 @@ creation_date = "2024/03/24" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -17,31 +19,17 @@ false_positives = [ """, ] from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Suspicious JetBrains TeamCity Child Process" references = [ - "https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html", + "https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html" ] risk_score = 47 rule_id = "730ed57d-ae0f-444f-af50-78708b57edd5" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -77,6 +65,8 @@ reference = "https://attack.mitre.org/techniques/T1190/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -87,16 +77,13 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - 
diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml index 54732f29f..c1cf05089 100644 --- a/rules/windows/initial_access_script_executing_powershell.toml +++ b/rules/windows/initial_access_script_executing_powershell.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -76,17 +78,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -118,6 +110,8 @@ reference = "https://attack.mitre.org/techniques/T1566/001/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -128,7 +122,6 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" 
diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml index c9c97d1bc..578905ab6 100644 --- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml +++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/27" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] @@ -11,29 +13,14 @@ Identifies use of the built-in Windows script interpreters (cscript.exe or wscri via Windows Management Instrumentation (WMI). This may be indicative of malicious activity. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.library-*", - "logs-windows.sysmon_operational-*", - "endgame-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Windows Script Interpreter Executing Process via WMI" risk_score = 47 rule_id = "b64b183e-1a76-422d-9179-7b389513e74d" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' 
@@ -86,13 +73,10 @@ reference = "https://attack.mitre.org/techniques/T1566/001/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1047" -name = "Windows Management Instrumentation" -reference = "https://attack.mitre.org/techniques/T1047/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -102,6 +86,10 @@ id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" [rule.threat.tactic] diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml index c82c46e2f..9e1d6e88d 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml @@ -2,7 +2,9 @@ creation_date = "2021/03/04" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic", "Austin Songer"] 
@@ -49,17 +51,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -93,6 +85,8 @@ reference = "https://attack.mitre.org/techniques/T1190/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml index 17f88e2e4..559342a05 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml @@ -2,7 +2,9 @@ creation_date = "2021/03/04" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic", "Austin Songer"] 
@@ -17,13 +19,7 @@ false_positives = [ """, ] from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Microsoft Exchange Server UM Spawning Suspicious Processes" @@ -42,16 +38,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -83,6 +70,7 @@ reference = "https://attack.mitre.org/techniques/T1190/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml index ada3c4421..2b7e956e3 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml 
@@ -2,7 +2,9 @@ creation_date = "2021/03/08" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -31,16 +33,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -64,6 +57,7 @@ reference = "https://attack.mitre.org/techniques/T1190/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -74,14 +68,12 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml index 90ea17b54..3552617eb 100644 --- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml 
+++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -12,13 +14,7 @@ These child processes are often launched during exploitation of Office applicati macros. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Suspicious MS Office Child Process" @@ -81,17 +77,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -159,6 +145,7 @@ reference = "https://attack.mitre.org/techniques/T1059/003/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -167,6 +154,7 @@ name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml index 34f4c925c..f3e9a2167 100644 --- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "SentinelOne integration package minimum version for validation." +min_stack_version = "8.11.0" +updated_date = "2024/05/16" [rule] author = ["Elastic"] @@ -11,14 +13,7 @@ Identifies suspicious child processes of Microsoft Outlook. These child processe phishing activity. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", - "logs-sentinel_one_cloud_funnel.*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Suspicious MS Outlook Child Process" 
@@ -80,18 +75,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"] timestamp_override = "event.ingested" type = "eql" @@ -126,6 +110,7 @@ reference = "https://attack.mitre.org/techniques/T1566/001/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -148,6 +133,7 @@ reference = "https://attack.mitre.org/techniques/T1059/003/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -156,6 +142,7 @@ name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml index 8fb53b5a5..1bf889fb9 100644 --- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml +++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/10/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -26,17 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -79,6 +71,7 @@ reference = "https://attack.mitre.org/techniques/T1566/002/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -94,7 +87,6 @@ reference = "https://attack.mitre.org/techniques/T1059/001/" id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" @@ -106,6 +98,7 @@ reference = "https://attack.mitre.org/techniques/T1059/005/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -114,6 +107,7 @@ name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/initial_access_webshell_screenconnect_server.toml b/rules/windows/initial_access_webshell_screenconnect_server.toml index e4fe726f8..507f47c25 100644 --- a/rules/windows/initial_access_webshell_screenconnect_server.toml +++ b/rules/windows/initial_access_webshell_screenconnect_server.toml @@ -2,22 +2,18 @@ creation_date = "2024/03/26" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] description = """ -Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). This -activity may indicate exploitation activity or access to an existing web shell backdoor. +Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). This activity may +indicate exploitation activity or access to an existing web shell backdoor. """ from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.sysmon_operational-*", - "logs-system.security*", - "endgame-*", -] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "ScreenConnect Server Spawning Suspicious Processes" 
@@ -25,16 +21,7 @@ references = ["https://blackpointcyber.com/resources/blog/breaking-through-the-s risk_score = 73 rule_id = "3d00feab-e203-4acc-a463-c3e15b7e9a73" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -58,6 +45,7 @@ reference = "https://attack.mitre.org/techniques/T1190/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -68,14 +56,12 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/initial_access_xsl_script_execution_via_com.toml b/rules/windows/initial_access_xsl_script_execution_via_com.toml index 4b35a4ed9..e757c7ffb 100644 --- a/rules/windows/initial_access_xsl_script_execution_via_com.toml +++ b/rules/windows/initial_access_xsl_script_execution_via_com.toml 
@@ -2,12 +2,14 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] description = """ -Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes. +Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes. This behavior may indicate adversarial activity to execute malicious JScript or VBScript on the system. """ from = "now-9m" @@ -18,14 +20,7 @@ name = "Remote XSL Script Execution via COM" risk_score = 21 rule_id = "48f657ee-de4f-477c-aa99-ed88ee7af97a" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] type = "eql" query = ''' @@ -43,7 +38,6 @@ sequence with maxspan=1m "?:\\Program Files (x86)\\*exe")] by process.parent.entity_id ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -61,6 +55,7 @@ reference = "https://attack.mitre.org/techniques/T1566/002/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -73,4 +68,3 @@ reference = "https://attack.mitre.org/techniques/T1220/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/lateral_movement_alternate_creds_pth.toml b/rules/windows/lateral_movement_alternate_creds_pth.toml index e2460af09..2e4d081e5 100644 
--- a/rules/windows/lateral_movement_alternate_creds_pth.toml +++ b/rules/windows/lateral_movement_alternate_creds_pth.toml @@ -2,14 +2,16 @@ creation_date = "2023/03/29" integration = ["windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4" +min_stack_version = "8.4.0" +updated_date = "2024/01/16" [rule] author = ["Elastic"] description = """ -Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal -system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's -cleartext password. +Adversaries may pass the hash using stolen password hashes to move laterally within an environment, +bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user +without having access to the user's cleartext password. """ from = "now-9m" index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"] @@ -50,11 +52,11 @@ id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [rule.new_terms] field = "new_terms_fields" value = ["user.id"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" - - diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml index 191930a7c..1ac54fbac 100644 --- a/rules/windows/lateral_movement_cmd_service.toml +++ b/rules/windows/lateral_movement_cmd_service.toml @@ -2,7 +2,9 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] 
@@ -11,26 +13,14 @@ Identifies use of sc.exe to create, modify, or start services on remote hosts. T lateral movement but will be noisy if commonly done by admins. """ from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "logs-endpoint.events.network-*", - "winlogbeat-*", - "logs-windows.sysmon_operational-*", -] +index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Service Command Lateral Movement" risk_score = 21 rule_id = "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml index 428f9abd7..2fbca0f11 100644 --- a/rules/windows/lateral_movement_dcom_hta.toml +++ b/rules/windows/lateral_movement_dcom_hta.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/03" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] 
@@ -12,12 +14,7 @@ launched via the HTA Application COM Object. This behavior may indicate an attac laterally while attempting to evade detection. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.network-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Incoming DCOM Lateral Movement via MSHTA" @@ -25,14 +22,7 @@ references = ["https://codewhitesec.blogspot.com/2018/07/lethalhta.html"] risk_score = 73 rule_id = "622ecb68-fa81-4601-90b5-f8cd661e4520" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml index 472b5eaa4..96af58d40 100644 --- a/rules/windows/lateral_movement_dcom_mmc20.toml +++ b/rules/windows/lateral_movement_dcom_mmc20.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/06" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] 
@@ -12,12 +14,7 @@ via the MMC20 Application COM Object. This behavior may indicate an attacker abu laterally. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.network-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Incoming DCOM Lateral Movement with MMC" @@ -25,15 +22,7 @@ references = ["https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20 risk_score = 73 rule_id = "51ce96fb-9e52-4dad-b0ba-99b54440fc9a" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' @@ -64,19 +53,20 @@ reference = "https://attack.mitre.org/techniques/T1021/003/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.014" name = "MMC" reference = "https://attack.mitre.org/techniques/T1218/014/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml index b2a95628a..b6dca9f73 100644 --- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml +++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/11/06" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] @@ -12,12 +14,7 @@ the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may application to stealthily move laterally. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.network-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows" @@ -25,14 +22,7 @@ references = ["https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round- risk_score = 47 rule_id = "8f919d4b-a5af-47ca-a594-6be59cd924a4" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml index 43a994b5e..e05a7b2c0 100644 --- a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml +++ b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml 
@@ -2,7 +2,9 @@ creation_date = "2021/03/22" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -22,16 +24,7 @@ references = [ risk_score = 47 rule_id = "ddab1f5f-7089-44f5-9fda-de5b11322e77" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -61,6 +54,7 @@ reference = "https://attack.mitre.org/techniques/T1021/002/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -68,7 +62,6 @@ id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml index 3cdaefdf9..1ff1b29f6 100644 --- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml +++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [transform] [[transform.osquery]] 
@@ -95,14 +97,7 @@ This rule looks for unexpected processes making network connections over port 44 risk_score = 47 rule_id = "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml index 0ef61678a..d2abebdb9 100644 --- a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml +++ b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml @@ -2,7 +2,9 @@ creation_date = "2021/04/12" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] @@ -12,13 +14,7 @@ indicative of an active RDP shadowing session. An adversary may abuse the RDP Sh other users active RDP sessions. """ from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "logs-endpoint.events.registry-*", - "winlogbeat-*", - "logs-windows.sysmon_operational-*", - "endgame-*", -] +index = ["logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential Remote Desktop Shadowing Activity" 
@@ -37,15 +33,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -75,13 +63,12 @@ framework = "MITRE ATT&CK" id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.001" name = "Remote Desktop Protocol" reference = "https://attack.mitre.org/techniques/T1021/001/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml index f9b06fa6f..88d746d28 100644 --- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml +++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/10" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] 
@@ -59,14 +61,7 @@ Adversaries can use network shares to host tooling to support the compromise of risk_score = 47 rule_id = "58bc134c-e8d2-4291-a552-b4b3e537c60b" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml index 7e06777f9..a49d4b795 100644 --- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml +++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/11" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -11,13 +13,7 @@ Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint ts indicate a lateral movement attempt. """ from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Execution via TSClient Mountpoint" 
@@ -33,14 +29,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -55,13 +44,13 @@ framework = "MITRE ATT&CK" id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.001" name = "Remote Desktop Protocol" reference = "https://attack.mitre.org/techniques/T1021/001/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml index 78ee33364..03cf02f73 100644 --- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml +++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/03" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/04/08" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [transform] [[transform.osquery]] 
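Review bot: The three restored metadata keys are ordered differently in this hunk than in the rest of the chunk: `updated_date` is placed before `min_stack_comments` and `min_stack_version`, whereas every other file header in this chunk lists `min_stack_comments`, `min_stack_version`, `updated_date`. The same ordering appears in the header hunk for rules/windows/lateral_movement_remote_services.toml. Keeping the keys in the common alphabetical order avoids spurious diffs the next time a formatter or the rule tooling rewrites these files.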
@@ -89,21 +91,11 @@ Adversaries can use network shares to host tooling to support the compromise of - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ -references = [ - "http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html", -] +references = ["http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html"] risk_score = 47 rule_id = "ab75c24b-2502-43a0-bf7c-e60e662c811e" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml index 2384ec06e..1fc13abf8 100644 --- a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml +++ b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] 
@@ -17,26 +19,14 @@ false_positives = [ """, ] from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.network-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Incoming Execution via WinRM Remote Shell" risk_score = 47 rule_id = "1cd01db9-be24-4bef-8e7c-e923f0ff78ab" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' @@ -60,7 +50,6 @@ name = "Windows Remote Management" reference = "https://attack.mitre.org/techniques/T1021/006/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml index 296271162..b1ff8aaef 100644 --- a/rules/windows/lateral_movement_incoming_wmi.toml +++ b/rules/windows/lateral_movement_incoming_wmi.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/15" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] 
@@ -11,26 +13,14 @@ Identifies processes executed via Windows Management Instrumentation (WMI) on a adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts. """ from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "logs-endpoint.events.network-*", - "winlogbeat-*", - "logs-windows.sysmon_operational-*", -] +index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "WMI Incoming Lateral Movement" risk_score = 47 rule_id = "f3475224-b179-4f78-8877-c2bd64c26b88" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' @@ -61,12 +51,12 @@ sequence by host.id with maxspan = 2s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml index 72bacb2d8..e1bdd3832 100644 --- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml +++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -11,13 +13,7 @@ Identifies the use of net.exe to mount a WebDav or hidden remote share. This may preparation for data exfiltration. """ from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Mounting Hidden or WebDav Remote Shares" @@ -32,15 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Lateral Movement", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -90,6 +78,7 @@ reference = "https://attack.mitre.org/techniques/T1078/003/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -100,14 +89,11 @@ reference = "https://attack.mitre.org/techniques/T1087/" id = "T1087.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1087/001/" - [[rule.threat.technique.subtechnique]] id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" - - [rule.threat.tactic] id = "TA0007" name = "Discovery" 
diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml index 51b8ffdcf..abdb422d0 100644 --- a/rules/windows/lateral_movement_powershell_remoting_target.toml +++ b/rules/windows/lateral_movement_powershell_remoting_target.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/24" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] @@ -17,12 +19,7 @@ false_positives = [ """, ] from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-endpoint.events.network-*", - "logs-windows.sysmon_operational-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" name = "Incoming Execution via PowerShell Remoting" @@ -32,15 +29,7 @@ references = [ risk_score = 47 rule_id = "2772264c-6fb9-4d9d-9014-b416eed21254" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' @@ -63,12 +52,11 @@ id = "T1021.006" name = "Windows Remote Management" reference = "https://attack.mitre.org/techniques/T1021/006/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -81,7 +69,6 @@ name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml index c7d277c00..2e5acf0e3 100644 --- a/rules/windows/lateral_movement_rdp_enabled_registry.toml +++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -62,17 +64,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -107,6 +99,9 @@ reference = "https://attack.mitre.org/techniques/T1021/001/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
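Review bot: The `@@ -107,6 +99,9 @@` hunk for rules/windows/lateral_movement_rdp_enabled_registry.toml inserts three consecutive blank lines (`+`, `+`, `+`) between the Lateral Movement tactic block and the following `[[rule.threat]]` table, while the matching hunks in the other files in this chunk insert exactly one. Two of the three added lines look accidental; a single blank separator matches the surrounding files and the `+ [[rule.threat]]` pattern used elsewhere in this commit.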
@@ -114,7 +109,6 @@ id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/lateral_movement_rdp_sharprdp_target.toml b/rules/windows/lateral_movement_rdp_sharprdp_target.toml index 6d75397aa..dd56f8c1e 100644 --- a/rules/windows/lateral_movement_rdp_sharprdp_target.toml +++ b/rules/windows/lateral_movement_rdp_sharprdp_target.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/11" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] @@ -22,13 +24,7 @@ references = [ risk_score = 73 rule_id = "8c81e506-6e82-4884-9b9a-75d3d252f967" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml index 6517803a3..2d06b035c 100644 --- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml +++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/04" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -11,13 +13,7 @@ Identifies a remote file copy attempt to a hidden network share. This may indica
 activity.
 """
 from = "now-9m"
-index = [
- "logs-endpoint.events.process-*",
- "winlogbeat-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote File Copy to a Hidden Share"
@@ -32,14 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/lateral_movement_remote_service_installed_winlog.toml b/rules/windows/lateral_movement_remote_service_installed_winlog.toml
index a81566037..7230fa974 100644
--- a/rules/windows/lateral_movement_remote_service_installed_winlog.toml
+++ b/rules/windows/lateral_movement_remote_service_installed_winlog.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -18,13 +20,7 @@ name = "Remote Windows Service Installed"
 risk_score = 47
 rule_id = "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Tactic: Persistence",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence"]
 type = "eql"
 query = '''
diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml
index da85d66e7..aedaa22b5 100644
--- a/rules/windows/lateral_movement_remote_services.toml
+++ b/rules/windows/lateral_movement_remote_services.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/16"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/04/08"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [transform]
 [[transform.osquery]]
@@ -37,12 +39,7 @@ Identifies remote execution of Windows services over remote procedure call (RPC)
 movement, but will be noisy if commonly done by administrators.
 """
 from = "now-9m"
-index = [
- "logs-endpoint.events.process-*",
- "logs-endpoint.events.network-*",
- "winlogbeat-*",
- "logs-windows.sysmon_operational-*",
-]
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remotely Started Services via RPC"
@@ -106,15 +103,7 @@ references = [
 risk_score = 47
 rule_id = "aa9a274d-6b53-424d-ac5e-cb8ca4251650"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 type = "eql"
 query = '''
diff --git a/rules/windows/lateral_movement_remote_task_creation_winlog.toml b/rules/windows/lateral_movement_remote_task_creation_winlog.toml
index 388703c71..a82088772 100644
--- a/rules/windows/lateral_movement_remote_task_creation_winlog.toml
+++ b/rules/windows/lateral_movement_remote_task_creation_winlog.toml
@@ -2,11 +2,15 @@
 creation_date = "2022/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/02/01"
 [rule]
 author = ["Elastic"]
-description = "Identifies scheduled task creation from a remote source. This could be indicative of adversary lateral movement.\n"
+description = """
+Identifies scheduled task creation from a remote source. This could be indicative of adversary lateral movement.
+"""
 from = "now-9m"
 index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
 language = "eql"
@@ -45,8 +49,8 @@ risk_score = 47
 rule_id = "9c865691-5599-447a-bac9-b3f2df5f9a9d"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"]
-timestamp_override = "event.ingested"
 type = "eql"
+timestamp_override = "event.ingested"
 query = '''
 iam where event.action == "scheduled-task-created" and
diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml
index 875bfd3ab..3234e9731 100644
--- a/rules/windows/lateral_movement_scheduled_task_target.toml
+++ b/rules/windows/lateral_movement_scheduled_task_target.toml
@@ -2,18 +2,15 @@
 creation_date = "2020/11/20"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
 description = "Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement."
 from = "now-9m"
-index = [
- "logs-endpoint.events.registry-*",
- "logs-endpoint.events.network-*",
- "winlogbeat-*",
- "logs-windows.sysmon_operational-*",
-]
+index = ["logs-endpoint.events.registry-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote Scheduled Task Creation"
@@ -48,15 +45,7 @@ note = """## Triage and analysis
 risk_score = 47
 rule_id = "954ee7c8-5437-49ae-b2d6-2960883898e9"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 type = "eql"
 query = '''
diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
index b68fdf713..4bcc98b9f 100644
--- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
+++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -27,15 +29,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -71,13 +65,12 @@ framework = "MITRE ATT&CK"
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1021.001"
 name = "Remote Desktop Protocol"
 reference = "https://attack.mitre.org/techniques/T1021/001/"
-
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
diff --git a/rules/windows/lateral_movement_unusual_dns_service_children.toml b/rules/windows/lateral_movement_unusual_dns_service_children.toml
index 31ee07927..a58605b33 100644
--- a/rules/windows/lateral_movement_unusual_dns_service_children.toml
+++ b/rules/windows/lateral_movement_unusual_dns_service_children.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/07/16"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -18,13 +20,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Child Process of dns.exe"
@@ -81,16 +77,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Use Case: Vulnerability",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
index dea6f0ce6..0675a63a9 100644
--- a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
+++ b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/07/16"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -38,16 +40,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Endgame",
- "Use Case: Vulnerability",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
index 650371712..2b52e22a8 100644
--- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
+++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -27,15 +29,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -56,13 +50,13 @@ framework = "MITRE ATT&CK"
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1021.001"
 name = "Remote Desktop Protocol"
 reference = "https://attack.mitre.org/techniques/T1021/001/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
diff --git a/rules/windows/persistence_ad_adminsdholder.toml b/rules/windows/persistence_ad_adminsdholder.toml
index 98eab1918..222a1d54e 100644
--- a/rules/windows/persistence_ad_adminsdholder.toml
+++ b/rules/windows/persistence_ad_adminsdholder.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/31"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/09"
 [rule]
 author = ["Elastic"]
@@ -25,14 +27,7 @@ references = [
 risk_score = 73
 rule_id = "6e9130a5-9be6-48e5-943a-9628bfc74b18"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Use Case: Active Directory Monitoring",
- "Data Source: Active Directory",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -48,18 +43,17 @@ framework = "MITRE ATT&CK"
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.002"
 name = "Domain Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/002/"
-
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml
index 7dce05cfb..7c944c247 100644
--- a/rules/windows/persistence_adobe_hijack_persistence.toml
+++ b/rules/windows/persistence_adobe_hijack_persistence.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "SentinelOne integration package minimum version for validation."
+min_stack_version = "8.11.0"
+updated_date = "2024/05/16"
 [transform]
 [[transform.osquery]]
@@ -34,13 +36,7 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
 author = ["Elastic"]
 description = "Detects writing executable files that will be automatically launched by Adobe on launch."
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.file-*",
- "logs-windows.sysmon_operational-*",
- "endgame-*",
- "logs-sentinel_one_cloud_funnel.*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Adobe Hijack Persistence"
@@ -105,17 +101,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -129,11 +115,6 @@ file where host.os.type == "windows" and event.type == "creation" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1554"
-name = "Compromise Client Software Binary"
-reference = "https://attack.mitre.org/techniques/T1554/"
-
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
@@ -143,6 +124,11 @@ id = "T1574.010"
 name = "Services File Permissions Weakness"
 reference = "https://attack.mitre.org/techniques/T1574/010/"
+[[rule.threat.technique]]
+id = "T1554"
+name = "Compromise Client Software Binary"
+reference = "https://attack.mitre.org/techniques/T1554/"
+
 [rule.threat.tactic]
diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml
index d1bf7ee53..297c90897 100644
--- a/rules/windows/persistence_app_compat_shim.toml
+++ b/rules/windows/persistence_app_compat_shim.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -18,14 +20,7 @@ name = "Installation of Custom Shim Databases"
 risk_score = 47
 rule_id = "c5ce48a6-7f57-4ee8-9313-3d0024caee10"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml
index 83d94b2e9..0313a9910 100644
--- a/rules/windows/persistence_appcertdlls_registry.toml
+++ b/rules/windows/persistence_appcertdlls_registry.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "SentinelOne integration package minimum version for validation."
+min_stack_version = "8.11.0"
+updated_date = "2024/05/16"
 [rule]
 author = ["Elastic"]
@@ -11,13 +13,7 @@ Detects attempts to maintain persistence by creating registry keys using AppCert
 process using the common API functions to create processes.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.registry-*",
- "logs-windows.sysmon_operational-*",
- "endgame-*",
- "logs-sentinel_one_cloud_funnel.*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Registry Persistence via AppCert DLL"
@@ -32,17 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
- "Data Source: SentinelOne",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -74,6 +60,7 @@ reference = "https://attack.mitre.org/techniques/T1546/009/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml
index 28fb63edc..104d726eb 100644
--- a/rules/windows/persistence_appinitdlls_registry.toml
+++ b/rules/windows/persistence_appinitdlls_registry.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/persistence_browser_extension_install.toml b/rules/windows/persistence_browser_extension_install.toml
index 5510e1a7d..32a8066c7 100644
--- a/rules/windows/persistence_browser_extension_install.toml
+++ b/rules/windows/persistence_browser_extension_install.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/22"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
 [rule]
 author = ["Elastic"]
@@ -18,13 +20,7 @@ name = "Browser Extension Install"
 risk_score = 21
 rule_id = "f97504ac-1053-498f-aeaa-c6d01e76b379"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -49,7 +45,6 @@ file where host.os.type == "windows" and event.action : "creation" and
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -57,9 +52,7 @@ id = "T1176"
 name = "Browser Extensions"
 reference = "https://attack.mitre.org/techniques/T1176/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/windows/persistence_dontexpirepasswd_account.toml b/rules/windows/persistence_dontexpirepasswd_account.toml
index 47ca6bb66..a17685c15 100644
--- a/rules/windows/persistence_dontexpirepasswd_account.toml
+++ b/rules/windows/persistence_dontexpirepasswd_account.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/02/22"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -69,7 +71,7 @@ tags = [
 "Tactic: Persistence",
 "Data Source: Active Directory",
 "Resources: Investigation Guide",
- "Use Case: Active Directory Monitoring",
+ "Use Case: Active Directory Monitoring"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
index f8fc9d5dc..fc11dc014 100644
--- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml
+++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/12/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -58,16 +60,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
index 5488b17de..d9072494d 100644
--- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml
+++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -21,16 +23,7 @@ references = [
 risk_score = 47
 rule_id = "6839c821-011d-43bd-bd5b-acff00257226"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Defense Evasion",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -68,6 +61,9 @@ reference = "https://attack.mitre.org/techniques/T1546/012/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -75,7 +71,6 @@ id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
index 68063c7b4..466f46252 100644
--- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
+++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/03/15"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/03/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [transform]
 [[transform.osquery]]
@@ -96,17 +98,7 @@ Techniques used within malware and by adversaries often leverage the Windows reg
 risk_score = 73
 rule_id = "c8b150f0-0164-475b-a75e-74b47800a9ff"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -152,6 +144,9 @@ reference = "https://attack.mitre.org/techniques/T1547/001/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -159,7 +154,6 @@ id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/persistence_local_scheduled_job_creation.toml b/rules/windows/persistence_local_scheduled_job_creation.toml
index aee75496d..2a6f2e67c 100644
--- a/rules/windows/persistence_local_scheduled_job_creation.toml
+++ b/rules/windows/persistence_local_scheduled_job_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/03/15"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "SentinelOne integration package minimum version for validation."
+min_stack_version = "8.11.0"
+updated_date = "2024/05/16"
 [rule]
 author = ["Elastic"]
@@ -12,13 +14,7 @@ task scheduling functionality to facilitate initial or recurring execution of ma
 """
 false_positives = ["Legitimate scheduled jobs may be created during installation of new software."]
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.file-*",
- "logs-windows.sysmon_operational-*",
- "endgame-*",
- "logs-sentinel_one_cloud_funnel.*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via Scheduled Job Creation"
@@ -33,16 +29,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: SentinelOne", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_local_scheduled_task_creation.toml b/rules/windows/persistence_local_scheduled_task_creation.toml index 26e1a4dba..1700e0056 100644 --- a/rules/windows/persistence_local_scheduled_task_creation.toml +++ b/rules/windows/persistence_local_scheduled_task_creation.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -23,14 +25,7 @@ references = [ risk_score = 21 rule_id = "afcce5ad-65de-4ed2-8516-5e093d3ac99a" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' 
diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml index a3f1b4f8e..d553e5e1f 100644 --- a/rules/windows/persistence_local_scheduled_task_scripting.toml +++ b/rules/windows/persistence_local_scheduled_task_scripting.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] @@ -12,13 +14,7 @@ an adversary to establish persistence. """ false_positives = ["Legitimate scheduled tasks may be created during installation of new software."] from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.registry-*", - "logs-endpoint.events.library-*", - "logs-windows.sysmon_operational-*", - "endgame-*", -] +index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Scheduled Task Created by a Windows Script" @@ -28,16 +24,7 @@ Decode the base64 encoded Tasks Actions registry value to investigate the task's risk_score = 47 rule_id = "689b9d57-e4d5-4357-ad17-9c334609d79a" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' 
@@ -69,6 +56,7 @@ reference = "https://attack.mitre.org/techniques/T1053/005/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml index eccc979af..f40d7cb52 100644 --- a/rules/windows/persistence_ms_office_addins_file.toml +++ b/rules/windows/persistence_ms_office_addins_file.toml @@ -2,7 +2,9 @@ creation_date = "2020/10/16" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -24,15 +26,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -54,13 +48,12 @@ framework = "MITRE ATT&CK" id = "T1137" name = "Office Application Startup" reference = "https://attack.mitre.org/techniques/T1137/" + [[rule.threat.technique.subtechnique]] id = "T1137.006" name = "Add-ins" reference = "https://attack.mitre.org/techniques/T1137/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" 
diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml index 8d5bf2ff5..89474f8e5 100644 --- a/rules/windows/persistence_ms_outlook_vba_template.toml +++ b/rules/windows/persistence_ms_outlook_vba_template.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -28,15 +30,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml index 3efb314e3..8d7e3af7c 100644 --- a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml +++ b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml @@ -2,7 +2,9 @@ creation_date = "2022/01/27" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -38,14 +40,7 @@ Audit User Account Management (Success,Failure) ``` """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/persistence_msoffice_startup_registry.toml b/rules/windows/persistence_msoffice_startup_registry.toml index f081de1f7..79bc50904 100644 --- a/rules/windows/persistence_msoffice_startup_registry.toml +++ b/rules/windows/persistence_msoffice_startup_registry.toml @@ -2,7 +2,9 @@ creation_date = "2023/08/22" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] @@ -22,14 +24,7 @@ references = [ risk_score = 21 rule_id = "14dab405-5dd9-450c-8106-72951af2391f" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -38,7 +33,6 @@ registry where host.os.type == "windows" and event.action != "deletion" and registry.path : "*\\Software\\Microsoft\\Office Test\\Special\\Perf\\*" ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -49,13 +43,12 @@ reference = "https://attack.mitre.org/techniques/T1137/" id = "T1137.002" name = "Office Test" reference = "https://attack.mitre.org/techniques/T1137/002/" - - - + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -63,7 +56,6 @@ id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/persistence_netsh_helper_dll.toml b/rules/windows/persistence_netsh_helper_dll.toml index b7391f7f2..ef39af451 100644 --- a/rules/windows/persistence_netsh_helper_dll.toml +++ b/rules/windows/persistence_netsh_helper_dll.toml @@ -2,14 +2,16 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] description = """ -Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its -functionality. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed, -which can be done by administrators or a scheduled task. +Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its functionality. +Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed, which can be done +by administrators or a scheduled task. """ from = "now-9m" index = ["logs-endpoint.events.registry-*", "endgame-*"] 
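Review bot: The re-wrapped `description` in the persistence_netsh_helper_dll.toml `@@ -2,14 +2,16 @@` hunk keeps a comma splice in its first sentence (`Identifies the addition of a Netsh Helper DLL, netsh.exe supports ...`), and the new first line now runs to roughly 120 columns where the removed side wrapped shorter. Since the string is being rewritten anyway, split the two clauses: `Identifies the addition of a Netsh Helper DLL. netsh.exe supports the addition of these DLLs to extend its functionality.` Whether the wrap width matters depends on a formatter column limit that this diff does not show.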
@@ -19,14 +21,7 @@ name = "Netsh Helper DLL" risk_score = 21 rule_id = "b0638186-4f12-48ac-83d2-47e686d08e82" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -51,11 +46,12 @@ name = "Netsh Helper DLL" reference = "https://attack.mitre.org/techniques/T1546/007/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -68,4 +64,3 @@ reference = "https://attack.mitre.org/techniques/T1112/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml index 37ab09c27..e7fbc4f3a 100644 --- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml +++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/15" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -12,13 +14,7 @@ Adversaries may target user email to collect sensitive information. """ false_positives = ["Legitimate exchange system administration activity."] from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "New ActiveSyncAllowedDeviceID Added via PowerShell" @@ -37,15 +33,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -72,6 +60,7 @@ reference = "https://attack.mitre.org/techniques/T1098/002/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/persistence_powershell_profiles.toml b/rules/windows/persistence_powershell_profiles.toml index 668dc35ed..04eaf0402 100644 --- a/rules/windows/persistence_powershell_profiles.toml +++ b/rules/windows/persistence_powershell_profiles.toml 
@@ -2,7 +2,9 @@ creation_date = "2022/10/13" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] @@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ @@ -102,16 +103,7 @@ references = [ risk_score = 47 rule_id = "5cf6397e-eb91-4f31-8951-9f0eaa755a31" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -141,6 +133,7 @@ reference = "https://attack.mitre.org/techniques/T1546/013/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml index 857ad7581..e6088b0d8 100644 --- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml +++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/03/28" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [transform] [[transform.osquery]] @@ -108,16 +110,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml index 18011a988..22539edbe 100644 --- a/rules/windows/persistence_registry_uncommon.toml +++ b/rules/windows/persistence_registry_uncommon.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/18" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -19,14 +21,7 @@ references = ["https://www.microsoftpressstore.com/articles/article.aspx?p=27620 risk_score = 47 rule_id = "54902e45-3467-49a4-8abc-529f2c8cfb80" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"] timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799" timeline_title = "Comprehensive Registry Timeline" timestamp_override = "event.ingested" @@ -98,16 +93,6 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1546" -name = "Event Triggered Execution" -reference = "https://attack.mitre.org/techniques/T1546/" -[[rule.threat.technique.subtechnique]] -id = "T1546.002" -name = "Screensaver" -reference = "https://attack.mitre.org/techniques/T1546/002/" - - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" @@ -117,7 +102,14 @@ id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" - +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.002" +name = "Screensaver" +reference = "https://attack.mitre.org/techniques/T1546/002/" [rule.threat.tactic] id = "TA0003" diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml index a15ea8909..2d616617e 100644 --- a/rules/windows/persistence_remote_password_reset.toml +++ b/rules/windows/persistence_remote_password_reset.toml 
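Review bot: The technique reorder across the `@@ -98,16 +93,6 @@` and `@@ -117,7 +102,14 @@` hunks of persistence_registry_uncommon.toml leaves T1547 listed before T1546, so the `[[rule.threat.technique]]` entries are no longer sorted by technique ID. The removed side had them ID-sorted, which looks like the output of the repo's rule serializer (inferred from the removed lines; worth confirming), so any future save of this rule will flip them back and reintroduce churn in this file. If the serializer does sort by ID, keep T1546 first on the new side as well. The enclosing `[[rule.threat]]` entry starts above the first of these hunks.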
@@ -2,7 +2,9 @@ creation_date = "2021/10/18" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/18" [rule] author = ["Elastic"] @@ -17,6 +19,7 @@ language = "eql" license = "Elastic License v2" name = "Account Password Reset Remotely" note = """ + ## Performance This rule may cause medium to high performance impact due to logic scoping all remote Windows logon activity. """ @@ -29,13 +32,7 @@ references = [ risk_score = 47 rule_id = "2820c9c2-bcd7-4d6e-9eba-faf3891ba450" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Impact", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Impact"] type = "eql" query = ''' @@ -71,14 +68,15 @@ reference = "https://attack.mitre.org/techniques/T1098/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1531" name = "Account Access Removal" reference = "https://attack.mitre.org/techniques/T1531/" - [rule.threat.tactic] id = "TA0040" name = "Impact" diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml index b03de1503..7d7ea941d 100644 --- a/rules/windows/persistence_run_key_and_startup_broad.toml +++ b/rules/windows/persistence_run_key_and_startup_broad.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/18" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] 
@@ -101,15 +103,7 @@ Adversaries may achieve persistence by referencing a program with a registry run risk_score = 21 rule_id = "97fc44d3-8dae-4019-ae83-298c3015600f" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799" timeline_title = "Comprehensive Registry Timeline" timestamp_override = "event.ingested" diff --git a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml index e4e953843..8fc63c139 100644 --- a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml +++ b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -18,15 +20,7 @@ name = "Execution of Persistent Suspicious Program" risk_score = 47 rule_id = "e7125cea-9fe1-42a5-9a05-b0792cf86f5a" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] type = "eql" query = ''' 
diff --git a/rules/windows/persistence_scheduled_task_creation_winlog.toml b/rules/windows/persistence_scheduled_task_creation_winlog.toml index ed3a6f2fd..18db7189b 100644 --- a/rules/windows/persistence_scheduled_task_creation_winlog.toml +++ b/rules/windows/persistence_scheduled_task_creation_winlog.toml @@ -2,7 +2,9 @@ creation_date = "2022/08/29" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/01/05" [rule] author = ["Elastic"] diff --git a/rules/windows/persistence_scheduled_task_updated.toml b/rules/windows/persistence_scheduled_task_updated.toml index dd23a6bc2..a2b566ef3 100644 --- a/rules/windows/persistence_scheduled_task_updated.toml +++ b/rules/windows/persistence_scheduled_task_updated.toml @@ -2,7 +2,10 @@ creation_date = "2022/08/29" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/22" + [rule] author = ["Elastic"] diff --git a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml index d5d88fd76..396217ba5 100644 --- a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml +++ b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml @@ -2,7 +2,9 @@ creation_date = "2022/02/24" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -92,7 +94,7 @@ tags = [ "Tactic: Persistence", "Data Source: Active Directory", "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring", + "Use Case: Active Directory Monitoring" ] timestamp_override = "event.ingested" type = "eql" @@ -108,22 +110,22 @@ any where event.action == "Directory Service Changes" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/windows/persistence_service_dll_unsigned.toml b/rules/windows/persistence_service_dll_unsigned.toml index 4c9bda1fc..d348c770f 100644 --- a/rules/windows/persistence_service_dll_unsigned.toml +++ b/rules/windows/persistence_service_dll_unsigned.toml @@ -2,7 +2,9 @@ creation_date = "2023/01/17" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above." +min_stack_version = "8.4.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
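Review bot: The `@@ -92,7 +94,7 @@` hunk of persistence_sdprop_exclusion_dsheuristics.toml drops the trailing comma after `"Use Case: Active Directory Monitoring"` while keeping the `tags` array multi-line, so the next tag appended here becomes a two-line diff, and this is now the only rule in the diff whose tags stay multi-line while every other file collapses them onto one line. Either keep the trailing comma, `"Use Case: Active Directory Monitoring",`, or collapse the array like the sibling rules so the formatter output is uniform. The `tags = [` opening line is outside the hunk.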
@@ -18,15 +20,7 @@ name = "Unsigned DLL Loaded by Svchost" risk_score = 47 rule_id = "78ef0c95-9dc2-40ac-a8da-5deb6293a14e" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -142,23 +136,24 @@ reference = "https://attack.mitre.org/techniques/T1543/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/persistence_service_windows_service_winlog.toml b/rules/windows/persistence_service_windows_service_winlog.toml index 813526bb1..7bd5af1c5 100644 --- a/rules/windows/persistence_service_windows_service_winlog.toml +++ b/rules/windows/persistence_service_windows_service_winlog.toml @@ -2,7 +2,9 @@ creation_date = "2022/08/30" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/08/08" [transform] [[transform.osquery]] 
@@ -28,20 +30,15 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu [[transform.osquery]] label = "Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link" query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, -issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = -authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1") +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1") """ [[transform.osquery]] label = "Osquery - Retrieve All Unsigned Drivers with Virustotal Link" query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, -issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = -authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0" +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0" """ - [rule] author = ["Elastic"] description = """ 
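Review bot: The two driver queries rejoined in the `@@ -28,20 +30,15 @@` hunk of persistence_service_windows_service_winlog.toml compare with `==` and double-quoted literals (`provider == "Microsoft" AND signed == "1"`, `signed == "0"`), while the services query in the same hunk's context uses single-quoted `!= 'trusted'`. In SQLite, which osquery embeds, a double-quoted token is resolved as an identifier first and only falls back to a string literal when the build allows it (the SQLITE_DQS option), so the single-quoted form is the portable one. Suggest `WHERE NOT (provider = 'Microsoft' AND signed = '1')` and `WHERE signed = '0'` so all three transforms read the same way; whether osquery's bundled build keeps the fallback enabled is not visible here.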
@@ -97,13 +94,7 @@ This rule looks for suspicious services being created with suspicious traits com risk_score = 47 rule_id = "da87eee1-129c-4661-a7aa-57d0b9645fad" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml index c58066cae..9fae059ac 100644 --- a/rules/windows/persistence_services_registry.toml +++ b/rules/windows/persistence_services_registry.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/18" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -19,16 +21,7 @@ name = "Unusual Persistence via Services Registry" risk_score = 21 rule_id = "403ef0d3-8259-40c9-a5b6-d48354712e49" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -74,6 +67,9 @@ reference = "https://attack.mitre.org/techniques/T1543/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -81,7 +77,6 @@ id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml index da4b46589..1cbcef5d6 100644 --- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml +++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/03/28" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [transform] [[transform.osquery]] @@ -109,16 +111,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml index 7e42c9674..e3c7edc80 100644 --- a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml 
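Review bot: In the `@@ -2,7 +2,9 @@` hunk for persistence_startup_folder_file_written_by_suspicious_process.toml the restored metadata keys are placed after `updated_date`, whereas the equivalent hunks for persistence_services_registry.toml and persistence_suspicious_com_hijack_registry.toml in this same change put `min_stack_comments` and `min_stack_version` before `updated_date`. The two orderings parse identically, but mixing them across sibling rule files makes the metadata block harder to scan and will presumably be reshuffled by whatever formatter produced the sorted variant, adding churn on the next save. Suggest the sorted form here too: `min_stack_comments = "New fields added: required_fields, related_integrations, setup"`, `min_stack_version = "8.3.0"`, `updated_date = "2024/03/28"`.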
+++ b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/04/08" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [transform] [[transform.osquery]] @@ -100,15 +102,7 @@ This rule looks for unsigned processes writing to the Startup folder locations. risk_score = 47 rule_id = "2fba96c0-ade5-4bce-b92f-a5df2509da3f" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' @@ -146,19 +140,19 @@ reference = "https://attack.mitre.org/techniques/T1547/001/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml index fe6a4bcdd..a773d1af6 100644 --- a/rules/windows/persistence_startup_folder_scripts.toml +++ b/rules/windows/persistence_startup_folder_scripts.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/03/28" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [transform] [[transform.osquery]] @@ -108,16 +110,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml index 29a569e13..8b63c6535 100644 --- a/rules/windows/persistence_suspicious_com_hijack_registry.toml +++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/18" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/08" [rule] author = ["Elastic"] 
@@ -70,17 +72,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Privilege Escalation","Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -156,6 +148,7 @@ reference = "https://attack.mitre.org/techniques/T1546/015/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -173,6 +166,9 @@ reference = "https://attack.mitre.org/techniques/T1546/015/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -180,7 +176,6 @@ id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml index c03e8ea71..ee16c9b79 100644 --- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml +++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml 
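Review bot: The collapsed `tags` line in persistence_suspicious_com_hijack_registry.toml is missing the space after the comma between `"Tactic: Privilege Escalation"` and `"Resources: Investigation Guide"`, unlike every other entry in that list and every other tags line rewritten in this change. TOML accepts it, so nothing breaks, but it is the one visible inconsistency in an otherwise mechanical reflow and will trip a line-by-line comparison against the sibling files. Suggest `"Tactic: Privilege Escalation", "Resources: Investigation Guide"`.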
@@ -2,7 +2,9 @@ creation_date = "2020/11/17" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] @@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ @@ -123,16 +124,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" 
@@ -150,30 +142,31 @@ framework = "MITRE ATT&CK" id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" - [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml index d74b17c8c..7a9d64617 100644 --- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml +++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -24,14 +26,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -94,6 +89,7 @@ reference = "https://attack.mitre.org/techniques/T1053/005/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -106,7 +102,6 @@ name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" - [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml index 2f2ffddac..5af4cd96a 100644 --- a/rules/windows/persistence_suspicious_service_created_registry.toml +++ b/rules/windows/persistence_suspicious_service_created_registry.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/23" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -18,16 +20,7 @@ name = "Suspicious ImagePath Service Creation" risk_score = 73 rule_id = "36a8e048-d888-4f61-a8b9-0f9e2e40f317" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -58,6 +51,9 @@ reference = "https://attack.mitre.org/techniques/T1543/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -65,7 +61,6 @@ id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/persistence_sysmon_wmi_event_subscription.toml b/rules/windows/persistence_sysmon_wmi_event_subscription.toml index 617d438f1..f575f2ec6 100644 --- a/rules/windows/persistence_sysmon_wmi_event_subscription.toml +++ b/rules/windows/persistence_sysmon_wmi_event_subscription.toml @@ -2,7 +2,9 @@ creation_date = "2023/02/02" integration = ["windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Related integrations field type changes in 8.8.0" +min_stack_version = "8.8.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -16,19 +18,13 @@ language = "eql" license = "Elastic License v2" name = "Suspicious WMI Event Subscription Created" references = [ - "https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", - "https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96", + "https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", + "https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96", ] risk_score = 47 rule_id = "e72f87d0-a70e-4f8d-8443-a6407bc34643" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -37,19 +33,18 @@ any where event.dataset == "windows.sysmon_operational" and event.code == "21" a winlog.event_data.Operation : "Created" and winlog.event_data.Consumer : ("*subscription:CommandLineEventConsumer*", "*subscription:ActiveScriptEventConsumer*") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" -[[rule.threat.technique.subtechnique]] -id = "T1546.003" -name = "Windows Management Instrumentation Event Subscription" -reference = "https://attack.mitre.org/techniques/T1546/003/" - + [[rule.threat.technique.subtechnique]] + id = "T1546.003" + name = "Windows Management Instrumentation Event Subscription" + reference = "https://attack.mitre.org/techniques/T1546/003/" [rule.threat.tactic] id = "TA0003" 
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml index 0d6cd6a01..cfc9e2311 100644 --- a/rules/windows/persistence_system_shells_via_services.toml +++ b/rules/windows/persistence_system_shells_via_services.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "SentinelOne integration package minimum version for validation." +min_stack_version = "8.11.0" +updated_date = "2024/05/16" [transform] [[transform.osquery]] @@ -25,7 +27,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ @@ -33,14 +34,7 @@ Windows services typically run as SYSTEM and can be used as a privilege escalati testers may run a shell as a service to gain SYSTEM permissions. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", - "logs-sentinel_one_cloud_funnel.*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "System Shells via Services" 
@@ -87,17 +81,7 @@ This rule looks for system shells being spawned by `services.exe`, which is comp risk_score = 47 rule_id = "0022d47d-39c7-4f69-a232-4fe9dc7a3acd" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"] timestamp_override = "event.ingested" type = "eql" @@ -128,6 +112,7 @@ reference = "https://attack.mitre.org/techniques/T1543/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -138,7 +123,6 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" diff --git a/rules/windows/persistence_temp_scheduled_task.toml b/rules/windows/persistence_temp_scheduled_task.toml index f594f5be0..233359c3c 100644 --- a/rules/windows/persistence_temp_scheduled_task.toml +++ b/rules/windows/persistence_temp_scheduled_task.toml @@ -2,7 +2,9 @@ creation_date = "2022/08/29" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/13" [rule] author = ["Elastic"] 
@@ -20,13 +22,7 @@ references = ["https://docs.microsoft.com/en-us/windows/security/threat-protecti risk_score = 47 rule_id = "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution"] type = "eql" query = ''' @@ -35,7 +31,6 @@ sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m [iam where event.action == "scheduled-task-deleted" and not user.name : "*$"] ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -53,19 +48,20 @@ reference = "https://attack.mitre.org/techniques/T1053/005/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" - [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml index 6349b995f..96b066dde 100644 --- a/rules/windows/persistence_time_provider_mod.toml +++ b/rules/windows/persistence_time_provider_mod.toml @@ -2,7 +2,9 @@ creation_date = "2021/01/19" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] 
@@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ @@ -97,16 +98,7 @@ references = ["https://pentestlab.blog/2019/10/22/persistence-time-providers/"] risk_score = 47 rule_id = "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -142,6 +134,7 @@ reference = "https://attack.mitre.org/techniques/T1547/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml index 5d34c49c0..a9bf18fa9 100644 --- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml +++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml @@ -2,7 +2,9 @@ creation_date = "2021/01/09" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/23" [rule] author = ["Elastic", "Skoetting"] 
@@ -59,15 +61,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", - "Use Case: Active Directory Monitoring", - "Data Source: Active Directory", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml index 1f23de1ad..bd955a90f 100644 --- a/rules/windows/persistence_user_account_creation.toml +++ b/rules/windows/persistence_user_account_creation.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -11,13 +13,7 @@ Identifies attempts to create new users. This is sometimes done by attackers to on a system or domain. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "User Account Creation" 
@@ -65,15 +61,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml index fdebc251f..de2cfc044 100644 --- a/rules/windows/persistence_via_application_shimming.toml +++ b/rules/windows/persistence_via_application_shimming.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/01" [rule] author = ["Elastic"] @@ -12,13 +14,7 @@ changes over time. This Windows functionality has been abused by attackers to st code execution in legitimate Windows processes. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Potential Application Shimming via Sdbinst" 
@@ -33,14 +29,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_via_bits_job_notify_command.toml b/rules/windows/persistence_via_bits_job_notify_command.toml index 4dd8ee1d9..b0b62e819 100644 --- a/rules/windows/persistence_via_bits_job_notify_command.toml +++ b/rules/windows/persistence_via_bits_job_notify_command.toml @@ -2,7 +2,9 @@ creation_date = "2021/12/04" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "SentinelOne integration package minimum version for validation." +min_stack_version = "8.11.0" +updated_date = "2024/05/16" [rule] author = ["Elastic"] @@ -12,13 +14,7 @@ that runs after a job finishes transferring data or after a job enters a specifi system. """ from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.sysmon_operational-*", - "endgame-*", - "logs-sentinel_one_cloud_funnel.*", -] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Persistence via BITS Job Notify Cmdline" 
@@ -39,16 +35,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", - "Data Source: SentinelOne", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml index 93cbe924c..db0134e02 100644 --- a/rules/windows/persistence_via_hidden_run_key_valuename.toml +++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/15" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -30,17 +32,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -79,8 +71,10 @@ reference = "https://attack.mitre.org/techniques/T1547/001/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1106" name = "Native API" @@ -91,6 +85,8 @@ reference = "https://attack.mitre.org/techniques/T1106/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -98,7 +94,6 @@ id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml index 9f8ee232a..9a700a80b 100644 --- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml +++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -26,16 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -68,6 +61,9 @@ reference = "https://attack.mitre.org/techniques/T1547/005/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -75,7 +71,6 @@ id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml index a981690a0..58ffb83f7 100644 --- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml +++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/08/17" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -11,17 +13,13 @@ Detects the successful hijack of Microsoft Compatibility Appraiser scheduled tas integrity level of system. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Persistence via TelemetryController Scheduled Task Hijack" -references = ["https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence"] +references = [ + "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence", +] risk_score = 73 rule_id = "68921d85-d0dc-48b3-865f-43291ca2c4f2" setup = """## Setup @@ -33,15 +31,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -74,13 +64,14 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" @@ -90,13 +81,13 @@ id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml index 51551db3b..58ef5c3fe 100644 --- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml +++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml @@ -2,7 +2,9 @@ creation_date = "2020/08/17" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/03/28" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [transform] [[transform.osquery]] 
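Review bot: The new metadata keys in `persistence_via_update_orchestrator_service_hijack.toml` are written in the order `updated_date`, `min_stack_comments`, `min_stack_version`, whereas every other `[metadata]` hunk in this diff keeps the keys alphabetical (`min_stack_comments`, `min_stack_version`, `updated_date`). The same drift appears in `privilege_escalation_driver_newterm_imphash.toml`, where `integration` is removed from its place and re-added below `min_stack_version`. TOML does not care, but the inconsistent order suggests these two files were edited by hand rather than produced by the same tooling as the rest, and a later tool-driven save is likely to churn them; writing the three lines as `+min_stack_comments = "New fields added: required_fields, related_integrations, setup"`, `+min_stack_version = "8.3.0"`, `+updated_date = "2024/03/28"` keeps the files uniform.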
@@ -105,17 +107,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Privilege Escalation", - "Use Case: Vulnerability", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -157,6 +149,7 @@ reference = "https://attack.mitre.org/techniques/T1543/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml index 02d9eb646..0e9060c0e 100644 --- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml +++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml @@ -2,7 +2,9 @@ creation_date = "2020/12/04" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -12,13 +14,7 @@ bindings that execute code when a defined event occurs. Adversaries may use the event and execute arbitrary code when that event occurs, providing persistence on a system. """ from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Persistence via WMI Event Subscription" @@ -34,15 +30,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -71,14 +59,15 @@ reference = "https://attack.mitre.org/techniques/T1546/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml index 8d26a4ebe..625e1c3c6 100644 --- a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml +++ b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml 
@@ -2,7 +2,9 @@ creation_date = "2021/03/15" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [transform] [[transform.osquery]] @@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ @@ -100,14 +101,7 @@ references = [ risk_score = 73 rule_id = "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml index 41d3b2611..9e7f7d5da 100644 --- a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml +++ b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml @@ -2,7 +2,9 @@ creation_date = "2020/08/14" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -11,13 +13,7 @@ Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Execution via MSSQL xp_cmdshell Stored Procedure" @@ -66,15 +62,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -93,37 +81,38 @@ process where host.os.type == "windows" and event.type == "start" and process.pa ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" + [[rule.threat.technique.subtechnique]] id = "T1505.001" name = "SQL Stored Procedures" reference = "https://attack.mitre.org/techniques/T1505/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml index 3fa3d1644..2c40fa273 100644 --- a/rules/windows/persistence_webshell_detection.toml +++ b/rules/windows/persistence_webshell_detection.toml @@ -2,7 +2,9 @@ creation_date = "2021/08/24" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "SentinelOne integration package minimum version for validation." +min_stack_version = "8.11.0" +updated_date = "2024/05/16" [rule] author = ["Elastic"] 
@@ -14,14 +16,7 @@ false_positives = [ """, ] from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", - "logs-sentinel_one_cloud_funnel.*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Web Shell Detection: Script Process Child of Common Web Processes" @@ -84,18 +79,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Initial Access", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: SentinelOne", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"] timestamp_override = "event.ingested" type = "eql" @@ -145,13 +129,9 @@ reference = "https://attack.mitre.org/techniques/T1190/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1047" -name = "Windows Management Instrumentation" -reference = "https://attack.mitre.org/techniques/T1047/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" 
@@ -160,18 +140,22 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + + [rule.threat.tactic] id = "TA0002" diff --git a/rules/windows/persistence_werfault_reflectdebugger.toml b/rules/windows/persistence_werfault_reflectdebugger.toml index fa3636187..2ca1d4296 100644 --- a/rules/windows/persistence_werfault_reflectdebugger.toml +++ b/rules/windows/persistence_werfault_reflectdebugger.toml @@ -2,7 +2,9 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] @@ -19,14 +21,7 @@ references = ["https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.h risk_score = 21 rule_id = "205b52c4-9c28-4af4-8979-935f3278d61a" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -46,11 +41,12 @@ id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -63,4 +59,3 @@ reference = "https://attack.mitre.org/techniques/T1112/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/privilege_escalation_create_process_as_different_user.toml b/rules/windows/privilege_escalation_create_process_as_different_user.toml index ecd4afd29..9f6d7a2e6 100644 --- a/rules/windows/privilege_escalation_create_process_as_different_user.toml +++ b/rules/windows/privilege_escalation_create_process_as_different_user.toml @@ -2,7 +2,9 @@ creation_date = "2022/08/30" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/23" [rule] author = ["Elastic"] diff --git a/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml b/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml index ffd8fd020..d3675bbc2 100644 --- a/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml +++ b/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml @@ -2,7 +2,9 @@ creation_date = "2023/10/02" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: process.Ext.effective_parent.executable, process.Ext.effective_parent.name, process.Ext.relative_file_creation_time, process.Ext.relative_file_name_modify_time" +min_stack_version = "8.4.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -15,17 +17,13 @@ index = ["logs-endpoint.events.process-*"] language = "eql" license = "Elastic License v2" name = "Process Created with a Duplicated Token" -references = ["https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw"] +references = [ + "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw", +] risk_score = 47 rule_id = "1b0b4818-5655-409b-9c73-341cac4bb73f" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -66,6 +64,7 @@ framework = "MITRE ATT&CK" id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" + [[rule.threat.technique.subtechnique]] id = "T1134.001" name = "Token Impersonation/Theft" @@ -82,4 +81,3 @@ reference = "https://attack.mitre.org/techniques/T1134/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/privilege_escalation_credroaming_ldap.toml b/rules/windows/privilege_escalation_credroaming_ldap.toml index 8c3dc14a8..154f98b3d 100644 --- a/rules/windows/privilege_escalation_credroaming_ldap.toml +++ b/rules/windows/privilege_escalation_credroaming_ldap.toml @@ -2,7 +2,9 @@ creation_date = "2022/11/09" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -41,14 +43,7 @@ Audit Directory Service Changes (Success,Failure) ``` """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Data Source: Active Directory", - "Tactic: Privilege Escalation", - "Use Case: Active Directory Monitoring", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Data Source: Active Directory", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml index 2dd83bb73..007400959 100644 --- a/rules/windows/privilege_escalation_disable_uac_registry.toml +++ b/rules/windows/privilege_escalation_disable_uac_registry.toml @@ -2,7 +2,9 @@ creation_date = "2021/01/20" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -80,16 +82,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" 
@@ -127,11 +120,6 @@ name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1112" -name = "Modify Registry" -reference = "https://attack.mitre.org/techniques/T1112/" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" @@ -141,7 +129,6 @@ id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" @@ -151,6 +138,11 @@ id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] @@ -158,3 +150,4 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/privilege_escalation_driver_newterm_imphash.toml b/rules/windows/privilege_escalation_driver_newterm_imphash.toml index 4b8812b03..8bcae7a6e 100644 --- a/rules/windows/privilege_escalation_driver_newterm_imphash.toml +++ b/rules/windows/privilege_escalation_driver_newterm_imphash.toml 
@@ -1,32 +1,30 @@ [metadata] creation_date = "2022/12/19" -integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term" +min_stack_version = "8.6.0" +integration = ["endpoint"] +updated_date = "2024/03/28" [transform] [[transform.osquery]] label = "Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link" query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, -issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = -authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1") +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == "Microsoft" AND signed == "1") """ [[transform.osquery]] label = "Osquery - Retrieve All Unsigned Drivers with Virustotal Link" query = """ -SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, -issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = -authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0" +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == "0" """ - [rule] author = ["Elastic"] description = """ -Identifies the load of a driver with an original file name and signature values that were observed for the first time -during the last 30 days. 
This rule type can help baseline drivers installation within your environment. +Identifies the load of a driver with an original file name and signature values that were observed +for the first time during the last 30 days. This rule type can help baseline drivers installation +within your environment. """ from = "now-9m" index = ["logs-endpoint.events.library-*"] @@ -99,15 +97,7 @@ references = ["https://www.elastic.co/kr/security-labs/stopping-vulnerable-drive risk_score = 47 rule_id = "df0fd41e-5590-4965-ad5e-cd079ec22fa9" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Persistence", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "new_terms" @@ -115,7 +105,6 @@ query = ''' event.category:"driver" and host.os.type:windows and event.action:"load" ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -128,6 +117,8 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -140,7 +131,6 @@ name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -152,5 +142,3 @@ value = ["dll.pe.original_file_name", "dll.code_signature.subject_name"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-30d" - - diff --git a/rules/windows/privilege_escalation_expired_driver_loaded.toml b/rules/windows/privilege_escalation_expired_driver_loaded.toml index 5026c5b06..a94586c12 100644 
--- a/rules/windows/privilege_escalation_expired_driver_loaded.toml +++ b/rules/windows/privilege_escalation_expired_driver_loaded.toml @@ -2,7 +2,9 @@ creation_date = "2023/06/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -16,19 +18,12 @@ language = "eql" license = "Elastic License v2" name = "Expired or Revoked Driver Loaded" references = [ - "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN", + "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN" ] risk_score = 47 rule_id = "d12bac54-ab2a-4159-933f-d7bcefa7b61d" severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -37,7 +32,6 @@ driver where host.os.type == "windows" and process.pid == 4 and dll.code_signature.status : ("errorExpired", "errorRevoked") ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -50,19 +44,20 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/privilege_escalation_exploit_cve_202238028.toml b/rules/windows/privilege_escalation_exploit_cve_202238028.toml index d73ec6d3b..a25aab233 100644 --- a/rules/windows/privilege_escalation_exploit_cve_202238028.toml +++ b/rules/windows/privilege_escalation_exploit_cve_202238028.toml 
@@ -2,32 +2,27 @@ creation_date = "2024/04/23" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/23" [rule] author = ["Elastic"] -description = "Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.\n" +description = """ +Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution. +""" from = "now-9m" index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential privilege escalation via CVE-2022-38028" references = [ - "https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/", + "https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/" ] risk_score = 73 rule_id = "dffbd37c-d4c5-46f8-9181-5afdd9172b4c" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -37,7 +32,6 @@ file where host.os.type == "windows" and "?:\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js") ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -50,6 +44,7 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -57,7 +52,6 @@ id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml index 5208f641c..11fcae30c 100644 --- a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml +++ b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml @@ -2,7 +2,9 @@ creation_date = "2020/08/13" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -27,16 +29,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" 
@@ -65,6 +58,7 @@ reference = "https://attack.mitre.org/techniques/T1484/001/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml
index 51ebb21e5..e7e5d9fdd 100644
--- a/rules/windows/privilege_escalation_group_policy_iniscript.toml
+++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/11/08"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -90,7 +92,7 @@ tags = [
 "Tactic: Privilege Escalation",
 "Data Source: Active Directory",
 "Resources: Investigation Guide",
- "Use Case: Active Directory Monitoring",
+ "Use Case: Active Directory Monitoring"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
index cd65fe208..ba092d3ff 100644
--- a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
+++ b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/11/08"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -72,7 +74,7 @@ tags = [
 "Tactic: Privilege Escalation",
 "Data Source: Active Directory",
 "Resources: Investigation Guide",
- "Use Case: Active Directory Monitoring",
+ "Use Case: Active Directory Monitoring"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
index 53ad7a334..f40348e6c 100644
--- a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
+++ b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/11/08"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -93,7 +95,7 @@ tags = [
 "Tactic: Lateral Movement",
 "Data Source: Active Directory",
 "Resources: Investigation Guide",
- "Use Case: Active Directory Monitoring",
+ "Use Case: Active Directory Monitoring"
 ]
 timestamp_override = "event.ingested"
 type = "query"
@@ -134,8 +136,10 @@ reference = "https://attack.mitre.org/techniques/T1484/001/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1570"
 name = "Lateral Tool Transfer"
@@ -146,4 +150,3 @@ reference = "https://attack.mitre.org/techniques/T1570/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml
index d1f06892c..aed4bd9d3 100644
--- a/rules/windows/privilege_escalation_installertakeover.toml
+++ b/rules/windows/privilege_escalation_installertakeover.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/11/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [transform]
 [[transform.osquery]]
@@ -108,15 +110,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide",
- "Use Case: Vulnerability",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
index 83e22935c..07bf29f33 100644
--- a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
+++ b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/04/27"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -25,15 +27,7 @@ references = [
 risk_score = 73
 rule_id = "e4e31051-ee01-4307-a6ee-b21b186958f4"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Credential Access",
- "Use Case: Active Directory Monitoring",
- "Data Source: Active Directory",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"]
 type = "eql"
 query = '''
diff --git a/rules/windows/privilege_escalation_lsa_auth_package.toml b/rules/windows/privilege_escalation_lsa_auth_package.toml
index 2815d0320..9464e43ef 100644
--- a/rules/windows/privilege_escalation_lsa_auth_package.toml
+++ b/rules/windows/privilege_escalation_lsa_auth_package.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -19,14 +21,7 @@ name = "Potential LSA Authentication Package Abuse"
 risk_score = 47
 rule_id = "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_make_token_local.toml b/rules/windows/privilege_escalation_make_token_local.toml
index 4127468df..9ee903cf9 100644
--- a/rules/windows/privilege_escalation_make_token_local.toml
+++ b/rules/windows/privilege_escalation_make_token_local.toml
@@ -2,13 +2,15 @@
 creation_date = "2023/12/04"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/01/15"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies interactive logon attempt with alternate credentials and by an unusual process. Adversaries may create a new
-token to escalate privileges and bypass access controls.
+Identifies interactive logon attempt with alternate credentials and by an unusual process. Adversaries may
+create a new token to escalate privileges and bypass access controls.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
@@ -72,4 +74,3 @@ reference = "https://attack.mitre.org/techniques/T1134/003/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
index 1edba51e5..ff81077a5 100644
--- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml
+++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/23"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [transform]
 [[transform.osquery]]
@@ -37,13 +39,7 @@ Identifies a privilege escalation attempt via named pipe impersonation. An adver
 utilizing a framework such Metasploit's meterpreter getsystem command.
 """
 from = "now-9m"
-index = [
- "winlogbeat-*",
- "logs-endpoint.events.process-*",
- "logs-windows.*",
- "endgame-*",
- "logs-system.security*",
-]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Privilege Escalation via Named Pipe Impersonation"
@@ -120,7 +116,7 @@ tags = [
 "Tactic: Privilege Escalation",
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
+ "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
index 5787866e3..d8b013c2e 100644
--- a/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
+++ b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
@@ -2,23 +2,25 @@
 creation_date = "2023/11/15"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
+min_stack_version = "8.4.0"
+updated_date = "2024/01/15"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access
-token forging capability that are often abused to bypass access control restrictions.
+Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access token
+forging capability that are often abused to bypass access control restrictions.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "First Time Seen NewCredentials Logon Process"
-references = ["https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation"]
 risk_score = 47
 rule_id = "e468f3f6-7c4c-45bb-846a-053738b3fe5d"
 severity = "medium"
+references = ["https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation"]
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -40,17 +42,15 @@ name = "Token Impersonation/Theft"
 reference = "https://attack.mitre.org/techniques/T1134/001/"
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.executable"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-7d"
-
-
diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
index ed74562df..8759499b7 100644
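Review bot: The `references` key in privilege_escalation_newcreds_logon_rare_process.toml is moved from its position after `name` to after `severity` (`-references = [...]` followed later by `+references = [...]`) with no change to its value, which breaks the sorted `[rule]` key order that every other rule file in this diff keeps (`references` before `risk_score`, as in the CVE-2022-38028 file earlier in the diff). TOML does not care about key order, but the repo's rule files are otherwise uniform, so this one will keep producing a spurious two-line diff whenever the file is regenerated. Unless a formatter emitted this order, restoring `references` to its original place after `name` is the cleaner change.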
--- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml
+++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/01/07"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -85,7 +87,7 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
- "Data Source: Sysmon",
+ "Data Source: Sysmon"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -150,19 +152,19 @@ reference = "https://attack.mitre.org/techniques/T1574/001/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1036.001"
 name = "Invalid Code Signature"
 reference = "https://attack.mitre.org/techniques/T1036/001/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
index 4c4ac047e..02021929a 100644
--- a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
+++ b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -20,14 +22,7 @@ references = ["https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-gro
 risk_score = 47
 rule_id = "8f3e91c7-d791-4704-80a1-42c160d7aa27"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -54,7 +49,6 @@ reference = "https://attack.mitre.org/techniques/T1547/"
 id = "T1547.010"
 name = "Port Monitors"
 reference = "https://attack.mitre.org/techniques/T1547/010/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1547.012"
 name = "Print Processors"
@@ -76,7 +70,6 @@ reference = "https://attack.mitre.org/techniques/T1547/"
 id = "T1547.010"
 name = "Port Monitors"
 reference = "https://attack.mitre.org/techniques/T1547/010/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1547.012"
 name = "Print Processors"
diff --git a/rules/windows/privilege_escalation_posh_token_impersonation.toml b/rules/windows/privilege_escalation_posh_token_impersonation.toml
index 104f6ed94..8542b8686 100644
--- a/rules/windows/privilege_escalation_posh_token_impersonation.toml
+++ b/rules/windows/privilege_escalation_posh_token_impersonation.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/08/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [transform]
 [[transform.osquery]]
@@ -29,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -128,13 +129,7 @@ references = [
 risk_score = 47
 rule_id = "11dd9713-0ec6-4110-9707-32daae1ee68c"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Data Source: PowerShell Logs",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
index 03ba85956..c0752b55e 100644
--- a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
+++ b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -24,16 +26,7 @@ references = [
 risk_score = 73
 rule_id = "bd7eefee-f671-494e-98df-f01daf9e5f17"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Endgame",
- "Use Case: Vulnerability",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 type = "eql"
 query = '''
diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
index 2b31df40e..80d175281 100644
--- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/14"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -31,16 +33,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Endgame",
- "Use Case: Vulnerability",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
index 8fee45cb7..da760c6a0 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/07/06"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -33,16 +35,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Endgame",
- "Use Case: Vulnerability",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
index f6e2619c9..04705ffe7 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/03/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [transform]
 [[transform.osquery]]
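Review bot: In the `@@ -2,7 +2,9 @@` hunk of privilege_escalation_printspooler_suspicious_spl_file.toml the three added `[metadata]` keys are in a different order from every other file in this diff: `+updated_date` comes first here, whereas everywhere else it follows `+min_stack_version`. Key order does not affect how the TOML is parsed, but the rule files otherwise keep `[metadata]` keys sorted, so this one file will keep standing out in future diffs. Reordering to `+min_stack_comments = "New fields added: required_fields, related_integrations, setup"`, `+min_stack_version = "8.3.0"`, `+updated_date = "2024/03/28"` matches the rest.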
@@ -106,16 +108,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide",
- "Data Source: Elastic Endgame",
- "Use Case: Vulnerability",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
index 07e9726f3..369de22ae 100644
--- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
+++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -19,15 +21,7 @@ references = ["https://www.tiraniddo.dev/2017/05/exploiting-environment-variable
 risk_score = 73
 rule_id = "d563aaba-2e72-462b-8658-3e5ea22db3a6"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
index ed2a9f31a..818894d17 100644
--- a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
+++ b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/12/12"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -34,16 +36,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Privilege Escalation",
- "Use Case: Active Directory Monitoring",
- "Data Source: Active Directory",
- "Use Case: Vulnerability",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Use Case: Vulnerability"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -56,6 +49,7 @@ iam where event.action == "renamed-user-account" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1068"
 name = "Exploitation for Privilege Escalation"
diff --git a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
index fb37b69ba..a7540a238 100644
--- a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
+++ b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [transform]
 [[transform.osquery]]
@@ -25,7 +27,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -79,17 +80,7 @@ The `sc.exe` command line utility is used to manage and control Windows services
 risk_score = 21
 rule_id = "e8571d5f-bea1-46c2-9f56-998de2d3ed95"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Resources: Investigation Guide",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -117,19 +108,13 @@ id = "T1543.003"
 name = "Windows Service"
 reference = "https://attack.mitre.org/techniques/T1543/003/"
-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1047"
-name = "Windows Management Instrumentation"
-reference = "https://attack.mitre.org/techniques/T1047/"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -138,29 +123,35 @@ reference = "https://attack.mitre.org/techniques/T1059/"
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.003"
 name = "Windows Command Shell"
 reference = "https://attack.mitre.org/techniques/T1059/003/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.005"
 name = "Visual Basic"
 reference = "https://attack.mitre.org/techniques/T1059/005/"
+[[rule.threat.technique]]
+id = "T1047"
+name = "Windows Management Instrumentation"
+reference = "https://attack.mitre.org/techniques/T1047/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1218"
 name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1218.010"
 name = "Regsvr32"
@@ -172,7 +163,6 @@ name = "Rundll32"
 reference = "https://attack.mitre.org/techniques/T1218/011/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
index 20cd76492..df47b515e 100644
--- a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
+++ b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/05/11"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/21"
 [rule]
 author = ["Elastic"]
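Review bot: The `T1047` technique block removed in the preceding hunk (`@@ -117,19 +108,13 @@`) is re-added here after the `T1059` subtechniques rather than dropped, so the net effect on privilege_escalation_service_control_spawned_script_int.toml is a reorder that leaves the Execution tactic's techniques out of ascending id order (`T1059` now precedes `T1047`); the rule's threat mapping is unchanged in content, which is worth stating in the description so the pair of hunks is not read as a lost technique. The two consecutive `+` blank lines after `reference = "https://attack.mitre.org/tactics/TA0002/"` are also the only double blank this diff introduces, while the same commit removes double blanks elsewhere (for example the `-` pair before `[rule.threat.tactic]` in the hunk above). If the new order mirrors the upstream rule, fine; otherwise keep `T1047` ahead of `T1059` and drop one of the two added blank lines.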
@@ -24,15 +26,7 @@ references = [
 risk_score = 73
 rule_id = "6bed021a-0afb-461c-acbe-ffdb9574d3f3"
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Use Case: Active Directory Monitoring",
- "Data Source: Active Directory",
- "Use Case: Vulnerability",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Use Case: Vulnerability"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
index 52b35de4d..842ee2320 100644
--- a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
+++ b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/10/20"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/01/16"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
index bc934e48b..2b333cea9 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/10/28"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -27,17 +29,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "high"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Privilege Escalation",
- "Tactic: Defense Evasion",
- "Tactic: Execution",
- "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend",
- "Data Source: Sysmon",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -66,6 +58,7 @@ reference = "https://attack.mitre.org/techniques/T1548/002/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -83,6 +76,7 @@ reference = "https://attack.mitre.org/techniques/T1548/002/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
index 252307c82..cf28f5d3c 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/03"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/28"
 [rule]
 author = ["Elastic"]
@@ -27,17 +29,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -68,6 +60,7 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -85,6 +78,7 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -102,4 +96,3 @@ reference = "https://attack.mitre.org/techniques/T1559/001/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml index dc53b6788..094f11fde 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -26,17 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -65,6 +57,7 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -82,6 +75,7 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml index 9989095fd..6e72533b8 100644 --- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml +++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/08/18" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -11,13 +13,7 @@ Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled stealthily execute code with elevated permissions. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "UAC Bypass via DiskCleanup Scheduled Task Hijack" @@ -32,16 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -71,6 +58,7 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -88,6 +76,7 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml index 2f8b17208..f7d97510c 100644 --- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml +++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml @@ -2,7 +2,9 @@ creation_date = "2020/10/27" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -30,16 +32,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -69,6 +62,7 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -79,8 +73,6 @@ reference = "https://attack.mitre.org/techniques/T1548/" id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" @@ -97,3 +89,4 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml index d0c4a6726..c6d243d34 100644 --- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml +++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/17" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/03/28" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [transform] [[transform.osquery]] @@ -37,13 +39,7 @@ Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass elevated permissions. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Bypass UAC via Event Viewer" 
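Review bot: In the event_viewer header hunk (`@@ -2,7 +2,9 @@`) the three added `[metadata]` keys are written as `updated_date`, then `min_stack_comments`, then `min_stack_version`, while the other rule headers in this diff (e.g. uac_bypass_dll_sideloading just above) keep the keys alphabetical with `updated_date` last. The same non-alphabetical order recurs in the mock_windir, winfw_mmc_hijack and unusual_parentchild_relationship headers further down. TOML does not care about key order, but the rest of the rule files here are sorted, so a later metadata rewrite will likely reorder these four and produce churn; suggest `min_stack_comments`, `min_stack_version`, `updated_date` in all of them.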
@@ -112,16 +108,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -153,6 +140,7 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml index 7d67405a5..e664bf293 100644 --- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml +++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml @@ -2,7 +2,9 @@ creation_date = "2020/10/26" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/03/28" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [transform] [[transform.osquery]] 
@@ -37,13 +39,7 @@ Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Attackers may bypass UAC to stealthily execute code with elevated permissions. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "UAC Bypass Attempt via Windows Directory Masquerading" @@ -112,16 +108,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -148,18 +135,9 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1036" -name = "Masquerading" -reference = "https://attack.mitre.org/techniques/T1036/" -[[rule.threat.technique.subtechnique]] -id = "T1036.005" -name = "Match Legitimate Name or Location" -reference = "https://attack.mitre.org/techniques/T1036/005/" - - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" 
@@ -169,6 +147,15 @@ id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" [rule.threat.tactic] diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml index 54e126d89..5d47b701d 100644 --- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml +++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml @@ -2,7 +2,9 @@ creation_date = "2020/10/14" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/03/28" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [transform] [[transform.osquery]] @@ -106,17 +108,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Defense Evasion", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" 
@@ -146,18 +138,9 @@ reference = "https://attack.mitre.org/techniques/T1548/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" -[[rule.threat.technique.subtechnique]] -id = "T1218.014" -name = "MMC" -reference = "https://attack.mitre.org/techniques/T1218/014/" - - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" @@ -166,6 +149,15 @@ reference = "https://attack.mitre.org/techniques/T1548/" id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.014" +name = "MMC" +reference = "https://attack.mitre.org/techniques/T1218/014/" diff --git a/rules/windows/privilege_escalation_unquoted_service_path.toml b/rules/windows/privilege_escalation_unquoted_service_path.toml index c84307aa9..1b27f6a89 100644 --- a/rules/windows/privilege_escalation_unquoted_service_path.toml +++ b/rules/windows/privilege_escalation_unquoted_service_path.toml @@ -2,7 +2,9 @@ creation_date = "2023/07/13" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] 
@@ -19,13 +21,7 @@ name = "Potential Exploitation of an Unquoted Service Path Vulnerability" risk_score = 21 rule_id = "12de29d4-bbb0-4eef-b687-857e8a163870" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -40,6 +36,7 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" @@ -50,9 +47,7 @@ name = "Path Interception by Unquoted Path" reference = "https://attack.mitre.org/techniques/T1574/009/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml index 4c3ec0857..2a2df5486 100644 --- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml +++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml @@ -2,7 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/03/28" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" [transform] [[transform.osquery]] 
@@ -37,13 +39,7 @@ Identifies Windows programs run from unexpected parent processes. This could ind activity on a system. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Unusual Parent-Child Relationship" @@ -112,15 +108,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml index f9fa449d1..1cc52ef44 100644 --- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml +++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml @@ -2,7 +2,9 @@ creation_date = "2021/07/06" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -33,14 +35,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Use Case: Vulnerability", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml index 8aae57f66..62cfc4928 100644 --- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml +++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml @@ -2,7 +2,9 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -27,16 +29,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" @@ -99,7 +92,6 @@ name = "Process Hollowing" reference = "https://attack.mitre.org/techniques/T1055/012/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/privilege_escalation_via_ppid_spoofing.toml b/rules/windows/privilege_escalation_via_ppid_spoofing.toml index 57c9603c9..c5c94e637 100644 --- a/rules/windows/privilege_escalation_via_ppid_spoofing.toml +++ b/rules/windows/privilege_escalation_via_ppid_spoofing.toml @@ -2,7 +2,9 @@ creation_date = "2022/10/20" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] @@ -24,13 +26,7 @@ references = [ risk_score = 73 rule_id = "26b01043-4f04-4d2f-882a-5a1d2e95751b" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml index 52704a927..3cdd594f3 100644 --- a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml +++ b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml @@ -2,7 +2,9 @@ creation_date = "2021/10/13" integration = ["windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -34,13 +36,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Sysmon", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Sysmon"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_via_token_theft.toml b/rules/windows/privilege_escalation_via_token_theft.toml index 4e4c0049a..62f573c97 100644 --- a/rules/windows/privilege_escalation_via_token_theft.toml +++ b/rules/windows/privilege_escalation_via_token_theft.toml @@ -2,7 +2,9 @@ creation_date = "2022/10/20" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup, process.Ext.effective_parent.executable" +min_stack_version = "8.4.0" +updated_date = "2024/03/28" [rule] author = ["Elastic"] 
@@ -22,13 +24,7 @@ references = [ risk_score = 73 rule_id = "02a23ee7-c8f8-4701-b99d-e9038ce313cb" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml index 034fdc255..cd608a639 100644 --- a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml +++ b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml @@ -2,7 +2,9 @@ creation_date = "2022/02/07" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/05/14" [rule] author = ["Elastic"] diff --git a/rules_building_block/collection_archive_data_zip_imageload.toml b/rules_building_block/collection_archive_data_zip_imageload.toml index 445af055e..a8f4f0650 100644 --- a/rules_building_block/collection_archive_data_zip_imageload.toml +++ b/rules_building_block/collection_archive_data_zip_imageload.toml 
@@ -2,34 +2,29 @@ creation_date = "2023/07/06" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies the image load of a compression DLL. Adversaries will often compress and encrypt data in preparation for exfiltration. """ from = "now-119m" -index = ["logs-endpoint.events.library-*"] interval = "60m" +index = ["logs-endpoint.events.library-*"] language = "eql" license = "Elastic License v2" name = "Compression DLL Loaded by Unusual Process" risk_score = 21 rule_id = "d197478e-39f0-4347-a22f-ba654718b148" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Collection", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" +building_block_type = "default" query = ''' library where host.os.type == "windows" and event.action == "load" and @@ -53,7 +48,6 @@ library where host.os.type == "windows" and event.action == "load" and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -61,9 +55,7 @@ id = "T1560" name = "Archive Collected Data" reference = "https://attack.mitre.org/techniques/T1560/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - diff --git a/rules_building_block/collection_common_compressed_archived_file.toml b/rules_building_block/collection_common_compressed_archived_file.toml index 8cbf9f554..7799e6863 100644 --- a/rules_building_block/collection_common_compressed_archived_file.toml +++ b/rules_building_block/collection_common_compressed_archived_file.toml 
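Review bot: `building_block_type = "default"` is moved from its alphabetical slot under `[rule]` to after `type = "eql"`, and `index` is moved below `interval`, so this `[rule]` table is no longer key-sorted the way the removed side and the other rules in this diff are. The same reordering appears in the collection_files_staged_in_recycle_bin_root hunk. Parsing is unaffected, but the divergence makes future diffs against the sorted files noisier; suggest keeping the original order `building_block_type`, `description`, `from`, `index`, `interval`.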
@@ -3,7 +3,9 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = "endpoint" maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] @@ -32,7 +34,6 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' file where host.os.type == "windows" and event.type in ("creation", "change") and process.executable != null and not user.id : ("S-1-5-18", "S-1-5-17") and file.Ext.header_bytes : ( 
@@ -114,58 +115,59 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1074" -name = "Data Staged" -reference = "https://attack.mitre.org/techniques/T1074/" -[[rule.threat.technique.subtechnique]] -id = "T1074.001" -name = "Local Data Staging" -reference = "https://attack.mitre.org/techniques/T1074/001/" - - -[[rule.threat.technique]] -id = "T1560" -name = "Archive Collected Data" -reference = "https://attack.mitre.org/techniques/T1560/" -[[rule.threat.technique.subtechnique]] -id = "T1560.001" -name = "Archive via Utility" -reference = "https://attack.mitre.org/techniques/T1560/001/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + + [[rule.threat.technique]] + id = "T1560" + name = "Archive Collected Data" + reference = "https://attack.mitre.org/techniques/T1560/" + + [[rule.threat.technique.subtechnique]] + id = "T1560.001" + name = "Archive via Utility" + reference = "https://attack.mitre.org/techniques/T1560/001/" + + [[rule.threat.technique]] + id = "T1074" + name = "Data Staged" + reference = "https://attack.mitre.org/techniques/T1074/" + + [[rule.threat.technique.subtechnique]] + id = "T1074.001" + name = "Local Data Staging" + reference = "https://attack.mitre.org/techniques/T1074/001/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1132" -name = "Data Encoding" -reference = "https://attack.mitre.org/techniques/T1132/" -[[rule.threat.technique.subtechnique]] -id = "T1132.001" -name = "Standard Encoding" -reference = "https://attack.mitre.org/techniques/T1132/001/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + + [[rule.threat.technique]] + id = "T1132" + name = "Data Encoding" + reference = "https://attack.mitre.org/techniques/T1132/" + + 
[[rule.threat.technique.subtechnique]] + id = "T1132.001" + name = "Standard Encoding" + reference = "https://attack.mitre.org/techniques/T1132/001/" + [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1027" -name = "Obfuscated Files or Information" -reference = "https://attack.mitre.org/techniques/T1027/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat.technique]] + id = "T1027" + name = "Obfuscated Files or Information" + reference = "https://attack.mitre.org/techniques/T1027/" diff --git a/rules_building_block/collection_files_staged_in_recycle_bin_root.toml b/rules_building_block/collection_files_staged_in_recycle_bin_root.toml index 9b62ea0f7..bfebdb55c 100644 --- a/rules_building_block/collection_files_staged_in_recycle_bin_root.toml +++ b/rules_building_block/collection_files_staged_in_recycle_bin_root.toml 
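Review bot: In this file the `[[rule.threat.technique]]` and `[[rule.threat.technique.subtechnique]]` tables are placed after `[rule.threat.tactic]` and indented, whereas the other rules in this diff keep the technique tables before the tactic table at column 0. TOML resolves array-of-tables headers by name, so the techniques still attach to the last `[[rule.threat]]` entry and the leading whitespace is ignored, but the technique order is also swapped (T1560 now precedes T1074). If the new layout is intentional it would help to say so in the PR description; otherwise restoring the technique-then-tactic layout keeps this rule consistent with the rest and avoids a re-sort on the next save.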
@@ -2,33 +2,28 @@ creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies files written to the root of the Recycle Bin folder instead of subdirectories. Adversaries may place files in the root of the Recycle Bin in preparation for exfiltration or to evade defenses. """ from = "now-119m" -index = ["logs-endpoint.events.file-*"] interval = "60m" +index = ["logs-endpoint.events.file-*"] language = "eql" license = "Elastic License v2" name = "File Staged in Root Folder of Recycle Bin" risk_score = 21 rule_id = "57bccf1d-daf5-4e1a-9049-ff79b5254704" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Collection", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -38,22 +33,20 @@ file where host.os.type == "windows" and event.type == "creation" and not file.name : "desktop.ini" ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1074" name = "Data Staged" reference = "https://attack.mitre.org/techniques/T1074/" -[[rule.threat.technique.subtechnique]] -id = "T1074.001" -name = "Local Data Staging" -reference = "https://attack.mitre.org/techniques/T1074/001/" + [[rule.threat.technique.subtechnique]] + id = "T1074.001" + name = "Local Data Staging" + reference = "https://attack.mitre.org/techniques/T1074/001/" [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - 
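Review bot: `updated_date` moves backwards from `"2024/05/21"` to `"2024/04/05"` in the `[metadata]` hunk while `min_stack_version = "8.3.0"` and `min_stack_comments` are re-added, so the rule's content changes but its recorded update date gets older; the same pattern repeats in every rule file in this chunk (L1160 through L1181). If the intent is to restore the pre-trim revision of these files verbatim that is consistent, but if any of them carry additional edits the date should move forward, since it is presumably what downstream consumers use to notice a changed rule. The reordering of `building_block_type`, `index` and `interval` and the collapse of `tags` onto one line suggest the files were restored from an older revision rather than written by the project's TOML normalizer, so a normalizer pass before merging would avoid churn on the next save.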
diff --git a/rules_building_block/collection_linux_suspicious_clipboard_activity.toml b/rules_building_block/collection_linux_suspicious_clipboard_activity.toml index 7705f9a89..d48ae3695 100644 --- a/rules_building_block/collection_linux_suspicious_clipboard_activity.toml +++ b/rules_building_block/collection_linux_suspicious_clipboard_activity.toml @@ -2,19 +2,20 @@ creation_date = "2023/07/27" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] -building_block_type = "default" description = """ This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process group leader. Adversaries may collect data stored in the clipboard from users copying information within or between applications. """ from = "now-119m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] interval = "60m" +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "kuery" license = "Elastic License v2" name = "Potential Suspicious Clipboard Activity Detected" 
@@ -22,33 +23,32 @@ risk_score = 21 rule_id = "884e87cc-c67b-4c90-a4ed-e1e24a940c82" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Collection", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] -timestamp_override = "event.ingested" + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Collection", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] type = "new_terms" - +timestamp_override = "event.ingested" +building_block_type = "default" query = ''' event.category:process and host.os.type:"linux" and event.type:"start" and event.action:("exec" or "exec_event" or "executed" or "process_started") and process.name:("xclip" or "xsel" or "wl-clipboard" or "clipman" or "copyq") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1115" name = "Clipboard Data" reference = "https://attack.mitre.org/techniques/T1115/" - [rule.threat.tactic] id = "TA0009" name = "Collection" @@ -57,8 +57,7 @@ reference = "https://attack.mitre.org/tactics/TA0009/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.group_leader.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" - - diff --git a/rules_building_block/collection_outlook_email_archive.toml b/rules_building_block/collection_outlook_email_archive.toml index 3362ff8a2..6b5b04cb0 100644 --- a/rules_building_block/collection_outlook_email_archive.toml +++ b/rules_building_block/collection_outlook_email_archive.toml 
@@ -2,34 +2,29 @@ creation_date = "2023/08/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ -Identifies commands containing references to Outlook data files extensions, which can potentially indicate the search, -access, or modification of these files. +Identifies commands containing references to Outlook data files extensions, which can potentially indicate the search, access, or +modification of these files. """ from = "now-119m" -index = ["logs-endpoint.events.process-*"] interval = "60m" +index = ["logs-endpoint.events.process-*"] language = "eql" license = "Elastic License v2" name = "Accessing Outlook Data Files" risk_score = 21 rule_id = "2e311539-cd88-4a85-a301-04f38795007c" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Collection", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" +building_block_type = "default" query = ''' process where host.os.type == "windows" and event.type == "start" and process.args : ("*.ost", "*.pst") and 
@@ -40,22 +35,19 @@ process where host.os.type == "windows" and event.type == "start" and process.ar ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" + [[rule.threat.technique.subtechnique]] id = "T1114.001" name = "Local Email Collection" reference = "https://attack.mitre.org/techniques/T1114/001/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - diff --git a/rules_building_block/command_and_control_bitsadmin_activity.toml b/rules_building_block/command_and_control_bitsadmin_activity.toml index 5090c481c..cfc5929a8 100644 --- a/rules_building_block/command_and_control_bitsadmin_activity.toml +++ b/rules_building_block/command_and_control_bitsadmin_activity.toml 
@@ -2,34 +2,29 @@ creation_date = "2023/08/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism. Adversaries may abuse BITS to persist, download, execute, and even clean up after running malicious code. """ from = "now-119m" -index = ["logs-endpoint.events.process-*"] interval = "60m" +index = ["logs-endpoint.events.process-*"] language = "eql" license = "Elastic License v2" name = "Bitsadmin Activity" risk_score = 21 rule_id = "8eec4df1-4b4b-4502-b6c3-c788714604c9" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" +building_block_type = "default" query = ''' process where host.os.type == "windows" and event.type == "start" and @@ -45,7 +40,6 @@ process where host.os.type == "windows" and event.type == "start" and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -58,6 +52,7 @@ reference = "https://attack.mitre.org/techniques/T1105/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -70,6 +65,7 @@ reference = "https://attack.mitre.org/techniques/T1197/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -82,4 +78,3 @@ reference = "https://attack.mitre.org/techniques/T1197/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules_building_block/command_and_control_certutil_network_connection.toml b/rules_building_block/command_and_control_certutil_network_connection.toml index c2e4b44ff..15bce7b66 100644 --- a/rules_building_block/command_and_control_certutil_network_connection.toml +++ b/rules_building_block/command_and_control_certutil_network_connection.toml @@ -2,7 +2,9 @@ creation_date = "2020/03/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" bypass_bbr_timing = true [transform] diff --git a/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml b/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml index 3a1341bca..1caa23c11 100644 --- a/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml +++ b/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml @@ -2,7 +2,9 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [transform] [[transform.osquery]] 
@@ -29,19 +31,18 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" - [rule] author = ["Elastic"] building_block_type = "default" description = """ This rule monitors for X11 forwarding via SSH. X11 forwarding is a feature that allows users to run graphical applications on a remote server and display the application's graphical user interface on their local machine. Attackers -can abuse X11 forwarding for tunneling their GUI-based tools, pivot through compromised systems, and create covert +can abuse X11 forwarding for tunneling their GUI-based tools, pivot through compromised systems, and create covert communication channels, enabling lateral movement and facilitating remote control of systems within a network. """ from = "now-119m" -index = ["logs-endpoint.events.*", "endgame-*"] interval = "60m" +index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential Linux SSH X11 Forwarding" 
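Review bot: The removed and added `can abuse X11 forwarding for tunneling their GUI-based tools, pivot through compromised systems, and create covert` lines are textually identical in this view, so the change appears to be trailing whitespace only; if so it should be dropped so the hunk shows just the intended key reordering. Trailing spaces inside a TOML `"""` string are part of the value, so the description would otherwise change by a stray space.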
@@ -109,34 +110,31 @@ risk_score = 21 rule_id = "29f0cf93-d17c-4b12-b4f3-a433800539fa" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Rule Type: BBR", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name in ("ssh", "sshd") and process.args in ("-X", "-Y") and process.args_count >= 3 and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules_building_block/command_and_control_non_standard_http_port.toml b/rules_building_block/command_and_control_non_standard_http_port.toml index 44d1e9f9f..db386d382 100644 --- a/rules_building_block/command_and_control_non_standard_http_port.toml +++ b/rules_building_block/command_and_control_non_standard_http_port.toml @@ -2,7 +2,9 @@ creation_date = "2023/07/10" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/22" [transform] [[transform.osquery]] 
@@ -29,18 +31,18 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" - [rule] author = ["Elastic"] building_block_type = "default" description = """ -Identifies potentially malicious processes communicating via a port paring typically not associated with HTTP/HTTPS. For -example, HTTP over port 8443 or port 440 as opposed to the traditional port 80 , 443. Adversaries may make changes to -the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data. +Identifies potentially malicious processes communicating via a port paring typically not associated with HTTP/HTTPS. +For example, HTTP over port 8443 or port 440 as opposed to the traditional port 80 , 443. +Adversaries may make changes to the standard port a protocol uses to bypass filtering or +muddle analysis/parsing of network data. """ from = "now-119m" -index = ["logs-endpoint.events.*", "endgame-*"] interval = "60m" +index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential Non-Standard Port HTTP/HTTPS connection" 
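Review bot: The rewrapped description on the new side still reads `via a port paring typically not associated with HTTP/HTTPS` and `port 80 , 443`; since these lines are being rewritten anyway, `port pairing` and `ports 80 and 443` would fix the typo and the spacing. The rewrap also leaves the first line longer than the others while splitting the last sentence across three short lines, so the text reads less evenly than the removed version. Everything else in the hunk is key reordering and blank-line removal.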
@@ -106,46 +108,46 @@ risk_score = 21 rule_id = "62b68eb2-1e47-4da7-85b6-8f478db5b272" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' network where process.name : ("http", "https") and destination.port not in (80, 443) and event.action in ( "connection_attempted", "ipv4_connection_attempt_event", "connection_accepted", "ipv4_connection_accept_event" ) and destination.ip != "127.0.0.1" ''' - [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1071" -name = "Application Layer Protocol" -reference = "https://attack.mitre.org/techniques/T1071/" -[[rule.threat.technique.subtechnique]] -id = "T1071.001" -name = "Web Protocols" -reference = "https://attack.mitre.org/techniques/T1071/001/" - [[rule.threat.technique]] id = "T1571" name = "Non-Standard Port" reference = "https://attack.mitre.org/techniques/T1571/" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + [[rule.threat.technique]] id = "T1573" name = "Encrypted Channel" reference = "https://attack.mitre.org/techniques/T1573/" + [[rule.threat.technique.subtechnique]] id = "T1573.001" name = "Symmetric Cryptography" 
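Review bot: The query's loopback exclusion `destination.ip != "127.0.0.1"` (an unchanged line in this hunk) covers only the single IPv4 loopback address, so `http`/`https` connections to `::1` or to any other `127.0.0.0/8` address still match; `and not cidrMatch(destination.ip, "127.0.0.0/8", "::1/128")` would exclude both loopback families consistently. Separately, the new side reorders the techniques so T1571 precedes T1071 and moves the T1071.001 subtechnique after it; array-of-tables order is the order the technique list serializes in, so this is a content change rather than a reformat and should be deliberate. The `tags` array is also re-indented with an indented closing bracket, which differs from the single-line `tags` used by other files in this commit (L1159, L1162, L1164).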
@@ -156,10 +158,7 @@ id = "T1573.002" name = "Asymmetric Cryptography" reference = "https://attack.mitre.org/techniques/T1573/002/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules_building_block/credential_access_mdmp_file_creation.toml b/rules_building_block/credential_access_mdmp_file_creation.toml index 938d4cba5..c9da48cd0 100644 --- a/rules_building_block/credential_access_mdmp_file_creation.toml +++ b/rules_building_block/credential_access_mdmp_file_creation.toml @@ -1,13 +1,14 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/09/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies the creation or modification of a medium size memory dump file which can indicate an attempt to access credentials from a process memory. @@ -20,15 +21,9 @@ name = "Potential Credential Access via Memory Dump File Creation" risk_score = 21 rule_id = "e707a7be-cc52-41ac-8ab3-d34b38c20005" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -95,4 +90,3 @@ reference = "https://attack.mitre.org/techniques/T1003/001/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - 
diff --git a/rules_building_block/credential_access_mdmp_file_unusual_extension.toml b/rules_building_block/credential_access_mdmp_file_unusual_extension.toml index 666c28d4f..2a9735df4 100644 --- a/rules_building_block/credential_access_mdmp_file_unusual_extension.toml +++ b/rules_building_block/credential_access_mdmp_file_unusual_extension.toml @@ -1,13 +1,14 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/09/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies the creation of a memory dump file with an unusual extension, which can indicate an attempt to disguise a memory dump as another file type to bypass security defenses. @@ -20,16 +21,9 @@ name = "Memory Dump File with Unusual Extension" risk_score = 21 rule_id = "c0b9dc99-c696-4779-b086-0d37dc2b3778" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -67,6 +61,8 @@ reference = "https://attack.mitre.org/techniques/T1003/001/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -79,9 +75,7 @@ name = "Masquerade File Type" reference = "https://attack.mitre.org/techniques/T1036/008/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/credential_access_win_private_key_access.toml b/rules_building_block/credential_access_win_private_key_access.toml index 9ae2286ca..42b71291c 100644 --- a/rules_building_block/credential_access_win_private_key_access.toml +++ b/rules_building_block/credential_access_win_private_key_access.toml @@ -2,31 +2,28 @@ creation_date = "2023/08/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" -description = "Attackers may try to access private keys, e.g. ssh, in order to gain further authenticated access to the environment.\n" +description = """ +Attackers may try to access private keys, e.g. ssh, in order to gain further authenticated access to the environment. +""" from = "now-119m" -index = ["logs-endpoint.events.process-*"] interval = "60m" +index = ["logs-endpoint.events.process-*"] language = "eql" license = "Elastic License v2" name = "Attempted Private Key Access" risk_score = 21 rule_id = "c55badd3-3e61-4292-836f-56209dc8a601" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" +building_block_type = "default" query = ''' process where host.os.type == "windows" and event.type == "start" and 
@@ -50,7 +47,6 @@ process where host.os.type == "windows" and event.type == "start" and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -68,4 +64,3 @@ reference = "https://attack.mitre.org/techniques/T1552/004/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml index 8e6fdd616..399b4d52f 100644 --- a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml +++ b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml 
@@ -2,32 +2,28 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" -description = "Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload.\n" +description = """ +Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload. +""" from = "now-119m" -index = ["logs-endpoint.events.process-*"] interval = "60m" +index = ["logs-endpoint.events.process-*"] language = "eql" license = "Elastic License v2" name = "Binary Content Copy via Cmd.exe" risk_score = 21 rule_id = "53dedd83-1be7-430f-8026-363256395c8b" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" +building_block_type = "default" query = ''' process where host.os.type == "windows" and event.type == "start" and 
@@ -36,32 +32,33 @@ process where host.os.type == "windows" and event.type == "start" and (process.args : "copy" and process.args : "/b")) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules_building_block/defense_evasion_cmstp_execution.toml b/rules_building_block/defense_evasion_cmstp_execution.toml index 75a9ca7c7..a3bc97b36 100644 --- a/rules_building_block/defense_evasion_cmstp_execution.toml +++ b/rules_building_block/defense_evasion_cmstp_execution.toml 
@@ -2,35 +2,32 @@ creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program to install Connection Manager service profiles, which accept installation information file (INF) files. Adversaries may abuse CMSTP to proxy the execution of malicious code by supplying INF files that contain malicious commands. """ from = "now-119m" -index = ["logs-endpoint.events.process-*"] interval = "60m" +index = ["logs-endpoint.events.process-*"] language = "eql" license = "Elastic License v2" name = "Potential Defense Evasion via CMSTP.exe" -references = ["https://attack.mitre.org/techniques/T1218/003/"] +references = [ + "https://attack.mitre.org/techniques/T1218/003/", +] risk_score = 21 rule_id = "bd3d058d-5405-4cee-b890-337f09366ba2" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -56,4 +53,3 @@ reference = "https://attack.mitre.org/techniques/T1218/003/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml b/rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml index e59ad5a89..77c7aae2f 100644 
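Review bot: `references` is expanded into a multi-line array holding a single URL with a trailing comma while, a few keys later in the same hunk, `tags` is collapsed from a multi-line array onto one line; the two edits pull in opposite directions and leave the file less consistent than before. Keeping `references = ["https://attack.mitre.org/techniques/T1218/003/"]` on one line, or leaving both arrays multi-line, would avoid churn on the next normalizer run. The remaining changes in the hunk are the `min_stack_version` restore and the key reordering shared with the other rule files.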
--- a/rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml +++ b/rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml @@ -1,13 +1,14 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies the creation of an archive file with an unusual extension. Attackers may attempt to evade detection by masquerading files using the file extension values used by image, audio, or document file types. @@ -20,15 +21,9 @@ name = "Archive File with Unusual Extension" risk_score = 21 rule_id = "cffbaf47-9391-4e09-a83c-1f27d7474826" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -54,7 +49,6 @@ file where host.os.type == "windows" and event.action != "deletion" and not (process.executable : "?:\\Windows\\System32\\inetsrv\\w3wp.exe" and file.path : "?:\\inetpub\\temp\\IIS Temporary Compressed Files\\*") ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -67,9 +61,7 @@ name = "Masquerade File Type" reference = "https://attack.mitre.org/techniques/T1036/008/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml b/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml index 0e9ddb9fa..303f5a25a 100644 --- a/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml +++ b/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml @@ -1,13 +1,14 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/08/04" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies suspicious child processes of communications apps, which can indicate a potential masquerading as the communication app or the exploitation of a vulnerability on the application causing it to execute code. @@ -20,16 +21,9 @@ name = "Suspicious Communication App Child Process" risk_score = 21 rule_id = "adbfa3ee-777e-4747-b6b0-7bd645f30880" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Persistence", - "Rule Type: BBR", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -261,6 +255,7 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" 
@@ -271,17 +266,16 @@ id = "T1036.005" name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -289,7 +283,6 @@ id = "T1554" name = "Compromise Client Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml b/rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml index 8bad6f8fe..0e918df36 100644 --- a/rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml +++ b/rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml 
@@ -2,18 +2,20 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/22" [rule] author = ["Elastic"] building_block_type = "default" description = """ -Identify activity related where adversaries can add the 'hidden' flag to files to hide them from the user in an attempt -to evade detection. +Identify activity related where adversaries can add the 'hidden' flag to files to hide +them from the user in an attempt to evade detection. """ from = "now-119m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] interval = "60m" +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Hidden Files and Directories via Hidden Flag" 
@@ -21,39 +23,36 @@ risk_score = 21 rule_id = "5124e65f-df97-4471-8dcb-8e3953b3ea97" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' file where event.type == "creation" and process.name == "chflags" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_dll_hijack.toml b/rules_building_block/defense_evasion_dll_hijack.toml index 68d23e228..35f81a544 100644 --- a/rules_building_block/defense_evasion_dll_hijack.toml +++ b/rules_building_block/defense_evasion_dll_hijack.toml 
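Review bot: The `tags` array on the new side of this hunk keeps one entry per line but indents the closing `]` and drops the trailing comma after `"Data Source: Auditd Manager"`, while every other rule in this commit collapses `tags` onto a single line, so the set of rule files ends up with a third formatting variant. Either keep the removed block as it was (entries at four spaces, trailing comma, `]` at column 0) or use the single-line form applied to the other files in this commit.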
@@ -2,34 +2,29 @@ creation_date = "2023/07/12" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above." +min_stack_version = "8.4.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies digitally signed (trusted) processes loading unsigned DLLs. Attackers may plant their payloads into the application folder and invoke the legitimate application to execute the payload, masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. """ from = "now-119m" -index = ["logs-endpoint.events.library-*"] interval = "60m" +index = ["logs-endpoint.events.library-*"] language = "eql" license = "Elastic License v2" name = "Unsigned DLL Loaded by a Trusted Process" risk_score = 21 rule_id = "c20cd758-07b1-46a1-b03f-fa66158258b8" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Rule Type: BBR", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -87,6 +82,7 @@ framework = "MITRE ATT&CK" id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL Search Order Hijacking" @@ -99,8 +95,8 @@ reference = "https://attack.mitre.org/techniques/T1574/002/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml b/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml index 79332fc53..11d2c4033 100644 --- a/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml +++ b/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml @@ -2,32 +2,27 @@ creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/09/25" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies the execution of DotNet ClickOnce installer via Dfsvc.exe trampoline. Adversaries may take advantage of ClickOnce to proxy execution of malicious payloads via trusted Microsoft processes. """ from = "now-119m" -index = ["logs-endpoint.events.*"] interval = "60m" +index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Execution via Microsoft DotNet ClickOnce Host" risk_score = 21 rule_id = "5297b7f1-bccd-4611-93fa-ea342a01ff84" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Rule Type: BBR", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] +building_block_type = "default" type = "eql" query = ''' @@ -40,6 +35,7 @@ sequence by user.id with maxspan=5s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" 
@@ -49,15 +45,13 @@ reference = "https://attack.mitre.org/techniques/T1127/" id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" -[[rule.threat.technique.subtechnique]] -id = "T1218.011" -name = "Rundll32" -reference = "https://attack.mitre.org/techniques/T1218/011/" - + [[rule.threat.technique.subtechnique]] + id = "T1218.011" + name = "Rundll32" + reference = "https://attack.mitre.org/techniques/T1218/011/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_download_susp_extension.toml b/rules_building_block/defense_evasion_download_susp_extension.toml index 0e65e8b4c..1a64a5acf 100644 --- a/rules_building_block/defense_evasion_download_susp_extension.toml +++ b/rules_building_block/defense_evasion_download_susp_extension.toml 
@@ -2,38 +2,32 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ -Identifies unusual files downloaded from outside the local network that have the potential to be abused for code -execution. +Identifies unusual files downloaded from outside the local network that have the potential to be abused for code execution. """ +references = [ + "https://x.com/Laughing_Mantis/status/1518766501385318406", + "https://wikileaks.org/ciav7p1/cms/page_13763375.html" +] from = "now-119m" -index = ["logs-endpoint.events.file-*"] interval = "60m" +index = ["logs-endpoint.events.file-*"] language = "eql" license = "Elastic License v2" name = "File with Suspicious Extension Downloaded" -references = [ - "https://x.com/Laughing_Mantis/status/1518766501385318406", - "https://wikileaks.org/ciav7p1/cms/page_13763375.html", -] risk_score = 21 rule_id = "8d366588-cbd6-43ba-95b4-0971c3f906e5" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" +building_block_type = "default" query = ''' file where host.os.type == "windows" and event.type == "creation" and 
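Review bot: The reflowed `description` on the new side is a single 123-character line, `Identifies unusual files downloaded from outside the local network that have the potential to be abused for code execution.`, whereas the removed lines wrapped it at 120 columns, which looks like the width the other rule files in this chunk respect; keep the two-line wrap from the old side. The `references` array is also moved above `from` and loses its trailing comma, which departs from the alphabetical key order the removed lines had and is likely to be reordered again by the next normalisation of the rules.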
@@ -61,16 +55,17 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique]] + name = "System Binary Proxy Execution" + id = "T1218" + reference = "https://attack.mitre.org/techniques/T1218/" + + [rule.threat.tactic] + name = "Defense Evasion" + id = "TA0005" + reference = "https://attack.mitre.org/tactics/TA0005/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml b/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml index 2eecbdb9c..2233ab0f3 100644 --- a/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml +++ b/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml 
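Review bot: The re-added `[[rule.threat.technique]]` and `[rule.threat.tactic]` tables in this hunk list `name` before `id`, while every other threat entry in this commit, including the `[[rule.threat.technique]]` that follows the next `[[rule.threat]]`, uses the order `id`, `name`, `reference`. The values are unchanged, so this is consistency only, but it will likely show up as a spurious diff the next time the rules are normalised. Suggest `id = "T1218"` before `name = "System Binary Proxy Execution"` and `id = "TA0005"` before `name = "Defense Evasion"`, and keeping the two-space indent consistent with the other files in the commit if indentation is wanted at all.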
@@ -2,39 +2,33 @@ creation_date = "2023/09/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies the execution of a command via Microsoft Visual Studio Pre or Post build events. Adversaries may backdoor a trusted visual studio project to execute a malicious command during the project build process. """ +references = [ + "https://docs.microsoft.com/en-us/visualstudio/ide/reference/pre-build-event-post-build-event-command-line-dialog-box?view=vs-2022", + "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html", + "https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/", + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Execution/execution_evasion_visual_studio_prebuild_event.evtx" +] from = "now-119m" -index = ["logs-endpoint.events.process-*"] interval = "60m" +index = ["logs-endpoint.events.process-*"] language = "eql" license = "Elastic License v2" name = "Execution via MS VisualStudio Pre/Post Build Events" -references = [ - "https://docs.microsoft.com/en-us/visualstudio/ide/reference/pre-build-event-post-build-event-command-line-dialog-box?view=vs-2022", - "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html", - "https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/", - "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Execution/execution_evasion_visual_studio_prebuild_event.evtx", -] risk_score = 21 rule_id = "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Rule 
Type: BBR", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Rule Type: BBR", "Data Source: Elastic Defend"] +building_block_type = "default" type = "eql" query = ''' @@ -100,4 +94,3 @@ framework = "MITRE ATT&CK" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/defense_evasion_file_permission_modification.toml b/rules_building_block/defense_evasion_file_permission_modification.toml index f58bdff58..11a0e1a76 100644 --- a/rules_building_block/defense_evasion_file_permission_modification.toml +++ b/rules_building_block/defense_evasion_file_permission_modification.toml 
@@ -2,33 +2,28 @@ creation_date = "2023/07/12" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies the change of permissions/ownership of files/folders through built-in Windows utilities. Threat actors may require permission modification of files/folders to change, modify or delete them. """ from = "now-119m" -index = ["logs-endpoint.events.process-*"] interval = "60m" +index = ["logs-endpoint.events.process-*"] language = "eql" license = "Elastic License v2" name = "File and Directory Permissions Modification" risk_score = 21 rule_id = "bc9e4f5a-e263-4213-a2ac-1edf9b417ada" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Rule Type: BBR", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -51,15 +46,14 @@ framework = "MITRE ATT&CK" id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" + [[rule.threat.technique.subtechnique]] id = "T1222.001" name = "Windows File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/001/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_generic_deletion.toml b/rules_building_block/defense_evasion_generic_deletion.toml index 845c9e554..548a7d4d0 100644 --- a/rules_building_block/defense_evasion_generic_deletion.toml 
+++ b/rules_building_block/defense_evasion_generic_deletion.toml @@ -2,33 +2,28 @@ creation_date = "2023/07/13" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ This rule identifies the execution of commands that can be used to delete files and directories. Adversaries may delete files and directories on a host system, such as logs, browser history, or malware. """ from = "now-119m" -index = ["logs-endpoint.events.process-*"] interval = "60m" +index = ["logs-endpoint.events.process-*"] language = "eql" license = "Elastic License v2" name = "File or Directory Deletion Command" risk_score = 21 rule_id = "5919988c-29e1-4908-83aa-1f087a838f63" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Rule Type: BBR", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -52,6 +47,7 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" @@ -61,10 +57,7 @@ id = "T1070.004" name = "File Deletion" reference = "https://attack.mitre.org/techniques/T1070/004/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml b/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml index 1b0edce3e..360c17149 100644 
--- a/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml +++ b/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml @@ -2,37 +2,27 @@ creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" -description = "Identifies indirect command execution via Program Compatibility Assistant (pcalua.exe) or forfiles.exe.\n" +description = """ +Identifies indirect command execution via Program Compatibility Assistant (pcalua.exe) or forfiles.exe. +""" from = "now-119m" -index = [ - "logs-endpoint.events.process-*", - "logs-system.security*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", -] interval = "60m" +index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Indirect Command Execution via Forfiles/Pcalua" risk_score = 21 rule_id = "98843d35-645e-4e66-9d6a-5049acd96ce1" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Rule Type: BBR", - "Data Source: Elastic Endgame", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -53,4 +43,3 @@ reference = "https://attack.mitre.org/techniques/T1202/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules_building_block/defense_evasion_injection_from_msoffice.toml b/rules_building_block/defense_evasion_injection_from_msoffice.toml index 6d1c96172..92008c11f 100644 --- a/rules_building_block/defense_evasion_injection_from_msoffice.toml +++ b/rules_building_block/defense_evasion_injection_from_msoffice.toml @@ -2,36 +2,29 @@ creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel) with unusual process arguments and path. This behavior is often observed during exploitation of Office applications or from documents with malicious macros. """ from = "now-119m" -index = ["logs-endpoint.events.process-*"] interval = "60m" +index = ["logs-endpoint.events.process-*"] language = "eql" license = "Elastic License v2" name = "Potential Process Injection from Malicious Document" risk_score = 21 rule_id = "1c5a04ae-d034-41bf-b0d8-96439b5cc774" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Privilege Escalation", - "Tactic: Initial Access", - "Rule Type: BBR", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Tactic: Initial Access", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -49,7 +42,6 @@ process where host.os.type == "windows" and event.action == "start" and "?:\\Windows\\System32\\notepad.exe") ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -57,11 +49,12 @@ id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -69,11 +62,12 @@ id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -85,10 +79,7 @@ id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules_building_block/defense_evasion_installutil_command_activity.toml b/rules_building_block/defense_evasion_installutil_command_activity.toml index 18335f50a..cca9b3bca 100644 --- a/rules_building_block/defense_evasion_installutil_command_activity.toml +++ b/rules_building_block/defense_evasion_installutil_command_activity.toml 
@@ -2,41 +2,29 @@ creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. Adversaries may use InstallUtil to proxy the execution of code through a trusted Windows utility. """ from = "now-119m" -index = [ - "logs-endpoint.events.process-*", - "logs-system.security*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", -] interval = "60m" +index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "InstallUtil Activity" risk_score = 21 rule_id = "90babaa8-5216-4568-992d-d4a01a105d98" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Rule Type: BBR", - "Data Source: Elastic Endgame", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -62,4 +50,3 @@ reference = "https://attack.mitre.org/techniques/T1218/004/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_invalid_codesign_imageload.toml b/rules_building_block/defense_evasion_invalid_codesign_imageload.toml index 2017bffb2..1ab179118 100644 --- a/rules_building_block/defense_evasion_invalid_codesign_imageload.toml 
+++ b/rules_building_block/defense_evasion_invalid_codesign_imageload.toml @@ -2,33 +2,28 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies binaries that are loaded and with an invalid code signature. This may indicate an attempt to masquerade as a signed binary. """ from = "now-119m" -index = ["logs-endpoint.events.library-*"] interval = "60m" +index = ["logs-endpoint.events.library-*"] language = "eql" license = "Elastic License v2" name = "Image Loaded with Invalid Signature" risk_score = 21 rule_id = "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Rule Type: BBR", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -41,22 +36,20 @@ library where host.os.type == "windows" and event.action == "load" and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_masquerading_browsers.toml b/rules_building_block/defense_evasion_masquerading_browsers.toml index 05eab7af3..3f033afb3 100644 
--- a/rules_building_block/defense_evasion_masquerading_browsers.toml +++ b/rules_building_block/defense_evasion_masquerading_browsers.toml @@ -1,13 +1,14 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/08/02" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies suspicious instances of browser processes, such as unsigned or signed with unusual certificates, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into @@ -21,16 +22,9 @@ name = "Potential Masquerading as Browser Process" risk_score = 21 rule_id = "5b9eb30f-87d6-45f4-9289-2bf2024f0376" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Persistence", - "Rule Type: BBR", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -165,6 +159,7 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -176,11 +171,11 @@ name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -188,7 +183,6 @@ id = "T1554" name = "Compromise Client Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml b/rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml index 7df37c105..0e92d42ba 100644 --- a/rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml +++ b/rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml @@ -2,33 +2,28 @@ creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies the creation or modification of an executable file with an unexpected file extension. Attackers may attempt to evade detection by masquerading files using the file extension values used by image, audio, or document file types. """ from = "now-119m" -index = ["logs-endpoint.events.file-*"] interval = "60m" +index = ["logs-endpoint.events.file-*"] language = "eql" license = "Elastic License v2" name = "Executable File with Unusual Extension" risk_score = 21 rule_id = "ecd4857b-5bac-455e-a7c9-a88b66e56a9e" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Rule Type: BBR", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' 
@@ -64,9 +59,7 @@ name = "Masquerade File Type" reference = "https://attack.mitre.org/techniques/T1036/008/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_masquerading_vlc_dll.toml b/rules_building_block/defense_evasion_masquerading_vlc_dll.toml index a27d78317..719e094cd 100644 --- a/rules_building_block/defense_evasion_masquerading_vlc_dll.toml +++ b/rules_building_block/defense_evasion_masquerading_vlc_dll.toml @@ -1,13 +1,14 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/08/09" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies instances of VLC-related DLLs which are not signed by the original developer. Attackers may name their payload as legitimate applications to blend into the environment, or embedding its malicious code within legitimate @@ -21,16 +22,9 @@ name = "Potential Masquerading as VLC DLL" risk_score = 21 rule_id = "4494c14f-5ff8-4ed2-8e99-bf816a1642fc" severity = "low" -tags = [ - "Domain: Endpoint", - "Data Source: Elastic Defend", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Persistence", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' 
@@ -49,6 +43,7 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -60,11 +55,12 @@ name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -72,7 +68,6 @@ id = "T1554" name = "Compromise Client Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules_building_block/defense_evasion_masquerading_windows_dll.toml b/rules_building_block/defense_evasion_masquerading_windows_dll.toml index 41bd9f17d..3cd09f3fd 100644 --- a/rules_building_block/defense_evasion_masquerading_windows_dll.toml +++ b/rules_building_block/defense_evasion_masquerading_windows_dll.toml @@ -1,13 +1,14 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/08/18" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above." +min_stack_version = "8.4.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies suspicious instances of default system32 DLLs either unsigned or signed with non-MS certificates. This can potentially indicate the attempt to masquerade as system DLLs, perform DLL Search Order Hijacking or backdoor and resign 
@@ -21,16 +22,9 @@ name = "Potential Masquerading as System32 DLL" risk_score = 21 rule_id = "fb01d790-9f74-4e76-97dd-b4b0f7bf6435" severity = "low" -tags = [ - "Domain: Endpoint", - "Data Source: Elastic Defend", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Persistence", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -112,6 +106,7 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -122,11 +117,11 @@ id = "T1036.005" name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL Search Order Hijacking" @@ -138,11 +133,12 @@ name = "DLL Side-Loading" reference = "https://attack.mitre.org/techniques/T1574/002/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -150,7 +146,6 @@ id = "T1554" name = "Compromise Client Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml b/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml index bed9eb796..803b5fea6 100644 --- a/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml 
+++ b/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml @@ -1,13 +1,14 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/08/20" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies suspicious instances of default system32 executables, either unsigned or signed with non-MS certificates. This could indicate the attempt to masquerade as system executables or backdoored and resigned legitimate executables. @@ -20,16 +21,9 @@ name = "Potential Masquerading as System32 Executable" risk_score = 21 rule_id = "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47" severity = "low" -tags = [ - "Domain: Endpoint", - "Data Source: Elastic Defend", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Persistence", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -86,6 +80,7 @@ framework = "MITRE ATT&CK" id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -96,12 +91,12 @@ id = "T1036.005" name = "Match Legitimate Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -109,7 +104,6 @@ id = "T1554" name = "Compromise Client Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml index a29c08022..870180263 100644 --- a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml +++ b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml 
@@ -2,41 +2,31 @@ creation_date = "2023/09/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ -Identifies the execution of the Microsoft Diagnostic Wizard to open a diagcab file from a suspicious path and with an -unusual parent process. This may indicate an attempt to execute malicious Troubleshooting Pack Cabinet files. +Identifies the execution of the Microsoft Diagnostic Wizard to open a diagcab file from a suspicious path and with an unusual +parent process. This may indicate an attempt to execute malicious Troubleshooting Pack Cabinet files. """ -from = "now-119m" -index = [ - "logs-endpoint.events.process-*", - "logs-system.security*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", +references = [ + "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd" ] +from = "now-119m" interval = "60m" +index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Suspicious Troubleshooting Pack Cabinet Execution" -references = ["https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd"] risk_score = 21 rule_id = "808291d3-e918-4a3a-86cd-73052a0c9bdc" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' 
@@ -58,14 +48,13 @@ process where host.os.type == "windows" and event.action == "start" and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1218" -name = "System Binary Proxy Execution" -reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique]] + name = "System Binary Proxy Execution" + id = "T1218" + reference = "https://attack.mitre.org/techniques/T1218/" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - + [rule.threat.tactic] + name = "Defense Evasion" + id = "TA0005" + reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml b/rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml index 1a910a7c3..8ee273efc 100644 --- a/rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml +++ b/rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml 
@@ -2,33 +2,30 @@ creation_date = "2023/09/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/09/26" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies the execution of an installer from an archive or with suspicious properties. Adversaries may abuse msiexec.exe to launch local or network accessible MSI files in an attempt to bypass application whitelisting. """ +references = [ + "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/" +] from = "now-119m" -index = ["logs-endpoint.events.*"] interval = "60m" +index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Windows Installer with Suspicious Properties" -references = ["https://lolbas-project.github.io/lolbas/Binaries/Msiexec/"] risk_score = 21 rule_id = "55f07d1b-25bc-4a0f-aa0c-05323c1319d0" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Rule Type: BBR", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] +building_block_type = "default" type = "eql" query = ''' @@ -66,4 +63,3 @@ reference = "https://attack.mitre.org/techniques/T1218/007/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml b/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml index c5e63bbb8..e0133519d 100644 --- a/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml +++ b/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml 
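Review bot: Unlike the sibling building-block rules in this change (the msdt, BITS and service rules all carry it), this file has no `timestamp_override = "event.ingested"` on either side, so with `from = "now-119m"` and `interval = "60m"` the lookback window is measured against `@timestamp` rather than ingest time and late-arriving events are silently missed. Consider adding `timestamp_override = "event.ingested"` beside `type = "eql"` if that matches the other BBR rules' intent. Separately, the new side resets `updated_date = "2023/09/26"`, identical to `creation_date`, even though the commit modifies the file; confirm the metadata checks tolerate that.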
@@ -2,18 +2,20 @@ creation_date = "2023/08/24" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] building_block_type = "default" description = """ -Identify instances where adversaries include trailing space characters to mimic regular files, disguising their activity -to evade default file handling mechanisms. +Identify instances where adversaries include trailing space characters to mimic regular files, disguising their +activity to evade default file handling mechanisms. """ from = "now-119m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] interval = "60m" +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Processes with Trailing Spaces" 
@@ -21,40 +23,37 @@ risk_score = 21 rule_id = "0c093569-dff9-42b6-87b1-0242d9f7d9b4" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name : "* " ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.006" name = "Space after Filename" reference = "https://attack.mitre.org/techniques/T1036/006/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_service_disabled_registry.toml b/rules_building_block/defense_evasion_service_disabled_registry.toml index c1f1d49da..f822fdc3a 100644 --- a/rules_building_block/defense_evasion_service_disabled_registry.toml +++ b/rules_building_block/defense_evasion_service_disabled_registry.toml 
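Review bot: The query on the new side, `process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name : "* "`, has no `host.os.type` constraint even though the rule is tagged `OS: Linux` and `OS: macOS` and reads from `logs-endpoint.events.*` and `endgame-*`, which can also hold Windows events. The OS scoping appears to rest only on the listed `event.action` values; if that is intentional, a short comment in the rule or an explicit `host.os.type in ("linux", "macos")` clause would make the intent reviewable. This is unchanged behavior that the hunk, which only moves blank lines and re-indents the tag list, does not address.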
@@ -2,18 +2,19 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies attempts to modify services start settings using processes other than services.exe. Attackers may attempt to modify security and monitoring services to avoid detection or delay response. """ from = "now-119m" -index = ["logs-endpoint.events.registry-*", "endgame-*"] interval = "60m" +index = ["logs-endpoint.events.registry-*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Service Disabled via Registry Modification" @@ -27,9 +28,10 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Rule Type: BBR", + "Rule Type: BBR" ] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -58,6 +60,7 @@ reference = "https://attack.mitre.org/techniques/T1112/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -70,4 +73,3 @@ reference = "https://attack.mitre.org/techniques/T1489/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules_building_block/defense_evasion_service_path_registry.toml b/rules_building_block/defense_evasion_service_path_registry.toml index 7dbda2f6f..3dbc25b09 100644 --- a/rules_building_block/defense_evasion_service_path_registry.toml +++ b/rules_building_block/defense_evasion_service_path_registry.toml 
@@ -2,18 +2,19 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies attempts to modify a service path by an unusual process. Attackers may attempt to modify existing services for persistence or privilege escalation. """ from = "now-119m" -index = ["logs-endpoint.events.registry-*", "endgame-*"] interval = "60m" +index = ["logs-endpoint.events.registry-*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Service Path Modification" @@ -27,9 +28,10 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Rule Type: BBR", + "Rule Type: BBR" ] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -60,25 +62,29 @@ reference = "https://attack.mitre.org/techniques/T1112/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1543.003" -name = "Windows Service" -reference = "https://attack.mitre.org/techniques/T1543/003/" + [[rule.threat.technique.subtechnique]] + id = "T1543.003" + name = "Windows Service" + reference = "https://attack.mitre.org/techniques/T1543/003/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" 
@@ -94,4 +100,3 @@ reference = "https://attack.mitre.org/techniques/T1543/003/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules_building_block/defense_evasion_services_exe_path.toml b/rules_building_block/defense_evasion_services_exe_path.toml index 2cb09abc8..c26ac369c 100644 --- a/rules_building_block/defense_evasion_services_exe_path.toml +++ b/rules_building_block/defense_evasion_services_exe_path.toml @@ -2,18 +2,19 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies attempts to modify a service path setting using sc.exe. Attackers may attempt to modify existing services for persistence or privilege escalation. """ from = "now-119m" -index = ["logs-endpoint.events.process-*", "endgame-*"] interval = "60m" +index = ["logs-endpoint.events.process-*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Service Path Modification via sc.exe" @@ -27,9 +28,10 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Rule Type: BBR", + "Rule Type: BBR" ] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' 
@@ -50,25 +52,29 @@ reference = "https://attack.mitre.org/techniques/T1112/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" -[[rule.threat.technique.subtechnique]] -id = "T1543.003" -name = "Windows Service" -reference = "https://attack.mitre.org/techniques/T1543/003/" + [[rule.threat.technique.subtechnique]] + id = "T1543.003" + name = "Windows Service" + reference = "https://attack.mitre.org/techniques/T1543/003/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" @@ -84,4 +90,3 @@ reference = "https://attack.mitre.org/techniques/T1543/003/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml b/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml index c5f71c75d..6625b9806 100644 --- a/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml +++ b/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml 
@@ -2,38 +2,32 @@ creation_date = "2023/09/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies suspicious execution of the built-in Windows Installer, msiexec.exe, to install a package from usual paths or parent process. Adversaries may abuse msiexec.exe to launch malicious local MSI files. """ +references = [ + "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/", + "https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/" +] from = "now-119m" -index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"] interval = "60m" +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Suspicious Execution via MSIEXEC" -references = [ - "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/", - "https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/", -] risk_score = 21 rule_id = "708c9d92-22a3-4fe0-b6b9-1f861c55502d" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -85,4 +79,3 @@ reference = "https://attack.mitre.org/techniques/T1218/007/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
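Review bot: The description on the new side reads "to install a package from usual paths or parent process", which inverts the rule's purpose; it should read `to install a package from unusual paths or parent processes`. This is a context line the commit leaves untouched, but it is user-facing rule documentation shown to analysts and is worth fixing in the same pass. The rest of the hunk only reorders metadata and restores `min_stack_version = "8.3.0"`.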
diff --git a/rules_building_block/defense_evasion_unsigned_bits_client.toml b/rules_building_block/defense_evasion_unsigned_bits_client.toml index 84012c3b2..36adfe503 100644 --- a/rules_building_block/defense_evasion_unsigned_bits_client.toml +++ b/rules_building_block/defense_evasion_unsigned_bits_client.toml 
@@ -2,37 +2,32 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies an unsigned Windows Background Intelligent Transfer Service (BITS) client process. Attackers may abuse BITS functionality to download or upload data using the BITS service. """ +references = [ + "https://web.archive.org/web/20230531215706/https://blog.menasec.net/2021/05/hunting-for-suspicious-usage-of.html", + "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2" +] from = "now-119m" -index = ["logs-endpoint.events.library-*"] interval = "60m" +index = ["logs-endpoint.events.library-*"] language = "eql" license = "Elastic License v2" name = "Unsigned BITS Service Client Process" -references = [ - "https://web.archive.org/web/20230531215706/https://blog.menasec.net/2021/05/hunting-for-suspicious-usage-of.html", - "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2", -] risk_score = 21 rule_id = "9a3884d0-282d-45ea-86ce-b9c81100f026" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Rule Type: BBR", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' 
@@ -44,24 +39,23 @@ not process.code_signature.status : ("errorExpired", "errorCode_endpoint*") [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1197" +name = "BITS Jobs" +reference = "https://attack.mitre.org/techniques/T1197/" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" -[[rule.threat.technique]] -id = "T1197" -name = "BITS Jobs" -reference = "https://attack.mitre.org/techniques/T1197/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_unusual_process_extension.toml b/rules_building_block/defense_evasion_unusual_process_extension.toml index 62072e9e4..695bf5aea 100644 --- a/rules_building_block/defense_evasion_unusual_process_extension.toml +++ b/rules_building_block/defense_evasion_unusual_process_extension.toml 
@@ -2,31 +2,28 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" -description = "Identifies processes running with unusual extensions that are not typically valid for Windows executables.\n" +description = """ +Identifies processes running with unusual extensions that are not typically valid for Windows executables. +""" from = "now-119m" -index = ["logs-endpoint.events.process-*"] interval = "60m" +index = ["logs-endpoint.events.process-*"] language = "eql" license = "Elastic License v2" name = "Unusual Process Extension" risk_score = 21 rule_id = "800e01be-a7a4-46d0-8de9-69f3c9582b44" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" +building_block_type = "default" query = ''' process where host.os.type == "windows" and event.type == "start" and @@ -60,22 +57,19 @@ process where host.os.type == "windows" and event.type == "start" and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.008" name = "Masquerade File Type" reference = "https://attack.mitre.org/techniques/T1036/008/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules_building_block/defense_evasion_unusual_process_path_wbem.toml b/rules_building_block/defense_evasion_unusual_process_path_wbem.toml index b65efa354..2337423bd 100644 --- a/rules_building_block/defense_evasion_unusual_process_path_wbem.toml +++ b/rules_building_block/defense_evasion_unusual_process_path_wbem.toml @@ -2,38 +2,28 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" -description = "Identifies unusual processes running from the WBEM path, uncommon outside WMI-related Windows processes.\n" +description = """ +Identifies unusual processes running from the WBEM path, uncommon outside WMI-related Windows processes. +""" from = "now-119m" -index = [ - "logs-endpoint.events.process-*", - "logs-system.security*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", -] interval = "60m" +index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Unusual Process Execution on WBEM Path" risk_score = 21 rule_id = "1f460f12-a3cf-4105-9ebb-f788cc63f365" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Rule Type: BBR", - "Data Source: Elastic Endgame", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" +building_block_type = "default" query = ''' process where host.os.type == "windows" and event.type == "start" and 
@@ -51,7 +41,6 @@ process where host.os.type == "windows" and event.type == "start" and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -59,9 +48,7 @@ id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_write_dac_access.toml b/rules_building_block/defense_evasion_write_dac_access.toml index 09e5dd121..ddd47f1ea 100644 --- a/rules_building_block/defense_evasion_write_dac_access.toml +++ b/rules_building_block/defense_evasion_write_dac_access.toml @@ -2,11 +2,12 @@ creation_date = "2023/08/15" integration = ["system", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/08" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies the access on an object with WRITEDAC permissions. With the WRITEDAC permission, the user can perform a Write Discretionary Access Control List (WriteDACL) operation, which is used to modify the access control rules associated 
@@ -15,16 +16,11 @@ compromised accounts additional rights, ultimately compromising the target objec lateral movement, and persistence. """ from = "now-119m" -index = ["winlogbeat-*", "logs-system.security*", "logs-windows.*"] interval = "60m" +index = ["winlogbeat-*", "logs-system.security*", "logs-windows.*"] language = "kuery" license = "Elastic License v2" name = "WRITEDAC Access on Active Directory Object" -references = [ - "https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors.pdf", -] -risk_score = 21 -rule_id = "f5861570-e39a-4b8a-9259-abd39f84cb97" setup = """## Setup The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure). 
@@ -41,38 +37,35 @@ DS Access > Audit Directory Service Access (Success,Failure) ``` """ -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Active Directory", - "Use Case: Active Directory Monitoring", - "Rule Type: BBR", +references = [ + "https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors.pdf" ] +risk_score = 21 +rule_id = "f5861570-e39a-4b8a-9259-abd39f84cb97" +severity = "low" +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "query" +building_block_type = "default" query = ''' host.os.type: "windows" and event.action : ("Directory Service Access" or "object-operation-performed") and event.code : "4662" and winlog.event_data.AccessMask:"0x40000" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1222" -name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" +name = "File and Directory Permissions Modification" + [[rule.threat.technique.subtechnique]] id = "T1222.001" name = "Windows File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml index ff88b1d33..305f6b593 100644 --- a/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml +++ b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml 
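Review bot: The query matches `winlog.event_data.AccessMask:"0x40000"` as an exact string, so a 4662 event whose access mask combines WRITE_DAC with other rights (any value other than exactly `0x40000`) would not be detected; if that field can carry combined masks in this data source, the rule misses WriteDACL performed alongside another access type. If exact matching is deliberate to keep this building block low-noise, a `note` stating that trade-off would help the next maintainer; otherwise consider covering the known combinations. The hunk itself only relocates `references`/`risk_score`/`rule_id`/`severity`/`tags` and swaps `name` and `reference` under `T1222`, which leaves that block ordered differently from every other technique block in this change (`id`, `name`, `reference`).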
@@ -1,15 +1,17 @@ [metadata] -bypass_bbr_timing = true creation_date = "2022/11/01" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] building_block_type = "default" description = """ -Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows +Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell. """ from = "now-9m" @@ -55,16 +57,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Execution", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "eql" @@ -74,9 +75,9 @@ process where host.os.type == "windows" and event.type == "start" and not process.parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\PROGRA~1\\*") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" 
@@ -87,26 +88,25 @@ id = "T1083" name = "File and Directory Discovery" reference = "https://attack.mitre.org/techniques/T1083/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/discovery_generic_account_groups.toml b/rules_building_block/discovery_generic_account_groups.toml index eb8dadcd5..2b0ab58fa 100644 --- a/rules_building_block/discovery_generic_account_groups.toml +++ b/rules_building_block/discovery_generic_account_groups.toml @@ -1,9 +1,11 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/07/13" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] @@ -20,14 +22,13 @@ name = "Windows Account or Group Discovery" risk_score = 21 rule_id = "089db1af-740d-4d84-9a5b-babd6de143b0" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" 
@@ -61,13 +62,14 @@ process where host.os.type == "windows" and event.type == "start" and and not process.parent.name : "LTSVC.exe" and not user.id : "S-1-5-18" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" @@ -78,11 +80,16 @@ id = "T1069.002" name = "Domain Groups" reference = "https://attack.mitre.org/techniques/T1069/002/" +[[rule.threat.technique]] +id = "T1201" +name = "Password Policy Discovery" +reference = "https://attack.mitre.org/techniques/T1201/" [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" + [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" @@ -93,15 +100,7 @@ id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" - -[[rule.threat.technique]] -id = "T1201" -name = "Password Policy Discovery" -reference = "https://attack.mitre.org/techniques/T1201/" - - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_generic_process_discovery.toml b/rules_building_block/discovery_generic_process_discovery.toml index bafbf1c86..d56783275 100644 --- a/rules_building_block/discovery_generic_process_discovery.toml +++ b/rules_building_block/discovery_generic_process_discovery.toml @@ -1,9 +1,11 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/07/13" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] 
@@ -13,28 +15,21 @@ This rule identifies the execution of commands that can be used to enumerate run enumerate processes to identify installed applications and security solutions. """ from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "logs-system.security*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", -] +index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Process Discovery Using Built-in Tools" risk_score = 21 rule_id = "4982ac3e-d0ee-4818-b95d-d9522d689259" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" @@ -49,17 +44,15 @@ process where host.os.type == "windows" and event.type == "start" and ) and not user.id : "S-1-5-18" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_generic_registry_query.toml b/rules_building_block/discovery_generic_registry_query.toml index cfe2edba2..d645ef76a 100644 --- a/rules_building_block/discovery_generic_registry_query.toml +++ b/rules_building_block/discovery_generic_registry_query.toml 
@@ -1,9 +1,11 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/07/13" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] @@ -21,14 +23,13 @@ name = "Query Registry using Built-in Tools" risk_score = 21 rule_id = "ded09d02-0137-4ccc-8005-c45e617e8d4c" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -53,15 +54,14 @@ host.os.type:windows and event.category:process and event.type:start and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1012" name = "Query Registry" reference = "https://attack.mitre.org/techniques/T1012/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -70,8 +70,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.id"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" - - diff --git a/rules_building_block/discovery_hosts_file_access.toml b/rules_building_block/discovery_hosts_file_access.toml index 8a3177bf2..74bee0709 100644 --- a/rules_building_block/discovery_hosts_file_access.toml +++ b/rules_building_block/discovery_hosts_file_access.toml 
@@ -2,7 +2,9 @@ creation_date = "2023/07/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/22" [rule] author = ["Elastic"] @@ -12,8 +14,8 @@ Identifies the use of built-in tools to read the contents of \\etc\\hosts on a l to discover remote machines in an environment that may be used for Lateral Movement from the current system. """ from = "now-119m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] interval = "60m" +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "System Hosts File Access" @@ -21,35 +23,32 @@ risk_score = 21 rule_id = "f75f65cf-ed04-48df-a7ff-b02a8bfe636e" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("vi", "nano", "cat", "more", "less") and process.args == "/etc/hosts" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - 
diff --git a/rules_building_block/discovery_internet_capabilities.toml b/rules_building_block/discovery_internet_capabilities.toml index 2ae9e761e..e518e8a81 100644 --- a/rules_building_block/discovery_internet_capabilities.toml +++ b/rules_building_block/discovery_internet_capabilities.toml @@ -1,9 +1,11 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/07/12" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/01/11" +bypass_bbr_timing = true [rule] author = ["Elastic"] @@ -21,14 +23,13 @@ name = "Discovery of Internet Capabilities via Built-in Tools" risk_score = 21 rule_id = "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -38,20 +39,19 @@ process.name.caseless:("ping.exe" or "tracert.exe" or "pathping.exe") and not process.args:("127.0.0.1" or "0.0.0.0" or "localhost" or "::1") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique.subtechnique]] id = "T1016.001" name = "Internet Connection Discovery" reference = "https://attack.mitre.org/techniques/T1016/001/" - - [rule.threat.tactic] id = "TA0007" name = "Discovery" 
@@ -60,8 +60,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.id", "process.command_line"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml index 00a0f082b..d351ec77f 100644 --- a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml +++ b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml @@ -2,16 +2,17 @@ creation_date = "2020/04/12" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/02/22" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate -information about a kernel module using the /proc/modules filesystem. This filesystem is used by utilities such as lsmod -and kmod to list the available kernel modules. +information about a kernel module using the /proc/modules filesystem. This filesystem is used by utilities such as +lsmod and kmod to list the available kernel modules. """ false_positives = [ """ @@ -20,8 +21,8 @@ false_positives = [ """, ] from = "now-119m" -index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] interval = "60m" +index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] language = "kuery" license = "Elastic License v2" name = "Enumeration of Kernel Modules via Proc" 
@@ -46,29 +47,28 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen """ severity = "low" tags = [ - "Data Source: Auditd Manager", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", -] + "Data Source: Auditd Manager", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "new_terms" - +building_block_type = "default" query = ''' host.os.type:linux and event.category:file and event.action:"opened-file" and file.path:"/proc/modules" and not process.name:(grep or python* or chef-client) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -77,8 +77,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" - - diff --git a/rules_building_block/discovery_linux_modprobe_enumeration.toml b/rules_building_block/discovery_linux_modprobe_enumeration.toml index 05b04fa4b..e58678343 100644 --- a/rules_building_block/discovery_linux_modprobe_enumeration.toml +++ b/rules_building_block/discovery_linux_modprobe_enumeration.toml 
@@ -2,20 +2,21 @@ creation_date = "2023/06/08" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/02/22" [rule] author = ["Elastic"] -building_block_type = "default" description = """ -Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or +Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized -kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the +kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system. """ from = "now-119m" -index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] interval = "60m" +index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] language = "kuery" license = "Elastic License v2" name = "Suspicious Modprobe File Event" @@ -45,15 +46,15 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen """ severity = "low" tags = [ - "Data Source: Auditd Manager", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", -] + "Data Source: Auditd Manager", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "new_terms" - +building_block_type = "default" query = ''' host.os.type:linux and event.category:file and event.action:"opened-file" and file.path : ("/etc/modprobe.conf" or "/etc/modprobe.d" or /etc/modprobe.d/*) and not process.name:( 
@@ -62,15 +63,14 @@ file.path : ("/etc/modprobe.conf" or "/etc/modprobe.d" or /etc/modprobe.d/*) and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -79,8 +79,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules_building_block/discovery_linux_sysctl_enumeration.toml b/rules_building_block/discovery_linux_sysctl_enumeration.toml index f01834a99..e02b8d697 100644 --- a/rules_building_block/discovery_linux_sysctl_enumeration.toml +++ b/rules_building_block/discovery_linux_sysctl_enumeration.toml 
@@ -2,19 +2,20 @@ creation_date = "2023/06/08" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/02/22" [rule] author = ["Elastic"] -building_block_type = "default" description = """ -Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential -unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl +Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential +unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security. """ from = "now-119m" -index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] interval = "60m" +index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] language = "kuery" license = "Elastic License v2" name = "Suspicious Sysctl File Event" @@ -45,15 +46,15 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen """ severity = "low" tags = [ - "Data Source: Auditd Manager", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", -] + "Data Source: Auditd Manager", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "new_terms" - +building_block_type = "default" query = ''' host.os.type:linux and event.category:file and event.action:("opened-file" or "read-file" or "wrote-to-file") and file.path : ("/etc/sysctl.conf" or "/etc/sysctl.d" or /etc/sysctl.d/*) and not process.name:( 
@@ -61,15 +62,14 @@ file.path : ("/etc/sysctl.conf" or "/etc/sysctl.d" or /etc/sysctl.d/*) and not p ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -78,8 +78,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules_building_block/discovery_linux_system_information_discovery.toml b/rules_building_block/discovery_linux_system_information_discovery.toml index 431c60f43..af04ae90d 100644 --- a/rules_building_block/discovery_linux_system_information_discovery.toml +++ b/rules_building_block/discovery_linux_system_information_discovery.toml @@ -2,15 +2,17 @@ creation_date = "2023/07/10" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] building_block_type = "default" description = "Enrich process events with uname and other command lines that imply Linux system information discovery." from = "now-119m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] interval = "60m" +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Linux System Information Discovery" 
@@ -18,18 +20,17 @@ risk_score = 21 rule_id = "b81bd314-db5b-4d97-82e8-88e3e5fc9de5" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( process.name: "uname" or ( @@ -38,17 +39,15 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_linux_system_owner_user_discovery.toml b/rules_building_block/discovery_linux_system_owner_user_discovery.toml index 2e2c8d3de..461660560 100644 --- a/rules_building_block/discovery_linux_system_owner_user_discovery.toml +++ b/rules_building_block/discovery_linux_system_owner_user_discovery.toml @@ -2,7 +2,9 @@ creation_date = "2023/07/10" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/22" [rule] author = ["Elastic"] 
@@ -12,8 +14,8 @@ Identifies the use of built-in tools which adversaries may use to enumerate the system. """ from = "now-119m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] interval = "60m" +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "System Owner/User Discovery Linux" @@ -21,26 +23,25 @@ risk_score = 21 rule_id = "bf8c007c-7dee-4842-8e9a-ee534c09d205" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name : ("whoami", "w", "who", "users", "id") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1033" name = "System Owner/User Discovery" @@ -51,9 +52,7 @@ id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_net_share_discovery_winlog.toml b/rules_building_block/discovery_net_share_discovery_winlog.toml index dff948bf5..1a9085fe9 100644 --- a/rules_building_block/discovery_net_share_discovery_winlog.toml +++ b/rules_building_block/discovery_net_share_discovery_winlog.toml 
@@ -2,33 +2,28 @@ creation_date = "2023/07/14" integration = ["windows", "system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Adversaries may look for folders and drives shared on remote systems to identify sources of information to gather as a precursor for collection and identify potential systems of interest for Lateral Movement. """ from = "now-119m" -index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"] interval = "60m" +index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Potential Network Share Discovery" risk_score = 21 rule_id = "b2318c71-5959-469a-a3ce-3a0768e63b9c" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Collection", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Rule Type: BBR"] type = "eql" +building_block_type = "default" query = ''' sequence by user.name, source.port, source.ip with maxspan=15s @@ -40,7 +35,6 @@ sequence by user.name, source.port, source.ip with maxspan=15s source.ip != null and source.ip != "0.0.0.0" and source.ip != "::1" and source.ip != "::" and source.ip != "127.0.0.1"] ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
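Review bot: The restored `[rule]` block for this sequence rule sets `from = "now-119m"` with `interval = "60m"` but, unlike the other rules in this commit, has no `timestamp_override = "event.ingested"` between `severity` and `type` (the hunk shows that whole span, so the key is absent unless it sits later in the file). Windows security events that are shipped late would then fall outside the lookback window and never be evaluated; if that is unintended, add `timestamp_override = "event.ingested"` immediately before `type = "eql"`. The hunk also moves `building_block_type = "default"` from under `author` to after `type`, which differs from the placement kept in several of the other restored files.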
@@ -48,19 +42,19 @@ id = "T1135" name = "Network Share Discovery" reference = "https://attack.mitre.org/techniques/T1135/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1039" name = "Data from Network Shared Drive" reference = "https://attack.mitre.org/techniques/T1039/" - [rule.threat.tactic] id = "TA0009" name = "Collection" diff --git a/rules_building_block/discovery_net_view.toml b/rules_building_block/discovery_net_view.toml index 10e11ec99..c07a15596 100644 --- a/rules_building_block/discovery_net_view.toml +++ b/rules_building_block/discovery_net_view.toml @@ -1,9 +1,11 @@ [metadata] -bypass_bbr_timing = true creation_date = "2020/12/04" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] @@ -53,17 +55,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Collection", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "eql" 
@@ -85,9 +86,9 @@ process where host.os.type == "windows" and event.type == "start" and */ ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" @@ -98,19 +99,20 @@ id = "T1135" name = "Network Share Discovery" reference = "https://attack.mitre.org/techniques/T1135/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1039" name = "Data from Network Shared Drive" reference = "https://attack.mitre.org/techniques/T1039/" - [rule.threat.tactic] id = "TA0009" name = "Collection" diff --git a/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml b/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml index 534e6b19c..eb07c9ed3 100644 --- a/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml +++ b/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml @@ -2,15 +2,19 @@ creation_date = "2023/07/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] building_block_type = "default" -description = "Adversaries may use built-in applications to get a listing of local system or domain accounts and groups.\n" +description = """ +Adversaries may use built-in applications to get a listing of local system or domain accounts and groups. +""" from = "now-119m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] interval = "60m" +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Account or Group Discovery via Built-In Tools" 
@@ -18,19 +22,18 @@ risk_score = 21 rule_id = "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( (process.name in ("groups", "id")) or @@ -41,13 +44,14 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" @@ -58,11 +62,11 @@ id = "T1069.002" name = "Domain Groups" reference = "https://attack.mitre.org/techniques/T1069/002/" - [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" + [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" @@ -73,10 +77,7 @@ id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" - - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_of_domain_groups.toml b/rules_building_block/discovery_of_domain_groups.toml index 6a1122dd0..fc2e465b2 100644 --- a/rules_building_block/discovery_of_domain_groups.toml +++ b/rules_building_block/discovery_of_domain_groups.toml 
@@ -2,7 +2,9 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -12,8 +14,8 @@ Identifies the execution of Linux built-in commands related to account or group and group information to orient themselves before deciding how to act. """ from = "now-119m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] interval = "60m" +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Discovery of Domain Groups" @@ -21,18 +23,17 @@ risk_score = 21 rule_id = "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( @@ -40,17 +41,15 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - 
diff --git a/rules_building_block/discovery_posh_password_policy.toml b/rules_building_block/discovery_posh_password_policy.toml index 717f91f01..ff9a476a5 100644 --- a/rules_building_block/discovery_posh_password_policy.toml +++ b/rules_building_block/discovery_posh_password_policy.toml @@ -2,18 +2,19 @@ creation_date = "2023/07/12" integration = ["windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools. """ from = "now-119m" -index = ["winlogbeat-*", "logs-windows.powershell*"] interval = "60m" +index = ["winlogbeat-*", "logs-windows.powershell*"] language = "kuery" license = "Elastic License v2" name = "PowerShell Script with Password Policy Discovery Capabilities" @@ -38,17 +39,10 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Tactic: Execution", - "Data Source: PowerShell Logs", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", "Data Source: PowerShell Logs", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "query" +building_block_type = "default" query = ''' event.category: "process" and host.os.type:windows and 
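Review bot: The description of discovery_posh_password_policy.toml, kept as context in the first hunk, says the rule identifies cmdlets related to remote execution using WinRM, while the rule is named "PowerShell Script with Password Policy Discovery Capabilities", is tagged Tactic: Discovery and maps to T1201 Password Policy Discovery in its later hunk; the text looks copied from a different rule and would mislead an analyst triaging the alert. Something like `Identifies the use of Cmdlets and methods related to password policy discovery.` would match what the name and the ATT&CK mapping describe. Separately, `building_block_type = "default"` is moved from directly below `author` to after `type = "query"` in the second hunk, which differs from where the other files in this diff keep it; discovery_security_software_wmic.toml places it between `timestamp_override` and `type`, and discovery_suspicious_proc_enumeration.toml after `type = "threshold"`. TOML key order is not semantic, but one position across the rule set is easier to review and diff.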
@@ -98,11 +92,12 @@ id = "T1201" name = "Password Policy Discovery" reference = "https://attack.mitre.org/techniques/T1201/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml b/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml index ca94235fe..e43887f64 100644 --- a/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml +++ b/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml @@ -1,9 +1,11 @@ [metadata] -bypass_bbr_timing = true creation_date = "2020/09/04" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] @@ -62,15 +64,14 @@ references = [ risk_score = 21 rule_id = "1d72d014-e2ab-4707-b056-9b96abe7b511" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "eql" 
@@ -130,27 +131,25 @@ network where host.os.type == "windows" and network.protocol == "dns" and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique.subtechnique]] id = "T1016.001" name = "Internet Connection Discovery" reference = "https://attack.mitre.org/techniques/T1016/001/" - [[rule.threat.technique]] id = "T1614" name = "System Location Discovery" reference = "https://attack.mitre.org/techniques/T1614/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_potential_memory_seeking_activity.toml b/rules_building_block/discovery_potential_memory_seeking_activity.toml index 8b6be1ce1..d6dc62b89 100644 --- a/rules_building_block/discovery_potential_memory_seeking_activity.toml +++ b/rules_building_block/discovery_potential_memory_seeking_activity.toml @@ -3,7 +3,9 @@ bypass_bbr_timing = true creation_date = "2024/02/01" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -22,17 +24,16 @@ risk_score = 21 rule_id = "035a6f21-4092-471d-9cda-9e379f459b1e" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( (process.name == "tail" and process.args == "-c") or @@ -42,17 +43,15 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_process_discovery_via_builtin_tools.toml b/rules_building_block/discovery_process_discovery_via_builtin_tools.toml index d38263710..8b3047008 100644 --- a/rules_building_block/discovery_process_discovery_via_builtin_tools.toml +++ b/rules_building_block/discovery_process_discovery_via_builtin_tools.toml 
@@ -2,15 +2,17 @@ creation_date = "2023/07/11" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] building_block_type = "default" description = "Identifies the use of built-in tools attackers can use to discover running processes on an endpoint." from = "now-119m" -index = ["logs-endpoint.events.*", "endgame-*"] interval = "60m" +index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Process Discovery via Built-In Applications" @@ -18,18 +20,17 @@ risk_score = 21 rule_id = "3f4d7734-2151-4481-b394-09d7c6c91f75" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where event.type == "start" and event.action in ("exec", "exec_event") and process.name in ( "ps", "pstree", "htop", "pgrep" @@ -37,9 +38,9 @@ process where event.type == "start" and event.action in ("exec", "exec_event") a not process.parent.name in ("amazon-ssm-agent", "snap") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1057" name = "Process Discovery" 
@@ -49,15 +50,13 @@ reference = "https://attack.mitre.org/techniques/T1057/" id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" + [[rule.threat.technique.subtechnique]] id = "T1518.001" name = "Security Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/001/" - - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml index b7e1e6414..4fbf67ecc 100644 --- a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml +++ b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml @@ -1,9 +1,11 @@ [metadata] -bypass_bbr_timing = true creation_date = "2020/12/04" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] @@ -53,16 +55,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "eql" 
@@ -90,9 +91,9 @@ process where host.os.type == "windows" and event.type == "start" and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" @@ -103,9 +104,7 @@ id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_security_software_wmic.toml b/rules_building_block/discovery_security_software_wmic.toml index 42a76b8cd..7811c935f 100644 --- a/rules_building_block/discovery_security_software_wmic.toml +++ b/rules_building_block/discovery_security_software_wmic.toml @@ -1,25 +1,20 @@ [metadata] -bypass_bbr_timing = true creation_date = "2020/10/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details. """ from = "now-9m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Security Software Discovery using WMIC" 
@@ -62,17 +57,17 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -81,32 +76,32 @@ process where host.os.type == "windows" and event.type == "start" and process.args : "/namespace:\\\\root\\SecurityCenter2" and process.args : "Get" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" + [[rule.threat.technique.subtechnique]] id = "T1518.001" name = "Security Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/001/" - - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules_building_block/discovery_signal_unusual_user_host.toml b/rules_building_block/discovery_signal_unusual_user_host.toml index 6697231b3..5c46f3400 100644 --- a/rules_building_block/discovery_signal_unusual_user_host.toml +++ b/rules_building_block/discovery_signal_unusual_user_host.toml 
@@ -1,8 +1,10 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/10/10" maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/10/10" +bypass_bbr_timing = true [rule] author = ["Elastic"] @@ -19,16 +21,14 @@ name = "Unusual Discovery Activity by User" risk_score = 21 rule_id = "cf575427-0839-4c69-a9e6-99fde02606f3" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: Higher-Order Rule", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: Higher-Order Rule" + ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:( "d68e95ad-1c82-4074-a12a-125fe10ac8ba" or "7b8bfc26-81d2-435e-965c-d722ee397ef1" or @@ -39,7 +39,6 @@ host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:( ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" @@ -51,8 +50,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "user.id"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules_building_block/discovery_suspicious_memory_grep_activity.toml b/rules_building_block/discovery_suspicious_memory_grep_activity.toml index e5e09b922..238e3a740 100644 --- a/rules_building_block/discovery_suspicious_memory_grep_activity.toml +++ b/rules_building_block/discovery_suspicious_memory_grep_activity.toml 
@@ -3,7 +3,9 @@ bypass_bbr_timing = true creation_date = "2024/02/05" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -11,7 +13,7 @@ building_block_type = "default" description = """ Monitors for grep activity related to memory mapping. The /proc/*/maps file in Linux provides a memory map for a specific process, detailing the memory segments, permissions, and what files are mapped to these segments. Attackers may -read a process's memory map to identify memory addresses for code injection or process hijacking. +read a process's memory map to identify memory addresses for code injection or process hijacking. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] @@ -23,33 +25,30 @@ risk_score = 21 rule_id = "d74d6506-427a-4790-b170-0c2a6ddac799" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name in ("grep", "egrep", "fgrep", "rgrep") and process.args in ("[stack]", "[vdso]", "[heap]") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - 
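Review bot: In the second hunk of discovery_suspicious_memory_grep_activity.toml the removed and added `read a process's memory map to identify memory addresses for code injection or process hijacking.` lines are visibly identical, so the change can only be trailing whitespace, and because the line sits inside the `"""` description string that whitespace becomes part of the rule's description text. The line should be left as it was, with no trailing spaces. The same whitespace-only change appears on the three description lines of discovery_suspicious_proc_enumeration.toml and on the `phase after compromising a system.` line of discovery_system_time_discovery.toml.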
diff --git a/rules_building_block/discovery_suspicious_proc_enumeration.toml b/rules_building_block/discovery_suspicious_proc_enumeration.toml index 5416dfa0a..58422eaad 100644 --- a/rules_building_block/discovery_suspicious_proc_enumeration.toml +++ b/rules_building_block/discovery_suspicious_proc_enumeration.toml @@ -2,19 +2,20 @@ creation_date = "2023/06/09" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/02/19" [rule] author = ["Elastic"] -building_block_type = "default" description = """ -This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal -activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about -running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets. +This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal +activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about +running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets. """ from = "now-119m" -index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] interval = "60m" +index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] language = "kuery" license = "Elastic License v2" name = "Suspicious Proc Pseudo File System Enumeration" 
@@ -46,12 +47,12 @@ tags = [ "Data Source: Auditd Manager", "OS: Linux", "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", -] + "Tactic: Discovery", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "threshold" - +building_block_type = "default" query = ''' host.os.type:linux and event.category:file and event.action:"opened-file" and file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : ( @@ -59,9 +60,9 @@ file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.nam ) and not process.parent.pid : 1 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1057" name = "Process Discovery" @@ -72,7 +73,6 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -81,8 +81,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.threshold] field = ["host.id", "process.pid", "process.name"] value = 1 + [[rule.threshold.cardinality]] field = "file.path" value = 100 - - diff --git a/rules_building_block/discovery_system_network_connections.toml b/rules_building_block/discovery_system_network_connections.toml index 146fae92b..8445acfed 100644 --- a/rules_building_block/discovery_system_network_connections.toml +++ b/rules_building_block/discovery_system_network_connections.toml 
@@ -2,15 +2,17 @@ creation_date = "2023/07/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" [rule] author = ["Elastic"] building_block_type = "default" description = "Adversaries may attempt to get a listing of network connections to or from a compromised system." from = "now-119m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] interval = "60m" +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "System Network Connections Discovery" @@ -18,35 +20,32 @@ risk_score = 21 rule_id = "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("netstat", "lsof", "who", "w") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1049" name = "System Network Connections Discovery" reference = "https://attack.mitre.org/techniques/T1049/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - 
diff --git a/rules_building_block/discovery_system_service_discovery.toml b/rules_building_block/discovery_system_service_discovery.toml index 284105bfc..e558d25c5 100644 --- a/rules_building_block/discovery_system_service_discovery.toml +++ b/rules_building_block/discovery_system_service_discovery.toml 
@@ -1,41 +1,35 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/01/24" integration = ["windows", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] building_block_type = "default" description = """ -Detects the usage of commonly used system service discovery techniques, which attackers may use during the -reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or -escalate privileges. +Detects the usage of commonly used system service discovery techniques, which attackers may use during the reconnaissance phase +after compromising a system in order to gain a better understanding of the environment and/or escalate privileges. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "System Service Discovery through built-in Windows Utilities" risk_score = 21 rule_id = "e0881d20-54ac-457f-8733-fe0bc5d44c55" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "eql" 
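Review bot: The description of discovery_system_service_discovery.toml is re-wrapped so its first line runs to about 127 characters, whereas the removed lines were wrapped at roughly 120; if the project's rule formatter or linter enforces a width for multi-line strings, as the removed layout suggests, this will be rewrapped or flagged again. I would keep the removed wrapping, `Detects the usage of commonly used system service discovery techniques, which attackers may use during the` / `reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or` / `escalate privileges.`. The same applies to the description of discovery_win_network_connections.toml, whose rewrapped second line reaches about 122 characters.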
@@ -50,17 +44,15 @@ process where host.os.type == "windows" and event.type == "start" and ) and not user.id : "S-1-5-18" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1007" name = "System Service Discovery" reference = "https://attack.mitre.org/techniques/T1007/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_system_time_discovery.toml b/rules_building_block/discovery_system_time_discovery.toml index 537fc9d8a..7f57882ce 100644 --- a/rules_building_block/discovery_system_time_discovery.toml +++ b/rules_building_block/discovery_system_time_discovery.toml 
@@ -1,40 +1,35 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/01/24" integration = ["windows", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] building_block_type = "default" description = """ Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance -phase after compromising a system. +phase after compromising a system. """ from = "now-9m" -index = [ - "winlogbeat-*", - "logs-endpoint.events.process-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "System Time Discovery" risk_score = 21 rule_id = "06568a02-af29-4f20-929c-f3af281e41aa" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "eql" @@ -50,17 +45,15 @@ process where host.os.type == "windows" and event.type == "start" and ) and not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1124" name = "System Time Discovery" reference = "https://attack.mitre.org/techniques/T1124/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - 
diff --git a/rules_building_block/discovery_win_network_connections.toml b/rules_building_block/discovery_win_network_connections.toml index dc1f9d257..318357b4d 100644 --- a/rules_building_block/discovery_win_network_connections.toml +++ b/rules_building_block/discovery_win_network_connections.toml @@ -1,17 +1,18 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/07/14" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] building_block_type = "default" description = """ This rule identifies the execution of commands that can be used to enumerate network connections. Adversaries may -attempt to get a listing of network connections to or from a compromised system to identify targets within an -environment. +attempt to get a listing of network connections to or from a compromised system to identify targets within an environment. """ from = "now-9m" index = ["logs-endpoint.events.process-*"] @@ -21,14 +22,13 @@ name = "Windows System Network Connections Discovery" risk_score = 21 rule_id = "c4e9ed3e-55a2-4309-a012-bc3c78dad10a" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -49,9 +49,9 @@ process where event.type == "start" and ) and not user.id : "S-1-5-18" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1049" name = "System Network Connections Discovery" 
@@ -62,9 +62,7 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_windows_system_information_discovery.toml b/rules_building_block/discovery_windows_system_information_discovery.toml index 3116404c9..0cd59156c 100644 --- a/rules_building_block/discovery_windows_system_information_discovery.toml +++ b/rules_building_block/discovery_windows_system_information_discovery.toml @@ -1,9 +1,11 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/07/06" integration = ["windows", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] @@ -20,15 +22,13 @@ name = "Windows System Information Discovery" risk_score = 21 rule_id = "51176ed2-2d90-49f2-9f3d-17196428b169" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" @@ -52,17 +52,15 @@ process.parent.executable : ( ) and not user.id : "S-1-5-18" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - 
diff --git a/rules_building_block/execution_github_new_event_action_for_pat.toml b/rules_building_block/execution_github_new_event_action_for_pat.toml index cc3256581..411b406a4 100644 --- a/rules_building_block/execution_github_new_event_action_for_pat.toml +++ b/rules_building_block/execution_github_new_event_action_for_pat.toml @@ -3,12 +3,16 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added to GitHub Integration" +min_stack_version = "8.8.0" +updated_date = "2023/12/14" [rule] author = ["Elastic"] building_block_type = "default" -description = "Detects a first occurrence event for a personal access token (PAT) not seen in the last 14 days.\n" +description = """ +Detects a first occurrence event for a personal access token (PAT) not seen in the last 14 days. +""" from = "now-9m" index = ["logs-github.audit-*"] language = "kuery" @@ -17,14 +21,13 @@ name = "First Occurrence GitHub Event for a Personal Access Token (PAT)" risk_score = 21 rule_id = "ce08b55a-f67d-4804-92b5-617b0fe5a5b5" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Execution", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Execution", + "Rule Type: BBR", + "Data Source: Github" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -34,7 +37,6 @@ event.action:* and github.hashed_token:* and github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -48,11 +50,11 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.new_terms] field = "new_terms_fields" value = ["github.hashed_token", "event.action"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules_building_block/execution_github_new_repo_interaction_for_pat.toml b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml index f8c429ed7..98e6201bb 100644 --- a/rules_building_block/execution_github_new_repo_interaction_for_pat.toml +++ b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml @@ -3,12 +3,16 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added to GitHub Integration" +min_stack_version = "8.8.0" +updated_date = "2023/12/14" [rule] author = ["Elastic"] building_block_type = "default" -description = "Detects a new private repo interaction for a GitHub PAT not seen in the last 14 days.\n" +description = """ +Detects a new private repo interaction for a GitHub PAT not seen in the last 14 days. +""" from = "now-9m" index = ["logs-github.audit-*"] language = "kuery" @@ -17,14 +21,13 @@ name = "First Occurrence of Private Repo Event from Specific GitHub Personal Acc risk_score = 21 rule_id = "1e9b271c-8caa-4e20-aed8-e91e34de9283" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Execution", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Execution", + "Rule Type: BBR", + "Data Source: Github" + ] timestamp_override = "event.ingested" type = "new_terms" 
@@ -35,7 +38,6 @@ github.programmatic_access_type:("OAuth access token" or "Fine-grained personal github.repository_public:false ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -49,11 +51,11 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.new_terms] field = "new_terms_fields" value = ["github.hashed_token", "github.repo"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules_building_block/execution_github_new_repo_interaction_for_user.toml b/rules_building_block/execution_github_new_repo_interaction_for_user.toml index eeb371692..9f9002042 100644 --- a/rules_building_block/execution_github_new_repo_interaction_for_user.toml +++ b/rules_building_block/execution_github_new_repo_interaction_for_user.toml @@ -3,12 +3,16 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/12/14" [rule] author = ["Elastic"] building_block_type = "default" -description = "Detects a new private repo interaction for a GitHub user not seen in the last 14 days.\n" +description = """ +Detects a new private repo interaction for a GitHub user not seen in the last 14 days. +""" from = "now-9m" index = ["logs-github.audit-*"] language = "kuery" 
@@ -17,14 +21,13 @@ name = "First Occurrence of GitHub User Interaction with Private Repo" risk_score = 21 rule_id = "01c49712-25bc-49d2-a27d-d7ce52f5dc49" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Execution", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Execution", + "Rule Type: BBR", + "Data Source: Github" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -34,7 +37,6 @@ github.repo:* and user.name:* and github.repository_public:false ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -48,11 +50,11 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.new_terms] field = "new_terms_fields" value = ["user.name", "github.repo"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules_building_block/execution_github_repo_created.toml b/rules_building_block/execution_github_repo_created.toml index e8232137b..c10de1f2e 100644 --- a/rules_building_block/execution_github_repo_created.toml +++ b/rules_building_block/execution_github_repo_created.toml @@ -3,12 +3,16 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/12/14" [rule] author = ["Elastic"] building_block_type = "default" -description = "A new GitHub repository was created.\n" +description = """ +A new GitHub repository was created. +""" from = "now-9m" index = ["logs-github.audit-*"] language = "eql" 
@@ -17,14 +21,13 @@ name = "GitHub Repo Created" risk_score = 21 rule_id = "6cea88e4-6ce2-4238-9981-a54c140d6336" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Execution", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Execution", + "Rule Type: BBR", + "Data Source: Github" + ] timestamp_override = "event.ingested" type = "eql" @@ -32,7 +35,6 @@ query = ''' configuration where event.dataset == "github.audit" and event.action == "repo.create" ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -45,4 +47,3 @@ reference = "https://attack.mitre.org/techniques/T1648/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/execution_github_repo_interaction_from_new_ip.toml b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml index 52daf9d6e..a9b685231 100644 --- a/rules_building_block/execution_github_repo_interaction_from_new_ip.toml +++ b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml @@ -1,14 +1,18 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added to GitHub Integration" +min_stack_version = "8.8.0" +updated_date = "2023/12/14" +bypass_bbr_timing = true [rule] author = ["Elastic"] building_block_type = "default" -description = "Detects an interaction with a private GitHub repository from a new IP address not seen in the last 14 days.\n" +description = """ +Detects an interaction with a private GitHub repository from a new IP address not seen in the last 14 days. +""" from = "now-9m" index = ["logs-github.audit-*"] language = "kuery" 
@@ -17,14 +21,13 @@ name = "First Occurrence of GitHub Repo Interaction From a New IP" risk_score = 21 rule_id = "0294f105-d7af-4a02-ae90-35f56763ffa2" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Execution", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Execution", + "Rule Type: BBR", + "Data Source: Github" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -34,7 +37,6 @@ github.actor_ip:* and github.repo:* and github.repository_public:false ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -48,11 +50,11 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [rule.new_terms] field = "new_terms_fields" value = ["github.repo", "github.actor_ip"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules_building_block/execution_linux_segfault.toml b/rules_building_block/execution_linux_segfault.toml index e1d006ca6..052ee0410 100644 --- a/rules_building_block/execution_linux_segfault.toml +++ b/rules_building_block/execution_linux_segfault.toml @@ -3,11 +3,12 @@ bypass_bbr_timing = true creation_date = "2023/10/26" integration = ["system"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/26" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Monitors kernel logs for segfault messages. A segfault, or segmentation fault, is an error that occurs when a program tries to access a memory location that it's not allowed to access, typically leading to program termination. A segfault 
@@ -46,15 +47,20 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" +building_block_type = "default" type = "query" - query = ''' host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and message:segfault ''' - [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules_building_block/execution_settingcontent_ms_file_creation.toml b/rules_building_block/execution_settingcontent_ms_file_creation.toml index cef517d3a..f4834c928 100644 --- a/rules_building_block/execution_settingcontent_ms_file_creation.toml +++ b/rules_building_block/execution_settingcontent_ms_file_creation.toml @@ -3,11 +3,12 @@ bypass_bbr_timing = true creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies the suspicious creation of SettingContents-ms files, which have been used in attacks to achieve code execution while evading defenses. 
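Review bot: `+building_block_type = "default"` is inserted after `timestamp_override` in this hunk (its removal from the position after `author` is in the previous hunk of the same file), which breaks the sorted key order the old side had in `[rule]`; the same relocation recurs in execution_settingcontent_ms_file_creation.toml, execution_unix_socket_communication.toml, execution_wmi_wbemtest.toml and initial_access_cross_site_scripting.toml, and `bypass_bbr_timing` and `index` are likewise moved after `updated_date` and `interval` in the `[metadata]` hunks and in the wbemtest/XSS hunks. TOML does not care about key order, but the old side of every file is alphabetically sorted, which suggests the repo's rule writer sorts keys on save; if so, the next save will reorder these lines again and produce churn. Keep the key in its sorted position: `author = ["Elastic"]`, `building_block_type = "default"`, `description = """`.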
@@ -17,19 +18,15 @@ index = ["logs-endpoint.events.file-*"] language = "eql" license = "Elastic License v2" name = "Creation of SettingContent-ms Files" -references = ["https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39"] +references = [ + "https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39", +] risk_score = 21 rule_id = "1e6363a6-3af5-41d4-b7ea-d475389c0ceb" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' 
@@ -41,39 +38,40 @@ file where host.os.type == "windows" and event.type == "creation" and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" -[[rule.threat.technique.subtechnique]] -id = "T1204.002" -name = "Malicious File" -reference = "https://attack.mitre.org/techniques/T1204/002/" + [[rule.threat.technique.subtechnique]] + id = "T1204.002" + name = "Malicious File" + reference = "https://attack.mitre.org/techniques/T1204/002/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" -[[rule.threat.technique.subtechnique]] -id = "T1566.001" -name = "Spearphishing Attachment" -reference = "https://attack.mitre.org/techniques/T1566/001/" + [[rule.threat.technique.subtechnique]] + id = "T1566.001" + name = "Spearphishing Attachment" + reference = "https://attack.mitre.org/techniques/T1566/001/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules_building_block/execution_unix_socket_communication.toml b/rules_building_block/execution_unix_socket_communication.toml index bd444e795..26e055dbe 100644 --- a/rules_building_block/execution_unix_socket_communication.toml +++ b/rules_building_block/execution_unix_socket_communication.toml 
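Review bot: The two `[[rule.threat]]` blocks in this hunk end up formatted differently: the first gains a blank line between `[[rule.threat.technique.subtechnique]]` and `[rule.threat.tactic]` (the `+` blank after `reference = "https://attack.mitre.org/techniques/T1204/002/"`), while the second has no blank line before its `[rule.threat.tactic]`, and in both the subtechnique tables are indented while the technique tables are not. Indentation is meaningless to TOML, so this is purely a style point, but the inconsistency makes the file harder to scan. Pick one layout for both blocks.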
@@ -1,18 +1,19 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/09/04" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/08" +bypass_bbr_timing = true [rule] author = ["Elastic"] -building_block_type = "default" description = """ -This rule monitors for inter-process communication via Unix sockets. Adversaries may attempt to communicate with local -Unix sockets to enumerate application details, find vulnerabilities/configuration mistakes and potentially escalate -privileges or set up malicious communication channels via Unix sockets for inter-process communication to attempt to -evade detection. +This rule monitors for inter-process communication via Unix sockets. Adversaries may attempt to communicate with local +Unix sockets to enumerate application details, find vulnerabilities/configuration mistakes and potentially escalate +privileges or set up malicious communication channels via Unix sockets for inter-process communication to attempt to +evade detection. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] 
@@ -23,18 +24,18 @@ risk_score = 21 rule_id = "41284ba3-ed1a-4598-bfba-a97f75d9aba2" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Rule Type: BBR", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Rule Type: BBR", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( @@ -45,17 +46,15 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1559" name = "Inter-Process Communication" reference = "https://attack.mitre.org/techniques/T1559/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/execution_unsigned_service_executable.toml b/rules_building_block/execution_unsigned_service_executable.toml index e6c2b4816..ee7b2e8f6 100644 --- a/rules_building_block/execution_unsigned_service_executable.toml +++ b/rules_building_block/execution_unsigned_service_executable.toml @@ -1,9 +1,11 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/07/14" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] 
@@ -20,15 +22,14 @@ name = "Execution of an Unsigned Service" risk_score = 21 rule_id = "56fdfcf1-ca7c-4fd9-951d-e215ee26e404" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Defense Evasion", - "Rule Type: BBR", - "Data Source: Elastic Defend", -] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -39,37 +40,36 @@ process.parent.executable:"C:\\Windows\\System32\\services.exe" and not process.code_signature.status : (errorCode_endpoint* or "errorChaining") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1569" name = "System Services" reference = "https://attack.mitre.org/techniques/T1569/" + [[rule.threat.technique.subtechnique]] id = "T1569.002" name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" @@ -78,8 +78,7 @@ reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "user.id"] + [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-14d" - - +value = "now-14d" \ No newline at end of file 
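Review bot: The last hunk of execution_unsigned_service_executable.toml ends with `+value = "now-14d"` followed by `\ No newline at end of file`, so the rewrite drops the file's terminating newline; every other rule file in this diff keeps one. A missing final newline makes the next edit to the file show a spurious change on this line and may trip linters. Add the trailing newline back so the file ends with `value = "now-14d"` plus a line break.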
diff --git a/rules_building_block/execution_wmi_wbemtest.toml b/rules_building_block/execution_wmi_wbemtest.toml index 0e8da7c05..6f65b1aca 100644 --- a/rules_building_block/execution_wmi_wbemtest.toml +++ b/rules_building_block/execution_wmi_wbemtest.toml @@ -2,40 +2,28 @@ creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Adversaries may abuse the WMI diagnostic tool, wbemtest.exe, to enumerate WMI object instances or invoke methods against local or remote endpoints. """ from = "now-119m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] interval = "60m" +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "WMI WBEMTEST Utility Execution" risk_score = 21 rule_id = "d3551433-782f-4e22-bbea-c816af2d41c6" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Rule Type: BBR", - "Data Source: Elastic Endgame", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' 
@@ -45,14 +33,13 @@ process where host.os.type == "windows" and event.type == "start" and process.na [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/impact_github_member_removed_from_organization.toml b/rules_building_block/impact_github_member_removed_from_organization.toml index 9b6f36d68..ddffcc741 100644 --- a/rules_building_block/impact_github_member_removed_from_organization.toml +++ b/rules_building_block/impact_github_member_removed_from_organization.toml @@ -1,14 +1,18 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/12/21" +bypass_bbr_timing = true [rule] author = ["Elastic"] building_block_type = "default" -description = "A member was removed or their invitation to join was removed from a GitHub Organization.\n" +description = """ +A member was removed or their invitation to join was removed from a GitHub Organization. +""" from = "now-9m" index = ["logs-github.audit-*"] language = "eql" @@ -17,14 +21,13 @@ name = "Member Removed From GitHub Organization" risk_score = 21 rule_id = "095b6a58-8f88-4b59-827c-ab584ad4e759" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Impact", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Impact", + "Rule Type: BBR", + "Data Source: Github" + ] timestamp_override = "event.ingested" type = "eql" 
@@ -32,7 +35,6 @@ query = ''' configuration where event.dataset == "github.audit" and event.action == "org.remove_member" ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -45,4 +47,3 @@ reference = "https://attack.mitre.org/techniques/T1531/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules_building_block/impact_github_pat_access_revoked.toml b/rules_building_block/impact_github_pat_access_revoked.toml index 40804acb1..aa9fc0e0c 100644 --- a/rules_building_block/impact_github_pat_access_revoked.toml +++ b/rules_building_block/impact_github_pat_access_revoked.toml @@ -1,14 +1,18 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/12/14" +bypass_bbr_timing = true [rule] author = ["Elastic"] building_block_type = "default" -description = "Access to private GitHub organization resources was revoked for a PAT.\n" +description = """ +Access to private GitHub organization resources was revoked for a PAT. +""" from = "now-9m" index = ["logs-github.audit-*"] language = "eql" @@ -17,14 +21,13 @@ name = "GitHub PAT Access Revoked" risk_score = 21 rule_id = "8a0fd93a-7df8-410d-8808-4cc5e340f2b9" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Impact", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Impact", + "Rule Type: BBR", + "Data Source: Github" + ] timestamp_override = "event.ingested" type = "eql" @@ -32,7 +35,6 @@ query = ''' configuration where event.dataset == "github.audit" and event.action == "personal_access_token.access_revoked" ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -45,4 +47,3 @@ reference = "https://attack.mitre.org/techniques/T1531/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules_building_block/impact_github_user_blocked_from_organization.toml b/rules_building_block/impact_github_user_blocked_from_organization.toml index 01bce32d7..96daeacf8 100644 --- a/rules_building_block/impact_github_user_blocked_from_organization.toml +++ b/rules_building_block/impact_github_user_blocked_from_organization.toml @@ -1,14 +1,18 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/12/14" +bypass_bbr_timing = true [rule] author = ["Elastic"] building_block_type = "default" -description = "A GitHub user was blocked from access to an organization.\n" +description = """ +A GitHub user was blocked from access to an organization. +""" from = "now-9m" index = ["logs-github.audit-*"] language = "eql" @@ -17,14 +21,13 @@ name = "GitHub User Blocked From Organization" risk_score = 21 rule_id = "4030c951-448a-4017-a2da-ed60f6d14f4f" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Impact", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Impact", + "Rule Type: BBR", + "Data Source: Github" + ] timestamp_override = "event.ingested" type = "eql" @@ -32,7 +35,6 @@ query = ''' configuration where event.dataset == "github.audit" and event.action == "org.block_user" ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -45,4 +47,3 @@ reference = "https://attack.mitre.org/techniques/T1531/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - 
diff --git a/rules_building_block/initial_access_cross_site_scripting.toml b/rules_building_block/initial_access_cross_site_scripting.toml index c2a27be30..318d16160 100644 --- a/rules_building_block/initial_access_cross_site_scripting.toml +++ b/rules_building_block/initial_access_cross_site_scripting.toml @@ -2,19 +2,20 @@ creation_date = "2023/07/12" integration = ["apm"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/12" [rule] author = ["Elastic"] -building_block_type = "default" description = """ -Cross-Site Scripting (XSS) is a type of attack in which malicious scripts are injected into trusted websites. In XSS -attacks, an attacker uses a benign web application to send malicious code, generally in the form of a browser-side -script. This detection rule identifies the potential malicious executions of such browser-side scripts. +Cross-Site Scripting (XSS) is a type of attack in which malicious scripts are injected into trusted websites. +In XSS attacks, an attacker uses a benign web application to send malicious code, generally in the form of a +browser-side script. This detection rule identifies the potential malicious executions of such browser-side scripts. """ from = "now-119m" -index = ["apm-*-transaction*", "traces-apm*"] interval = "60m" +index = ["apm-*-transaction*", "traces-apm*"] language = "eql" license = "Elastic License v2" name = "Potential Cross Site Scripting (XSS)" @@ -24,6 +25,7 @@ rule_id = "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c" severity = "low" tags = ["Data Source: APM", "Use Case: Threat Detection", "Tactic: Initial Access"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -45,4 +47,3 @@ reference = "https://attack.mitre.org/techniques/T1189/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - 
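Review bot: The hunk that adds `+building_block_type = "default"` sits directly under the context line `tags = ["Data Source: APM", "Use Case: Threat Detection", "Tactic: Initial Access"]`, which, unlike every other building-block rule in this diff, carries no `"Rule Type: BBR"` tag and no `Domain:` tag, and the commit leaves that line untouched. If the tag is what downstream consumers use to filter building-block rules, this rule will be missed even though it is marked as one. Consider adding `"Rule Type: BBR"` to `tags` while the file is being touched.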
diff --git a/rules_building_block/initial_access_github_new_ip_address_for_pat.toml b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml index 85b7086c0..b1fa1b90d 100644 --- a/rules_building_block/initial_access_github_new_ip_address_for_pat.toml +++ b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml @@ -1,14 +1,18 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added to GitHub Integration" +min_stack_version = "8.8.0" +updated_date = "2023/12/14" +bypass_bbr_timing = true [rule] author = ["Elastic"] building_block_type = "default" -description = "Detects a new IP address used for a GitHub PAT not previously seen in the last 14 days.\n" +description = """ +Detects a new IP address used for a GitHub PAT not previously seen in the last 14 days. +""" from = "now-9m" index = ["logs-github.audit-*"] language = "kuery" @@ -17,14 +21,13 @@ name = "First Occurrence of IP Address For GitHub Personal Access Token (PAT)" risk_score = 21 rule_id = "fc909baa-fb34-4c46-9691-be276ef4234c" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Initial Access", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Initial Access", + "Rule Type: BBR", + "Data Source: Github" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -34,7 +37,6 @@ github.actor_ip:* and github.hashed_token:* and github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -46,8 +48,6 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" 
@@ -56,8 +56,7 @@ reference = "https://attack.mitre.org/tactics/TA0001/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["github.hashed_token", "github.actor_ip"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
-
-
diff --git a/rules_building_block/initial_access_github_new_ip_address_for_user.toml b/rules_building_block/initial_access_github_new_ip_address_for_user.toml
index 25ef2800c..38bb8adf0 100644
--- a/rules_building_block/initial_access_github_new_ip_address_for_user.toml
+++ b/rules_building_block/initial_access_github_new_ip_address_for_user.toml
@@ -1,14 +1,18 @@
 [metadata]
-bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to GitHub Integration"
+min_stack_version = "8.8.0"
+updated_date = "2023/12/14"
+bypass_bbr_timing = true
 [rule]
 author = ["Elastic"]
 building_block_type = "default"
-description = "Detects a new IP address used for a GitHub user not previously seen in the last 14 days.\n"
+description = """
+Detects a new IP address used for a GitHub user not previously seen in the last 14 days.
+"""
 from = "now-9m"
 index = ["logs-github.audit-*"]
 language = "kuery"
@@ -17,14 +21,13 @@ name = "First Occurrence of IP Address For GitHub User"
 risk_score = 21
 rule_id = "3af4cb9b-973f-4c54-be2b-7623c0e21b2b"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Use Case: Threat Detection",
- "Use Case: UEBA",
- "Tactic: Initial Access",
- "Rule Type: BBR",
- "Data Source: Github",
-]
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Initial Access",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -33,7 +36,6 @@ event.dataset:"github.audit" and event.category:"configuration" and
 github.actor_ip:* and user.name:*
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -45,8 +47,6 @@ id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
@@ -55,8 +55,7 @@ reference = "https://attack.mitre.org/tactics/TA0001/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["user.name", "github.actor_ip"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
-
-
diff --git a/rules_building_block/initial_access_github_new_user_agent_for_pat.toml b/rules_building_block/initial_access_github_new_user_agent_for_pat.toml
index b47383907..64308ff17 100644
--- a/rules_building_block/initial_access_github_new_user_agent_for_pat.toml
+++ b/rules_building_block/initial_access_github_new_user_agent_for_pat.toml
@@ -1,14 +1,18 @@
 [metadata]
-bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to GitHub Integration"
+min_stack_version = "8.8.0"
+updated_date = "2023/12/14"
+bypass_bbr_timing = true
 [rule]
 author = ["Elastic"]
 building_block_type = "default"
-description = "Detects a new user agent used for a GitHub PAT not previously seen in the last 14 days.\n"
+description = """
+Detects a new user agent used for a GitHub PAT not previously seen in the last 14 days.
+"""
 from = "now-9m"
 index = ["logs-github.audit-*"]
 language = "kuery"
@@ -17,14 +21,13 @@ name = "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)"
 risk_score = 21
 rule_id = "0e4367a0-a483-439d-ad2e-d90500b925fd"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Use Case: Threat Detection",
- "Use Case: UEBA",
- "Tactic: Initial Access",
- "Rule Type: BBR",
- "Data Source: Github",
-]
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Initial Access",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -34,7 +37,6 @@ github.user_agent:* and github.hashed_token:* and
 github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token")
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -46,8 +48,6 @@ id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
@@ -56,8 +56,7 @@ reference = "https://attack.mitre.org/tactics/TA0001/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["github.hashed_token", "github.user_agent"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
-
-
diff --git a/rules_building_block/initial_access_github_new_user_agent_for_user.toml b/rules_building_block/initial_access_github_new_user_agent_for_user.toml
index 8463648e6..7980a538d 100644
--- a/rules_building_block/initial_access_github_new_user_agent_for_user.toml
+++ b/rules_building_block/initial_access_github_new_user_agent_for_user.toml
@@ -1,14 +1,18 @@
 [metadata]
-bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to GitHub Integration"
+min_stack_version = "8.8.0"
+updated_date = "2023/12/14"
+bypass_bbr_timing = true
 [rule]
 author = ["Elastic"]
 building_block_type = "default"
-description = "Detects a new user agent used for a GitHub user not previously seen in the last 14 days.\n"
+description = """
+Detects a new user agent used for a GitHub user not previously seen in the last 14 days.
+"""
 from = "now-9m"
 index = ["logs-github.audit-*"]
 language = "kuery"
@@ -17,14 +21,13 @@ name = "First Occurrence of User-Agent For a GitHub User"
 risk_score = 21
 rule_id = "41761cd3-380f-4d4d-89f3-46d6853ee35d"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Use Case: Threat Detection",
- "Use Case: UEBA",
- "Tactic: Initial Access",
- "Rule Type: BBR",
- "Data Source: Github",
-]
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Initial Access",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -33,7 +36,6 @@ event.dataset:"github.audit" and event.category:"configuration" and
 github.user_agent:* and user.name:*
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -45,8 +47,6 @@ id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
@@ -55,8 +55,7 @@ reference = "https://attack.mitre.org/tactics/TA0001/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["user.name", "github.user_agent"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
-
-
diff --git a/rules_building_block/lateral_movement_at.toml b/rules_building_block/lateral_movement_at.toml
index 17e6965f8..0ccabf7ce 100644
--- a/rules_building_block/lateral_movement_at.toml
+++ b/rules_building_block/lateral_movement_at.toml
@@ -2,41 +2,29 @@ creation_date = "2023/08/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies use of at.exe to interact with the task scheduler on remote hosts. Remote task creations, modifications or execution could be indicative of adversary lateral movement. """ from = "now-119m" -index = [ - "logs-endpoint.events.process-*", - "winlogbeat-*", - "logs-windows.*", - "endgame-*", - "logs-system.security*", -] interval = "60m" +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "At.exe Command Lateral Movement" risk_score = 21 rule_id = "b483365c-98a8-40c0-92d8-0458ca25058a" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Rule Type: BBR", - "Data Source: Elastic Endgame", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" +building_block_type = "default" query = ''' process where host.os.type == "windows" and event.type == "start" and process.name : "at.exe" and process.args : "\\\\*" 
@@ -45,22 +33,25 @@ process where host.os.type == "windows" and event.type == "start" and process.na
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1053.002"
 name = "At"
@@ -71,10 +62,7 @@ id = "T1053.005"
 name = "Scheduled Task"
 reference = "https://attack.mitre.org/techniques/T1053/005/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules_building_block/lateral_movement_rdp_conn_unusual_process.toml b/rules_building_block/lateral_movement_rdp_conn_unusual_process.toml
index 4a6aa3206..6110207d5 100644
--- a/rules_building_block/lateral_movement_rdp_conn_unusual_process.toml
+++ b/rules_building_block/lateral_movement_rdp_conn_unusual_process.toml
@@ -2,33 +2,29 @@
 creation_date = "2023/08/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
 [rule]
 author = ["Elastic"]
-building_block_type = "default"
 description = """
 Adversaries may attempt to connect to a remote system over Windows Remote Desktop Protocol (RDP) to achieve lateral
-movement. Adversaries may avoid using the Microsoft Terminal Services Client (mstsc.exe) binary to establish an RDP
-connection to evade detection.
+movement. Adversaries may avoid using the Microsoft Terminal Services Client (mstsc.exe) binary to establish
+an RDP connection to evade detection.
 """
 from = "now-119m"
-index = ["logs-endpoint.events.network-*"]
 interval = "60m"
+index = ["logs-endpoint.events.network-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Outgoing RDP Connection by Unusual Process"
 risk_score = 21
 rule_id = "8e39f54e-910b-4adb-a87e-494fbba5fb65"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Data Source: Elastic Defend",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
+building_block_type = "default"
 type = "eql"
 query = '''
@@ -67,4 +63,3 @@ reference = "https://attack.mitre.org/techniques/T1021/001/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml b/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml
index dbc9fce69..1739922bb 100644
--- a/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml
+++ b/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml
@@ -1,16 +1,17 @@
 [metadata]
-bypass_bbr_timing = true
 creation_date = "2023/08/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/04/05"
+bypass_bbr_timing = true
 [rule]
 author = ["Elastic"]
-building_block_type = "default"
 description = """
-Identifies unusual process executions using MSSQL Service accounts, which can indicate the exploitation/compromise of
-SQL instances. Attackers may exploit exposed MSSQL instances for initial access or lateral movement.
+Identifies unusual process executions using MSSQL Service accounts, which can indicate the exploitation/compromise of SQL
+instances. Attackers may exploit exposed MSSQL instances for initial access or lateral movement.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.process-*"]
@@ -19,22 +20,15 @@ license = "Elastic License v2"
 name = "Unusual Process For MSSQL Service Accounts"
 references = [
 "https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/",
- "https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions?view=sql-server-ver16",
+ "https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions?view=sql-server-ver16"
 ]
 risk_score = 21
 rule_id = "e74d645b-fec6-431e-bf93-ca64a538e0de"
 severity = "low"
-tags = [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Tactic: Lateral Movement",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
- "Rule Type: BBR",
-]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR"]
 timestamp_override = "event.ingested"
 type = "eql"
+building_block_type = "default"
 query = '''
 process where event.type == "start" and host.os.type == "windows" and
@@ -88,21 +82,21 @@ reference = "https://attack.mitre.org/techniques/T1210/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1505"
 name = "Server Software Component"
 reference = "https://attack.mitre.org/techniques/T1505/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1505.001"
 name = "SQL Stored Procedures"
 reference = "https://attack.mitre.org/techniques/T1505/001/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules_building_block/lateral_movement_wmic_remote.toml b/rules_building_block/lateral_movement_wmic_remote.toml
index 273375289..9238c44be 100644
--- a/rules_building_block/lateral_movement_wmic_remote.toml +++ b/rules_building_block/lateral_movement_wmic_remote.toml @@ -2,33 +2,28 @@ creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies the use of wmic.exe to run commands on remote hosts. While this can be used by administrators legitimately, attackers can abuse this built-in utility to achieve lateral movement. """ from = "now-119m" -index = ["logs-endpoint.events.process-*"] interval = "60m" +index = ["logs-endpoint.events.process-*"] language = "eql" license = "Elastic License v2" name = "WMIC Remote Command" risk_score = 21 rule_id = "f59668de-caa0-4b84-94c1-3a1549e1e798" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' 
@@ -42,31 +37,31 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1021.006"
 name = "Windows Remote Management"
 reference = "https://attack.mitre.org/techniques/T1021/006/"
-
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1047"
 name = "Windows Management Instrumentation"
 reference = "https://attack.mitre.org/techniques/T1047/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml b/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml
index f4aaaef46..ed153da86 100644
--- a/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml
+++ b/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2024/04/30"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/30"
 [rule]
 author = ["Elastic"]
@@ -30,7 +32,7 @@ tags = [
 "Data Source: AWS IAM",
 "Use Case: Identity and Access Audit",
 "Tactic: Persistence",
- "Rule Type: BBR",
+ "Rule Type: BBR"
 ]
 timestamp_override = "event.ingested"
 type = "query"
@@ -44,6 +46,14 @@ event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+[[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
@@ -53,17 +63,6 @@ name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-[[rule.threat.technique.subtechnique]]
-id = "T1098.003"
-name = "Additional Cloud Roles"
-reference = "https://attack.mitre.org/techniques/T1098/003/"
-
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules_building_block/persistence_creation_of_kernel_module.toml b/rules_building_block/persistence_creation_of_kernel_module.toml
index 4ba49615d..1a5f88f21 100644
--- a/rules_building_block/persistence_creation_of_kernel_module.toml
+++ b/rules_building_block/persistence_creation_of_kernel_module.toml
@@ -2,15 +2,19 @@
 creation_date = "2023/08/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/02/22"
 [rule]
 author = ["Elastic"]
 building_block_type = "default"
-description = "Identifies activity related to loading kernel modules on Linux via creation of new ko files in the LKM directory.\n"
+description = """
+Identifies activity related to loading kernel modules on Linux via creation of new ko files in the LKM directory.
+"""
 from = "now-119m"
-index = ["logs-endpoint.events.*", "endgame-*"]
 interval = "60m"
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Creation of Kernel Module"
@@ -18,17 +22,16 @@ risk_score = 21
 rule_id = "947827c6-9ed6-4dec-903e-c856c86e72f3"
 severity = "low"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Rule Type: BBR",
- "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame",
-]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Rule Type: BBR",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 file where host.os.type == "linux" and event.type in ("change", "creation") and file.path : "/lib/modules/*" and
 file.extension == "ko" and not process.name : (
@@ -36,22 +39,20 @@ file.extension == "ko" and not process.name : (
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1547"
 name = "Boot or Logon Autostart Execution"
 reference = "https://attack.mitre.org/techniques/T1547/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1547.006"
 name = "Kernel Modules and Extensions"
 reference = "https://attack.mitre.org/techniques/T1547/006/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules_building_block/persistence_github_new_pat_for_user.toml b/rules_building_block/persistence_github_new_pat_for_user.toml
index a7cfbd7e4..cfef12dc0 100644
--- a/rules_building_block/persistence_github_new_pat_for_user.toml
+++ b/rules_building_block/persistence_github_new_pat_for_user.toml
@@ -1,14 +1,18 @@
 [metadata]
-bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added to GitHub Integration"
+min_stack_version = "8.8.0"
+updated_date = "2023/12/14"
+bypass_bbr_timing = true
 [rule]
 author = ["Elastic"]
 building_block_type = "default"
-description = "A new PAT was used for a GitHub user not previously seen in the last 14 days.\n"
+description = """
+A new PAT was used for a GitHub user not previously seen in the last 14 days.
+"""
 from = "now-9m"
 index = ["logs-github.audit-*"]
 language = "kuery"
@@ -17,14 +21,13 @@ name = "First Occurrence of Personal Access Token (PAT) Use For a GitHub User"
 risk_score = 21
 rule_id = "f94e898e-94f1-4545-8923-03e4b2866211"
 severity = "low"
-tags = [
- "Domain: Cloud",
- "Use Case: Threat Detection",
- "Use Case: UEBA",
- "Tactic: Persistence",
- "Rule Type: BBR",
- "Data Source: Github",
-]
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Persistence",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -34,7 +37,6 @@ github.hashed_token:* and user.name:* and
 github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token")
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -46,8 +48,6 @@ id = "T1098.001"
 name = "Additional Cloud Credentials"
 reference = "https://attack.mitre.org/techniques/T1098/001/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
@@ -56,8 +56,7 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["user.name", "github.hashed_token"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
-
-
diff --git a/rules_building_block/persistence_github_new_user_added_to_organization.toml b/rules_building_block/persistence_github_new_user_added_to_organization.toml
index 6de318f91..685fa8fbe 100644
--- a/rules_building_block/persistence_github_new_user_added_to_organization.toml
+++ b/rules_building_block/persistence_github_new_user_added_to_organization.toml
@@ -1,14 +1,18 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/12/21" +bypass_bbr_timing = true [rule] author = ["Elastic"] building_block_type = "default" -description = "A new user was added to a GitHub organization.\n" +description = """ +A new user was added to a GitHub organization. +""" from = "now-9m" index = ["logs-github.audit-*"] language = "eql" @@ -17,14 +21,13 @@ name = "New User Added To GitHub Organization" risk_score = 21 rule_id = "61336fe6-c043-4743-ab6e-41292f439603" severity = "low" -tags = [ - "Domain: Cloud", - "Use Case: Threat Detection", - "Use Case: UEBA", - "Tactic: Persistence", - "Rule Type: BBR", - "Data Source: Github", -] +tags = ["Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Persistence", + "Rule Type: BBR", + "Data Source: Github" + ] timestamp_override = "event.ingested" type = "eql" @@ -32,7 +35,6 @@ query = ''' configuration where event.dataset == "github.audit" and event.action == "org.add_member" ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -44,10 +46,7 @@ id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules_building_block/persistence_startup_folder_lnk.toml b/rules_building_block/persistence_startup_folder_lnk.toml index 0cfb8ff93..c8967f887 100644 --- a/rules_building_block/persistence_startup_folder_lnk.toml +++ b/rules_building_block/persistence_startup_folder_lnk.toml 
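Review bot: `min_stack_version = "8.3.0"` with `min_stack_comments = "New fields added: required_fields, related_integrations, setup"` in the metadata hunk is a lower floor than the other GitHub rules in this commit, which are restored to `8.8.0` with `min_stack_comments = "New fields added to GitHub Integration"`. This rule's query reads only `event.dataset` and `event.action`, not the `github.actor_ip`, `github.hashed_token`, `github.user_agent` or `github.programmatic_access_type` fields the sibling rules gate on, so the lower floor may well be deliberate, but nothing in the file says so. If the `github.audit` dataset itself is what required the newer integration, this should be `8.8.0` like its siblings; if the lower floor is intentional, extending the comment with the reason, e.g. `min_stack_comments = "New fields added: required_fields, related_integrations, setup; rule uses no github.* integration fields"`, would save the next reader the same question.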
@@ -1,13 +1,14 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" +bypass_bbr_timing = true [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies shortcut files written to or modified in the startup folder. Adversaries may use this technique to maintain persistence. @@ -20,15 +21,9 @@ name = "Shortcut File Written or Modified on Startup Folder" risk_score = 21 rule_id = "ee53d67a-5f0c-423c-a53c-8084ae562b5c" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' @@ -68,4 +63,3 @@ reference = "https://attack.mitre.org/techniques/T1547/009/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules_building_block/persistence_transport_agent_exchange.toml b/rules_building_block/persistence_transport_agent_exchange.toml index 41a64eb14..993b637e4 100644 --- a/rules_building_block/persistence_transport_agent_exchange.toml +++ b/rules_building_block/persistence_transport_agent_exchange.toml 
@@ -2,19 +2,20 @@ creation_date = "2023/07/14" integration = ["windows"] maturity = "production" -updated_date = "2024/05/21" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/04/05" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Identifies the use of Cmdlets and methods related to Microsoft Exchange Transport Agents install. Adversaries may leverage malicious Microsoft Exchange Transport Agents to execute tasks in response to adversary-defined criteria, establishing persistence. """ from = "now-119m" -index = ["winlogbeat-*", "logs-windows.powershell*"] interval = "60m" +index = ["winlogbeat-*", "logs-windows.powershell*"] language = "kuery" license = "Elastic License v2" name = "Microsoft Exchange Transport Agent Install Script" @@ -36,16 +37,10 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: PowerShell Logs", - "Rule Type: BBR", -] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: PowerShell Logs", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "query" +building_block_type = "default" query = ''' event.category: "process" and host.os.type:windows and 
@@ -63,35 +58,34 @@ event.category: "process" and host.os.type:windows and
 )
 '''
-
 [[rule.filters]]
-
 [rule.filters.meta]
 negate = true
 [rule.filters.query.wildcard."file.path"]
-case_insensitive = true
-value = "?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*"
-[[rule.filters]]
+"case_insensitive" = true
+"value" = "?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*"
+[[rule.filters]]
 [rule.filters.meta]
 negate = true
 [rule.filters.query.wildcard."file.path"]
-case_insensitive = true
-value = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"
-[[rule.filters]]
+"case_insensitive" = true
+"value" = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"
+[[rule.filters]]
 [rule.filters.meta]
 negate = true
 [rule.filters.query.wildcard."file.path"]
-case_insensitive = true
-value = "?:\\\\Windows\\\\TEMP\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"
-[[rule.filters]]
+"case_insensitive" = true
+"value" = "?:\\\\Windows\\\\TEMP\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"
+[[rule.filters]]
 [rule.filters.meta]
 negate = true
 [rule.filters.query.wildcard."file.path"]
-case_insensitive = true
-value = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"
+"case_insensitive" = true
+"value" = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -126,4 +120,3 @@ reference = "https://attack.mitre.org/techniques/T1059/001/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules_building_block/privilege_escalation_trap_execution.toml b/rules_building_block/privilege_escalation_trap_execution.toml
index 52787ad90..f077ca029 100644
--- a/rules_building_block/privilege_escalation_trap_execution.toml
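Review bot: The rewritten filter entries use quoted keys, `"case_insensitive" = true` and `"value" = "..."`, while `negate = true` two lines above stays bare and the removed lines were bare. TOML treats `"value"` and `value` as the same key, so behaviour is unchanged, but the quoting is inconsistent within the same table and reads as if the keys needed escaping; using `case_insensitive = true` and `value = "..."` in all four `[rule.filters.query.wildcard."file.path"]` tables keeps the hunk to the blank-line cleanup it is otherwise doing. The three `[[rule.filters]]` headers are also removed and re-added with identical visible text, which suggests trailing whitespace or indentation differs between the two sides; worth confirming that is all it is.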
+++ b/rules_building_block/privilege_escalation_trap_execution.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/24"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -12,8 +14,8 @@ Identify activity related where adversaries can include a trap command which the
 commands that will be executed upon receiving interrupt signals.
 """
 from = "now-119m"
-index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 interval = "60m"
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Trap Signals Execution"
@@ -21,40 +23,37 @@ risk_score = 21 rule_id = "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e" severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", -] + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "trap" and process.args : "SIG*" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.005" name = "Trap" reference = "https://attack.mitre.org/techniques/T1546/005/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index f73dcd8f4..2170d5a75 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py 
@@ -28,7 +28,7 @@ from detection_rules.rule import (AlertSuppressionMapping, QueryRuleData, QueryV
 ThresholdAlertSuppression, TOMLRuleContents)
 from detection_rules.rule_loader import FILE_PATTERN
 from detection_rules.rule_validators import EQLValidator, KQLValidator
-from detection_rules.schemas import definitions, get_min_supported_stack_version, get_stack_schemas
+from detection_rules.schemas import definitions, get_stack_schemas
 from detection_rules.utils import INTEGRATION_RULE_DIR, PatchedTemplate, get_path, load_etc_dump
 from detection_rules.version_lock import default_version_lock
 from rta import get_available_tests
@@ -1111,7 +1111,6 @@ class TestBuildTimeFields(BaseRuleTest):
 def test_build_fields_min_stack(self):
 """Test that newly introduced build-time fields for a min_stack for applicable rules."""
 current_stack_ver = PACKAGE_STACK_VERSION
- min_supported_stack_version = get_min_supported_stack_version()
 invalids = []
 for rule in self.production_rules:
@@ -1121,12 +1120,7 @@ class TestBuildTimeFields(BaseRuleTest):
 errors = []
 for build_field, field_versions in build_fields.items():
 start_ver, end_ver = field_versions
- # when a _new_ build time field is introduced, _all_ rules _must_ have a min_stack_version for the stack
- # version in which the field was introduced. This is because the initial change will result in a hash
- # change which is different because of the build time fields.
- # This also ensures that the introduced version is greater than the min supported, in order to age off
- # old and unneeded checks. (i.e. 8.3.0 < 8.9.0 min supported, so it is irrelevant now)
- if start_ver is not None and current_stack_ver >= start_ver >= min_supported_stack_version:
+ if start_ver is not None and current_stack_ver >= start_ver:
 if min_stack is None or not Version.parse(min_stack) >= start_ver:
 errors.append(f'{build_field} >= {start_ver}')
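Review bot: The docstring on `test_build_fields_min_stack` in the `@@ -1111,7 +1111,6 @@` hunk is still the ungrammatical `"""Test that newly introduced build-time fields for a min_stack for applicable rules."""`, and since the test's gating is being changed here it is the right moment to state what it checks, e.g. `"""Test that every production rule pins a min_stack_version at or above the stack version that introduced each applicable build-time field."""`. Removing `min_supported_stack_version` is paired with the condition change in the following hunk, whose end lies outside this chunk; as far as is visible, the new `if start_ver is not None and current_stack_ver >= start_ver:` also covers start versions below the minimum supported stack, and the removed comment block that explained the old age-off rule is not replaced by anything explaining the new one. A one-line comment above the new condition, such as `# every build-time field introduced up to the current stack must be reflected in the rule's min_stack_version`, would carry that intent. The method continues past the hunk.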