diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml
index c2dee5ffa..59bafda14 100644
--- a/rules/windows/command_and_control_common_webservices.toml
+++ b/rules/windows/command_and_control_common_webservices.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/04"
 maturity = "production"
-updated_date = "2022/01/17"
+updated_date = "2022/02/14"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ network which allows the adversary to blend into legitimate traffic. activity. T
 targeted since they have most likely been used before a compromise and allow adversaries to blend in the network.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Connection to Commonly Abused Web Services"
diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
index ee392750e..6b11038b2 100644
--- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
+++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/03/18"
 maturity = "production"
-updated_date = "2021/03/18"
+updated_date = "2022/02/14"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ the authentication credentials in clear text during user logon.
 """
 false_positives = ["Authorized third party network logon providers."]
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Network Logon Provider Registry Modification"
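Review bot: Dropping `winlogbeat-*` and `logs-windows.*` from `index` in the `@@ -12,7` hunk of command_and_control_common_webservices.toml silently removes coverage for hosts whose Windows telemetry arrives through Winlogbeat or the Windows integration instead of Elastic Endpoint, and nothing in the changed lines records why the sources were dropped. The same narrowing appears in the `@@ -11,7` hunk of credential_access_persistence_network_logon_provider_modification.toml (which also drops `auditbeat-*`), the `@@ -17,7` hunk of discovery_post_exploitation_external_ip_lookup.toml and the `@@ -11,7` hunk of privilege_escalation_lsa_auth_package.toml. The sc.exe rule in this same commit documents its data-source restriction with a comment at the top of its query; these four rules should carry an equivalent one at the top of their `query` block (which lies outside these hunks), e.g. `/* Requires Elastic Endpoint data: <reason the Winlogbeat/Windows integration sources were removed> */`, so that operators who only ship Winlogbeat data learn from the rule itself that it no longer evaluates their hosts rather than discovering the gap after an incident.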
diff --git a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
index 44f575342..63cc20e11 100644
--- a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
+++ b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/04"
 maturity = "production"
-updated_date = "2021/08/14"
+updated_date = "2022/02/14"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "External IP Lookup from Non-Browser Process"
diff --git a/rules/windows/lateral_movement_service_control_spawned_script_int.toml b/rules/windows/lateral_movement_service_control_spawned_script_int.toml
index c7a060ee1..1efedc685 100644
--- a/rules/windows/lateral_movement_service_control_spawned_script_int.toml
+++ b/rules/windows/lateral_movement_service_control_spawned_script_int.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/03/15"
+updated_date = "2022/02/14"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies Service Control (sc.exe) spawning from script interpreter processes t
 This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["logs-endpoint.events.*", "logs-system.*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Service Control Spawned via Script Interpreter"
@@ -22,6 +22,8 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
+/* This rule is not compatible with Sysmon due to user.id issues */
+
 process where event.type == "start" and
  (process.name : "sc.exe" or process.pe.original_file_name == "sc.exe") and
  process.parent.name : ("cmd.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe",
diff --git a/rules/windows/privilege_escalation_lsa_auth_package.toml b/rules/windows/privilege_escalation_lsa_auth_package.toml
index d2af1bc0a..0d33aa979 100644
--- a/rules/windows/privilege_escalation_lsa_auth_package.toml
+++ b/rules/windows/privilege_escalation_lsa_auth_package.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/02/14"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ privilege escalation or persistence by placing a reference to a binary in the Wi
 executed by SYSTEM when the authentication packages are loaded.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential LSA Authentication Package Abuse"
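Review bot: The new comment at the top of `query` declares the rule incompatible with Sysmon, yet the `@@ -10,7` hunk of the same file keeps `winlogbeat-*` in `index`, which is commonly where Sysmon-sourced events are shipped, so the rule keeps evaluating the very data it says it cannot handle and will presumably either misfire or miss on those hosts depending on how user.id is populated there. The user.id condition the comment refers to is not visible here — the query body continues past the end of this hunk — so I cannot tell whether the incompatibility is a hard one; if it is, the query should exclude Sysmon-sourced events rather than only documenting the problem. At minimum the comment should tell the operator what to do about it, e.g. `/* Not compatible with Sysmon due to user.id issues: if your winlogbeat-* data is Sysmon-sourced, expect this rule to misfire or miss on those hosts */`.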