[Rule Tuning] Fix Menasec Expired Links (#3271)

(cherry picked from commit f53f46efd5)
2023-11-14 10:18:34 -03:00
parent b342660c3a
commit 337f11fa7c
6 changed files with 8 additions and 8 deletions
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/10/23"
+updated_date = "2023/11/13"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

@@ -92,7 +92,7 @@ TeamViewer is a remote access and remote control tool used by helpdesks and syst


 """
-references = ["https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"]
+references = ["http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"]
 risk_score = 47
 rule_id = "b25a7df2-120a-4db2-bd3f-3e4b86b24bee"
 setup="""
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2023/11/13"

 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = [
    "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
    "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/",
    "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx",
-    "https://blog.menasec.net/2021/01/",
+    "http://web.archive.org/web/20230530011556/https://blog.menasec.net/2021/01/",
 ]
 risk_score = 47
 rule_id = "ac5012b8-8da8-440b-aaaf-aedafdea2dff"
@@ -17,7 +17,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Managed Code Hosting Process"
-references = ["https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html"]
+references = ["http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html"]
 risk_score = 73
 rule_id = "acf738b5-b5b2-4acc-bad9-1e18ee234f40"
 severity = "high"
@@ -91,7 +91,7 @@ Adversaries can use network shares to host tooling to support the compromise of
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
-references = ["https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html"]
+references = ["http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html"]
 risk_score = 47
 rule_id = "ab75c24b-2502-43a0-bf7c-e60e662c811e"
 severity = "medium"
@@ -59,7 +59,7 @@ The setting is usually configured so a user account can act as a service account
 """
 references = [
    "https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire",
-    "https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html",
+    "http://web.archive.org/web/20230329171952/https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html",
 ]
 risk_score = 47
 rule_id = "62a70f6f-3c37-43df-a556-f64fa475fba2"
@@ -47,7 +47,7 @@ This rule uses registry events to identify the creation of local hidden accounts

 """
 references = [
-    "https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html",
+    "http://web.archive.org/web/20230329153858/https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html",
    "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign",
 ]
 risk_score = 73