From 337f11fa7cc0d5f2db3a6511a05b54bcc70aa5a7 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Tue, 14 Nov 2023 10:18:34 -0300
Subject: [PATCH] [Rule Tuning] Fix Menasec Expired Links (#3271)

(cherry picked from commit f53f46efd54ac50d776330a0191f6c93cbd39c8e)
---
 .../command_and_control_teamviewer_remote_file_copy.toml | 4 ++--
 ...se_evasion_masquerading_suspicious_werfault_childproc.toml | 4 ++--
 .../defense_evasion_suspicious_managedcode_host_process.toml | 2 +-
 .../lateral_movement_execution_via_file_shares_sequence.toml | 2 +-
 rules/windows/persistence_dontexpirepasswd_account.toml | 2 +-
 .../persistence_evasion_hidden_local_account_creation.toml | 2 +-
 6 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
index 3ad575dd8..364a9fdb8 100644
--- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
+++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/10/23"
+updated_date = "2023/11/13"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -92,7 +92,7 @@ TeamViewer is a remote access and remote control tool used by helpdesks and syst
 """
-references = ["https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"]
+references = ["http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"]
 risk_score = 47
 rule_id = "b25a7df2-120a-4db2-bd3f-3e4b86b24bee"
 setup="""
diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
index bb0d0abc1..89db66023 100644
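Review bot: The replacement reference URLs use a plain `http://` scheme for the archive host, although the links they replace were `https://` and the Wayback Machine serves the same snapshots over TLS; `references = ["https://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"]` keeps the reference on an authenticated channel and avoids an extra redirect when an analyst follows it from the rule. The same applies to the archived links in the werfault, managed-code, file-shares, dontexpirepasswd and hidden-local-account hunks. Separately, as far as these hunks show only the first two files bump `updated_date` to "2023/11/13"; if the repository expects that field to change whenever a rule file is edited, the remaining four files should receive the same bump.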
--- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
+++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2023/11/13"
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = [
     "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
     "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/",
     "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx",
-    "https://blog.menasec.net/2021/01/",
+    "http://web.archive.org/web/20230530011556/https://blog.menasec.net/2021/01/",
 ]
 risk_score = 47
 rule_id = "ac5012b8-8da8-440b-aaaf-aedafdea2dff"
diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
index faba440c8..ec4a40ec4 100644
--- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
+++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
@@ -17,7 +17,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Managed Code Hosting Process"
-references = ["https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html"]
+references = ["http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html"]
 risk_score = 73
 rule_id = "acf738b5-b5b2-4acc-bad9-1e18ee234f40"
 severity = "high"
diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
index d610946c8..fb71e2ec9 100644
--- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
+++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
@@ -91,7 +91,7 @@ Adversaries can use network shares to host tooling to support the compromise of
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
-references = ["https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html"]
+references = ["http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html"]
 risk_score = 47
 rule_id = "ab75c24b-2502-43a0-bf7c-e60e662c811e"
 severity = "medium"
diff --git a/rules/windows/persistence_dontexpirepasswd_account.toml b/rules/windows/persistence_dontexpirepasswd_account.toml
index dbcb55b4e..a17685c15 100644
--- a/rules/windows/persistence_dontexpirepasswd_account.toml
+++ b/rules/windows/persistence_dontexpirepasswd_account.toml
@@ -59,7 +59,7 @@ The setting is usually configured so a user account can act as a service account
 """
 references = [
     "https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire",
-    "https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html",
+    "http://web.archive.org/web/20230329171952/https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html",
 ]
 risk_score = 47
 rule_id = "62a70f6f-3c37-43df-a556-f64fa475fba2"
diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
index ce954695d..477e00059 100644
--- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml
+++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
@@ -47,7 +47,7 @@ This rule uses registry events to identify the creation of local hidden accounts
 """
 references = [
-    "https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html",
+    "http://web.archive.org/web/20230329153858/https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html",
     "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign",
 ]
 risk_score = 73