From 3fc34b86f215319039ee46bed42d987d671a1101 Mon Sep 17 00:00:00 2001 
From: Justin Ibarra Date: Wed, 3 Mar 2021 22:12:11 -0900 Subject: [PATCH] Update License to Elastic v2 (#944) --- LICENSE.txt | 262 +++++------------- README.md | 4 +- detection_rules/__init__.py | 5 +- detection_rules/__main__.py | 5 +- detection_rules/attack.py | 5 +- detection_rules/beats.py | 5 +- detection_rules/devtools.py | 35 +-- detection_rules/docs.py | 5 +- detection_rules/ecs.py | 5 +- detection_rules/eswrap.py | 5 +- detection_rules/kbwrap.py | 5 +- detection_rules/main.py | 5 +- detection_rules/mappings.py | 5 +- detection_rules/misc.py | 10 +- detection_rules/packaging.py | 5 +- detection_rules/rule.py | 5 +- detection_rules/rule_formatter.py | 5 +- detection_rules/rule_loader.py | 5 +- detection_rules/schemas/__init__.py | 7 +- detection_rules/schemas/base.py | 5 +- detection_rules/schemas/rta_schema.py | 5 +- detection_rules/schemas/v7_10.py | 5 +- detection_rules/schemas/v7_11.py | 5 +- detection_rules/schemas/v7_12.py | 14 + detection_rules/schemas/v7_8.py | 5 +- detection_rules/schemas/v7_9.py | 7 +- detection_rules/semver.py | 5 +- detection_rules/utils.py | 5 +- kibana/__init__.py | 5 +- kibana/connector.py | 5 +- kibana/resources.py | 5 +- kql/__init__.py | 5 +- kql/ast.py | 5 +- kql/dsl.py | 5 +- kql/eql2kql.py | 5 +- kql/errors.py | 5 +- kql/evaluator.py | 5 +- kql/kql2eql.py | 5 +- kql/optimizer.py | 5 +- kql/parser.py | 5 +- rta/__init__.py | 5 +- rta/__main__.py | 5 +- rta/adobe_hijack.py | 5 +- rta/appcompat_shim.py | 5 +- rta/at_command.py | 5 +- rta/bin/__init__.py | 5 +- rta/bitsadmin_download.py | 5 +- rta/brute_force_login.py | 5 +- rta/certutil_file_obfuscation.py | 5 +- rta/certutil_webrequest.py | 5 +- rta/common.py | 5 +- rta/comsvcs_dump.py | 5 +- rta/dcom_lateral_movement_with_mmc.py | 5 +- rta/delete_bootconf.py | 5 +- rta/delete_catalogs.py | 5 +- rta/delete_usnjrnl.py | 5 +- rta/delete_volume_shadows.py | 5 +- rta/disable_windows_fw.py | 5 +- rta/enum_commands.py | 5 +- rta/findstr_pw_search.py | 5 +- rta/globalflags.py | 
5 +- rta/hosts_file_modify.py | 5 +- rta/installutil_network.py | 5 +- rta/iqy_file_writes.py | 5 +- rta/lateral_command_psexec.py | 5 +- rta/lateral_commands.py | 5 +- rta/linux_compress_sensitive_files.py | 5 +- rta/linux_discovery_sensitive_files.py | 5 +- rta/mac_office_descendant.py | 5 +- ...dification_of_wdigest_security_provider.py | 5 +- rta/ms_office_drop_exe.py | 5 +- rta/msbuild_network.py | 5 +- rta/mshta_network.py | 5 +- rta/msiexec_http_installer.py | 5 +- rta/msxsl_network.py | 5 +- rta/net_user_add.py | 5 +- rta/obfuscated_cmd_commands.py | 5 +- rta/obfuscated_powershell.py | 5 +- rta/office_application_startup.py | 5 +- rta/persistent_scripts.py | 5 +- rta/port_monitor.py | 5 +- rta/powershell_args.py | 5 +- rta/powershell_base64_gzip.py | 5 +- rta/powershell_from_script.py | 5 +- rta/process_double_extension.py | 5 +- rta/process_extension_anomalies.py | 5 +- rta/process_name_masquerade.py | 5 +- rta/recycle_bin_process.py | 5 +- rta/registry_hive_export.py | 5 +- rta/registry_persistence_create.py | 5 +- rta/registry_rdp_enable.py | 5 +- rta/regsvr32_scrobj.py | 5 +- rta/rundll32_inf_callback.py | 5 +- rta/rundll32_javascript_callback.py | 5 +- rta/schtask_escalation.py | 5 +- rta/scrobj_com_hijack.py | 5 +- rta/secure_file_deletion.py | 5 +- rta/settingcontentms_files.py | 5 +- rta/sevenzip_encrypted.py | 5 +- rta/shortcut_file_suspicious_process.py | 5 +- rta/sip_provider.py | 5 +- rta/smb_connection.py | 5 +- rta/sticky_keys_write_execute.py | 5 +- rta/suspicious_dll_registration_regsvr32.py | 5 +- rta/suspicious_office_children.py | 5 +- rta/suspicious_office_descendant_fp.py | 5 +- rta/suspicious_powershell_download.py | 5 +- rta/suspicious_wmic_script.py | 5 +- rta/suspicious_wscript_parent.py | 5 +- rta/system_restore_process.py | 5 +- rta/trust_provider.py | 5 +- rta/uac_eventviewer.py | 5 +- rta/uac_sdclt.py | 5 +- rta/uac_sysprep.py | 5 +- rta/uncommon_persistence.py | 5 +- rta/unusual_ms_tool_network.py | 5 +- 
rta/unusual_parent_child.py | 5 +- rta/user_dir_escalation.py | 5 +- rta/vaultcmd_commands.py | 5 +- rta/werfault_persistence.py | 5 +- rta/wevtutil_log_clear.py | 5 +- rta/winrar_encrypted.py | 5 +- rta/winrar_startup_folder.py | 5 +- rta/wmi_incoming_logon.py | 5 +- rules/apm/apm_403_response_to_a_post.toml | 4 +- .../apm_405_response_method_not_allowed.toml | 4 +- rules/apm/apm_null_user_agent.toml | 4 +- rules/apm/apm_sqlmap_user_agent.toml | 4 +- ...collection_cloudtrail_logging_created.toml | 4 +- ...ccess_aws_iam_assume_role_brute_force.toml | 4 +- ...ial_access_iam_user_addition_to_group.toml | 4 +- ...cess_root_console_failure_brute_force.toml | 4 +- ..._access_secretsmanager_getsecretvalue.toml | 4 +- ...se_evasion_cloudtrail_logging_deleted.toml | 4 +- ..._evasion_cloudtrail_logging_suspended.toml | 4 +- ...nse_evasion_cloudwatch_alarm_deletion.toml | 4 +- ..._evasion_config_service_rule_deletion.toml | 4 +- ...vasion_configuration_recorder_stopped.toml | 4 +- ...defense_evasion_ec2_flow_log_deletion.toml | 4 +- ...ense_evasion_ec2_network_acl_deletion.toml | 4 +- ...e_evasion_guardduty_detector_deletion.toml | 4 +- ...sion_s3_bucket_configuration_deletion.toml | 4 +- .../aws/defense_evasion_waf_acl_deletion.toml | 4 +- ...asion_waf_rule_or_rule_group_deletion.toml | 4 +- ...ltration_ec2_snapshot_change_activity.toml | 4 +- .../impact_cloudtrail_logging_updated.toml | 4 +- .../impact_cloudwatch_log_group_deletion.toml | 4 +- ...impact_cloudwatch_log_stream_deletion.toml | 4 +- .../impact_ec2_disable_ebs_encryption.toml | 4 +- .../aws/impact_iam_deactivate_mfa_device.toml | 4 +- rules/aws/impact_iam_group_deletion.toml | 4 +- rules/aws/impact_rds_cluster_deletion.toml | 4 +- .../impact_rds_instance_cluster_stoppage.toml | 4 +- .../initial_access_console_login_root.toml | 4 +- .../aws/initial_access_password_recovery.toml | 4 +- .../initial_access_via_system_manager.toml | 4 +- .../persistence_ec2_network_acl_creation.toml | 4 +- 
rules/aws/persistence_iam_group_creation.toml | 4 +- .../aws/persistence_rds_cluster_creation.toml | 4 +- ...ege_escalation_root_login_without_mfa.toml | 4 +- ...ege_escalation_updateassumerolepolicy.toml | 4 +- ...collection_update_event_hub_auth_rule.toml | 4 +- .../credential_access_key_vault_modified.toml | 4 +- ...ccess_storage_account_key_regenerated.toml | 4 +- ...e_application_credential_modification.toml | 4 +- ...on_azure_diagnostic_settings_deletion.toml | 4 +- ...sion_azure_service_principal_addition.toml | 4 +- .../defense_evasion_event_hub_deletion.toml | 4 +- ...ense_evasion_firewall_policy_deletion.toml | 4 +- ...ense_evasion_network_watcher_deletion.toml | 4 +- .../discovery_blob_container_access_mod.toml | 4 +- .../execution_command_virtual_machine.toml | 4 +- ...pact_azure_automation_runbook_deleted.toml | 4 +- .../azure/impact_resource_group_deletion.toml | 4 +- ...ure_active_directory_high_risk_signin.toml | 4 +- ...re_active_directory_powershell_signin.toml | 4 +- ...tack_via_azure_registered_application.toml | 4 +- ...ial_access_external_guest_user_invite.toml | 4 +- ...ence_azure_automation_account_created.toml | 4 +- ...utomation_runbook_created_or_modified.toml | 4 +- ...ence_azure_automation_webhook_created.toml | 4 +- ...re_conditional_access_policy_modified.toml | 4 +- ...nce_azure_pim_user_added_global_admin.toml | 4 +- ...ged_identity_management_role_modified.toml | 4 +- ...rsistence_mfa_disabled_for_azure_user.toml | 4 +- ..._added_as_owner_for_azure_application.toml | 4 +- ..._as_owner_for_azure_service_principal.toml | 4 +- ...s_cookies_chromium_browsers_debugging.toml | 4 +- ...e_evasion_deleting_websvr_access_logs.toml | 4 +- .../discovery_security_software_grep.toml | 4 +- ...on_pentest_eggshell_remote_admin_tool.toml | 4 +- .../execution_python_script_in_cmdline.toml | 4 +- .../execution_revershell_via_shell_cmd.toml | 4 +- ...xecution_suspicious_jar_child_process.toml | 4 +- .../impact_hosts_file_modified.toml | 4 +- 
..._access_zoom_meeting_with_no_passcode.toml | 4 +- ...l_access_modify_auth_module_or_config.toml | 4 +- ...stence_cron_jobs_creation_and_runtime.toml | 4 +- ...ersistence_shell_profile_modification.toml | 4 +- ...ence_ssh_authorized_keys_modification.toml | 4 +- ...lege_escalation_echo_nopasswd_sudoers.toml | 4 +- ...ation_setuid_setgid_bit_set_via_chmod.toml | 4 +- ...ilege_escalation_sudo_buffer_overflow.toml | 4 +- ...privilege_escalation_sudoers_file_mod.toml | 4 +- ...ion_gcp_pub_sub_subscription_creation.toml | 4 +- ...collection_gcp_pub_sub_topic_creation.toml | 4 +- ...nse_evasion_gcp_firewall_rule_created.toml | 4 +- ...nse_evasion_gcp_firewall_rule_deleted.toml | 4 +- ...se_evasion_gcp_firewall_rule_modified.toml | 4 +- ...e_evasion_gcp_logging_bucket_deletion.toml | 4 +- ...nse_evasion_gcp_logging_sink_deletion.toml | 4 +- ...ion_gcp_pub_sub_subscription_deletion.toml | 4 +- ...se_evasion_gcp_pub_sub_topic_deletion.toml | 4 +- ...storage_bucket_configuration_modified.toml | 4 +- ...p_storage_bucket_permissions_modified.toml | 4 +- ...tration_gcp_logging_sink_modification.toml | 4 +- rules/gcp/impact_gcp_iam_role_deletion.toml | 4 +- .../impact_gcp_service_account_deleted.toml | 4 +- .../impact_gcp_service_account_disabled.toml | 4 +- .../impact_gcp_storage_bucket_deleted.toml | 4 +- ...virtual_private_cloud_network_deleted.toml | 4 +- ...p_virtual_private_cloud_route_created.toml | 4 +- ...p_virtual_private_cloud_route_deleted.toml | 4 +- ...l_access_gcp_iam_custom_role_creation.toml | 4 +- ..._gcp_iam_service_account_key_deletion.toml | 4 +- ...e_gcp_key_created_for_service_account.toml | 4 +- ...rsistence_gcp_service_account_created.toml | 4 +- ...tion_added_to_google_workspace_domain.toml | 4 +- ...d_to_google_workspace_trusted_domains.toml | 4 +- .../google_workspace_admin_role_deletion.toml | 4 +- ...le_workspace_mfa_enforcement_disabled.toml | 4 +- .../google_workspace_policy_modified.toml | 4 +- ...led_for_google_workspace_organization.toml | 4 
+- ...workspace_admin_role_assigned_to_user.toml | 4 +- ...a_domain_wide_delegation_of_authority.toml | 4 +- ...e_workspace_custom_admin_role_created.toml | 4 +- ...stence_google_workspace_role_modified.toml | 4 +- ...ial_access_collection_sensitive_files.toml | 4 +- .../credential_access_ssh_backdoor_log.toml | 4 +- .../credential_access_tcpdump_activity.toml | 4 +- ...tempt_to_disable_iptables_or_firewall.toml | 4 +- ...ion_attempt_to_disable_syslog_service.toml | 4 +- ..._base32_encoding_or_decoding_activity.toml | 4 +- ..._base64_encoding_or_decoding_activity.toml | 4 +- ...deletion_of_bash_command_line_history.toml | 5 +- ...fense_evasion_disable_selinux_attempt.toml | 4 +- ...fense_evasion_file_deletion_via_shred.toml | 4 +- ...defense_evasion_file_mod_writable_dir.toml | 4 +- ...ion_hex_encoding_or_decoding_activity.toml | 4 +- .../defense_evasion_hidden_file_dir_tmp.toml | 4 +- ...defense_evasion_kernel_module_removal.toml | 4 +- .../defense_evasion_log_files_deleted.toml | 4 +- .../defense_evasion_timestomp_touch.toml | 5 +- .../discovery_kernel_module_enumeration.toml | 4 +- ...covery_virtual_machine_fingerprinting.toml | 4 +- rules/linux/discovery_whoami_commmand.toml | 4 +- rules/linux/execution_perl_tty_shell.toml | 4 +- rules/linux/execution_python_tty_shell.toml | 4 +- .../linux/initial_access_login_failures.toml | 4 +- .../linux/initial_access_login_location.toml | 4 +- .../linux/initial_access_login_sessions.toml | 4 +- rules/linux/initial_access_login_time.toml | 4 +- ...ment_telnet_network_activity_external.toml | 4 +- ...ment_telnet_network_activity_internal.toml | 4 +- rules/linux/linux_hping_activity.toml | 4 +- rules/linux/linux_iodine_activity.toml | 4 +- rules/linux/linux_mknod_activity.toml | 4 +- .../linux_netcat_network_connection.toml | 4 +- rules/linux/linux_nmap_activity.toml | 4 +- rules/linux/linux_nping_activity.toml | 4 +- ...nux_process_started_in_temp_directory.toml | 4 +- rules/linux/linux_socat_activity.toml | 4 +- 
rules/linux/linux_strace_activity.toml | 4 +- ...credential_access_modify_ssh_binaries.toml | 4 +- ...ersistence_kde_autostart_modification.toml | 4 +- .../persistence_kernel_module_activity.toml | 4 +- ...sistence_shell_activity_by_web_server.toml | 4 +- ...lation_ld_preload_shared_object_modif.toml | 4 +- ...ccess_to_browser_credentials_procargs.toml | 4 +- ...edential_access_credentials_keychains.toml | 5 +- ...dential_access_dumping_hashes_bi_cmds.toml | 4 +- ...tial_access_dumping_keychain_security.toml | 4 +- .../credential_access_kerberosdump_kcc.toml | 4 +- ...s_keychain_pwd_retrieval_security_cmd.toml | 4 +- ...ential_access_mitm_localhost_webproxy.toml | 4 +- ...ntial_access_potential_ssh_bruteforce.toml | 9 +- ...al_access_promt_for_pwd_via_osascript.toml | 5 +- .../credential_access_systemkey_dumping.toml | 4 +- ...vasion_apple_softupdates_modification.toml | 4 +- ...evasion_attempt_del_quarantine_attrib.toml | 4 +- ...evasion_attempt_to_disable_gatekeeper.toml | 4 +- ...ense_evasion_install_root_certificate.toml | 4 +- ..._evasion_modify_environment_launchctl.toml | 4 +- ...cy_controls_tcc_database_modification.toml | 4 +- ...tion_privacy_pref_sshd_fulldiskaccess.toml | 4 +- .../defense_evasion_safari_config_change.toml | 4 +- ...dboxed_office_app_suspicious_zip_file.toml | 4 +- ...vasion_tcc_bypass_mounted_apfs_access.toml | 4 +- ..._evasion_unload_endpointsecurity_kext.toml | 4 +- ...covery_users_domain_built_in_commands.toml | 4 +- ...vasion_electron_app_childproc_node_js.toml | 4 +- ...l_access_suspicious_browser_childproc.toml | 4 +- ...ution_installer_spawned_network_event.toml | 5 +- ...cution_script_via_automator_workflows.toml | 10 +- ...ing_osascript_exec_followed_by_netcon.toml | 10 +- ...n_shell_execution_via_apple_scripting.toml | 9 +- ...uspicious_mac_ms_office_child_process.toml | 4 +- ...ential_access_kerberos_bifrostconsole.toml | 4 +- .../lateral_movement_mounting_smb_share.toml | 4 +- ...ral_movement_remote_ssh_login_enabled.toml | 4 
+- ...teral_movement_vpn_connection_attempt.toml | 4 +- ...stence_account_creation_hide_at_logon.toml | 4 +- ...ce_creation_change_launch_agents_file.toml | 5 +- ..._creation_hidden_login_item_osascript.toml | 4 +- ...creation_modif_launch_deamon_sequence.toml | 5 +- ..._access_authorization_plugin_creation.toml | 4 +- ...launch_agent_deamon_logonitem_process.toml | 4 +- ...rectory_services_plugins_modification.toml | 4 +- ...e_docker_shortcuts_plist_modification.toml | 4 +- ...persistence_emond_rules_file_creation.toml | 4 +- ...istence_emond_rules_process_execution.toml | 4 +- .../persistence_enable_root_account.toml | 4 +- ...n_hidden_launch_agent_deamon_creation.toml | 4 +- ...sistence_finder_sync_plugin_pluginkit.toml | 14 +- ...istence_folder_action_scripts_runtime.toml | 8 +- ...rsistence_login_logout_hooks_defaults.toml | 4 +- ...stence_loginwindow_plist_modification.toml | 4 +- ...fication_sublime_app_plugin_or_script.toml | 4 +- ...ersistence_periodic_tasks_file_mdofiy.toml | 4 +- ...ence_suspicious_calendar_modification.toml | 4 +- ...tence_via_atom_init_file_modification.toml | 4 +- ...calation_applescript_with_admin_privs.toml | 4 +- ...calation_explicit_creds_via_scripting.toml | 4 +- ...alation_exploit_adobe_acrobat_updater.toml | 4 +- ..._escalation_local_user_added_to_admin.toml | 4 +- ...ilege_escalation_root_crontab_filemod.toml | 4 +- ..._365_brute_force_user_account_attempt.toml | 8 +- ...65_potential_password_spraying_attack.toml | 4 +- ...osoft_365_exchange_dlp_policy_removed.toml | 4 +- ...change_malware_filter_policy_deletion.toml | 4 +- ..._365_exchange_malware_filter_rule_mod.toml | 4 +- ...65_exchange_safe_attach_rule_disabled.toml | 4 +- ..._365_exchange_transport_rule_creation.toml | 4 +- ...osoft_365_exchange_transport_rule_mod.toml | 4 +- ...5_exchange_anti_phish_policy_deletion.toml | 4 +- ...soft_365_exchange_anti_phish_rule_mod.toml | 4 +- ...osoft_365_exchange_safelinks_disabled.toml | 4 +- 
...exchange_dkim_signing_config_disabled.toml | 4 +- ..._teams_custom_app_interaction_allowed.toml | 4 +- ...5_exchange_management_role_assignment.toml | 4 +- ...oft_365_teams_external_access_enabled.toml | 4 +- ...rosoft_365_teams_guest_access_enabled.toml | 4 +- .../ml/ml_cloudtrail_error_message_spike.toml | 4 +- rules/ml/ml_cloudtrail_rare_error_code.toml | 4 +- .../ml/ml_cloudtrail_rare_method_by_city.toml | 4 +- .../ml_cloudtrail_rare_method_by_country.toml | 4 +- .../ml/ml_cloudtrail_rare_method_by_user.toml | 4 +- .../ml_linux_anomalous_compiler_activity.toml | 4 +- ...nux_anomalous_kernel_module_arguments.toml | 7 +- .../ml_linux_anomalous_metadata_process.toml | 4 +- .../ml/ml_linux_anomalous_metadata_user.toml | 4 +- .../ml_linux_anomalous_network_activity.toml | 4 +- ...linux_anomalous_network_port_activity.toml | 4 +- .../ml_linux_anomalous_network_service.toml | 4 +- ..._linux_anomalous_network_url_activity.toml | 4 +- .../ml_linux_anomalous_process_all_hosts.toml | 4 +- .../ml/ml_linux_anomalous_sudo_activity.toml | 4 +- rules/ml/ml_linux_anomalous_user_name.toml | 4 +- ...ml_linux_system_information_discovery.toml | 4 +- ...ystem_network_configuration_discovery.toml | 4 +- ...x_system_network_connection_discovery.toml | 4 +- .../ml/ml_linux_system_process_discovery.toml | 4 +- rules/ml/ml_linux_system_user_discovery.toml | 4 +- rules/ml/ml_packetbeat_dns_tunneling.toml | 4 +- rules/ml/ml_packetbeat_rare_dns_question.toml | 4 +- .../ml/ml_packetbeat_rare_server_domain.toml | 4 +- rules/ml/ml_packetbeat_rare_urls.toml | 4 +- rules/ml/ml_packetbeat_rare_user_agent.toml | 4 +- rules/ml/ml_rare_process_by_host_linux.toml | 4 +- rules/ml/ml_rare_process_by_host_windows.toml | 4 +- rules/ml/ml_suspicious_login_activity.toml | 4 +- ...ml_windows_anomalous_metadata_process.toml | 4 +- .../ml_windows_anomalous_metadata_user.toml | 4 +- ...ml_windows_anomalous_network_activity.toml | 4 +- .../ml_windows_anomalous_path_activity.toml | 4 +- 
...l_windows_anomalous_process_all_hosts.toml | 4 +- ...ml_windows_anomalous_process_creation.toml | 4 +- rules/ml/ml_windows_anomalous_script.toml | 4 +- rules/ml/ml_windows_anomalous_service.toml | 4 +- rules/ml/ml_windows_anomalous_user_name.toml | 4 +- .../ml/ml_windows_rare_user_runas_event.toml | 4 +- ...windows_rare_user_type10_remote_login.toml | 4 +- ...mand_and_control_cobalt_strike_beacon.toml | 4 +- ...cobalt_strike_default_teamserver_cert.toml | 4 +- ..._control_dns_directly_to_the_internet.toml | 4 +- ...download_rar_powershell_from_internet.toml | 4 +- .../command_and_control_fin7_c2_behavior.toml | 4 +- ...fer_protocol_activity_to_the_internet.toml | 4 +- .../command_and_control_halfbaked_beacon.toml | 4 +- ...hat_protocol_activity_to_the_internet.toml | 4 +- ...d_control_nat_traversal_port_activity.toml | 4 +- .../command_and_control_port_26_activity.toml | 4 +- ...ol_port_8000_activity_to_the_internet.toml | 4 +- ..._to_point_tunneling_protocol_activity.toml | 4 +- ...l_proxy_port_activity_to_the_internet.toml | 4 +- ...te_desktop_protocol_from_the_internet.toml | 4 +- ...mand_and_control_smtp_to_the_internet.toml | 4 +- ..._server_port_activity_to_the_internet.toml | 4 +- ...ol_ssh_secure_shell_from_the_internet.toml | 4 +- ...trol_ssh_secure_shell_to_the_internet.toml | 4 +- ...mand_and_control_telnet_port_activity.toml | 4 +- ..._control_tor_activity_to_the_internet.toml | 4 +- ...l_network_computing_from_the_internet.toml | 4 +- ...ual_network_computing_to_the_internet.toml | 4 +- ...exploitation_public_ip_reconnaissance.toml | 4 +- ...mote_desktop_protocol_to_the_internet.toml | 4 +- ...mote_procedure_call_from_the_internet.toml | 4 +- ...remote_procedure_call_to_the_internet.toml | 4 +- ...file_sharing_activity_to_the_internet.toml | 4 +- ...al_access_unsecure_elasticsearch_node.toml | 4 +- ...tempt_to_deactivate_okta_network_zone.toml | 4 +- .../attempt_to_delete_okta_network_zone.toml | 4 +- ...l_access_attempted_bypass_of_okta_mfa.toml | 
4 +- ...mpts_to_brute_force_okta_user_account.toml | 4 +- ...okta_brute_force_or_password_spraying.toml | 4 +- ...ser_password_reset_or_unlock_attempts.toml | 4 +- ...pact_attempt_to_revoke_okta_api_token.toml | 4 +- .../okta/impact_possible_okta_dos_attack.toml | 4 +- ...icious_activity_reported_by_okta_user.toml | 4 +- ...ttempt_to_deactivate_okta_application.toml | 4 +- ...kta_attempt_to_deactivate_okta_policy.toml | 4 +- ...ttempt_to_deactivate_okta_policy_rule.toml | 4 +- ...ta_attempt_to_delete_okta_application.toml | 4 +- .../okta_attempt_to_delete_okta_policy.toml | 4 +- ...ta_attempt_to_delete_okta_policy_rule.toml | 4 +- ...ta_attempt_to_modify_okta_application.toml | 4 +- ...a_attempt_to_modify_okta_network_zone.toml | 4 +- .../okta_attempt_to_modify_okta_policy.toml | 4 +- ...ta_attempt_to_modify_okta_policy_rule.toml | 4 +- ..._or_delete_application_sign_on_policy.toml | 4 +- ...threat_detected_by_okta_threatinsight.toml | 4 +- ...tor_privileges_assigned_to_okta_group.toml | 4 +- ...inistrator_role_assigned_to_okta_user.toml | 4 +- ...ence_attempt_to_create_okta_api_token.toml | 4 +- ..._deactivate_mfa_for_okta_user_account.toml | 4 +- ...set_mfa_factors_for_okta_user_account.toml | 4 +- rules/promotions/elastic_endpoint.toml | 4 +- .../endpoint_adversary_behavior_detected.toml | 4 +- .../endpoint_cred_dumping_detected.toml | 4 +- .../endpoint_cred_dumping_prevented.toml | 4 +- .../endpoint_cred_manipulation_detected.toml | 4 +- .../endpoint_cred_manipulation_prevented.toml | 4 +- .../promotions/endpoint_exploit_detected.toml | 4 +- .../endpoint_exploit_prevented.toml | 4 +- .../promotions/endpoint_malware_detected.toml | 4 +- .../endpoint_malware_prevented.toml | 4 +- .../endpoint_permission_theft_detected.toml | 4 +- .../endpoint_permission_theft_prevented.toml | 4 +- .../endpoint_process_injection_detected.toml | 4 +- .../endpoint_process_injection_prevented.toml | 4 +- .../endpoint_ransomware_detected.toml | 4 +- 
.../endpoint_ransomware_prevented.toml | 4 +- rules/promotions/external_alerts.toml | 5 +- ...ion_email_powershell_exchange_mailbox.toml | 4 +- ...ll_exch_mailbox_activesync_add_device.toml | 4 +- .../windows/collection_winrar_encryption.toml | 4 +- ...d_control_certutil_network_connection.toml | 4 +- ...ommand_and_control_common_webservices.toml | 4 +- ...nd_and_control_dns_tunneling_nslookup.toml | 4 +- ...control_encrypted_channel_freesslcert.toml | 4 +- .../command_and_control_iexplore_via_com.toml | 5 +- ...ol_remote_file_copy_desktopimgdownldr.toml | 4 +- ...and_control_remote_file_copy_mpcmdrun.toml | 4 +- ...d_control_remote_file_copy_powershell.toml | 4 +- ..._and_control_remote_file_copy_scripts.toml | 4 +- ...control_sunburst_c2_activity_detected.toml | 4 +- ...d_control_teamviewer_remote_file_copy.toml | 4 +- .../credential_access_cmdline_dump_tool.toml | 4 +- ...ess_copy_ntds_sam_volshadowcp_cmdline.toml | 4 +- ...ial_access_credential_dumping_msbuild.toml | 4 +- ...cess_domain_backup_dpapi_private_keys.toml | 4 +- ...credential_access_dump_registry_hives.toml | 4 +- ...ntial_access_iis_apppoolsa_pwd_appcmd.toml | 4 +- ..._access_iis_connectionstrings_dumping.toml | 4 +- ..._access_kerberoasting_unusual_process.toml | 4 +- ...ial_access_lsass_memdump_file_created.toml | 4 +- ...l_access_mimikatz_memssp_default_logs.toml | 4 +- ...ial_access_mimikatz_powershell_module.toml | 4 +- ..._access_mod_wdigest_security_provider.toml | 4 +- ...redential_access_saved_creds_vaultcmd.toml | 4 +- ...den_file_attribute_with_via_attribexe.toml | 4 +- ...e_evasion_clearing_windows_event_logs.toml | 4 +- ...vasion_clearing_windows_security_logs.toml | 4 +- ...efense_evasion_code_injection_conhost.toml | 5 +- ...e_evasion_create_mod_root_certificate.toml | 4 +- .../defense_evasion_cve_2020_0601.toml | 4 +- ...vasion_defender_disabled_via_registry.toml | 4 +- ...delete_volume_usn_journal_with_fsutil.toml | 4 +- ...deleting_backup_catalogs_with_wbadmin.toml | 4 +- 
...ble_windows_firewall_rules_with_netsh.toml | 4 +- ...vasion_dotnet_compiler_parent_process.toml | 4 +- ...evasion_enable_inbound_rdp_with_netsh.toml | 4 +- ...coding_or_decoding_files_via_certutil.toml | 4 +- ...ense_evasion_execution_lolbas_wuauclt.toml | 4 +- ...ecution_msbuild_started_by_office_app.toml | 4 +- ...n_execution_msbuild_started_by_script.toml | 4 +- ...ion_msbuild_started_by_system_process.toml | 4 +- ...ion_execution_msbuild_started_renamed.toml | 4 +- ...cution_msbuild_started_unusal_process.toml | 4 +- ...execution_suspicious_explorer_winword.toml | 4 +- ...ution_via_trusted_developer_utilities.toml | 4 +- ..._evasion_file_creation_mult_extension.toml | 4 +- ...sion_hide_encoded_executable_registry.toml | 4 +- ...ense_evasion_iis_httplogging_disabled.toml | 4 +- .../defense_evasion_injection_msbuild.toml | 4 +- .../defense_evasion_installutil_beacon.toml | 4 +- ...querading_as_elastic_endpoint_process.toml | 4 +- ...e_evasion_masquerading_renamed_autoit.toml | 4 +- ...erading_suspicious_werfault_childproc.toml | 4 +- ...vasion_masquerading_trusted_directory.toml | 4 +- ...defense_evasion_masquerading_werfault.toml | 4 +- ...isc_lolbin_connecting_to_the_internet.toml | 4 +- ...e_evasion_modification_of_boot_config.toml | 4 +- ...fense_evasion_msbuild_beacon_sequence.toml | 4 +- ...on_msbuild_making_network_connections.toml | 4 +- .../windows/defense_evasion_mshta_beacon.toml | 4 +- ...sion_mshta_making_network_connections.toml | 4 +- .../windows/defense_evasion_msxsl_beacon.toml | 4 +- .../defense_evasion_msxsl_network.toml | 4 +- ...etwork_connection_from_windows_binary.toml | 4 +- ...vasion_port_forwarding_added_registry.toml | 4 +- ...evasion_potential_processherpaderping.toml | 4 +- ...cess_termination_followed_by_deletion.toml | 12 +- rules/windows/defense_evasion_reg_beacon.toml | 4 +- ...defense_evasion_rundll32_no_arguments.toml | 4 +- ...ion_scheduledjobs_at_protocol_enabled.toml | 4 +- ..._evasion_sdelete_like_filename_rename.toml | 5 
+- .../defense_evasion_sip_provider_mod.toml | 4 +- ...ackdoor_service_disabled_via_registry.toml | 4 +- ...vasion_stop_process_service_threshold.toml | 4 +- ...n_suspicious_managedcode_host_process.toml | 4 +- ...efense_evasion_suspicious_scrobj_load.toml | 4 +- ...defense_evasion_suspicious_wmi_script.toml | 5 +- ...evasion_suspicious_zoom_child_process.toml | 4 +- ..._critical_proc_abnormal_file_activity.toml | 4 +- ...nse_evasion_unusual_ads_file_creation.toml | 4 +- .../defense_evasion_unusual_dir_ads.toml | 4 +- ...usual_network_connection_via_rundll32.toml | 4 +- ...on_unusual_process_network_connection.toml | 4 +- ...asion_unusual_system_vp_child_program.toml | 4 +- .../defense_evasion_via_filter_manager.toml | 4 +- ..._volume_shadow_copy_deletion_via_wmic.toml | 4 +- .../discovery_adfind_command_activity.toml | 4 +- rules/windows/discovery_admin_recon.toml | 4 +- .../windows/discovery_file_dir_discovery.toml | 4 +- .../discovery_net_command_system_account.toml | 4 +- rules/windows/discovery_net_view.toml | 4 +- .../windows/discovery_peripheral_device.toml | 4 +- ...rocess_discovery_via_tasklist_command.toml | 4 +- .../discovery_query_registry_via_reg.toml | 4 +- ...ote_system_discovery_commands_windows.toml | 4 +- .../discovery_security_software_wmic.toml | 4 +- .../discovery_whoami_command_activity.toml | 4 +- ...arwinds_backdoor_child_cmd_powershell.toml | 4 +- ...inds_backdoor_unusual_child_processes.toml | 4 +- .../windows/execution_com_object_xwizard.toml | 4 +- ...and_prompt_connecting_to_the_internet.toml | 4 +- ...n_command_shell_started_by_powershell.toml | 4 +- ...tion_command_shell_started_by_svchost.toml | 4 +- ...mand_shell_started_by_unusual_process.toml | 4 +- .../execution_command_shell_via_rundll32.toml | 4 +- .../execution_downloaded_shortcut_files.toml | 4 +- .../execution_downloaded_url_file.toml | 4 +- .../execution_enumeration_via_wmiprvse.toml | 4 +- .../execution_from_unusual_directory.toml | 4 +- 
.../execution_from_unusual_path_cmdline.toml | 4 +- ...le_program_connecting_to_the_internet.toml | 4 +- .../execution_ms_office_written_file.toml | 4 +- rules/windows/execution_pdf_written_file.toml | 4 +- ...ution_psexec_lateral_movement_command.toml | 4 +- ...er_program_connecting_to_the_internet.toml | 4 +- ...tion_scheduled_task_powershell_source.toml | 4 +- ...xecution_shared_modules_local_sxs_dll.toml | 4 +- .../windows/execution_suspicious_cmd_wmi.toml | 5 +- ...n_suspicious_image_load_wmi_ms_office.toml | 4 +- .../execution_suspicious_pdf_reader.toml | 4 +- ...ecution_suspicious_powershell_imgload.toml | 5 +- .../execution_suspicious_psexesvc.toml | 4 +- ...ecution_suspicious_short_program_name.toml | 4 +- .../execution_via_compiled_html_file.toml | 4 +- .../execution_via_hidden_shell_conhost.toml | 4 +- .../execution_via_net_com_assemblies.toml | 4 +- ...ia_xp_cmdshell_mssql_stored_procedure.toml | 4 +- ...ume_shadow_copy_deletion_via_vssadmin.toml | 4 +- ...al_access_script_executing_powershell.toml | 4 +- ...ccess_scripts_process_started_via_wmi.toml | 4 +- ...ss_suspicious_ms_office_child_process.toml | 4 +- ...s_suspicious_ms_outlook_child_process.toml | 4 +- ...l_access_unusual_dns_service_children.toml | 4 +- ...ccess_unusual_dns_service_file_writes.toml | 4 +- ...explorer_suspicious_child_parent_args.toml | 4 +- .../windows/lateral_movement_cmd_service.toml | 4 +- rules/windows/lateral_movement_dcom_hta.toml | 4 +- .../windows/lateral_movement_dcom_mmc20.toml | 4 +- ...t_dcom_shellwindow_shellbrowserwindow.toml | 4 +- ...vement_direct_outbound_smb_connection.toml | 4 +- .../lateral_movement_dns_server_overflow.toml | 4 +- ...movement_executable_tool_transfer_smb.toml | 4 +- ..._movement_execution_from_tsclient_mup.toml | 4 +- ...nt_execution_via_file_shares_sequence.toml | 4 +- ...vement_incoming_winrm_shell_execution.toml | 4 +- .../lateral_movement_incoming_wmi.toml | 4 +- ...teral_movement_local_service_commands.toml | 4 +- 
...ment_mount_hidden_or_webdav_share_net.toml | 4 +- ...l_movement_powershell_remoting_target.toml | 4 +- ...lateral_movement_rdp_enabled_registry.toml | 4 +- .../lateral_movement_rdp_sharprdp_target.toml | 4 +- .../lateral_movement_rdp_tunnel_plink.toml | 5 +- ...ovement_remote_file_copy_hidden_share.toml | 4 +- .../lateral_movement_remote_services.toml | 4 +- ...ateral_movement_scheduled_task_target.toml | 4 +- ...ement_suspicious_rdp_client_imageload.toml | 4 +- ...l_movement_via_startup_folder_rdp_smb.toml | 4 +- .../persistence_adobe_hijack_persistence.toml | 4 +- .../windows/persistence_app_compat_shim.toml | 4 +- .../persistence_appcertdlls_registry.toml | 4 +- .../persistence_appinitdlls_registry.toml | 4 +- ...evasion_hidden_local_account_creation.toml | 4 +- ...tence_evasion_registry_ifeo_injection.toml | 4 +- ...sistence_gpo_schtask_service_creation.toml | 4 +- ...istence_local_scheduled_task_commands.toml | 4 +- ...stence_local_scheduled_task_scripting.toml | 4 +- .../persistence_ms_office_addins_file.toml | 4 +- .../persistence_ms_outlook_vba_template.toml | 4 +- ...escalation_via_accessibility_features.toml | 4 +- .../persistence_registry_uncommon.toml | 4 +- ...persistence_run_key_and_startup_broad.toml | 4 +- ...ce_runtime_run_key_startup_susp_procs.toml | 4 +- .../persistence_services_registry.toml | 4 +- ...er_file_written_by_suspicious_process.toml | 4 +- ...lder_file_written_by_unsigned_process.toml | 4 +- .../persistence_startup_folder_scripts.toml | 4 +- ...stence_suspicious_com_hijack_registry.toml | 4 +- ...s_image_load_scheduled_task_ms_office.toml | 4 +- ...nce_suspicious_scheduled_task_runtime.toml | 4 +- ...e_suspicious_service_created_registry.toml | 4 +- ...ersistence_system_shells_via_services.toml | 4 +- .../persistence_time_provider_mod.toml | 4 +- ..._account_added_to_privileged_group_ad.toml | 4 +- .../persistence_user_account_creation.toml | 4 +- ...ence_user_account_creation_event_logs.toml | 4 +- 
.../persistence_via_application_shimming.toml | 4 +- ...sistence_via_hidden_run_key_valuename.toml | 4 +- ...sa_security_support_provider_registry.toml | 4 +- ...emetrycontroller_scheduledtask_hijack.toml | 4 +- ...ia_update_orchestrator_service_hijack.toml | 5 +- ...nt_instrumentation_event_subscription.toml | 4 +- ...ilege_escalation_disable_uac_registry.toml | 4 +- ...privilege_escalation_lsa_auth_package.toml | 4 +- ...e_escalation_named_pipe_impersonation.toml | 4 +- ...ge_escalation_persistence_phantom_dll.toml | 4 +- ...ion_port_monitor_print_pocessor_abuse.toml | 4 +- ...ation_printspooler_registry_copyfiles.toml | 4 +- ..._printspooler_service_suspicious_file.toml | 4 +- ...tion_printspooler_suspicious_spl_file.toml | 4 +- ...calation_rogue_windir_environment_var.toml | 4 +- ...lege_escalation_uac_bypass_com_clipup.toml | 5 +- ...ge_escalation_uac_bypass_com_ieinstal.toml | 5 +- ...n_uac_bypass_com_interface_icmluautil.toml | 4 +- ...alation_uac_bypass_diskcleanup_hijack.toml | 4 +- ...escalation_uac_bypass_dll_sideloading.toml | 4 +- ...ge_escalation_uac_bypass_event_viewer.toml | 4 +- ...ege_escalation_uac_bypass_mock_windir.toml | 4 +- ...scalation_uac_bypass_winfw_mmc_hijack.toml | 4 +- .../privilege_escalation_uac_sdclt.toml | 4 +- ...tion_unusual_parentchild_relationship.toml | 4 +- ...n_unusual_svchost_childproc_childless.toml | 4 +- ...rivilege_escalation_wpad_exploitation.toml | 5 +- tests/__init__.py | 5 +- tests/kuery/__init__.py | 5 +- tests/kuery/test_dsl.py | 5 +- tests/kuery/test_eql2kql.py | 5 +- tests/kuery/test_evaluator.py | 5 +- tests/kuery/test_kql2eql.py | 5 +- tests/kuery/test_lint.py | 5 +- tests/kuery/test_parser.py | 5 +- tests/test_all_rules.py | 5 +- tests/test_mappings.py | 5 +- tests/test_packages.py | 7 +- tests/test_schemas.py | 11 +- tests/test_toml_formatter.py | 5 +- tests/test_utils.py | 5 +- 692 files changed, 1670 insertions(+), 1618 deletions(-) create mode 100644 detection_rules/schemas/v7_12.py 
diff --git a/LICENSE.txt b/LICENSE.txt
index 7376ffc3f..809108b85 100644
--- a/LICENSE.txt
+++ b/LICENSE.txt
@@ -1,223 +1,93 @@ -ELASTIC LICENSE AGREEMENT +Elastic License 2.0 -PLEASE READ CAREFULLY THIS ELASTIC LICENSE AGREEMENT (THIS "AGREEMENT"), WHICH -CONSTITUTES A LEGALLY BINDING AGREEMENT AND GOVERNS ALL OF YOUR USE OF ALL OF -THE ELASTIC SOFTWARE WITH WHICH THIS AGREEMENT IS INCLUDED ("ELASTIC SOFTWARE") -THAT IS PROVIDED IN OBJECT CODE FORMAT, AND, IN ACCORDANCE WITH SECTION 2 BELOW, -CERTAIN OF THE ELASTIC SOFTWARE THAT IS PROVIDED IN SOURCE CODE FORMAT. BY -INSTALLING OR USING ANY OF THE ELASTIC SOFTWARE GOVERNED BY THIS AGREEMENT, YOU -ARE ASSENTING TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE -WITH SUCH TERMS AND CONDITIONS, YOU MAY NOT INSTALL OR USE THE ELASTIC SOFTWARE -GOVERNED BY THIS AGREEMENT. IF YOU ARE INSTALLING OR USING THE SOFTWARE ON -BEHALF OF A LEGAL ENTITY, YOU REPRESENT AND WARRANT THAT YOU HAVE THE ACTUAL -AUTHORITY TO AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT ON BEHALF OF -SUCH ENTITY. +URL: https://www.elastic.co/licensing/elastic-license -Posted Date: April 20, 2018 +## Acceptance -This Agreement is entered into by and between Elasticsearch BV ("Elastic") and -You, or the legal entity on behalf of whom You are acting (as applicable, -"You"). +By using the software, you agree to all of the terms and conditions below. -1. OBJECT CODE END USER LICENSES, RESTRICTIONS AND THIRD PARTY OPEN SOURCE -SOFTWARE +## Copyright License - 1.1 Object Code End User License. Subject to the terms and conditions of - Section 1.2 of this Agreement, Elastic hereby grants to You, AT NO CHARGE and - for so long as you are not in breach of any provision of this Agreement, a - License to the Basic Features and Functions of the Elastic Software. +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. 
- 1.2 Reservation of Rights; Restrictions. As between Elastic and You, Elastic - and its licensors own all right, title and interest in and to the Elastic - Software, and except as expressly set forth in Sections 1.1, and 2.1 of this - Agreement, no other license to the Elastic Software is granted to You under - this Agreement, by implication, estoppel or otherwise. You agree not to: (i) - reverse engineer or decompile, decrypt, disassemble or otherwise reduce any - Elastic Software provided to You in Object Code, or any portion thereof, to - Source Code, except and only to the extent any such restriction is prohibited - by applicable law, (ii) except as expressly permitted in this Agreement, - prepare derivative works from, modify, copy or use the Elastic Software Object - Code or the Commercial Software Source Code in any manner; (iii) except as - expressly permitted in Section 1.1 above, transfer, sell, rent, lease, - distribute, sublicense, loan or otherwise transfer, Elastic Software Object - Code, in whole or in part, to any third party; (iv) use Elastic Software - Object Code for providing time-sharing services, any software-as-a-service, - service bureau services or as part of an application services provider or - other service offering (collectively, "SaaS Offering") where obtaining access - to the Elastic Software or the features and functions of the Elastic Software - is a primary reason or substantial motivation for users of the SaaS Offering - to access and/or use the SaaS Offering ("Prohibited SaaS Offering"); (v) - circumvent the limitations on use of Elastic Software provided to You in - Object Code format that are imposed or preserved by any License Key, or (vi) - alter or remove any Marks and Notices in the Elastic Software. 
If You have any - question as to whether a specific SaaS Offering constitutes a Prohibited SaaS - Offering, or are interested in obtaining Elastic's permission to engage in - commercial or non-commercial distribution of the Elastic Software, please - contact elastic_license@elastic.co. +## Limitations - 1.3 Third Party Open Source Software. The Commercial Software may contain or - be provided with third party open source libraries, components, utilities and - other open source software (collectively, "Open Source Software"), which Open - Source Software may have applicable license terms as identified on a website - designated by Elastic. Notwithstanding anything to the contrary herein, use of - the Open Source Software shall be subject to the license terms and conditions - applicable to such Open Source Software, to the extent required by the - applicable licensor (which terms shall not restrict the license rights granted - to You hereunder, but may contain additional rights). To the extent any - condition of this Agreement conflicts with any license to the Open Source - Software, the Open Source Software license will govern with respect to such - Open Source Software only. Elastic may also separately provide you with - certain open source software that is licensed by Elastic. Your use of such - Elastic open source software will not be governed by this Agreement, but by - the applicable open source license terms. +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. -2. COMMERCIAL SOFTWARE SOURCE CODE +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. - 2.1 Limited License. 
Subject to the terms and conditions of Section 2.2 of - this Agreement, Elastic hereby grants to You, AT NO CHARGE and for so long as - you are not in breach of any provision of this Agreement, a limited, - non-exclusive, non-transferable, fully paid up royalty free right and license - to the Commercial Software in Source Code format, without the right to grant - or authorize sublicenses, to prepare Derivative Works of the Commercial - Software, provided You (i) do not hack the licensing mechanism, or otherwise - circumvent the intended limitations on the use of Elastic Software to enable - features other than Basic Features and Functions or those features You are - entitled to as part of a Subscription, and (ii) use the resulting object code - only for reasonable testing purposes. +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. - 2.2 Restrictions. Nothing in Section 2.1 grants You the right to (i) use the - Commercial Software Source Code other than in accordance with Section 2.1 - above, (ii) use a Derivative Work of the Commercial Software outside of a - Non-production Environment, in any production capacity, on a temporary or - permanent basis, or (iii) transfer, sell, rent, lease, distribute, sublicense, - loan or otherwise make available the Commercial Software Source Code, in whole - or in part, to any third party. Notwithstanding the foregoing, You may - maintain a copy of the repository in which the Source Code of the Commercial - Software resides and that copy may be publicly accessible, provided that you - include this Agreement with Your copy of the repository. +## Patents -3. 
TERMINATION +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. - 3.1 Termination. This Agreement will automatically terminate, whether or not - You receive notice of such Termination from Elastic, if You breach any of its - provisions. +## Notices - 3.2 Post Termination. Upon any termination of this Agreement, for any reason, - You shall promptly cease the use of the Elastic Software in Object Code format - and cease use of the Commercial Software in Source Code format. For the - avoidance of doubt, termination of this Agreement will not affect Your right - to use Elastic Software, in either Object Code or Source Code formats, made - available under the Apache License Version 2.0. +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. - 3.3 Survival. Sections 1.2, 2.2. 3.3, 4 and 5 shall survive any termination or - expiration of this Agreement. +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. -4. DISCLAIMER OF WARRANTIES AND LIMITATION OF LIABILITY +## No Other Rights - 4.1 Disclaimer of Warranties. 
TO THE MAXIMUM EXTENT PERMITTED UNDER APPLICABLE - LAW, THE ELASTIC SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, - AND ELASTIC AND ITS LICENSORS MAKE NO WARRANTIES WHETHER EXPRESSED, IMPLIED OR - STATUTORY REGARDING OR RELATING TO THE ELASTIC SOFTWARE. TO THE MAXIMUM EXTENT - PERMITTED UNDER APPLICABLE LAW, ELASTIC AND ITS LICENSORS SPECIFICALLY - DISCLAIM ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR - PURPOSE AND NON-INFRINGEMENT WITH RESPECT TO THE ELASTIC SOFTWARE, AND WITH - RESPECT TO THE USE OF THE FOREGOING. FURTHER, ELASTIC DOES NOT WARRANT RESULTS - OF USE OR THAT THE ELASTIC SOFTWARE WILL BE ERROR FREE OR THAT THE USE OF THE - ELASTIC SOFTWARE WILL BE UNINTERRUPTED. +These terms do not imply any licenses other than those expressly granted in +these terms. - 4.2 Limitation of Liability. IN NO EVENT SHALL ELASTIC OR ITS LICENSORS BE - LIABLE TO YOU OR ANY THIRD PARTY FOR ANY DIRECT OR INDIRECT DAMAGES, - INCLUDING, WITHOUT LIMITATION, FOR ANY LOSS OF PROFITS, LOSS OF USE, BUSINESS - INTERRUPTION, LOSS OF DATA, COST OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY - SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY KIND, IN CONNECTION WITH - OR ARISING OUT OF THE USE OR INABILITY TO USE THE ELASTIC SOFTWARE, OR THE - PERFORMANCE OF OR FAILURE TO PERFORM THIS AGREEMENT, WHETHER ALLEGED AS A - BREACH OF CONTRACT OR TORTIOUS CONDUCT, INCLUDING NEGLIGENCE, EVEN IF ELASTIC - HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. +## Termination -5. MISCELLANEOUS +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. 
However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. - This Agreement completely and exclusively states the entire agreement of the - parties regarding the subject matter herein, and it supersedes, and its terms - govern, all prior proposals, agreements, or other communications between the - parties, oral or written, regarding such subject matter. This Agreement may be - modified by Elastic from time to time, and any such modifications will be - effective upon the "Posted Date" set forth at the top of the modified - Agreement. If any provision hereof is held unenforceable, this Agreement will - continue without said provision and be interpreted to reflect the original - intent of the parties. This Agreement and any non-contractual obligation - arising out of or in connection with it, is governed exclusively by Dutch law. - This Agreement shall not be governed by the 1980 UN Convention on Contracts - for the International Sale of Goods. All disputes arising out of or in - connection with this Agreement, including its existence and validity, shall be - resolved by the courts with jurisdiction in Amsterdam, The Netherlands, except - where mandatory law provides for the courts at another location in The - Netherlands to have jurisdiction. The parties hereby irrevocably waive any and - all claims and defenses either might otherwise have in any such action or - proceeding in any of such courts based upon any alleged lack of personal - jurisdiction, improper venue, forum non conveniens or any similar claim or - defense. A breach or threatened breach, by You of Section 2 may cause - irreparable harm for which damages at law may not provide adequate relief, and - therefore Elastic shall be entitled to seek injunctive relief without being - required to post a bond. 
You may not assign this Agreement (including by - operation of law in connection with a merger or acquisition), in whole or in - part to any third party without the prior written consent of Elastic, which - may be withheld or granted by Elastic in its sole and absolute discretion. - Any assignment in violation of the preceding sentence is void. Notices to - Elastic may also be sent to legal@elastic.co. +## No Liability -6. DEFINITIONS +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* - The following terms have the meanings ascribed: +## Definitions - 6.1 "Affiliate" means, with respect to a party, any entity that controls, is - controlled by, or which is under common control with, such party, where - "control" means ownership of at least fifty percent (50%) of the outstanding - voting shares of the entity, or the contractual right to establish policy for, - and manage the operations of, the entity. +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. - 6.2 "Basic Features and Functions" means those features and functions of the - Elastic Software that are eligible for use under a Basic license, as set forth - at https://www.elastic.co/subscriptions, as may be modified by Elastic from - time to time. +**you** refers to the individual or entity agreeing to these terms. - 6.3 "Commercial Software" means the Elastic Software Source Code in any file - containing a header stating the contents are subject to the Elastic License or - which is contained in the repository folder labeled "x-pack", unless a LICENSE - file present in the directory subtree declares a different license. 
+**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. - 6.4 "Derivative Work of the Commercial Software" means, for purposes of this - Agreement, any modification(s) or enhancement(s) to the Commercial Software, - which represent, as a whole, an original work of authorship. +**your licenses** are all the licenses granted to you for the software under +these terms. - 6.5 "License" means a limited, non-exclusive, non-transferable, fully paid up, - royalty free, right and license, without the right to grant or authorize - sublicenses, solely for Your internal business operations to (i) install and - use the applicable Features and Functions of the Elastic Software in Object - Code, and (ii) permit Contractors and Your Affiliates to use the Elastic - software as set forth in (i) above, provided that such use by Contractors must - be solely for Your benefit and/or the benefit of Your Affiliates, and You - shall be responsible for all acts and omissions of such Contractors and - Affiliates in connection with their use of the Elastic software that are - contrary to the terms and conditions of this Agreement. +**use** means anything you do with the software requiring one of your licenses. - 6.6 "License Key" means a sequence of bytes, including but not limited to a - JSON blob, that is used to enable certain features and functions of the - Elastic Software. - - 6.7 "Marks and Notices" means all Elastic trademarks, trade names, logos and - notices present on the Documentation as originally provided by Elastic. 
- - 6.8 "Non-production Environment" means an environment for development, testing - or quality assurance, where software is not used for production purposes. - - 6.9 "Object Code" means any form resulting from mechanical transformation or - translation of Source Code form, including but not limited to compiled object - code, generated documentation, and conversions to other media types. - - 6.10 "Source Code" means the preferred form of computer software for making - modifications, including but not limited to software source code, - documentation source, and configuration files. - - 6.11 "Subscription" means the right to receive Support Services and a License - to the Commercial Software. +**trademark** means trademarks, service marks, and similar rights. diff --git a/README.md b/README.md index 816f9d41b..1f656341e 100644 --- a/README.md +++ b/README.md 
@@ -90,9 +90,9 @@ We welcome your contributions to Detection Rules! Before contributing, please fa ## Licensing -Everything in this repository — rules, code, RTA, etc. — is licensed under the [Elastic License](LICENSE.txt). These rules are designed to be used in the context of the Detection Engine within the Elastic Security application. If you’re using our [Elastic Cloud managed service](https://www.elastic.co/cloud/) or the default distribution of the Elastic Stack software that includes the [full set of free features](https://www.elastic.co/subscriptions), you’ll get the latest rules the first time you navigate to the detection engine. +Everything in this repository — rules, code, RTA, etc. — is licensed under the [Elastic License v2](LICENSE.txt). These rules are designed to be used in the context of the Detection Engine within the Elastic Security application. If you’re using our [Elastic Cloud managed service](https://www.elastic.co/cloud/) or the default distribution of the Elastic Stack software that includes the [full set of free features](https://www.elastic.co/subscriptions), you’ll get the latest rules the first time you navigate to the detection engine. -Occasionally, we may want to import rules from another repository that already have a license, such as MIT or Apache 2.0. This is welcome, as long as the license permits sublicensing under the Elastic License. We keep those license notices in `NOTICE.txt` and sublicense as the Elastic License with all other rules. We also require contributors to sign a [Contributor License Agreement](https://www.elastic.co/contributor-agreement) before contributing code to any Elastic repositories. +Occasionally, we may want to import rules from another repository that already have a license, such as MIT or Apache 2.0. This is welcome, as long as the license permits sublicensing under the Elastic License v2. We keep those license notices in `NOTICE.txt` and sublicense as the Elastic License v2 with all other rules. 
We also require contributors to sign a [Contributor License Agreement](https://www.elastic.co/contributor-agreement) before contributing code to any Elastic repositories. ## Questions? Problems? Suggestions? diff --git a/detection_rules/__init__.py b/detection_rules/__init__.py index e3d58b56d..aae5ac606 100644 --- a/detection_rules/__init__.py +++ b/detection_rules/__init__.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. """Detection rules.""" from . import devtools diff --git a/detection_rules/__main__.py b/detection_rules/__main__.py index 1aebdbc0f..0069aff34 100644 --- a/detection_rules/__main__.py +++ b/detection_rules/__main__.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. # coding=utf-8 """Shell for detection-rules.""" diff --git a/detection_rules/attack.py b/detection_rules/attack.py index e04e242f3..70c3e217d 100644 --- a/detection_rules/attack.py +++ b/detection_rules/attack.py 
@@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. """Mitre attack info.""" import os diff --git a/detection_rules/beats.py b/detection_rules/beats.py index 3ac8f082e..99f110839 100644 --- a/detection_rules/beats.py +++ b/detection_rules/beats.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. """ECS Schemas management.""" import os diff --git a/detection_rules/devtools.py b/detection_rules/devtools.py index 7e3691519..8480a0593 100644 --- a/detection_rules/devtools.py +++ b/detection_rules/devtools.py @@ -1,9 +1,9 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. """CLI commands for internal detection_rules dev team.""" -import glob import hashlib import io import json 
@@ -191,31 +191,32 @@ def kibana_commit(ctx, local_repo, github_repo, ssh, kibana_directory, base_bran @dev_group.command('license-check') +@click.option('--ignore-directory', '-i', multiple=True, help='Directories to skip (relative to base)') @click.pass_context -def license_check(ctx): +def license_check(ctx, ignore_directory): """Check that all code files contain a valid license.""" - + ignore_directory += ("env",) failed = False + base_path = Path(get_path()) - for path in glob.glob(get_path("**", "*.py"), recursive=True): - if path.startswith(get_path("env", "")): + for path in base_path.rglob('*.py'): + relative_path = path.relative_to(base_path) + if relative_path.parts[0] in ignore_directory: continue - relative_path = os.path.relpath(path) - with io.open(path, "rt", encoding="utf-8") as f: contents = f.read() - # skip over shebang lines - if contents.startswith("#!/"): - _, _, contents = contents.partition("\n") + # skip over shebang lines + if contents.startswith("#!/"): + _, _, contents = contents.partition("\n") - if not contents.lstrip("\r\n").startswith(PYTHON_LICENSE): - if not failed: - click.echo("Missing license headers for:", err=True) + if not contents.lstrip("\r\n").startswith(PYTHON_LICENSE): + if not failed: + click.echo("Missing license headers for:", err=True) - failed = True - click.echo(relative_path, err=True) + failed = True + click.echo(relative_path, err=True) ctx.exit(int(failed)) diff --git a/detection_rules/docs.py b/detection_rules/docs.py index 45a433630..8efda4779 100644 --- a/detection_rules/docs.py +++ b/detection_rules/docs.py 
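Review bot: The new skip test `if relative_path.parts[0] in ignore_directory:` only ever matches a single top-level path component, so a nested value such as `tests/fixtures` given to the new `--ignore-directory` option (whose help text says "relative to base") silently never matches and those files are still checked. Comparing path prefixes handles both forms: `ignore_parts = [Path(d).parts for d in ignore_directory]` before the loop, and `if any(relative_path.parts[:len(p)] == p for p in ignore_parts): continue` in place of the current check. The import hunk above only removes `glob`; if `pathlib.Path` is not already imported in devtools.py, `Path(get_path())` raises `NameError` at run time, which is worth confirming since no import is added here. A file that is not valid UTF-8 still aborts the whole command with `UnicodeDecodeError` instead of being reported, so wrapping the `f.read()` in a `try`/`except UnicodeDecodeError` that sets `failed = True` and echoes `relative_path` would keep the check running across the tree.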
@@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. """Create summary documents for a rule package.""" from collections import defaultdict diff --git a/detection_rules/ecs.py b/detection_rules/ecs.py index 7c901ff67..dd4a67b9b 100644 --- a/detection_rules/ecs.py +++ b/detection_rules/ecs.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. """ECS Schemas management.""" import copy diff --git a/detection_rules/eswrap.py b/detection_rules/eswrap.py index 672fd6960..743ed3b18 100644 --- a/detection_rules/eswrap.py +++ b/detection_rules/eswrap.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. """Elasticsearch cli commands.""" import json diff --git a/detection_rules/kbwrap.py b/detection_rules/kbwrap.py index 3b1e83ad7..7501dce55 100644 --- a/detection_rules/kbwrap.py +++ b/detection_rules/kbwrap.py 
@@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. """Kibana cli commands.""" import click diff --git a/detection_rules/main.py b/detection_rules/main.py index 1ff414d4c..7209b6eca 100644 --- a/detection_rules/main.py +++ b/detection_rules/main.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. """CLI commands for detection_rules.""" import glob diff --git a/detection_rules/mappings.py b/detection_rules/mappings.py index 8feb32080..a13138fce 100644 --- a/detection_rules/mappings.py +++ b/detection_rules/mappings.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. """RTA to rule mappings.""" import os diff --git a/detection_rules/misc.py b/detection_rules/misc.py index c78bf65e6..e75bb00b2 100644 --- a/detection_rules/misc.py +++ b/detection_rules/misc.py 
@@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. """Misc support.""" import hashlib @@ -42,8 +43,9 @@ _CONFIG = {} LICENSE_HEADER = """ Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -or more contributor license agreements. Licensed under the Elastic License; -you may not use this file except in compliance with the Elastic License. +or more contributor license agreements. Licensed under the Elastic License +2.0; you may not use this file except in compliance with the Elastic License +2.0. """.strip() LICENSE_LINES = LICENSE_HEADER.splitlines() diff --git a/detection_rules/packaging.py b/detection_rules/packaging.py index 63fe1e4b3..10823e47f 100644 --- a/detection_rules/packaging.py +++ b/detection_rules/packaging.py @@ -1,6 +1,7 @@ # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License; -# you may not use this file except in compliance with the Elastic License. +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. """Packaging and preparation for releases.""" import base64 diff --git a/detection_rules/rule.py b/detection_rules/rule.py index 8e2473178..dfcca19d5 100644 --- a/detection_rules/rule.py +++ b/detection_rules/rule.py 
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 """Rule object."""
 import base64
 import copy
diff --git a/detection_rules/rule_formatter.py b/detection_rules/rule_formatter.py
index 83a8bd63d..859178842 100644
--- a/detection_rules/rule_formatter.py
+++ b/detection_rules/rule_formatter.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 """Helper functions for managing rules in the repository."""
 import copy
diff --git a/detection_rules/rule_loader.py b/detection_rules/rule_loader.py
index 5abe09a8e..5dfe891ba 100644
--- a/detection_rules/rule_loader.py
+++ b/detection_rules/rule_loader.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 """Load rule metadata transform between rule and api formats."""
 import functools
diff --git a/detection_rules/schemas/__init__.py b/detection_rules/schemas/__init__.py
index e80fd8c7d..58ef7de59 100644
--- a/detection_rules/schemas/__init__.py
+++ b/detection_rules/schemas/__init__.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 from .base import TomlMetadata
 from .rta_schema import validate_rta_mapping
@@ -11,6 +12,7 @@ from .v7_8 import ApiSchema78
 from .v7_9 import ApiSchema79
 from .v7_10 import ApiSchema710
 from .v7_11 import ApiSchema711
+from .v7_12 import ApiSchema712
 
 __all__ = (
     "all_schemas",
@@ -26,6 +28,7 @@ all_schemas = [
     ApiSchema79,
     ApiSchema710,
     ApiSchema711,
+    ApiSchema712,
 ]
 CurrentSchema = all_schemas[-1]
 available_versions = [cls.STACK_VERSION for cls in all_schemas]
diff --git a/detection_rules/schemas/base.py b/detection_rules/schemas/base.py
index d44840f38..1df4696f3 100644
--- a/detection_rules/schemas/base.py
+++ b/detection_rules/schemas/base.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 """Definitions for rule metadata and schemas."""
 
diff --git a/detection_rules/schemas/rta_schema.py b/detection_rules/schemas/rta_schema.py
index 8dc5ca0f5..f86bcd9f2 100644
--- a/detection_rules/schemas/rta_schema.py
+++ b/detection_rules/schemas/rta_schema.py
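Review bot: Appending `ApiSchema712` to `all_schemas` silently promotes it to `CurrentSchema`, because the next line picks `all_schemas[-1]`, and `available_versions` is derived from the same list order; that makes the position of the new entry load-bearing, and nothing in the hunk says so. A comment on the list would make the contract explicit for the next version bump: `# Ascending stack-version order is required: CurrentSchema is the last entry.` If the intent is to add 7.12 without yet making it the default target, the two definitions should be decoupled rather than relying on list order; which of the two is wanted cannot be told from this hunk.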
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 import jsl
 import jsonschema
diff --git a/detection_rules/schemas/v7_10.py b/detection_rules/schemas/v7_10.py
index c2bc2c137..3d99ba64b 100644
--- a/detection_rules/schemas/v7_10.py
+++ b/detection_rules/schemas/v7_10.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 """Definitions for rule metadata and schemas."""
 
diff --git a/detection_rules/schemas/v7_11.py b/detection_rules/schemas/v7_11.py
index f0a5d51f1..d13c419bc 100644
--- a/detection_rules/schemas/v7_11.py
+++ b/detection_rules/schemas/v7_11.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 """Definitions for rule metadata and schemas."""
 
diff --git a/detection_rules/schemas/v7_12.py b/detection_rules/schemas/v7_12.py
new file mode 100644
index 000000000..8a6b84a3c
--- /dev/null
+++ b/detection_rules/schemas/v7_12.py
@@ -0,0 +1,14 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+"""Definitions for rule metadata and schemas."""
+
+from .v7_11 import ApiSchema711
+
+
+class ApiSchema712(ApiSchema711):
+    """Schema for siem rule in API format."""
+
+    STACK_VERSION = "7.12"
diff --git a/detection_rules/schemas/v7_8.py b/detection_rules/schemas/v7_8.py
index 36f805154..74e1c3390 100644
--- a/detection_rules/schemas/v7_8.py
+++ b/detection_rules/schemas/v7_8.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 """Definitions for rule metadata and schemas."""
 
diff --git a/detection_rules/schemas/v7_9.py b/detection_rules/schemas/v7_9.py
index 87a2b2d05..f0ab9b60f 100644
--- a/detection_rules/schemas/v7_9.py
+++ b/detection_rules/schemas/v7_9.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 """Definitions for rule metadata and schemas."""
 
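Review bot: The class docstring in the new v7_12.py is copied verbatim from the parent schema and does not say what distinguishes 7.12, which from this file is only the `STACK_VERSION` value; a reader checking why a 7.12 schema exists gets no answer. A docstring that states the inheritance makes the intent explicit: `"""Schema for siem rule in API format, stack 7.12: inherits every field from ApiSchema711 unchanged."""`. If 7.12 is meant to carry schema differences later, a short comment saying the class is a placeholder for them would serve the same purpose.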
@@ -50,7 +51,7 @@ class ApiSchema79(ApiSchema78):
     author = jsl.ArrayField(jsl.StringField(default="Elastic"), required=True, min_items=1)
     building_block_type = jsl.StringField(required=False)
     exceptions_list = jsl.ArrayField(required=False)
-    license = jsl.StringField(required=True, default="Elastic License")
+    license = jsl.StringField(required=True, default="Elastic License v2")
     risk_score_mapping = jsl.ArrayField(jsl.DocumentField(RiskScoreMapping), required=False, min_items=1)
     rule_name_override = jsl.StringField(required=False)
     severity_mapping = jsl.ArrayField(jsl.DocumentField(SeverityMapping), required=False, min_items=1)
diff --git a/detection_rules/semver.py b/detection_rules/semver.py
index 1cc9ea3e7..fe8d35fa9 100644
--- a/detection_rules/semver.py
+++ b/detection_rules/semver.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 """Helper functionality for comparing semantic versions."""
 import re
diff --git a/detection_rules/utils.py b/detection_rules/utils.py
index b461b7f9d..0507d3c9e 100644
--- a/detection_rules/utils.py
+++ b/detection_rules/utils.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 """Util functions."""
 import contextlib
diff --git a/kibana/__init__.py b/kibana/__init__.py
index ed1f5ed71..2e174fa04 100644
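Review bot: The new rule-metadata default `"Elastic License v2"` spells the license differently from the `Elastic License 2.0` wording the same commit writes into every file header and into `LICENSE_HEADER` in misc.py, so one license now has two identifiers in the repository and any comparison between the two will not match. Hoisting the value into one module-level constant, `DEFAULT_LICENSE = "Elastic License v2"` referenced as `default=DEFAULT_LICENSE`, keeps the spelling in one place and documents that it is an identifier rather than free text. Because the field lives on ApiSchema79, the new default is inherited by every schema from 7.9 onward, not only the 7.12 schema added in this commit; whether rules targeting 7.9–7.11 are meant to pick it up is a product decision the hunk does not state, and the class body continues outside the hunk.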
--- a/kibana/__init__.py
+++ b/kibana/__init__.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 """Wrapper around Kibana APIs for the Security Application."""
 
diff --git a/kibana/connector.py b/kibana/connector.py
index f4f6cbb42..b8c5e7d61 100644
--- a/kibana/connector.py
+++ b/kibana/connector.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 """Wrapper around requests.Session for HTTP requests to Kibana."""
 import json
diff --git a/kibana/resources.py b/kibana/resources.py
index eded7f159..8ec45cf19 100644
--- a/kibana/resources.py
+++ b/kibana/resources.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 import datetime
 from typing import List, Type
diff --git a/kql/__init__.py b/kql/__init__.py
index 9469b172c..e0889d40d 100644
--- a/kql/__init__.py
+++ b/kql/__init__.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 import eql
 
diff --git a/kql/ast.py b/kql/ast.py
index 33d35ddce..e6c7de11b 100644
--- a/kql/ast.py
+++ b/kql/ast.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 import re
 from string import Template
diff --git a/kql/dsl.py b/kql/dsl.py
index 2edc48adb..d9df95c7d 100644
--- a/kql/dsl.py
+++ b/kql/dsl.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 from collections import defaultdict
 from eql import Walker
diff --git a/kql/eql2kql.py b/kql/eql2kql.py
index 9d139fc6f..68faf4a83 100755
--- a/kql/eql2kql.py
+++ b/kql/eql2kql.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 #!/usr/bin/env python
 import eql
diff --git a/kql/errors.py b/kql/errors.py
index 8530c8109..eff0b9797 100644
--- a/kql/errors.py
+++ b/kql/errors.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 from eql import EqlError, EqlParseError, EqlCompileError
 
diff --git a/kql/evaluator.py b/kql/evaluator.py
index 649c565f4..0a7eaa181 100644
--- a/kql/evaluator.py
+++ b/kql/evaluator.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 import operator
 import re
diff --git a/kql/kql2eql.py b/kql/kql2eql.py
index 0bab5d741..cca3e362f 100755
--- a/kql/kql2eql.py
+++ b/kql/kql2eql.py
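Review bot: In kql/eql2kql.py the `#!/usr/bin/env python` line sits below the four-line license header, where it is an ordinary comment; a shebang is only honoured on the first line of the file, so the executable mode (100755 in the index line) has no effect when the script is run directly. The header rewrite touches exactly these lines, so it is the natural moment to move the shebang to line 1 above `# Copyright ...`, or to drop it and the executable bit together if the module is only ever imported. Which of the two is intended cannot be told from the hunk.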
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 import eql
 
diff --git a/kql/optimizer.py b/kql/optimizer.py
index 0612a4888..9893f431d 100644
--- a/kql/optimizer.py
+++ b/kql/optimizer.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 import functools
 
diff --git a/kql/parser.py b/kql/parser.py
index b8e770a00..058dfcfae 100644
--- a/kql/parser.py
+++ b/kql/parser.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 import contextlib
 import os
diff --git a/rta/__init__.py b/rta/__init__.py
index aa71197ac..08e649e33 100644
--- a/rta/__init__.py
+++ b/rta/__init__.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 import glob
 import importlib
diff --git a/rta/__main__.py b/rta/__main__.py
index a5173ca2f..b57d7db37 100644
--- a/rta/__main__.py
+++ b/rta/__main__.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 import argparse
 import importlib
diff --git a/rta/adobe_hijack.py b/rta/adobe_hijack.py
index e58c788ae..f17327164 100644
--- a/rta/adobe_hijack.py
+++ b/rta/adobe_hijack.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Adobe Hijack Persistence
 # RTA: adobe_hijack.py
diff --git a/rta/appcompat_shim.py b/rta/appcompat_shim.py
index 93c8ad2a2..71dcabc87 100644
--- a/rta/appcompat_shim.py
+++ b/rta/appcompat_shim.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Application Compatibility Shims
 # RTA: appcompat_shim.py
diff --git a/rta/at_command.py b/rta/at_command.py
index d82a523da..083ad1bc7 100644
--- a/rta/at_command.py
+++ b/rta/at_command.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: AT Command Lateral Movement
 # RTA: at_command.py
diff --git a/rta/bin/__init__.py b/rta/bin/__init__.py
index 7f7806bc8..e56d61909 100644
--- a/rta/bin/__init__.py
+++ b/rta/bin/__init__.py
@@ -1,4 +1,5 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
diff --git a/rta/bitsadmin_download.py b/rta/bitsadmin_download.py
index b7ad524cf..39c7c6a7f 100644
--- a/rta/bitsadmin_download.py
+++ b/rta/bitsadmin_download.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Suspicious BitsAdmin Download File
 # RTA: bitsadmin_download.py
diff --git a/rta/brute_force_login.py b/rta/brute_force_login.py
index 5c57fc3a5..00b4a7684 100644
--- a/rta/brute_force_login.py
+++ b/rta/brute_force_login.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Brute Force Login Attempts
 # RTA: brute_force_login.py
diff --git a/rta/certutil_file_obfuscation.py b/rta/certutil_file_obfuscation.py
index 84e7ccfd9..ed1e2806e 100644
--- a/rta/certutil_file_obfuscation.py
+++ b/rta/certutil_file_obfuscation.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Certutil Encode / Decode
 # RTA: certutil_file_obfuscation.py
diff --git a/rta/certutil_webrequest.py b/rta/certutil_webrequest.py
index ea1c10524..c76f4a2e3 100644
--- a/rta/certutil_webrequest.py
+++ b/rta/certutil_webrequest.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Downloading Files With Certutil
 # RTA: certutil_webrequest.py
diff --git a/rta/common.py b/rta/common.py
index ad6a634b9..c7a4d06a1 100644
--- a/rta/common.py
+++ b/rta/common.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 from __future__ import unicode_literals, print_function
 
diff --git a/rta/comsvcs_dump.py b/rta/comsvcs_dump.py
index b14903cbd..0fe256d91 100644
--- a/rta/comsvcs_dump.py
+++ b/rta/comsvcs_dump.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Memory Dump via Comsvcs
 # RTA: comsvcs_dump.py
diff --git a/rta/dcom_lateral_movement_with_mmc.py b/rta/dcom_lateral_movement_with_mmc.py
index 4ebdf5931..14574823c 100644
--- a/rta/dcom_lateral_movement_with_mmc.py
+++ b/rta/dcom_lateral_movement_with_mmc.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: DCOM Lateral Movement with MMC
 # RTA: dcom_lateral_movement_with_mmc.py
diff --git a/rta/delete_bootconf.py b/rta/delete_bootconf.py
index c68505027..39509056a 100644
--- a/rta/delete_bootconf.py
+++ b/rta/delete_bootconf.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Boot Config Deletion With bcdedit
 # RTA: delete_bootconf.py
diff --git a/rta/delete_catalogs.py b/rta/delete_catalogs.py
index 4fac92e73..954b26f6d 100644
--- a/rta/delete_catalogs.py
+++ b/rta/delete_catalogs.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Catalog Deletion with wbadmin.exe
 # RTA: delete_catalogs.py
diff --git a/rta/delete_usnjrnl.py b/rta/delete_usnjrnl.py
index 6b401ffb5..4e571a669 100644
--- a/rta/delete_usnjrnl.py
+++ b/rta/delete_usnjrnl.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: USN Journal Deletion with fsutil.exe
 # RTA: delete_usnjrnl.py
diff --git a/rta/delete_volume_shadows.py b/rta/delete_volume_shadows.py
index 85e27b825..b8264a551 100644
--- a/rta/delete_volume_shadows.py
+++ b/rta/delete_volume_shadows.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Volume Shadow Copy Deletion with vssadmin and wmic
 # RTA: delete_volume_shadow.py
diff --git a/rta/disable_windows_fw.py b/rta/disable_windows_fw.py
index 69765df82..df0cf752d 100644
--- a/rta/disable_windows_fw.py
+++ b/rta/disable_windows_fw.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Disable Windows Firewall
 # RTA: disable_windows_fw.py
diff --git a/rta/enum_commands.py b/rta/enum_commands.py
index 21127d36f..585eb49cc 100644
--- a/rta/enum_commands.py
+++ b/rta/enum_commands.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Common Enumeration Commands
 # RTA: enum_commands.py
diff --git a/rta/findstr_pw_search.py b/rta/findstr_pw_search.py
index a2137a01c..84b14859f 100644
--- a/rta/findstr_pw_search.py
+++ b/rta/findstr_pw_search.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Recursive Password Search
 # RTA: findstr_pw_search.py
diff --git a/rta/globalflags.py b/rta/globalflags.py
index 639d5ae5a..8bb9d1f22 100644
--- a/rta/globalflags.py
+++ b/rta/globalflags.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Persistence using GlobalFlags
 # RTA: globalflags.py
diff --git a/rta/hosts_file_modify.py b/rta/hosts_file_modify.py
index 79fb121bd..56778dcc1 100644
--- a/rta/hosts_file_modify.py
+++ b/rta/hosts_file_modify.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Hosts File Modified
 # RTA: hosts_file_modify.py
diff --git a/rta/installutil_network.py b/rta/installutil_network.py
index 36426b057..717c1d036 100644
--- a/rta/installutil_network.py
+++ b/rta/installutil_network.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Network Traffic from InstallUtil
 # RTA: installutil_network.py
diff --git a/rta/iqy_file_writes.py b/rta/iqy_file_writes.py
index 7860b0d1b..a12a495f4 100644
--- a/rta/iqy_file_writes.py
+++ b/rta/iqy_file_writes.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Suspicious IQY/PUB File Writes
 # RTA: iqy_file_writes.py
diff --git a/rta/lateral_command_psexec.py b/rta/lateral_command_psexec.py
index f03ddbad7..11bf562fb 100755
--- a/rta/lateral_command_psexec.py
+++ b/rta/lateral_command_psexec.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: PsExec Lateral Movement
 # RTA: lateral_command_psexec.py
diff --git a/rta/lateral_commands.py b/rta/lateral_commands.py
index 6148bb356..69c054f3e 100644
--- a/rta/lateral_commands.py
+++ b/rta/lateral_commands.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Lateral Movement Commands
 # RTA: lateral_commands.py
diff --git a/rta/linux_compress_sensitive_files.py b/rta/linux_compress_sensitive_files.py
index 171743e9c..7b2104818 100644
--- a/rta/linux_compress_sensitive_files.py
+++ b/rta/linux_compress_sensitive_files.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Compression of sensitive files
 # RTA: linux_compress_sensitive_files.py
diff --git a/rta/linux_discovery_sensitive_files.py b/rta/linux_discovery_sensitive_files.py
index 328f96295..b8561a5f5 100644
--- a/rta/linux_discovery_sensitive_files.py
+++ b/rta/linux_discovery_sensitive_files.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Reading sensitive files
 # RTA: linux_discovery_sensitive_files.py
diff --git a/rta/mac_office_descendant.py b/rta/mac_office_descendant.py
index cbb1c640b..a9e51584c 100644
--- a/rta/mac_office_descendant.py
+++ b/rta/mac_office_descendant.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Mac Descendant of an Office Application
 # RTA: mac_office_descendant.py
diff --git a/rta/modification_of_wdigest_security_provider.py b/rta/modification_of_wdigest_security_provider.py
index 0ac0d9cc6..f3e721230 100644
--- a/rta/modification_of_wdigest_security_provider.py
+++ b/rta/modification_of_wdigest_security_provider.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Modification of WDigest Security Provider
 # RTA: modification_of_wdigest_security_provider.py
diff --git a/rta/ms_office_drop_exe.py b/rta/ms_office_drop_exe.py
index 085f59009..ecce23f1b 100644
--- a/rta/ms_office_drop_exe.py
+++ b/rta/ms_office_drop_exe.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Emulate MS Office Dropping an executable file to disk
 # RTA: ms_office_drop_exe.py
diff --git a/rta/msbuild_network.py b/rta/msbuild_network.py
index ff80e00b4..36d215325 100644
--- a/rta/msbuild_network.py
+++ b/rta/msbuild_network.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: MsBuild with Network Activity
 # RTA: msbuild_network.py
diff --git a/rta/mshta_network.py b/rta/mshta_network.py
index 65977f9bc..f21480129 100644
--- a/rta/mshta_network.py
+++ b/rta/mshta_network.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Microsoft HTA tool (mshta.exe) with Network Callback
 # RTA: mshta_network.py
diff --git a/rta/msiexec_http_installer.py b/rta/msiexec_http_installer.py
index e999809d2..402b90301 100644
--- a/rta/msiexec_http_installer.py
+++ b/rta/msiexec_http_installer.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: MsiExec with HTTP Installer
 # RTA: msiexec_http_installer.py
diff --git a/rta/msxsl_network.py b/rta/msxsl_network.py
index 015c377f9..a7e063f46 100644
--- a/rta/msxsl_network.py
+++ b/rta/msxsl_network.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: msxsl.exe Network
 # RTA: msxsl_network.py
diff --git a/rta/net_user_add.py b/rta/net_user_add.py
index 12f57eede..e0e642579 100644
--- a/rta/net_user_add.py
+++ b/rta/net_user_add.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Create User with net.exe
 # RTA: net_user_add.py
diff --git a/rta/obfuscated_cmd_commands.py b/rta/obfuscated_cmd_commands.py
index bd3fa8c64..312912d07 100644
--- a/rta/obfuscated_cmd_commands.py
+++ b/rta/obfuscated_cmd_commands.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Emulate Obfuscated cmd Commands
 # RTA: obfuscated_cmd_commands.py
diff --git a/rta/obfuscated_powershell.py b/rta/obfuscated_powershell.py
index 417beb422..180ed7b34 100644
--- a/rta/obfuscated_powershell.py
+++ b/rta/obfuscated_powershell.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Obfuscated PowerShell Commands
 # RTA: obfuscated_powershell.py
diff --git a/rta/office_application_startup.py b/rta/office_application_startup.py
index 3c262da54..607e18465 100644
--- a/rta/office_application_startup.py
+++ b/rta/office_application_startup.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Office Application Startup
 # RTA: office_application_startup.py
diff --git a/rta/persistent_scripts.py b/rta/persistent_scripts.py
index 059a90451..4b8d46074 100644
--- a/rta/persistent_scripts.py
+++ b/rta/persistent_scripts.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Persistent Scripts
 # RTA: persistent_scripts.py
diff --git a/rta/port_monitor.py b/rta/port_monitor.py
index fbb8230ab..1d0d2ac90 100644
--- a/rta/port_monitor.py
+++ b/rta/port_monitor.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Privilege Escalation via Port Monitor Registration
 # RTA: port_monitor.py
diff --git a/rta/powershell_args.py b/rta/powershell_args.py
index 9c5cdfd0d..abaaeda16 100644
--- a/rta/powershell_args.py
+++ b/rta/powershell_args.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Powershell with Suspicious Arguments
 # RTA: powershell_args.py
diff --git a/rta/powershell_base64_gzip.py b/rta/powershell_base64_gzip.py
index 955404dc3..c64de3ca5 100644
--- a/rta/powershell_base64_gzip.py
+++ b/rta/powershell_base64_gzip.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: PowerShell with base64/gzip
 # RTA: powershell_base64_gzip.py
diff --git a/rta/powershell_from_script.py b/rta/powershell_from_script.py
index bfa4ac620..9e82b408f 100644
--- a/rta/powershell_from_script.py
+++ b/rta/powershell_from_script.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: PowerShell Launched from Script
 # RTA: powershell_from_script.py
diff --git a/rta/process_double_extension.py b/rta/process_double_extension.py
index 962cda58e..22c7727a1 100644
--- a/rta/process_double_extension.py
+++ b/rta/process_double_extension.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Double Process Extension
 # RTA: process_double_extension.py
diff --git a/rta/process_extension_anomalies.py b/rta/process_extension_anomalies.py
index 8eb5dbb52..5618df1d8 100644
--- a/rta/process_extension_anomalies.py
+++ b/rta/process_extension_anomalies.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Executable with Unusual Extensions
 # RTA: process_extension_anomalies.py
diff --git a/rta/process_name_masquerade.py b/rta/process_name_masquerade.py
index 4549bd981..2cfd65039 100644
--- a/rta/process_name_masquerade.py
+++ b/rta/process_name_masquerade.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Windows Core Process Masquerade
 # RTA: process_name_masquerade.py
diff --git a/rta/recycle_bin_process.py b/rta/recycle_bin_process.py
index 9d114172a..656f13a2b 100644
--- a/rta/recycle_bin_process.py
+++ b/rta/recycle_bin_process.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Run Process from the Recycle Bin
 # RTA: recycle_bin_process.py
diff --git a/rta/registry_hive_export.py b/rta/registry_hive_export.py
index 358894ebd..2a8505b62 100644
--- a/rta/registry_hive_export.py
+++ b/rta/registry_hive_export.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Export Registry Hives
 # RTA: registry_hive_export.py
diff --git a/rta/registry_persistence_create.py b/rta/registry_persistence_create.py
index db9ea3bad..96a6e967b 100644
--- a/rta/registry_persistence_create.py
+++ b/rta/registry_persistence_create.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Registry persistence creation
 # RTA: registry_persistence_create.py
diff --git a/rta/registry_rdp_enable.py b/rta/registry_rdp_enable.py
index 34f14447f..5731e0d87 100644
--- a/rta/registry_rdp_enable.py
+++ b/rta/registry_rdp_enable.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Enable RDP Through Registry
 # RTA: registry_rdp_enable.py
diff --git a/rta/regsvr32_scrobj.py b/rta/regsvr32_scrobj.py
index 35dc00c67..ba1e035cf 100644
--- a/rta/regsvr32_scrobj.py
+++ b/rta/regsvr32_scrobj.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: RegSvr32 Backdoor with .sct Files
 # RTA: regsvr32_scrobj.py
diff --git a/rta/rundll32_inf_callback.py b/rta/rundll32_inf_callback.py
index 6a0a28bdf..91f266b13 100644
--- a/rta/rundll32_inf_callback.py
+++ b/rta/rundll32_inf_callback.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: RunDll32 with .inf Callback
 # RTA: rundll32_inf_callback.py
diff --git a/rta/rundll32_javascript_callback.py b/rta/rundll32_javascript_callback.py
index 1b03be4ee..71bc347fb 100644
--- a/rta/rundll32_javascript_callback.py
+++ b/rta/rundll32_javascript_callback.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: RunDLL32 Javascript Callback
 # RTA: rundll32_javascript_callback.py
diff --git a/rta/schtask_escalation.py b/rta/schtask_escalation.py
index 0d7fb3e24..0d5fbe7a8 100644
--- a/rta/schtask_escalation.py
+++ b/rta/schtask_escalation.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Scheduled Task Privilege Escalation
 # RTA: schtask_escalation.py
diff --git a/rta/scrobj_com_hijack.py b/rta/scrobj_com_hijack.py
index f195b2851..7dd0d7b5f 100644
--- a/rta/scrobj_com_hijack.py
+++ b/rta/scrobj_com_hijack.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: COM Hijack via Script Object
 # RTA: scrobj_com_hijack.py
diff --git a/rta/secure_file_deletion.py b/rta/secure_file_deletion.py
index 3de40b15f..adc657096 100644
--- a/rta/secure_file_deletion.py
+++ b/rta/secure_file_deletion.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 import os
 import subprocess
diff --git a/rta/settingcontentms_files.py b/rta/settingcontentms_files.py
index e037aa8b6..fe71224a0 100644
--- a/rta/settingcontentms_files.py
+++ b/rta/settingcontentms_files.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Abusing SettingContent-ms Files
 # RTA: settingcontentms_files.py
diff --git a/rta/sevenzip_encrypted.py b/rta/sevenzip_encrypted.py
index 455000fb5..58db54130 100644
--- a/rta/sevenzip_encrypted.py
+++ b/rta/sevenzip_encrypted.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Encrypting files with 7zip
 # RTA: sevenzip_encrypted.py
diff --git a/rta/shortcut_file_suspicious_process.py b/rta/shortcut_file_suspicious_process.py
index e75c28cc9..7ba2e7aff 100644
--- a/rta/shortcut_file_suspicious_process.py
+++ b/rta/shortcut_file_suspicious_process.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Shortcut File Suspicious Process
 # RTA: shortcut_file_suspicious_process.py
diff --git a/rta/sip_provider.py b/rta/sip_provider.py
index 56a1987fc..607896f44 100644
--- a/rta/sip_provider.py
+++ b/rta/sip_provider.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: SIP Provider Modification
 # RTA: sip_provider.py
diff --git a/rta/smb_connection.py b/rta/smb_connection.py
index b4024b337..e0be24b34 100644
--- a/rta/smb_connection.py
+++ b/rta/smb_connection.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Outbound SMB from a User Process
 # RTA: smb_connection.py
diff --git a/rta/sticky_keys_write_execute.py b/rta/sticky_keys_write_execute.py
index 847928cb6..f64b02376 100644
--- a/rta/sticky_keys_write_execute.py
+++ b/rta/sticky_keys_write_execute.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Overwrite Accessibiity Binaries
 # RTA: sticky_keys_write_execute.py
diff --git a/rta/suspicious_dll_registration_regsvr32.py b/rta/suspicious_dll_registration_regsvr32.py
index 6f9a453d9..3dde49aff 100644
--- a/rta/suspicious_dll_registration_regsvr32.py
+++ b/rta/suspicious_dll_registration_regsvr32.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Suspicious DLL Registration by Regsvr32
 # RTA: suspicious_dll_registration_regsvr32.py
diff --git a/rta/suspicious_office_children.py b/rta/suspicious_office_children.py
index 0aedecbe6..aae249c38 100644
--- a/rta/suspicious_office_children.py
+++ b/rta/suspicious_office_children.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Emulate Suspect MS Office Child Processes
 # RTA: suspect_office_children.py
diff --git a/rta/suspicious_office_descendant_fp.py b/rta/suspicious_office_descendant_fp.py
index 3d36eac72..f95a84a51 100644
--- a/rta/suspicious_office_descendant_fp.py
+++ b/rta/suspicious_office_descendant_fp.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Emulate Suspect MS Office Child Processes
 # RTA: suspect_office_children.py
diff --git a/rta/suspicious_powershell_download.py b/rta/suspicious_powershell_download.py
index b5aae55f0..f0471a4f3 100644
--- a/rta/suspicious_powershell_download.py
+++ b/rta/suspicious_powershell_download.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Suspicious PowerShell Download
 # RTA: suspicious_powershell_download.py
diff --git a/rta/suspicious_wmic_script.py b/rta/suspicious_wmic_script.py
index 2b021535a..d743943f0 100644
--- a/rta/suspicious_wmic_script.py
+++ b/rta/suspicious_wmic_script.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Suspicious WMIC script execution
 # RTA: suspicious_wmic_script.py
diff --git a/rta/suspicious_wscript_parent.py b/rta/suspicious_wscript_parent.py
index 29684421d..d8e7d7b41 100644
--- a/rta/suspicious_wscript_parent.py
+++ b/rta/suspicious_wscript_parent.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Suspicious WScript parent
 # RTA: suspicious_wscript_parent.py
diff --git a/rta/system_restore_process.py b/rta/system_restore_process.py
index 1316b5e4d..bdf523253 100644
--- a/rta/system_restore_process.py
+++ b/rta/system_restore_process.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Process Execution in System Restore
 # RTA: system_restore_process.py
diff --git a/rta/trust_provider.py b/rta/trust_provider.py
index 99ef62a6c..d7e51f130 100644
--- a/rta/trust_provider.py
+++ b/rta/trust_provider.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Trust Provider Modification
 # RTA: trust_provider.py
diff --git a/rta/uac_eventviewer.py b/rta/uac_eventviewer.py
index 7dacc5f54..51cc81e03 100644
--- a/rta/uac_eventviewer.py
+++ b/rta/uac_eventviewer.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Bypass UAC via Event Viewer
 # RTA: uac_eventviewer.py
diff --git a/rta/uac_sdclt.py b/rta/uac_sdclt.py
index e397007d6..02360aa67 100644
--- a/rta/uac_sdclt.py
+++ b/rta/uac_sdclt.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Bypass UAC via Sdclt
 # RTA: uac_sdclt.py
diff --git a/rta/uac_sysprep.py b/rta/uac_sysprep.py
index 0c49c374f..5a4784880 100644
--- a/rta/uac_sysprep.py
+++ b/rta/uac_sysprep.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Bypass UAC via Sysprep
 # RTA: uac_sysprep.py
diff --git a/rta/uncommon_persistence.py b/rta/uncommon_persistence.py
index 34915d2bd..6d48c1592 100644
--- a/rta/uncommon_persistence.py
+++ b/rta/uncommon_persistence.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Uncommon Registry Persistence Change
 # RTA: uncommon_persistence.py
diff --git a/rta/unusual_ms_tool_network.py b/rta/unusual_ms_tool_network.py
index a26303573..3c28d4242 100644
--- a/rta/unusual_ms_tool_network.py
+++ b/rta/unusual_ms_tool_network.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Unexpected Network Activity from Microsoft Tools
 # RTA: unusual_ms_tool_network.py
diff --git a/rta/unusual_parent_child.py b/rta/unusual_parent_child.py
index e1a5fe6d1..187f20022 100644
--- a/rta/unusual_parent_child.py
+++ b/rta/unusual_parent_child.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Invalid Process Trees in Windows
 # RTA: unusual_parent_child.py
diff --git a/rta/user_dir_escalation.py b/rta/user_dir_escalation.py
index f1884cfa3..0516c7199 100644
--- a/rta/user_dir_escalation.py
+++ b/rta/user_dir_escalation.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: SYSTEM Escalation from User Directory
 # RTA: user_dir_escalation.py
diff --git a/rta/vaultcmd_commands.py b/rta/vaultcmd_commands.py
index 76df13584..7159ff57c 100644
--- a/rta/vaultcmd_commands.py
+++ b/rta/vaultcmd_commands.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Searching Credential Vaults via VaultCmd
 # RTA: vaultcmd_commands.py
diff --git a/rta/werfault_persistence.py b/rta/werfault_persistence.py
index 563a9934b..499e014e1 100644
--- a/rta/werfault_persistence.py
+++ b/rta/werfault_persistence.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: WerFault.exe Persistence
 # RTA: werfault_persistence.py
diff --git a/rta/wevtutil_log_clear.py b/rta/wevtutil_log_clear.py
index d1fbdf337..ac7a0662a 100644
--- a/rta/wevtutil_log_clear.py
+++ b/rta/wevtutil_log_clear.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Clearing Windows Event Logs
 # RTA: wevutil_log_clear.py
diff --git a/rta/winrar_encrypted.py b/rta/winrar_encrypted.py
index b7ec300a6..790d5198c 100644
--- a/rta/winrar_encrypted.py
+++ b/rta/winrar_encrypted.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: Encrypting files with WinRAR
 # RTA: winrar_encrypted.py
diff --git a/rta/winrar_startup_folder.py b/rta/winrar_startup_folder.py
index 48c41ba5e..3e60a5a4a 100644
--- a/rta/winrar_startup_folder.py
+++ b/rta/winrar_startup_folder.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: WinRAR Startup Folder
 # RTA: winrar_startup_folder.py
diff --git a/rta/wmi_incoming_logon.py b/rta/wmi_incoming_logon.py
index e3cf71e77..d9db0f8e4 100644
--- a/rta/wmi_incoming_logon.py
+++ b/rta/wmi_incoming_logon.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 # Name: WMI Incoming Lateral Movement
 # RTA: wmi_incoming_logon.py
diff --git a/rules/apm/apm_403_response_to_a_post.toml b/rules/apm/apm_403_response_to_a_post.toml
index 2f7ee47e6..ad1f77c66 100644
--- a/rules/apm/apm_403_response_to_a_post.toml
+++ b/rules/apm/apm_403_response_to_a_post.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 ]
 index = ["apm-*-transaction*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Web Application Suspicious Activity: POST Request Declined"
 references = ["https://en.wikipedia.org/wiki/HTTP_403"]
 risk_score = 47
diff --git a/rules/apm/apm_405_response_method_not_allowed.toml b/rules/apm/apm_405_response_method_not_allowed.toml
index d5e62fbc4..3308ffe19 100644
--- a/rules/apm/apm_405_response_method_not_allowed.toml
+++ b/rules/apm/apm_405_response_method_not_allowed.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 ]
 index = ["apm-*-transaction*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Web Application Suspicious Activity: Unauthorized Method"
 references = ["https://en.wikipedia.org/wiki/HTTP_405"]
 risk_score = 47
diff --git a/rules/apm/apm_null_user_agent.toml b/rules/apm/apm_null_user_agent.toml
index 8afec8188..6751cb4f9 100644
--- a/rules/apm/apm_null_user_agent.toml
+++ b/rules/apm/apm_null_user_agent.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 ]
 index = ["apm-*-transaction*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Web Application Suspicious Activity: No User Agent"
 references = ["https://en.wikipedia.org/wiki/User_agent"]
 risk_score = 47
diff --git a/rules/apm/apm_sqlmap_user_agent.toml b/rules/apm/apm_sqlmap_user_agent.toml
index 630178522..4706ed1b4 100644
--- a/rules/apm/apm_sqlmap_user_agent.toml
+++ b/rules/apm/apm_sqlmap_user_agent.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 ]
 index = ["apm-*-transaction*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Web Application Suspicious Activity: sqlmap User Agent"
 references = ["http://sqlmap.org/"]
 risk_score = 47
diff --git a/rules/aws/collection_cloudtrail_logging_created.toml b/rules/aws/collection_cloudtrail_logging_created.toml
index 9da2ea84f..2da21d22e 100644
--- a/rules/aws/collection_cloudtrail_logging_created.toml
+++ b/rules/aws/collection_cloudtrail_logging_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS CloudTrail Log Created"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml b/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
index d9e48e41b..d1e5ee76b 100644
--- a/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
+++ b/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ role exists before attempting to assume or hijack the discovered role.
 from = "now-20m"
 index = ["filebeat-*", "logs-aws*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS IAM Brute Force of Assume Role Policy"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/credential_access_iam_user_addition_to_group.toml b/rules/aws/credential_access_iam_user_addition_to_group.toml
index f74b6b52a..180bdd6ce 100644
--- a/rules/aws/credential_access_iam_user_addition_to_group.toml
+++ b/rules/aws/credential_access_iam_user_addition_to_group.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/04"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS IAM User Addition to Group"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"]
diff --git a/rules/aws/credential_access_root_console_failure_brute_force.toml b/rules/aws/credential_access_root_console_failure_brute_force.toml
index d1e6a4e85..6778ab6fd 100644
--- a/rules/aws/credential_access_root_console_failure_brute_force.toml
+++ b/rules/aws/credential_access_root_console_failure_brute_force.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/21"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 ]
 from = "now-20m"
 index = ["filebeat-*", "logs-aws*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS Management Console Brute Force of Root User Identity"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]
diff --git a/rules/aws/credential_access_secretsmanager_getsecretvalue.toml b/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
index 36af18b95..638fa6b06 100644
--- a/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
+++ b/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Nick Jones", "Elastic"]
@@ -19,7 +19,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS Access Secret in Secrets Manager"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
index b23e79319..804968321 100644
--- a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
+++ b/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS CloudTrail Log Deleted"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
index 9d9591d68..c47283cdd 100644
--- a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
+++ b/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS CloudTrail Log Suspended"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
index 6f909426e..cd761d270 100644
--- a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
+++ b/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/15"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS CloudWatch Alarm Deletion"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/defense_evasion_config_service_rule_deletion.toml b/rules/aws/defense_evasion_config_service_rule_deletion.toml
index c78159701..37661fd88 100644
--- a/rules/aws/defense_evasion_config_service_rule_deletion.toml
+++ b/rules/aws/defense_evasion_config_service_rule_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/26"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS Config Service Tampering"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/aws/defense_evasion_configuration_recorder_stopped.toml
index 88a527123..3cd46cd4c 100644
--- a/rules/aws/defense_evasion_configuration_recorder_stopped.toml
+++ b/rules/aws/defense_evasion_configuration_recorder_stopped.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/16"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS Configuration Recorder Stopped"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
index eb68d0a95..b30044f83 100644
--- a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
+++ b/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/15"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS EC2 Flow Log Deletion"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
index 3e6e714ee..4edf8c09f 100644
--- a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
+++ b/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS EC2 Network Access Control List Deletion"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/aws/defense_evasion_guardduty_detector_deletion.toml
index eef349875..7ec7b11b4 100644
--- a/rules/aws/defense_evasion_guardduty_detector_deletion.toml
+++ b/rules/aws/defense_evasion_guardduty_detector_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/28"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS GuardDuty Detector Deletion"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
index 272b3735f..e73d8b6a7 100644
--- a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
+++ b/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/27"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS S3 Bucket Configuration Deletion"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/defense_evasion_waf_acl_deletion.toml b/rules/aws/defense_evasion_waf_acl_deletion.toml
index 67022ac20..6e64e4d8e 100644
--- a/rules/aws/defense_evasion_waf_acl_deletion.toml
+++ b/rules/aws/defense_evasion_waf_acl_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS WAF Access Control List Deletion"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
index 377e8d445..abfcc098b 100644
--- a/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
+++ b/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/09"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS WAF Rule or Rule Group Deletion"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/exfiltration_ec2_snapshot_change_activity.toml b/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
index 9065017eb..a7b1daf29 100644
--- a/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
+++ b/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/24"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS EC2 Snapshot Activity"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/impact_cloudtrail_logging_updated.toml b/rules/aws/impact_cloudtrail_logging_updated.toml
index ef5749fa5..c4d15ec7f 100644
--- a/rules/aws/impact_cloudtrail_logging_updated.toml
+++ b/rules/aws/impact_cloudtrail_logging_updated.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS CloudTrail Log Updated"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/impact_cloudwatch_log_group_deletion.toml b/rules/aws/impact_cloudwatch_log_group_deletion.toml
index 76b3849c2..488d7b386 100644
--- a/rules/aws/impact_cloudwatch_log_group_deletion.toml
+++ b/rules/aws/impact_cloudwatch_log_group_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS CloudWatch Log Group Deletion"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/aws/impact_cloudwatch_log_stream_deletion.toml
index 3e0487546..42af3b058 100644
--- a/rules/aws/impact_cloudwatch_log_stream_deletion.toml
+++ b/rules/aws/impact_cloudwatch_log_stream_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS CloudWatch Log Stream Deletion"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/impact_ec2_disable_ebs_encryption.toml b/rules/aws/impact_ec2_disable_ebs_encryption.toml
index 164d65f07..adf424904 100644
--- a/rules/aws/impact_ec2_disable_ebs_encryption.toml
+++ b/rules/aws/impact_ec2_disable_ebs_encryption.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/05"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS EC2 Encryption Disabled"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/impact_iam_deactivate_mfa_device.toml b/rules/aws/impact_iam_deactivate_mfa_device.toml
index 120912365..8b1d451fc 100644
--- a/rules/aws/impact_iam_deactivate_mfa_device.toml
+++ b/rules/aws/impact_iam_deactivate_mfa_device.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS IAM Deactivation of MFA Device"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/impact_iam_group_deletion.toml b/rules/aws/impact_iam_group_deletion.toml
index 86ead91d7..0d64969c6 100644
--- a/rules/aws/impact_iam_group_deletion.toml
+++ b/rules/aws/impact_iam_group_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS IAM Group Deletion"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/impact_rds_cluster_deletion.toml b/rules/aws/impact_rds_cluster_deletion.toml
index a70f3c5f8..91d201627 100644
--- a/rules/aws/impact_rds_cluster_deletion.toml
+++ b/rules/aws/impact_rds_cluster_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS RDS Cluster Deletion"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/impact_rds_instance_cluster_stoppage.toml b/rules/aws/impact_rds_instance_cluster_stoppage.toml
index 35ecad5ca..d3e2a5a84 100644
--- a/rules/aws/impact_rds_instance_cluster_stoppage.toml
+++ b/rules/aws/impact_rds_instance_cluster_stoppage.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS RDS Instance/Cluster Stoppage"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/initial_access_console_login_root.toml b/rules/aws/initial_access_console_login_root.toml
index b7be52fbf..9369c6b2a 100644
--- a/rules/aws/initial_access_console_login_root.toml
+++ b/rules/aws/initial_access_console_login_root.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/11"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS Management Console Root Login"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]
diff --git a/rules/aws/initial_access_password_recovery.toml b/rules/aws/initial_access_password_recovery.toml
index 4132af1c9..34f7e81dc 100644
--- a/rules/aws/initial_access_password_recovery.toml
+++ b/rules/aws/initial_access_password_recovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/02"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS IAM Password Recovery Requested"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = ["https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-campaign/"]
diff --git a/rules/aws/initial_access_via_system_manager.toml b/rules/aws/initial_access_via_system_manager.toml
index 234c296d0..9202b9921 100644
--- a/rules/aws/initial_access_via_system_manager.toml
+++ b/rules/aws/initial_access_via_system_manager.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS Execution via System Manager"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = ["https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html"]
diff --git a/rules/aws/persistence_ec2_network_acl_creation.toml b/rules/aws/persistence_ec2_network_acl_creation.toml
index b04207e36..2c60125d6 100644
--- a/rules/aws/persistence_ec2_network_acl_creation.toml
+++ b/rules/aws/persistence_ec2_network_acl_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/04"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS EC2 Network Access Control List Creation"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/persistence_iam_group_creation.toml b/rules/aws/persistence_iam_group_creation.toml
index ad208b8a5..fca401806 100644
--- a/rules/aws/persistence_iam_group_creation.toml
+++ b/rules/aws/persistence_iam_group_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/05"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS IAM Group Creation"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/persistence_rds_cluster_creation.toml b/rules/aws/persistence_rds_cluster_creation.toml
index 65c70ecbe..dff2bddb0 100644
--- a/rules/aws/persistence_rds_cluster_creation.toml
+++ b/rules/aws/persistence_rds_cluster_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS RDS Cluster Creation"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/aws/privilege_escalation_root_login_without_mfa.toml b/rules/aws/privilege_escalation_root_login_without_mfa.toml
index 9343b0a20..a366cd7ef 100644
--- a/rules/aws/privilege_escalation_root_login_without_mfa.toml
+++ b/rules/aws/privilege_escalation_root_login_without_mfa.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS Root Login Without MFA"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]
diff --git a/rules/aws/privilege_escalation_updateassumerolepolicy.toml b/rules/aws/privilege_escalation_updateassumerolepolicy.toml
index 15fc18844..acb113033 100644
--- a/rules/aws/privilege_escalation_updateassumerolepolicy.toml
+++ b/rules/aws/privilege_escalation_updateassumerolepolicy.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ from = "now-60m"
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AWS IAM Assume Role Policy Update"
 note = "The AWS Filebeat module must be enabled to use this rule."
 references = ["https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws"]
diff --git a/rules/azure/collection_update_event_hub_auth_rule.toml b/rules/azure/collection_update_event_hub_auth_rule.toml
index eb12e6dd9..a4827df93 100644
--- a/rules/azure/collection_update_event_hub_auth_rule.toml
+++ b/rules/azure/collection_update_event_hub_auth_rule.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ false_positives = [
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Event Hub Authorization Rule Created or Updated"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = ["https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"]
diff --git a/rules/azure/credential_access_key_vault_modified.toml b/rules/azure/credential_access_key_vault_modified.toml
index a7158fa7e..29fc658b7 100644
--- a/rules/azure/credential_access_key_vault_modified.toml
+++ b/rules/azure/credential_access_key_vault_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Key Vault Modified"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/credential_access_storage_account_key_regenerated.toml b/rules/azure/credential_access_storage_account_key_regenerated.toml
index 56d9f7e30..11c8026ac 100644
--- a/rules/azure/credential_access_storage_account_key_regenerated.toml
+++ b/rules/azure/credential_access_storage_account_key_regenerated.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Storage Account Key Regenerated"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/defense_evasion_azure_application_credential_modification.toml b/rules/azure/defense_evasion_azure_application_credential_modification.toml
index 8dff11176..f834d36ca 100644
--- a/rules/azure/defense_evasion_azure_application_credential_modification.toml
+++ b/rules/azure/defense_evasion_azure_application_credential_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ false_positives = [
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Application Credential Modification"
 note = "The Azure Fleet Integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml b/rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
index b4721e635..f018a5214 100644
--- a/rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
+++ b/rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Diagnostic Settings Deletion"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = ["https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings"]
diff --git a/rules/azure/defense_evasion_azure_service_principal_addition.toml b/rules/azure/defense_evasion_azure_service_principal_addition.toml
index 300e08378..b7c0c8c42 100644
--- a/rules/azure/defense_evasion_azure_service_principal_addition.toml
+++ b/rules/azure/defense_evasion_azure_service_principal_addition.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Service Principal Addition"
 note = "The Azure Fleet Integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/defense_evasion_event_hub_deletion.toml b/rules/azure/defense_evasion_event_hub_deletion.toml
index 547488246..263fb8acd 100644
--- a/rules/azure/defense_evasion_event_hub_deletion.toml
+++ b/rules/azure/defense_evasion_event_hub_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Event Hub Deletion"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/defense_evasion_firewall_policy_deletion.toml b/rules/azure/defense_evasion_firewall_policy_deletion.toml
index 463316d10..c4bf8cb2d 100644
--- a/rules/azure/defense_evasion_firewall_policy_deletion.toml
+++ b/rules/azure/defense_evasion_firewall_policy_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Firewall Policy Deletion"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = ["https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview"]
diff --git a/rules/azure/defense_evasion_network_watcher_deletion.toml b/rules/azure/defense_evasion_network_watcher_deletion.toml
index 400802c68..262b45fb3 100644
--- a/rules/azure/defense_evasion_network_watcher_deletion.toml
+++ b/rules/azure/defense_evasion_network_watcher_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Network Watcher Deletion"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = ["https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview"]
diff --git a/rules/azure/discovery_blob_container_access_mod.toml b/rules/azure/discovery_blob_container_access_mod.toml
index dd9985506..5ac49a4a0 100644
--- a/rules/azure/discovery_blob_container_access_mod.toml
+++ b/rules/azure/discovery_blob_container_access_mod.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Blob Container Access Level Modification"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = ["https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent"]
diff --git a/rules/azure/execution_command_virtual_machine.toml b/rules/azure/execution_command_virtual_machine.toml
index 880e01760..98d4af502 100644
--- a/rules/azure/execution_command_virtual_machine.toml
+++ b/rules/azure/execution_command_virtual_machine.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ false_positives = [
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Command Execution on Virtual Machine"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/impact_azure_automation_runbook_deleted.toml b/rules/azure/impact_azure_automation_runbook_deleted.toml
index 75c0859d1..3faa1b71e 100644
--- a/rules/azure/impact_azure_automation_runbook_deleted.toml
+++ b/rules/azure/impact_azure_automation_runbook_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ disrupt their target's automated business operations or to remove a malicious ru
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Automation Runbook Deleted"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/impact_resource_group_deletion.toml b/rules/azure/impact_resource_group_deletion.toml
index 716d04e2a..10d6ac2fb 100644
--- a/rules/azure/impact_resource_group_deletion.toml
+++ b/rules/azure/impact_resource_group_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Resource Group Deletion"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/initial_access_azure_active_directory_high_risk_signin.toml b/rules/azure/initial_access_azure_active_directory_high_risk_signin.toml
index 07898d580..a7cae357c 100644
--- a/rules/azure/initial_access_azure_active_directory_high_risk_signin.toml
+++ b/rules/azure/initial_access_azure_active_directory_high_risk_signin.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic", "Willem D'Haese"]
@@ -14,7 +14,7 @@ compromised.
 from = "now-25m"
 index = ["filebeat-*", "logs-azure.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Active Directory High Risk Sign-in"
 note = "The Azure Fleet Integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/initial_access_azure_active_directory_powershell_signin.toml b/rules/azure/initial_access_azure_active_directory_powershell_signin.toml
index 8afbbc0f1..fb3a78d6e 100644
--- a/rules/azure/initial_access_azure_active_directory_powershell_signin.toml
+++ b/rules/azure/initial_access_azure_active_directory_powershell_signin.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Active Directory PowerShell Sign-in"
 note = "The Azure Fleet Integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml b/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
index 745d27ec3..e2c02c756 100644
--- a/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
+++ b/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ as contact information, email, or documents.
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Possible Consent Grant Attack via Azure-Registered Application"
 note = """- The Azure Filebeat module must be enabled to use this rule.
 - In a consent grant attack, an attacker tricks an end user into granting a malicious application consent to access their data, usually via a phishing attack. After the malicious application has been granted consent, it has account-level access to data without the need for an organizational account.
diff --git a/rules/azure/initial_access_external_guest_user_invite.toml b/rules/azure/initial_access_external_guest_user_invite.toml
index 24d242249..ed5cbbdb2 100644
--- a/rules/azure/initial_access_external_guest_user_invite.toml
+++ b/rules/azure/initial_access_external_guest_user_invite.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure External Guest User Invitation"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = ["https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0"]
diff --git a/rules/azure/persistence_azure_automation_account_created.toml b/rules/azure/persistence_azure_automation_account_created.toml
index 97c638594..b92d24b5c 100644
--- a/rules/azure/persistence_azure_automation_account_created.toml
+++ b/rules/azure/persistence_azure_automation_account_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ persistence in their target's environment.
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Automation Account Created"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/persistence_azure_automation_runbook_created_or_modified.toml b/rules/azure/persistence_azure_automation_runbook_created_or_modified.toml
index 2e53389f1..c15293fff 100644
--- a/rules/azure/persistence_azure_automation_runbook_created_or_modified.toml
+++ b/rules/azure/persistence_azure_automation_runbook_created_or_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Automation runbook to execute malicious code and maintain persistence in their t
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Automation Runbook Created or Modified"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/persistence_azure_automation_webhook_created.toml b/rules/azure/persistence_azure_automation_webhook_created.toml
index 3245d127b..897559caa 100644
--- a/rules/azure/persistence_azure_automation_webhook_created.toml
+++ b/rules/azure/persistence_azure_automation_webhook_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ adversary may create a webhook in order to trigger a runbook that contains malic
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Automation Webhook Created"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/persistence_azure_conditional_access_policy_modified.toml b/rules/azure/persistence_azure_conditional_access_policy_modified.toml
index 5b0770938..424f6682c 100644
--- a/rules/azure/persistence_azure_conditional_access_policy_modified.toml
+++ b/rules/azure/persistence_azure_conditional_access_policy_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ weaken their target's security controls.
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Conditional Access Policy Modified"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = ["https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"]
diff --git a/rules/azure/persistence_azure_pim_user_added_global_admin.toml b/rules/azure/persistence_azure_pim_user_added_global_admin.toml
index 2c001fdbf..69602dc43 100644
--- a/rules/azure/persistence_azure_pim_user_added_global_admin.toml
+++ b/rules/azure/persistence_azure_pim_user_added_global_admin.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/24"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Global Administrator Role Addition to PIM User"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/persistence_azure_privileged_identity_management_role_modified.toml b/rules/azure/persistence_azure_privileged_identity_management_role_modified.toml
index 8db1b6a44..8e52d7908 100644
--- a/rules/azure/persistence_azure_privileged_identity_management_role_modified.toml
+++ b/rules/azure/persistence_azure_privileged_identity_management_role_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ maintain persistence in their target's environment or modify a PIM role to weake
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Azure Privilege Identity Management Role Modified"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/azure/persistence_mfa_disabled_for_azure_user.toml b/rules/azure/persistence_mfa_disabled_for_azure_user.toml
index 6f1049aa9..c0a0ffdc1 100644
--- a/rules/azure/persistence_mfa_disabled_for_azure_user.toml
+++ b/rules/azure/persistence_mfa_disabled_for_azure_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ for a user account in order to weaken the authentication requirements for the ac
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Multi-Factor Authentication Disabled for an Azure User"
 note = "The Azure Filebeat module must be enabled to use this rule."
 risk_score = 47
diff --git a/rules/azure/persistence_user_added_as_owner_for_azure_application.toml b/rules/azure/persistence_user_added_as_owner_for_azure_application.toml
index 515db430c..8b88fe34b 100644
--- a/rules/azure/persistence_user_added_as_owner_for_azure_application.toml
+++ b/rules/azure/persistence_user_added_as_owner_for_azure_application.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ another account.
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "User Added as Owner for Azure Application"
 note = "The Azure Filebeat module must be enabled to use this rule."
 risk_score = 21
diff --git a/rules/azure/persistence_user_added_as_owner_for_azure_service_principal.toml b/rules/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
index 5924e4569..c19d87165 100644
--- a/rules/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
+++ b/rules/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ application can do in the Azure AD tenant.
 from = "now-25m"
 index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "User Added as Owner for Azure Service Principal"
 note = "The Azure Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
index f1c2408ad..28a57eb64 100644
--- a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
+++ b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/21"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ false_positives = ["Developers performing browsers plugin or extension debugging
 from = "now-9m"
 index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 max_signals = 33
 name = "Potential Cookies Theft via Browser Debugging"
 references = [
diff --git a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
index c4b3b134e..b0f7f6259 100644
--- a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
+++ b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ evidence on a system.
 from = "now-9m"
 index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "WebServer Access Logs Deleted"
 risk_score = 47
 rule_id = "665e7a4f-c58e-4fc6-bc83-87a7572670ac"
diff --git a/rules/cross-platform/discovery_security_software_grep.toml b/rules/cross-platform/discovery_security_software_grep.toml
index 7018a7450..9c7703144 100644
--- a/rules/cross-platform/discovery_security_software_grep.toml
+++ b/rules/cross-platform/discovery_security_software_grep.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/20"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ or Host Firewall details.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "auditbeat-*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Security Software Discovery via Grep"
 risk_score = 47
 rule_id = "870aecc0-cea4-4110-af3f-e02e9b373655"
diff --git a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
index a976c90d9..82bbbe816 100644
--- a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
+++ b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/12"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies the execution of and EggShell Backdoor. EggShell is a
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "EggShell Backdoor Execution"
 references = ["https://github.com/neoneggplant/EggShell"]
 risk_score = 73
diff --git a/rules/cross-platform/execution_python_script_in_cmdline.toml b/rules/cross-platform/execution_python_script_in_cmdline.toml
index 47a901e43..23f4b3843 100644
--- a/rules/cross-platform/execution_python_script_in_cmdline.toml
+++ b/rules/cross-platform/execution_python_script_in_cmdline.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/13"
 maturity = "development"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = ["Legitimate Python scripting activity."]
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Python Script Execution via Command Line"
 risk_score = 47
 rule_id = "ee9f08dc-cf80-4124-94ae-08c405f059ae"
diff --git a/rules/cross-platform/execution_revershell_via_shell_cmd.toml b/rules/cross-platform/execution_revershell_via_shell_cmd.toml
index 48b8e2496..39bbe8207 100644
--- a/rules/cross-platform/execution_revershell_via_shell_cmd.toml
+++ b/rules/cross-platform/execution_revershell_via_shell_cmd.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies the execution of a shell process with suspicious argum
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Reverse Shell Activity via Terminal"
 references = [
     "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md",
diff --git a/rules/cross-platform/execution_suspicious_jar_child_process.toml b/rules/cross-platform/execution_suspicious_jar_child_process.toml
index 4dc89b606..0cd63a9ac 100644
--- a/rules/cross-platform/execution_suspicious_jar_child_process.toml
+++ b/rules/cross-platform/execution_suspicious_jar_child_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ evade detection.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious JAR Child Process"
 risk_score = 47
 rule_id = "8acb7614-1d92-4359-bfcf-478b6d9de150"
diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml
index 90ef323f0..b2d539236 100644
--- a/rules/cross-platform/impact_hosts_file_modified.toml
+++ b/rules/cross-platform/impact_hosts_file_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/07"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ RHEL) and macOS systems.
 from = "now-9m"
 index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Hosts File Modified"
 note = "For Windows systems using Auditbeat, this rule requires adding 'C:/Windows/System32/drivers/etc' as an additional path in the 'file_integrity' module of auditbeat.yml."
 references = ["https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"]
diff --git a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
index b3c4e9636..05ad411c9 100644
--- a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
+++ b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ that is lewd, obscene, racist, or antisemitic in nature, typically resulting of
 """
 index = ["filebeat-*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Zoom Meeting with no Passcode"
 note = "This rule requires the Zoom Filebeat module."
 references = [
diff --git a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
index 239e46e6a..a2e388b34 100644
--- a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
+++ b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/21"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Modification of Standard Authentication Module or Configuration"
 references = [
 "https://github.com/zephrax/linux-pam-backdoor",
diff --git a/rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml b/rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml
index 55cd06719..af7999c33 100644
--- a/rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml
+++ b/rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/15"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = ["Legitimate software or scripts using cron jobs for recurring
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Persistence via Cron Job"
 references = ["https://archive.f-secure.com/weblog/archives/00002576.html", "https://ss64.com/osx/crontab.html"]
 risk_score = 21
diff --git a/rules/cross-platform/persistence_shell_profile_modification.toml b/rules/cross-platform/persistence_shell_profile_modification.toml
index f53706cd8..63547bdae 100644
--- a/rules/cross-platform/persistence_shell_profile_modification.toml
+++ b/rules/cross-platform/persistence_shell_profile_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = ["Changes to the Shell Profile tend to be noisy, a tuning per
 from = "now-9m"
 index = ["logs-endpoint.events.*", "auditbeat-*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Bash Shell Profile Modification"
 references = ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"]
 risk_score = 47
diff --git a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
index 3c80c6ad1..2ea1bead4 100644
--- a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
+++ b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/22"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ authentication. Adversaries may modify it to maintain persistence on a victim ho
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "SSH Authorized Keys File Modification"
 risk_score = 47
 rule_id = "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f"
diff --git a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
index 7c66c2448..e0df3d8aa 100644
--- a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
+++ b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/26"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ of these configurations to execute commands as other users or spawn processes wi
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Privilege Escalation via Sudoers File Modification"
 risk_score = 73
 rule_id = "76152ca1-71d0-4003-9e37-0983e12832da"
diff --git a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
index 5c356b9bb..7b5095135 100644
--- a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
+++ b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/23"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ future.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "lucene"
-license = "Elastic License"
+license = "Elastic License v2"
 max_signals = 33
 name = "Setuid / Setgid Bit Set via chmod"
 risk_score = 21
diff --git a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
index 7232835e9..b104be2a7 100644
--- a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
+++ b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/02/03"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Sudo Heap-Based Buffer Overflow Attempt"
 references = [
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156",
diff --git a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
index f414d1289..ede884934 100644
--- a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
+++ b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/13"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ advantage of these configurations to execute commands as other users or spawn pr
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Sudoers File Modification"
 risk_score = 47
 rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4"
diff --git a/rules/gcp/collection_gcp_pub_sub_subscription_creation.toml b/rules/gcp/collection_gcp_pub_sub_subscription_creation.toml
index 364dc3446..97ec23ad8 100644
--- a/rules/gcp/collection_gcp_pub_sub_subscription_creation.toml
+++ b/rules/gcp/collection_gcp_pub_sub_subscription_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/23"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Pub/Sub Subscription Creation"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/pubsub/docs/overview"]
diff --git a/rules/gcp/collection_gcp_pub_sub_topic_creation.toml b/rules/gcp/collection_gcp_pub_sub_topic_creation.toml
index a578dcb77..196be90b9 100644
--- a/rules/gcp/collection_gcp_pub_sub_topic_creation.toml
+++ b/rules/gcp/collection_gcp_pub_sub_topic_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/23"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Pub/Sub Topic Creation"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/pubsub/docs/admin"]
diff --git a/rules/gcp/defense_evasion_gcp_firewall_rule_created.toml b/rules/gcp/defense_evasion_gcp_firewall_rule_created.toml
index 99f9ffda4..ce3664160 100644
--- a/rules/gcp/defense_evasion_gcp_firewall_rule_created.toml
+++ b/rules/gcp/defense_evasion_gcp_firewall_rule_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Firewall Rule Creation"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/vpc/docs/firewalls"]
diff --git a/rules/gcp/defense_evasion_gcp_firewall_rule_deleted.toml b/rules/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
index 42d2d7d55..082fc6af0 100644
--- a/rules/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
+++ b/rules/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Firewall Rule Deletion"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/vpc/docs/firewalls"]
diff --git a/rules/gcp/defense_evasion_gcp_firewall_rule_modified.toml b/rules/gcp/defense_evasion_gcp_firewall_rule_modified.toml
index cde5d9cc6..945eb96c8 100644
--- a/rules/gcp/defense_evasion_gcp_firewall_rule_modified.toml
+++ b/rules/gcp/defense_evasion_gcp_firewall_rule_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Firewall Rule Modification"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/vpc/docs/firewalls"]
diff --git a/rules/gcp/defense_evasion_gcp_logging_bucket_deletion.toml b/rules/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
index a2e02e6cd..5ac477009 100644
--- a/rules/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
+++ b/rules/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Logging Bucket Deletion"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/logging/docs/buckets", "https://cloud.google.com/logging/docs/storage"]
diff --git a/rules/gcp/defense_evasion_gcp_logging_sink_deletion.toml b/rules/gcp/defense_evasion_gcp_logging_sink_deletion.toml
index c6f120c8c..17ebbe970 100644
--- a/rules/gcp/defense_evasion_gcp_logging_sink_deletion.toml
+++ b/rules/gcp/defense_evasion_gcp_logging_sink_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Logging Sink Deletion"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/logging/docs/export"]
diff --git a/rules/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml b/rules/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
index b17b0d5dc..0f9a6cdb6 100644
--- a/rules/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
+++ b/rules/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/23"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Pub/Sub Subscription Deletion"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/pubsub/docs/overview"]
diff --git a/rules/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml b/rules/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
index a66a0cf3b..7a0bdaeb5 100644
--- a/rules/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
+++ b/rules/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Pub/Sub Topic Deletion"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/pubsub/docs/overview"]
diff --git a/rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml b/rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
index 4f020c777..35decf433 100644
--- a/rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
+++ b/rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Storage Bucket Configuration Modification"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/storage/docs/key-terms#buckets"]
diff --git a/rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml b/rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
index 25e101d64..25d059aba 100644
--- a/rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
+++ b/rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Storage Bucket Permissions Modification"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/storage/docs/access-control/iam-permissions"]
diff --git a/rules/gcp/exfiltration_gcp_logging_sink_modification.toml b/rules/gcp/exfiltration_gcp_logging_sink_modification.toml
index 5cb16669b..57ceaddd4 100644
--- a/rules/gcp/exfiltration_gcp_logging_sink_modification.toml
+++ b/rules/gcp/exfiltration_gcp_logging_sink_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Logging Sink Modification"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/logging/docs/export#how_sinks_work"]
diff --git a/rules/gcp/impact_gcp_iam_role_deletion.toml b/rules/gcp/impact_gcp_iam_role_deletion.toml
index 287a46743..980f6432b 100644
--- a/rules/gcp/impact_gcp_iam_role_deletion.toml
+++ b/rules/gcp/impact_gcp_iam_role_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP IAM Role Deletion"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/iam/docs/understanding-roles"]
diff --git a/rules/gcp/impact_gcp_service_account_deleted.toml b/rules/gcp/impact_gcp_service_account_deleted.toml
index ad324d745..ef5b9a3b6 100644
--- a/rules/gcp/impact_gcp_service_account_deleted.toml
+++ b/rules/gcp/impact_gcp_service_account_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Service Account Deletion"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/iam/docs/service-accounts"]
diff --git a/rules/gcp/impact_gcp_service_account_disabled.toml b/rules/gcp/impact_gcp_service_account_disabled.toml
index 39e6ba0c0..24c6e4bb6 100644
--- a/rules/gcp/impact_gcp_service_account_disabled.toml
+++ b/rules/gcp/impact_gcp_service_account_disabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Service Account Disabled"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/iam/docs/service-accounts"]
diff --git a/rules/gcp/impact_gcp_storage_bucket_deleted.toml b/rules/gcp/impact_gcp_storage_bucket_deleted.toml
index 4d5922151..58773704a 100644
--- a/rules/gcp/impact_gcp_storage_bucket_deleted.toml
+++ b/rules/gcp/impact_gcp_storage_bucket_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Storage Bucket Deletion"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/storage/docs/key-terms#buckets"]
diff --git a/rules/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml b/rules/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
index f870cfd0a..053d2267b 100644
--- a/rules/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
+++ b/rules/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Virtual Private Cloud Network Deletion"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/vpc/docs/vpc"]
diff --git a/rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml b/rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml
index 5be9a2f5a..f1a32ea39 100644
--- a/rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml
+++ b/rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Virtual Private Cloud Route Creation"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.com/vpc/docs/using-routes"]
diff --git a/rules/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml b/rules/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml
index b53d0fdd6..2d2dfb7eb 100644
--- a/rules/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml
+++ b/rules/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Virtual Private Cloud Route Deletion"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.com/vpc/docs/using-routes"]
diff --git a/rules/gcp/initial_access_gcp_iam_custom_role_creation.toml b/rules/gcp/initial_access_gcp_iam_custom_role_creation.toml
index 5f0f07f4e..c17077902 100644
--- a/rules/gcp/initial_access_gcp_iam_custom_role_creation.toml
+++ b/rules/gcp/initial_access_gcp_iam_custom_role_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP IAM Custom Role Creation"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/iam/docs/understanding-custom-roles"]
diff --git a/rules/gcp/persistence_gcp_iam_service_account_key_deletion.toml b/rules/gcp/persistence_gcp_iam_service_account_key_deletion.toml
index 0ed1ab4f0..669ec9249 100644
--- a/rules/gcp/persistence_gcp_iam_service_account_key_deletion.toml
+++ b/rules/gcp/persistence_gcp_iam_service_account_key_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP IAM Service Account Key Deletion"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/gcp/persistence_gcp_key_created_for_service_account.toml b/rules/gcp/persistence_gcp_key_created_for_service_account.toml
index 5354563bd..b0e053784 100644
--- a/rules/gcp/persistence_gcp_key_created_for_service_account.toml
+++ b/rules/gcp/persistence_gcp_key_created_for_service_account.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Service Account Key Creation"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/gcp/persistence_gcp_service_account_created.toml b/rules/gcp/persistence_gcp_service_account_created.toml
index 70e43f6eb..39b4155f8 100644
--- a/rules/gcp/persistence_gcp_service_account_created.toml
+++ b/rules/gcp/persistence_gcp_service_account_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "GCP Service Account Creation"
 note = "The GCP Filebeat module must be enabled to use this rule."
 references = ["https://cloud.google.com/iam/docs/service-accounts"]
diff --git a/rules/google-workspace/application_added_to_google_workspace_domain.toml b/rules/google-workspace/application_added_to_google_workspace_domain.toml
index b54283e68..fc6a78204 100644
--- a/rules/google-workspace/application_added_to_google_workspace_domain.toml
+++ b/rules/google-workspace/application_added_to_google_workspace_domain.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ from = "now-130m"
 index = ["filebeat-*", "logs-google_workspace*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Application Added to Google Workspace Domain"
 note = """### Important Information Regarding Google Workspace Event Lag Times
 - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
diff --git a/rules/google-workspace/domain_added_to_google_workspace_trusted_domains.toml b/rules/google-workspace/domain_added_to_google_workspace_trusted_domains.toml
index c7463ee8c..2b19c8998 100644
--- a/rules/google-workspace/domain_added_to_google_workspace_trusted_domains.toml
+++ b/rules/google-workspace/domain_added_to_google_workspace_trusted_domains.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ from = "now-130m"
 index = ["filebeat-*", "logs-google_workspace*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Domain Added to Google Workspace Trusted Domains"
 note = """### Important Information Regarding Google Workspace Event Lag Times
 - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
diff --git a/rules/google-workspace/google_workspace_admin_role_deletion.toml b/rules/google-workspace/google_workspace_admin_role_deletion.toml
index 16c71a40b..e73d06a8b 100644
--- a/rules/google-workspace/google_workspace_admin_role_deletion.toml
+++ b/rules/google-workspace/google_workspace_admin_role_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ from = "now-130m"
 index = ["filebeat-*", "logs-google_workspace*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Google Workspace Admin Role Deletion"
 note = """### Important Information Regarding Google Workspace Event Lag Times
 - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
diff --git a/rules/google-workspace/google_workspace_mfa_enforcement_disabled.toml b/rules/google-workspace/google_workspace_mfa_enforcement_disabled.toml
index acbb3e381..9b004a660 100644
--- a/rules/google-workspace/google_workspace_mfa_enforcement_disabled.toml
+++ b/rules/google-workspace/google_workspace_mfa_enforcement_disabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ from = "now-130m"
 index = ["filebeat-*", "logs-google_workspace*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Google Workspace MFA Enforcement Disabled"
 note = """### Important Information Regarding Google Workspace Event Lag Times
 - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
diff --git a/rules/google-workspace/google_workspace_policy_modified.toml b/rules/google-workspace/google_workspace_policy_modified.toml
index c2280b2e0..a822c3bb7 100644
--- a/rules/google-workspace/google_workspace_policy_modified.toml
+++ b/rules/google-workspace/google_workspace_policy_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ from = "now-130m"
 index = ["filebeat-*", "logs-google_workspace*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Google Workspace Password Policy Modified"
 note = """### Important Information Regarding Google Workspace Event Lag Times
 - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
diff --git a/rules/google-workspace/mfa_disabled_for_google_workspace_organization.toml b/rules/google-workspace/mfa_disabled_for_google_workspace_organization.toml
index 361857dd7..109d2549e 100644
--- a/rules/google-workspace/mfa_disabled_for_google_workspace_organization.toml
+++ b/rules/google-workspace/mfa_disabled_for_google_workspace_organization.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ from = "now-130m"
 index = ["filebeat-*", "logs-google_workspace*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "MFA Disabled for Google Workspace Organization"
 note = """### Important Information Regarding Google Workspace Event Lag Times
 - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
diff --git a/rules/google-workspace/persistence_google_workspace_admin_role_assigned_to_user.toml b/rules/google-workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
index e9ed12fdc..109659514 100644
--- a/rules/google-workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
+++ b/rules/google-workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ from = "now-130m"
 index = ["filebeat-*", "logs-google_workspace*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Google Workspace Admin Role Assigned to a User"
 note = """### Important Information Regarding Google Workspace Event Lag Times
 - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
diff --git a/rules/google-workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml b/rules/google-workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
index 7833e15d0..e620c2bde 100644
--- a/rules/google-workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
+++ b/rules/google-workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/12"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ from = "now-130m"
 index = ["filebeat-*", "logs-google_workspace*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Google Workspace API Access Granted via Domain-Wide Delegation of Authority"
 note = """### Important Information Regarding Google Workspace Event Lag Times
 - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
diff --git a/rules/google-workspace/persistence_google_workspace_custom_admin_role_created.toml b/rules/google-workspace/persistence_google_workspace_custom_admin_role_created.toml
index 35f937b5a..92d427563 100644
--- a/rules/google-workspace/persistence_google_workspace_custom_admin_role_created.toml
+++ b/rules/google-workspace/persistence_google_workspace_custom_admin_role_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ from = "now-130m"
 index = ["filebeat-*", "logs-google_workspace*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Google Workspace Custom Admin Role Created"
 note = """### Important Information Regarding Google Workspace Event Lag Times
 - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
diff --git a/rules/google-workspace/persistence_google_workspace_role_modified.toml b/rules/google-workspace/persistence_google_workspace_role_modified.toml
index 2799f51b4..e612b0955 100644
--- a/rules/google-workspace/persistence_google_workspace_role_modified.toml
+++ b/rules/google-workspace/persistence_google_workspace_role_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ from = "now-130m"
 index = ["filebeat-*", "logs-google_workspace*"]
 interval = "10m"
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Google Workspace Role Modified"
 note = """### Important Information Regarding Google Workspace Event Lag Times
 - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml
index 84de80a36..974b60247 100644
--- a/rules/linux/credential_access_collection_sensitive_files.toml
+++ b/rules/linux/credential_access_collection_sensitive_files.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/22"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ and system configurations.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Sensitive Files Compression"
 references = [
 "https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html",
diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml
index 2cc053e8b..524cf72bd 100644
--- a/rules/linux/credential_access_ssh_backdoor_log.toml
+++ b/rules/linux/credential_access_ssh_backdoor_log.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/21"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ false_positives = ["Updates to approved and trusted SSH executables can trigger
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential OpenSSH Backdoor Logging Activity"
 references = [
 "https://github.com/eset/malware-ioc/tree/master/sshdoor",
diff --git a/rules/linux/credential_access_tcpdump_activity.toml b/rules/linux/credential_access_tcpdump_activity.toml
index 849e77412..cbe991846 100644
--- a/rules/linux/credential_access_tcpdump_activity.toml
+++ b/rules/linux/credential_access_tcpdump_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Network Sniffing via Tcpdump"
 risk_score = 21
 rule_id = "7a137d76-ce3d-48e2-947d-2747796a78c0"
diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
index 3c9ff0c9d..9b0638931 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/24"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ receive or send network traffic.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Attempt to Disable IPTables or Firewall"
 risk_score = 47
 rule_id = "125417b8-d3df-479f-8418-12d7e034fee3"
diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
index 8db4eb600..6fbe0d379 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/27"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ detection by security controls.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Attempt to Disable Syslog Service"
 risk_score = 47
 rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194"
diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
index 649422604..b5e5cf34a 100644
--- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
+++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Base16 or Base32 Encoding/Decoding Activity"
 risk_score = 21
 rule_id = "debff20a-46bc-4a4d-bae5-5cdd14222795"
diff --git a/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml
index 0c582b4b3..a05793044 100644
--- a/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml
+++ b/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Base64 Encoding/Decoding Activity"
 risk_score = 21
 rule_id = "97f22dab-84e8-409d-955e-dacd1d31670b"
diff --git a/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
index a260a2cfb..d6298a198 100644
--- a/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
+++ b/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/04"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ investigations.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Tampering of Bash Command-Line History"
 risk_score = 47
 rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
@@ -50,3 +50,4 @@ reference = "https://attack.mitre.org/techniques/T1070/003/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml
index ee9317630..e712df9eb 100644
--- a/rules/linux/defense_evasion_disable_selinux_attempt.toml
+++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/22"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ activities.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Disabling of SELinux"
 risk_score = 47
 rule_id = "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e"
diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml
index bf92a747d..13c7192ca 100644
--- a/rules/linux/defense_evasion_file_deletion_via_shred.toml
+++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/27"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ remove them at the end as part of the post-intrusion cleanup process.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "File Deletion via Shred"
 risk_score = 21
 rule_id = "a1329140-8de3-4445-9f87-908fb6d824f4"
diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml
index c98935283..fd9012555 100644
--- a/rules/linux/defense_evasion_file_mod_writable_dir.toml
+++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/21"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "File Permission Modification in Writable Directory"
 risk_score = 21
 rule_id = "9f9a2a82-93a8-4b1a-8778-1780895626d4"
diff --git a/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml
index eb15faa32..b0ff5b3de 100644
--- a/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml
+++ b/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Hex Encoding/Decoding Activity"
 risk_score = 21
 rule_id = "a9198571-b135-4a76-b055-e3e5a476fd83"
diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
index f4511a806..41c6a9f72 100644
--- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
+++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/29"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "lucene"
-license = "Elastic License"
+license = "Elastic License v2"
 max_signals = 33
 name = "Creation of Hidden Files and Directories"
 risk_score = 47
diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml
index 779693daf..da385d91c 100644
--- a/rules/linux/defense_evasion_kernel_module_removal.toml
+++ b/rules/linux/defense_evasion_kernel_module_removal.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/24"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Kernel Module Removal"
 references = ["http://man7.org/linux/man-pages/man8/modprobe.8.html"]
 risk_score = 73
diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml
index 2d655265e..86b49de39 100644
--- a/rules/linux/defense_evasion_log_files_deleted.toml
+++ b/rules/linux/defense_evasion_log_files_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ forensic evidence on a system.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "System Log File Deletion"
 references = [
 "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html",
diff --git a/rules/linux/defense_evasion_timestomp_touch.toml b/rules/linux/defense_evasion_timestomp_touch.toml
index ebdf4c185..80c4b29dc 100644
--- a/rules/linux/defense_evasion_timestomp_touch.toml
+++ b/rules/linux/defense_evasion_timestomp_touch.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ are in the same folder.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 max_signals = 33
 name = "Timestomping using Touch Command"
 risk_score = 47
@@ -45,3 +45,4 @@ reference = "https://attack.mitre.org/techniques/T1070/006/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml
index 5ca7bea94..732997b8e 100644
--- a/rules/linux/discovery_kernel_module_enumeration.toml
+++ b/rules/linux/discovery_kernel_module_enumeration.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/23"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Enumeration of Kernel Modules"
 risk_score = 47
 rule_id = "2d8043ed-5bda-4caf-801c-c1feb7410504"
diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml
index dc447b0ca..044841ca2 100644
--- a/rules/linux/discovery_virtual_machine_fingerprinting.toml
+++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/27"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Virtual Machine Fingerprinting"
 risk_score = 73
 rule_id = "5b03c9fb-9945-4d2f-9568-fd690fee3fba"
diff --git a/rules/linux/discovery_whoami_commmand.toml b/rules/linux/discovery_whoami_commmand.toml
index ff2d9ab2d..26219cd15 100644
--- a/rules/linux/discovery_whoami_commmand.toml
+++ b/rules/linux/discovery_whoami_commmand.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "User Discovery via Whoami"
 risk_score = 21
 rule_id = "120559c6-5e24-49f4-9e30-8ffe697df6b9"
diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml
index 9d3516c5a..baf9c4323 100644
--- a/rules/linux/execution_perl_tty_shell.toml
+++ b/rules/linux/execution_perl_tty_shell.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/16"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ interactive tty after obtaining initial access to a host.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Interactive Terminal Spawned via Perl"
 risk_score = 73
 rule_id = "05e5a668-7b51-4a67-93ab-e9af405c9ef3"
diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml
index ba16bcb0e..ebef8d618 100644
--- a/rules/linux/execution_python_tty_shell.toml
+++ b/rules/linux/execution_python_tty_shell.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/15"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ interactive tty after obtaining initial access to a host.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Interactive Terminal Spawned via Python"
 risk_score = 73
 rule_id = "d76b02ef-fc95-4001-9297-01cb7412232f"
diff --git a/rules/linux/initial_access_login_failures.toml b/rules/linux/initial_access_login_failures.toml
index f093c08b4..6f1f569b9 100644
--- a/rules/linux/initial_access_login_failures.toml
+++ b/rules/linux/initial_access_login_failures.toml
@@ -1,14 +1,14 @@
 [metadata]
 creation_date = "2020/07/08"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies that the maximum number of failed login attempts has been reached for a user."
 index = ["auditbeat-*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Auditd Max Failed Login Attempts"
 references = [
 "https://github.com/linux-pam/linux-pam/blob/0adbaeb273da1d45213134aa271e95987103281c/modules/pam_faillock/pam_faillock.c#L574",
diff --git a/rules/linux/initial_access_login_location.toml b/rules/linux/initial_access_login_location.toml
index c19fc1b03..a617d4719 100644
--- a/rules/linux/initial_access_login_location.toml
+++ b/rules/linux/initial_access_login_location.toml
@@ -1,14 +1,14 @@
 [metadata]
 creation_date = "2020/07/08"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies that a login attempt has happened from a forbidden location."
 index = ["auditbeat-*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Auditd Login from Forbidden Location"
 references = [
 "https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_access/pam_access.c#L412",
diff --git a/rules/linux/initial_access_login_sessions.toml b/rules/linux/initial_access_login_sessions.toml
index 21b868c4b..4016c276d 100644
--- a/rules/linux/initial_access_login_sessions.toml
+++ b/rules/linux/initial_access_login_sessions.toml
@@ -1,14 +1,14 @@
 [metadata]
 creation_date = "2020/07/08"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies that the maximum number login sessions has been reached for a user."
 index = ["auditbeat-*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Auditd Max Login Sessions"
 references = [
 "https://github.com/linux-pam/linux-pam/blob/70c32cc6fca51338f92afa58eb75b1107a5c2430/modules/pam_limits/pam_limits.c#L1007",
diff --git a/rules/linux/initial_access_login_time.toml b/rules/linux/initial_access_login_time.toml
index 143a01bd6..7e2696c93 100644
--- a/rules/linux/initial_access_login_time.toml
+++ b/rules/linux/initial_access_login_time.toml
@@ -1,14 +1,14 @@
 [metadata]
 creation_date = "2020/07/08"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies that a login attempt occurred at a forbidden time."
 index = ["auditbeat-*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Auditd Login Attempt at Forbidden Time"
 references = [
 "https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_time/pam_time.c#L666",
diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml
index 6393305d7..2e152039e 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_external.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/23"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Connection to External Network via Telnet"
 risk_score = 47
 rule_id = "e19e64ee-130e-4c07-961f-8a339f0b8362"
diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
index 6238d0741..620fc0f59 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/23"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Connection to Internal Network via Telnet"
 risk_score = 47
 rule_id = "1b21abcc-4d9f-4b08-a7f5-316f5f94b973"
diff --git a/rules/linux/linux_hping_activity.toml b/rules/linux/linux_hping_activity.toml
index 456cc65eb..429d1a38b 100644
--- a/rules/linux/linux_hping_activity.toml
+++ b/rules/linux/linux_hping_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Hping Process Activity"
 references = ["https://en.wikipedia.org/wiki/Hping"]
 risk_score = 73
diff --git a/rules/linux/linux_iodine_activity.toml b/rules/linux/linux_iodine_activity.toml
index f4a4639fe..9ba5ba032 100644
--- a/rules/linux/linux_iodine_activity.toml
+++ b/rules/linux/linux_iodine_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential DNS Tunneling via Iodine"
 references = ["https://code.kryo.se/iodine/"]
 risk_score = 73
diff --git a/rules/linux/linux_mknod_activity.toml b/rules/linux/linux_mknod_activity.toml
index 048758f4b..8ab0a9e5c 100644
--- a/rules/linux/linux_mknod_activity.toml
+++ b/rules/linux/linux_mknod_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Mknod Process Activity"
 references = [
 "https://web.archive.org/web/20191218024607/https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem/",
diff --git a/rules/linux/linux_netcat_network_connection.toml b/rules/linux/linux_netcat_network_connection.toml
index 821a7d577..66b6bc774 100644
--- a/rules/linux/linux_netcat_network_connection.toml
+++ b/rules/linux/linux_netcat_network_connection.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Netcat Network Activity"
 references = [
 "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
diff --git a/rules/linux/linux_nmap_activity.toml b/rules/linux/linux_nmap_activity.toml
index e52019b8c..d6bdcab1a 100644
--- a/rules/linux/linux_nmap_activity.toml
+++ b/rules/linux/linux_nmap_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Nmap Process Activity"
 references = ["https://en.wikipedia.org/wiki/Nmap"]
 risk_score = 21
diff --git a/rules/linux/linux_nping_activity.toml b/rules/linux/linux_nping_activity.toml
index a1e6ac148..aec8fb736 100644
--- a/rules/linux/linux_nping_activity.toml
+++ b/rules/linux/linux_nping_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Nping Process Activity"
 references = ["https://en.wikipedia.org/wiki/Nmap"]
 risk_score = 47
diff --git a/rules/linux/linux_process_started_in_temp_directory.toml b/rules/linux/linux_process_started_in_temp_directory.toml
index 6e2aac593..f619b4c63 100644
--- a/rules/linux/linux_process_started_in_temp_directory.toml
+++ b/rules/linux/linux_process_started_in_temp_directory.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Unusual Process Execution - Temp"
 risk_score = 47
 rule_id = "df959768-b0c9-4d45-988c-5606a2be8e5a"
diff --git a/rules/linux/linux_socat_activity.toml b/rules/linux/linux_socat_activity.toml
index 71a024ac6..4cb73f1ba 100644
--- a/rules/linux/linux_socat_activity.toml
+++ b/rules/linux/linux_socat_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Socat Process Activity"
 references = ["https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/#method-2-using-socat"]
 risk_score = 47
diff --git a/rules/linux/linux_strace_activity.toml b/rules/linux/linux_strace_activity.toml
index 80afb10b0..ad7333bd5 100644
--- a/rules/linux/linux_strace_activity.toml
+++ b/rules/linux/linux_strace_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Strace Process Activity"
 references = ["https://en.wikipedia.org/wiki/Strace"]
 risk_score = 21
diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
index 15f10dd84..a5aa08cf8 100644
--- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
+++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/21"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Modification of OpenSSH Binaries"
 references = ["https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html"]
 risk_score = 47
diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml
index bfd990d73..42942c516 100644
--- a/rules/linux/persistence_kde_autostart_modification.toml
+++ b/rules/linux/persistence_kde_autostart_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/06"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ execute upon each user logon. Adversaries may abuse this method for persistence.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Persistence via KDE AutoStart Script or Desktop File Modification"
 references = [
 "https://userbase.kde.org/System_Settings/Autostart",
diff --git a/rules/linux/persistence_kernel_module_activity.toml b/rules/linux/persistence_kernel_module_activity.toml
index 1e7dcb1fc..ced0ec3ee 100644
--- a/rules/linux/persistence_kernel_module_activity.toml
+++ b/rules/linux/persistence_kernel_module_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Persistence via Kernel Module Modification"
 references = [
 "https://www.hackers-arise.com/single-post/2017/11/03/Linux-for-Hackers-Part-10-Loadable-Kernel-Modules-LKM",
diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/linux/persistence_shell_activity_by_web_server.toml
index 28efd1873..221bc3bec 100644
--- a/rules/linux/persistence_shell_activity_by_web_server.toml
+++ b/rules/linux/persistence_shell_activity_by_web_server.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = [
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Shell via Web Server"
 references = ["https://pentestlab.blog/tag/web-shell/"]
 risk_score = 47
diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
index f3676097a..2b2c84c31 100644
--- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
+++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/27"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ payloads by hijacking the dynamic linker used to load libraries.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Modification of Dynamic Linker Preload Shared Object"
 references = [
 "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
diff --git a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
index 9e98af23e..f8595b3b2 100644
--- a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
+++ b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/04"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Adversaries may acquire credentials from web browsers by reading files specific
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Access of Stored Browser Credentials"
 references = ["https://securelist.com/calisto-trojan-for-macos/86543/"]
 risk_score = 73
diff --git a/rules/macos/credential_access_credentials_keychains.toml b/rules/macos/credential_access_credentials_keychains.toml
index 009616ca0..5592924d5 100644
--- a/rules/macos/credential_access_credentials_keychains.toml
+++ b/rules/macos/credential_access_credentials_keychains.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ websites, secure notes and certificates.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Access to Keychain Credentials Directories"
 references = [
 "https://objective-see.com/blog/blog_0x25.html",
@@ -57,3 +57,4 @@ reference = "https://attack.mitre.org/techniques/T1555/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
index 82a5e907e..a70a2b68d 100644
--- a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
+++ b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/25"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ lateral movement.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Dumping Account Hashes via Built-In Commands"
 references = [
 "https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored",
diff --git a/rules/macos/credential_access_dumping_keychain_security.toml b/rules/macos/credential_access_dumping_keychain_security.toml
index 51fc2ac58..84dbc6038 100644
--- a/rules/macos/credential_access_dumping_keychain_security.toml
+++ b/rules/macos/credential_access_dumping_keychain_security.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ and website passwords, secure notes, certificates, and Kerberos.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Dumping of Keychain Content via Security Command"
 references = ["https://ss64.com/osx/security.html"]
 risk_score = 73
diff --git a/rules/macos/credential_access_kerberosdump_kcc.toml b/rules/macos/credential_access_kerberosdump_kcc.toml
index 5c7959c5a..d8d1841ff 100644
--- a/rules/macos/credential_access_kerberosdump_kcc.toml
+++ b/rules/macos/credential_access_kerberosdump_kcc.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies the use of the Kerberos credential cache (kcc) utility
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Kerberos Cached Credentials Dumping"
 references = [
 "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py",
diff --git a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
index 901b9f3c7..5e6de5b52 100644
--- a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
+++ b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/06"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ false_positives = ["Trusted parent processes accessing their respective applicat
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Keychain Password Retrieval via Command Line"
 references = [
 "https://www.netmeister.org/blog/keychain-passwords.html",
diff --git a/rules/macos/credential_access_mitm_localhost_webproxy.toml b/rules/macos/credential_access_mitm_localhost_webproxy.toml
index b23906bbc..1dd3b7045 100644
--- a/rules/macos/credential_access_mitm_localhost_webproxy.toml
+++ b/rules/macos/credential_access_mitm_localhost_webproxy.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/05"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = ["Legitimate WebProxy Settings Modification"]
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "WebProxy Settings Modification"
 references = [
 "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/",
diff --git a/rules/macos/credential_access_potential_ssh_bruteforce.toml b/rules/macos/credential_access_potential_ssh_bruteforce.toml
index 7de09f523..6ea7cc875 100644
--- a/rules/macos/credential_access_potential_ssh_bruteforce.toml
+++ b/rules/macos/credential_access_potential_ssh_bruteforce.toml
@@ -1,18 +1,18 @@
 [metadata]
 creation_date = "2020/11/16"
 maturity = "production"
-updated_date = "2020/11/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a brute
-force attack to obtain unauthorized access to user accounts.
+Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a
+brute force attack to obtain unauthorized access to user accounts.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential SSH Brute Force Detected"
 references = ["https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/"]
 risk_score = 47
@@ -42,3 +42,4 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
 [rule.threshold]
 field = "host.id"
 value = 20
+
diff --git a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
index 109e13f56..994a99d21 100644
--- a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
+++ b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/16"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ credentials.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Prompt for Credentials with OSASCRIPT"
 references = [
 "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py",
@@ -48,3 +48,4 @@ reference = "https://attack.mitre.org/techniques/T1056/002/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/macos/credential_access_systemkey_dumping.toml b/rules/macos/credential_access_systemkey_dumping.toml
index d8166c7dd..7dc0ab8e1 100644
--- a/rules/macos/credential_access_systemkey_dumping.toml
+++ b/rules/macos/credential_access_systemkey_dumping.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ keychain storage data from a system to acquire credentials.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "SystemKey Access via Command Line"
 references = ["https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py"]
 risk_score = 73
diff --git a/rules/macos/defense_evasion_apple_softupdates_modification.toml b/rules/macos/defense_evasion_apple_softupdates_modification.toml
index b2a715b77..9d1d262aa 100644
--- a/rules/macos/defense_evasion_apple_softupdates_modification.toml
+++ b/rules/macos/defense_evasion_apple_softupdates_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/15"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = ["Authorized SoftwareUpdate Settings Changes"]
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "SoftwareUpdate Preferences Modification"
 references = ["https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/"]
 risk_score = 47
diff --git a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
index 3a9d3fb1a..8fc3008ed 100644
--- a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
+++ b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ time. An adversary may disable this attribute to evade defenses.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Attempt to Remove File Quarantine Attribute"
 references = [
 "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html",
diff --git a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
index 4a6b8bded..6eacbcd67 100644
--- a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
+++ b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/11"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ trusted software is run. Adversaries may attempt to disable Gatekeeper before ex
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Attempt to Disable Gatekeeper"
 references = [
 "https://support.apple.com/en-us/HT202491",
diff --git a/rules/macos/defense_evasion_install_root_certificate.toml b/rules/macos/defense_evasion_install_root_certificate.toml
index d125e9cc8..fae68587e 100644
--- a/rules/macos/defense_evasion_install_root_certificate.toml
+++ b/rules/macos/defense_evasion_install_root_certificate.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/13"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ false_positives = ["Certain applications may install root certificates for the p
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Attempt to Install Root Certificate"
 references = ["https://ss64.com/osx/security-cert.html"]
 risk_score = 47
diff --git a/rules/macos/defense_evasion_modify_environment_launchctl.toml b/rules/macos/defense_evasion_modify_environment_launchctl.toml
index f2b64d941..053efdd88 100644
--- a/rules/macos/defense_evasion_modify_environment_launchctl.toml
+++ b/rules/macos/defense_evasion_modify_environment_launchctl.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/14"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ restrictions.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Modification of Environment Variable via Launchctl"
 references = [
 "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb",
diff --git a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
index bfcfba7ba..452ae6d73 100644
--- a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
+++ b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ microphone, address book, and calendar.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Privacy Control Bypass via TCCDB Modification"
 references = [
 "https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/",
diff --git a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
index e104f972a..a145e387c 100644
--- a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
+++ b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/11"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ privacy controls to access sensitive files.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Privacy Control Bypass via Localhost Secure Copy"
 references = [
 "https://blog.trendmicro.com/trendlabs-security-intelligence/xcsset-mac-malware-infects-xcode-projects-performs-uxss-attack-on-safari-other-browsers-leverages-zero-day-exploits/",
diff --git a/rules/macos/defense_evasion_safari_config_change.toml b/rules/macos/defense_evasion_safari_config_change.toml
index b5022cef6..268fe3771 100644
--- a/rules/macos/defense_evasion_safari_config_change.toml
+++ b/rules/macos/defense_evasion_safari_config_change.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/14"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ browser.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Modification of Safari Settings via Defaults Command"
 references = ["https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"]
 risk_score = 47
diff --git a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
index 23fa1cf2d..16e134cef 100644
--- a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
+++ b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/11"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ AutoStart location to achieve sandbox evasion.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Microsoft Office Sandbox Evasion"
 references = [
 "https://i.blackhat.com/USA-20/Wednesday/us-20-Wardle-Office-Drama-On-macOS.pdf",
diff --git a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
index a06ef6bae..38ef18992 100644
--- a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
+++ b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/04"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ system, including all user data and files protected by Apple’s privacy framewo
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "TCC Bypass via Mounted APFS Snapshot Access"
 references = ["https://theevilbit.github.io/posts/cve_2020_9771/"]
 risk_score = 73
diff --git a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
index ff25023b0..7d4fe892b 100644
--- a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
+++ b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/05"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies attempts to unload the Elastic Endpoint Security kerne
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Attempt to Unload Elastic Endpoint Security Kernel Extension"
 risk_score = 73
 rule_id = "70fa1af4-27fd-4f26-bd03-50b6af6b9e24"
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
index e25336cd8..364134791 100644
--- a/rules/macos/discovery_users_domain_built_in_commands.toml
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/12"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies the execution of macOS built-in commands related to ac
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Enumeration of Users or Groups via Built-in Commands"
 risk_score = 21
 rule_id = "6e9b351e-a531-4bdc-b73e-7034d6eed7ff"
diff --git a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
index 5d2d74362..cbff61140 100644
--- a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
+++ b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ child_process Node.js module. Adversaries may abuse this technique to inherit pe
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Execution via Electron Child Process Node.js Module"
 references = [
 "https://www.matthewslipper.com/2019/09/22/everything-you-wanted-electron-child-process.html",
diff --git a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
index 5dd6f2ff0..87dde1bde 100644
--- a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
+++ b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ for exploitation.
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious Browser Child Process"
 references = [
 "https://objective-see.com/blog/blog_0x43.html",
diff --git a/rules/macos/execution_installer_spawned_network_event.toml b/rules/macos/execution_installer_spawned_network_event.toml
index 51c8c3848..b291a6c59 100644
--- a/rules/macos/execution_installer_spawned_network_event.toml
+++ b/rules/macos/execution_installer_spawned_network_event.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/02/23"
 maturity = "production"
-updated_date = "2021/02/23"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "macOS Installer Spawns Network Event"
 references = ["https://redcanary.com/blog/clipping-silver-sparrows-wings"]
 risk_score = 47
@@ -79,3 +79,4 @@ reference = "https://attack.mitre.org/techniques/T1071/001/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/macos/execution_script_via_automator_workflows.toml b/rules/macos/execution_script_via_automator_workflows.toml
index d81c79851..4636116f4 100644
--- a/rules/macos/execution_script_via_automator_workflows.toml
+++ b/rules/macos/execution_script_via_automator_workflows.toml
@@ -1,18 +1,19 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2020/12/23"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service. Adversaries may drop a custom workflow template that hosts
-malicious JavaScript for Automation (JXA) code as an alternative to using osascript.
+Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service.
+Adversaries may drop a custom workflow template that hosts malicious JavaScript for Automation (JXA) code as an
+alternative to using osascript.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious Automator Workflows Execution"
 references = ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"]
 risk_score = 47
@@ -40,3 +41,4 @@ reference = "https://attack.mitre.org/techniques/T1059/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
index 8bc3db0a1..6882fe89d 100644
--- a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
+++ b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
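Review bot: The re-wrapped description on the new side of the first hunk in execution_script_via_automator_workflows.toml still reads `it's XPC service`, a contraction where the possessive `its XPC service` is meant. Since this commit already rewrites those description lines, the one-word fix belongs in the same change rather than a follow-up. The remainder of the hunk is the license string and updated_date bump applied across the rest of the patch and needs no further comment.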
@@ -1,19 +1,18 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2020/12/07"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects execution via the Apple script interpreter (osascript) followed by a network connection from
-the same process within a short time period. Adversaries may use malicious scripts for execution and command and
-control.
+Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process
+within a short time period. Adversaries may use malicious scripts for execution and command and control.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Apple Script Execution followed by Network Connection"
 references = [
 "https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html",
@@ -64,3 +63,4 @@ reference = "https://attack.mitre.org/techniques/T1105/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/macos/execution_shell_execution_via_apple_scripting.toml b/rules/macos/execution_shell_execution_via_apple_scripting.toml
index 6ab511048..8e784e975 100644
--- a/rules/macos/execution_shell_execution_via_apple_scripting.toml
+++ b/rules/macos/execution_shell_execution_via_apple_scripting.toml
@@ -1,18 +1,18 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2020/12/07"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use
-the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.
+Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the
+doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Shell Execution via Apple Scripting"
 references = [
 "https://developer.apple.com/library/archive/technotes/tn2065/_index.html",
@@ -43,3 +43,4 @@ reference = "https://attack.mitre.org/techniques/T1059/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
index 5fe8f6d41..ff5e6a505 100644
--- a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
+++ b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ malicious macros.
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious macOS MS Office Child Process"
 references = ["https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/"]
 risk_score = 47
diff --git a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
index fc395a6f9..c2a4bb411 100644
--- a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
+++ b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/12"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ attempt unauthorized authentication techniques such as pass-the-ticket/hash and
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Kerberos Attack via Bifrost"
 references = ["https://github.com/its-a-feature/bifrost"]
 risk_score = 73
diff --git a/rules/macos/lateral_movement_mounting_smb_share.toml b/rules/macos/lateral_movement_mounting_smb_share.toml
index 16e12c4b2..e1cad6ddf 100644
--- a/rules/macos/lateral_movement_mounting_smb_share.toml
+++ b/rules/macos/lateral_movement_mounting_smb_share.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/25"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ use valid accounts to interact with a remote network share using SMB.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Attempt to Mount SMB Share via Command Line"
 references = ["https://www.freebsd.org/cgi/man.cgi?mount_smbfs", "https://ss64.com/osx/mount.html"]
 risk_score = 21
diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
index 83b755ff8..1054f67db 100644
--- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
+++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Detects use of the systemsetup command to enable remote SSH Login
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Remote SSH Login Enabled via systemsetup Command"
 references = [
 "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf",
diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml
index c04b40b90..272c11a46 100644
--- a/rules/macos/lateral_movement_vpn_connection_attempt.toml
+++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/25"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies the execution of macOS built-in commands to connect to
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Virtual Private Network Connection Attempt"
 references = [
 "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb",
diff --git a/rules/macos/persistence_account_creation_hide_at_logon.toml b/rules/macos/persistence_account_creation_hide_at_logon.toml
index 868bbd575..31cc60b97 100644
--- a/rules/macos/persistence_account_creation_hide_at_logon.toml
+++ b/rules/macos/persistence_account_creation_hide_at_logon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/05"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ attempt to evade user attention while maintaining persistence using a separate l
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Hidden Local User Account Creation"
 references = ["https://support.apple.com/en-us/HT203998"]
 risk_score = 47
diff --git a/rules/macos/persistence_creation_change_launch_agents_file.toml b/rules/macos/persistence_creation_change_launch_agents_file.toml
index 2aec84b0f..f67eea227 100644
--- a/rules/macos/persistence_creation_change_launch_agents_file.toml
+++ b/rules/macos/persistence_creation_change_launch_agents_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2020/12/09"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = ["Trusted applications persisting via LaunchAgent"]
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Launch Agent Creation or Modification and Immediate Loading"
 references = [
 "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html",
@@ -45,6 +45,7 @@ name = "Launch Agent"
 reference = "https://attack.mitre.org/techniques/T1543/001/"
 
 
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/macos/persistence_creation_hidden_login_item_osascript.toml b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
index bd2f77cdb..b6b13172d 100644
--- a/rules/macos/persistence_creation_hidden_login_item_osascript.toml
+++ b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/05"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ program while concealing its presence.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Creation of Hidden Login Item via Apple Script"
 risk_score = 47
 rule_id = "f24bcae1-8980-4b30-b5dd-f851b055c9e7"
diff --git a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
index d0718b137..9a48875c1 100644
--- a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
+++ b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2020/12/07"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ false_positives = ["Trusted applications persisting via LaunchDaemons"]
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "LaunchDaemon Creation or Modification and Immediate Loading"
 references = [
 "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html",
@@ -40,3 +40,4 @@ reference = "https://attack.mitre.org/techniques/T1543/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
index c4e5f27bd..126b9c945 100644
--- a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
+++ b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/13"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ to persist and/or collect clear text credentials as they traverse the registered
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Authorization Plugin Modification"
 references = [
 "https://developer.apple.com/documentation/security/authorization_plug-ins",
diff --git a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
index af7609ea5..fce77f91f 100644
--- a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
+++ b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ installing a new logon item, launch agent, or daemon that executes upon login.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious Hidden Child Process of Launchd"
 references = [
 "https://objective-see.com/blog/blog_0x61.html",
diff --git a/rules/macos/persistence_directory_services_plugins_modification.toml b/rules/macos/persistence_directory_services_plugins_modification.toml
index 375dcbc31..33cd6f1da 100644
--- a/rules/macos/persistence_directory_services_plugins_modification.toml
+++ b/rules/macos/persistence_directory_services_plugins_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/13"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ DirectoryServices PlugIns folder and can be abused by adversaries to maintain pe
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Persistence via DirectoryService Plugin Modification"
 references = ["https://blog.chichou.me/2019/11/21/two-macos-persistence-tricks-abusing-plugins/"]
 risk_score = 47
diff --git a/rules/macos/persistence_docker_shortcuts_plist_modification.toml b/rules/macos/persistence_docker_shortcuts_plist_modification.toml
index 2b44e9b29..5f3c00982 100644
--- a/rules/macos/persistence_docker_shortcuts_plist_modification.toml
+++ b/rules/macos/persistence_docker_shortcuts_plist_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/18"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ application instead of the intended one when invoked.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Persistence via Docker Shortcut Modification"
 references = [
 """
diff --git a/rules/macos/persistence_emond_rules_file_creation.toml b/rules/macos/persistence_emond_rules_file_creation.toml
index 414c4f700..cdf4702a1 100644
--- a/rules/macos/persistence_emond_rules_file_creation.toml
+++ b/rules/macos/persistence_emond_rules_file_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/11"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ writing a rule to execute commands when a defined event occurs, such as system s
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Emond Rules Creation or Modification"
 references = ["https://www.xorrior.com/emond-persistence/"]
 risk_score = 47
diff --git a/rules/macos/persistence_emond_rules_process_execution.toml b/rules/macos/persistence_emond_rules_process_execution.toml
index bc883ce9a..d48776e76 100644
--- a/rules/macos/persistence_emond_rules_process_execution.toml
+++ b/rules/macos/persistence_emond_rules_process_execution.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/11"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ authentication.
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious Emond Child Process"
 references = ["https://www.xorrior.com/emond-persistence/"]
 risk_score = 47
diff --git a/rules/macos/persistence_enable_root_account.toml b/rules/macos/persistence_enable_root_account.toml
index 62052f91c..f760c40ac 100644
--- a/rules/macos/persistence_enable_root_account.toml
+++ b/rules/macos/persistence_enable_root_account.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/04"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ for persistence, as the root account is disabled by default.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Attempt to Enable the Root Account"
 references = ["https://ss64.com/osx/dsenableroot.html"]
 risk_score = 47
diff --git a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
index b3fa8a5fd..7f09fce05 100644
--- a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
+++ b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/05"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ launch agent or daemon which executes at login.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Creation of Hidden Launch Agent or Daemon"
 references = [
 "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html",
diff --git a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
index 6a42e079c..d3e8050fd 100644
--- a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
+++ b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
@@ -1,22 +1,25 @@
 [metadata]
 creation_date = "2020/12/18"
 maturity = "production"
-updated_date = "2020/12/18"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
 description = """
-Finder Sync plugins enable users to extend Finder’s functionality by modifying the user interface. Adversaries may
-abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.
+Finder Sync plugins enable users to extend Finder’s functionality by modifying the user interface. Adversaries may abuse
+this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.
 """
 false_positives = ["Trusted Finder Sync Plugins"]
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Finder Sync Plugin Registered and Enabled"
 references = [
- "https://github.com/specterops/presentations/raw/master/Leo Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf",
+ """
+ https://github.com/specterops/presentations/raw/master/Leo
+ Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf
+ """,
 ]
 risk_score = 47
 rule_id = "37f638ea-909d-4f94-9248-edd21e4a9906"
@@ -55,3 +58,4 @@ reference = "https://attack.mitre.org/techniques/T1543/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/macos/persistence_folder_action_scripts_runtime.toml b/rules/macos/persistence_folder_action_scripts_runtime.toml
index a2ee1da19..98724350c 100644
--- a/rules/macos/persistence_folder_action_scripts_runtime.toml
+++ b/rules/macos/persistence_folder_action_scripts_runtime.toml
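Review bot: Wrapping the SpecterOps reference in a `"""` multi-line string splits the path across two lines (`.../Leo` and `Pitt/Hey_Im_...pdf`), so unless the rule loader strips embedded whitespace the stored reference now contains a newline and indentation inside the URL, where the removed line at least kept it as one string with the literal space. A reference should stay a single basic string; percent-encoding the space also makes it a valid URL, e.g. `"https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf",`. This appears to be formatter output rather than a hand edit, so the same wrapping is likely to recur on any other reference that contains a space.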
@@ -1,18 +1,19 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2020/12/07"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
 description = """
 A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its
-window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script.
+window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a
+malicious script.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Persistence via Folder Action Script"
 references = ["https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d"]
 risk_score = 47
@@ -52,3 +53,4 @@ reference = "https://attack.mitre.org/techniques/T1059/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/macos/persistence_login_logout_hooks_defaults.toml b/rules/macos/persistence_login_logout_hooks_defaults.toml
index c81d3030c..33ab3f644 100644
--- a/rules/macos/persistence_login_logout_hooks_defaults.toml
+++ b/rules/macos/persistence_login_logout_hooks_defaults.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ capability to establish persistence in an environment by inserting code to be ex
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Persistence via Login or Logout Hook"
 references = [
 "https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/Wardle-VB2014.pdf",
diff --git a/rules/macos/persistence_loginwindow_plist_modification.toml b/rules/macos/persistence_loginwindow_plist_modification.toml
index 86d01d908..ffa4efea4 100644
--- a/rules/macos/persistence_loginwindow_plist_modification.toml
+++ b/rules/macos/persistence_loginwindow_plist_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ run a program during system boot or user login for persistence.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Persistence via Login Hook"
 note = "Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system."
 references = ["https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js"]
diff --git a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
index 28b58049d..8dfde9833 100644
--- a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
+++ b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Sublime application is started.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Sublime Plugin or Application Script Modification"
 references = ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"]
 risk_score = 21
diff --git a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
index 21909f3f1..70f528ef7 100644
--- a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
+++ b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ tasks to execute malicious code or maintain persistence.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Persistence via Periodic Tasks"
 references = [
 "https://opensource.apple.com/source/crontabs/crontabs-13/private/etc/defaults/periodic.conf.auto.html",
diff --git a/rules/macos/persistence_suspicious_calendar_modification.toml b/rules/macos/persistence_suspicious_calendar_modification.toml
index 83ef049fd..5351f1fb9 100644
--- a/rules/macos/persistence_suspicious_calendar_modification.toml
+++ b/rules/macos/persistence_suspicious_calendar_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = ["Trusted applications for managing calendars and reminders."]
 from = "now-9m"
 index = ["logs-endpoint.events.*", "auditbeat-*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious Calendar File Modification"
 references = [
 "https://labs.f-secure.com/blog/operationalising-calendar-alerts-persistence-on-macos",
diff --git a/rules/macos/persistence_via_atom_init_file_modification.toml b/rules/macos/persistence_via_atom_init_file_modification.toml
index 00cf2ad52..2d620fcd6 100644
--- a/rules/macos/persistence_via_atom_init_file_modification.toml
+++ b/rules/macos/persistence_via_atom_init_file_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ init.coffee file that will be executed upon the Atom application opening.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Persistence via Atom Init Script Modification"
 references = [
 "https://github.com/D00MFist/PersistentJXA/blob/master/AtomPersist.js",
diff --git a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
index cc745a614..e0d64a96f 100644
--- a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
+++ b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/27"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ privileges.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Apple Scripting Execution with Administrator Privileges"
 references = ["https://discussions.apple.com/thread/2266150"]
 risk_score = 47
diff --git a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
index a810cde3c..2668ff790 100644
--- a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
+++ b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ not be run by itself, as this is a sign of execution with explicit logon credent
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Execution with Explicit Credentials via Scripting"
 references = [
 "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf",
diff --git a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
index 929abb69a..97f9cad83 100644
--- a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
+++ b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ false_positives = ["Trusted system or Adobe Acrobat Related processes."]
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious Child Process of Adobe Acrobat Reader Update Service"
 references = [
 "https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/",
diff --git a/rules/macos/privilege_escalation_local_user_added_to_admin.toml b/rules/macos/privilege_escalation_local_user_added_to_admin.toml
index 182674e8c..0f5514d0b 100644
--- a/rules/macos/privilege_escalation_local_user_added_to_admin.toml
+++ b/rules/macos/privilege_escalation_local_user_added_to_admin.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/05"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ escalation activity.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Admin Group Account Addition"
 references = ["https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/"]
 risk_score = 47
diff --git a/rules/macos/privilege_escalation_root_crontab_filemod.toml b/rules/macos/privilege_escalation_root_crontab_filemod.toml
index 87399c5f8..759156414 100644
--- a/rules/macos/privilege_escalation_root_crontab_filemod.toml
+++ b/rules/macos/privilege_escalation_root_crontab_filemod.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/27"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ privileges by exploiting privileged file write or move related vulnerabilities.
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Privilege Escalation via Root Crontab File Modification"
 references = [
 "https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc",
diff --git a/rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml b/rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
index 1a84cc473..e00eaf7e5 100644
--- a/rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
+++ b/rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2020/12/15"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to
-obtain unauthorized access to user accounts.
+Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain
+unauthorized access to user accounts.
 """
 false_positives = [
 """
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Attempts to Brute Force a Microsoft 365 User Account"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 risk_score = 73
diff --git a/rules/microsoft-365/credential_access_microsoft_365_potential_password_spraying_attack.toml b/rules/microsoft-365/credential_access_microsoft_365_potential_password_spraying_attack.toml
index 1e83ac28b..95c525cbe 100644
--- a/rules/microsoft-365/credential_access_microsoft_365_potential_password_spraying_attack.toml
+++ b/rules/microsoft-365/credential_access_microsoft_365_potential_password_spraying_attack.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/01"
 maturity = "production"
-updated_date = "2020/12/15"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Password Spraying of Microsoft 365 User Accounts"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 risk_score = 73
diff --git a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
index 4b53ebc2c..531c17f62 100644
--- a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
+++ b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft 365 Exchange DLP Policy Removed"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
index beaf581eb..5ceec6c56 100644
--- a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
+++ b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft 365 Exchange Malware Filter Policy Deletion"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
index e8c5666d7..72d619601 100644
--- a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
+++ b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft 365 Exchange Malware Filter Rule Modification"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
index 09b0643ae..cb1ab8e6c 100644
--- a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
+++ b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft 365 Exchange Safe Attachment Rule Disabled"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml b/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
index 5cbfe769c..a154afe29 100644
--- a/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
+++ b/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft 365 Exchange Transport Rule Creation"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml b/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
index d504712cc..eb090e627 100644
--- a/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
+++ b/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft 365 Exchange Transport Rule Modification"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml b/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
index 95eafc5a2..d08455f66 100644
--- a/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
+++ b/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft 365 Exchange Anti-Phish Policy Deletion"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml b/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
index 86237efb5..1b374938b 100644
--- a/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
+++ b/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft 365 Exchange Anti-Phish Rule Modification"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/microsoft-365/initial_access_microsoft_365_exchange_safelinks_disabled.toml b/rules/microsoft-365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
index 7a4cac33f..a31bb3ad5 100644
--- a/rules/microsoft-365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
+++ b/rules/microsoft-365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft 365 Exchange Safe Link Policy Disabled"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/microsoft-365/microsoft_365_exchange_dkim_signing_config_disabled.toml b/rules/microsoft-365/microsoft_365_exchange_dkim_signing_config_disabled.toml
index d05a7aec3..53d340185 100644
--- a/rules/microsoft-365/microsoft_365_exchange_dkim_signing_config_disabled.toml
+++ b/rules/microsoft-365/microsoft_365_exchange_dkim_signing_config_disabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft 365 Exchange DKIM Signing Configuration Disabled"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/microsoft-365/microsoft_365_teams_custom_app_interaction_allowed.toml b/rules/microsoft-365/microsoft_365_teams_custom_app_interaction_allowed.toml
index 6fe2b6ac7..b7be6ae99 100644
--- a/rules/microsoft-365/microsoft_365_teams_custom_app_interaction_allowed.toml
+++ b/rules/microsoft-365/microsoft_365_teams_custom_app_interaction_allowed.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft 365 Teams Custom Application Interaction Allowed"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 references = ["https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload"]
diff --git a/rules/microsoft-365/persistence_microsoft_365_exchange_management_role_assignment.toml b/rules/microsoft-365/persistence_microsoft_365_exchange_management_role_assignment.toml
index 4a4ef5219..53c78b895 100644
--- a/rules/microsoft-365/persistence_microsoft_365_exchange_management_role_assignment.toml
+++ b/rules/microsoft-365/persistence_microsoft_365_exchange_management_role_assignment.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft 365 Exchange Management Group Role Assignment"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/microsoft-365/persistence_microsoft_365_teams_external_access_enabled.toml b/rules/microsoft-365/persistence_microsoft_365_teams_external_access_enabled.toml
index 0478e3229..e870da0e4 100644
--- a/rules/microsoft-365/persistence_microsoft_365_teams_external_access_enabled.toml
+++ b/rules/microsoft-365/persistence_microsoft_365_teams_external_access_enabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft 365 Teams External Access Enabled"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 references = ["https://docs.microsoft.com/en-us/microsoftteams/manage-external-access"]
diff --git a/rules/microsoft-365/persistence_microsoft_365_teams_guest_access_enabled.toml b/rules/microsoft-365/persistence_microsoft_365_teams_guest_access_enabled.toml
index b9fa25921..d319c93da 100644
--- a/rules/microsoft-365/persistence_microsoft_365_teams_guest_access_enabled.toml
+++ b/rules/microsoft-365/persistence_microsoft_365_teams_guest_access_enabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft 365 Teams Guest Access Enabled"
 note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
 references = [
diff --git a/rules/ml/ml_cloudtrail_error_message_spike.toml b/rules/ml/ml_cloudtrail_error_message_spike.toml
index 034eb6e89..1d8bce75e 100644
--- a/rules/ml/ml_cloudtrail_error_message_spike.toml
+++ b/rules/ml/ml_cloudtrail_error_message_spike.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -19,7 +19,7 @@ false_positives = [
 ]
 from = "now-60m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "high_distinct_count_error_message"
 name = "Spike in AWS Error Messages"
 note = """### Investigating Spikes in CloudTrail Errors ###
diff --git a/rules/ml/ml_cloudtrail_rare_error_code.toml b/rules/ml/ml_cloudtrail_rare_error_code.toml
index e7ae7efad..519eb51eb 100644
--- a/rules/ml/ml_cloudtrail_rare_error_code.toml
+++ b/rules/ml/ml_cloudtrail_rare_error_code.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -19,7 +19,7 @@ false_positives = [
 ]
 from = "now-60m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "rare_error_code"
 name = "Rare AWS Error Code"
 note = """### Investigating Unusual CloudTrail Error Activity ###
diff --git a/rules/ml/ml_cloudtrail_rare_method_by_city.toml b/rules/ml/ml_cloudtrail_rare_method_by_city.toml
index 58ba0ee1c..5f0dafe15 100644
--- a/rules/ml/ml_cloudtrail_rare_method_by_city.toml
+++ b/rules/ml/ml_cloudtrail_rare_method_by_city.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -20,7 +20,7 @@ false_positives = [
 ]
 from = "now-60m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "rare_method_for_a_city"
 name = "Unusual City For an AWS Command"
 note = """### Investigating an Unusual CloudTrail Event ###
diff --git a/rules/ml/ml_cloudtrail_rare_method_by_country.toml b/rules/ml/ml_cloudtrail_rare_method_by_country.toml
index f41303327..febcfd51b 100644
--- a/rules/ml/ml_cloudtrail_rare_method_by_country.toml
+++ b/rules/ml/ml_cloudtrail_rare_method_by_country.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -20,7 +20,7 @@ false_positives = [
 ]
 from = "now-60m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "rare_method_for_a_country"
 name = "Unusual Country For an AWS Command"
 note = """### Investigating an Unusual CloudTrail Event ###
diff --git a/rules/ml/ml_cloudtrail_rare_method_by_user.toml b/rules/ml/ml_cloudtrail_rare_method_by_user.toml
index 07932103b..d46edbdc1 100644
--- a/rules/ml/ml_cloudtrail_rare_method_by_user.toml
+++ b/rules/ml/ml_cloudtrail_rare_method_by_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 75
@@ -19,7 +19,7 @@ false_positives = [
 ]
 from = "now-60m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "rare_method_for_a_username"
 name = "Unusual AWS Command for a User"
 note = """### Investigating an Unusual CloudTrail Event ###
diff --git a/rules/ml/ml_linux_anomalous_compiler_activity.toml b/rules/ml/ml_linux_anomalous_compiler_activity.toml
index 8232423d5..b2a246be1 100644
--- a/rules/ml/ml_linux_anomalous_compiler_activity.toml
+++ b/rules/ml/ml_linux_anomalous_compiler_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -19,7 +19,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_rare_user_compiler"
 name = "Anomalous Linux Compiler Activity"
 risk_score = 21
diff --git a/rules/ml/ml_linux_anomalous_kernel_module_arguments.toml b/rules/ml/ml_linux_anomalous_kernel_module_arguments.toml
index 6422f870b..9f84e59b7 100644
--- a/rules/ml/ml_linux_anomalous_kernel_module_arguments.toml
+++ b/rules/ml/ml_linux_anomalous_kernel_module_arguments.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2020/12/09"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 25
@@ -18,7 +18,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_rare_kernel_module_arguments"
 name = "Anomalous Kernel Module Activity"
 references = ["references"]
@@ -27,8 +27,6 @@ rule_id = "37b0816d-af40-40b4-885f-bb162b3c88a9"
 severity = "low"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML"]
 type = "machine_learning"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -41,6 +39,7 @@ name = "Kernel Modules and Extensions"
 reference = "https://attack.mitre.org/techniques/T1547/006/" + [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/ml/ml_linux_anomalous_metadata_process.toml b/rules/ml/ml_linux_anomalous_metadata_process.toml
index c1f7c0872..c75e4bdf5 100644
--- a/rules/ml/ml_linux_anomalous_metadata_process.toml
+++ b/rules/ml/ml_linux_anomalous_metadata_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -18,7 +18,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_rare_metadata_process"
 name = "Unusual Linux Process Calling the Metadata Service"
 risk_score = 21
diff --git a/rules/ml/ml_linux_anomalous_metadata_user.toml b/rules/ml/ml_linux_anomalous_metadata_user.toml
index 2a23bf0e1..cc7a11dac 100644
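Review bot: The last context line of the `@@ -18,7 +18,7 @@` hunk in ml_linux_anomalous_kernel_module_arguments.toml still carries the literal placeholder `references = ["references"]` instead of a URL, and this pass touches the file (license string, updated_date, blank-line cleanup) without fixing it. Since the sibling ML rules in this same patch point at the prebuilt-jobs page, the cheapest consistent fix is `references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]`, or simply dropping the line if no source exists. A non-URL entry presumably surfaces verbatim wherever the rule's references are rendered for an analyst, which is worth avoiding on a production-maturity rule. This line is pre-existing context rather than something the commit introduces, so the note is about the opportunity, not a regression.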
--- a/rules/ml/ml_linux_anomalous_metadata_user.toml
+++ b/rules/ml/ml_linux_anomalous_metadata_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 75
@@ -18,7 +18,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_rare_metadata_user"
 name = "Unusual Linux User Calling the Metadata Service"
 risk_score = 21
diff --git a/rules/ml/ml_linux_anomalous_network_activity.toml b/rules/ml/ml_linux_anomalous_network_activity.toml
index 3128560cb..259b71c31 100644
--- a/rules/ml/ml_linux_anomalous_network_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -15,7 +15,7 @@ applications.
 """
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_anomalous_network_activity_ecs"
 name = "Unusual Linux Network Activity"
 note = """### Investigating Unusual Network Activity ###
diff --git a/rules/ml/ml_linux_anomalous_network_port_activity.toml b/rules/ml/ml_linux_anomalous_network_port_activity.toml
index 9143768cc..cfad4e39d 100644
--- a/rules/ml/ml_linux_anomalous_network_port_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_port_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -14,7 +14,7 @@ unauthorized access or threat actor activity.
 false_positives = ["A newly installed program or one that rarely uses the network could trigger this alert."]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_anomalous_network_port_activity_ecs"
 name = "Unusual Linux Network Port Activity"
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
diff --git a/rules/ml/ml_linux_anomalous_network_service.toml b/rules/ml/ml_linux_anomalous_network_service.toml
index c571550ff..db8f67fce 100644
--- a/rules/ml/ml_linux_anomalous_network_service.toml
+++ b/rules/ml/ml_linux_anomalous_network_service.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -13,7 +13,7 @@ or persistence mechanisms.
 false_positives = ["A newly installed program or one that rarely uses the network could trigger this alert."]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_anomalous_network_service"
 name = "Unusual Linux Network Service"
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
diff --git a/rules/ml/ml_linux_anomalous_network_url_activity.toml b/rules/ml/ml_linux_anomalous_network_url_activity.toml
index 1668bf336..af83c72b8 100644
--- a/rules/ml/ml_linux_anomalous_network_url_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_url_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -21,7 +21,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_anomalous_network_url_activity_ecs"
 name = "Unusual Linux Web Activity"
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
diff --git a/rules/ml/ml_linux_anomalous_process_all_hosts.toml b/rules/ml/ml_linux_anomalous_process_all_hosts.toml
index 3abcce5aa..3f880823e 100644
--- a/rules/ml/ml_linux_anomalous_process_all_hosts.toml
+++ b/rules/ml/ml_linux_anomalous_process_all_hosts.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -19,7 +19,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_anomalous_process_all_hosts_ecs"
 name = "Anomalous Process For a Linux Population"
 note = """### Investigating an Unusual Linux Process ###
diff --git a/rules/ml/ml_linux_anomalous_sudo_activity.toml b/rules/ml/ml_linux_anomalous_sudo_activity.toml
index 01d70d744..012cd8994 100644
--- a/rules/ml/ml_linux_anomalous_sudo_activity.toml
+++ b/rules/ml/ml_linux_anomalous_sudo_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 75
@@ -18,7 +18,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_rare_sudo_user"
 name = "Unusual Sudo Activity"
 risk_score = 21
diff --git a/rules/ml/ml_linux_anomalous_user_name.toml b/rules/ml/ml_linux_anomalous_user_name.toml
index aeb59abdd..0d2fd1b3c 100644
--- a/rules/ml/ml_linux_anomalous_user_name.toml
+++ b/rules/ml/ml_linux_anomalous_user_name.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -24,7 +24,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_anomalous_user_name_ecs"
 name = "Unusual Linux Username"
 note = """### Investigating an Unusual Linux User ###
diff --git a/rules/ml/ml_linux_system_information_discovery.toml b/rules/ml/ml_linux_system_information_discovery.toml
index 5277234f2..1d3b8d301 100644
--- a/rules/ml/ml_linux_system_information_discovery.toml
+++ b/rules/ml/ml_linux_system_information_discovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 75
@@ -20,7 +20,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_system_information_discovery"
 name = "Unusual Linux System Information Discovery Activity"
 risk_score = 21
diff --git a/rules/ml/ml_linux_system_network_configuration_discovery.toml b/rules/ml/ml_linux_system_network_configuration_discovery.toml
index 4f0299a77..2894a1f24 100644
--- a/rules/ml/ml_linux_system_network_configuration_discovery.toml
+++ b/rules/ml/ml_linux_system_network_configuration_discovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 25
@@ -20,7 +20,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_network_configuration_discovery"
 name = "Unusual Linux System Network Configuration Discovery"
 risk_score = 21
diff --git a/rules/ml/ml_linux_system_network_connection_discovery.toml b/rules/ml/ml_linux_system_network_connection_discovery.toml
index f1f5cc3ab..40adf6323 100644
--- a/rules/ml/ml_linux_system_network_connection_discovery.toml
+++ b/rules/ml/ml_linux_system_network_connection_discovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 25
@@ -20,7 +20,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_network_connection_discovery"
 name = "Unusual Linux Network Connection Discovery"
 risk_score = 21
diff --git a/rules/ml/ml_linux_system_process_discovery.toml b/rules/ml/ml_linux_system_process_discovery.toml
index 8d2f02aa5..d72c928e7 100644
--- a/rules/ml/ml_linux_system_process_discovery.toml
+++ b/rules/ml/ml_linux_system_process_discovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -20,7 +20,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_system_process_discovery"
 name = "Unusual Linux Process Discovery Activity"
 risk_score = 21
diff --git a/rules/ml/ml_linux_system_user_discovery.toml b/rules/ml/ml_linux_system_user_discovery.toml
index cd390b1a3..19b1e9e91 100644
--- a/rules/ml/ml_linux_system_user_discovery.toml
+++ b/rules/ml/ml_linux_system_user_discovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 75
@@ -20,7 +20,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "linux_system_user_discovery"
 name = "Unusual Linux System Owner or User Discovery Activity"
 risk_score = 21
diff --git a/rules/ml/ml_packetbeat_dns_tunneling.toml b/rules/ml/ml_packetbeat_dns_tunneling.toml
index 9b83bd3ad..be739fadb 100644
--- a/rules/ml/ml_packetbeat_dns_tunneling.toml
+++ b/rules/ml/ml_packetbeat_dns_tunneling.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -20,7 +20,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "packetbeat_dns_tunneling"
 name = "DNS Tunneling"
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
diff --git a/rules/ml/ml_packetbeat_rare_dns_question.toml b/rules/ml/ml_packetbeat_rare_dns_question.toml
index 41c4ba296..1c168b91d 100644
--- a/rules/ml/ml_packetbeat_rare_dns_question.toml
+++ b/rules/ml/ml_packetbeat_rare_dns_question.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -23,7 +23,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "packetbeat_rare_dns_question"
 name = "Unusual DNS Activity"
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
diff --git a/rules/ml/ml_packetbeat_rare_server_domain.toml b/rules/ml/ml_packetbeat_rare_server_domain.toml
index 03057b251..3ff8f3b65 100644
--- a/rules/ml/ml_packetbeat_rare_server_domain.toml
+++ b/rules/ml/ml_packetbeat_rare_server_domain.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -23,7 +23,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "packetbeat_rare_server_domain"
 name = "Unusual Network Destination Domain Name"
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
diff --git a/rules/ml/ml_packetbeat_rare_urls.toml b/rules/ml/ml_packetbeat_rare_urls.toml
index 6ec587602..b4f7fd605 100644
--- a/rules/ml/ml_packetbeat_rare_urls.toml
+++ b/rules/ml/ml_packetbeat_rare_urls.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -26,7 +26,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "packetbeat_rare_urls"
 name = "Unusual Web Request"
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
diff --git a/rules/ml/ml_packetbeat_rare_user_agent.toml b/rules/ml/ml_packetbeat_rare_user_agent.toml
index 39cea0bfb..81a0a463d 100644
--- a/rules/ml/ml_packetbeat_rare_user_agent.toml
+++ b/rules/ml/ml_packetbeat_rare_user_agent.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -24,7 +24,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "packetbeat_rare_user_agent"
 name = "Unusual Web User Agent"
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
diff --git a/rules/ml/ml_rare_process_by_host_linux.toml b/rules/ml/ml_rare_process_by_host_linux.toml
index 92debf6ec..c2d0d6955 100644
--- a/rules/ml/ml_rare_process_by_host_linux.toml
+++ b/rules/ml/ml_rare_process_by_host_linux.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -19,7 +19,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "rare_process_by_host_linux_ecs"
 name = "Unusual Process For a Linux Host"
 note = """### Investigating an Unusual Linux Process ###
diff --git a/rules/ml/ml_rare_process_by_host_windows.toml b/rules/ml/ml_rare_process_by_host_windows.toml
index 7b9625cb4..d34815d0e 100644
--- a/rules/ml/ml_rare_process_by_host_windows.toml
+++ b/rules/ml/ml_rare_process_by_host_windows.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -19,7 +19,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "rare_process_by_host_windows_ecs"
 name = "Unusual Process For a Windows Host"
 note = """### Investigating an Unusual Windows Process ###
diff --git a/rules/ml/ml_suspicious_login_activity.toml b/rules/ml/ml_suspicious_login_activity.toml
index e11074604..f35e95e06 100644
--- a/rules/ml/ml_suspicious_login_activity.toml
+++ b/rules/ml/ml_suspicious_login_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -15,7 +15,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "suspicious_login_activity_ecs"
 name = "Unusual Login Activity"
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
diff --git a/rules/ml/ml_windows_anomalous_metadata_process.toml b/rules/ml/ml_windows_anomalous_metadata_process.toml
index 53417a7bb..47ffc4c0b 100644
--- a/rules/ml/ml_windows_anomalous_metadata_process.toml
+++ b/rules/ml/ml_windows_anomalous_metadata_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -18,7 +18,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "windows_rare_metadata_process"
 name = "Unusual Windows Process Calling the Metadata Service"
 risk_score = 21
diff --git a/rules/ml/ml_windows_anomalous_metadata_user.toml b/rules/ml/ml_windows_anomalous_metadata_user.toml
index e95aa4001..7bf1ac580 100644
--- a/rules/ml/ml_windows_anomalous_metadata_user.toml
+++ b/rules/ml/ml_windows_anomalous_metadata_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 75
@@ -18,7 +18,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "windows_rare_metadata_user"
 name = "Unusual Windows User Calling the Metadata Service"
 risk_score = 21
diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml
index 7c1b5633d..562e800c5 100644
--- a/rules/ml/ml_windows_anomalous_network_activity.toml
+++ b/rules/ml/ml_windows_anomalous_network_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -16,7 +16,7 @@ network applications.
 false_positives = ["A newly installed program or one that rarely uses the network could trigger this alert."]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "windows_anomalous_network_activity_ecs"
 name = "Unusual Windows Network Activity"
 note = """### Investigating Unusual Network Activity ###
diff --git a/rules/ml/ml_windows_anomalous_path_activity.toml b/rules/ml/ml_windows_anomalous_path_activity.toml
index ee03eb45a..45837776f 100644
--- a/rules/ml/ml_windows_anomalous_path_activity.toml
+++ b/rules/ml/ml_windows_anomalous_path_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -21,7 +21,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "windows_anomalous_path_activity_ecs"
 name = "Unusual Windows Path Activity"
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
diff --git a/rules/ml/ml_windows_anomalous_process_all_hosts.toml b/rules/ml/ml_windows_anomalous_process_all_hosts.toml
index 25072ef53..67b04d13a 100644
--- a/rules/ml/ml_windows_anomalous_process_all_hosts.toml
+++ b/rules/ml/ml_windows_anomalous_process_all_hosts.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -19,7 +19,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "windows_anomalous_process_all_hosts_ecs"
 name = "Anomalous Process For a Windows Population"
 note = """### Investigating an Unusual Windows Process ###
diff --git a/rules/ml/ml_windows_anomalous_process_creation.toml b/rules/ml/ml_windows_anomalous_process_creation.toml
index 58340fe88..5b6cfb945 100644
--- a/rules/ml/ml_windows_anomalous_process_creation.toml
+++ b/rules/ml/ml_windows_anomalous_process_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -22,7 +22,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "windows_anomalous_process_creation"
 name = "Anomalous Windows Process Creation"
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
diff --git a/rules/ml/ml_windows_anomalous_script.toml b/rules/ml/ml_windows_anomalous_script.toml
index 6217eb4ba..0764a3bed 100644
--- a/rules/ml/ml_windows_anomalous_script.toml
+++ b/rules/ml/ml_windows_anomalous_script.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -18,7 +18,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "windows_anomalous_script"
 name = "Suspicious Powershell Script"
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
diff --git a/rules/ml/ml_windows_anomalous_service.toml b/rules/ml/ml_windows_anomalous_service.toml
index 2d601168b..eef0e87ca 100644
--- a/rules/ml/ml_windows_anomalous_service.toml
+++ b/rules/ml/ml_windows_anomalous_service.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -19,7 +19,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "windows_anomalous_service"
 name = "Unusual Windows Service"
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
diff --git a/rules/ml/ml_windows_anomalous_user_name.toml b/rules/ml/ml_windows_anomalous_user_name.toml
index d92f8e686..8f9e00b2a 100644
--- a/rules/ml/ml_windows_anomalous_user_name.toml
+++ b/rules/ml/ml_windows_anomalous_user_name.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -24,7 +24,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "windows_anomalous_user_name_ecs"
 name = "Unusual Windows Username"
 note = """### Investigating an Unusual Windows User ###
diff --git a/rules/ml/ml_windows_rare_user_runas_event.toml b/rules/ml/ml_windows_rare_user_runas_event.toml
index 5f72e30ea..ace03f9b6 100644
--- a/rules/ml/ml_windows_rare_user_runas_event.toml
+++ b/rules/ml/ml_windows_rare_user_runas_event.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -19,7 +19,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "windows_rare_user_runas_event"
 name = "Unusual Windows User Privilege Elevation Activity"
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
diff --git a/rules/ml/ml_windows_rare_user_type10_remote_login.toml b/rules/ml/ml_windows_rare_user_type10_remote_login.toml
index c360737e5..7b9496862 100644
--- a/rules/ml/ml_windows_rare_user_type10_remote_login.toml
+++ b/rules/ml/ml_windows_rare_user_type10_remote_login.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2021/03/03"
 
 [rule]
 anomaly_threshold = 50
@@ -19,7 +19,7 @@ false_positives = [
 ]
 from = "now-45m"
 interval = "15m"
-license = "Elastic License"
+license = "Elastic License v2"
 machine_learning_job_id = "windows_rare_user_type10_remote_login"
 name = "Unusual Windows Remote User"
 note = """### Investigating an Unusual Windows User ###
diff --git a/rules/network/command_and_control_cobalt_strike_beacon.toml b/rules/network/command_and_control_cobalt_strike_beacon.toml
index 5ac3a029e..098c5b163 100644
--- a/rules/network/command_and_control_cobalt_strike_beacon.toml
+++ b/rules/network/command_and_control_cobalt_strike_beacon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 ]
 index = ["packetbeat-*"]
 language = "lucene"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Cobalt Strike Command and Control Beacon"
 note = "This activity has been observed in FIN7 campaigns."
 references = [
diff --git a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
index 7521638a5..78564ea30 100644
--- a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
+++ b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/05"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ Reference section for additional information on module configuration.
 """
 index = ["filebeat-*", "packetbeat-*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Default Cobalt Strike Team Server Certificate"
 note = "While Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, alerts should be investigated rapidly."
 references = [
diff --git a/rules/network/command_and_control_dns_directly_to_the_internet.toml b/rules/network/command_and_control_dns_directly_to_the_internet.toml
index da3c6527b..15f4355ac 100644
--- a/rules/network/command_and_control_dns_directly_to_the_internet.toml
+++ b/rules/network/command_and_control_dns_directly_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ false_positives = [
 ]
 index = ["filebeat-*", "packetbeat-*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "DNS Activity to the Internet"
 references = [
 "https://www.us-cert.gov/ncas/alerts/TA15-240A",
diff --git a/rules/network/command_and_control_download_rar_powershell_from_internet.toml b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
index 2036e1f54..651f96362 100644
--- a/rules/network/command_and_control_download_rar_powershell_from_internet.toml
+++ b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/02"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 ]
 index = ["packetbeat-*"]
 language = "lucene"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet"
 note = "This activity has been observed in FIN7 campaigns."
 references = [
diff --git a/rules/network/command_and_control_fin7_c2_behavior.toml b/rules/network/command_and_control_fin7_c2_behavior.toml
index 93a8be9c1..997140ac3 100644
--- a/rules/network/command_and_control_fin7_c2_behavior.toml
+++ b/rules/network/command_and_control_fin7_c2_behavior.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 ]
 index = ["packetbeat-*"]
 language = "lucene"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Possible FIN7 DGA Command and Control Behavior"
 note = "In the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`."
 references = [
diff --git a/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml b/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml
index a8f599fd9..15b18227a 100644
--- a/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "FTP (File Transfer Protocol) Activity to the Internet"
 risk_score = 21
 rule_id = "87ec6396-9ac4-4706-bcf0-2ebb22002f43"
diff --git a/rules/network/command_and_control_halfbaked_beacon.toml b/rules/network/command_and_control_halfbaked_beacon.toml
index 582a6c300..ff1d311b0 100644
--- a/rules/network/command_and_control_halfbaked_beacon.toml
+++ b/rules/network/command_and_control_halfbaked_beacon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 ]
 index = ["packetbeat-*"]
 language = "lucene"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Halfbaked Command and Control Beacon"
 note = "This activity has been observed in FIN7 campaigns."
 references = [
diff --git a/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml b/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml
index 57d5d36f1..c41a8c35b 100644
--- a/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "IRC (Internet Relay Chat) Protocol Activity to the Internet"
 risk_score = 47
 rule_id = "c6474c34-4953-447a-903e-9fcb7b6661aa"
diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml
index 72bf51ec5..329ec5091 100644
--- a/rules/network/command_and_control_nat_traversal_port_activity.toml
+++ b/rules/network/command_and_control_nat_traversal_port_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "IPSEC NAT Traversal Port Activity"
 risk_score = 21
 rule_id = "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7"
diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml
index be3cf6d4d..e0c426a7a 100644
--- a/rules/network/command_and_control_port_26_activity.toml
+++ b/rules/network/command_and_control_port_26_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "SMTP on Port 26/TCP"
 references = [
 "https://unit42.paloaltonetworks.com/unit42-badpatch/",
diff --git a/rules/network/command_and_control_port_8000_activity_to_the_internet.toml b/rules/network/command_and_control_port_8000_activity_to_the_internet.toml
index 1511eb394..1074e3b7b 100644
--- a/rules/network/command_and_control_port_8000_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_port_8000_activity_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "TCP Port 8000 Activity to the Internet"
 risk_score = 21
 rule_id = "08d5d7e2-740f-44d8-aeda-e41f4263efaf"
diff --git a/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml b/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml
index 397691fac..3ffacde82 100644
--- a/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml
+++ b/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "PPTP (Point to Point Tunneling Protocol) Activity"
 risk_score = 21
 rule_id = "d2053495-8fe7-4168-b3df-dad844046be3"
diff --git a/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml b/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml
index 868514420..68cadc759 100644
--- a/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Proxy Port Activity to the Internet"
 risk_score = 47
 rule_id = "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3"
diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
index 8be8972b6..862783dfe 100644
--- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
+++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "RDP (Remote Desktop Protocol) from the Internet"
 risk_score = 47
 rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488"
diff --git a/rules/network/command_and_control_smtp_to_the_internet.toml b/rules/network/command_and_control_smtp_to_the_internet.toml
index a9cccfa03..d0371e4d9 100644
--- a/rules/network/command_and_control_smtp_to_the_internet.toml
+++ b/rules/network/command_and_control_smtp_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "SMTP to the Internet"
 risk_score = 21
 rule_id = "67a9beba-830d-4035-bfe8-40b7e28f8ac4"
diff --git a/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml b/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml
index 519e60f9a..5e0ef1047 100644
--- a/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "SQL Traffic to the Internet"
 risk_score = 47
 rule_id = "139c7458-566a-410c-a5cd-f80238d6a5cd"
diff --git a/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml b/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml
index 00b44fd59..6af72db8d 100644
--- a/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml
+++ b/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "SSH (Secure Shell) from the Internet"
 risk_score = 47
 rule_id = "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17"
diff --git a/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml b/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml
index d46b6d4f5..386ef584f 100644
--- a/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml
+++ b/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "SSH (Secure Shell) to the Internet"
 risk_score = 21
 rule_id = "6f1500bc-62d7-4eb9-8601-7485e87da2f4"
diff --git a/rules/network/command_and_control_telnet_port_activity.toml b/rules/network/command_and_control_telnet_port_activity.toml
index 0dd4b0bc8..c8450ea9a 100644
--- a/rules/network/command_and_control_telnet_port_activity.toml
+++ b/rules/network/command_and_control_telnet_port_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Telnet Port Activity"
 risk_score = 47
 rule_id = "34fde489-94b0-4500-a76f-b8a157cf9269"
diff --git a/rules/network/command_and_control_tor_activity_to_the_internet.toml b/rules/network/command_and_control_tor_activity_to_the_internet.toml
index f6e481d8e..71d212adb 100644
--- a/rules/network/command_and_control_tor_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_tor_activity_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Tor Activity to the Internet"
 risk_score = 47
 rule_id = "7d2c38d7-ede7-4bdf-b140-445906e6c540"
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
index 6864a1c8f..a52dd0dfc 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "VNC (Virtual Network Computing) from the Internet"
 risk_score = 73
 rule_id = "5700cb81-df44-46aa-a5d7-337798f53eb8"
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
index 9d353f595..14bbac8e0 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ false_positives = [
 from = "now-9m"
 index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "VNC (Virtual Network Computing) to the Internet"
 risk_score = 47
 rule_id = "3ad49c61-7adc-42c1-b788-732eda2f5abf"
diff --git a/rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml b/rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml
index 982fe1863..04a51e82b 100644
--- a/rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml
+++ b/rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/04"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 ]
 index = ["packetbeat-*"]
 language = "lucene"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Public IP Reconnaissance Activity"
 note = "This rule takes HTTP redirects and HTTP referrer's into account, however neither HTTP redirect status codes nor HTTP referrer's are visible with TLS traffic which can lead to multiple events per alert."
 references = [
diff --git a/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml b/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml
index 380ff23b6..37ed5bfb0 100644
--- a/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml
+++ b/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ false_positives = [ from = "now-9m" index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "RDP (Remote Desktop Protocol) to the Internet" risk_score = 21 rule_id = "e56993d2-759c-4120-984c-9ec9bb940fd5" diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml index 97e78c5ac..977de584c 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml +++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ back-door vector. from = "now-9m" index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "RPC (Remote Procedure Call) from the Internet" risk_score = 73 rule_id = "143cb236-0956-4f42-a706-814bcaa0cf5a" diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml index 48095a8cc..58dc07cc3 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml +++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -14,7 +14,7 @@ back-door vector. from = "now-9m" index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "RPC (Remote Procedure Call) to the Internet" risk_score = 73 rule_id = "32923416-763a-4531-bb35-f33b9232ecdb" diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml index c3bb513fd..578e7c930 100644 --- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml +++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ threat actors as an initial access or back-door vector or for data exfiltration. from = "now-9m" index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "SMB (Windows File Sharing) Activity to the Internet" risk_score = 73 rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a" diff --git a/rules/network/initial_access_unsecure_elasticsearch_node.toml b/rules/network/initial_access_unsecure_elasticsearch_node.toml index dec1290f9..67add3a73 100644 --- a/rules/network/initial_access_unsecure_elasticsearch_node.toml +++ b/rules/network/initial_access_unsecure_elasticsearch_node.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/11" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -17,7 +17,7 @@ false_positives = [ ] index = ["packetbeat-*"] language = "lucene" -license = "Elastic License" +license = "Elastic License v2" name = "Inbound Connection to an Unsecure Elasticsearch Node" note = "This rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. See the References section for additional configuration documentation." references = [ diff --git a/rules/okta/attempt_to_deactivate_okta_network_zone.toml b/rules/okta/attempt_to_deactivate_okta_network_zone.toml index 3f340e3ad..675fffccc 100644 --- a/rules/okta/attempt_to_deactivate_okta_network_zone.toml +++ b/rules/okta/attempt_to_deactivate_okta_network_zone.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/06" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Deactivate an Okta Network Zone" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/attempt_to_delete_okta_network_zone.toml b/rules/okta/attempt_to_delete_okta_network_zone.toml index f23a34471..1eb72f549 100644 --- a/rules/okta/attempt_to_delete_okta_network_zone.toml +++ b/rules/okta/attempt_to_delete_okta_network_zone.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/06" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Delete an Okta Network Zone" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ 
diff --git a/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml index a92f495ca..6335d9f64 100644 --- a/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml +++ b/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ policies configured for an organization in order to obtain unauthorized access t """ index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempted Bypass of Okta MFA" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml index dcb1ea6d4..d54eba71b 100644 --- a/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml +++ b/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/19" maturity = "production" -updated_date = "2020/10/26" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ ensures that a user account is locked out after 10 failed authentication attempt from = "now-180m" index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempts to Brute Force an Okta User Account" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/credential_access_okta_brute_force_or_password_spraying.toml b/rules/okta/credential_access_okta_brute_force_or_password_spraying.toml index 0d74b8f18..bf60d812e 100644 
--- a/rules/okta/credential_access_okta_brute_force_or_password_spraying.toml +++ b/rules/okta/credential_access_okta_brute_force_or_password_spraying.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/07/16" maturity = "production" -updated_date = "2020/10/26" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Okta Brute Force or Password Spraying Attack" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml index 6bf94a6d5..bc60eab60 100644 --- a/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml +++ b/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/19" maturity = "production" -updated_date = "2020/10/26" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ false_positives = [ from = "now-60m" index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "High Number of Okta User Password Reset or Unlock Attempts" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/okta/impact_attempt_to_revoke_okta_api_token.toml index dbb036655..ad3b9155d 100644 --- a/rules/okta/impact_attempt_to_revoke_okta_api_token.toml +++ b/rules/okta/impact_attempt_to_revoke_okta_api_token.toml 
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Revoke Okta API Token" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/impact_possible_okta_dos_attack.toml b/rules/okta/impact_possible_okta_dos_attack.toml index b96161cb5..5760c1db2 100644 --- a/rules/okta/impact_possible_okta_dos_attack.toml +++ b/rules/okta/impact_possible_okta_dos_attack.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ organization's business operations by performing a DoS attack against its Okta s """ index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Possible Okta DoS Attack" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml index 7fdb055fb..2915d5d30 100644 --- a/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml +++ b/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -12,7 +12,7 @@ help security teams identify when an adversary is attempting to gain access to t false_positives = ["A user may report suspicious activity on their Okta account in error."] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Suspicious Activity Reported by Okta User" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/okta_attempt_to_deactivate_okta_application.toml b/rules/okta/okta_attempt_to_deactivate_okta_application.toml index 7a0e35e32..f2696c835 100644 --- a/rules/okta/okta_attempt_to_deactivate_okta_application.toml +++ b/rules/okta/okta_attempt_to_deactivate_okta_application.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/06" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Deactivate an Okta Application" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/okta_attempt_to_deactivate_okta_policy.toml b/rules/okta/okta_attempt_to_deactivate_okta_policy.toml index 37a76d8f8..75e8d5852 100644 --- a/rules/okta/okta_attempt_to_deactivate_okta_policy.toml +++ b/rules/okta/okta_attempt_to_deactivate_okta_policy.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Deactivate an Okta Policy" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ 
diff --git a/rules/okta/okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/okta/okta_attempt_to_deactivate_okta_policy_rule.toml index 7077082fb..5df33d4c4 100644 --- a/rules/okta/okta_attempt_to_deactivate_okta_policy_rule.toml +++ b/rules/okta/okta_attempt_to_deactivate_okta_policy_rule.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Deactivate an Okta Policy Rule" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/okta_attempt_to_delete_okta_application.toml b/rules/okta/okta_attempt_to_delete_okta_application.toml index 4cbc57015..767e62790 100644 --- a/rules/okta/okta_attempt_to_delete_okta_application.toml +++ b/rules/okta/okta_attempt_to_delete_okta_application.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/06" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Delete an Okta Application" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/okta_attempt_to_delete_okta_policy.toml b/rules/okta/okta_attempt_to_delete_okta_policy.toml index 16d343e80..1a56d4a84 100644 --- a/rules/okta/okta_attempt_to_delete_okta_policy.toml +++ b/rules/okta/okta_attempt_to_delete_okta_policy.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/28" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -18,7 +18,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Delete an Okta Policy" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/okta_attempt_to_delete_okta_policy_rule.toml b/rules/okta/okta_attempt_to_delete_okta_policy_rule.toml index c40b33153..a955aaaab 100644 --- a/rules/okta/okta_attempt_to_delete_okta_policy_rule.toml +++ b/rules/okta/okta_attempt_to_delete_okta_policy_rule.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/06" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Delete an Okta Policy Rule" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/okta_attempt_to_modify_okta_application.toml b/rules/okta/okta_attempt_to_modify_okta_application.toml index e7d70d0d6..5833179a0 100644 --- a/rules/okta/okta_attempt_to_modify_okta_application.toml +++ b/rules/okta/okta_attempt_to_modify_okta_application.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/06" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Modify an Okta Application" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/okta_attempt_to_modify_okta_network_zone.toml b/rules/okta/okta_attempt_to_modify_okta_network_zone.toml index dcc290ac6..fe6b29d28 100644 
--- a/rules/okta/okta_attempt_to_modify_okta_network_zone.toml +++ b/rules/okta/okta_attempt_to_modify_okta_network_zone.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Modify an Okta Network Zone" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/okta_attempt_to_modify_okta_policy.toml b/rules/okta/okta_attempt_to_modify_okta_policy.toml index ec4de2633..73f654a8c 100644 --- a/rules/okta/okta_attempt_to_modify_okta_policy.toml +++ b/rules/okta/okta_attempt_to_modify_okta_policy.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Modify an Okta Policy" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/okta_attempt_to_modify_okta_policy_rule.toml b/rules/okta/okta_attempt_to_modify_okta_policy_rule.toml index b021a3017..f619a99a5 100644 --- a/rules/okta/okta_attempt_to_modify_okta_policy_rule.toml +++ b/rules/okta/okta_attempt_to_modify_okta_policy_rule.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -17,7 +17,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Modify an Okta Policy Rule" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml index 21e0b1175..d4f089170 100644 --- a/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml +++ b/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/07/01" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Modification or Removal of an Okta Application Sign-On Policy" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/okta_threat_detected_by_okta_threatinsight.toml b/rules/okta/okta_threat_detected_by_okta_threatinsight.toml index c1def11a9..6338b5f78 100644 --- a/rules/okta/okta_threat_detected_by_okta_threatinsight.toml +++ b/rules/okta/okta_threat_detected_by_okta_threatinsight.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -12,7 +12,7 @@ based attacks against their organization, such as brute force and password spray """ index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Threat Detected by Okta ThreatInsight" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml index 1438589a6..d11f1905d 100644 --- a/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml +++ b/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Administrator Privileges Assigned to an Okta Group" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/persistence_administrator_role_assigned_to_okta_user.toml b/rules/okta/persistence_administrator_role_assigned_to_okta_user.toml index 7ab0cbd18..3c08c1030 100644 --- a/rules/okta/persistence_administrator_role_assigned_to_okta_user.toml +++ b/rules/okta/persistence_administrator_role_assigned_to_okta_user.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/06" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -18,7 +18,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Administrator Role Assigned to an Okta User" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/okta/persistence_attempt_to_create_okta_api_token.toml index 0281e48dd..8443ad327 100644 --- a/rules/okta/persistence_attempt_to_create_okta_api_token.toml +++ b/rules/okta/persistence_attempt_to_create_okta_api_token.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Create Okta API Token" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml b/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml index fcb965d07..84c101c2c 100644 --- a/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml +++ b/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/20" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Deactivate MFA for an Okta User Account" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ 
diff --git a/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml index d3f397ea6..3ec7624a4 100644 --- a/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml +++ b/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/21" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ ] index = ["filebeat-*", "logs-okta*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Attempt to Reset MFA Factors for an Okta User Account" note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule." references = [ diff --git a/rules/promotions/elastic_endpoint.toml b/rules/promotions/elastic_endpoint.toml index d70082281..bf13c9fdd 100644 --- a/rules/promotions/elastic_endpoint.toml +++ b/rules/promotions/elastic_endpoint.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/07/08" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ enabled = true from = "now-10m" index = ["logs-endpoint.alerts-*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" max_signals = 10000 name = "Endpoint Security" risk_score = 47 diff --git a/rules/promotions/endpoint_adversary_behavior_detected.toml b/rules/promotions/endpoint_adversary_behavior_detected.toml index 02bdfd479..c2d832b31 100644 --- a/rules/promotions/endpoint_adversary_behavior_detected.toml +++ b/rules/promotions/endpoint_adversary_behavior_detected.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ from = "now-15m" index = ["endgame-*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Adversary Behavior - Detected - Endpoint Security" risk_score = 47 rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69" diff --git a/rules/promotions/endpoint_cred_dumping_detected.toml b/rules/promotions/endpoint_cred_dumping_detected.toml index 387846c01..68ecdc556 100644 --- a/rules/promotions/endpoint_cred_dumping_detected.toml +++ b/rules/promotions/endpoint_cred_dumping_detected.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ from = "now-15m" index = ["endgame-*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Credential Dumping - Detected - Endpoint Security" risk_score = 73 rule_id = "571afc56-5ed9-465d-a2a9-045f099f6e7e" diff --git a/rules/promotions/endpoint_cred_dumping_prevented.toml b/rules/promotions/endpoint_cred_dumping_prevented.toml index 2e88be52c..174df2a6b 100644 --- a/rules/promotions/endpoint_cred_dumping_prevented.toml +++ b/rules/promotions/endpoint_cred_dumping_prevented.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ from = "now-15m" index = ["endgame-*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Credential Dumping - Prevented - Endpoint Security" risk_score = 47 rule_id = "db8c33a8-03cd-4988-9e2c-d0a4863adb13" diff --git a/rules/promotions/endpoint_cred_manipulation_detected.toml b/rules/promotions/endpoint_cred_manipulation_detected.toml index 45cd5d2f6..727012d8e 100644 --- a/rules/promotions/endpoint_cred_manipulation_detected.toml 
+++ b/rules/promotions/endpoint_cred_manipulation_detected.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ from = "now-15m" index = ["endgame-*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Credential Manipulation - Detected - Endpoint Security" risk_score = 73 rule_id = "c0be5f31-e180-48ed-aa08-96b36899d48f" diff --git a/rules/promotions/endpoint_cred_manipulation_prevented.toml b/rules/promotions/endpoint_cred_manipulation_prevented.toml index a2fbe0f02..f0d789eb7 100644 --- a/rules/promotions/endpoint_cred_manipulation_prevented.toml +++ b/rules/promotions/endpoint_cred_manipulation_prevented.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ from = "now-15m" index = ["endgame-*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Credential Manipulation - Prevented - Endpoint Security" risk_score = 47 rule_id = "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa" diff --git a/rules/promotions/endpoint_exploit_detected.toml b/rules/promotions/endpoint_exploit_detected.toml index 4a8fb3521..ace67380b 100644 --- a/rules/promotions/endpoint_exploit_detected.toml +++ b/rules/promotions/endpoint_exploit_detected.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ from = "now-15m" index = ["endgame-*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Exploit - Detected - Endpoint Security" risk_score = 73 rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514" 
diff --git a/rules/promotions/endpoint_exploit_prevented.toml b/rules/promotions/endpoint_exploit_prevented.toml index 8db8a7636..ccf409460 100644 --- a/rules/promotions/endpoint_exploit_prevented.toml +++ b/rules/promotions/endpoint_exploit_prevented.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ from = "now-15m" index = ["endgame-*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Exploit - Prevented - Endpoint Security" risk_score = 47 rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036" diff --git a/rules/promotions/endpoint_malware_detected.toml b/rules/promotions/endpoint_malware_detected.toml index 09aa8feec..c770d69da 100644 --- a/rules/promotions/endpoint_malware_detected.toml +++ b/rules/promotions/endpoint_malware_detected.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ from = "now-15m" index = ["endgame-*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Malware - Detected - Endpoint Security" risk_score = 99 rule_id = "0a97b20f-4144-49ea-be32-b540ecc445de" diff --git a/rules/promotions/endpoint_malware_prevented.toml b/rules/promotions/endpoint_malware_prevented.toml index f879b6b5f..e2d35d625 100644 --- a/rules/promotions/endpoint_malware_prevented.toml +++ b/rules/promotions/endpoint_malware_prevented.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ from = "now-15m" index = ["endgame-*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Malware - Prevented - Endpoint Security" risk_score = 73 rule_id = "3b382770-efbb-44f4-beed-f5e0a051b895" diff --git a/rules/promotions/endpoint_permission_theft_detected.toml b/rules/promotions/endpoint_permission_theft_detected.toml index 6e0de9d69..cf4c81103 100644 --- a/rules/promotions/endpoint_permission_theft_detected.toml +++ b/rules/promotions/endpoint_permission_theft_detected.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ from = "now-15m" index = ["endgame-*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Permission Theft - Detected - Endpoint Security" risk_score = 73 rule_id = "c3167e1b-f73c-41be-b60b-87f4df707fe3" diff --git a/rules/promotions/endpoint_permission_theft_prevented.toml b/rules/promotions/endpoint_permission_theft_prevented.toml index ddbd069f5..21a64775b 100644 --- a/rules/promotions/endpoint_permission_theft_prevented.toml +++ b/rules/promotions/endpoint_permission_theft_prevented.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ from = "now-15m" index = ["endgame-*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Permission Theft - Prevented - Endpoint Security" risk_score = 47 rule_id = "453f659e-0429-40b1-bfdb-b6957286e04b" diff --git a/rules/promotions/endpoint_process_injection_detected.toml b/rules/promotions/endpoint_process_injection_detected.toml index df8336bbc..f8128ed28 100644 --- a/rules/promotions/endpoint_process_injection_detected.toml 
+++ b/rules/promotions/endpoint_process_injection_detected.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ from = "now-15m" index = ["endgame-*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Process Injection - Detected - Endpoint Security" risk_score = 73 rule_id = "80c52164-c82a-402c-9964-852533d58be1" diff --git a/rules/promotions/endpoint_process_injection_prevented.toml b/rules/promotions/endpoint_process_injection_prevented.toml index 5d13e9090..5b17ce160 100644 --- a/rules/promotions/endpoint_process_injection_prevented.toml +++ b/rules/promotions/endpoint_process_injection_prevented.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ from = "now-15m" index = ["endgame-*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Process Injection - Prevented - Endpoint Security" risk_score = 47 rule_id = "990838aa-a953-4f3e-b3cb-6ddf7584de9e" diff --git a/rules/promotions/endpoint_ransomware_detected.toml b/rules/promotions/endpoint_ransomware_detected.toml index 22d2f0889..d540b1724 100644 --- a/rules/promotions/endpoint_ransomware_detected.toml +++ b/rules/promotions/endpoint_ransomware_detected.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ from = "now-15m" index = ["endgame-*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Ransomware - Detected - Endpoint Security" risk_score = 99 rule_id = "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd" 
diff --git a/rules/promotions/endpoint_ransomware_prevented.toml b/rules/promotions/endpoint_ransomware_prevented.toml index 6210f58d1..a07a3ced1 100644 --- a/rules/promotions/endpoint_ransomware_prevented.toml +++ b/rules/promotions/endpoint_ransomware_prevented.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ from = "now-15m" index = ["endgame-*"] interval = "10m" language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Ransomware - Prevented - Endpoint Security" risk_score = 73 rule_id = "e3c5d5cb-41d5-4206-805c-f30561eae3ac" diff --git a/rules/promotions/external_alerts.toml b/rules/promotions/external_alerts.toml index 85d506294..f4ff2b827 100644 --- a/rules/promotions/external_alerts.toml +++ b/rules/promotions/external_alerts.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/07/08" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ immediately begin investigating external alerts in the app. """ index = ["apm-*-transaction*", "auditbeat-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" max_signals = 10000 name = "External Alerts" risk_score = 47 @@ -56,3 +56,4 @@ operator = "equals" value = "99" severity = "critical" + diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml index b10370eed..129e4d503 100644 --- a/rules/windows/collection_email_powershell_exchange_mailbox.toml +++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/15" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ false_positives = ["Legitimate exchange system administration activity."] from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Exporting Exchange Mailbox via PowerShell" references = [ "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", diff --git a/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml index bdf129a62..cbd8c7b36 100644 --- a/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml +++ b/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/15" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ false_positives = ["Legitimate exchange system administration activity."] from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "New ActiveSyncAllowedDeviceID Added via PowerShell" references = [ "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml index cfd60d2e0..608262f9a 100644 --- a/rules/windows/collection_winrar_encryption.toml +++ b/rules/windows/collection_winrar_encryption.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/04" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -12,7 +12,7 @@ preparation for exfiltration. from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Encrypting Files with WinRar or 7z" references = ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"] risk_score = 47 diff --git a/rules/windows/command_and_control_certutil_network_connection.toml b/rules/windows/command_and_control_certutil_network_connection.toml index 089f2adf1..544bacac5 100644 --- a/rules/windows/command_and_control_certutil_network_connection.toml +++ b/rules/windows/command_and_control_certutil_network_connection.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/03/19" maturity = "production" -updated_date = "2021/01/28" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ malware, from a remote URL. from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Network Connection via Certutil" risk_score = 21 rule_id = "3838e0e3-1850-4850-a411-2e8c5ba40ba8" diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml index 6e4281d3e..d56d8ba2f 100644 --- a/rules/windows/command_and_control_common_webservices.toml +++ b/rules/windows/command_and_control_common_webservices.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/04" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -14,7 +14,7 @@ targeted since they have most likely been used before a compromise and allow adv from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Connection to Commonly Abused Web Services" risk_score = 21 rule_id = "66883649-f908-4a5b-a1e0-54090a1d3a32" diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml index 97979c244..50fe93796 100644 --- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml +++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/11" maturity = "production" -updated_date = "2021/01/28" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ may indicate command and control activity utilizing the DNS protocol. from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Potential DNS Tunneling via NsLookup" references = ["https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"] risk_score = 47 diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml index 92c809c31..4fefd546b 100644 --- a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml +++ b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/04" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -12,7 +12,7 @@ encryption algorithm to conceal command and control traffic. from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Connection to Commonly Abused Free SSL Certificate Providers" risk_score = 21 rule_id = "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d" diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml index f0c6f09b9..d1806372a 100644 --- a/rules/windows/command_and_control_iexplore_via_com.toml +++ b/rules/windows/command_and_control_iexplore_via_com.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/28" maturity = "production" -updated_date = "2021/02/08" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ network connections and bypass host-based firewall restrictions. from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Potential Command and Control via Internet Explorer" risk_score = 47 rule_id = "acd611f3-2b93-47b3-a0a3-7723bcc46f6d" @@ -51,3 +51,4 @@ reference = "https://attack.mitre.org/techniques/T1071/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml index bf6ac0b61..e9ca91c5c 100644 --- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml +++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/03" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -12,7 +12,7 @@ download arbitrary files as an alternative to certutil. from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Remote File Download via Desktopimgdownldr Utility" references = ["https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"] risk_score = 47 diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml index 9c5e6ba7d..8afb348a9 100644 --- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml +++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/03" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -9,7 +9,7 @@ description = "Identifies the Windows Defender configuration utility (MpCmdRun.e from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Remote File Download via MpCmdRun" note = """### Investigating Remote File Download via MpCmdRun Verify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`.""" diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml index 8bdbcc217..e358dd279 100644 --- a/rules/windows/command_and_control_remote_file_copy_powershell.toml +++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/30" maturity = "production" -updated_date = "2021/01/28" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -9,7 +9,7 @@ description = "Identifies powershell.exe being used to download an executable fi from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Remote File Download via PowerShell" risk_score = 47 rule_id = "33f306e8-417c-411b-965c-c2812d6d3f4d" diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml index 4eab5104c..448760db0 100644 --- a/rules/windows/command_and_control_remote_file_copy_scripts.toml +++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/29" maturity = "production" -updated_date = "2021/02/08" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ from a remote destination. from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Remote File Download via Script Interpreter" risk_score = 47 rule_id = "1d276579-3380-4095-ad38-e596a01bc64f" diff --git a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml index 70c6e35f9..c614c9b75 100644 --- a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml +++ b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/14" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -12,7 +12,7 @@ post-exploitation command and control activity of the SUNBURST backdoor. from = "now-9m" index = ["logs-endpoint.events.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "SUNBURST Command and Control Activity" note = "The SUNBURST malware attempts to hide within the Orion Improvement Program (OIP) network traffic. As this rule detects post-exploitation network traffic, investigations into this should be prioritized." references = [ diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml index 8cf7ad6fb..2818daa44 100644 --- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml +++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/02" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -9,7 +9,7 @@ description = "Identifies an executable or script file remotely downloaded via a from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Remote File Copy via TeamViewer" references = ["https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"] risk_score = 47 diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml index 4d0abd65d..c40a857db 100644 --- a/rules/windows/credential_access_cmdline_dump_tool.toml +++ b/rules/windows/credential_access_cmdline_dump_tool.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/24" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -12,7 +12,7 @@ Identifies the execution of known Windows utilities often abused to dump LSASS m from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Potential Credential Access via Windows Utilities" references = ["https://lolbas-project.github.io/"] risk_score = 73 diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml index 776efb983..176bea0e3 100644 --- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml +++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/24" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Those files contain sensitive information including hashed domain and/or local c from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" max_signals = 33 name = "NTDS or SAM Database File Copied" references = ["https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/"] diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml index 2dd7f3d73..a18267b80 100755 --- a/rules/windows/credential_access_credential_dumping_msbuild.toml +++ b/rules/windows/credential_access_credential_dumping_msbuild.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/03/25" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ false_positives = ["The Build Engine is commonly used by Windows developers but from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Microsoft Build Engine Loading Windows Credential Libraries" risk_score = 73 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5" diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml index fc014206f..f61880cb9 100644 --- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml +++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/13" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Identifies the creation or modification of Domain Backup private keys. Adversari from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Creation or Modification of Domain Backup DPAPI private key" note = "### Domain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys." references = [ diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml index d1448eaab..3493fb89e 100644 --- a/rules/windows/credential_access_dump_registry_hives.toml +++ b/rules/windows/credential_access_dump_registry_hives.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/23" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -9,7 +9,7 @@ description = "Identifies attempts to export a registry hive which may contain c from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Credential Acquisition via Registry Hive Dumping" references = [ "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8", diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml index a177c1002..1f8aaaafe 100644 --- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml +++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ with IIS web server access via a web shell can decrypt and dump the IIS AppPool from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" max_signals = 33 name = "Microsoft IIS Service Account Password Dumped" references = ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"] diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml index 70aebe65e..330b69b8a 100644 --- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml +++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ password using aspnet_regiis command. from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" max_signals = 33 name = "Microsoft IIS Connection Strings Decryption" references = [ diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml index 847e75a46..e28ab9e96 100644 --- a/rules/windows/credential_access_kerberoasting_unusual_process.toml +++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/02" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Kerberos Traffic from Unusual Process" risk_score = 47 rule_id = "897dc6b5-b39f-432a-8d75-d3730d50c782" diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml index c523655ad..30fa3cb5d 100644 --- a/rules/windows/credential_access_lsass_memdump_file_created.toml +++ b/rules/windows/credential_access_lsass_memdump_file_created.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/24" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ indicate a credential access attempt via trusted system utilities such as Task M from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "LSASS Memory Dump Creation" references = ["https://github.com/outflanknl/Dumpert", "https://github.com/hoangprod/AndrewSpecial"] risk_score = 73 diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml index ec8170b11..ce77d850a 100644 --- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml +++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/31" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -9,7 +9,7 @@ description = "Identifies the password log file from the default Mimikatz memssp from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Mimikatz Memssp Log File Detected" risk_score = 73 rule_id = "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6" diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml index a225252ed..9fe9360d5 100644 --- a/rules/windows/credential_access_mimikatz_powershell_module.toml +++ b/rules/windows/credential_access_mimikatz_powershell_module.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/07" maturity = "development" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ PowerShell command. from = "now-9m" index = ["logs-endpoint.events.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Mimikatz Powershell Module Activity Detected" note = "This rule identifies an adversary attempt to collect, decrypt, and/or use cached credentials. Alerts from this rule should be prioritized because an adversary has an initial foothold onto an endpoint." references = ["https://attack.mitre.org/software/S0002/"] diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml index daa927cda..a415fe95c 100644 --- a/rules/windows/credential_access_mod_wdigest_security_provider.toml +++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/19" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ memory. from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Modification of WDigest Security Provider" references = [ "https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html", diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml index 07add6f58..fb0bf754e 100644 --- a/rules/windows/credential_access_saved_creds_vaultcmd.toml +++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/19" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ saved usernames and passwords. This may also be performed in preparation of late from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" -license = "Elastic License" +license = "Elastic License v2" name = "Searching for Saved Credentials via VaultCmd" references = [ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml index 0ad252323..82d55a753 100644 --- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml +++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] @@ -9,7 +9,7 @@ description = "Adversaries can add the 'hidden' attribute to files to hide them from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Adding Hidden File Attribute via Attrib" risk_score = 21 rule_id = "4630d948-40d4-4cef-ac69-4002e29bc3db" diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml index 085d9f465..14ccc4b41 100644 --- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -12,7 +12,7 @@ attackers in an attempt to evade detection or destroy forensic evidence on a sys from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Clearing Windows Event Logs" risk_score = 21 rule_id = "d331bbe2-6db4-4941-80a5-8270db72eb61" diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml index a4e8b1e16..dca314625 100644 --- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/12" maturity = "production" -updated_date = "2021/02/11" +updated_date = "2021/03/03" [rule] author = ["Elastic", "Anabella Cristaldi"] @@ -12,7 +12,7 @@ or destroy forensic evidence on a system. from = "now-9m" index = ["winlogbeat-*", "logs-windows.*"] language = "kuery" -license = "Elastic License" +license = "Elastic License v2" name = "Windows Event Logs Cleared" risk_score = 21 rule_id = "45ac4800-840f-414c-b221-53dd36a5aaf7" diff --git a/rules/windows/defense_evasion_code_injection_conhost.toml b/rules/windows/defense_evasion_code_injection_conhost.toml index 45e81eb35..f8adadd47 100644 --- a/rules/windows/defense_evasion_code_injection_conhost.toml +++ b/rules/windows/defense_evasion_code_injection_conhost.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/31" maturity = "production" -updated_date = "2021/02/16" +updated_date = "2021/03/03" [rule] author = ["Elastic"] 
@@ -9,7 +9,7 @@ description = "Identifies a suspicious Conhost child process which may be an ind
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious Process from Conhost"
 references = [
 "https://modexp.wordpress.com/2018/09/12/process-injection-user-data/",
@@ -41,3 +41,4 @@ reference = "https://attack.mitre.org/techniques/T1055/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml
index e2caba391..514cb6301 100644
--- a/rules/windows/defense_evasion_create_mod_root_certificate.toml
+++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/02/01"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ false_positives = ["Certain applications may install root certificates for the p
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Creation or Modification of Root Certificate"
 references = [
 "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
diff --git a/rules/windows/defense_evasion_cve_2020_0601.toml b/rules/windows/defense_evasion_cve_2020_0601.toml
index d8d7d89a1..07d15a1c7 100644
--- a/rules/windows/defense_evasion_cve_2020_0601.toml
+++ b/rules/windows/defense_evasion_cve_2020_0601.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ malicious executable, making it appear the file was from a trusted, legitimate s
 """
 index = ["winlogbeat-*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)"
 risk_score = 21
 rule_id = "56557cde-d923-4b88-adee-c61b3f3b5dc3"
diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
index 6c64d84f2..3011335a8 100644
--- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ started manually.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Windows Defender Disabled via Registry Modification"
 note = "Detections should be investigated to identify if the hosts and users are authorized to use this tool. As this rule detects post-exploitation process activity, investigations into this should be prioritized"
 references = ["https://thedfirreport.com/2020/12/13/defender-control/"]
diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
index 8a681868f..d4b565639 100644
--- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
+++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ of files created during post-exploitation activities.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Delete Volume USN Journal with Fsutil"
 risk_score = 21
 rule_id = "f675872f-6d85-40a3-b502-c0d2ef101e92"
diff --git a/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
index 1c7f14772..670caec24 100644
--- a/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
+++ b/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ system recovery.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Deleting Backup Catalogs with Wbadmin"
 risk_score = 21
 rule_id = "581add16-df76-42bb-af8e-c979bfb39a59"
diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
index 4e8f061f3..ac3a6cd84 100644
--- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
+++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ disable the firewall during troubleshooting or to enable network mobility.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Disable Windows Firewall Rules via Netsh"
 risk_score = 47
 rule_id = "4b438734-3793-4fda-bd42-ceeada0be8f9"
diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
index 36d1d0cb9..70c059951 100644
--- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
+++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/21"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies suspicious .NET code execution. connections."
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious .NET Code Compilation"
 risk_score = 47
 rule_id = "201200f1-a99b-43fb-88ed-f65a45c4972c"
diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
index 90d9e751b..d3b9d3214 100644
--- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/13"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ the Windows Firewall.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Remote Desktop Enabled in Windows Firewall"
 risk_score = 47
 rule_id = "074464f9-f30d-4029-8c03-0ed237fffec7"
diff --git a/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml b/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
index e8bd7e9d3..7c04d8acf 100644
--- a/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
+++ b/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ control or exfiltration.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Encoding or Decoding Files via CertUtil"
 risk_score = 47
 rule_id = "fd70c98a-c410-42dc-a2e3-761c71848acf"
diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
index be33e5f5b..d0fe068c2 100644
--- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
+++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/13"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ as a defense evasion technique to blend-in malicious activity with legitimate Wi
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "ImageLoad via Windows Update Auto Update Client"
 references = ["https://dtm.uk/wuauclt/"]
 risk_score = 47
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
index efbd26bb6..30476367f 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft Build Engine Started by an Office Application"
 references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"]
 risk_score = 73
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
index 2dc280274..6df9777f3 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = ["The Build Engine is commonly used by Windows developers but
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft Build Engine Started by a Script Process"
 risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
index d65499998..39a738587 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = ["The Build Engine is commonly used by Windows developers but
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft Build Engine Started by a System Process"
 risk_score = 47
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
index 67a1a89cf..176fb374b 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = ["The Build Engine is commonly used by Windows developers but
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft Build Engine Using an Alternate Name"
 risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
index 635f8a783..f4ec8530e 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Microsoft Build Engine Started an Unusual Process"
 references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"]
 risk_score = 21
diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
index a727159d0..e8f56a588 100644
--- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
+++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ defenses via side loading a malicious DLL within the memory space of one of thos
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential DLL SideLoading via Trusted Microsoft Programs"
 risk_score = 73
 rule_id = "1160dcdb-0a0a-4a79-91d8-9b84616edebd"
diff --git a/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml b/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
index 627b8d36a..6f5ac984b 100644
--- a/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
+++ b/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ false_positives = ["These programs may be used by Windows developers but use by
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Trusted Developer Application Usage"
 risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1"
diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml
index 743f0f86f..41b77f901 100644
--- a/rules/windows/defense_evasion_file_creation_mult_extension.toml
+++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ benign file type but is actually executable code.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Executable File Creation with Multiple Extensions"
 risk_score = 47
 rule_id = "8b2b3a62-a598-4293-bc14-3d5fa22bb98f"
diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
index ac7052a2e..d89034c46 100644
--- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
+++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/25"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ defense evasion by avoiding the storing of malicious content directly on disk.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Encoded Executable Stored in the Registry"
 risk_score = 47
 rule_id = "93c1ce76-494c-4f01-8167-35edfb52f7b1"
diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
index 6b86742a3..72b731867 100644
--- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml
+++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ access via a webshell or other mechanism can disable HTTP Logging as an effectiv
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 max_signals = 33
 name = "IIS HTTP Logging Disabled"
 risk_score = 73
diff --git a/rules/windows/defense_evasion_injection_msbuild.toml b/rules/windows/defense_evasion_injection_msbuild.toml
index d3786ac1c..f5864bd39 100755
--- a/rules/windows/defense_evasion_injection_msbuild.toml
+++ b/rules/windows/defense_evasion_injection_msbuild.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ used to evade detection or elevate privileges.
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
 index = ["winlogbeat-*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Process Injection by the Microsoft Build Engine"
 risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9"
diff --git a/rules/windows/defense_evasion_installutil_beacon.toml b/rules/windows/defense_evasion_installutil_beacon.toml
index f6054c95f..404b9d7fb 100644
--- a/rules/windows/defense_evasion_installutil_beacon.toml
+++ b/rules/windows/defense_evasion_installutil_beacon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ often leveraged by adversaries to execute code and evade detection.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "InstallUtil Process Making Network Connections"
 risk_score = 21
 rule_id = "a13167f1-eec2-4015-9631-1fee60406dcf"
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index 171552b71..08a8952cc 100644
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/24"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ injection.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious Endpoint Security Parent Process"
 risk_score = 47
 rule_id = "b41a13c6-ba45-4bab-a534-df53d0cfed6a"
diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
index 931a07a95..70d3e06e2 100644
--- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
+++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ executable to avoid detection.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Renamed AutoIt Scripts Interpreter"
 risk_score = 47
 rule_id = "2e1e835d-01e5-48ca-b9fc-7a61f7f11902"
diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
index 63a9461fd..2fb9f6b79 100644
--- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
+++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/24"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = ["Custom Windows Error Reporting Debugger"]
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious WerFault Child Process"
 references = [
 "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
index 55a7184c6..613d44853 100644
--- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml
+++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ detections whitelisting those folders.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Program Files Directory Masquerading"
 risk_score = 47
 rule_id = "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14"
diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml
index d3ad8e5f0..69f5cfcc4 100644
--- a/rules/windows/defense_evasion_masquerading_werfault.toml
+++ b/rules/windows/defense_evasion_masquerading_werfault.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/24"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ false_positives = ["Legit Application Crash with rare Werfault commandline value
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Windows Error Manager Masquerading"
 references = [
 "https://twitter.com/SBousseaden/status/1235533224337641473",
diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
index e3998e6d1..43e6c0ec1 100644
--- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
+++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ application allowlists and signature validation.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Network Connection via Signed Binary"
 risk_score = 21
 rule_id = "63e65ec3-43b1-45b0-8f2d-45b34291dc44"
diff --git a/rules/windows/defense_evasion_modification_of_boot_config.toml b/rules/windows/defense_evasion_modification_of_boot_config.toml
index e154a91a1..1325c1dce 100644
--- a/rules/windows/defense_evasion_modification_of_boot_config.toml
+++ b/rules/windows/defense_evasion_modification_of_boot_config.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/16"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ attacker as a destructive technique.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Modification of Boot Configuration"
 risk_score = 21
 rule_id = "69c251fb-a5d6-4035-b5ec-40438bd829ff"
diff --git a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
index 017ef04c4..7271c033b 100644
--- a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
+++ b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ leveraged by adversaries to execute code and evade detection.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "MsBuild Network Connection Sequence"
 risk_score = 21
 rule_id = "9dc6ed5d-62a9-4feb-a903-fafa1d33b8e9"
diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
index 7bcb73239..c0e81c0e8 100644
--- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml
+++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ leveraged by adversaries to execute code and evade detection.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "MsBuild Making Network Connections"
 risk_score = 47
 rule_id = "0e79980b-4250-4a50-a509-69294c14e84b"
diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml
index 67bfc9df4..5191203df 100644
--- a/rules/windows/defense_evasion_mshta_beacon.toml
+++ b/rules/windows/defense_evasion_mshta_beacon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ leveraged by adversaries to execute malicious scripts and evade detection.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Mshta Making Network Connections"
 risk_score = 21
 rule_id = "c2d90150-0133-451c-a783-533e736c12d7"
diff --git a/rules/windows/defense_evasion_mshta_making_network_connections.toml b/rules/windows/defense_evasion_mshta_making_network_connections.toml
index f11bc5049..7d6f22583 100644
--- a/rules/windows/defense_evasion_mshta_making_network_connections.toml
+++ b/rules/windows/defense_evasion_mshta_making_network_connections.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "development"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ by adversaries to execute malicious scripts and evade detection.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Network Connection via Mshta"
 references = ["https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"]
 risk_score = 47
diff --git a/rules/windows/defense_evasion_msxsl_beacon.toml b/rules/windows/defense_evasion_msxsl_beacon.toml
index 733ddfd17..809d23168 100644
--- a/rules/windows/defense_evasion_msxsl_beacon.toml
+++ b/rules/windows/defense_evasion_msxsl_beacon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ leveraged by adversaries to execute malicious scripts and evade detection.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "MsXsl Making Network Connections"
 risk_score = 21
 rule_id = "870d1753-1078-403e-92d4-735f142edcca"
diff --git a/rules/windows/defense_evasion_msxsl_network.toml b/rules/windows/defense_evasion_msxsl_network.toml
index 610332803..390b71e90 100644
--- a/rules/windows/defense_evasion_msxsl_network.toml
+++ b/rules/windows/defense_evasion_msxsl_network.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/18"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ by adversaries to execute malicious scripts and evade detection.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Network Connection via MsXsl"
 risk_score = 21
 rule_id = "b86afe07-0d98-4738-b15d-8d7465f95ff5"
diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
index 7f10d9b03..68410361c 100644
--- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
+++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ applications are often leveraged by adversaries to execute code and evade detect
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Unusual Network Activity from a Windows System Binary"
 risk_score = 21
 rule_id = "1fe3b299-fbb5-4657-a937-1d746f2c711a"
diff --git a/rules/windows/defense_evasion_port_forwarding_added_registry.toml b/rules/windows/defense_evasion_port_forwarding_added_registry.toml
index 976d76fa8..31adda780 100644
--- a/rules/windows/defense_evasion_port_forwarding_added_registry.toml
+++ b/rules/windows/defense_evasion_port_forwarding_added_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/25"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ segmentation restrictions.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Port Forwarding Rule Addition"
 references = [
 "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
diff --git a/rules/windows/defense_evasion_potential_processherpaderping.toml b/rules/windows/defense_evasion_potential_processherpaderping.toml
index 3d53839ab..28f8d5a50 100644
--- a/rules/windows/defense_evasion_potential_processherpaderping.toml
+++ b/rules/windows/defense_evasion_potential_processherpaderping.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/27"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ an evasion attempt to execute malicious code in a stealthy way.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Process Herpaderping Attempt"
 references = ["https://github.com/jxy-s/herpaderping"]
 risk_score = 73
diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
index b6fd1d61e..f0f500cbf 100644
--- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
+++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
@@ -1,19 +1,20 @@
 [metadata]
 creation_date = "2020/11/04"
 maturity = "production"
-updated_date = "2020/11/04"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native
-files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the
-adversary's footprint.
+Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other
+non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal
+of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's
+footprint.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Process Termination followed by Deletion"
 risk_score = 47
 rule_id = "09443c92-46b3-45a4-8f25-383b028b258d"
@@ -43,3 +44,4 @@ reference = "https://attack.mitre.org/techniques/T1070/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_reg_beacon.toml b/rules/windows/defense_evasion_reg_beacon.toml
index c690524fd..6e5455c66 100644
--- a/rules/windows/defense_evasion_reg_beacon.toml
+++ b/rules/windows/defense_evasion_reg_beacon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ may indicate adversarial activity as these tools are often leveraged by adversar
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Registration Tool Making Network Connections"
 risk_score = 21
 rule_id = "6d3456a5-4a42-49d1-aaf2-7b1fd475b2c6"
diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml
index 44931dfb3..03b8de715 100644
--- a/rules/windows/defense_evasion_rundll32_no_arguments.toml
+++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ RunDLL32 could indicate malicious activity.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Unusual Child Processes of RunDLL32"
 risk_score = 21
 rule_id = "f036953a-4615-4707-a1ca-dc53bf69dcd5"
diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
index eacc64b22..c03a49299 100644
--- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
+++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ exists for backwards compatibility.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Scheduled Tasks AT Command Enabled"
 references = ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"]
 risk_score = 47
diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
index 12b49b1b3..fd77e917f 100644
--- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
+++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ file overwrite and rename operations.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Secure File Deletion via SDelete Utility"
 note = "Verify process details such as command line and hash to confirm this activity legitimacy."
 risk_score = 21
@@ -44,3 +44,4 @@ reference = "https://attack.mitre.org/techniques/T1070/004/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_sip_provider_mod.toml b/rules/windows/defense_evasion_sip_provider_mod.toml
index 39d09e298..504860c0c 100644
--- a/rules/windows/defense_evasion_sip_provider_mod.toml
+++ b/rules/windows/defense_evasion_sip_provider_mod.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/20"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ validation checks or inject code into critical processes.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "SIP Provider Modification"
 references = ["https://github.com/mattifestation/PoCSubjectInterfacePackage"]
 risk_score = 47
diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
index 01c308808..5a30b0e1a 100644
--- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ technique to manipulate relevant security services.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "SolarWinds Process Disabling Services via Registry"
 references = [
 "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
diff --git a/rules/windows/defense_evasion_stop_process_service_threshold.toml b/rules/windows/defense_evasion_stop_process_service_threshold.toml
index 95c2a25e4..c418af375 100644
--- a/rules/windows/defense_evasion_stop_process_service_threshold.toml
+++ b/rules/windows/defense_evasion_stop_process_service_threshold.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/03"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ short time period. This may indicate a defense evasion attempt.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "High Number of Process and/or Service Terminations"
 risk_score = 47
 rule_id = "035889c4-2686-4583-a7df-67f89c292f2c"
diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
index 44780788b..fb81f1f0e 100644
--- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
+++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/21"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ code execution.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious Managed Code Hosting Process"
 references = ["https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html"]
 risk_score = 73
diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
index 71e8db4d5..7cd238793 100644
--- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml
+++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ executed in the target process.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Windows Suspicious Script Object Execution"
 risk_score = 21
 rule_id = "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff"
diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml
index 82e258ba7..3bbf5cd31 100644
--- a/rules/windows/defense_evasion_suspicious_wmi_script.toml
+++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/01/21"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ libraries it may be indicative of a whitelist bypass.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious WMIC XSL Script Execution"
 risk_score = 21
 rule_id = "7f370d54-c0eb-4270-ac5a-9a6020585dc6"
@@ -42,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1220/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
index 868d0c39f..ffc34d1e1 100644
--- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
+++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ such as command line, network connections, file writes and associated file signa
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious Zoom Child Process"
 risk_score = 47
 rule_id = "97aba1ef-6034-4bd3-8c1a-1e0996b27afa"
diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
index 390683b82..53260a35a 100644
--- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
+++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ indicate activity related to remote code execution or other forms of exploitatio
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Unusual Executable File Creation by a System Critical Process"
 risk_score = 73
 rule_id = "e94262f2-c1e9-4d3f-a907-aeab16712e1a"
diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
index 3c9f36c79..aadb1b201 100644
--- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml
+++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ and sometimes done by adversaries to hide malware.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Unusual File Creation - Alternate Data Stream"
 risk_score = 47
 rule_id = "71bccb61-e19b-452f-b104-79a60e546a95"
diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml
index dadb97c65..395e9f422 100644
--- a/rules/windows/defense_evasion_unusual_dir_ads.toml
+++ b/rules/windows/defense_evasion_unusual_dir_ads.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ by adversaries to hide malware.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Unusual Process Execution Path - Alternate Data Stream"
 risk_score = 47
 rule_id = "4bd1c1af-79d4-4d37-9efa-6e0240640242"
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
index 5510f1ed4..016fa1840 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ and Control activity.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Unusual Network Connection via RunDLL32"
 risk_score = 47
 rule_id = "52aaab7b-b51c-441a-89ce-4387b3aea886"
diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml
index 5c4aa21e2..09edb13be 100644
--- a/rules/windows/defense_evasion_unusual_process_network_connection.toml
+++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ applications are often leveraged by adversaries to execute code and evade detect
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Unusual Process Network Connection"
 risk_score = 21
 rule_id = "610949a1-312f-4e04-bb55-3a79b8c95267"
diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
index ec52a08b5..96287c948 100644
--- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
+++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies a suspicious child process of the Windows virtual syst
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Unusual Child Process from a System Virtual Process"
 risk_score = 73
 rule_id = "de9bd7e0-49e9-4e92-a64d-53ade2e66af1"
diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml
index 0e849b06d..78b910bd7 100644
--- a/rules/windows/defense_evasion_via_filter_manager.toml
+++ b/rules/windows/defense_evasion_via_filter_manager.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ defenses.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Evasion via Filter Manager"
 risk_score = 21
 rule_id = "06dceabf-adca-48af-ac79-ffdf4c3b1e9a"
diff --git a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
index ff63f5261..f3cb2359d 100644
--- a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
+++ b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ other destructive attacks.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Volume Shadow Copy Deletion via WMIC"
 risk_score = 73
 rule_id = "dc9c1f74-dac3-48e3-b47f-eb79db358f57"
diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml
index 47d7f0f03..175b2c837 100644
--- a/rules/windows/discovery_adfind_command_activity.toml
+++ b/rules/windows/discovery_adfind_command_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "AdFind Command Activity"
 note = "`AdFind.exe` is a legitimate domain query tool. Rule alerts should be investigated to identify if the user has a role that would explain using this tool and that it is being run from an expected directory and endpoint. Leverage the exception workflow in the Kibana Security App or Elasticsearch API to tune this rule to your environment."
 references = [
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
index 96a3e6300..5954fc031 100644
--- a/rules/windows/discovery_admin_recon.toml
+++ b/rules/windows/discovery_admin_recon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ tools.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Enumeration of Administrator Accounts"
 risk_score = 21
 rule_id = "871ea072-1b71-4def-b016-6278b505138d"
diff --git a/rules/windows/discovery_file_dir_discovery.toml b/rules/windows/discovery_file_dir_discovery.toml
index 13db60d5a..632c5f128 100644
--- a/rules/windows/discovery_file_dir_discovery.toml
+++ b/rules/windows/discovery_file_dir_discovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "File and Directory Discovery"
 risk_score = 21
 rule_id = "7b08314d-47a0-4b71-ae4e-16544176924f"
diff --git a/rules/windows/discovery_net_command_system_account.toml b/rules/windows/discovery_net_command_system_account.toml
index f48d9c9d8..84692095d 100644
--- a/rules/windows/discovery_net_command_system_account.toml
+++ b/rules/windows/discovery_net_command_system_account.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ adversary has achieved privilege escalation.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Net command via SYSTEM account"
 risk_score = 21
 rule_id = "2856446a-34e6-435b-9fb5-f8f040bfa7ed"
diff --git a/rules/windows/discovery_net_view.toml b/rules/windows/discovery_net_view.toml
index 2a2620c62..4cacffbd8 100644
--- a/rules/windows/discovery_net_view.toml
+++ b/rules/windows/discovery_net_view.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies attempts to enumerate hosts in a network using the bui
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Windows Network Enumeration"
 risk_score = 47
 rule_id = "7b8bfc26-81d2-435e-965c-d722ee397ef1"
diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml
index 9e190c891..11ef33c04 100644
--- a/rules/windows/discovery_peripheral_device.toml
+++ b/rules/windows/discovery_peripheral_device.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/02"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ and components connected to a computer system.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Peripheral Device Discovery"
 risk_score = 21
 rule_id = "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4"
diff --git a/rules/windows/discovery_process_discovery_via_tasklist_command.toml b/rules/windows/discovery_process_discovery_via_tasklist_command.toml
index 394835d76..06d24ad81 100644
--- a/rules/windows/discovery_process_discovery_via_tasklist_command.toml
+++ b/rules/windows/discovery_process_discovery_via_tasklist_command.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Process Discovery via Tasklist"
 risk_score = 21
 rule_id = "cc16f774-59f9-462d-8b98-d27ccd4519ec"
diff --git a/rules/windows/discovery_query_registry_via_reg.toml b/rules/windows/discovery_query_registry_via_reg.toml
index 7b7589dab..ea0c346eb 100644
--- a/rules/windows/discovery_query_registry_via_reg.toml
+++ b/rules/windows/discovery_query_registry_via_reg.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ activities.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Query Registry via reg.exe"
 risk_score = 21
 rule_id = "68113fdc-3105-4cdd-85bb-e643c416ef0b"
diff --git a/rules/windows/discovery_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_remote_system_discovery_commands_windows.toml
index d95e8508b..472f5eb41 100644
--- a/rules/windows/discovery_remote_system_discovery_commands_windows.toml
+++ b/rules/windows/discovery_remote_system_discovery_commands_windows.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Discovery of remote system information using built-in commands, w
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Remote System Discovery Commands"
 risk_score = 21
 rule_id = "0635c542-1b96-4335-9b47-126582d2c19a"
diff --git a/rules/windows/discovery_security_software_wmic.toml b/rules/windows/discovery_security_software_wmic.toml
index 937d73850..4751cd77f 100644
--- a/rules/windows/discovery_security_software_wmic.toml
+++ b/rules/windows/discovery_security_software_wmic.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ such as AntiVirus or Host Firewall details.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Security Software Discovery using WMIC"
 risk_score = 47
 rule_id = "6ea55c81-e2ba-42f2-a134-bccf857ba922"
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index 3ebb86e21..57e791c38 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Whoami Process Activity"
 risk_score = 21
 rule_id = "ef862985-3f13-4262-a686-5f357bbb9bc2"
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
index c785f3b57..7ad4ca556 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ false_positives = [
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Command Execution via SolarWinds Process"
 references = [
 "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
index 9c4b901ad..462f05ab7 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ false_positives = [
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious SolarWinds Child Process"
 references = [
 "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml
index 003b6bd8e..a09519be5 100644
--- a/rules/windows/execution_com_object_xwizard.toml
+++ b/rules/windows/execution_com_object_xwizard.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/20"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ run a COM object created in registry to evade defensive counter measures.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Execution of COM object via Xwizard"
 references = [
 "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
index 13ca18065..6a8ee3e43 100644
--- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
+++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Command Prompt Network Connection"
 risk_score = 21
 rule_id = "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696"
diff --git a/rules/windows/execution_command_shell_started_by_powershell.toml b/rules/windows/execution_command_shell_started_by_powershell.toml
index b9e0ddfae..06f585e84 100644
--- a/rules/windows/execution_command_shell_started_by_powershell.toml
+++ b/rules/windows/execution_command_shell_started_by_powershell.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies a suspicious parent child process relationship with cm
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "PowerShell spawning Cmd"
 risk_score = 21
 rule_id = "0f616aee-8161-4120-857e-742366f5eeb3"
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index 299db830d..c3b14e670 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies a suspicious parent child process relationship with cm
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Svchost spawning Cmd"
 risk_score = 21
 rule_id = "fd7a6052-58fa-4397-93c3-4795249ccfa2"
diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml
index 4b801df1a..b7e49dd95 100644
--- a/rules/windows/execution_command_shell_started_by_unusual_process.toml
+++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/21"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies a suspicious parent child process relationship with cm
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Unusual Parent Process for cmd.exe"
 risk_score = 47
 rule_id = "3b47900d-e793-49e8-968f-c90dc3526aa1"
diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml
index a6a4d812c..c98241fd6 100644
--- a/rules/windows/execution_command_shell_via_rundll32.toml
+++ b/rules/windows/execution_command_shell_via_rundll32.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies command shell activity started via RunDLL32, which is
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Command Shell Activity Started via RunDLL32"
 risk_score = 21
 rule_id = "9ccf3ce0-0057-440a-91f5-870c6ad39093"
diff --git a/rules/windows/execution_downloaded_shortcut_files.toml b/rules/windows/execution_downloaded_shortcut_files.toml
index cd7dff492..aa93bc130 100644
--- a/rules/windows/execution_downloaded_shortcut_files.toml
+++ b/rules/windows/execution_downloaded_shortcut_files.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 maturity = "development"
 query_schema_validation = false
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ phishing campaigns.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Downloaded Shortcut Files"
 risk_score = 21
 rule_id = "6b1fd8e8-cefe-444c-bc4d-feaa2c497347"
diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml
index ea00370ec..3a3bb43af 100644
--- a/rules/windows/execution_downloaded_url_file.toml
+++ b/rules/windows/execution_downloaded_url_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 maturity = "development"
 query_schema_validation = false
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ phishing campaigns.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Downloaded URL Files"
 risk_score = 21
 rule_id = "cd82e3d6-1346-4afd-8f22-38388bbf34cb"
diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml
index 4b2863676..a02c6b710 100644
--- a/rules/windows/execution_enumeration_via_wmiprvse.toml
+++ b/rules/windows/execution_enumeration_via_wmiprvse.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Provider Service (WMIPrvSE).
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Enumeration Command Spawned via WMIPrvSE"
 risk_score = 21
 rule_id = "770e0c4d-b998-41e5-a62e-c7901fd7f470"
diff --git a/rules/windows/execution_from_unusual_directory.toml b/rules/windows/execution_from_unusual_directory.toml
index 89531b7b7..5cafcdf6a 100644
--- a/rules/windows/execution_from_unusual_directory.toml
+++ b/rules/windows/execution_from_unusual_directory.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/30"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ malware in trusted paths.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Process Execution from an Unusual Directory"
 risk_score = 47
 rule_id = "ebfe1448-7fac-4d59-acea-181bd89b1f7f"
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
index c7ea9d016..b52d51400 100644
--- a/rules/windows/execution_from_unusual_path_cmdline.toml
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/30"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ malware in trusted paths.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Execution from Unusual Directory - Command Line"
 note = "This is related to the Process Execution from an Unusual Directory rule"
 risk_score = 47
diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
index d566fab5f..791901d16 100644
--- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ program (hh.exe).
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Network Connection via Compiled HTML File"
 risk_score = 21
 rule_id = "b29ee2be-bf99-446c-ab1a-2dc0183394b8"
diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml
index 56a6591f4..e9c270b16 100644
--- a/rules/windows/execution_ms_office_written_file.toml
+++ b/rules/windows/execution_ms_office_written_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ launched via scripts inside documents or during exploitation of MS Office applic
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Execution of File Written or Modified by Microsoft Office"
 risk_score = 21
 rule_id = "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5"
diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml
index e298228db..7bb139462 100644
--- a/rules/windows/execution_pdf_written_file.toml
+++ b/rules/windows/execution_pdf_written_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ often launched via exploitation of PDF applications.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Execution of File Written or Modified by PDF Reader"
 risk_score = 21
 rule_id = "1defdd62-cd8d-426e-a246-81a37751bb2b"
diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml
index 21397ef87..8f4a8d23c 100644
--- a/rules/windows/execution_psexec_lateral_movement_command.toml
+++ b/rules/windows/execution_psexec_lateral_movement_command.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "PsExec Network Connection"
 risk_score = 21
 rule_id = "55d551c6-333b-4665-ab7e-5d14a59715ce"
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index 3e764952a..890eb0e30 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Network Connection via Registration Utility"
 risk_score = 21
 rule_id = "fb02b8d3-71ee-4af1-bacd-215d23f17efa"
diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml
index 880452c02..ab530c2c3 100644
--- a/rules/windows/execution_scheduled_task_powershell_source.toml
+++ b/rules/windows/execution_scheduled_task_powershell_source.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/15"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = ["Legitimate scheduled tasks may be created during installatio
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Outbound Scheduled Task Activity via PowerShell"
 references = [
 "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml
index 03a86f4ab..8d5fade1a 100644
--- a/rules/windows/execution_shared_modules_local_sxs_dll.toml
+++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/28"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ paths.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Execution via local SxS Shared Module"
 note = "The SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory."
 references = ["https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection"]
diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml
index fbe358e1c..2622dfcf6 100644
--- a/rules/windows/execution_suspicious_cmd_wmi.toml
+++ b/rules/windows/execution_suspicious_cmd_wmi.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ be indicative of adversary lateral movement.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious Cmd Execution via WMI"
 risk_score = 47
 rule_id = "12f07955-1674-44f7-86b5-c35da0a6f41a"
@@ -40,3 +40,4 @@ reference = "https://attack.mitre.org/techniques/T1047/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
index 2adf32ac8..ed939eafa 100644
--- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
+++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ be used to execute code and evade traditional parent/child processes spawned fro
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious WMI Image Load from MS Office"
 references = [
 "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml
index 5c864f71c..7d9c7f24a 100644
--- a/rules/windows/execution_suspicious_pdf_reader.toml
+++ b/rules/windows/execution_suspicious_pdf_reader.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/30"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ exploitation of PDF applications or social engineering.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious PDF Reader Child Process"
 risk_score = 21
 rule_id = "53a26770-9cbd-40c5-8b57-61d01a325e14"
diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml
index f69c3d72a..853169f54 100644
--- a/rules/windows/execution_suspicious_powershell_imgload.toml
+++ b/rules/windows/execution_suspicious_powershell_imgload.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ with powershell.exe, some attackers do this to operate more stealthily.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious PowerShell Engine ImageLoad"
 risk_score = 47
 rule_id = "852c1f19-68e8-43a6-9dce-340771fe1be3"
@@ -92,3 +92,4 @@ reference = "https://attack.mitre.org/techniques/T1059/001/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml
index c861bc4d4..0f2dcfa8d 100644
--- a/rules/windows/execution_suspicious_psexesvc.toml
+++ b/rules/windows/execution_suspicious_psexesvc.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ evade detection.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious Process Execution via Renamed PsExec Executable"
 risk_score = 47
 rule_id = "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2"
diff --git a/rules/windows/execution_suspicious_short_program_name.toml b/rules/windows/execution_suspicious_short_program_name.toml
index b8918dd52..c00e0d5fa 100644
--- a/rules/windows/execution_suspicious_short_program_name.toml
+++ b/rules/windows/execution_suspicious_short_program_name.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/15"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ executing temporary utilities.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious Execution - Short Program Name"
 risk_score = 47
 rule_id = "17c7f6a5-5bc9-4e1f-92bf-13632d24384d"
diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml
index 05e9e6338..8b910b6c4 100644
--- a/rules/windows/execution_via_compiled_html_file.toml
+++ b/rules/windows/execution_via_compiled_html_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Process Activity via Compiled HTML File"
 risk_score = 21
 rule_id = "e3343ab9-4245-4715-b344-e11c56b0a47f"
diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml
index 890cabeda..3f7835e81 100644
--- a/rules/windows/execution_via_hidden_shell_conhost.toml
+++ b/rules/windows/execution_via_hidden_shell_conhost.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ indicative of code injection.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Conhost Spawned By Suspicious Parent Process"
 references = [
 "https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html",
diff --git a/rules/windows/execution_via_net_com_assemblies.toml b/rules/windows/execution_via_net_com_assemblies.toml
index a39cd1c88..4d5e08ffb 100644
--- a/rules/windows/execution_via_net_com_assemblies.toml
+++ b/rules/windows/execution_via_net_com_assemblies.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ utility.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Execution via Regsvcs/Regasm"
 risk_score = 21
 rule_id = "47f09343-8d1f-4bb5-8bb0-00c9d18f5010"
diff --git a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
index e152208a5..e6112a83c 100644
--- a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
+++ b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ using xp_cmdshell, which is disabled by default, thus, it's important to review
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Execution via MSSQL xp_cmdshell Stored Procedure"
 risk_score = 73
 rule_id = "4ed493fc-d637-4a36-80ff-ac84937e5461"
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml
index 8b61566e2..96808be38 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ other destructive attacks.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Volume Shadow Copy Deletion via VssAdmin"
 risk_score = 73
 rule_id = "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921"
diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml
index 5c702351f..35fdb1ade 100644
--- a/rules/windows/initial_access_script_executing_powershell.toml
+++ b/rules/windows/initial_access_script_executing_powershell.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ executing a PowerShell script, may be indicative of malicious activity.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Windows Script Executing PowerShell"
 risk_score = 21
 rule_id = "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc"
diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
index bedb9d1ea..52a27b712 100644
--- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml
+++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/27"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ via Windows Management Instrumentation (WMI). This may be indicative of maliciou
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Windows Script Interpreter Executing Process via WMI"
 risk_score = 47
 rule_id = "b64b183e-1a76-422d-9179-7b389513e74d"
diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
index 412d90aff..6a35c3a2b 100644
--- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ macros.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious MS Office Child Process"
 risk_score = 47
 rule_id = "a624863f-a70d-417f-a7d2-7a404638d47f"
diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
index 38ae7afa6..b53698119 100644
--- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ phishing activity.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious MS Outlook Child Process"
 risk_score = 21
 rule_id = "32f4675e-6c49-4ace-80f9-97c9259dca2e"
diff --git a/rules/windows/initial_access_unusual_dns_service_children.toml b/rules/windows/initial_access_unusual_dns_service_children.toml
index 807167f1f..77f2183a3 100644
--- a/rules/windows/initial_access_unusual_dns_service_children.toml
+++ b/rules/windows/initial_access_unusual_dns_service_children.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Unusual Child Process of dns.exe"
 note = """### Investigating Unusual Child Process
 Detection alerts from this rule indicate potential suspicious child processes spawned after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:
diff --git a/rules/windows/initial_access_unusual_dns_service_file_writes.toml b/rules/windows/initial_access_unusual_dns_service_file_writes.toml
index 539d98ecc..6c1f4be76 100644
--- a/rules/windows/initial_access_unusual_dns_service_file_writes.toml
+++ b/rules/windows/initial_access_unusual_dns_service_file_writes.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ may indicate activity related to remote code execution or other forms of exploit
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Unusual File Modification by dns.exe"
 note = """### Investigating Unusual File Write
 Detection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:
diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
index ae9ef65bf..219374b21 100644
--- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
+++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/29"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ executables from a trusted parent process.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious Explorer Child Process"
 risk_score = 47
 rule_id = "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b"
diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml
index e0c8962c2..5610adb23 100644
--- a/rules/windows/lateral_movement_cmd_service.toml
+++ b/rules/windows/lateral_movement_cmd_service.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ lateral movement but will be noisy if commonly done by admins.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Service Command Lateral Movement"
 risk_score = 21
 rule_id = "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc"
diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml
index a9f338187..64f07d08e 100644
--- a/rules/windows/lateral_movement_dcom_hta.toml
+++ b/rules/windows/lateral_movement_dcom_hta.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ laterally while attempting to evading detection.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Incoming DCOM Lateral Movement via MSHTA"
 references = ["https://codewhitesec.blogspot.com/2018/07/lethalhta.html"]
 risk_score = 73
diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml
index 5292f3af9..b567b90e9 100644
--- a/rules/windows/lateral_movement_dcom_mmc20.toml
+++ b/rules/windows/lateral_movement_dcom_mmc20.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ laterally.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Incoming DCOM Lateral Movement with MMC"
 references = ["https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/"]
 risk_score = 73
diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
index c57204513..3eb65b70c 100644
--- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
+++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ application to stealthily move laterally.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows"
 references = ["https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/"]
 risk_score = 47
diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
index 78e50ca81..9c1f93790 100644
--- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
+++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ suspicious user-level processes moving laterally.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Direct Outbound SMB Connection"
 risk_score = 47
 rule_id = "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1"
diff --git a/rules/windows/lateral_movement_dns_server_overflow.toml b/rules/windows/lateral_movement_dns_server_overflow.toml
index 453a2da8c..0d6ac7593 100644
--- a/rules/windows/lateral_movement_dns_server_overflow.toml
+++ b/rules/windows/lateral_movement_dns_server_overflow.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
]
index = ["packetbeat-*", "filebeat-*"]
language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Abnormally Large DNS Response"
note = """### Investigating Large DNS Responses
Detection alerts from this rule indicate an attempt was made to exploit CVE-2020-1350 (SigRed) through the use of large DNS responses on a Windows DNS server. Here are some possible avenues of investigation:
diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
index 628282b72..db86141f4 100644
--- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
+++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/10"
maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ other files between systems in a compromised environment.
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Lateral Tool Transfer"
risk_score = 47
rule_id = "58bc134c-e8d2-4291-a552-b4b3e537c60b"
diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
index da7ce966d..695b45c24 100644
--- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
+++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/11"
maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ indicate a lateral movement attempt.
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Execution via TSClient Mountpoint"
references = ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"]
risk_score = 73
diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
index 8a277253f..af7208993 100644
--- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
+++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/03"
maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ via network file shares.
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Remote Execution via File Shares"
references = ["https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html"]
risk_score = 47
diff --git a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
index 036ba7b01..ee718d6c1 100644
--- a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
+++ b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/24"
maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Incoming Execution via WinRM Remote Shell"
risk_score = 47
rule_id = "1cd01db9-be24-4bef-8e7c-e923f0ff78ab"
diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml
index 5e03c626f..307172d06 100644
--- a/rules/windows/lateral_movement_incoming_wmi.toml
+++ b/rules/windows/lateral_movement_incoming_wmi.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/15"
maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ adversary lateral movement, but could be noisy if administrators use WMI to remo
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "WMI Incoming Lateral Movement"
risk_score = 47
rule_id = "f3475224-b179-4f78-8877-c2bd64c26b88"
diff --git a/rules/windows/lateral_movement_local_service_commands.toml b/rules/windows/lateral_movement_local_service_commands.toml
index 0e8192323..479114f92 100644
--- a/rules/windows/lateral_movement_local_service_commands.toml
+++ b/rules/windows/lateral_movement_local_service_commands.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ lateral movement but will be noisy if commonly done by admins.
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Local Service Commands"
risk_score = 21
rule_id = "e8571d5f-bea1-46c2-9f56-998de2d3ed95"
diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
index dbbb545ad..b157cdded 100644
--- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
+++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/02"
maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ preparation for data exfiltration.
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Mounting Hidden or WebDav Remote Shares"
risk_score = 21
rule_id = "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14"
diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml
index 7ad245f88..9d879701b 100644
--- a/rules/windows/lateral_movement_powershell_remoting_target.toml
+++ b/rules/windows/lateral_movement_powershell_remoting_target.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/24"
maturity = "production"
-updated_date = "2021/02/08"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Incoming Execution via PowerShell Remoting"
references = [
"https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1",
diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml
index 81c571aed..a11734c9f 100644
--- a/rules/windows/lateral_movement_rdp_enabled_registry.toml
+++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/25"
maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ adversary lateral movement preparation.
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "RDP Enabled via Registry"
risk_score = 47
rule_id = "58aa72ca-d968-4f34-b9f7-bea51d75eb50"
diff --git a/rules/windows/lateral_movement_rdp_sharprdp_target.toml b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
index 1d1952dcb..fc0d2d52e 100644
--- a/rules/windows/lateral_movement_rdp_sharprdp_target.toml
+++ b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/11"
maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ against a remote target via Remote Desktop Protocol (RDP) for the purposes of la
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Potential SharpRDP Behavior"
references = [
"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3",
diff --git a/rules/windows/lateral_movement_rdp_tunnel_plink.toml b/rules/windows/lateral_movement_rdp_tunnel_plink.toml
index 3a6346770..b996aca91 100644
--- a/rules/windows/lateral_movement_rdp_tunnel_plink.toml
+++ b/rules/windows/lateral_movement_rdp_tunnel_plink.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/10/14"
maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ adversary lateral movement to interactively access restricted networks.
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Potential Remote Desktop Tunneling Detected"
references = ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"]
risk_score = 73
@@ -42,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1021/"
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
index 25cd8c96b..97a6f4001 100644
--- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
+++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/04"
maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ activity.
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Remote File Copy to a Hidden Share"
risk_score = 47
rule_id = "fa01341d-6662-426b-9d0c-6d81e33c8a9d"
diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml
index 05a31c30d..4325402e3 100644
--- a/rules/windows/lateral_movement_remote_services.toml
+++ b/rules/windows/lateral_movement_remote_services.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/16"
maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ movement, but will be noisy if commonly done by administrators."
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Remotely Started Services via RPC"
risk_score = 47
rule_id = "aa9a274d-6b53-424d-ac5e-cb8ca4251650"
diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml
index f6aa1d9b9..32e13cb84 100644
--- a/rules/windows/lateral_movement_scheduled_task_target.toml
+++ b/rules/windows/lateral_movement_scheduled_task_target.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/20"
maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies remote scheduled task creations on a target host. This
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Remote Scheduled Task Creation"
note = "Decode the base64 encoded tasks actions registry value to investigate the task configured action."
risk_score = 47
diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
index cdcc60e1e..ae279a4b6 100644
--- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
+++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/19"
maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ presence of RDP lateral movement capability.
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Suspicious RDP ActiveX Client Loaded"
references = ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"]
risk_score = 47
diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
index fbff93298..290eebc77 100644
--- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
+++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/10/19"
maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ laterally by dropping a malicious script or executable that will be executed aft
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Lateral Movement via Startup Folder"
references = ["https://www.mdsec.co.uk/2017/06/rdpinception/"]
risk_score = 73
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml
index c0557b512..cb8be6eef 100644
--- a/rules/windows/persistence_adobe_hijack_persistence.toml
+++ b/rules/windows/persistence_adobe_hijack_persistence.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Detects writing executable files that will be automatically launc
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Adobe Hijack Persistence"
risk_score = 21
rule_id = "2bf78aa2-9c56-48de-b139-f169bf99cf86"
diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml
index 193b3c6c7..eb0b12294 100644
--- a/rules/windows/persistence_app_compat_shim.toml
+++ b/rules/windows/persistence_app_compat_shim.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/02"
maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ abused by attackers to stealthily gain persistence and arbitrary code execution
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Installation of Custom Shim Databases"
risk_score = 21
rule_id = "c5ce48a6-7f57-4ee8-9313-3d0024caee10"
diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml
index 2b8b07a92..339d23c3f 100644
--- a/rules/windows/persistence_appcertdlls_registry.toml
+++ b/rules/windows/persistence_appcertdlls_registry.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/18"
maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ process using the common API functions to create processes.
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Registry Persistence via AppCert DLL"
risk_score = 47
rule_id = "513f0ffd-b317-4b9c-9494-92ce861f22c7"
diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml
index 1a84aadf8..d321a1ba6 100644
--- a/rules/windows/persistence_appinitdlls_registry.toml
+++ b/rules/windows/persistence_appinitdlls_registry.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/18"
maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ process using the common library, user32.dll.
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Registry Persistence via AppInit DLL"
risk_score = 47
rule_id = "d0e159cf-73e9-40d1-a9ed-077e3158a855"
diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
index a8201cd6b..1654f3cdb 100644
--- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml
+++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/18"
maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ the net users command.
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Creation of a Hidden Local User Account"
references = [
"https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html",
diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
index d0bd9b3bb..7fc0220a0 100644
--- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml
+++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/17"
maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ different process to be executed. This functionality can be abused by an adversa
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Image File Execution Options Injection"
references = [
"https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
diff --git a/rules/windows/persistence_gpo_schtask_service_creation.toml b/rules/windows/persistence_gpo_schtask_service_creation.toml
index a8b972f87..4e5d9f86a 100644
--- a/rules/windows/persistence_gpo_schtask_service_creation.toml
+++ b/rules/windows/persistence_gpo_schtask_service_creation.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/13"
maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ malicious payload remotely on all or a subset of the domain joined machines.
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Creation or Modification of a new GPO Scheduled Task or Service"
risk_score = 21
rule_id = "c0429aa8-9974-42da-bfb6-53a0a515a145"
diff --git a/rules/windows/persistence_local_scheduled_task_commands.toml b/rules/windows/persistence_local_scheduled_task_commands.toml
index 7894a3441..e6182cd21 100644
--- a/rules/windows/persistence_local_scheduled_task_commands.toml
+++ b/rules/windows/persistence_local_scheduled_task_commands.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -10,7 +10,7 @@ false_positives = ["Legitimate scheduled tasks may be created during installatio
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Local Scheduled Task Commands"
risk_score = 21
rule_id = "afcce5ad-65de-4ed2-8516-5e093d3ac99a"
diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml
index a5e7a6d43..156714965 100644
--- a/rules/windows/persistence_local_scheduled_task_scripting.toml
+++ b/rules/windows/persistence_local_scheduled_task_scripting.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/29"
maturity = "production"
-updated_date = "2021/01/28"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = ["Legitimate scheduled tasks may be created during installatio
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Scheduled Task Created by a Windows Script"
note = "Decode the base64 encoded Tasks Actions registry value to investigate the task's configured action."
risk_score = 47
diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml
index 916e7dc37..ab3a97039 100644
--- a/rules/windows/persistence_ms_office_addins_file.toml
+++ b/rules/windows/persistence_ms_office_addins_file.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/10/16"
maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Detects attempts to establish persistence on an endpoint by abusi
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Persistence via Microsoft Office AddIns"
references = ["https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/"]
risk_score = 73
diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml
index 486f73500..82b520b30 100644
--- a/rules/windows/persistence_ms_outlook_vba_template.toml
+++ b/rules/windows/persistence_ms_outlook_vba_template.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/23"
maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -10,7 +10,7 @@ false_positives = ["A legitimate VBA for Outlook is usually configured interacti
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Persistence via Microsoft Outlook VBA"
references = [
"https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
index d58852601..a86167ad4 100644
--- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
+++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ system.
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Potential Modification of Accessibility Binaries"
references = ["https://www.elastic.co/blog/practical-security-engineering-stateful-detection"]
risk_score = 73
diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml
index a6940a2ea..de1ea984a 100644
--- a/rules/windows/persistence_registry_uncommon.toml
+++ b/rules/windows/persistence_registry_uncommon.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/18"
maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ an indication of an adversary's attempt to persist in a stealthy manner.
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Uncommon Registry Persistence Change"
references = ["https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"]
risk_score = 47
diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml
index 8419907d7..499165b90 100644
--- a/rules/windows/persistence_run_key_and_startup_broad.toml
+++ b/rules/windows/persistence_run_key_and_startup_broad.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/18"
maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ attackers will modify run keys within the registry or leverage startup folder it
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Startup or Run Key Registry Modification"
risk_score = 21
rule_id = "97fc44d3-8dae-4019-ae83-298c3015600f"
diff --git a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
index 807d5e4c4..69a428737 100644
--- a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
+++ b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/19"
maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ command line usage.
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Execution of Persistent Suspicious Program"
risk_score = 47
rule_id = "e7125cea-9fe1-42a5-9a05-b0792cf86f5a"
diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml
index 16666e812..81f47da29 100644
--- a/rules/windows/persistence_services_registry.toml
+++ b/rules/windows/persistence_services_registry.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/18"
maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ modification of an existing service.
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Unusual Persistence via Services Registry"
risk_score = 21
rule_id = "403ef0d3-8259-40c9-a5b6-d48354712e49"
diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
index 7f7fb59cd..41f55226b 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/18"
maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ technique to maintain persistence.
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Shortcut File Written or Modified for Persistence"
risk_score = 47
rule_id = "440e2db4-bc7f-4c96-a068-65b78da59bde"
diff --git a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
index b05ae0896..d416512f2 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/29"
maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ to maintain persistence in an environment.
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Startup Folder Persistence via Unsigned Process"
risk_score = 41
rule_id = "2fba96c0-ade5-4bce-b92f-a5df2509da3f"
diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml
index 4c7abad8f..79788e9a0 100644
--- a/rules/windows/persistence_startup_folder_scripts.toml
+++ b/rules/windows/persistence_startup_folder_scripts.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/18"
maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -9,7 +9,7 @@ description = "Identifies script engines creating files in the startup folder, o
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Persistent Scripts in the Startup Directory"
risk_score = 47
rule_id = "f7c4dc5a-a58d-491d-9f14-9b66507121c0"
diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml
index 6274f54f8..f1e9f75da 100644
--- a/rules/windows/persistence_suspicious_com_hijack_registry.toml
+++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/18"
maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ executing malicious content triggered by hijacked references to COM objects.
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Component Object Model Hijacking"
references = [
"https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/",
diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
index d43fccce2..43c40b1a0 100644
--- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
+++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/17"
maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ be used to configure persistence and evade monitoring by avoiding the usage of t
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Suspicious Image Load (taskschd.dll) from MS Office"
references = [
"https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
index 3812005cf..32a9100a0 100644
--- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
+++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/19"
maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -10,7 +10,7 @@ false_positives = ["Legitimate scheduled tasks running third party software."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
name = "Suspicious Execution via Scheduled Task"
risk_score = 47
rule_id = "5d1d6907-0747-4d5d-9b24-e4a18853dc0a"
diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml
index 6e6e216f7..10a21b465 100644
--- a/rules/windows/persistence_suspicious_service_created_registry.toml
+++ b/rules/windows/persistence_suspicious_service_created_registry.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/23"
maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ stealthily persist or escalate privileges through abnormal service creation.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious ImagePath Service Creation"
 risk_score = 73
 rule_id = "36a8e048-d888-4f61-a8b9-0f9e2e40f317"
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml
index 0862339ce..80d46e94d 100644
--- a/rules/windows/persistence_system_shells_via_services.toml
+++ b/rules/windows/persistence_system_shells_via_services.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ testers may run a shell as a service to gain SYSTEM permissions.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "System Shells via Services"
 risk_score = 47
 rule_id = "0022d47d-39c7-4f69-a232-4fe9dc7a3acd"
diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml
index 7663bfecd..8d42e255b 100644
--- a/rules/windows/persistence_time_provider_mod.toml
+++ b/rules/windows/persistence_time_provider_mod.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ provider.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Persistence via Time Provider Modification"
 references = ["https://pentestlab.blog/2019/10/22/persistence-time-providers/"]
 risk_score = 47
diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
index 14ca9546c..472da4db6 100644
--- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
+++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/09"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic", "Skoetting"]
@@ -13,7 +13,7 @@ any action in Active Directory and on domain-joined systems.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "User Added to Privileged Group in Active Directory"
 references = [
     "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory",
diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml
index d956d3ee4..f36092464 100644
--- a/rules/windows/persistence_user_account_creation.toml
+++ b/rules/windows/persistence_user_account_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ domain.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "User Account Creation"
 risk_score = 21
 rule_id = "1aa9181a-492b-4c01-8b16-fa0735786b2b"
diff --git a/rules/windows/persistence_user_account_creation_event_logs.toml b/rules/windows/persistence_user_account_creation_event_logs.toml
index 2869b4b4c..d6cdb7733 100644
--- a/rules/windows/persistence_user_account_creation_event_logs.toml
+++ b/rules/windows/persistence_user_account_creation_event_logs.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "development"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Skoetting"]
@@ -18,7 +18,7 @@ false_positives = [
 ]
 index = ["winlogbeat-*", "logs-windows*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Creation of a local user account"
 risk_score = 21
 rule_id = "38e17753-f581-4644-84da-0d60a8318694"
diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml
index 0a12cf275..ecb6a9cc8 100644
--- a/rules/windows/persistence_via_application_shimming.toml
+++ b/rules/windows/persistence_via_application_shimming.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ code execution in legitimate Windows processes.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Application Shimming via Sdbinst"
 risk_score = 21
 rule_id = "fd4a992d-6130-4802-9ff8-829b89ae801f"
diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml
index 1f3ccb259..993ce2337 100644
--- a/rules/windows/persistence_via_hidden_run_key_valuename.toml
+++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/15"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ registry key. An adversary may use this method to hide from system utilities suc
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Persistence via Hidden Run Key Detected"
 references = [
     "https://github.com/outflanknl/SharpHide",
diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
index 950c1b785..76c2e9418 100644
--- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
+++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ abuse this to establish persistence in an environment.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Installation of Security Support Provider"
 risk_score = 47
 rule_id = "e86da94d-e54b-4fb5-b96c-cecff87e8787"
diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
index d96ae084f..a52a3c661 100644
--- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
+++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ integrity level of system.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Persistence via TelemetryController Scheduled Task Hijack"
 references = [
     "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/?utm_content=131234033&utm_medium=social&utm_source=twitter&hss_channel=tw-403811306",
diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
index 4942a9c88..47319b540 100644
--- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
+++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ level of SYSTEM.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Persistence via Update Orchestrator Service Hijack"
 references = ["https://github.com/irsl/CVE-2020-1313"]
 risk_score = 73
@@ -55,3 +55,4 @@ reference = "https://attack.mitre.org/techniques/T1543/003/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
index 43ab196a4..cb1777e6c 100644
--- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
+++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ event and execute arbitrary code when that event occurs, providing persistence o
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Persistence via WMI Event Subscription"
 risk_score = 21
 rule_id = "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c"
diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml
index 6a14965bd..aab4f74da 100644
--- a/rules/windows/privilege_escalation_disable_uac_registry.toml
+++ b/rules/windows/privilege_escalation_disable_uac_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/20"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ administrator-level access to the system. This rule identifies registry value ch
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Disabling User Account Control via Registry Modification"
 references = [
     "https://www.greyhathacker.net/?p=796",
diff --git a/rules/windows/privilege_escalation_lsa_auth_package.toml b/rules/windows/privilege_escalation_lsa_auth_package.toml
index 630cd9d0c..d2af1bc0a 100644
--- a/rules/windows/privilege_escalation_lsa_auth_package.toml
+++ b/rules/windows/privilege_escalation_lsa_auth_package.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ executed by SYSTEM when the authentication packages are loaded.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential LSA Authentication Package Abuse"
 risk_score = 47
 rule_id = "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb"
diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
index 703d1d3f4..6021fa1af 100644
--- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml
+++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ utilizing a framework such Metasploit's meterpreter getsystem command.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Privilege Escalation via Named Pipe Impersonation"
 references = [
     "https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation",
diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
index 22b59b812..3bfe6d913 100644
--- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml
+++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ privileges via privileged file write vulnerabilities.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious DLL Loaded for Persistence or Privilege Escalation"
 references = [
     "https://itm4n.github.io/windows-dll-hijacking-clarified/",
diff --git a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
index 2da7cc36c..3b9356915 100644
--- a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
+++ b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
-updated_date = "2021/02/11"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ persistence, if permissions allow writing a fully-qualified pathname for that DL
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Potential Port Monitor or Print Processor Registration Abuse"
 references = ["https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"]
 risk_score = 47
diff --git a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
index b581aa081..651609a1c 100644
--- a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
+++ b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/26"
 maturity = "production"
-updated_date = "2021/02/08"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ SYSTEM.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious Print Spooler Point and Print DLL"
 references = [
     "https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability",
diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
index 9df0efdc3..2ca944b1f 100644
--- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ system is patched.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious PrintSpooler Service Executable File Creation"
 references = [
     "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/",
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
index a854347a3..f7e24a8d2 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ CVE-2020-1048 and CVE-2020-1337. .
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Suspicious PrintSpooler SPL File Created"
 note = "Refer to CVEs, CVE-2020-1048 and CVE-2020-1337 for further information on the vulnerability and exploit. Verify that the relevant system is patched."
 references = ["https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337"]
diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
index 49883e9f3..dce0037bf 100644
--- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
+++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/26"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ primitive that is often combined with other vulnerabilities to elevate privilege
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Privilege Escalation via Windir Environment Variable"
 references = ["https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html"]
 risk_score = 73
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
index 22f530bd5..dceba59e9 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/28"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code w
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface"
 references = ["https://github.com/hfiref0x/UACME"]
 risk_score = 73
@@ -47,3 +47,4 @@ reference = "https://attack.mitre.org/techniques/T1548/002/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
index dc4cbc25c..da36a8f37 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ program. Attackers may attempt to bypass UAC to stealthily execute code with ele
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer"
 references = ["https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html"]
 risk_score = 47
@@ -49,3 +49,4 @@ reference = "https://attack.mitre.org/techniques/T1548/002/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
index 460f814cc..6094055d0 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ to bypass UAC to stealthily execute code with elevated permissions.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "UAC Bypass via ICMLuaUtil Elevated COM Interface"
 risk_score = 73
 rule_id = "68d56fdc-7ffa-4419-8e95-81641bd6f845"
diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
index 9f413d3b4..009e477f8 100644
--- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ stealthily execute code with elevated permissions.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "UAC Bypass via DiskCleanup Scheduled Task Hijack"
 risk_score = 47
 rule_id = "1dcc51f6-ba26-49e7-9ef4-2655abb2361e"
diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
index fc60a01f4..ee8a98597 100644
--- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/27"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ stealthily execute code with elevated permissions.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "UAC Bypass Attempt via Privileged IFileOperation COM Interface"
 references = ["https://github.com/hfiref0x/UACME"]
 risk_score = 73
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
index ab5f18b14..f6cd58724 100644
--- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/17"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ elevated permissions.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Bypass UAC via Event Viewer"
 risk_score = 21
 rule_id = "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62"
diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
index abb0c1941..0da5f10d2 100644
--- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/26"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Attackers may bypass UAC to stealthily execute code with elevated permissions.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "UAC Bypass Attempt via Windows Directory Masquerading"
 references = ["https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"]
 risk_score = 73
diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
index 9683c5641..8967eb4b7 100644
--- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/14"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "UAC Bypass via Windows Firewall Snap-In Hijack"
 references = ["https://github.com/AzAgarampur/byeintegrity-uac"]
 risk_score = 47
diff --git a/rules/windows/privilege_escalation_uac_sdclt.toml b/rules/windows/privilege_escalation_uac_sdclt.toml
index a1ede6ae6..7d531a654 100644
--- a/rules/windows/privilege_escalation_uac_sdclt.toml
+++ b/rules/windows/privilege_escalation_uac_sdclt.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2021/02/08"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ elevated permissions.
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Bypass UAC via Sdclt"
 risk_score = 73
 rule_id = "9b54e002-034a-47ac-9307-ad12c03fa900"
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index 1bdbf8fbb..f6494c246 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ activity on a system.
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Unusual Parent-Child Relationship"
 references = [
     "https://github.com/sbousseaden/Slides/blob/master/Hunting MindMaps/PNG/Windows Processes TH.map.png",
diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
index 0b9168e5a..b358c4d5c 100644
--- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
+++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/13"
 maturity = "production"
-updated_date = "2021/02/16"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ false_positives = ["Changes to Windows services or a rarely executed child proce
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "Unusual Service Host Child Process - Childless Service"
 risk_score = 47
 rule_id = "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7"
diff --git a/rules/windows/privilege_escalation_wpad_exploitation.toml b/rules/windows/privilege_escalation_wpad_exploitation.toml
index 06e645586..159baba5c 100644
--- a/rules/windows/privilege_escalation_wpad_exploitation.toml
+++ b/rules/windows/privilege_escalation_wpad_exploitation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2021/02/08"
+updated_date = "2021/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ system compromise.
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
 language = "eql"
-license = "Elastic License"
+license = "Elastic License v2"
 name = "WPAD Service Exploit"
 risk_score = 73
 rule_id = "ec328da1-d5df-482b-866c-4a435692b1f3"
@@ -51,3 +51,4 @@ reference = "https://attack.mitre.org/techniques/T1068/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/tests/__init__.py b/tests/__init__.py
index 4c602303f..360d78839 100644
--- a/tests/__init__.py
+++ b/tests/__init__.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 """Detection Rules tests."""
 import glob
diff --git a/tests/kuery/__init__.py b/tests/kuery/__init__.py
index 12d34f0e9..850838abc 100644
--- a/tests/kuery/__init__.py
+++ b/tests/kuery/__init__.py
@@ -1,5 +1,6 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 """KQL unit tests."""
diff --git a/tests/kuery/test_dsl.py b/tests/kuery/test_dsl.py
index 7a7a4851c..4af3217eb 100644
--- a/tests/kuery/test_dsl.py
+++ b/tests/kuery/test_dsl.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 import unittest
 import kql
diff --git a/tests/kuery/test_eql2kql.py b/tests/kuery/test_eql2kql.py
index c2c5eb560..6757f908a 100644
--- a/tests/kuery/test_eql2kql.py
+++ b/tests/kuery/test_eql2kql.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 import unittest
 import kql
diff --git a/tests/kuery/test_evaluator.py b/tests/kuery/test_evaluator.py
index a5bef9aa5..94ae0c0be 100644
--- a/tests/kuery/test_evaluator.py
+++ b/tests/kuery/test_evaluator.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 import unittest
 
diff --git a/tests/kuery/test_kql2eql.py b/tests/kuery/test_kql2eql.py
index 94ab81e1c..6aaccb8e6 100644
--- a/tests/kuery/test_kql2eql.py
+++ b/tests/kuery/test_kql2eql.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 import unittest
 import eql
diff --git a/tests/kuery/test_lint.py b/tests/kuery/test_lint.py
index a4e43ebd7..7f0e97bd1 100644
--- a/tests/kuery/test_lint.py
+++ b/tests/kuery/test_lint.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 
 import unittest
 import kql
diff --git a/tests/kuery/test_parser.py b/tests/kuery/test_parser.py
index a7de4f548..f17ee0ad8 100644
--- a/tests/kuery/test_parser.py
+++ b/tests/kuery/test_parser.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 import unittest
 import kql
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
index 9049fef8e..c5d38c04c 100644
--- a/tests/test_all_rules.py
+++ b/tests/test_all_rules.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 """Test that all rules have valid metadata and syntax."""
 import json
diff --git a/tests/test_mappings.py b/tests/test_mappings.py
index e319b7ff9..860ed567d 100644
--- a/tests/test_mappings.py
+++ b/tests/test_mappings.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 """Test that all rules appropriately match against expected data sets."""
 import copy
diff --git a/tests/test_packages.py b/tests/test_packages.py
index 608d04f7b..ab9b6b07a 100644
--- a/tests/test_packages.py
+++ b/tests/test_packages.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 """Test that the packages are built correctly."""
 import unittest
@@ -21,7 +22,7 @@ class TestPackages(unittest.TestCase):
 "author": ["Elastic"],
 "description": "test description",
 "language": "kuery",
-"license": "Elastic License",
+"license": "Elastic License v2",
 "name": "test rule",
 "query": "process.name:test.query",
 "risk_score": 21,
diff --git a/tests/test_schemas.py b/tests/test_schemas.py
index 3dbc060c0..a81de4d02 100644
--- a/tests/test_schemas.py
+++ b/tests/test_schemas.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 """Test stack versioned schemas."""
 import unittest
@@ -46,7 +47,7 @@ class TestSchemas(unittest.TestCase):
 }
 ]
 }
-cls.v79_kql = dict(cls.v78_kql, author=["Elastic"], license="Elastic License")
+cls.v79_kql = dict(cls.v78_kql, author=["Elastic"], license="Elastic License v2")
 cls.v711_kql = copy.deepcopy(cls.v79_kql)
 cls.v711_kql["threat"][0]["technique"][0]["subtechnique"] = [{
 "id": "T1059.001",
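Review bot: The fixture value on the `+"license": "Elastic License v2"` line in the `@@ -21,7 +22,7 @@` hunk of tests/test_packages.py is an unconstrained string, so this test would still pass with the old `"Elastic License"` value and cannot catch rules or packaging code that were missed by the license rename; the fixture also spells the license differently from the new file header (`Elastic License 2.0`). Nothing in these hunks shows whether the rule schema restricts the `license` field, so if it does not, consider pinning the expected string where the package is built or in the schema test rather than only in the fixture. At minimum, add a short comment on the fixture line, `# must match the license string stamped on shipped rules`, so the next rename touches both. The enclosing `TestPackages` fixture starts and ends outside this hunk.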
@@ -69,7 +70,7 @@ class TestSchemas(unittest.TestCase):
 "author": ["Elastic"],
 "description": "test description",
 "language": "kuery",
-"license": "Elastic License",
+"license": "Elastic License v2",
 "name": "test rule",
 "query": "process.name:test.query",
 "risk_score": 21,
@@ -134,7 +135,7 @@ class TestSchemas(unittest.TestCase):
 "description": "test description",
 "index": ["filebeat-*"],
 "language": "eql",
-"license": "Elastic License",
+"license": "Elastic License v2",
 "name": "test rule",
 "risk_score": 21,
 "rule_id": str(uuid.uuid4()),
diff --git a/tests/test_toml_formatter.py b/tests/test_toml_formatter.py
index 4a3350a51..4400a2134 100644
--- a/tests/test_toml_formatter.py
+++ b/tests/test_toml_formatter.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 import copy
 import json
diff --git a/tests/test_utils.py b/tests/test_utils.py
index eceeaaa3b..1d86e01db 100644
--- a/tests/test_utils.py
+++ b/tests/test_utils.py
@@ -1,6 +1,7 @@
 # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License;
-# you may not use this file except in compliance with the Elastic License.
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
 """Test util time functions."""
 import random
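Review bot: The literal `"Elastic License v2"` is now hand-edited in three separate fixtures of tests/test_schemas.py (the `@@ -46` hunk's `license=` keyword and the `+"license"` lines in the `@@ -69` and `@@ -134` hunks), which is exactly how this rename had to be done once already and is how a future one will be missed. A single module-level constant, `LICENSE = "Elastic License v2"` with a comment `# keep in sync with the license string used by the rule files and packaging`, referenced from each fixture, turns the next change into one line. The `TestSchemas.setUpClass` body these hunks sit in starts and ends outside the visible hunks.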