diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml
index 735b8952d..7c6e09480 100644
--- a/rules/windows/command_and_control_iexplore_via_com.toml
+++ b/rules/windows/command_and_control_iexplore_via_com.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ network connections and bypass host-based firewall restrictions.
 """
 false_positives = ["Processes such as MS Office using IEproxy to render HTML content."]
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.library-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Command and Control via Internet Explorer"
diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml
index 7d6f60742..092dbd69d 100644
--- a/rules/windows/command_and_control_remote_file_copy_powershell.toml
+++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2023/12/07"
+updated_date = "2024/04/08"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -67,7 +67,7 @@ providers = [
 author = ["Elastic"]
 description = "Identifies powershell.exe being used to download an executable file from an untrusted remote destination."
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.network-*", "logs-endpoint.events.file-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote File Download via PowerShell"
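Review bot: Narrowing `index` from `logs-endpoint.events.*` to `library-*`, `process-*` and `network-*` means any event category the rule's EQL query references outside those three is no longer searched, and a rule whose index pattern misses a dataset does not error — it silently stops matching. The query lives outside this hunk, so I could not confirm that its `event.category` values are exactly library, process and network; please check that before merging, and consider a `# index must list a logs-endpoint.events.<category>-* entry for every event.category used in [rule.query]` comment above the `index` line so the next edit keeps them in sync. The same caveat applies to every file in this change, since each one replaces the wildcard with a hand-picked subset.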
diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml
index d5bbbf1d3..26e228aa9 100644
--- a/rules/windows/command_and_control_remote_file_copy_scripts.toml
+++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/29"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -39,7 +39,7 @@ Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) bei
 from a remote destination.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.network-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote File Download via Script Interpreter"
diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml
index 792df43f5..31b2b5283 100644
--- a/rules/windows/credential_access_credential_dumping_msbuild.toml
+++ b/rules/windows/credential_access_credential_dumping_msbuild.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -40,7 +40,7 @@ credential management. This technique is sometimes used for credential dumping.
 """
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Credential Access via Trusted Developer Utility"
diff --git a/rules/windows/defense_evasion_installutil_beacon.toml b/rules/windows/defense_evasion_installutil_beacon.toml
index ccc8d7332..87b368d79 100644
--- a/rules/windows/defense_evasion_installutil_beacon.toml
+++ b/rules/windows/defense_evasion_installutil_beacon.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies InstallUtil.exe making outbound network connections. This may indicat
 often leveraged by adversaries to execute code and evade detection.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "InstallUtil Process Making Network Connections"
diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml
index d08698545..10825bd5f 100644
--- a/rules/windows/defense_evasion_masquerading_werfault.toml
+++ b/rules/windows/defense_evasion_masquerading_werfault.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 [transform]
 [[transform.osquery]]
@@ -41,7 +41,7 @@ masquerading attempt to evade suspicious child process behavior detections.
 """
 false_positives = ["Legit Application Crash with rare Werfault commandline value"]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Windows Error Manager Masquerading"
diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
index cab1de29c..23325449d 100644
--- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
+++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 [transform]
 [[transform.osquery]]
@@ -39,7 +39,7 @@ validation. Adversaries may use these binaries to 'live off the land' and execut
 application allowlists and signature validation.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Network Connection via Signed Binary"
diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
index 09ccbc112..526bde67f 100644
--- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml
+++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 [transform]
 [[transform.osquery]]
@@ -38,7 +38,7 @@ Identifies MsBuild.exe making outbound network connections. This may indicate ad
 leveraged by adversaries to execute code and evade detection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "MsBuild Making Network Connections"
diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml
index 21860cad3..114d561f4 100644
--- a/rules/windows/defense_evasion_mshta_beacon.toml
+++ b/rules/windows/defense_evasion_mshta_beacon.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies Mshta.exe making outbound network connections. This may indicate adve
 leveraged by adversaries to execute malicious scripts and evade detection.
 """
 from = "now-20m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Mshta Making Network Connections"
diff --git a/rules/windows/defense_evasion_msxsl_network.toml b/rules/windows/defense_evasion_msxsl_network.toml
index 18bf42555..0835894f9 100644
--- a/rules/windows/defense_evasion_msxsl_network.toml
+++ b/rules/windows/defense_evasion_msxsl_network.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies msxsl.exe making a network connection. This may indicate adversarial
 by adversaries to execute malicious scripts and evade detection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Network Connection via MsXsl"
diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
index 7d4a7960c..b7a6daca8 100644
--- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
+++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 [transform]
 [[transform.osquery]]
@@ -39,7 +39,7 @@ Identifies network activity from unexpected system applications. This may indica
 applications are often leveraged by adversaries to execute code and evade detection.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Network Activity from a Windows System Binary"
diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
index 29517e1a0..105d94c93 100644
--- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
+++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/26"
+updated_date = "2024/04/08"
 [transform]
 [[transform.osquery]]
@@ -40,7 +40,7 @@ of these files can occur during an intrusion, or as part of a post-intrusion pro
 footprint.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*"]
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Process Termination followed by Deletion"
diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml
index 0ca1356ce..789fd5132 100644
--- a/rules/windows/defense_evasion_suspicious_wmi_script.toml
+++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies WMIC allowlist bypass techniques by alerting on suspicious execution
 libraries it may be indicative of an allowlist bypass.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious WMIC XSL Script Execution"
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
index 0b0aa0555..c5d82124d 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies unusual instances of dllhost.exe making outbound network connections.
 and Control activity.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Network Connection via DllHost"
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
index e5abae20c..17ce9288d 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies unusual instances of rundll32.exe making outbound network connections
 and Control activity.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Network Connection via RunDLL32"
diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml
index 0e6330814..dfa44ae72 100644
--- a/rules/windows/defense_evasion_unusual_process_network_connection.toml
+++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies network activity from unexpected system applications. This may indica
 applications are often leveraged by adversaries to execute code and evade detection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Process Network Connection"
diff --git a/rules/windows/defense_evasion_wsl_filesystem.toml b/rules/windows/defense_evasion_wsl_filesystem.toml
index 3ce0d8d8f..013c926ff 100644
--- a/rules/windows/defense_evasion_wsl_filesystem.toml
+++ b/rules/windows/defense_evasion_wsl_filesystem.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -13,7 +13,7 @@ Detects files creation and modification on the host system from the the Windows
 Adversaries may enable and use WSL for Linux to avoid detection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Host Files System Changes via Windows Subsystem for Linux"
diff --git a/rules/windows/discovery_active_directory_webservice.toml b/rules/windows/discovery_active_directory_webservice.toml
index b22dd490a..18fbaab7b 100644
--- a/rules/windows/discovery_active_directory_webservice.toml
+++ b/rules/windows/discovery_active_directory_webservice.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/01/31"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies processes loading Active Directory related modules followed by a netw
 Adversaries may abuse the ADWS Windows service that allows Active Directory to be queried via this web service.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.library-*", "logs-endpoint.events.network-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Enumeration via Active Directory Web Service"
diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
index af26e82c7..0d8848c10 100644
--- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
+++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 [transform]
 [[transform.osquery]]
@@ -44,7 +44,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Command Prompt Network Connection"
diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
index 0a46595a3..569d4f4e1 100644
--- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 [transform]
 [[transform.osquery]]
@@ -39,7 +39,7 @@ malicious code in a CHM file and deliver it to a victim for execution. CHM conte
 program (hh.exe).
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Network Connection via Compiled HTML File"
diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml
index eff7cf447..25359d1de 100644
--- a/rules/windows/execution_ms_office_written_file.toml
+++ b/rules/windows/execution_ms_office_written_file.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies an executable created by a Microsoft Office application and subsequen
 launched via scripts inside documents or during exploitation of Microsoft Office applications.
 """
 from = "now-120m"
-index = ["logs-endpoint.events.*", "endgame-*"]
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "endgame-*"]
 interval = "60m"
 language = "eql"
 license = "Elastic License v2"
diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml
index e92bc8e3f..bb2bbb41f 100644
--- a/rules/windows/execution_pdf_written_file.toml
+++ b/rules/windows/execution_pdf_written_file.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies a suspicious file that was written by a PDF reader application and su
 often launched via exploitation of PDF applications.
 """
 from = "now-120m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
 interval = "60m"
 language = "eql"
 license = "Elastic License v2"
diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml
index 172f7f59a..b8850975d 100644
--- a/rules/windows/execution_psexec_lateral_movement_command.toml
+++ b/rules/windows/execution_psexec_lateral_movement_command.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "PsExec Network Connection"
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index a3653c706..da54d2e10 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 [transform]
 [[transform.osquery]]
@@ -44,7 +44,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Network Connection via Registration Utility"
diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml
index cd4566e5d..e7a2ccfbb 100644
--- a/rules/windows/execution_scheduled_task_powershell_source.toml
+++ b/rules/windows/execution_scheduled_task_powershell_source.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/26"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ within a short time period. This may indicate lateral movement or remote discove
 """
 false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.library-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Outbound Scheduled Task Activity via PowerShell"
diff --git a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
index cef0db532..a3ebf3b31 100644
--- a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
+++ b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the execution of a browser process to open an HTML file with high ent
 data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious HTML File Creation"
diff --git a/rules/windows/initial_access_execution_from_removable_media.toml b/rules/windows/initial_access_execution_from_removable_media.toml
index 92cea7a38..fd95d0db4 100644
--- a/rules/windows/initial_access_execution_from_removable_media.toml
+++ b/rules/windows/initial_access_execution_from_removable_media.toml
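Review bot: The new `index` list for the scheduled-task rule carries no `logs-endpoint.events.process-*` entry, only `library-*` and `network-*`, so if any stage of this rule's sequence matches on a PowerShell process-start event, that stage is no longer searched in Elastic Defend data while `winlogbeat-*` and the Sysmon stream stay fully in scope. The query is outside this hunk, so I could not check which `event.category` values it uses; if it is a library load followed by a network event the list is right, otherwise `"logs-endpoint.events.process-*"` has to be added. A short `# categories used by the query: library, network` comment above `index` would make the next narrowing safer.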
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/01/12"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ possibly those on disconnected or air-gapped networks, by copying malware to rem
 Autorun features when the media is inserted into a system and executes.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Execution from a Removable Media with Network Connection"
diff --git a/rules/windows/initial_access_execution_remote_via_msiexec.toml b/rules/windows/initial_access_execution_remote_via_msiexec.toml
index 3af796830..e8e45cc7b 100644
--- a/rules/windows/initial_access_execution_remote_via_msiexec.toml
+++ b/rules/windows/initial_access_execution_remote_via_msiexec.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/01/12"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the execution of the built-in Windows Installer, msiexec.exe, to inst
 msiexec.exe to launch local or network accessible MSI files.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Remote File Execution via MSIEXEC"
diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
index cd54053b4..578905ab6 100644
--- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml
+++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies use of the built-in Windows script interpreters (cscript.exe or wscri
 via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Windows Script Interpreter Executing Process via WMI"
diff --git a/rules/windows/initial_access_xsl_script_execution_via_com.toml b/rules/windows/initial_access_xsl_script_execution_via_com.toml
index ad3cc9bcb..e757c7ffb 100644
--- a/rules/windows/initial_access_xsl_script_execution_via_com.toml
+++ b/rules/windows/initial_access_xsl_script_execution_via_com.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/01/12"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM i
 This behavior may indicate adversarial activity to execute malicious JScript or VBScript on the system.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.library-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote XSL Script Execution via COM"
diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml
index 5edb6c2c7..1ac54fbac 100644
--- a/rules/windows/lateral_movement_cmd_service.toml
+++ b/rules/windows/lateral_movement_cmd_service.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies use of sc.exe to create, modify, or start services on remote hosts. T
 lateral movement but will be noisy if commonly done by admins.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Service Command Lateral Movement"
diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml
index e6bbe1720..2fbca0f11 100644
--- a/rules/windows/lateral_movement_dcom_hta.toml
+++ b/rules/windows/lateral_movement_dcom_hta.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ launched via the HTA Application COM Object. This behavior may indicate an attac
 laterally while attempting to evade detection.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Incoming DCOM Lateral Movement via MSHTA"
diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml
index fa906c6c4..96af58d40 100644
--- a/rules/windows/lateral_movement_dcom_mmc20.toml
+++ b/rules/windows/lateral_movement_dcom_mmc20.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ via the MMC20 Application COM Object. This behavior may indicate an attacker abu
 laterally.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Incoming DCOM Lateral Movement with MMC"
diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
index 7bad7d127..b6dca9f73 100644
--- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
+++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may
 application to stealthily move laterally.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows"
diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
index c073a4392..1ff1b29f6 100644
--- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
+++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/01/22"
+updated_date = "2024/04/08"
 
 [transform]
 [[transform.osquery]]
@@ -41,7 +41,7 @@ connections are established by the kernel. Processes making 445/tcp connections
 suspicious user-level processes moving laterally.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Direct Outbound SMB Connection"
diff --git a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
index 9d841f664..d2abebdb9 100644
--- a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
+++ b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ indicative of an active RDP shadowing session. An adversary may abuse the RDP Sh
 other users active RDP sessions.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Remote Desktop Shadowing Activity"
diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
index d245bb01e..88d746d28 100644
--- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
+++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/09"
+updated_date = "2024/04/08"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the creation or change of a Windows executable file over network shar
 other files between systems in a compromised environment.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.file-*", "logs-endpoint.events.network-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Lateral Tool Transfer via SMB Share"
diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
index adef76f3e..03cf02f73 100644
--- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
+++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/01/03"
+updated_date = "2024/04/08"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -39,7 +39,7 @@ Identifies the execution of a file that was created by the virtual system proces
 via network file shares.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote Execution via File Shares"
diff --git a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
index 093255836..1fc13abf8 100644
--- a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
+++ b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Incoming Execution via WinRM Remote Shell"
diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml
index bbf5c7f98..b1ff8aaef 100644
--- a/rules/windows/lateral_movement_incoming_wmi.toml
+++ b/rules/windows/lateral_movement_incoming_wmi.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies processes executed via Windows Management Instrumentation (WMI) on a
 adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "WMI Incoming Lateral Movement"
diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml
index 5a8f900ba..abdb422d0 100644
--- a/rules/windows/lateral_movement_powershell_remoting_target.toml
+++ b/rules/windows/lateral_movement_powershell_remoting_target.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Incoming Execution via PowerShell Remoting"
diff --git a/rules/windows/lateral_movement_rdp_sharprdp_target.toml b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
index c76653e20..dd56f8c1e 100644
--- a/rules/windows/lateral_movement_rdp_sharprdp_target.toml
+++ b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/04/08"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies potential behavior of SharpRDP, which is a tool that can be used to p
 against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.network-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential SharpRDP Behavior"
diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml
index a9b41eae5..aedaa22b5 100644
--- a/rules/windows/lateral_movement_remote_services.toml
+++ b/rules/windows/lateral_movement_remote_services.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/16"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -39,7 +39,7 @@ Identifies remote execution of Windows services over remote procedure call (RPC)
 movement, but will be noisy if commonly done by administrators.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remotely Started Services via RPC"
diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml
index c423bc79e..3234e9731 100644
--- a/rules/windows/lateral_movement_scheduled_task_target.toml
+++ b/rules/windows/lateral_movement_scheduled_task_target.toml
@@ -4,13 +4,13 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement."
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
+index = ["logs-endpoint.events.registry-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote Scheduled Task Creation"
diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml
index 56fe9f619..d553e5e1f 100644
--- a/rules/windows/persistence_local_scheduled_task_scripting.toml
+++ b/rules/windows/persistence_local_scheduled_task_scripting.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/08"
+updated_date = "2024/04/08"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ an adversary to establish persistence.
 """
 false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Scheduled Task Created by a Windows Script"
diff --git a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
index 49de81629..e3c7edc80 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2023/10/13"
+updated_date = "2024/04/08"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -39,7 +39,7 @@ Identifies files written or modified in the startup folder by unsigned processes
 to maintain persistence in an environment.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Startup Folder Persistence via Unsigned Process"
diff --git a/rules/windows/privilege_escalation_wpad_exploitation.toml b/rules/windows/privilege_escalation_wpad_exploitation.toml
index 0e2e35bd1..4ce6d2b03 100644
--- a/rules/windows/privilege_escalation_wpad_exploitation.toml
+++ b/rules/windows/privilege_escalation_wpad_exploitation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint"]
 maturity = "development"
-updated_date = "2023/06/22"
+updated_date = "2024/04/08"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ the local network or upstream DNS traffic can inject malicious JavaScript to the
 system compromise.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-endpoint.events.library-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "WPAD Service Exploit"