[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)

* [Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update defense_evasion_msdt_suspicious_diagcab.toml

* Update defense_evasion_suspicious_msiexec_execution.toml

* Update discovery_security_software_wmic.toml

* Update rules_building_block/discovery_security_software_wmic.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Endgame tag

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 109e8a85a5)
Jonhnathan
2024-04-08 08:57:33 -03:00
committed by github-actions[bot]
parent b4743f52de
commit 535175c33d
31 changed files with 75 additions and 74 deletions
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/09"
updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ the root of the Recycle Bin in preparation for exfiltration or to evade defenses
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "File Staged in Root Folder of Recycle Bin"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/21"
updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ Adversaries may abuse BITS to persist, download, execute, and even clean up afte
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Bitsadmin Activity"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/10"
updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Attackers may try to access private keys, e.g. ssh, in order to gain further aut
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Attempted Private Key Access"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/13"
updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Attackers may abuse cmd.exe commands to reassemble binary fragments into a malic
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Binary Content Copy via Cmd.exe"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/24"
updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ execution of malicious code by supplying INF files that contain malicious comman
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Defense Evasion via CMSTP.exe"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/25"
updated_date = "2024/04/05"
bypass_bbr_timing = true
[rule]
@@ -14,7 +14,7 @@ Identifies the creation of an archive file with an unusual extension. Attackers
masquerading files using the file extension values used by image, audio, or document file types.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Archive File with Unusual Extension"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/26"
updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -20,7 +20,7 @@ references = [
]
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Execution via MS VisualStudio Pre/Post Build Events"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/16"
updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ files and directories on a host system, such as logs, browser history, or malwar
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "File or Directory Deletion Command"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/24"
updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -13,14 +13,14 @@ Identifies indirect command execution via Program Compatibility Assistant (pcalu
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Indirect Command Execution via Forfiles/Pcalua"
risk_score = 21
rule_id = "98843d35-645e-4e66-9d6a-5049acd96ce1"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"
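Review bot: The new `index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"]` now pulls Windows and System integration data, but the file's metadata still declares `integration = ["endpoint"]` (visible as the hunk-header context for line 4), so the related_integrations and setup guidance derived from that list will presumably not mention the windows or system packages. Change it to `integration = ["endpoint", "windows", "system"]`, matching how the sections on this page that already query `logs-windows.*` declare `["endpoint", "windows"]`. The same mismatch applies to the InstallUtil Activity, Suspicious Troubleshooting Pack Cabinet Execution, Suspicious Execution via MSIEXEC, Unusual Process Execution on WBEM Path, Process Discovery Using Built-in Tools, WMI WBEMTEST Utility Execution and At.exe Command Lateral Movement sections, and the sections already declaring `["endpoint", "windows"]` that newly add `logs-system.security*` (Security Software Discovery using WMIC, System Service Discovery, System Time Discovery) would likewise need `system`. Whether the tag scheme has a data-source tag for the system integration is not visible here; if it does, it belongs next to the `Data Source: Elastic Endgame` tag added in the same hunks.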
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/25"
updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ with malicious macros.
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Process Injection from Malicious Document"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/24"
updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -15,14 +15,14 @@ a trusted Windows utility.
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "InstallUtil Activity"
risk_score = 21
rule_id = "90babaa8-5216-4568-992d-d4a01a105d98"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/27"
updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ signed binary.
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.library-*"]
language = "eql"
license = "Elastic License v2"
name = "Image Loaded with Invalid Signature"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/25"
updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ to evade detection by masquerading files using the file extension values used by
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Executable File with Unusual Extension"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/13"
updated_date = "2024/04/05"
bypass_bbr_timing = true
[rule]
@@ -15,7 +15,7 @@ payload as legitimate applications to blend into the environment, or embedding i
applications to deceive machine learning algorithms by incorporating authentic and benign code.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.library-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Masquerading as VLC DLL"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/26"
updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -17,21 +17,21 @@ references = [
]
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Troubleshooting Pack Cabinet Execution"
risk_score = 21
rule_id = "808291d3-e918-4a3a-86cd-73052a0c9bdc"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"
query = '''
process where host.os.type == "windows" and event.action == "start" and
(process.name : "msdt.exe" or process.pe.original_file_name == "msdt.exe") and process.args : "/cab" and
(process.name : "msdt.exe" or ?process.pe.original_file_name == "msdt.exe") and process.args : "/cab" and
process.parent.name : (
"firefox.exe", "chrome.exe", "msedge.exe", "explorer.exe", "brave.exe", "whale.exe", "browser.exe",
"dragon.exe", "vivaldi.exe", "opera.exe", "iexplore", "firefox.exe", "waterfox.exe", "iexplore.exe",
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/11"
updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ modify security and monitoring services to avoid detection or delay response.
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*", "endgame-*"]
index = ["logs-endpoint.events.registry-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Service Disabled via Registry Modification"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/29"
updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ for persistence or privilege escalation.
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*", "endgame-*"]
index = ["logs-endpoint.events.registry-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Service Path Modification"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/11"
updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ persistence or privilege escalation.
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*", "endgame-*"]
index = ["logs-endpoint.events.process-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Service Path Modification via sc.exe"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/26"
updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -18,14 +18,14 @@ references = [
]
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Execution via MSIEXEC"
risk_score = 21
rule_id = "708c9d92-22a3-4fe0-b6b9-1f861c55502d"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"
@@ -51,11 +51,11 @@ process where host.os.type == "windows" and event.action == "start" and
(process.parent.name : ("powershell.exe", "cmd.exe") and length(process.parent.command_line) >= 200))) or
(process.args : "/i" and process.args : ("/q", "/quiet") and process.args_count == 4 and
process.working_directory : "?:\\" and process.parent.name : ("cmd.exe", "powershell.exe"))
?process.working_directory : "?:\\" and process.parent.name : ("cmd.exe", "powershell.exe"))
) and
/* noisy pattern */
not (process.parent.executable : "?:\\Users\\*\\AppData\\Local\\Temp\\*" and process.parent.args_count >= 2 and
not (process.parent.executable : "?:\\Users\\*\\AppData\\Local\\Temp\\*" and ?process.parent.args_count >= 2 and
process.args : "?:\\Users\\*\\AppData\\Local\\Temp\\*\\*.msi") and
not process.args : ("?:\\Program Files (x86)\\*", "?:\\Program Files\\*")
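Review bot: The optional-field marker is applied inconsistently within this hunk: `?process.working_directory` and `?process.parent.args_count` become optional, but `process.args_count == 4` on the preceding line and `length(process.parent.command_line)` at the top of the hunk stay mandatory, even though the rule's index list now also includes `winlogbeat-*`, `logs-windows.*` and `endgame-*`, sources where those fields may not be mapped. If the intent is to keep the query valid against every listed source, the same prefix is presumably needed there as well, e.g. `?process.args_count == 4`. The query begins before this hunk, so the remaining field references cannot be checked from here.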
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/23"
updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -13,14 +13,14 @@ Identifies unusual processes running from the WBEM path, uncommon outside WMI-re
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Process Execution on WBEM Path"
risk_score = 21
rule_id = "1f460f12-a3cf-4105-9ebb-f788cc63f365"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
building_block_type = "default"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/19"
updated_date = "2024/04/05"
bypass_bbr_timing = true
[rule]
@@ -15,7 +15,7 @@ Identifies the execution of discovery commands to enumerate system information,
Command Shell.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*", "logs-endpoint.events.*"]
index = ["winlogbeat-*", "logs-windows.*", "logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "System Information Discovery via Windows Command Shell"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/14"
updated_date = "2024/04/05"
bypass_bbr_timing = true
[rule]
@@ -15,7 +15,7 @@ This rule identifies the execution of commands that enumerates account or group
built-in applications to get a listing of local system or domain accounts and groups.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Windows Account or Group Discovery"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/14"
updated_date = "2024/04/05"
bypass_bbr_timing = true
[rule]
@@ -15,7 +15,7 @@ This rule identifies the execution of commands that can be used to enumerate run
enumerate processes to identify installed applications and security solutions.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Process Discovery Using Built-in Tools"
@@ -27,7 +27,8 @@ tags = ["Domain: Endpoint",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Rule Type: BBR",
"Data Source: Elastic Defend"
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame"
]
timestamp_override = "event.ingested"
type = "eql"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/19"
updated_date = "2024/04/05"
bypass_bbr_timing = true
[rule]
@@ -14,7 +14,7 @@ Identifies the use of Windows Management Instrumentation Command (WMIC) to disco
such as AntiVirus or Host Firewall details.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Security Software Discovery using WMIC"
@@ -72,7 +72,7 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(process.name : "wmic.exe" or process.pe.original_file_name : "wmic.exe") and
(process.name : "wmic.exe" or ?process.pe.original_file_name : "wmic.exe") and
process.args : "/namespace:\\\\root\\SecurityCenter2" and process.args : "Get"
'''
@@ -4,7 +4,7 @@ integration = ["windows", "endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/21"
updated_date = "2024/04/05"
bypass_bbr_timing = true
[rule]
@@ -15,7 +15,7 @@ Detects the usage of commonly used system service discovery techniques, which at
after compromising a system in order to gain a better understanding of the environment and/or escalate privileges.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "System Service Discovery through built-in Windows Utilities"
@@ -4,7 +4,7 @@ integration = ["windows", "endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/12"
updated_date = "2024/04/05"
bypass_bbr_timing = true
[rule]
@@ -15,7 +15,7 @@ Detects the usage of commonly used system time discovery techniques, which attac
phase after compromising a system.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "System Time Discovery"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/21"
updated_date = "2024/04/05"
bypass_bbr_timing = true
[rule]
@@ -15,7 +15,7 @@ This rule identifies the execution of commands that can be used to enumerate net
attempt to get a listing of network connections to or from a compromised system to identify targets within an environment.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Windows System Network Connections Discovery"
@@ -4,7 +4,7 @@ integration = ["windows", "endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/21"
updated_date = "2024/04/05"
bypass_bbr_timing = true
[rule]
@@ -15,7 +15,7 @@ Detects the execution of commands used to discover information about the system,
compromising a system to gain situational awareness.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Windows System Information Discovery"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2024/01/12"
updated_date = "2024/04/05"
bypass_bbr_timing = true
[rule]
@@ -15,7 +15,7 @@ This rule identifies the execution of unsigned executables via service control m
to execute malware or escalate privileges.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*"]
language = "kuery"
license = "Elastic License v2"
name = "Execution of an Unsigned Service"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/24"
updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -14,14 +14,14 @@ local or remote endpoints.
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "WMI WBEMTEST Utility Execution"
risk_score = 21
rule_id = "d3551433-782f-4e22-bbea-c816af2d41c6"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"]
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/09"
updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -14,14 +14,14 @@ execution could be indicative of adversary lateral movement.
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "At.exe Command Lateral Movement"
risk_score = 21
rule_id = "b483365c-98a8-40c0-92d8-0458ca25058a"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR"]
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
building_block_type = "default"