diff --git a/rules_building_block/collection_files_staged_in_recycle_bin_root.toml b/rules_building_block/collection_files_staged_in_recycle_bin_root.toml
index 8a810b550..bfebdb55c 100644
--- a/rules_building_block/collection_files_staged_in_recycle_bin_root.toml
+++ b/rules_building_block/collection_files_staged_in_recycle_bin_root.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/10/09"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ the root of the Recycle Bin in preparation for exfiltration or to evade defenses
"""
from = "now-119m"
interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "File Staged in Root Folder of Recycle Bin"
diff --git a/rules_building_block/command_and_control_bitsadmin_activity.toml b/rules_building_block/command_and_control_bitsadmin_activity.toml
index fde61de81..cfc5929a8 100644
--- a/rules_building_block/command_and_control_bitsadmin_activity.toml
+++ b/rules_building_block/command_and_control_bitsadmin_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/08/21"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ Adversaries may abuse BITS to persist, download, execute, and even clean up afte
"""
from = "now-119m"
interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Bitsadmin Activity"
diff --git a/rules_building_block/credential_access_win_private_key_access.toml b/rules_building_block/credential_access_win_private_key_access.toml
index 76d54a6b8..42b71291c 100644
--- a/rules_building_block/credential_access_win_private_key_access.toml
+++ b/rules_building_block/credential_access_win_private_key_access.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2024/01/10"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Attackers may try to access private keys, e.g. ssh, in order to gain further aut
"""
from = "now-119m"
interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Attempted Private Key Access"
diff --git a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml
index fa20d4a8d..399b4d52f 100644
--- a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml
+++ b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/10/13"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Attackers may abuse cmd.exe commands to reassemble binary fragments into a malic
"""
from = "now-119m"
interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Binary Content Copy via Cmd.exe"
diff --git a/rules_building_block/defense_evasion_cmstp_execution.toml b/rules_building_block/defense_evasion_cmstp_execution.toml
index 648515015..a3bc97b36 100644
--- a/rules_building_block/defense_evasion_cmstp_execution.toml
+++ b/rules_building_block/defense_evasion_cmstp_execution.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/08/24"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ execution of malicious code by supplying INF files that contain malicious comman
"""
from = "now-119m"
interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Defense Evasion via CMSTP.exe"
diff --git a/rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml b/rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml
index 23ab605f3..77c7aae2f 100644
--- a/rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml
+++ b/rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/09/25"
+updated_date = "2024/04/05"
bypass_bbr_timing = true
[rule]
@@ -14,7 +14,7 @@ Identifies the creation of an archive file with an unusual extension. Attackers
masquerading files using the file extension values used by image, audio, or document file types.
"""
from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Archive File with Unusual Extension"
diff --git a/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml b/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml
index 6805bb71a..2233ab0f3 100644
--- a/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml
+++ b/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/09/26"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -20,7 +20,7 @@ references = [
]
from = "now-119m"
interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Execution via MS VisualStudio Pre/Post Build Events"
diff --git a/rules_building_block/defense_evasion_generic_deletion.toml b/rules_building_block/defense_evasion_generic_deletion.toml
index 90358c511..548a7d4d0 100644
--- a/rules_building_block/defense_evasion_generic_deletion.toml
+++ b/rules_building_block/defense_evasion_generic_deletion.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/08/16"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ files and directories on a host system, such as logs, browser history, or malwar
"""
from = "now-119m"
interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "File or Directory Deletion Command"
diff --git a/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml b/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml
index a39a84ab9..360c17149 100644
--- a/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml
+++ b/rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/08/24"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -13,14 +13,14 @@ Identifies indirect command execution via Program Compatibility Assistant (pcalu
"""
from = "now-119m"
interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Indirect Command Execution via Forfiles/Pcalua"
risk_score = 21
rule_id = "98843d35-645e-4e66-9d6a-5049acd96ce1"
severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"
diff --git a/rules_building_block/defense_evasion_injection_from_msoffice.toml b/rules_building_block/defense_evasion_injection_from_msoffice.toml
index 75c4d039f..92008c11f 100644
--- a/rules_building_block/defense_evasion_injection_from_msoffice.toml
+++ b/rules_building_block/defense_evasion_injection_from_msoffice.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/09/25"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
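Review bot: The new `index` line widens this rule to `logs-system.security*`, `winlogbeat-*`, `logs-windows.*` and `endgame-*`, yet the hunk header context still shows `integration = ["endpoint"]`, whereas the sibling rules in this diff that already read Windows event-log sources (discovery_files_dir_systeminfo_via_cmd, discovery_security_software_wmic, discovery_system_service_discovery) declare `integration = ["endpoint", "windows"]`. The `integration` line itself is outside the hunk, so this is inferred from the header; if related-integration metadata is generated from that list, the Windows and System integrations will be missing for this rule. The same pattern recurs in the installutil, msdt, msiexec, wbem, process discovery, wbemtest and lateral_movement_at hunks. On the `tags` line only `"Data Source: Elastic Endgame"` is added for the new sources; if the rule set has a tag for the Windows Security event log sources, it should be added in the same change.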
@@ -15,7 +15,7 @@ with malicious macros.
"""
from = "now-119m"
interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Process Injection from Malicious Document"
diff --git a/rules_building_block/defense_evasion_installutil_command_activity.toml b/rules_building_block/defense_evasion_installutil_command_activity.toml
index 789a1e1c7..cca9b3bca 100644
--- a/rules_building_block/defense_evasion_installutil_command_activity.toml
+++ b/rules_building_block/defense_evasion_installutil_command_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/08/24"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -15,14 +15,14 @@ a trusted Windows utility.
"""
from = "now-119m"
interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "InstallUtil Activity"
risk_score = 21
rule_id = "90babaa8-5216-4568-992d-d4a01a105d98"
severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"
diff --git a/rules_building_block/defense_evasion_invalid_codesign_imageload.toml b/rules_building_block/defense_evasion_invalid_codesign_imageload.toml
index b80aa386a..1ab179118 100644
--- a/rules_building_block/defense_evasion_invalid_codesign_imageload.toml
+++ b/rules_building_block/defense_evasion_invalid_codesign_imageload.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/09/27"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ signed binary.
"""
from = "now-119m"
interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.library-*"]
language = "eql"
license = "Elastic License v2"
name = "Image Loaded with Invalid Signature"
diff --git a/rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml b/rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml
index 34c52ba7c..0e92d42ba 100644
--- a/rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml
+++ b/rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/09/25"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ to evade detection by masquerading files using the file extension values used by
"""
from = "now-119m"
interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Executable File with Unusual Extension"
diff --git a/rules_building_block/defense_evasion_masquerading_vlc_dll.toml b/rules_building_block/defense_evasion_masquerading_vlc_dll.toml
index 8205d9879..719e094cd 100644
--- a/rules_building_block/defense_evasion_masquerading_vlc_dll.toml
+++ b/rules_building_block/defense_evasion_masquerading_vlc_dll.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/10/13"
+updated_date = "2024/04/05"
bypass_bbr_timing = true
[rule]
@@ -15,7 +15,7 @@ payload as legitimate applications to blend into the environment, or embedding i
applications to deceive machine learning algorithms by incorporating authentic and benign code.
"""
from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.library-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Masquerading as VLC DLL"
diff --git a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml
index f273286ee..870180263 100644
--- a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml
+++ b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/09/26"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -17,21 +17,21 @@ references = [
]
from = "now-119m"
interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Troubleshooting Pack Cabinet Execution"
risk_score = 21
rule_id = "808291d3-e918-4a3a-86cd-73052a0c9bdc"
severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"
query = '''
process where host.os.type == "windows" and event.action == "start" and
- (process.name : "msdt.exe" or process.pe.original_file_name == "msdt.exe") and process.args : "/cab" and
+ (process.name : "msdt.exe" or ?process.pe.original_file_name == "msdt.exe") and process.args : "/cab" and
process.parent.name : ( "firefox.exe", "chrome.exe", "msedge.exe", "explorer.exe", "brave.exe", "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "opera.exe", "iexplore", "firefox.exe", "waterfox.exe", "iexplore.exe",
diff --git a/rules_building_block/defense_evasion_service_disabled_registry.toml b/rules_building_block/defense_evasion_service_disabled_registry.toml
index cdeda901c..f822fdc3a 100644
--- a/rules_building_block/defense_evasion_service_disabled_registry.toml
+++ b/rules_building_block/defense_evasion_service_disabled_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2024/01/11"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
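Review bot: `event.action == "start"` on the `process where` context line is left as-is while the `index` line now adds `logs-system.security*`, `winlogbeat-*`, `logs-windows.*` and `endgame-*`; the wmic hunk later in this diff, which already spans those same sources, filters on `event.type == "start"` instead, and as far as I know Windows Security 4688 process-creation events do not carry `event.action` equal to `start`, so the newly added non-Defend sources would never match this rule. Consider `process where host.os.type == "windows" and event.type == "start" and`, unless the `event.action` value is intentionally Defend-specific, in which case a comment above `index` should say so. The same unchanged `event.action == "start"` is visible in the header context of the msiexec query hunk. The `query` block continues past the end of this hunk.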
@@ -14,7 +14,7 @@ modify security and monitoring services to avoid detection or delay response.
"""
from = "now-119m"
interval = "60m"
-index = ["logs-endpoint.events.*", "endgame-*"]
+index = ["logs-endpoint.events.registry-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Service Disabled via Registry Modification"
diff --git a/rules_building_block/defense_evasion_service_path_registry.toml b/rules_building_block/defense_evasion_service_path_registry.toml
index 84b841511..3dbc25b09 100644
--- a/rules_building_block/defense_evasion_service_path_registry.toml
+++ b/rules_building_block/defense_evasion_service_path_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/08/29"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ for persistence or privilege escalation.
"""
from = "now-119m"
interval = "60m"
-index = ["logs-endpoint.events.*", "endgame-*"]
+index = ["logs-endpoint.events.registry-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Service Path Modification"
diff --git a/rules_building_block/defense_evasion_services_exe_path.toml b/rules_building_block/defense_evasion_services_exe_path.toml
index 695dcf1d1..c26ac369c 100644
--- a/rules_building_block/defense_evasion_services_exe_path.toml
+++ b/rules_building_block/defense_evasion_services_exe_path.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2024/01/11"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ persistence or privilege escalation.
"""
from = "now-119m"
interval = "60m"
-index = ["logs-endpoint.events.*", "endgame-*"]
+index = ["logs-endpoint.events.process-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Service Path Modification via sc.exe"
diff --git a/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml b/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml
index a0e071a57..6625b9806 100644
--- a/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml
+++ b/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/09/26"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -18,14 +18,14 @@ references = [
]
from = "now-119m"
interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Execution via MSIEXEC"
risk_score = 21
rule_id = "708c9d92-22a3-4fe0-b6b9-1f861c55502d"
severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"
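Review bot: This `index` line adds `winlogbeat-*`, `logs-windows.*` and `endgame-*` but not `logs-system.security*`, while every other hunk in this diff that widens a process rule to Windows event logs (pcalua, installutil, msdt, wbem, process discovery, wbemtest, lateral_movement_at) lists `logs-system.security*` alongside them; the discovery_windows_system_information_discovery hunk has the same omission. If leaving it out is deliberate (for example because the query depends on a field the System integration does not populate) a one-line comment above `index` would save the next reader the question; otherwise append `"logs-system.security*"` to the array.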
@@ -51,11 +51,11 @@ process where host.os.type == "windows" and event.action == "start" and
(process.parent.name : ("powershell.exe", "cmd.exe") and length(process.parent.command_line) >= 200))) or (process.args : "/i" and process.args : ("/q", "/quiet") and process.args_count == 4 and
- process.working_directory : "?:\\" and process.parent.name : ("cmd.exe", "powershell.exe"))
+ ?process.working_directory : "?:\\" and process.parent.name : ("cmd.exe", "powershell.exe"))
) and /* noisy pattern */
- not (process.parent.executable : "?:\\Users\\*\\AppData\\Local\\Temp\\*" and process.parent.args_count >= 2 and
+ not (process.parent.executable : "?:\\Users\\*\\AppData\\Local\\Temp\\*" and ?process.parent.args_count >= 2 and
process.args : "?:\\Users\\*\\AppData\\Local\\Temp\\*\\*.msi") and not process.args : ("?:\\Program Files (x86)\\*", "?:\\Program Files\\*")
diff --git a/rules_building_block/defense_evasion_unusual_process_path_wbem.toml b/rules_building_block/defense_evasion_unusual_process_path_wbem.toml
index bf630f783..2337423bd 100644
--- a/rules_building_block/defense_evasion_unusual_process_path_wbem.toml
+++ b/rules_building_block/defense_evasion_unusual_process_path_wbem.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/08/23"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
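Review bot: The `?` optional-field prefix is added to `process.working_directory` and `process.parent.args_count`, but `process.args_count == 4` on the unchanged context line directly above and `length(process.parent.command_line)` in the same clause keep plain references; if the reason for the prefix is that these fields are not mapped in some of the index patterns added in the previous hunk, EQL validation (as I recall it) rejects the query on the first non-optional unmapped field, so the partial change does not buy anything. Either make the remaining references optional too (`?process.args_count == 4`, `length(?process.parent.command_line)`) or confirm that both fields are mapped in every pattern listed in `index`, and note the outcome in a comment above the query. The query's opening `process where` line is visible only as hunk-header context, so the enclosing block starts outside this hunk.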
@@ -13,14 +13,14 @@ Identifies unusual processes running from the WBEM path, uncommon outside WMI-re
"""
from = "now-119m"
interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Process Execution on WBEM Path"
risk_score = 21
rule_id = "1f460f12-a3cf-4105-9ebb-f788cc63f365"
severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
building_block_type = "default"
diff --git a/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml
index c9ed63807..305f6b593 100644
--- a/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml
+++ b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/10/19"
+updated_date = "2024/04/05"
bypass_bbr_timing = true
[rule]
@@ -15,7 +15,7 @@ Identifies the execution of discovery commands to enumerate system information,
Command Shell.
"""
from = "now-9m"
-index = ["winlogbeat-*", "logs-windows.*", "logs-endpoint.events.*"]
+index = ["winlogbeat-*", "logs-windows.*", "logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "System Information Discovery via Windows Command Shell"
diff --git a/rules_building_block/discovery_generic_account_groups.toml b/rules_building_block/discovery_generic_account_groups.toml
index 06080aad7..2b0ab58fa 100644
--- a/rules_building_block/discovery_generic_account_groups.toml
+++ b/rules_building_block/discovery_generic_account_groups.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/09/14"
+updated_date = "2024/04/05"
bypass_bbr_timing = true
[rule]
@@ -15,7 +15,7 @@ This rule identifies the execution of commands that enumerates account or group
built-in applications to get a listing of local system or domain accounts and groups.
"""
from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Windows Account or Group Discovery"
diff --git a/rules_building_block/discovery_generic_process_discovery.toml b/rules_building_block/discovery_generic_process_discovery.toml
index 69bef326d..d56783275 100644
--- a/rules_building_block/discovery_generic_process_discovery.toml
+++ b/rules_building_block/discovery_generic_process_discovery.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/09/14"
+updated_date = "2024/04/05"
bypass_bbr_timing = true
[rule]
@@ -15,7 +15,7 @@ This rule identifies the execution of commands that can be used to enumerate run
enumerate processes to identify installed applications and security solutions.
"""
from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Process Discovery Using Built-in Tools"
@@ -27,7 +27,8 @@ tags = ["Domain: Endpoint",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Rule Type: BBR",
- "Data Source: Elastic Defend"
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame"
]
timestamp_override = "event.ingested"
type = "eql"
diff --git a/rules_building_block/discovery_security_software_wmic.toml b/rules_building_block/discovery_security_software_wmic.toml
index 423a95148..7811c935f 100644
--- a/rules_building_block/discovery_security_software_wmic.toml
+++ b/rules_building_block/discovery_security_software_wmic.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/10/19"
+updated_date = "2024/04/05"
bypass_bbr_timing = true
[rule]
@@ -14,7 +14,7 @@ Identifies the use of Windows Management Instrumentation Command (WMIC) to disco
such as AntiVirus or Host Firewall details.
"""
from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Security Software Discovery using WMIC"
@@ -72,7 +72,7 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
-(process.name : "wmic.exe" or process.pe.original_file_name : "wmic.exe") and
+(process.name : "wmic.exe" or ?process.pe.original_file_name : "wmic.exe") and
process.args : "/namespace:\\\\root\\SecurityCenter2" and process.args : "Get"
'''
diff --git a/rules_building_block/discovery_system_service_discovery.toml b/rules_building_block/discovery_system_service_discovery.toml
index 97efd2762..e558d25c5 100644
--- a/rules_building_block/discovery_system_service_discovery.toml
+++ b/rules_building_block/discovery_system_service_discovery.toml
@@ -4,7 +4,7 @@ integration = ["windows", "endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/09/21"
+updated_date = "2024/04/05"
bypass_bbr_timing = true
[rule]
@@ -15,7 +15,7 @@ Detects the usage of commonly used system service discovery techniques, which at
after compromising a system in order to gain a better understanding of the environment and/or escalate privileges.
"""
from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "System Service Discovery through built-in Windows Utilities"
diff --git a/rules_building_block/discovery_system_time_discovery.toml b/rules_building_block/discovery_system_time_discovery.toml
index 778783721..7f57882ce 100644
--- a/rules_building_block/discovery_system_time_discovery.toml
+++ b/rules_building_block/discovery_system_time_discovery.toml
@@ -4,7 +4,7 @@ integration = ["windows", "endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2024/01/12"
+updated_date = "2024/04/05"
bypass_bbr_timing = true
[rule]
@@ -15,7 +15,7 @@ Detects the usage of commonly used system time discovery techniques, which attac
phase after compromising a system.
"""
from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "System Time Discovery"
diff --git a/rules_building_block/discovery_win_network_connections.toml b/rules_building_block/discovery_win_network_connections.toml
index 16ce86012..318357b4d 100644
--- a/rules_building_block/discovery_win_network_connections.toml
+++ b/rules_building_block/discovery_win_network_connections.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/09/21"
+updated_date = "2024/04/05"
bypass_bbr_timing = true
[rule]
@@ -15,7 +15,7 @@ This rule identifies the execution of commands that can be used to enumerate net
attempt to get a listing of network connections to or from a compromised system to identify targets within an environment.
"""
from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Windows System Network Connections Discovery"
diff --git a/rules_building_block/discovery_windows_system_information_discovery.toml b/rules_building_block/discovery_windows_system_information_discovery.toml
index 61bfa2d8c..0cd59156c 100644
--- a/rules_building_block/discovery_windows_system_information_discovery.toml
+++ b/rules_building_block/discovery_windows_system_information_discovery.toml
@@ -4,7 +4,7 @@ integration = ["windows", "endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/09/21"
+updated_date = "2024/04/05"
bypass_bbr_timing = true
[rule]
@@ -15,7 +15,7 @@ Detects the execution of commands used to discover information about the system,
compromising a system to gain situational awareness.
"""
from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Windows System Information Discovery"
diff --git a/rules_building_block/execution_unsigned_service_executable.toml b/rules_building_block/execution_unsigned_service_executable.toml
index 2df42a152..ee7b2e8f6 100644
--- a/rules_building_block/execution_unsigned_service_executable.toml
+++ b/rules_building_block/execution_unsigned_service_executable.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
-updated_date = "2024/01/12"
+updated_date = "2024/04/05"
bypass_bbr_timing = true
[rule]
@@ -15,7 +15,7 @@ This rule identifies the execution of unsigned executables via service control m
to execute malware or escalate privileges.
"""
from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*"]
language = "kuery"
license = "Elastic License v2"
name = "Execution of an Unsigned Service"
diff --git a/rules_building_block/execution_wmi_wbemtest.toml b/rules_building_block/execution_wmi_wbemtest.toml
index d4771fec3..6f65b1aca 100644
--- a/rules_building_block/execution_wmi_wbemtest.toml
+++ b/rules_building_block/execution_wmi_wbemtest.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/08/24"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -14,14 +14,14 @@ local or remote endpoints.
"""
from = "now-119m"
interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "WMI WBEMTEST Utility Execution"
risk_score = 21
rule_id = "d3551433-782f-4e22-bbea-c816af2d41c6"
severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"
diff --git a/rules_building_block/lateral_movement_at.toml b/rules_building_block/lateral_movement_at.toml
index 404196f88..0ccabf7ce 100644
--- a/rules_building_block/lateral_movement_at.toml
+++ b/rules_building_block/lateral_movement_at.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/10/09"
+updated_date = "2024/04/05"
[rule]
author = ["Elastic"]
@@ -14,14 +14,14 @@ execution could be indicative of adversary lateral movement.
"""
from = "now-119m"
interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "At.exe Command Lateral Movement"
risk_score = 21
rule_id = "b483365c-98a8-40c0-92d8-0458ca25058a"
severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
building_block_type = "default"