From 580db2c13ed767d1591f23c8b97362090b0d6d5d Mon Sep 17 00:00:00 2001 
From: Derek Ditch Date: Tue, 27 Oct 2020 13:34:16 -0500 Subject: [PATCH] Add timeline_id to detection rules (#95) * Adds timeline_id to all network rules - Uses the ID for the 'Generic Network Timeline' from Elastic * Adds timeline_id to all endpoint rules - Uses the ID for the 'Generic Endpoint Timeline' from Elastic * Adds timeline_id to all process-oriented rules - Uses the ID for the 'Generic Process Timeline' from Elastic * Ran tests and toml-lint * Bumped 'updated_date' --- rules/README.md | 2 +- ...sent_grant_attack_via_azure_registered_application.toml | 2 +- rules/linux/credential_access_tcpdump_activity.toml | 3 ++- ...se_evasion_attempt_to_disable_iptables_or_firewall.toml | 3 ++- .../defense_evasion_attempt_to_disable_syslog_service.toml | 3 ++- ...ion_base16_or_base32_encoding_or_decoding_activity.toml | 3 ++- ...fense_evasion_base64_encoding_or_decoding_activity.toml | 3 ++- ...ense_evasion_deletion_of_bash_command_line_history.toml | 3 ++- rules/linux/defense_evasion_disable_selinux_attempt.toml | 3 ++- rules/linux/defense_evasion_file_deletion_via_shred.toml | 3 ++- rules/linux/defense_evasion_file_mod_writable_dir.toml | 3 ++- .../defense_evasion_hex_encoding_or_decoding_activity.toml | 3 ++- rules/linux/defense_evasion_hidden_file_dir_tmp.toml | 3 ++- rules/linux/defense_evasion_kernel_module_removal.toml | 3 ++- rules/linux/discovery_kernel_module_enumeration.toml | 3 ++- rules/linux/discovery_virtual_machine_fingerprinting.toml | 3 ++- rules/linux/discovery_whoami_commmand.toml | 3 ++- rules/linux/execution_perl_tty_shell.toml | 3 ++- rules/linux/execution_python_tty_shell.toml | 3 ++- .../lateral_movement_telnet_network_activity_external.toml | 3 ++- .../lateral_movement_telnet_network_activity_internal.toml | 3 ++- rules/linux/linux_hping_activity.toml | 3 ++- rules/linux/linux_iodine_activity.toml | 3 ++- rules/linux/linux_mknod_activity.toml | 3 ++- rules/linux/linux_netcat_network_connection.toml | 3 ++- rules/linux/linux_nmap_activity.toml 
| 3 ++- rules/linux/linux_nping_activity.toml | 3 ++- rules/linux/linux_process_started_in_temp_directory.toml | 3 ++- rules/linux/linux_socat_activity.toml | 3 ++- rules/linux/linux_strace_activity.toml | 3 ++- rules/linux/persistence_kernel_module_activity.toml | 3 ++- rules/linux/persistence_shell_activity_by_web_server.toml | 3 ++- .../privilege_escalation_setgid_bit_set_via_chmod.toml | 3 ++- .../privilege_escalation_setuid_bit_set_via_chmod.toml | 3 ++- .../credential_access_compress_credentials_keychains.toml | 3 ++- rules/macos/credential_access_kerberosdump_kcc.toml | 3 ++- rules/macos/lateral_movement_remote_ssh_login_enabled.toml | 3 ++- rules/ml/ml_linux_anomalous_network_activity.toml | 2 +- rules/ml/ml_rare_process_by_host_windows.toml | 2 +- rules/ml/ml_windows_anomalous_network_activity.toml | 2 +- rules/ml/ml_windows_rare_user_type10_remote_login.toml | 2 +- .../network/command_and_control_cobalt_strike_beacon.toml | 3 ++- .../command_and_control_dns_directly_to_the_internet.toml | 5 +++-- ..._and_control_download_rar_powershell_from_internet.toml | 3 ++- rules/network/command_and_control_fin7_c2_behavior.toml | 3 ++- ...tp_file_transfer_protocol_activity_to_the_internet.toml | 3 ++- rules/network/command_and_control_halfbaked_beacon.toml | 7 ++++--- ...ernet_relay_chat_protocol_activity_to_the_internet.toml | 3 ++- .../command_and_control_nat_traversal_port_activity.toml | 3 ++- rules/network/command_and_control_port_26_activity.toml | 3 ++- ...and_and_control_port_8000_activity_to_the_internet.toml | 3 ++- ...ol_pptp_point_to_point_tunneling_protocol_activity.toml | 3 ++- ...nd_and_control_proxy_port_activity_to_the_internet.toml | 3 ++- ...trol_rdp_remote_desktop_protocol_from_the_internet.toml | 3 ++- .../network/command_and_control_smtp_to_the_internet.toml | 3 ++- ...d_control_sql_server_port_activity_to_the_internet.toml | 3 ++- ...and_and_control_ssh_secure_shell_from_the_internet.toml | 3 ++- 
...mmand_and_control_ssh_secure_shell_to_the_internet.toml | 3 ++- .../network/command_and_control_telnet_port_activity.toml | 3 ++- .../command_and_control_tor_activity_to_the_internet.toml | 3 ++- ...ol_vnc_virtual_network_computing_from_the_internet.toml | 3 ++- ...trol_vnc_virtual_network_computing_to_the_internet.toml | 3 ++- ...scovery_post_exploitation_public_ip_reconnaissance.toml | 3 ++- ...access_rdp_remote_desktop_protocol_to_the_internet.toml | 3 ++- ...access_rpc_remote_procedure_call_from_the_internet.toml | 3 ++- ...l_access_rpc_remote_procedure_call_to_the_internet.toml | 3 ++- ..._smb_windows_file_sharing_activity_to_the_internet.toml | 3 ++- .../initial_access_unsecure_elasticsearch_node.toml | 3 ++- rules/promotions/elastic_endpoint.toml | 3 ++- rules/promotions/endpoint_adversary_behavior_detected.toml | 3 ++- rules/promotions/endpoint_cred_dumping_detected.toml | 3 ++- rules/promotions/endpoint_cred_dumping_prevented.toml | 3 ++- rules/promotions/endpoint_cred_manipulation_detected.toml | 3 ++- rules/promotions/endpoint_cred_manipulation_prevented.toml | 3 ++- rules/promotions/endpoint_exploit_detected.toml | 3 ++- rules/promotions/endpoint_exploit_prevented.toml | 3 ++- rules/promotions/endpoint_malware_detected.toml | 3 ++- rules/promotions/endpoint_malware_prevented.toml | 3 ++- rules/promotions/endpoint_permission_theft_detected.toml | 3 ++- rules/promotions/endpoint_permission_theft_prevented.toml | 3 ++- rules/promotions/endpoint_process_injection_detected.toml | 3 ++- rules/promotions/endpoint_process_injection_prevented.toml | 3 ++- rules/promotions/endpoint_ransomware_detected.toml | 3 ++- rules/promotions/endpoint_ransomware_prevented.toml | 3 ++- .../command_and_control_certutil_network_connection.toml | 3 ++- ...and_and_control_remote_file_copy_desktopimgdownldr.toml | 3 ++- .../command_and_control_remote_file_copy_mpcmdrun.toml | 3 ++- .../command_and_control_teamviewer_remote_file_copy.toml | 3 ++- 
.../credential_access_credential_dumping_msbuild.toml | 3 ++- ...credential_access_domain_backup_dpapi_private_keys.toml | 5 +++-- .../credential_access_iis_apppoolsa_pwd_appcmd.toml | 3 ++- .../credential_access_iis_connectionstrings_dumping.toml | 3 ++- .../credential_access_mimikatz_memssp_default_logs.toml | 3 ++- ...dding_the_hidden_file_attribute_with_via_attribexe.toml | 3 ++- .../defense_evasion_clearing_windows_event_logs.toml | 3 ++- rules/windows/defense_evasion_code_injection_conhost.toml | 3 ++- ...ense_evasion_delete_volume_usn_journal_with_fsutil.toml | 3 ++- ...ense_evasion_deleting_backup_catalogs_with_wbadmin.toml | 3 ++- ..._evasion_disable_windows_firewall_rules_with_netsh.toml | 3 ++- .../defense_evasion_dotnet_compiler_parent_process.toml | 3 ++- ...se_evasion_encoding_or_decoding_files_via_certutil.toml | 3 ++- ...se_evasion_execution_msbuild_started_by_office_app.toml | 3 ++- ...efense_evasion_execution_msbuild_started_by_script.toml | 3 ++- ...vasion_execution_msbuild_started_by_system_process.toml | 3 ++- .../defense_evasion_execution_msbuild_started_renamed.toml | 3 ++- ...e_evasion_execution_msbuild_started_unusal_process.toml | 3 ++- ...ense_evasion_execution_suspicious_explorer_winword.toml | 3 ++- ..._evasion_execution_via_trusted_developer_utilities.toml | 3 ++- .../windows/defense_evasion_iis_httplogging_disabled.toml | 3 ++- rules/windows/defense_evasion_injection_msbuild.toml | 3 ++- rules/windows/defense_evasion_installutil_beacon.toml | 3 ++- ...e_evasion_masquerading_as_elastic_endpoint_process.toml | 3 ++- .../defense_evasion_masquerading_renamed_autoit.toml | 3 ++- ...evasion_masquerading_suspicious_werfault_childproc.toml | 3 ++- rules/windows/defense_evasion_masquerading_werfault.toml | 3 ++- ...nse_evasion_misc_lolbin_connecting_to_the_internet.toml | 3 ++- .../defense_evasion_modification_of_boot_config.toml | 3 ++- rules/windows/defense_evasion_msbuild_beacon_sequence.toml | 3 ++- 
rules/windows/defense_evasion_mshta_beacon.toml | 3 ++- rules/windows/defense_evasion_msxsl_beacon.toml | 3 ++- ...nse_evasion_network_connection_from_windows_binary.toml | 3 ++- rules/windows/defense_evasion_reg_beacon.toml | 3 ++- rules/windows/defense_evasion_rundll32_no_arguments.toml | 3 ++- rules/windows/defense_evasion_rundll32_sequence.toml | 3 ++- rules/windows/defense_evasion_suspicious_scrobj_load.toml | 3 ++- rules/windows/defense_evasion_suspicious_wmi_script.toml | 3 ++- .../defense_evasion_suspicious_zoom_child_process.toml | 3 ++- ...vasion_system_critical_proc_abnormal_file_activity.toml | 3 ++- .../defense_evasion_unusual_system_vp_child_program.toml | 5 +++-- rules/windows/defense_evasion_via_filter_manager.toml | 3 ++- ...e_evasion_volume_shadow_copy_deletion_via_vssadmin.toml | 3 ++- ...fense_evasion_volume_shadow_copy_deletion_via_wmic.toml | 3 ++- rules/windows/discovery_net_command_system_account.toml | 3 ++- .../discovery_process_discovery_via_tasklist_command.toml | 3 ++- rules/windows/discovery_whoami_command_activity.toml | 3 ++- ...xecution_command_prompt_connecting_to_the_internet.toml | 3 ++- .../execution_command_shell_started_by_powershell.toml | 3 ++- .../execution_command_shell_started_by_svchost.toml | 3 ++- ...execution_command_shell_started_by_unusual_process.toml | 3 ++- rules/windows/execution_downloaded_shortcut_files.toml | 3 ++- rules/windows/execution_downloaded_url_file.toml | 3 ++- ...help_executable_program_connecting_to_the_internet.toml | 3 ++- rules/windows/execution_local_service_commands.toml | 3 ++- rules/windows/execution_ms_office_written_file.toml | 3 ++- .../execution_msbuild_making_network_connections.toml | 3 ++- .../execution_mshta_making_network_connections.toml | 3 ++- rules/windows/execution_msxsl_network.toml | 3 ++- rules/windows/execution_pdf_written_file.toml | 3 ++- .../windows/execution_psexec_lateral_movement_command.toml | 3 ++- ...register_server_program_connecting_to_the_internet.toml | 3 ++- 
rules/windows/execution_script_executing_powershell.toml | 3 ++- .../execution_suspicious_ms_office_child_process.toml | 3 ++- .../execution_suspicious_ms_outlook_child_process.toml | 3 ++- rules/windows/execution_suspicious_pdf_reader.toml | 3 ++- rules/windows/execution_suspicious_psexesvc.toml | 3 ++- rules/windows/execution_unusual_dns_service_children.toml | 3 ++- .../windows/execution_unusual_dns_service_file_writes.toml | 5 +++-- .../execution_unusual_network_connection_via_rundll32.toml | 3 ++- .../execution_unusual_process_network_connection.toml | 3 ++- rules/windows/execution_via_compiled_html_file.toml | 3 ++- rules/windows/execution_via_hidden_shell_conhost.toml | 3 ++- rules/windows/execution_via_net_com_assemblies.toml | 3 ++- .../execution_via_xp_cmdshell_mssql_stored_procedure.toml | 3 ++- rules/windows/execution_wpad_exploitation.toml | 3 ++- rules/windows/lateral_movement_cmd_service.toml | 5 +++-- .../lateral_movement_direct_outbound_smb_connection.toml | 3 ++- rules/windows/lateral_movement_dns_server_overflow.toml | 3 ++- rules/windows/persistence_adobe_hijack_persistence.toml | 3 ++- rules/windows/persistence_app_compat_shim.toml | 3 ++- .../windows/persistence_gpo_schtask_service_creation.toml | 3 ++- .../windows/persistence_local_scheduled_task_commands.toml | 3 ++- ...istence_priv_escalation_via_accessibility_features.toml | 3 ++- rules/windows/persistence_system_shells_via_services.toml | 3 ++- rules/windows/persistence_user_account_creation.toml | 3 ++- rules/windows/persistence_via_application_shimming.toml | 3 ++- ...tence_via_telemetrycontroller_scheduledtask_hijack.toml | 3 ++- ...persistence_via_update_orchestrator_service_hijack.toml | 3 ++- ...ge_escalation_printspooler_service_suspicious_file.toml | 3 ++- ...vilege_escalation_printspooler_suspicious_spl_file.toml | 3 ++- ...privilege_escalation_uac_bypass_diskcleanup_hijack.toml | 3 ++- .../privilege_escalation_uac_bypass_event_viewer.toml | 3 ++- 
rules/windows/privilege_escalation_uac_sdclt.toml | 3 ++- ...vilege_escalation_unusual_parentchild_relationship.toml | 5 +++-- 183 files changed, 368 insertions(+), 191 deletions(-)
diff --git a/rules/README.md b/rules/README.md
index 361f70bda..a1f9dac57 100644
--- a/rules/README.md
+++ b/rules/README.md
@@ -1,6 +1,6 @@
 # rules/
-Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several [.toml](https://github.com/toml-lang/toml) files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. [`windows/execution_via_compiled_html_file.toml`](windows/execution_via_compiled_html_file.toml))
+Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several [.toml](https://github.com/toml-lang/toml) files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. [`windows/execution_via_compiled_html_file.toml`](windows/execution_via_compiled_html_file.toml))
 | folder | description |
 |-------------------------------------|----------------------------------------------------------------------|
diff --git a/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml b/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
index 009278838..b350a7c8a 100644
--- a/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
+++ b/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
@@ -33,7 +33,7 @@ type = "query"
 query = '''
 event.dataset:(azure.activitylogs or azure.auditlogs) and
 (
- azure.activitylogs.operation_name:"Consent to application" or
+ azure.activitylogs.operation_name:"Consent to application" or
 azure.auditlogs.operation_name:"Consent to application"
 ) and
 event.outcome:success
diff --git a/rules/linux/credential_access_tcpdump_activity.toml b/rules/linux/credential_access_tcpdump_activity.toml
index 9ba0c5ea0..807997746 100644
--- a/rules/linux/credential_access_tcpdump_activity.toml
+++ b/rules/linux/credential_access_tcpdump_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -26,6 +26,7 @@ risk_score = 21
 rule_id = "7a137d76-ce3d-48e2-947d-2747796a78c0"
 severity = "low"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
index 05cb0e855..3a6476cab 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/24"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 47
 rule_id = "125417b8-d3df-479f-8418-12d7e034fee3"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
index 4089156b0..5b44ec78e 100644
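Review bot: The `+timeline_id` line in the second hunk of rules/linux/credential_access_tcpdump_activity.toml is added without a companion `timeline_title`, and Kibana's rule create/import validation, as far as I recall, rejects a rule that carries `timeline_id` but no `timeline_title`, so the repo's toml-lint passing does not by itself show these rules will load. The commit message names the three timelines being linked, so the title is known; for this rule the line to add directly beneath it would be `timeline_title = "Generic Process Timeline"`, presuming that is the timeline this UUID refers to for the process-oriented Linux rules — worth confirming against the prebuilt timelines before merging. The same literal UUID is pasted into every other `+timeline_id` hunk on this page (all of the rules/linux files that follow), so the same addition applies to each of them; a small test asserting that every `timeline_id` value is one of the three known prebuilt IDs would also catch a mistyped copy in later edits.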
--- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/27"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 47
 rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
index 189679d6a..d364eae2c 100644
--- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
+++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/17"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -22,6 +22,7 @@ risk_score = 21
 rule_id = "debff20a-46bc-4a4d-bae5-5cdd14222795"
 severity = "low"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml
index eae5a4f06..a84760f71 100644
--- a/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml
+++ b/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/17"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -22,6 +22,7 @@ risk_score = 21
 rule_id = "97f22dab-84e8-409d-955e-dacd1d31670b"
 severity = "low"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
index 212456b89..23013ae1b 100644
--- a/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
+++ b/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/04"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 47
 rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml
index be9047c80..596e8d264 100644
--- a/rules/linux/defense_evasion_disable_selinux_attempt.toml
+++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/22"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 47
 rule_id = "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml
index 45e455124..067c95e5f 100644
--- a/rules/linux/defense_evasion_file_deletion_via_shred.toml
+++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/27"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 21
 rule_id = "a1329140-8de3-4445-9f87-908fb6d824f4"
 severity = "low"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml
index 8a23c4565..f0b31de0d 100644
--- a/rules/linux/defense_evasion_file_mod_writable_dir.toml
+++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -25,6 +25,7 @@ risk_score = 21
 rule_id = "9f9a2a82-93a8-4b1a-8778-1780895626d4"
 severity = "low"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml
index 952416f2e..a46f1fe52 100644
--- a/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml
+++ b/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/17"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -22,6 +22,7 @@ risk_score = 21
 rule_id = "a9198571-b135-4a76-b055-e3e5a476fd83"
 severity = "low"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
index a25e8e8f2..ff213330a 100644
--- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
+++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/29"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -27,6 +27,7 @@ risk_score = 47
 rule_id = "b9666521-4742-49ce-9ddc-b8e84c35acae"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml
index 460a81f34..5695723ee 100644
--- a/rules/linux/defense_evasion_kernel_module_removal.toml
+++ b/rules/linux/defense_evasion_kernel_module_removal.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/24"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -27,6 +27,7 @@ risk_score = 73
 rule_id = "cd66a5af-e34b-4bb0-8931-57d0a043f2ef"
 severity = "high"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml
index fabe9f49e..d8fcf09e6 100644
--- a/rules/linux/discovery_kernel_module_enumeration.toml
+++ b/rules/linux/discovery_kernel_module_enumeration.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -26,6 +26,7 @@ risk_score = 47
 rule_id = "2d8043ed-5bda-4caf-801c-c1feb7410504"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml
index 278d665ee..b808cc8a1 100644
--- a/rules/linux/discovery_virtual_machine_fingerprinting.toml
+++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/27"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -26,6 +26,7 @@ risk_score = 73
 rule_id = "5b03c9fb-9945-4d2f-9568-fd690fee3fba"
 severity = "high"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/linux/discovery_whoami_commmand.toml b/rules/linux/discovery_whoami_commmand.toml
index 28baa3257..36b1798fc 100644
--- a/rules/linux/discovery_whoami_commmand.toml
+++ b/rules/linux/discovery_whoami_commmand.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -25,6 +25,7 @@ risk_score = 21
 rule_id = "120559c6-5e24-49f4-9e30-8ffe697df6b9"
 severity = "low"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml
index 28e89e310..4cc003ae5 100644
--- a/rules/linux/execution_perl_tty_shell.toml
+++ b/rules/linux/execution_perl_tty_shell.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/16"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 73
 rule_id = "05e5a668-7b51-4a67-93ab-e9af405c9ef3"
 severity = "high"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml
index 532e8227d..68e1cedd2 100644
--- a/rules/linux/execution_python_tty_shell.toml
+++ b/rules/linux/execution_python_tty_shell.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/15"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 73
 rule_id = "d76b02ef-fc95-4001-9297-01cb7412232f"
 severity = "high"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml
index f922a39fa..07555af14 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_external.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -27,6 +27,7 @@ risk_score = 47
 rule_id = "e19e64ee-130e-4c07-961f-8a339f0b8362"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Lateral Movement"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
index eaabdb2e1..02176f19f 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -27,6 +27,7 @@ risk_score = 47
 rule_id = "1b21abcc-4d9f-4b08-a7f5-316f5f94b973"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Lateral Movement"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/linux/linux_hping_activity.toml b/rules/linux/linux_hping_activity.toml
index e34048452..d5a7c1ef8 100644
--- a/rules/linux/linux_hping_activity.toml
+++ b/rules/linux/linux_hping_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -26,6 +26,7 @@ risk_score = 73
 rule_id = "90169566-2260-4824-b8e4-8615c3b4ed52"
 severity = "high"
 tags = ["Elastic", "Host", "Linux", "Threat Detection"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/linux/linux_iodine_activity.toml b/rules/linux/linux_iodine_activity.toml
index dff43a24c..6476f7085 100644
--- a/rules/linux/linux_iodine_activity.toml
+++ b/rules/linux/linux_iodine_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -26,6 +26,7 @@ risk_score = 73
 rule_id = "041d4d41-9589-43e2-ba13-5680af75ebc2"
 severity = "high"
 tags = ["Elastic", "Host", "Linux", "Threat Detection"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/linux/linux_mknod_activity.toml b/rules/linux/linux_mknod_activity.toml
index 4362ce5c6..bce45a594 100644
--- a/rules/linux/linux_mknod_activity.toml
+++ b/rules/linux/linux_mknod_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -28,6 +28,7 @@ risk_score = 21
 rule_id = "61c31c14-507f-4627-8c31-072556b89a9c"
 severity = "low"
 tags = ["Elastic", "Host", "Linux", "Threat Detection"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/linux/linux_netcat_network_connection.toml b/rules/linux/linux_netcat_network_connection.toml
index 01232126c..7d9c09ace 100644
--- a/rules/linux/linux_netcat_network_connection.toml
+++ b/rules/linux/linux_netcat_network_connection.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -32,6 +32,7 @@ risk_score = 47
 rule_id = "adb961e0-cb74-42a0-af9e-29fc41f88f5f"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/linux/linux_nmap_activity.toml b/rules/linux/linux_nmap_activity.toml
index e4f6dd10b..9cbdc9302 100644
--- a/rules/linux/linux_nmap_activity.toml
+++ b/rules/linux/linux_nmap_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -28,6 +28,7 @@ risk_score = 21
 rule_id = "c87fca17-b3a9-4e83-b545-f30746c53920"
 severity = "low"
 tags = ["Elastic", "Host", "Linux", "Threat Detection"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/linux/linux_nping_activity.toml b/rules/linux/linux_nping_activity.toml
index aa181aec7..37ff7fb03 100644
--- a/rules/linux/linux_nping_activity.toml
+++ b/rules/linux/linux_nping_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -26,6 +26,7 @@ risk_score = 47
 rule_id = "0d69150b-96f8-467c-a86d-a67a3378ce77"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/linux/linux_process_started_in_temp_directory.toml b/rules/linux/linux_process_started_in_temp_directory.toml
index 99fd57b03..54b7a3a87 100644
--- a/rules/linux/linux_process_started_in_temp_directory.toml
+++ b/rules/linux/linux_process_started_in_temp_directory.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -22,6 +22,7 @@ risk_score = 47
 rule_id = "df959768-b0c9-4d45-988c-5606a2be8e5a"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/linux/linux_socat_activity.toml b/rules/linux/linux_socat_activity.toml
index dba48404f..b87e508cd 100644
--- a/rules/linux/linux_socat_activity.toml
+++ b/rules/linux/linux_socat_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -27,6 +27,7 @@ risk_score = 47 rule_id = "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126" severity = "medium" tags = ["Elastic", "Host", "Linux", "Threat Detection"] +timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c" type = "query" query = ''' diff --git a/rules/linux/linux_strace_activity.toml b/rules/linux/linux_strace_activity.toml index 61b05cd15..30f84fdd8 100644 --- a/rules/linux/linux_strace_activity.toml +++ b/rules/linux/linux_strace_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] @@ -26,6 +26,7 @@ risk_score = 21 rule_id = "d6450d4e-81c6-46a3-bd94-079886318ed5" severity = "low" tags = ["Elastic", "Host", "Linux", "Threat Detection"] +timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c" type = "query" query = ''' diff --git a/rules/linux/persistence_kernel_module_activity.toml b/rules/linux/persistence_kernel_module_activity.toml index e4bc0941b..9954eaedd 100644 --- a/rules/linux/persistence_kernel_module_activity.toml +++ b/rules/linux/persistence_kernel_module_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] @@ -25,6 +25,7 @@ risk_score = 21 rule_id = "81cc58f5-8062-49a2-ba84-5cc4b4d31c40" severity = "low" tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence"] +timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c" type = "query" query = ''' diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/linux/persistence_shell_activity_by_web_server.toml index 27ebc571e..aeb526340 100644 --- a/rules/linux/persistence_shell_activity_by_web_server.toml +++ b/rules/linux/persistence_shell_activity_by_web_server.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] @@ -23,6 +23,7 @@ risk_score = 47 rule_id = "231876e7-4d1f-4d63-a47c-47dd1acdc1cb" severity = "medium" tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence"] +timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c" type = "query" query = ''' diff --git a/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml b/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml index a5fe2f27e..f4304bde6 100644 --- a/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml +++ b/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/23" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] @@ -22,6 +22,7 @@ risk_score = 21 rule_id = "3a86e085-094c-412d-97ff-2439731e59cb" severity = "low" tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"] +timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c" type = "query" query = ''' diff --git a/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml b/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml index 7b3b49b00..f0a8944c5 100644 --- a/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml +++ b/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/23" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] @@ -22,6 +22,7 @@ risk_score = 21 rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a" severity = "low" tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"] +timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c" type = "query" query = ''' 
diff --git a/rules/macos/credential_access_compress_credentials_keychains.toml b/rules/macos/credential_access_compress_credentials_keychains.toml index d01db6e3e..62f087a66 100644 --- a/rules/macos/credential_access_compress_credentials_keychains.toml +++ b/rules/macos/credential_access_compress_credentials_keychains.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] @@ -21,6 +21,7 @@ risk_score = 73 rule_id = "96e90768-c3b7-4df6-b5d9-6237f8bc36a8" severity = "high" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"] +timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c" type = "query" query = ''' diff --git a/rules/macos/credential_access_kerberosdump_kcc.toml b/rules/macos/credential_access_kerberosdump_kcc.toml index 007a525e8..701e01614 100644 --- a/rules/macos/credential_access_kerberosdump_kcc.toml +++ b/rules/macos/credential_access_kerberosdump_kcc.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] @@ -20,6 +20,7 @@ risk_score = 73 rule_id = "ad88231f-e2ab-491c-8fc6-64746da26cfe" severity = "high" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"] +timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c" type = "query" query = ''' diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml index 65188a5f0..1a6253007 100644 --- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml +++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] 
@@ -20,6 +20,7 @@ risk_score = 47 rule_id = "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc" severity = "medium" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Lateral Movement"] +timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c" type = "query" query = ''' diff --git a/rules/ml/ml_linux_anomalous_network_activity.toml b/rules/ml/ml_linux_anomalous_network_activity.toml index 14950e919..dbd695f4f 100644 --- a/rules/ml/ml_linux_anomalous_network_activity.toml +++ b/rules/ml/ml_linux_anomalous_network_activity.toml @@ -21,7 +21,7 @@ machine_learning_job_id = "linux_anomalous_network_activity_ecs" name = "Unusual Linux Network Activity" note = """### Investigating Unusual Network Activity ### Detection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation: -- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? +- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? - If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses. - Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program? - Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business or maintenance process. diff --git a/rules/ml/ml_rare_process_by_host_windows.toml b/rules/ml/ml_rare_process_by_host_windows.toml index a64ed5bf0..6c773aa76 100644 --- a/rules/ml/ml_rare_process_by_host_windows.toml 
+++ b/rules/ml/ml_rare_process_by_host_windows.toml @@ -27,7 +27,7 @@ note = """### Investigating an Unusual Windows Process ### Detection alerts from this rule indicate the presence of a Windows process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation: - Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? - Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process. -- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package. +- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package. - Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing. - Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious. - If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. """ diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml index ed49668e0..99a5c4f82 100644 --- a/rules/ml/ml_windows_anomalous_network_activity.toml 
+++ b/rules/ml/ml_windows_anomalous_network_activity.toml @@ -22,7 +22,7 @@ machine_learning_job_id = "windows_anomalous_network_activity_ecs" name = "Unusual Windows Network Activity" note = """### Investigating Unusual Network Activity ### Detection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation: -- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? +- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? - If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses. - Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program? - Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process. diff --git a/rules/ml/ml_windows_rare_user_type10_remote_login.toml b/rules/ml/ml_windows_rare_user_type10_remote_login.toml index edd481729..09d5d5baf 100644 --- a/rules/ml/ml_windows_rare_user_type10_remote_login.toml +++ b/rules/ml/ml_windows_rare_user_type10_remote_login.toml 
@@ -25,7 +25,7 @@ machine_learning_job_id = "windows_rare_user_type10_remote_login" name = "Unusual Windows Remote User" note = """### Investigating an Unusual Windows User ### Detection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation: -- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user? +- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user? - Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?""" references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] risk_score = 21 diff --git a/rules/network/command_and_control_cobalt_strike_beacon.toml b/rules/network/command_and_control_cobalt_strike_beacon.toml index 3eb249f28..8a415aab0 100644 --- a/rules/network/command_and_control_cobalt_strike_beacon.toml +++ b/rules/network/command_and_control_cobalt_strike_beacon.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/06" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] @@ -30,6 +30,7 @@ risk_score = 73 rule_id = "cf53f532-9cc9-445a-9ae7-fced307ec53c" severity = "high" tags = ["Elastic", "Network", "Threat Detection", "Command and Control"] +timeline_id = "91832785-286d-4ebe-b884-1a208d111a70" type = "query" query = ''' diff --git a/rules/network/command_and_control_dns_directly_to_the_internet.toml b/rules/network/command_and_control_dns_directly_to_the_internet.toml index 0613fe29b..0a45eaf36 100644 
--- a/rules/network/command_and_control_dns_directly_to_the_internet.toml +++ b/rules/network/command_and_control_dns_directly_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] @@ -33,10 +33,11 @@ risk_score = 47 rule_id = "6ea71ff0-9e95-475b-9506-2580d1ce6154" severity = "medium" tags = ["Elastic", "Network", "Threat Detection", "Command and Control"] +timeline_id = "91832785-286d-4ebe-b884-1a208d111a70" type = "query" query = ''' -event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns) +event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or 224.0.0.252 or 255.255.255.255 or "::1" or "ff02::fb") ''' diff --git a/rules/network/command_and_control_download_rar_powershell_from_internet.toml b/rules/network/command_and_control_download_rar_powershell_from_internet.toml index d4d325a4b..e80e3d2e1 100644 --- a/rules/network/command_and_control_download_rar_powershell_from_internet.toml +++ b/rules/network/command_and_control_download_rar_powershell_from_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/02" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] @@ -31,6 +31,7 @@ risk_score = 47 rule_id = "ff013cb4-274d-434a-96bb-fe15ddd3ae92" severity = "medium" tags = ["Elastic", "Network", "Threat Detection", "Command and Control"] +timeline_id = "91832785-286d-4ebe-b884-1a208d111a70" type = "query" query = ''' 
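Review bot: The internal-source filter kept on the new side of the query, `source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)`, only covers IPv4 RFC 1918 space, so DNS from IPv6 hosts and from 100.64.0.0/10 (shared address space, common behind CGNAT and in some cloud VPCs) never matches, and the `not destination.ip:(...)` exclusion likewise omits IPv6 ULA (`fc00::/7`) and link-local (`fe80::/10`) while excluding only the single metadata address `169.254.169.254/32` rather than `169.254.0.0/16`. If those ranges are routed in the monitored networks, widen both lists, e.g. `source.ip:(10.0.0.0/8 or 100.64.0.0/10 or 172.16.0.0/12 or 192.168.0.0/16 or "fc00::/7" or "fe80::/10")` with the same ranges added to the destination exclusion. Separately, `type:dns` in the event selector is not an ECS field name and will silently match nothing on ECS-only sources; confirm which legacy dataset populates it, and consider a comment in the rule noting why it is kept.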
diff --git a/rules/network/command_and_control_fin7_c2_behavior.toml b/rules/network/command_and_control_fin7_c2_behavior.toml index 021be4b78..b99104701 100644 --- a/rules/network/command_and_control_fin7_c2_behavior.toml +++ b/rules/network/command_and_control_fin7_c2_behavior.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/06" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] @@ -28,6 +28,7 @@ risk_score = 73 rule_id = "4a4e23cf-78a2-449c-bac3-701924c269d3" severity = "high" tags = ["Elastic", "Network", "Threat Detection", "Command and Control"] +timeline_id = "91832785-286d-4ebe-b884-1a208d111a70" type = "query" query = ''' diff --git a/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml b/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml index c4c4cd31b..7575660ba 100644 --- a/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml +++ b/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] @@ -30,6 +30,7 @@ risk_score = 21 rule_id = "87ec6396-9ac4-4706-bcf0-2ebb22002f43" severity = "low" tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"] +timeline_id = "91832785-286d-4ebe-b884-1a208d111a70" type = "query" query = ''' diff --git a/rules/network/command_and_control_halfbaked_beacon.toml b/rules/network/command_and_control_halfbaked_beacon.toml index e9eee45d5..0d8c3dd8f 100644 --- a/rules/network/command_and_control_halfbaked_beacon.toml +++ b/rules/network/command_and_control_halfbaked_beacon.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/07/06" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] @@ -29,11 +29,12 @@ risk_score = 73 rule_id = "2e580225-2a58-48ef-938b-572933be06fe" severity = "high" tags = ["Elastic", "Network", "Threat Detection", "Command and Control"] +timeline_id = "91832785-286d-4ebe-b884-1a208d111a70" type = "query" query = ''' -event.category:(network OR network_traffic) AND network.protocol:http AND - network.transport:tcp AND url.full:/http:\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\/cd/ AND +event.category:(network OR network_traffic) AND network.protocol:http AND + network.transport:tcp AND url.full:/http:\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\/cd/ AND destination.port:(53 OR 80 OR 8080 OR 443) ''' diff --git a/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml b/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml index fe167b7b3..d8412264a 100644 --- a/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml +++ b/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] @@ -29,6 +29,7 @@ risk_score = 47 rule_id = "c6474c34-4953-447a-903e-9fcb7b6661aa" severity = "medium" tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"] +timeline_id = "91832785-286d-4ebe-b884-1a208d111a70" type = "query" query = ''' diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml index 9896bd62b..9bf3d6895 100644 --- a/rules/network/command_and_control_nat_traversal_port_activity.toml 
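Review bot: In the re-added `url.full` regexp on the new side, the dots between the IPv4 octets are unescaped (`[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}`), and in Lucene regexp syntax `.` matches any character, so the pattern also accepts plain digit runs or other separators instead of a dotted IPv4 literal. Escape them so the rule matches what its name promises: `url.full:/http:\/\/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\/cd/`. The practical false-positive impact is probably small because the surrounding `http://` and `/cd` still have to match, but the tighter literal removes the ambiguity and documents intent. Since the hunk only re-emits these lines with whitespace changes, this is an inherited issue rather than one the commit introduced.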
+++ b/rules/network/command_and_control_nat_traversal_port_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] @@ -28,6 +28,7 @@ risk_score = 21 rule_id = "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7" severity = "low" tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"] +timeline_id = "91832785-286d-4ebe-b884-1a208d111a70" type = "query" query = ''' diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml index d11ad0b92..31ce8cea3 100644 --- a/rules/network/command_and_control_port_26_activity.toml +++ b/rules/network/command_and_control_port_26_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] @@ -29,6 +29,7 @@ risk_score = 21 rule_id = "d7e62693-aab9-4f66-a21a-3d79ecdd603d" severity = "low" tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"] +timeline_id = "91832785-286d-4ebe-b884-1a208d111a70" type = "query" query = ''' diff --git a/rules/network/command_and_control_port_8000_activity_to_the_internet.toml b/rules/network/command_and_control_port_8000_activity_to_the_internet.toml index 201be85e8..3fd85278a 100644 --- a/rules/network/command_and_control_port_8000_activity_to_the_internet.toml +++ b/rules/network/command_and_control_port_8000_activity_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] 
@@ -28,6 +28,7 @@ risk_score = 21 rule_id = "08d5d7e2-740f-44d8-aeda-e41f4263efaf" severity = "low" tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"] +timeline_id = "91832785-286d-4ebe-b884-1a208d111a70" type = "query" query = ''' diff --git a/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml b/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml index 259a6e3ff..b807b258e 100644 --- a/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml +++ b/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] @@ -27,6 +27,7 @@ risk_score = 21 rule_id = "d2053495-8fe7-4168-b3df-dad844046be3" severity = "low" tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"] +timeline_id = "91832785-286d-4ebe-b884-1a208d111a70" type = "query" query = ''' diff --git a/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml b/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml index 4736038be..50cd40c83 100644 --- a/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml +++ b/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] @@ -31,6 +31,7 @@ risk_score = 47 rule_id = "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3" severity = "medium" tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"] +timeline_id = "91832785-286d-4ebe-b884-1a208d111a70" type = "query" query = ''' 
diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml index fbdd459bd..78092dd6a 100644 --- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml +++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] @@ -30,6 +30,7 @@ risk_score = 47 rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488" severity = "medium" tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"] +timeline_id = "91832785-286d-4ebe-b884-1a208d111a70" type = "query" query = ''' diff --git a/rules/network/command_and_control_smtp_to_the_internet.toml b/rules/network/command_and_control_smtp_to_the_internet.toml index 410aa10fd..88a8364cf 100644 --- a/rules/network/command_and_control_smtp_to_the_internet.toml +++ b/rules/network/command_and_control_smtp_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] @@ -26,6 +26,7 @@ risk_score = 21 rule_id = "67a9beba-830d-4035-bfe8-40b7e28f8ac4" severity = "low" tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"] +timeline_id = "91832785-286d-4ebe-b884-1a208d111a70" type = "query" query = ''' diff --git a/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml b/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml index 9fada6c0e..380a2618d 100644 --- a/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml +++ b/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] @@ -27,6 +27,7 @@ risk_score = 47 rule_id = "139c7458-566a-410c-a5cd-f80238d6a5cd" severity = "medium" tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"] +timeline_id = "91832785-286d-4ebe-b884-1a208d111a70" type = "query" query = ''' diff --git a/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml b/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml index 8ce96d4ca..1452cacb8 100644 --- a/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml +++ b/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] @@ -30,6 +30,7 @@ risk_score = 47 rule_id = "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17" severity = "medium" tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"] +timeline_id = "91832785-286d-4ebe-b884-1a208d111a70" type = "query" query = ''' diff --git a/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml b/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml index fcdb8ed01..9129d9198 100644 --- a/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml +++ b/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] 
@@ -29,6 +29,7 @@ risk_score = 21 rule_id = "6f1500bc-62d7-4eb9-8601-7485e87da2f4" severity = "low" tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"] +timeline_id = "91832785-286d-4ebe-b884-1a208d111a70" type = "query" query = ''' diff --git a/rules/network/command_and_control_telnet_port_activity.toml b/rules/network/command_and_control_telnet_port_activity.toml index cdb62f8c1..ae68f697a 100644 --- a/rules/network/command_and_control_telnet_port_activity.toml +++ b/rules/network/command_and_control_telnet_port_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] @@ -29,6 +29,7 @@ risk_score = 47 rule_id = "34fde489-94b0-4500-a76f-b8a157cf9269" severity = "medium" tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"] +timeline_id = "91832785-286d-4ebe-b884-1a208d111a70" type = "query" query = ''' diff --git a/rules/network/command_and_control_tor_activity_to_the_internet.toml b/rules/network/command_and_control_tor_activity_to_the_internet.toml index 48ab6049b..5d8d2f338 100644 --- a/rules/network/command_and_control_tor_activity_to_the_internet.toml +++ b/rules/network/command_and_control_tor_activity_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] @@ -27,6 +27,7 @@ risk_score = 47 rule_id = "7d2c38d7-ede7-4bdf-b140-445906e6c540" severity = "medium" tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"] +timeline_id = "91832785-286d-4ebe-b884-1a208d111a70" type = "query" query = ''' 
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml index ade01435d..070220565 100644 --- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml +++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] @@ -28,6 +28,7 @@ risk_score = 73 rule_id = "5700cb81-df44-46aa-a5d7-337798f53eb8" severity = "high" tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"] +timeline_id = "91832785-286d-4ebe-b884-1a208d111a70" type = "query" query = ''' diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml index d7ec53387..d584b5541 100644 --- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml +++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] @@ -28,6 +28,7 @@ risk_score = 47 rule_id = "3ad49c61-7adc-42c1-b788-732eda2f5abf" severity = "medium" tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"] +timeline_id = "91832785-286d-4ebe-b884-1a208d111a70" type = "query" query = ''' diff --git a/rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml b/rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml index cbb9d91b6..ef31beb98 100644 --- a/rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml 
+++ b/rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/04" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] @@ -30,6 +30,7 @@ risk_score = 21 rule_id = "1d72d014-e2ab-4707-b056-9b96abe7b511" severity = "low" tags = ["Elastic", "Network", "Threat Detection", "Discovery"] +timeline_id = "91832785-286d-4ebe-b884-1a208d111a70" type = "query" query = ''' diff --git a/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml b/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml index 59d54e3cd..d881a060e 100644 --- a/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml +++ b/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] @@ -29,6 +29,7 @@ risk_score = 21 rule_id = "e56993d2-759c-4120-984c-9ec9bb940fd5" severity = "low" tags = ["Elastic", "Host", "Network", "Threat Detection", "Initial Access"] +timeline_id = "91832785-286d-4ebe-b884-1a208d111a70" type = "query" query = ''' diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml index a1810002a..58e87a90c 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml +++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/26" +updated_date = "2020/10/27" [rule] author = ["Elastic"] 
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "143cb236-0956-4f42-a706-814bcaa0cf5a"
 severity = "high"
 tags = ["Elastic", "Host", "Network", "Threat Detection", "Initial Access"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"
 
 query = '''
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
index ff7001335..4874135d1 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "32923416-763a-4531-bb35-f33b9232ecdb"
 severity = "high"
 tags = ["Elastic", "Host", "Network", "Threat Detection", "Initial Access"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"
 
 query = '''
diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
index 87ac27121..f925ba104 100644
--- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
+++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a"
 severity = "high"
 tags = ["Elastic", "Host", "Network", "Threat Detection", "Initial Access"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"
 
 query = '''
diff --git a/rules/network/initial_access_unsecure_elasticsearch_node.toml b/rules/network/initial_access_unsecure_elasticsearch_node.toml
index 547935ba2..f4782dbce 100644
--- a/rules/network/initial_access_unsecure_elasticsearch_node.toml
+++ b/rules/network/initial_access_unsecure_elasticsearch_node.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/11"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -29,6 +29,7 @@ risk_score = 47
 rule_id = "31295df3-277b-4c56-a1fb-84e31b4222a9"
 severity = "medium"
 tags = ["Elastic", "Network", "Threat Detection", "Initial Access"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"
 
 query = '''
diff --git a/rules/promotions/elastic_endpoint.toml b/rules/promotions/elastic_endpoint.toml
index ee00f0e67..09f9ec802 100644
--- a/rules/promotions/elastic_endpoint.toml
+++ b/rules/promotions/elastic_endpoint.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/08"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -22,6 +22,7 @@ rule_id = "9a1a2dae-0b5f-4c3d-8305-a268d404c306"
 rule_name_override = "message"
 severity = "medium"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/promotions/endpoint_adversary_behavior_detected.toml b/rules/promotions/endpoint_adversary_behavior_detected.toml
index a29dd194b..1b01d4a51 100644
--- a/rules/promotions/endpoint_adversary_behavior_detected.toml
+++ b/rules/promotions/endpoint_adversary_behavior_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 47
 rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69"
 severity = "medium"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"
 
 query = '''
diff --git a/rules/promotions/endpoint_cred_dumping_detected.toml b/rules/promotions/endpoint_cred_dumping_detected.toml
index 1ed7f9b1b..2f452e113 100644
--- a/rules/promotions/endpoint_cred_dumping_detected.toml
+++ b/rules/promotions/endpoint_cred_dumping_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "571afc56-5ed9-465d-a2a9-045f099f6e7e"
 severity = "high"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"
 
 query = '''
diff --git a/rules/promotions/endpoint_cred_dumping_prevented.toml b/rules/promotions/endpoint_cred_dumping_prevented.toml
index 21063735b..6311d562d 100644
--- a/rules/promotions/endpoint_cred_dumping_prevented.toml
+++ b/rules/promotions/endpoint_cred_dumping_prevented.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 47
 rule_id = "db8c33a8-03cd-4988-9e2c-d0a4863adb13"
 severity = "medium"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"
 
 query = '''
diff --git a/rules/promotions/endpoint_cred_manipulation_detected.toml b/rules/promotions/endpoint_cred_manipulation_detected.toml
index dcc743a38..86222d32c 100644
--- a/rules/promotions/endpoint_cred_manipulation_detected.toml
+++ b/rules/promotions/endpoint_cred_manipulation_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "c0be5f31-e180-48ed-aa08-96b36899d48f"
 severity = "high"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"
 
 query = '''
diff --git a/rules/promotions/endpoint_cred_manipulation_prevented.toml b/rules/promotions/endpoint_cred_manipulation_prevented.toml
index 2339b1255..b16373544 100644
--- a/rules/promotions/endpoint_cred_manipulation_prevented.toml
+++ b/rules/promotions/endpoint_cred_manipulation_prevented.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 47
 rule_id = "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa"
 severity = "medium"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"
 
 query = '''
diff --git a/rules/promotions/endpoint_exploit_detected.toml b/rules/promotions/endpoint_exploit_detected.toml
index acd7f5707..4e6d884f5 100644
--- a/rules/promotions/endpoint_exploit_detected.toml
+++ b/rules/promotions/endpoint_exploit_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514"
 severity = "high"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"
 
 query = '''
diff --git a/rules/promotions/endpoint_exploit_prevented.toml b/rules/promotions/endpoint_exploit_prevented.toml
index 0fe022ebc..168db7f16 100644
--- a/rules/promotions/endpoint_exploit_prevented.toml
+++ b/rules/promotions/endpoint_exploit_prevented.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 47
 rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036"
 severity = "medium"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"
 
 query = '''
diff --git a/rules/promotions/endpoint_malware_detected.toml b/rules/promotions/endpoint_malware_detected.toml
index baff21372..4602841fe 100644
--- a/rules/promotions/endpoint_malware_detected.toml
+++ b/rules/promotions/endpoint_malware_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 99
 rule_id = "0a97b20f-4144-49ea-be32-b540ecc445de"
 severity = "critical"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"
 
 query = '''
diff --git a/rules/promotions/endpoint_malware_prevented.toml b/rules/promotions/endpoint_malware_prevented.toml
index a6302e98b..d772be96b 100644
--- a/rules/promotions/endpoint_malware_prevented.toml
+++ b/rules/promotions/endpoint_malware_prevented.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "3b382770-efbb-44f4-beed-f5e0a051b895"
 severity = "high"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"
 
 query = '''
diff --git a/rules/promotions/endpoint_permission_theft_detected.toml b/rules/promotions/endpoint_permission_theft_detected.toml
index 47312e777..477b6c5a5 100644
--- a/rules/promotions/endpoint_permission_theft_detected.toml
+++ b/rules/promotions/endpoint_permission_theft_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "c3167e1b-f73c-41be-b60b-87f4df707fe3"
 severity = "high"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"
 
 query = '''
diff --git a/rules/promotions/endpoint_permission_theft_prevented.toml b/rules/promotions/endpoint_permission_theft_prevented.toml
index c2e85dc04..eb34c50b6 100644
--- a/rules/promotions/endpoint_permission_theft_prevented.toml
+++ b/rules/promotions/endpoint_permission_theft_prevented.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 47
 rule_id = "453f659e-0429-40b1-bfdb-b6957286e04b"
 severity = "medium"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"
 
 query = '''
diff --git a/rules/promotions/endpoint_process_injection_detected.toml b/rules/promotions/endpoint_process_injection_detected.toml
index 12e4414b5..964f09b9d 100644
--- a/rules/promotions/endpoint_process_injection_detected.toml
+++ b/rules/promotions/endpoint_process_injection_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "80c52164-c82a-402c-9964-852533d58be1"
 severity = "high"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"
 
 query = '''
diff --git a/rules/promotions/endpoint_process_injection_prevented.toml b/rules/promotions/endpoint_process_injection_prevented.toml
index 916bd5795..2157d69e4 100644
--- a/rules/promotions/endpoint_process_injection_prevented.toml
+++ b/rules/promotions/endpoint_process_injection_prevented.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 47
 rule_id = "990838aa-a953-4f3e-b3cb-6ddf7584de9e"
 severity = "medium"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"
 
 query = '''
diff --git a/rules/promotions/endpoint_ransomware_detected.toml b/rules/promotions/endpoint_ransomware_detected.toml
index 217f281d4..d409895c4 100644
--- a/rules/promotions/endpoint_ransomware_detected.toml
+++ b/rules/promotions/endpoint_ransomware_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 99
 rule_id = "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd"
 severity = "critical"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"
 
 query = '''
diff --git a/rules/promotions/endpoint_ransomware_prevented.toml b/rules/promotions/endpoint_ransomware_prevented.toml
index 005badd58..79208cedb 100644
--- a/rules/promotions/endpoint_ransomware_prevented.toml
+++ b/rules/promotions/endpoint_ransomware_prevented.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "e3c5d5cb-41d5-4206-805c-f30561eae3ac"
 severity = "high"
 tags = ["Elastic", "Endpoint Security"]
+timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
 type = "query"
 
 query = '''
diff --git a/rules/windows/command_and_control_certutil_network_connection.toml b/rules/windows/command_and_control_certutil_network_connection.toml
index 8f041cd17..89a11c063 100644
--- a/rules/windows/command_and_control_certutil_network_connection.toml
+++ b/rules/windows/command_and_control_certutil_network_connection.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/19"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "3838e0e3-1850-4850-a411-2e8c5ba40ba8"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"
 
 query = '''
diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
index 34fef4d19..5c1d5ac75 100644
--- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
+++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 47
 rule_id = "15c0b7a7-9c34-4869-b25b-fa6518414899"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
index 2d808b5bb..90f731983 100644
--- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
+++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -22,6 +22,7 @@ risk_score = 47
 rule_id = "c6453e73-90eb-4fe7-a98c-cde7bbfc504a"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
index c08e5e1c5..78978ea93 100644
--- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
+++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -17,6 +17,7 @@ risk_score = 47
 rule_id = "b25a7df2-120a-4db2-bd3f-3e4b86b24bee"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml
index 55e7a6659..9e5cccfef 100755
--- a/rules/windows/credential_access_credential_dumping_msbuild.toml
+++ b/rules/windows/credential_access_credential_dumping_msbuild.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
index a907f2aaa..c84fb3217 100644
--- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
+++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/13"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -24,10 +24,11 @@ risk_score = 73
 rule_id = "b83a7e96-2eb3-4edf-8346-427b6858d3bd"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
-event.category:file and not event.type:deletion and
+event.category:file and not event.type:deletion and
 file.name:(ntds_capi_*.pfx or ntds_capi_*.pvk)
 '''
 
diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
index 9789018b4..aa2c20a34 100644
--- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
+++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -21,6 +21,7 @@ risk_score = 73
 rule_id = "0564fb9d-90b9-4234-a411-82a546dc1343"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
index 09d937554..b8b2619f7 100644
--- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml
+++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -25,6 +25,7 @@ risk_score = 73
 rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
index a7bf07fc1..bb753bdfc 100644
--- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
+++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/31"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -16,6 +16,7 @@ risk_score = 73
 rule_id = "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
index b177cde38..e22b9b4aa 100644
--- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
+++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -16,6 +16,7 @@ risk_score = 21
 rule_id = "4630d948-40d4-4cef-ac69-4002e29bc3db"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
index c6c813fb7..d6714de67 100644
--- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "d331bbe2-6db4-4941-80a5-8270db72eb61"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/defense_evasion_code_injection_conhost.toml b/rules/windows/defense_evasion_code_injection_conhost.toml
index 700e8207b..f177aa31d 100644
--- a/rules/windows/defense_evasion_code_injection_conhost.toml
+++ b/rules/windows/defense_evasion_code_injection_conhost.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/31"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "28896382-7d4f-4d50-9b72-67091901fd26"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
index 5e06f8f8a..651f94957 100644
--- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
+++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "f675872f-6d85-40a3-b502-c0d2ef101e92"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
index 9d7f623b7..33fb43739 100644
--- a/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
+++ b/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "581add16-df76-42bb-af8e-c979bfb39a59"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
index be511b266..b345525aa 100644
--- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
+++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 47
 rule_id = "4b438734-3793-4fda-bd42-ceeada0be8f9"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
index 73cd40bca..41b386462 100644
--- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
+++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -16,6 +16,7 @@ risk_score = 47
 rule_id = "201200f1-a99b-43fb-88ed-f65a45c4972c"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml b/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
index fe8d9a9b3..5ab03f4a4 100644
--- a/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
+++ b/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 47
 rule_id = "fd70c98a-c410-42dc-a2e3-761c71848acf"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
index 54f96922e..30e0a552c 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -26,6 +26,7 @@ risk_score = 73
 rule_id = "c5dc3223-13a2-44a2-946c-e9dc0aa0449c"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
index 3d556736d..73f0cb10b 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
index d0f02e76c..0a65717cb 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 47
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
index 1e6347e40..4ebb7dfe7 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
index 2dadf7a1b..c8c25fb31 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -26,6 +26,7 @@ risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
index 7b1dbdd65..7d03597f7 100644
--- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
+++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "1160dcdb-0a0a-4a79-91d8-9b84616edebd"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml b/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
index 605df5aed..b8617f2d8 100644
--- a/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
+++ b/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -16,6 +16,7 @@ risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
index 6021fad3c..644c2c611 100644
--- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml
+++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/14"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "ebf1adea-ccf2-4943-8b96-7ab11ca173a5"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_injection_msbuild.toml b/rules/windows/defense_evasion_injection_msbuild.toml
index 228e2cf4a..3a00b1dcd 100755
--- a/rules/windows/defense_evasion_injection_msbuild.toml
+++ b/rules/windows/defense_evasion_injection_msbuild.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_installutil_beacon.toml b/rules/windows/defense_evasion_installutil_beacon.toml
index 42569e87c..6b8aa5a83 100644
--- a/rules/windows/defense_evasion_installutil_beacon.toml
+++ b/rules/windows/defense_evasion_installutil_beacon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "a13167f1-eec2-4015-9631-1fee60406dcf"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "eql"
 query = '''
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index 87c35c1ac..ac55f021f 100644
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/24"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 47
 rule_id = "b41a13c6-ba45-4bab-a534-df53d0cfed6a"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
index f5d4cb5be..746c3b5ba 100644
--- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
+++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/01"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 47
 rule_id = "2e1e835d-01e5-48ca-b9fc-7a61f7f11902"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
index b68ff66f7..f8a0ef4c5 100644
--- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
+++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/24"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -24,6 +24,7 @@ risk_score = 47
 rule_id = "ac5012b8-8da8-440b-aaaf-aedafdea2dff"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml
index 951fdb67e..35a4de5ff 100644
--- a/rules/windows/defense_evasion_masquerading_werfault.toml
+++ b/rules/windows/defense_evasion_masquerading_werfault.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/24"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -21,6 +21,7 @@ risk_score = 47
 rule_id = "6ea41894-66c3-4df7-ad6b-2c5074eb3df8"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
index 77c83b46a..03ee94896 100644
--- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
+++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 21
 rule_id = "63e65ec3-43b1-45b0-8f2d-45b34291dc44"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_modification_of_boot_config.toml b/rules/windows/defense_evasion_modification_of_boot_config.toml
index c288a6450..b9b1e6e8d 100644
--- a/rules/windows/defense_evasion_modification_of_boot_config.toml
+++ b/rules/windows/defense_evasion_modification_of_boot_config.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/16"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "69c251fb-a5d6-4035-b5ec-40438bd829ff"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
index b17cc5311..be7edea76 100644
--- a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
+++ b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "9dc6ed5d-62a9-4feb-a903-fafa1d33b8e9"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "eql"
 query = '''
diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml
index 13d097b21..295a4c781 100644
--- a/rules/windows/defense_evasion_mshta_beacon.toml
+++ b/rules/windows/defense_evasion_mshta_beacon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "c2d90150-0133-451c-a783-533e736c12d7"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "eql"
 query = '''
diff --git a/rules/windows/defense_evasion_msxsl_beacon.toml b/rules/windows/defense_evasion_msxsl_beacon.toml
index baec09084..5ac0481af 100644
--- a/rules/windows/defense_evasion_msxsl_beacon.toml
+++ b/rules/windows/defense_evasion_msxsl_beacon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "870d1753-1078-403e-92d4-735f142edcca"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "eql"
 query = '''
diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
index 108caeddc..c407f81de 100644
--- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
+++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "1fe3b299-fbb5-4657-a937-1d746f2c711a"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "eql"
 query = '''
diff --git a/rules/windows/defense_evasion_reg_beacon.toml b/rules/windows/defense_evasion_reg_beacon.toml
index 0d6b9891b..728e3e807 100644
--- a/rules/windows/defense_evasion_reg_beacon.toml
+++ b/rules/windows/defense_evasion_reg_beacon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "6d3456a5-4a42-49d1-aaf2-7b1fd475b2c6"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "eql"
 query = '''
diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml
index 4f68bb815..41920da0e 100644
--- a/rules/windows/defense_evasion_rundll32_no_arguments.toml
+++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "f036953a-4615-4707-a1ca-dc53bf69dcd5"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "eql"
 query = '''
diff --git a/rules/windows/defense_evasion_rundll32_sequence.toml b/rules/windows/defense_evasion_rundll32_sequence.toml
index 17834c682..c9858a9c4 100644
--- a/rules/windows/defense_evasion_rundll32_sequence.toml
+++ b/rules/windows/defense_evasion_rundll32_sequence.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "2b347f66-6739-4ae3-bd94-195036dde8b3"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "eql"
 query = '''
diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
index cb882a14b..f78976851 100644
--- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml
+++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "eql"
 query = '''
diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml
index 7614adb71..91ead1a52 100644
--- a/rules/windows/defense_evasion_suspicious_wmi_script.toml
+++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "7f370d54-c0eb-4270-ac5a-9a6020585dc6"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "eql"
 query = '''
diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
index d929a4735..08a9b876d 100644
--- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
+++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 47
 rule_id = "97aba1ef-6034-4bd3-8c1a-1e0996b27afa"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
index acaebdb52..ac36b6c46 100644
--- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
+++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/19"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 73
 rule_id = "e94262f2-c1e9-4d3f-a907-aeab16712e1a"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
index 1dda469f2..a021a6e7f 100644
--- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
+++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/19"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -16,11 +16,12 @@ risk_score = 73
 rule_id = "de9bd7e0-49e9-4e92-a64d-53ade2e66af1"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
 event.category:process and event.type:(start or process_started) and
- process.parent.pid:4 and
+ process.parent.pid:4 and
 not process.executable:(Registry or MemCompression or "C:\Windows\System32\smss.exe")
 '''
diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml
index 4870c7722..3a9dbbe95 100644
--- a/rules/windows/defense_evasion_via_filter_manager.toml
+++ b/rules/windows/defense_evasion_via_filter_manager.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -18,6 +18,7 @@ risk_score = 21
 rule_id = "06dceabf-adca-48af-ac79-ffdf4c3b1e9a"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml
index a054acc8b..99da8df32 100644
--- a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml
+++ b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 73
 rule_id = "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
index 0b5548ff9..7eb471e3b 100644
--- a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
+++ b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 73
 rule_id = "dc9c1f74-dac3-48e3-b47f-eb79db358f57"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/windows/discovery_net_command_system_account.toml b/rules/windows/discovery_net_command_system_account.toml
index 7a84a4187..7511c1653 100644
--- a/rules/windows/discovery_net_command_system_account.toml
+++ b/rules/windows/discovery_net_command_system_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "2856446a-34e6-435b-9fb5-f8f040bfa7ed"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/windows/discovery_process_discovery_via_tasklist_command.toml b/rules/windows/discovery_process_discovery_via_tasklist_command.toml
index 9f3256327..416787f17 100644
--- a/rules/windows/discovery_process_discovery_via_tasklist_command.toml
+++ b/rules/windows/discovery_process_discovery_via_tasklist_command.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -22,6 +22,7 @@ risk_score = 21
 rule_id = "cc16f774-59f9-462d-8b98-d27ccd4519ec"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index 66747769f..6bb77dbe7 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -24,6 +24,7 @@ risk_score = 21
 rule_id = "ef862985-3f13-4262-a686-5f357bbb9bc2"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
index c8a955b44..ed777d393 100644
--- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
+++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -25,6 +25,7 @@ risk_score = 21
 rule_id = "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/windows/execution_command_shell_started_by_powershell.toml b/rules/windows/execution_command_shell_started_by_powershell.toml
index 2225d2235..1418347fc 100644
--- a/rules/windows/execution_command_shell_started_by_powershell.toml
+++ b/rules/windows/execution_command_shell_started_by_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -16,6 +16,7 @@ risk_score = 21
 rule_id = "0f616aee-8161-4120-857e-742366f5eeb3"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index edde884a8..da923ea7d 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -16,6 +16,7 @@ risk_score = 21
 rule_id = "fd7a6052-58fa-4397-93c3-4795249ccfa2"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml
index 4539439e4..8163261d5 100644
--- a/rules/windows/execution_command_shell_started_by_unusual_process.toml
+++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -16,6 +16,7 @@ risk_score = 47
 rule_id = "3b47900d-e793-49e8-968f-c90dc3526aa1"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/windows/execution_downloaded_shortcut_files.toml b/rules/windows/execution_downloaded_shortcut_files.toml
index 476d79e3e..c41dea85e 100644
--- a/rules/windows/execution_downloaded_shortcut_files.toml
+++ b/rules/windows/execution_downloaded_shortcut_files.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "development"
 query_schema_validation = false
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 21
 rule_id = "6b1fd8e8-cefe-444c-bc4d-feaa2c497347"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "eql"
 query = '''
diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml
index 011f0d96f..56eda768e 100644
--- a/rules/windows/execution_downloaded_url_file.toml
+++ b/rules/windows/execution_downloaded_url_file.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "development"
 query_schema_validation = false
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 21
 rule_id = "cd82e3d6-1346-4afd-8f22-38388bbf34cb"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "eql"
 query = '''
diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
index b8dfdd9cb..4e94869f3 100644
--- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 21
 rule_id = "b29ee2be-bf99-446c-ab1a-2dc0183394b8"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/windows/execution_local_service_commands.toml b/rules/windows/execution_local_service_commands.toml
index 4be9a6e54..4dd967b12 100644
--- a/rules/windows/execution_local_service_commands.toml
+++ b/rules/windows/execution_local_service_commands.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "e8571d5f-bea1-46c2-9f56-998de2d3ed95"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml
index 862a218ea..b56bdbb64 100644
--- a/rules/windows/execution_ms_office_written_file.toml
+++ b/rules/windows/execution_ms_office_written_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "eql"
 query = '''
diff --git a/rules/windows/execution_msbuild_making_network_connections.toml b/rules/windows/execution_msbuild_making_network_connections.toml
index 19ab781ca..1281cc371 100644
--- a/rules/windows/execution_msbuild_making_network_connections.toml
+++ b/rules/windows/execution_msbuild_making_network_connections.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 47
 rule_id = "0e79980b-4250-4a50-a509-69294c14e84b"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/windows/execution_mshta_making_network_connections.toml b/rules/windows/execution_mshta_making_network_connections.toml
index 4a01dc643..d4b5b17fc 100644
--- a/rules/windows/execution_mshta_making_network_connections.toml
+++ b/rules/windows/execution_mshta_making_network_connections.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 47
 rule_id = "a4ec1382-4557-452b-89ba-e413b22ed4b8"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/windows/execution_msxsl_network.toml b/rules/windows/execution_msxsl_network.toml
index f2fbf655c..f485049a1 100644
--- a/rules/windows/execution_msxsl_network.toml
+++ b/rules/windows/execution_msxsl_network.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "b86afe07-0d98-4738-b15d-8d7465f95ff5"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 query = '''
diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml
index 4b1e72027..6daeaebf5 100644
--- a/rules/windows/execution_pdf_written_file.toml
+++ b/rules/windows/execution_pdf_written_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "1defdd62-cd8d-426e-a246-81a37751bb2b"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "eql"
 query = '''
diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml
index 8dbc0fe85..89b08cbd0 100644
--- a/rules/windows/execution_psexec_lateral_movement_command.toml
+++ b/rules/windows/execution_psexec_lateral_movement_command.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 [rule]
 author = ["Elastic"]
@@ -25,6 +25,7 @@ risk_score = 21
 rule_id = "55d551c6-333b-4665-ab7e-5d14a59715ce"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index a5431d58c..147df8bcb 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -25,6 +25,7 @@ risk_score = 21
 rule_id = "fb02b8d3-71ee-4af1-bacd-215d23f17efa"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_script_executing_powershell.toml b/rules/windows/execution_script_executing_powershell.toml
index d2d690057..771473d8c 100644
--- a/rules/windows/execution_script_executing_powershell.toml
+++ b/rules/windows/execution_script_executing_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_suspicious_ms_office_child_process.toml b/rules/windows/execution_suspicious_ms_office_child_process.toml
index 47eb98b26..b1b6d848f 100644
--- a/rules/windows/execution_suspicious_ms_office_child_process.toml
+++ b/rules/windows/execution_suspicious_ms_office_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 21
 rule_id = "a624863f-a70d-417f-a7d2-7a404638d47f"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_suspicious_ms_outlook_child_process.toml b/rules/windows/execution_suspicious_ms_outlook_child_process.toml
index 504d862f9..4e74d6818 100644
--- a/rules/windows/execution_suspicious_ms_outlook_child_process.toml
+++ b/rules/windows/execution_suspicious_ms_outlook_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "32f4675e-6c49-4ace-80f9-97c9259dca2e"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml
index 4c51e6a1a..dfa9d720e 100644
--- a/rules/windows/execution_suspicious_pdf_reader.toml
+++ b/rules/windows/execution_suspicious_pdf_reader.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/30"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "53a26770-9cbd-40c5-8b57-61d01a325e14"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml
index 4431e548e..023cf1721 100644
--- a/rules/windows/execution_suspicious_psexesvc.toml
+++ b/rules/windows/execution_suspicious_psexesvc.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 47
 rule_id = "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_unusual_dns_service_children.toml b/rules/windows/execution_unusual_dns_service_children.toml
index 95de08add..a360f971d 100644
--- a/rules/windows/execution_unusual_dns_service_children.toml
+++ b/rules/windows/execution_unusual_dns_service_children.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -36,6 +36,7 @@ risk_score = 73
 rule_id = "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_unusual_dns_service_file_writes.toml b/rules/windows/execution_unusual_dns_service_file_writes.toml
index 1745366c3..0653c408b 100644
--- a/rules/windows/execution_unusual_dns_service_file_writes.toml
+++ b/rules/windows/execution_unusual_dns_service_file_writes.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ license = "Elastic License"
 name = "Unusual File Modification by dns.exe"
 note = """### Investigating Unusual File Write
 Detection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:
-- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.
+- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.
 - Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care."""
 references = [
 "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
@@ -26,6 +26,7 @@ risk_score = 73
 rule_id = "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_unusual_network_connection_via_rundll32.toml b/rules/windows/execution_unusual_network_connection_via_rundll32.toml
index 40607d1d0..7e8bac2df 100644
--- a/rules/windows/execution_unusual_network_connection_via_rundll32.toml
+++ b/rules/windows/execution_unusual_network_connection_via_rundll32.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "52aaab7b-b51c-441a-89ce-4387b3aea886"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_unusual_process_network_connection.toml b/rules/windows/execution_unusual_process_network_connection.toml
index c123b0455..bc91ea3d1 100644
--- a/rules/windows/execution_unusual_process_network_connection.toml
+++ b/rules/windows/execution_unusual_process_network_connection.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "610949a1-312f-4e04-bb55-3a79b8c95267"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml
index ea7c55033..16c55968e 100644
--- a/rules/windows/execution_via_compiled_html_file.toml
+++ b/rules/windows/execution_via_compiled_html_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -26,6 +26,7 @@ risk_score = 21
 rule_id = "e3343ab9-4245-4715-b344-e11c56b0a47f"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml
index 26c6c4d2e..7614399b1 100644
--- a/rules/windows/execution_via_hidden_shell_conhost.toml
+++ b/rules/windows/execution_via_hidden_shell_conhost.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -22,6 +22,7 @@ risk_score = 73
 rule_id = "05b358de-aa6d-4f6c-89e6-78f74018b43b"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_via_net_com_assemblies.toml b/rules/windows/execution_via_net_com_assemblies.toml
index a2a9422c8..5c563b467 100644
--- a/rules/windows/execution_via_net_com_assemblies.toml
+++ b/rules/windows/execution_via_net_com_assemblies.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 21
 rule_id = "47f09343-8d1f-4bb5-8bb0-00c9d18f5010"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
index 572ed4e14..5c4f7047f 100644
--- a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
+++ b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 73
 rule_id = "4ed493fc-d637-4a36-80ff-ac84937e5461"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_wpad_exploitation.toml b/rules/windows/execution_wpad_exploitation.toml
index d68e56a7b..18c7b28ee 100644
--- a/rules/windows/execution_wpad_exploitation.toml
+++ b/rules/windows/execution_wpad_exploitation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 21
 rule_id = "ec328da1-d5df-482b-866c-4a435692b1f3"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "eql"
 
 query = '''
diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml
index 407cfff66..50d28f25b 100644
--- a/rules/windows/lateral_movement_cmd_service.toml
+++ b/rules/windows/lateral_movement_cmd_service.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "eql"
 
 query = '''
@@ -27,7 +28,7 @@ sequence by process.entity_id with maxspan=1m
 /* uncomment once in winlogbeat */
 (process.name == "sc.exe" /* or process.pe.original_file_name == "sc.exe" */ ) and
 /* case insensitive */
- wildcard(process.args, "\\\\*") and wildcard(process.args, "binPath=*", "binpath=*") and
+ wildcard(process.args, "\\\\*") and wildcard(process.args, "binPath=*", "binpath=*") and
 (process.args : "create" or
 process.args : "config" or
 process.args : "failure" or
diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
index b81678385..7c6eb449a 100644
--- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
+++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -21,6 +21,7 @@ risk_score = 47
 rule_id = "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"
 
 query = '''
diff --git a/rules/windows/lateral_movement_dns_server_overflow.toml b/rules/windows/lateral_movement_dns_server_overflow.toml
index 4372405b9..f8ca05803 100644
--- a/rules/windows/lateral_movement_dns_server_overflow.toml
+++ b/rules/windows/lateral_movement_dns_server_overflow.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -36,6 +36,7 @@ risk_score = 47
 rule_id = "11013227-0301-4a8c-b150-4db924484475"
 severity = "medium"
 tags = ["Elastic", "Network", "Threat Detection", "Lateral Movement"]
+timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
 type = "query"
 
 query = '''
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml
index 7636ef70a..31173d532 100644
--- a/rules/windows/persistence_adobe_hijack_persistence.toml
+++ b/rules/windows/persistence_adobe_hijack_persistence.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
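Review bot: `lateral_movement_direct_outbound_smb_connection.toml` receives `timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"` although it is tagged `"Host", "Windows"` exactly like the other host-side network-connection rules in this patch (msbuild, mshta, rundll32 and unusual_process_network_connection), all of which receive `"76e52245-7519-4251-91ab-262fb1a1728c"`; the only other rule given `91832785-…` here, `lateral_movement_dns_server_overflow.toml`, is tagged `"Network"`. If the selection rule is "network-source rules get the network timeline, host/process-source rules get the process timeline", the SMB rule looks misassigned; if the choice is instead made per rule by the analyst workflow it should open, that criterion is not visible anywhere in the files. Either change the SMB rule's UUID to match its siblings or record the assignment criterion so the next rule author applies it consistently.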
@@ -16,6 +16,7 @@ risk_score = 21
 rule_id = "2bf78aa2-9c56-48de-b139-f169bf99cf86"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml
index 4c4317c2f..f205c5b3f 100644
--- a/rules/windows/persistence_app_compat_shim.toml
+++ b/rules/windows/persistence_app_compat_shim.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "c5ce48a6-7f57-4ee8-9313-3d0024caee10"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "eql"
 
 query = '''
diff --git a/rules/windows/persistence_gpo_schtask_service_creation.toml b/rules/windows/persistence_gpo_schtask_service_creation.toml
index 66e222c45..1989faa90 100644
--- a/rules/windows/persistence_gpo_schtask_service_creation.toml
+++ b/rules/windows/persistence_gpo_schtask_service_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/13"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 21
 rule_id = "c0429aa8-9974-42da-bfb6-53a0a515a145"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/persistence_local_scheduled_task_commands.toml b/rules/windows/persistence_local_scheduled_task_commands.toml
index 9670fa4f7..f6cae1987 100644
--- a/rules/windows/persistence_local_scheduled_task_commands.toml
+++ b/rules/windows/persistence_local_scheduled_task_commands.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -17,6 +17,7 @@ risk_score = 21
 rule_id = "afcce5ad-65de-4ed2-8516-5e093d3ac99a"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
index 2f1152fac..67d3c260b 100644
--- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
+++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "7405ddf1-6c8e-41ce-818f-48bea6bcaed8"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml
index fe9ad970a..213e0d835 100644
--- a/rules/windows/persistence_system_shells_via_services.toml
+++ b/rules/windows/persistence_system_shells_via_services.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 47
 rule_id = "0022d47d-39c7-4f69-a232-4fe9dc7a3acd"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml
index e9be4c4ba..4cc8fadf0 100644
--- a/rules/windows/persistence_user_account_creation.toml
+++ b/rules/windows/persistence_user_account_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "1aa9181a-492b-4c01-8b16-fa0735786b2b"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml
index f0c13ad0a..601f21d3f 100644
--- a/rules/windows/persistence_via_application_shimming.toml
+++ b/rules/windows/persistence_via_application_shimming.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "fd4a992d-6130-4802-9ff8-829b89ae801f"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
index 0e8df23ec..0007d42c0 100644
--- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
+++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -22,6 +22,7 @@ risk_score = 73
 rule_id = "68921d85-d0dc-48b3-865f-43291ca2c4f2"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
index dfdc6b700..7e438580a 100644
--- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
+++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73
 rule_id = "265db8f5-fc73-4d0d-b434-6483b56372e2"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
index d3a0561c2..ed465e47d 100644
--- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -24,6 +24,7 @@ risk_score = 74
 rule_id = "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
index 612872a46..c0c4c5a48 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -21,6 +21,7 @@ risk_score = 74
 rule_id = "a7ccae7b-9d2c-44b2-a061-98e5946971fa"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
index 80d2ff9a6..1444fb42f 100644
--- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 47
 rule_id = "1dcc51f6-ba26-49e7-9ef4-2655abb2361e"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
index 77ccea3e8..d8018ee53 100644
--- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/17"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
diff --git a/rules/windows/privilege_escalation_uac_sdclt.toml b/rules/windows/privilege_escalation_uac_sdclt.toml
index 427e7dae1..f454eab9c 100644
--- a/rules/windows/privilege_escalation_uac_sdclt.toml
+++ b/rules/windows/privilege_escalation_uac_sdclt.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 21
 rule_id = "9b54e002-034a-47ac-9307-ad12c03fa900"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "eql"
 
 query = '''
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index d19dc7672..954edf270 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/26"
+updated_date = "2020/10/27"
 
 [rule]
 author = ["Elastic"]
@@ -19,12 +19,13 @@ risk_score = 47
 rule_id = "35df0dd8-092d-4a83-88c1-5151a804f31b"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
+timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
 type = "query"
 
 query = '''
 event.category:process and event.type:(start or process_started) and
 process.parent.executable:* and
-(process.parent.name:autochk.exe and not process.name:(chkdsk.exe or doskey.exe or WerFault.exe) or
+(process.parent.name:autochk.exe and not process.name:(chkdsk.exe or doskey.exe or WerFault.exe) or
 process.parent.name:smss.exe and not process.name:(autochk.exe or smss.exe or csrss.exe or wininit.exe or winlogon.exe or WerFault.exe) or
 process.name:autochk.exe and not process.parent.name:smss.exe or
 process.name:(fontdrvhost.exe or dwm.exe) and not process.parent.name:(wininit.exe or winlogon.exe) or