[Rule Tuning] Update threat mappings for Windows rules (#1497)
* Windows rules ATT&CK mapping review
* Bump updated_date and fix reference URLs
* Fix subtechnique
* Fix test errors
(cherry picked from commit 61afb1c1c0)
committed by
github-actions[bot]
parent
216d06ef30
commit
5b13666054
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/12/15"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/03"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -39,6 +39,11 @@ id = "T1114"
|
||||
name = "Email Collection"
|
||||
reference = "https://attack.mitre.org/techniques/T1114/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1114.002"
|
||||
name = "Remote Email Collection"
|
||||
reference = "https://attack.mitre.org/techniques/T1114/002/"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
reference = "https://attack.mitre.org/techniques/T1005/"
|
||||
id = "T1005"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/12/04"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/08"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -44,6 +44,11 @@ id = "T1560"
|
||||
name = "Archive Collected Data"
|
||||
reference = "https://attack.mitre.org/techniques/T1560/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1560.001"
|
||||
name = "Archive via Utility"
|
||||
reference = "https://attack.mitre.org/techniques/T1560/001/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0009"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/04"
|
||||
maturity = "production"
|
||||
updated_date = "2021/04/07"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -86,3 +86,26 @@ id = "TA0011"
|
||||
name = "Command and Control"
|
||||
reference = "https://attack.mitre.org/tactics/TA0011/"
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1567"
|
||||
name = "Exfiltration Over Web Service"
|
||||
reference = "https://attack.mitre.org/techniques/T1567/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1567.001"
|
||||
name = "Exfiltration to Code Repository"
|
||||
reference = "https://attack.mitre.org/techniques/T1567/001/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1567.002"
|
||||
name = "Exfiltration to Cloud Storage"
|
||||
reference = "https://attack.mitre.org/techniques/T1567/002/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0010"
|
||||
name = "Exfiltration"
|
||||
reference = "https://attack.mitre.org/tactics/TA0010/"
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/11"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/03"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -33,6 +33,11 @@ id = "T1071"
|
||||
name = "Application Layer Protocol"
|
||||
reference = "https://attack.mitre.org/techniques/T1071/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1071.004"
|
||||
name = "DNS"
|
||||
reference = "https://attack.mitre.org/techniques/T1071/004/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0011"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/28"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/30"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -57,3 +57,20 @@ id = "TA0011"
|
||||
name = "Command and Control"
|
||||
reference = "https://attack.mitre.org/tactics/TA0011/"
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1559"
|
||||
name = "Inter-Process Communication"
|
||||
reference = "https://attack.mitre.org/techniques/T1559/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1559.001"
|
||||
name = "Component Object Model"
|
||||
reference = "https://attack.mitre.org/techniques/T1559/001/"
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0002"
|
||||
name = "Execution"
|
||||
reference = "https://attack.mitre.org/tactics/TA0002/"
|
||||
|
||||
|
||||
+8
-13
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/25"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/03"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -20,7 +20,7 @@ references = [
|
||||
risk_score = 47
|
||||
rule_id = "3535c8bb-3bd5-40f4-ae32-b7cd589d5372"
|
||||
severity = "medium"
|
||||
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
|
||||
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
@@ -32,18 +32,13 @@ registry where registry.path : "HKLM\\SYSTEM\\ControlSet*\\Services\\PortProxy\\
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1562"
|
||||
name = "Impair Defenses"
|
||||
reference = "https://attack.mitre.org/techniques/T1562/"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1562.001"
|
||||
name = "Disable or Modify Tools"
|
||||
reference = "https://attack.mitre.org/techniques/T1562/001/"
|
||||
|
||||
id = "T1572"
|
||||
name = "Protocol Tunneling"
|
||||
reference = "https://attack.mitre.org/techniques/T1572/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
name = "Defense Evasion"
|
||||
reference = "https://attack.mitre.org/tactics/TA0005/"
|
||||
id = "TA0011"
|
||||
name = "Command and Control"
|
||||
reference = "https://attack.mitre.org/tactics/TA0011/"
|
||||
|
||||
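Review bot: The rewritten `[[rule.threat]]` block keeps only T1572 under Command and Control and drops the Defense Evasion entry, but `rule.threat` is an array of tables, so the two tactics are not mutually exclusive; if a persistent `PortProxy` registry entry is also meant to count as evasion, keep a second `[[rule.threat]]` block with its own `[rule.threat.tactic]` rather than replacing the first. T1572 describes encapsulating one protocol inside another, whereas a portproxy entry forwards TCP ports, which reads closer to T1090 (Proxy) — worth confirming against the ATT&CK entry for Netsh before settling on T1572. Whatever tactics remain, the `tags = [..., "Command and Control"]` line should list each of them so tag-based filtering and the threat array agree. The EQL query referenced in the hunk header lies outside the hunk.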
+10
-11
@@ -1,13 +1,13 @@
|
||||
[metadata]
|
||||
creation_date = "2020/10/14"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/03"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This could be indicative of
|
||||
adversary lateral movement to interactively access restricted networks.
|
||||
Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to
|
||||
enable routing of network packets that would otherwise not reach their intended destination.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
|
||||
@@ -18,7 +18,7 @@ references = ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunn
|
||||
risk_score = 73
|
||||
rule_id = "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f"
|
||||
severity = "high"
|
||||
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
|
||||
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
@@ -33,13 +33,12 @@ process where event.type in ("start", "process_started") and
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1021"
|
||||
name = "Remote Services"
|
||||
reference = "https://attack.mitre.org/techniques/T1021/"
|
||||
|
||||
id = "T1572"
|
||||
name = "Protocol Tunneling"
|
||||
reference = "https://attack.mitre.org/techniques/T1572/"
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0008"
|
||||
name = "Lateral Movement"
|
||||
reference = "https://attack.mitre.org/tactics/TA0008/"
|
||||
id = "TA0011"
|
||||
name = "Command and Control"
|
||||
reference = "https://attack.mitre.org/tactics/TA0011/"
|
||||
|
||||
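Review bot: Substituting T1572 for T1021 removes the only Lateral Movement mapping from a rule whose name and description still describe reaching RDP through a reverse SSH tunnel; since `[[rule.threat]]` is an array, the new T1572/TA0011 entry can sit alongside a retained T1021 (or `T1021.001` Remote Desktop Protocol, if the query is RDP-specific) under TA0008 instead of replacing it. The rewritten description sentence, `This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.`, restates the technique generically and no longer explains why this fires at `severity = "high"` with `risk_score = 73`; keeping the original sentence about interactive access to restricted networks alongside it would preserve that rationale. The EQL query named in the hunk header continues outside the hunk.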
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/12/14"
|
||||
maturity = "production"
|
||||
updated_date = "2021/05/10"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -51,29 +51,29 @@ reference = "https://attack.mitre.org/techniques/T1071/"
|
||||
name = "Application Layer Protocol"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1071.001"
|
||||
reference = "https://attack.mitre.org/techniques/T1071/001/"
|
||||
name = "Web Protocols"
|
||||
reference = "https://attack.mitre.org/techniques/T1071/001/"
|
||||
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0011"
|
||||
reference = "https://attack.mitre.org/tactics/TA0011/"
|
||||
name = "Command and Control"
|
||||
reference = "https://attack.mitre.org/tactics/TA0011/"
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1195"
|
||||
reference = "https://attack.mitre.org/techniques/T1195/"
|
||||
name = "Supply Chain Compromise"
|
||||
reference = "https://attack.mitre.org/techniques/T1195/"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1195.002"
|
||||
reference = "https://attack.mitre.org/techniques/T1195/002/"
|
||||
name = "Compromise Software Supply Chain"
|
||||
reference = "https://attack.mitre.org/techniques/T1195/002/"
|
||||
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0001"
|
||||
reference = "https://attack.mitre.org/tactics/TA0001/"
|
||||
name = "Initial Access"
|
||||
reference = "https://attack.mitre.org/tactics/TA0001/"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/09/02"
|
||||
maturity = "production"
|
||||
updated_date = "2021/04/14"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -33,6 +33,12 @@ reference = "https://attack.mitre.org/techniques/T1105/"
|
||||
name = "Ingress Tool Transfer"
|
||||
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1219"
|
||||
name = "Remote Access Software"
|
||||
reference = "https://attack.mitre.org/techniques/T1219/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0011"
|
||||
reference = "https://attack.mitre.org/tactics/TA0011/"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
updated_date = "2021/04/14"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -33,8 +33,13 @@ process where event.type in ("process_started", "start") and
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1070"
|
||||
reference = "https://attack.mitre.org/techniques/T1070/"
|
||||
name = "Indicator Removal on Host"
|
||||
reference = "https://attack.mitre.org/techniques/T1070/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1070.001"
|
||||
name = "Clear Windows Event Logs"
|
||||
reference = "https://attack.mitre.org/techniques/T1070/001/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/12"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/03"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic", "Anabella Cristaldi"]
|
||||
@@ -33,6 +33,11 @@ id = "T1070"
|
||||
name = "Indicator Removal on Host"
|
||||
reference = "https://attack.mitre.org/techniques/T1070/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1070.001"
|
||||
name = "Clear Windows Event Logs"
|
||||
reference = "https://attack.mitre.org/techniques/T1070/001/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
updated_date = "2021/04/14"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -36,9 +36,9 @@ id = "T1562"
|
||||
reference = "https://attack.mitre.org/techniques/T1562/"
|
||||
name = "Impair Defenses"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1562.001"
|
||||
reference = "https://attack.mitre.org/techniques/T1562/001/"
|
||||
name = "Disable or Modify Tools"
|
||||
id = "T1562.004"
|
||||
reference = "https://attack.mitre.org/techniques/T1562/004/"
|
||||
name = "Disable or Modify System Firewall"
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2021/05/06"
|
||||
maturity = "production"
|
||||
updated_date = "2021/05/06"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
|
||||
[rule]
|
||||
@@ -43,6 +43,11 @@ id = "T1070"
|
||||
name = "Indicator Removal on Host"
|
||||
reference = "https://attack.mitre.org/techniques/T1070/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1070.001"
|
||||
name = "Clear Windows Event Logs"
|
||||
reference = "https://attack.mitre.org/techniques/T1070/001/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/08/21"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/03"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -28,9 +28,14 @@ process where event.type in ("start", "process_started") and
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1055"
|
||||
name = "Process Injection"
|
||||
reference = "https://attack.mitre.org/techniques/T1055/"
|
||||
id = "T1027"
|
||||
name = "Obfuscated Files or Information"
|
||||
reference = "https://attack.mitre.org/techniques/T1027/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1027.004"
|
||||
name = "Compile After Delivery"
|
||||
reference = "https://attack.mitre.org/techniques/T1027/004/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/10/13"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/03"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -36,10 +36,9 @@ id = "T1562"
|
||||
name = "Impair Defenses"
|
||||
reference = "https://attack.mitre.org/techniques/T1562/"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1562.001"
|
||||
name = "Disable or Modify Tools"
|
||||
reference = "https://attack.mitre.org/techniques/T1562/001/"
|
||||
|
||||
id = "T1562.004"
|
||||
reference = "https://attack.mitre.org/techniques/T1562/004/"
|
||||
name = "Disable or Modify System Firewall"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2021/07/07"
|
||||
maturity = "production"
|
||||
updated_date = "2021/07/07"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -32,13 +32,13 @@ process.args : ("firewall", "advfirewall") and process.args : "group=Network Dis
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
reference = "https://attack.mitre.org/techniques/T1562/"
|
||||
id = "T1562"
|
||||
name = "Impair Defenses"
|
||||
reference = "https://attack.mitre.org/techniques/T1562/"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
reference = "https://attack.mitre.org/techniques/T1562/001/"
|
||||
id = "T1562.001"
|
||||
name = "Disable or Modify Tools"
|
||||
id = "T1562.004"
|
||||
reference = "https://attack.mitre.org/techniques/T1562/004/"
|
||||
name = "Disable or Modify System Firewall"
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/03/25"
|
||||
maturity = "production"
|
||||
updated_date = "2021/04/14"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -49,6 +49,11 @@ id = "T1127"
|
||||
reference = "https://attack.mitre.org/techniques/T1127/"
|
||||
name = "Trusted Developer Utilities Proxy Execution"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1127.001"
|
||||
name = "MSBuild"
|
||||
reference = "https://attack.mitre.org/techniques/T1127/001/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/03/25"
|
||||
maturity = "production"
|
||||
updated_date = "2021/04/14"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -36,6 +36,11 @@ id = "T1127"
|
||||
reference = "https://attack.mitre.org/techniques/T1127/"
|
||||
name = "Trusted Developer Utilities Proxy Execution"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1127.001"
|
||||
name = "MSBuild"
|
||||
reference = "https://attack.mitre.org/techniques/T1127/001/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/03/25"
|
||||
maturity = "production"
|
||||
updated_date = "2021/04/14"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -36,6 +36,11 @@ id = "T1127"
|
||||
reference = "https://attack.mitre.org/techniques/T1127/"
|
||||
name = "Trusted Developer Utilities Proxy Execution"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1127.001"
|
||||
name = "MSBuild"
|
||||
reference = "https://attack.mitre.org/techniques/T1127/001/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/03/25"
|
||||
maturity = "production"
|
||||
updated_date = "2021/04/14"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -36,6 +36,11 @@ id = "T1036"
|
||||
reference = "https://attack.mitre.org/techniques/T1036/"
|
||||
name = "Masquerading"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1036.003"
|
||||
name = "Rename System Utilities"
|
||||
reference = "https://attack.mitre.org/techniques/T1036/003/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2021/01/19"
|
||||
maturity = "production"
|
||||
updated_date = "2021/07/20"
|
||||
updated_date = "2021/09/23"
|
||||
min_stack_version = "7.12.0"
|
||||
|
||||
[rule]
|
||||
@@ -46,3 +46,22 @@ reference = "https://attack.mitre.org/techniques/T1036/004/"
|
||||
id = "TA0005"
|
||||
name = "Defense Evasion"
|
||||
reference = "https://attack.mitre.org/tactics/TA0005/"
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1204"
|
||||
name = "User Execution"
|
||||
reference = "https://attack.mitre.org/techniques/T1204/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1204.002"
|
||||
name = "Malicious File"
|
||||
reference = "https://attack.mitre.org/techniques/T1204/002/"
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0002"
|
||||
name = "Execution"
|
||||
reference = "https://attack.mitre.org/tactics/TA0002/"
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/25"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/03"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -34,7 +34,10 @@ framework = "MITRE ATT&CK"
|
||||
id = "T1140"
|
||||
name = "Deobfuscate/Decode Files or Information"
|
||||
reference = "https://attack.mitre.org/techniques/T1140/"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1112"
|
||||
name = "Modify Registry"
|
||||
reference = "https://attack.mitre.org/techniques/T1112/"
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/04/14"
|
||||
maturity = "production"
|
||||
updated_date = "2021/04/14"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -33,9 +33,14 @@ process where event.type in ("start", "process_started") and
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1070"
|
||||
reference = "https://attack.mitre.org/techniques/T1070/"
|
||||
name = "Indicator Removal on Host"
|
||||
id = "T1562"
|
||||
reference = "https://attack.mitre.org/techniques/T1562/"
|
||||
name = "Impair Defenses"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1562.002"
|
||||
name = "Disable Windows Event Logging"
|
||||
reference = "https://attack.mitre.org/techniques/T1562/002/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/09/01"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/03"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -34,6 +34,11 @@ id = "T1036"
|
||||
name = "Masquerading"
|
||||
reference = "https://attack.mitre.org/techniques/T1036/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1036.003"
|
||||
name = "Rename System Utilities"
|
||||
reference = "https://attack.mitre.org/techniques/T1036/003/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/18"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/09"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -36,6 +36,11 @@ id = "T1036"
|
||||
name = "Masquerading"
|
||||
reference = "https://attack.mitre.org/techniques/T1036/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1036.005"
|
||||
name = "Match Legitimate Name or Location"
|
||||
reference = "https://attack.mitre.org/techniques/T1036/005/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/09/02"
|
||||
maturity = "development"
|
||||
updated_date = "2021/03/03"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -37,6 +37,11 @@ id = "T1127"
|
||||
name = "Trusted Developer Utilities Proxy Execution"
|
||||
reference = "https://attack.mitre.org/techniques/T1127/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1127.001"
|
||||
name = "MSBuild"
|
||||
reference = "https://attack.mitre.org/techniques/T1127/001/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/08"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -35,6 +35,11 @@ id = "T1127"
|
||||
name = "Trusted Developer Utilities Proxy Execution"
|
||||
reference = "https://attack.mitre.org/techniques/T1127/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1127.001"
|
||||
name = "MSBuild"
|
||||
reference = "https://attack.mitre.org/techniques/T1127/001/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/04"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/03"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -39,6 +39,11 @@ id = "T1070"
|
||||
name = "Indicator Removal on Host"
|
||||
reference = "https://attack.mitre.org/techniques/T1070/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1070.004"
|
||||
name = "File Deletion"
|
||||
reference = "https://attack.mitre.org/techniques/T1070/004/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/12/04"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/09"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -33,6 +33,10 @@ framework = "MITRE ATT&CK"
|
||||
id = "T1564"
|
||||
name = "Hide Artifacts"
|
||||
reference = "https://attack.mitre.org/techniques/T1564/"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1564.004"
|
||||
name = "NTFS File Attributes"
|
||||
reference = "https://attack.mitre.org/techniques/T1564/004/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
updated_date = "2021/04/14"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -30,9 +30,13 @@ process where event.type in ("start", "process_started") and
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1222"
|
||||
reference = "https://attack.mitre.org/techniques/T1222/"
|
||||
name = "File and Directory Permissions Modification"
|
||||
id = "T1562"
|
||||
name = "Impair Defenses"
|
||||
reference = "https://attack.mitre.org/techniques/T1562/"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1562.001"
|
||||
name = "Disable or Modify Tools"
|
||||
reference = "https://attack.mitre.org/techniques/T1562/001/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/10/19"
|
||||
maturity = "production"
|
||||
updated_date = "2021/09/13"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -107,6 +107,12 @@ name = "Domain Trust Discovery"
|
||||
reference = "https://attack.mitre.org/techniques/T1482/"
|
||||
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1018"
|
||||
name = "Remote System Discovery"
|
||||
reference = "https://attack.mitre.org/techniques/T1018/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0007"
|
||||
name = "Discovery"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/12/04"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/03"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -44,6 +44,11 @@ id = "T1069"
|
||||
name = "Permission Groups Discovery"
|
||||
reference = "https://attack.mitre.org/techniques/T1069/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1069.002"
|
||||
name = "Domain Groups"
|
||||
reference = "https://attack.mitre.org/techniques/T1069/002/"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1087"
|
||||
name = "Account Discovery"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/03/18"
|
||||
maturity = "production"
|
||||
updated_date = "2021/04/14"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -32,9 +32,9 @@ process where event.type in ("start", "process_started") and
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1087"
|
||||
reference = "https://attack.mitre.org/techniques/T1087/"
|
||||
name = "Account Discovery"
|
||||
id = "T1033"
|
||||
reference = "https://attack.mitre.org/techniques/T1033/"
|
||||
name = "System Owner/User Discovery"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/10/19"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/03"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -35,6 +35,11 @@ id = "T1518"
|
||||
name = "Software Discovery"
|
||||
reference = "https://attack.mitre.org/techniques/T1518/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1518.001"
|
||||
name = "Security Software Discovery"
|
||||
reference = "https://attack.mitre.org/techniques/T1518/001/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0007"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/09/02"
|
||||
maturity = "development"
|
||||
query_schema_validation = false
|
||||
updated_date = "2021/03/03"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -41,6 +41,11 @@ id = "T1204"
|
||||
name = "User Execution"
|
||||
reference = "https://attack.mitre.org/techniques/T1204/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1204.002"
|
||||
name = "Malicious File"
|
||||
reference = "https://attack.mitre.org/techniques/T1204/002/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0002"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2021/01/19"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/03"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -65,3 +65,28 @@ id = "TA0002"
|
||||
name = "Execution"
|
||||
reference = "https://attack.mitre.org/tactics/TA0002/"
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1518"
|
||||
name = "Software Discovery"
|
||||
reference = "https://attack.mitre.org/techniques/T1518/"
|
||||
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1087"
|
||||
name = "Account Discovery"
|
||||
reference = "https://attack.mitre.org/techniques/T1087/"
|
||||
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1018"
|
||||
name = "Remote System Discovery"
|
||||
reference = "https://attack.mitre.org/techniques/T1018/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0007"
|
||||
name = "Discovery"
|
||||
reference = "https://attack.mitre.org/tactics/TA0007/"
|
||||
|
||||
+17
-5
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
updated_date = "2021/05/26"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -36,22 +36,34 @@ sequence by process.entity_id
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1204"
|
||||
name = "User Execution"
|
||||
reference = "https://attack.mitre.org/techniques/T1204/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1204.002"
|
||||
name = "Malicious File"
|
||||
reference = "https://attack.mitre.org/techniques/T1204/002/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0002"
|
||||
name = "Execution"
|
||||
reference = "https://attack.mitre.org/tactics/TA0002/"
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1218"
|
||||
name = "Signed Binary Proxy Execution"
|
||||
reference = "https://attack.mitre.org/techniques/T1218/"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1218.001"
|
||||
name = "Compiled HTML File"
|
||||
reference = "https://attack.mitre.org/techniques/T1218/001/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1218.001"
|
||||
name = "Compiled HTML File"
|
||||
reference = "https://attack.mitre.org/techniques/T1218/001/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/12/15"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/08"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -38,6 +38,11 @@ id = "T1053"
|
||||
name = "Scheduled Task/Job"
|
||||
reference = "https://attack.mitre.org/techniques/T1053/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1053.005"
|
||||
name = "Scheduled Task"
|
||||
reference = "https://attack.mitre.org/techniques/T1053/005/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0002"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
updated_date = "2021/04/14"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -38,26 +38,38 @@ process where event.type in ("start", "process_started") and
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1204"
|
||||
name = "User Execution"
|
||||
reference = "https://attack.mitre.org/techniques/T1204/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1204.002"
|
||||
name = "Malicious File"
|
||||
reference = "https://attack.mitre.org/techniques/T1204/002/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0002"
|
||||
reference = "https://attack.mitre.org/tactics/TA0002/"
|
||||
name = "Execution"
|
||||
reference = "https://attack.mitre.org/tactics/TA0002/"
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1218"
|
||||
reference = "https://attack.mitre.org/techniques/T1218/"
|
||||
name = "Signed Binary Proxy Execution"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1218.001"
|
||||
reference = "https://attack.mitre.org/techniques/T1218/001/"
|
||||
name = "Compiled HTML File"
|
||||
reference = "https://attack.mitre.org/techniques/T1218/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1218.001"
|
||||
name = "Compiled HTML File"
|
||||
reference = "https://attack.mitre.org/techniques/T1218/001/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
reference = "https://attack.mitre.org/tactics/TA0005/"
|
||||
name = "Defense Evasion"
|
||||
reference = "https://attack.mitre.org/tactics/TA0005/"
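Review bot: Nothing in this rule guards against a subtechnique `reference` that disagrees with its `id`, which is exactly what the removed line `reference = "https://attack.mitre.org/techniques/T1218/"` sitting under `id = "T1218.001"` shows can happen; the commit fixes that instance by hand. Consider a schema rule or unit test that derives the expected URL from the id (`T1218.001` → `https://attack.mitre.org/techniques/T1218/001/`) and fails on mismatch, so the drift cannot recur silently. The new entries also order keys `id`, `reference`, `name` while most other mappings added in this commit use `id`, `name`, `reference`; if the repository has a rule formatter, run it here so a later normalization pass does not produce churn.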
|
||||
|
||||
|
||||
+8
-13
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
updated_date = "2021/04/14"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -17,7 +17,7 @@ name = "Deleting Backup Catalogs with Wbadmin"
|
||||
risk_score = 21
|
||||
rule_id = "581add16-df76-42bb-af8e-c979bfb39a59"
|
||||
severity = "low"
|
||||
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
|
||||
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact"]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
@@ -31,18 +31,13 @@ process where event.type in ("start", "process_started") and
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1070"
|
||||
reference = "https://attack.mitre.org/techniques/T1070/"
|
||||
name = "Indicator Removal on Host"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1070.004"
|
||||
reference = "https://attack.mitre.org/techniques/T1070/004/"
|
||||
name = "File Deletion"
|
||||
|
||||
id = "T1490"
|
||||
name = "Inhibit System Recovery"
|
||||
reference = "https://attack.mitre.org/techniques/T1490/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
reference = "https://attack.mitre.org/tactics/TA0005/"
|
||||
name = "Defense Evasion"
|
||||
id = "TA0040"
|
||||
name = "Impact"
|
||||
reference = "https://attack.mitre.org/tactics/TA0040/"
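Review bot: `risk_score = 21` / `severity = "low"` are left untouched even though the rule is now mapped to T1490 Inhibit System Recovery, the same technique the `Volume Shadow Copy Deletion via WMIC` rule in this commit carries at `risk_score = 73` / `severity = "high"`; deleting the backup catalog is a comparable recovery-inhibition step, so the gap deserves a deliberate decision rather than being inherited from the old Defense Evasion mapping. The rule's `description` is outside the hunk; if it still frames `wbadmin` catalog deletion as evasion or indicator removal, update it to match the `Impact` tag, as was done for the process-termination threshold rule in the same change. The T1070.004 mapping was dropped rather than retained as a second `[[rule.threat]]` entry; if the forensic-artifact angle is still wanted, the multi-entry form used by other rules in this commit supports both.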
|
||||
|
||||
+8
-13
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/03/16"
|
||||
maturity = "production"
|
||||
updated_date = "2021/04/14"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -17,7 +17,7 @@ name = "Modification of Boot Configuration"
|
||||
risk_score = 21
|
||||
rule_id = "69c251fb-a5d6-4035-b5ec-40438bd829ff"
|
||||
severity = "low"
|
||||
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
|
||||
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact"]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
@@ -32,18 +32,13 @@ process where event.type in ("start", "process_started") and
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1070"
|
||||
reference = "https://attack.mitre.org/techniques/T1070/"
|
||||
name = "Indicator Removal on Host"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1070.004"
|
||||
reference = "https://attack.mitre.org/techniques/T1070/004/"
|
||||
name = "File Deletion"
|
||||
|
||||
id = "T1490"
|
||||
name = "Inhibit System Recovery"
|
||||
reference = "https://attack.mitre.org/techniques/T1490/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
reference = "https://attack.mitre.org/tactics/TA0005/"
|
||||
name = "Defense Evasion"
|
||||
id = "TA0040"
|
||||
name = "Impact"
|
||||
reference = "https://attack.mitre.org/tactics/TA0040/"
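Review bot: The rule's `description` is not in the hunk, but if it still describes boot-configuration changes as a defense-evasion step it now contradicts the `Impact` tag and the T1490 mapping; the process-termination rule in this same commit had its description trimmed for exactly this reason. Since the query is also out of view, I can only suggest that the description name the recovery-inhibiting `bcdedit` switches the rule keys on, so an analyst reading the alert sees why it is Inhibit System Recovery rather than evasion. `risk_score = 21` / `severity = "low"` also remains while the sibling T1490 rule for shadow-copy deletion in this commit sits at 73/high; that may be intentional, but worth confirming.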
|
||||
|
||||
+9
-14
@@ -1,13 +1,13 @@
|
||||
[metadata]
|
||||
creation_date = "2020/12/03"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/03"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a
|
||||
short time period. This may indicate a defense evasion attempt.
|
||||
short time period.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
|
||||
@@ -17,7 +17,7 @@ name = "High Number of Process and/or Service Terminations"
|
||||
risk_score = 47
|
||||
rule_id = "035889c4-2686-4583-a7df-67f89c292f2c"
|
||||
severity = "medium"
|
||||
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
|
||||
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact"]
|
||||
type = "threshold"
|
||||
|
||||
query = '''
|
||||
@@ -29,20 +29,15 @@ event.category:process and event.type:start and process.name:(net.exe or sc.exe
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1562"
|
||||
name = "Impair Defenses"
|
||||
reference = "https://attack.mitre.org/techniques/T1562/"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1562.001"
|
||||
name = "Disable or Modify Tools"
|
||||
reference = "https://attack.mitre.org/techniques/T1562/001/"
|
||||
|
||||
id = "T1489"
|
||||
name = "Service Stop"
|
||||
reference = "https://attack.mitre.org/techniques/T1489/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
name = "Defense Evasion"
|
||||
reference = "https://attack.mitre.org/tactics/TA0005/"
|
||||
id = "TA0040"
|
||||
name = "Impact"
|
||||
reference = "https://attack.mitre.org/tactics/TA0040/"
|
||||
|
||||
[rule.threshold]
|
||||
field = ["host.id"]
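Review bot: Dropping T1562.001 entirely leaves the process-kill half of this rule unmapped: the name and description still cover `process terminations (stop, delete, or suspend)`, and killing security tooling is Impair Defenses, whereas T1489 Service Stop covers only services. Other rules in this commit carry two `[[rule.threat]]` entries, so keeping a second entry for TA0005/T1562.001 alongside the new TA0040/T1489 would describe the rule's behaviour more faithfully. The edited description also lost its only statement of intent; consider `This may indicate an adversary stopping services or processes, such as security tools or backup agents, prior to impact (e.g. ransomware deployment).` The literal `(10)` in the description should agree with the `[rule.threshold]` value, which is outside the hunk — please confirm they match.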
|
||||
+8
-13
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
updated_date = "2021/04/14"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -17,7 +17,7 @@ name = "Volume Shadow Copy Deletion via WMIC"
|
||||
risk_score = 73
|
||||
rule_id = "dc9c1f74-dac3-48e3-b47f-eb79db358f57"
|
||||
severity = "high"
|
||||
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
|
||||
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact"]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
@@ -31,18 +31,13 @@ process where event.type in ("start", "process_started") and
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1070"
|
||||
reference = "https://attack.mitre.org/techniques/T1070/"
|
||||
name = "Indicator Removal on Host"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1070.004"
|
||||
reference = "https://attack.mitre.org/techniques/T1070/004/"
|
||||
name = "File Deletion"
|
||||
|
||||
id = "T1490"
|
||||
name = "Inhibit System Recovery"
|
||||
reference = "https://attack.mitre.org/techniques/T1490/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
reference = "https://attack.mitre.org/tactics/TA0005/"
|
||||
name = "Defense Evasion"
|
||||
id = "TA0040"
|
||||
name = "Impact"
|
||||
reference = "https://attack.mitre.org/tactics/TA0040/"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/03"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/03"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -41,9 +41,32 @@ id = "T1021"
|
||||
name = "Remote Services"
|
||||
reference = "https://attack.mitre.org/techniques/T1021/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1021.003"
|
||||
name = "Distributed Component Object Model"
|
||||
reference = "https://attack.mitre.org/techniques/T1021/003/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0008"
|
||||
name = "Lateral Movement"
|
||||
reference = "https://attack.mitre.org/tactics/TA0008/"
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1218"
|
||||
name = "Signed Binary Proxy Execution"
|
||||
reference = "https://attack.mitre.org/techniques/T1218/"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1218.005"
|
||||
name = "Mshta"
|
||||
reference = "https://attack.mitre.org/techniques/T1218/005/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
name = "Defense Evasion"
|
||||
reference = "https://attack.mitre.org/tactics/TA0005/"
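Review bot: A second tactic (TA0005 Defense Evasion) is added, but no change to the rule's `tags` array appears in the hunk, while the Impact remappings in this same commit update `tags` to match the new tactic. If `tags` (outside the hunk) still lists only `"Lateral Movement"`, add `"Defense Evasion"` so tag-based filtering agrees with the threat mapping. Consistency here matters because analysts and dashboards typically pivot on `tags`, not on the nested `[[rule.threat]]` structure.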
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/06"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/03"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -40,6 +40,11 @@ id = "T1021"
|
||||
name = "Remote Services"
|
||||
reference = "https://attack.mitre.org/techniques/T1021/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1021.003"
|
||||
name = "Distributed Component Object Model"
|
||||
reference = "https://attack.mitre.org/techniques/T1021/003/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0008"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/06"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/03"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -41,6 +41,11 @@ id = "T1021"
|
||||
name = "Remote Services"
|
||||
reference = "https://attack.mitre.org/techniques/T1021/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1021.003"
|
||||
name = "Distributed Component Object Model"
|
||||
reference = "https://attack.mitre.org/techniques/T1021/003/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0008"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/03"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -33,9 +33,14 @@ sequence by process.entity_id
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1210"
|
||||
name = "Exploitation of Remote Services"
|
||||
reference = "https://attack.mitre.org/techniques/T1210/"
|
||||
name = "Remote Services"
|
||||
id = "T1021"
|
||||
reference = "https://attack.mitre.org/techniques/T1021/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
name = "SMB/Windows Admin Shares"
|
||||
id = "T1021.002"
|
||||
reference = "https://attack.mitre.org/techniques/T1021/002/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
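Review bot: The new technique entries list `name` before `id` (`name = "Remote Services"` / `id = "T1021"`, and again in the `T1021.002` subtechnique), whereas nearly every other entry added in this commit orders `id`, `name`, `reference`; if the repository's rule formatter normalizes key order, run it here to avoid later churn. The `[rule.threat.tactic]` that follows is outside the hunk; both the replaced T1210 and the new T1021 are presumably Lateral Movement techniques, so the tactic likely needs no change, but confirm it still reads TA0008.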
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/25"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/03"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -36,6 +36,11 @@ id = "T1021"
|
||||
name = "Remote Services"
|
||||
reference = "https://attack.mitre.org/techniques/T1021/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1021.001"
|
||||
name = "Remote Desktop Protocol"
|
||||
reference = "https://attack.mitre.org/techniques/T1021/001/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0008"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/11"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/03"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -52,6 +52,11 @@ id = "T1021"
|
||||
name = "Remote Services"
|
||||
reference = "https://attack.mitre.org/techniques/T1021/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1021.001"
|
||||
name = "Remote Desktop Protocol"
|
||||
reference = "https://attack.mitre.org/techniques/T1021/001/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0008"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/20"
|
||||
maturity = "production"
|
||||
updated_date = "2021/09/13"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -83,6 +83,11 @@ id = "T1053"
|
||||
name = "Scheduled Task/Job"
|
||||
reference = "https://attack.mitre.org/techniques/T1053/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1053.005"
|
||||
name = "Scheduled Task"
|
||||
reference = "https://attack.mitre.org/techniques/T1053/005/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0002"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/12/18"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/08"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -38,6 +38,11 @@ id = "T1136"
|
||||
name = "Create Account"
|
||||
reference = "https://attack.mitre.org/techniques/T1136/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1136.001"
|
||||
name = "Local Account"
|
||||
reference = "https://attack.mitre.org/techniques/T1136/001/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0003"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/08/13"
|
||||
maturity = "production"
|
||||
updated_date = "2021/04/14"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -37,6 +37,11 @@ id = "T1053"
|
||||
reference = "https://attack.mitre.org/techniques/T1053/"
|
||||
name = "Scheduled Task/Job"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1053.005"
|
||||
name = "Scheduled Task"
|
||||
reference = "https://attack.mitre.org/techniques/T1053/005/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0003"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2021/03/15"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/15"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -32,6 +32,11 @@ id = "T1053"
|
||||
name = "Scheduled Task/Job"
|
||||
reference = "https://attack.mitre.org/techniques/T1053/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1053.005"
|
||||
name = "Scheduled Task"
|
||||
reference = "https://attack.mitre.org/techniques/T1053/005/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0003"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/29"
|
||||
maturity = "production"
|
||||
updated_date = "2021/05/10"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -38,6 +38,11 @@ id = "T1053"
|
||||
name = "Scheduled Task/Job"
|
||||
reference = "https://attack.mitre.org/techniques/T1053/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1053.005"
|
||||
name = "Scheduled Task"
|
||||
reference = "https://attack.mitre.org/techniques/T1053/005/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0003"
|
||||
|
||||
+12
-12
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/12/15"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/03"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -22,7 +22,7 @@ references = [
|
||||
risk_score = 47
|
||||
rule_id = "ce64d965-6cb0-466d-b74f-8d2c76f47f05"
|
||||
severity = "medium"
|
||||
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection"]
|
||||
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
@@ -35,18 +35,18 @@ process where event.type in ("start", "process_started") and
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1114"
|
||||
name = "Email Collection"
|
||||
reference = "https://attack.mitre.org/techniques/T1114/"
|
||||
id = "T1098"
|
||||
name = "Account Manipulation"
|
||||
reference = "https://attack.mitre.org/techniques/T1098/"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
reference = "https://attack.mitre.org/techniques/T1005/"
|
||||
id = "T1005"
|
||||
name = "Data from Local System"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1098.002"
|
||||
name = "Exchange Email Delegate Permissions"
|
||||
reference = "https://attack.mitre.org/techniques/T1098/002/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0009"
|
||||
name = "Collection"
|
||||
reference = "https://attack.mitre.org/tactics/TA0009/"
|
||||
id = "TA0003"
|
||||
name = "Persistence"
|
||||
reference = "https://attack.mitre.org/tactics/TA0003/"
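Review bot: Replacing T1114/T1005 with T1098.002 removes the Collection mapping entirely, yet the usual adversary purpose of granting Exchange mailbox delegate permissions is to read the victim's mail, so the rule still detects a collection precursor. A second `[[rule.threat]]` entry for TA0009 with T1114 and the T1114.002 Remote Email Collection subtechnique alongside the new TA0003/T1098.002 entry would preserve that coverage without contradicting Persistence as the primary tactic. If that is done, `tags` should carry both `"Collection"` and `"Persistence"` rather than the single value it now has.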
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/18"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/03"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -88,6 +88,17 @@ registry where
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1547"
|
||||
name = "Boot or Logon Autostart Execution"
|
||||
reference = "https://attack.mitre.org/techniques/T1547/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1547.001"
|
||||
name = "Registry Run Keys / Startup Folder"
|
||||
reference = "https://attack.mitre.org/techniques/T1547/001/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0003"
|
||||
name = "Persistence"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/19"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/03"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -63,6 +63,11 @@ id = "T1053"
|
||||
name = "Scheduled Task/Job"
|
||||
reference = "https://attack.mitre.org/techniques/T1053/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1053.005"
|
||||
name = "Scheduled Task"
|
||||
reference = "https://attack.mitre.org/techniques/T1053/005/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0003"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2021/01/09"
|
||||
maturity = "production"
|
||||
updated_date = "2021/04/14"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic", "Skoetting"]
|
||||
@@ -41,14 +41,9 @@ iam where event.action == "added-member-to-group" and
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1136"
|
||||
reference = "https://attack.mitre.org/techniques/T1136/"
|
||||
name = "Create Account"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1136.001"
|
||||
reference = "https://attack.mitre.org/techniques/T1136/001/"
|
||||
name = "Local Account"
|
||||
|
||||
id = "T1098"
|
||||
reference = "https://attack.mitre.org/techniques/T1098/"
|
||||
name = "Account Manipulation"
|
||||
|
||||
|
||||
[rule.threat.tactic]
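Review bot: The new T1098 entry orders keys `id`, `reference`, `name` (`id = "T1098"` / `reference = ...` / `name = "Account Manipulation"`), unlike the `id`, `name`, `reference` order most other mappings in this commit use; normalize for consistency or let the rule formatter do it. The `[rule.threat.tactic]` is outside the hunk — both the removed T1136 and the new T1098 are presumably Persistence techniques, so TA0003 likely stands, but verify.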
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
updated_date = "2021/04/14"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -36,6 +36,11 @@ id = "T1136"
|
||||
reference = "https://attack.mitre.org/techniques/T1136/"
|
||||
name = "Create Account"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1136.001"
|
||||
name = "Local Account"
|
||||
reference = "https://attack.mitre.org/techniques/T1136/001/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0003"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2021/01/04"
|
||||
maturity = "development"
|
||||
updated_date = "2021/03/03"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Skoetting"]
|
||||
@@ -39,6 +39,11 @@ id = "T1136"
|
||||
name = "Create Account"
|
||||
reference = "https://attack.mitre.org/techniques/T1136/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1136.001"
|
||||
name = "Local Account"
|
||||
reference = "https://attack.mitre.org/techniques/T1136/001/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0003"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/08/17"
|
||||
maturity = "production"
|
||||
updated_date = "2021/04/14"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -43,6 +43,11 @@ id = "T1053"
|
||||
reference = "https://attack.mitre.org/techniques/T1053/"
|
||||
name = "Scheduled Task/Job"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1053.005"
|
||||
name = "Scheduled Task"
|
||||
reference = "https://attack.mitre.org/techniques/T1053/005/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0003"
|
||||
|
||||
+6
-1
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/12/04"
|
||||
maturity = "production"
|
||||
updated_date = "2021/03/03"
|
||||
updated_date = "2021/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -37,6 +37,11 @@ id = "T1546"
|
||||
name = "Event Triggered Execution"
|
||||
reference = "https://attack.mitre.org/techniques/T1546/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1546.003"
|
||||
name = "Windows Management Instrumentation Event Subscription"
|
||||
reference = "https://attack.mitre.org/techniques/T1546/003/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0003"
|
||||
|
||||