diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml
index 72e7ded9f..831ef17a6 100644
--- a/rules/windows/collection_email_powershell_exchange_mailbox.toml
+++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/15"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -39,6 +39,11 @@ id = "T1114"
 name = "Email Collection"
 reference = "https://attack.mitre.org/techniques/T1114/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1114.002"
+ name = "Remote Email Collection"
+ reference = "https://attack.mitre.org/techniques/T1114/002/"
+
 [[rule.threat.technique]]
 reference = "https://attack.mitre.org/techniques/T1005/"
 id = "T1005"
diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml
index 94a2b9758..2beedc917 100644
--- a/rules/windows/collection_winrar_encryption.toml
+++ b/rules/windows/collection_winrar_encryption.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2021/03/08"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -44,6 +44,11 @@ id = "T1560"
 name = "Archive Collected Data"
 reference = "https://attack.mitre.org/techniques/T1560/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1560.001"
+ name = "Archive via Utility"
+ reference = "https://attack.mitre.org/techniques/T1560/001/"
+
 [rule.threat.tactic]
 id = "TA0009"
diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml
index 4a66a1dc4..214458cca 100644
--- a/rules/windows/command_and_control_common_webservices.toml
+++ b/rules/windows/command_and_control_common_webservices.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/04"
 maturity = "production"
-updated_date = "2021/04/07"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -86,3 +86,26 @@ id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1567"
+name = "Exfiltration Over Web Service"
+reference = "https://attack.mitre.org/techniques/T1567/"
+
+ [[rule.threat.technique.subtechnique]]
+ id = "T1567.001"
+ name = "Exfiltration to Code Repository"
+ reference = "https://attack.mitre.org/techniques/T1567/001/"
+
+ [[rule.threat.technique.subtechnique]]
+ id = "T1567.002"
+ name = "Exfiltration to Cloud Storage"
+ reference = "https://attack.mitre.org/techniques/T1567/002/"
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
\ No newline at end of file
diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
index cfd0222c9..29aa6f679 100644
--- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml
+++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/11"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -33,6 +33,11 @@ id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1071.004"
+ name = "DNS"
+ reference = "https://attack.mitre.org/techniques/T1071/004/"
+
 [rule.threat.tactic]
 id = "TA0011"
diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml
index 75791d76f..55067b482 100644
--- a/rules/windows/command_and_control_iexplore_via_com.toml
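Review bot: The new Exfiltration `[rule.threat.tactic]` block in command_and_control_common_webservices.toml is written without a terminating newline (`\ No newline at end of file`), the only file in this part of the diff to end that way; add the newline after `reference = "https://attack.mitre.org/tactics/TA0010/"`. The same hunk inserts two consecutive blank lines before `[rule.threat.tactic]` where the other tactic blocks in this change use one. The added T1567 technique and its two sub-techniques otherwise follow the id/name/reference key order the rest of the change settles on.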
+++ b/rules/windows/command_and_control_iexplore_via_com.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/28"
 maturity = "production"
-updated_date = "2021/03/30"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -57,3 +57,20 @@ id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1559"
+name = "Inter-Process Communication"
+reference = "https://attack.mitre.org/techniques/T1559/"
+
+ [[rule.threat.technique.subtechnique]]
+ id = "T1559.001"
+ name = "Component Object Model"
+ reference = "https://attack.mitre.org/techniques/T1559/001/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/defense_evasion_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml
similarity index 66%
rename from rules/windows/defense_evasion_port_forwarding_added_registry.toml
rename to rules/windows/command_and_control_port_forwarding_added_registry.toml
index 31adda780..7482660cf 100644
--- a/rules/windows/defense_evasion_port_forwarding_added_registry.toml
+++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/25"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ references = [
 risk_score = 47
 rule_id = "3535c8bb-3bd5-40f4-ae32-b7cd589d5372"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
 timestamp_override = "event.ingested"
 type = "eql"
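Review bot: The hunk in command_and_control_iexplore_via_com.toml ends by adding an empty line after `reference = "https://attack.mitre.org/tactics/TA0002/"`, leaving the file with a trailing blank line; the same trailing blank is added at the end of defense_evasion_file_creation_mult_extension.toml. If the intent was to separate the new `[[rule.threat]]` entry from the preceding TA0011 tactic, the blank belongs before `[[rule.threat]]`, as the equivalent addition in command_and_control_common_webservices.toml does; in this collapsed layout it is not certain whether one already exists there. Dropping the final `+` line is enough in both files.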
@@ -32,18 +32,13 @@ registry where registry.path : "HKLM\\SYSTEM\\ControlSet*\\Services\\PortProxy\\
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1562"
-name = "Impair Defenses"
-reference = "https://attack.mitre.org/techniques/T1562/"
-[[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-name = "Disable or Modify Tools"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
-
+id = "T1572"
+name = "Protocol Tunneling"
+reference = "https://attack.mitre.org/techniques/T1572/"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/windows/lateral_movement_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml
similarity index 66%
rename from rules/windows/lateral_movement_rdp_tunnel_plink.toml
rename to rules/windows/command_and_control_rdp_tunnel_plink.toml
index b996aca91..e86c1661a 100644
--- a/rules/windows/lateral_movement_rdp_tunnel_plink.toml
+++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/10/14"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This could be indicative of
-adversary lateral movement to interactively access restricted networks.
+Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to
+enable routing of network packets that would otherwise not reach their intended destination.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
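Review bot: The port-proxy rule is remapped from T1562.001/TA0005 to T1572/TA0011 and its tags line switches to "Command and Control", but none of this file's three hunks touch the `description`, whereas the parallel rename of lateral_movement_rdp_tunnel_plink.toml in this same change rewrites its description to drop the lateral-movement framing. Worth confirming that the port-proxy rule's description (outside these hunks) does not still present the activity as defense evasion, so that the prose and the ATT&CK mapping agree for analysts reading the alert. The hunk also removes the blank line that separated the technique block from `[rule.threat.tactic]`; if no other blank line remains there, one should be kept between the two tables.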
@@ -18,7 +18,7 @@ references = ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunn
 risk_score = 73
 rule_id = "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -33,13 +33,12 @@ process where event.type in ("start", "process_started") and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1021"
-name = "Remote Services"
-reference = "https://attack.mitre.org/techniques/T1021/"
-
+id = "T1572"
+name = "Protocol Tunneling"
+reference = "https://attack.mitre.org/techniques/T1572/"
 [rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
index 057125674..cbef4eb72 100644
--- a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
+++ b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -51,29 +51,29 @@ reference = "https://attack.mitre.org/techniques/T1071/"
 name = "Application Layer Protocol"
 [[rule.threat.technique.subtechnique]]
 id = "T1071.001"
-reference = "https://attack.mitre.org/techniques/T1071/001/"
 name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
 [rule.threat.tactic]
 id = "TA0011"
-reference = "https://attack.mitre.org/tactics/TA0011/"
 name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1195"
-reference = "https://attack.mitre.org/techniques/T1195/"
 name = "Supply Chain Compromise"
+reference = "https://attack.mitre.org/techniques/T1195/"
 [[rule.threat.technique.subtechnique]]
 id = "T1195.002"
-reference = "https://attack.mitre.org/techniques/T1195/002/"
 name = "Compromise Software Supply Chain"
+reference = "https://attack.mitre.org/techniques/T1195/002/"
 [rule.threat.tactic]
 id = "TA0001"
-reference = "https://attack.mitre.org/tactics/TA0001/"
 name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
index 03ca9ec4a..8d2aac34d 100644
--- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
+++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -33,6 +33,12 @@ reference = "https://attack.mitre.org/techniques/T1105/"
 name = "Ingress Tool Transfer"
+[[rule.threat.technique]]
+id = "T1219"
+name = "Remote Access Software"
+reference = "https://attack.mitre.org/techniques/T1219/"
+
+
 [rule.threat.tactic]
 id = "TA0011"
 reference = "https://attack.mitre.org/tactics/TA0011/"
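Review bot: The new T1219 `[[rule.threat.technique]]` in command_and_control_teamviewer_remote_file_copy.toml is followed by two added blank lines before `[rule.threat.tactic]`, while the sub-technique additions elsewhere in this change use a single blank; one of the two `+` lines can go. The same doubled blank lines appear after the added T1018 technique in discovery_adfind_command_activity.toml and between each of the three techniques added to execution_enumeration_via_wmiprvse.toml. The T1219 mapping itself is a sound addition for a TeamViewer-mediated file copy alongside the existing T1105.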
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
index 7e8411f64..ac205758a 100644
--- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -33,8 +33,13 @@ process where event.type in ("process_started", "start") and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1070"
-reference = "https://attack.mitre.org/techniques/T1070/"
 name = "Indicator Removal on Host"
+reference = "https://attack.mitre.org/techniques/T1070/"
+
+ [[rule.threat.technique.subtechnique]]
+ id = "T1070.001"
+ name = "Clear Windows Event Logs"
+ reference = "https://attack.mitre.org/techniques/T1070/001/"
 [rule.threat.tactic]
diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
index dca314625..1cfb6afa1 100644
--- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/12"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic", "Anabella Cristaldi"]
@@ -33,6 +33,11 @@ id = "T1070"
 name = "Indicator Removal on Host"
 reference = "https://attack.mitre.org/techniques/T1070/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1070.001"
+ name = "Clear Windows Event Logs"
+ reference = "https://attack.mitre.org/techniques/T1070/001/"
+
 [rule.threat.tactic]
 id = "TA0005"
diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
index a7701ff6b..724ca2787 100644
--- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
+++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -36,9 +36,9 @@ id = "T1562"
 reference = "https://attack.mitre.org/techniques/T1562/"
 name = "Impair Defenses"
 [[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
-name = "Disable or Modify Tools"
+id = "T1562.004"
+reference = "https://attack.mitre.org/techniques/T1562/004/"
+name = "Disable or Modify System Firewall"
diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml
index a24fbe63e..0b541f732 100644
--- a/rules/windows/defense_evasion_disabling_windows_logs.toml
+++ b/rules/windows/defense_evasion_disabling_windows_logs.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/05/06"
 maturity = "production"
-updated_date = "2021/05/06"
+updated_date = "2021/09/23"
 [rule]
@@ -43,6 +43,11 @@ id = "T1070"
 name = "Indicator Removal on Host"
 reference = "https://attack.mitre.org/techniques/T1070/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1070.001"
+ name = "Clear Windows Event Logs"
+ reference = "https://attack.mitre.org/techniques/T1070/001/"
+
 [rule.threat.tactic]
 id = "TA0005"
diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
index 70c059951..2da90e989 100644
--- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
+++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -28,9 +28,14 @@ process where event.type in ("start", "process_started") and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1055"
-name = "Process Injection"
-reference = "https://attack.mitre.org/techniques/T1055/"
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
+
+ [[rule.threat.technique.subtechnique]]
+ id = "T1027.004"
+ name = "Compile After Delivery"
+ reference = "https://attack.mitre.org/techniques/T1027/004/"
 [rule.threat.tactic]
diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
index d3b9d3214..84c45ac33 100644
--- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/13"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -36,10 +36,9 @@ id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
 [[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-name = "Disable or Modify Tools"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
-
+id = "T1562.004"
+reference = "https://attack.mitre.org/techniques/T1562/004/"
+name = "Disable or Modify System Firewall"
 [rule.threat.tactic]
diff --git a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
index 47bd73bc3..fae38340b 100644
--- a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/07"
 maturity = "production"
-updated_date = "2021/07/07"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
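Review bot: The replacement sub-technique in defense_evasion_enable_inbound_rdp_with_netsh.toml is written in `id`, `reference`, `name` order, while the parent technique shown as context in the same hunk reads `id`, `name`, `reference`, and the sunburst hunk in this same change reorders keys to exactly that id/name/reference form; swapping the two added lines to `name = "Disable or Modify System Firewall"` followed by `reference = "https://attack.mitre.org/techniques/T1562/004/"` keeps the file consistent with itself. The same id/reference/name order is used for the added sub-technique in defense_evasion_enable_network_discovery_with_netsh.toml, whose parent technique that hunk reorders to id/name/reference, and defense_evasion_iis_httplogging_disabled.toml mixes both orders between its new T1562 technique and T1562.002 sub-technique. The mapping change itself, T1562.004 for netsh firewall-rule changes that open RDP, reads correctly.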
@@ -32,13 +32,13 @@ process.args : ("firewall", "advfirewall") and process.args : "group=Network Dis
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-reference = "https://attack.mitre.org/techniques/T1562/"
 id = "T1562"
 name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
 [[rule.threat.technique.subtechnique]]
-reference = "https://attack.mitre.org/techniques/T1562/001/"
-id = "T1562.001"
-name = "Disable or Modify Tools"
+id = "T1562.004"
+reference = "https://attack.mitre.org/techniques/T1562/004/"
+name = "Disable or Modify System Firewall"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
index eea9a7326..a163d2275 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -49,6 +49,11 @@ id = "T1127"
 reference = "https://attack.mitre.org/techniques/T1127/"
 name = "Trusted Developer Utilities Proxy Execution"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1127.001"
+ name = "MSBuild"
+ reference = "https://attack.mitre.org/techniques/T1127/001/"
+
 [rule.threat.tactic]
 id = "TA0005"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
index baa420af1..ab188c4ae 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -36,6 +36,11 @@ id = "T1127"
 reference = "https://attack.mitre.org/techniques/T1127/"
 name = "Trusted Developer Utilities Proxy Execution"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1127.001"
+ name = "MSBuild"
+ reference = "https://attack.mitre.org/techniques/T1127/001/"
+
 [rule.threat.tactic]
 id = "TA0005"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
index 2883f200a..5148e8e42 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -36,6 +36,11 @@ id = "T1127"
 reference = "https://attack.mitre.org/techniques/T1127/"
 name = "Trusted Developer Utilities Proxy Execution"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1127.001"
+ name = "MSBuild"
+ reference = "https://attack.mitre.org/techniques/T1127/001/"
+
 [rule.threat.tactic]
 id = "TA0005"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
index db9c9401c..eb754658c 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -36,6 +36,11 @@ id = "T1036"
 reference = "https://attack.mitre.org/techniques/T1036/"
 name = "Masquerading"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1036.003"
+ name = "Rename System Utilities"
+ reference = "https://attack.mitre.org/techniques/T1036/003/"
+
 [rule.threat.tactic]
 id = "TA0005"
diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml
index 7dbd54ab1..ad2f8e8e1 100644
--- a/rules/windows/defense_evasion_file_creation_mult_extension.toml
+++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2021/09/23"
 min_stack_version = "7.12.0"
 [rule]
@@ -46,3 +46,22 @@ reference = "https://attack.mitre.org/techniques/T1036/004/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+
+ [[rule.threat.technique.subtechnique]]
+ id = "T1204.002"
+ name = "Malicious File"
+ reference = "https://attack.mitre.org/techniques/T1204/002/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
index d89034c46..a5bc26f45 100644
--- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
+++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/25"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,10 @@ framework = "MITRE ATT&CK"
 id = "T1140"
 name = "Deobfuscate/Decode Files or Information"
 reference = "https://attack.mitre.org/techniques/T1140/"
-
+[[rule.threat.technique]]
+id = "T1112"
+name = "Modify Registry"
+reference = "https://attack.mitre.org/techniques/T1112/"
 [rule.threat.tactic]
 id = "TA0005"
diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
index 852c3de67..49b6527dd 100644
--- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml
+++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/14"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -33,9 +33,14 @@ process where event.type in ("start", "process_started") and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1070"
-reference = "https://attack.mitre.org/techniques/T1070/"
-name = "Indicator Removal on Host"
+id = "T1562"
+reference = "https://attack.mitre.org/techniques/T1562/"
+name = "Impair Defenses"
+
+ [[rule.threat.technique.subtechnique]]
+ id = "T1562.002"
+ name = "Disable Windows Event Logging"
+ reference = "https://attack.mitre.org/techniques/T1562/002/"
 [rule.threat.tactic]
diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
index 70d3e06e2..a8c489d87 100644
--- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
+++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -34,6 +34,11 @@ id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1036.003"
+ name = "Rename System Utilities"
+ reference = "https://attack.mitre.org/techniques/T1036/003/"
+
 [rule.threat.tactic]
 id = "TA0005"
diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
index 0e7dedfe6..8c65d299a 100644
--- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml
+++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/03/09"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -36,6 +36,11 @@ id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1036.005"
+ name = "Match Legitimate Name or Location"
+ reference = "https://attack.mitre.org/techniques/T1036/005/"
+
 [rule.threat.tactic]
 id = "TA0005"
diff --git a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
index 7271c033b..68e1d2892 100644
--- a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
+++ b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2021/03/03"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -37,6 +37,11 @@ id = "T1127"
 name = "Trusted Developer Utilities Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1127/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1127.001"
+ name = "MSBuild"
+ reference = "https://attack.mitre.org/techniques/T1127/001/"
+
 [rule.threat.tactic]
 id = "TA0005"
diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
index 3871e6196..1b6bc53ba 100644
--- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml
+++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/03/08"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -35,6 +35,11 @@ id = "T1127"
 name = "Trusted Developer Utilities Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1127/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1127.001"
+ name = "MSBuild"
+ reference = "https://attack.mitre.org/techniques/T1127/001/"
+
 [rule.threat.tactic]
 id = "TA0005"
diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
index f0f500cbf..7665c2078 100644
--- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
+++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/04"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -39,6 +39,11 @@ id = "T1070"
 name = "Indicator Removal on Host"
 reference = "https://attack.mitre.org/techniques/T1070/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1070.004"
+ name = "File Deletion"
+ reference = "https://attack.mitre.org/techniques/T1070/004/"
+
 [rule.threat.tactic]
 id = "TA0005"
diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml
index fd29a5c7d..f3b1e337a 100644
--- a/rules/windows/defense_evasion_unusual_dir_ads.toml
+++ b/rules/windows/defense_evasion_unusual_dir_ads.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2021/03/09"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -33,6 +33,10 @@ framework = "MITRE ATT&CK"
 id = "T1564"
 name = "Hide Artifacts"
 reference = "https://attack.mitre.org/techniques/T1564/"
+[[rule.threat.technique.subtechnique]]
+id = "T1564.004"
+name = "NTFS File Attributes"
+reference = "https://attack.mitre.org/techniques/T1564/004/"
 [rule.threat.tactic]
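Review bot: The T1564.004 sub-technique added in defense_evasion_unusual_dir_ads.toml is written flush-left, with `[[rule.threat.technique.subtechnique]]` and its three keys at column 0, whereas every other sub-technique added in this change is indented under its parent technique; the same flush-left form is used for the T1562.001 sub-technique in defense_evasion_via_filter_manager.toml. Indentation carries no meaning in TOML, so this is style only, but the indented form is the convention the rest of the change establishes and the two files should follow it. The T1564.004 mapping itself fits a rule about alternate data streams in unusual directories.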
diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml
index 1d9da83a5..2bd4afd1f 100644
--- a/rules/windows/defense_evasion_via_filter_manager.toml
+++ b/rules/windows/defense_evasion_via_filter_manager.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -30,9 +30,13 @@ process where event.type in ("start", "process_started") and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1222"
-reference = "https://attack.mitre.org/techniques/T1222/"
-name = "File and Directory Permissions Modification"
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
 [rule.threat.tactic]
diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml
index 6ec53e6c0..9ac52ed80 100644
--- a/rules/windows/discovery_adfind_command_activity.toml
+++ b/rules/windows/discovery_adfind_command_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2021/09/13"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -107,6 +107,12 @@ name = "Domain Trust Discovery"
 reference = "https://attack.mitre.org/techniques/T1482/"
+[[rule.threat.technique]]
+id = "T1018"
+name = "Remote System Discovery"
+reference = "https://attack.mitre.org/techniques/T1018/"
+
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
index 5954fc031..e7681176a 100644
--- a/rules/windows/discovery_admin_recon.toml
+++ b/rules/windows/discovery_admin_recon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -44,6 +44,11 @@ id = "T1069"
 name = "Permission Groups Discovery"
 reference = "https://attack.mitre.org/techniques/T1069/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1069.002"
+ name = "Domain Groups"
+ reference = "https://attack.mitre.org/techniques/T1069/002/"
+
 [[rule.threat.technique]]
 id = "T1087"
 name = "Account Discovery"
diff --git a/rules/windows/discovery_net_command_system_account.toml b/rules/windows/discovery_net_command_system_account.toml
index 883b36894..d46deb290 100644
--- a/rules/windows/discovery_net_command_system_account.toml
+++ b/rules/windows/discovery_net_command_system_account.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/18"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -32,9 +32,9 @@ process where event.type in ("start", "process_started") and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1087"
-reference = "https://attack.mitre.org/techniques/T1087/"
-name = "Account Discovery"
+id = "T1033"
+reference = "https://attack.mitre.org/techniques/T1033/"
+name = "System Owner/User Discovery"
 [rule.threat.tactic]
diff --git a/rules/windows/discovery_security_software_wmic.toml b/rules/windows/discovery_security_software_wmic.toml
index 4751cd77f..ca589488c 100644
--- a/rules/windows/discovery_security_software_wmic.toml
+++ b/rules/windows/discovery_security_software_wmic.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -35,6 +35,11 @@ id = "T1518"
 name = "Software Discovery"
 reference = "https://attack.mitre.org/techniques/T1518/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1518.001"
+ name = "Security Software Discovery"
+ reference = "https://attack.mitre.org/techniques/T1518/001/"
+
 [rule.threat.tactic]
 id = "TA0007"
diff --git a/rules/windows/execution_downloaded_shortcut_files.toml b/rules/windows/execution_downloaded_shortcut_files.toml
index aa93bc130..819406f15 100644
--- a/rules/windows/execution_downloaded_shortcut_files.toml
+++ b/rules/windows/execution_downloaded_shortcut_files.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 maturity = "development"
 query_schema_validation = false
-updated_date = "2021/03/03"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -41,6 +41,11 @@ id = "T1204"
 name = "User Execution"
 reference = "https://attack.mitre.org/techniques/T1204/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1204.002"
+ name = "Malicious File"
+ reference = "https://attack.mitre.org/techniques/T1204/002/"
+
 [rule.threat.tactic]
 id = "TA0002"
diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml
index a02c6b710..a4ba90c92 100644
--- a/rules/windows/execution_enumeration_via_wmiprvse.toml
+++ b/rules/windows/execution_enumeration_via_wmiprvse.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -65,3 +65,28 @@ id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1518"
+name = "Software Discovery"
+reference = "https://attack.mitre.org/techniques/T1518/"
+
+
+[[rule.threat.technique]]
+id = "T1087"
+name = "Account Discovery"
+reference = "https://attack.mitre.org/techniques/T1087/"
+
+
+[[rule.threat.technique]]
+id = "T1018"
+name = "Remote System Discovery"
+reference = "https://attack.mitre.org/techniques/T1018/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
index 12e330c2a..19d68e83a 100644
--- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/05/26"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
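Review bot: The new Discovery `[[rule.threat]]` entry in execution_enumeration_via_wmiprvse maps T1518 at technique level only, while discovery_security_software_wmic in this same commit refines a comparable WMI-driven enumeration to T1518.001 Security Software Discovery; if the enumeration this rule covers includes security products (its query is outside the hunk), adding the sub-technique would keep the two rules' coverage consistent. As a point of style, the added block separates each technique table and the tactic with two blank lines, which none of the other additions in the commit do; a single blank line between tables is the prevailing format.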
@@ -36,22 +36,34 @@ sequence by process.entity_id
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+
+ [[rule.threat.technique.subtechnique]]
+ id = "T1204.002"
+ name = "Malicious File"
+ reference = "https://attack.mitre.org/techniques/T1204/002/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1218"
 name = "Signed Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
-[[rule.threat.technique.subtechnique]]
-id = "T1218.001"
-name = "Compiled HTML File"
-reference = "https://attack.mitre.org/techniques/T1218/001/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1218.001"
+ name = "Compiled HTML File"
+ reference = "https://attack.mitre.org/techniques/T1218/001/"
 [rule.threat.tactic]
diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml
index 986566f70..50d43bece 100644
--- a/rules/windows/execution_scheduled_task_powershell_source.toml
+++ b/rules/windows/execution_scheduled_task_powershell_source.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/15"
 maturity = "production"
-updated_date = "2021/03/08"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -38,6 +38,11 @@ id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1053.005"
+ name = "Scheduled Task"
+ reference = "https://attack.mitre.org/techniques/T1053/005/"
+
 [rule.threat.tactic]
 id = "TA0002"
diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml
index bc3fef4ab..d8979ea94 100644
--- a/rules/windows/execution_via_compiled_html_file.toml
+++ b/rules/windows/execution_via_compiled_html_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -38,26 +38,38 @@ process where event.type in ("start", "process_started") and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+
+ [[rule.threat.technique.subtechnique]]
+ id = "T1204.002"
+ name = "Malicious File"
+ reference = "https://attack.mitre.org/techniques/T1204/002/"
+
 [rule.threat.tactic]
 id = "TA0002"
-reference = "https://attack.mitre.org/tactics/TA0002/"
 name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1218"
-reference = "https://attack.mitre.org/techniques/T1218/"
 name = "Signed Binary Proxy Execution"
-[[rule.threat.technique.subtechnique]]
-id = "T1218.001"
-reference = "https://attack.mitre.org/techniques/T1218/001/"
-name = "Compiled HTML File"
+reference = "https://attack.mitre.org/techniques/T1218/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1218.001"
+ name = "Compiled HTML File"
+ reference = "https://attack.mitre.org/techniques/T1218/001/"
 [rule.threat.tactic]
 id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
similarity index 66%
rename from rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
rename to rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
index 8a3008ef2..938a153c8 100644
--- a/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
+++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "Deleting Backup Catalogs with Wbadmin"
 risk_score = 21
 rule_id = "581add16-df76-42bb-af8e-c979bfb39a59"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -31,18 +31,13 @@ process where event.type in ("start", "process_started") and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1070"
-reference = "https://attack.mitre.org/techniques/T1070/"
-name = "Indicator Removal on Host"
-[[rule.threat.technique.subtechnique]]
-id = "T1070.004"
-reference = "https://attack.mitre.org/techniques/T1070/004/"
-name = "File Deletion"
-
+id = "T1490"
+name = "Inhibit System Recovery"
+reference = "https://attack.mitre.org/techniques/T1490/"
 [rule.threat.tactic]
-id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-name = "Defense Evasion"
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules/windows/defense_evasion_modification_of_boot_config.toml b/rules/windows/impact_modification_of_boot_config.toml
similarity index 69%
rename from rules/windows/defense_evasion_modification_of_boot_config.toml
rename to rules/windows/impact_modification_of_boot_config.toml
index 762185521..e4184142c 100644
--- a/rules/windows/defense_evasion_modification_of_boot_config.toml
+++ b/rules/windows/impact_modification_of_boot_config.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/16"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
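Review bot: Re-tagging this rule from "Defense Evasion" to "Impact" on the `+tags = [...]` line changes which tag-driven filters, saved searches and coverage views it appears in, even though `rule_id` is preserved, so the tag move is user-visible and belongs in the release notes; the same applies to impact_modification_of_boot_config, impact_stop_process_service_threshold and impact_volume_shadow_copy_deletion_via_wmic. The rule's `description` and `name` are outside the hunk, and only the threshold rule has its description wording adjusted in this commit, so the other three should be checked for prose that still frames the activity as defense evasion. Dropping T1070.004 entirely rather than keeping it as a second `[[rule.threat]]` entry is a judgment call; other hunks in this commit (lateral_movement_dcom_hta, execution_enumeration_via_wmiprvse) show the multi-tactic form if both mappings are wanted.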
@@ -17,7 +17,7 @@ name = "Modification of Boot Configuration"
 risk_score = 21
 rule_id = "69c251fb-a5d6-4035-b5ec-40438bd829ff"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -32,18 +32,13 @@ process where event.type in ("start", "process_started") and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1070"
-reference = "https://attack.mitre.org/techniques/T1070/"
-name = "Indicator Removal on Host"
-[[rule.threat.technique.subtechnique]]
-id = "T1070.004"
-reference = "https://attack.mitre.org/techniques/T1070/004/"
-name = "File Deletion"
-
+id = "T1490"
+name = "Inhibit System Recovery"
+reference = "https://attack.mitre.org/techniques/T1490/"
 [rule.threat.tactic]
-id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-name = "Defense Evasion"
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules/windows/defense_evasion_stop_process_service_threshold.toml b/rules/windows/impact_stop_process_service_threshold.toml
similarity index 64%
rename from rules/windows/defense_evasion_stop_process_service_threshold.toml
rename to rules/windows/impact_stop_process_service_threshold.toml
index d046b148c..7f3eeb55a 100644
--- a/rules/windows/defense_evasion_stop_process_service_threshold.toml
+++ b/rules/windows/impact_stop_process_service_threshold.toml
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/12/03"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
 description = """
 This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a
-short time period. This may indicate a defense evasion attempt.
+short time period.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
@@ -17,7 +17,7 @@ name = "High Number of Process and/or Service Terminations"
 risk_score = 47
 rule_id = "035889c4-2686-4583-a7df-67f89c292f2c"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact"]
 type = "threshold"
 query = '''
@@ -29,20 +29,15 @@ event.category:process and event.type:start and process.name:(net.exe or sc.exe
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1562"
-name = "Impair Defenses"
-reference = "https://attack.mitre.org/techniques/T1562/"
-[[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-name = "Disable or Modify Tools"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
-
+id = "T1489"
+name = "Service Stop"
+reference = "https://attack.mitre.org/techniques/T1489/"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
 [rule.threshold]
 field = ["host.id"]
diff --git a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
similarity index 66%
rename from rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
rename to rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
index 700bda582..d8eb0e4d5 100644
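Review bot: The description edit in impact_stop_process_service_threshold deletes `This may indicate a defense evasion attempt.` without replacing it, so the description now states what is counted but no longer tells an analyst why a burst of terminations matters. Since the rule is now mapped to T1489, a sentence in the new tactic's terms would restore that context, e.g. `short time period. This may indicate an attempt to stop services (Service Stop, T1489).` The `[rule.threshold]` section that closes the file continues beyond the last hunk.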
--- a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "Volume Shadow Copy Deletion via WMIC"
 risk_score = 73
 rule_id = "dc9c1f74-dac3-48e3-b47f-eb79db358f57"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -31,18 +31,13 @@ process where event.type in ("start", "process_started") and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1070"
-reference = "https://attack.mitre.org/techniques/T1070/"
-name = "Indicator Removal on Host"
-[[rule.threat.technique.subtechnique]]
-id = "T1070.004"
-reference = "https://attack.mitre.org/techniques/T1070/004/"
-name = "File Deletion"
-
+id = "T1490"
+name = "Inhibit System Recovery"
+reference = "https://attack.mitre.org/techniques/T1490/"
 [rule.threat.tactic]
-id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-name = "Defense Evasion"
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml
index 64f07d08e..4d3c9165c 100644
--- a/rules/windows/lateral_movement_dcom_hta.toml
+++ b/rules/windows/lateral_movement_dcom_hta.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -41,9 +41,32 @@ id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1021.003"
+ name = "Distributed Component Object Model"
+ reference = "https://attack.mitre.org/techniques/T1021/003/"
+
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1218"
+name = "Signed Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+[[rule.threat.technique.subtechnique]]
+id = "T1218.005"
+name = "Mshta"
+reference = "https://attack.mitre.org/techniques/T1218/005/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml
index b567b90e9..9794e4105 100644
--- a/rules/windows/lateral_movement_dcom_mmc20.toml
+++ b/rules/windows/lateral_movement_dcom_mmc20.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -40,6 +40,11 @@ id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1021.003"
+ name = "Distributed Component Object Model"
+ reference = "https://attack.mitre.org/techniques/T1021/003/"
+
 [rule.threat.tactic]
 id = "TA0008"
diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
index 3eb65b70c..5f49a431c 100644
--- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
+++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -41,6 +41,11 @@ id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1021.003"
+ name = "Distributed Component Object Model"
+ reference = "https://attack.mitre.org/techniques/T1021/003/"
+
 [rule.threat.tactic]
 id = "TA0008"
diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
index 9c1f93790..6f3945096 100644
--- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
+++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -33,9 +33,14 @@ sequence by process.entity_id
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1210"
-name = "Exploitation of Remote Services"
-reference = "https://attack.mitre.org/techniques/T1210/"
+name = "Remote Services"
+id = "T1021"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+ [[rule.threat.technique.subtechnique]]
+ name = "SMB/Windows Admin Shares"
+ id = "T1021.002"
+ reference = "https://attack.mitre.org/techniques/T1021/002/"
 [rule.threat.tactic]
diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml
index a11734c9f..09ccde3bc 100644
--- a/rules/windows/lateral_movement_rdp_enabled_registry.toml
+++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/25"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -36,6 +36,11 @@ id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1021.001"
+ name = "Remote Desktop Protocol"
+ reference = "https://attack.mitre.org/techniques/T1021/001/"
+
 [rule.threat.tactic]
 id = "TA0008"
diff --git a/rules/windows/lateral_movement_rdp_sharprdp_target.toml b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
index fc0d2d52e..678dbf603 100644
--- a/rules/windows/lateral_movement_rdp_sharprdp_target.toml
+++ b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/11"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -52,6 +52,11 @@ id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1021.001"
+ name = "Remote Desktop Protocol"
+ reference = "https://attack.mitre.org/techniques/T1021/001/"
+
 [rule.threat.tactic]
 id = "TA0008"
diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml
index a9141b67a..e6f97f705 100644
--- a/rules/windows/lateral_movement_scheduled_task_target.toml
+++ b/rules/windows/lateral_movement_scheduled_task_target.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
-updated_date = "2021/09/13"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -83,6 +83,11 @@ id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1053.005"
+ name = "Scheduled Task"
+ reference = "https://attack.mitre.org/techniques/T1053/005/"
+
 [rule.threat.tactic]
 id = "TA0002"
diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
index 5ee1b9583..7a0bd1e1f 100644
--- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml
+++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/18"
 maturity = "production"
-updated_date = "2021/03/08"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -38,6 +38,11 @@ id = "T1136"
 name = "Create Account"
 reference = "https://attack.mitre.org/techniques/T1136/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1136.001"
+ name = "Local Account"
+ reference = "https://attack.mitre.org/techniques/T1136/001/"
+
 [rule.threat.tactic]
 id = "TA0003"
diff --git a/rules/windows/persistence_gpo_schtask_service_creation.toml b/rules/windows/persistence_gpo_schtask_service_creation.toml
index f52f5bab6..34c0a99a2 100644
--- a/rules/windows/persistence_gpo_schtask_service_creation.toml
+++ b/rules/windows/persistence_gpo_schtask_service_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/13"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -37,6 +37,11 @@ id = "T1053"
 reference = "https://attack.mitre.org/techniques/T1053/"
 name = "Scheduled Task/Job"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1053.005"
+ name = "Scheduled Task"
+ reference = "https://attack.mitre.org/techniques/T1053/005/"
+
 [rule.threat.tactic]
 id = "TA0003"
diff --git a/rules/windows/persistence_local_scheduled_job_creation.toml b/rules/windows/persistence_local_scheduled_job_creation.toml
index 3f32cb405..4ce89cc62 100644
--- a/rules/windows/persistence_local_scheduled_job_creation.toml
+++ b/rules/windows/persistence_local_scheduled_job_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/03/15"
 maturity = "production"
-updated_date = "2021/03/15"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -32,6 +32,11 @@ id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1053.005"
+ name = "Scheduled Task"
+ reference = "https://attack.mitre.org/techniques/T1053/005/"
+
 [rule.threat.tactic]
 id = "TA0003"
diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml
index 97b2ef7ed..b16dcbf2e 100644
--- a/rules/windows/persistence_local_scheduled_task_scripting.toml
+++ b/rules/windows/persistence_local_scheduled_task_scripting.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/29"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -38,6 +38,11 @@ id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1053.005"
+ name = "Scheduled Task"
+ reference = "https://attack.mitre.org/techniques/T1053/005/"
+
 [rule.threat.tactic]
 id = "TA0003"
diff --git a/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
similarity index 72%
rename from rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
rename to rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
index ac9ab73c8..c3bcfb462 100644
--- a/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
+++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/15"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = [
 risk_score = 47
 rule_id = "ce64d965-6cb0-466d-b74f-8d2c76f47f05"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -35,18 +35,18 @@ process where event.type in ("start", "process_started") and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1114"
-name = "Email Collection"
-reference = "https://attack.mitre.org/techniques/T1114/"
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
-[[rule.threat.technique]]
-reference = "https://attack.mitre.org/techniques/T1005/"
-id = "T1005"
-name = "Data from Local System"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1098.002"
+ name = "Exchange Email Delegate Permissions"
+ reference = "https://attack.mitre.org/techniques/T1098/002/"
 [rule.threat.tactic]
-id = "TA0009"
-name = "Collection"
-reference = "https://attack.mitre.org/tactics/TA0009/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml
index de1ea984a..49ec79efd 100644
--- a/rules/windows/persistence_registry_uncommon.toml
+++ b/rules/windows/persistence_registry_uncommon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
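Review bot: The Collection mapping (T1114 and T1005) of the renamed persistence_powershell_exch_mailbox_activesync_add_device rule is removed outright rather than retained beside the new Persistence mapping, although this commit uses a second `[[rule.threat]]` block for exactly that situation elsewhere (lateral_movement_dcom_hta, execution_enumeration_via_wmiprvse). If a device added to a mailbox's ActiveSync allow-list still yields mailbox read access for the actor, keeping T1114 as a second threat entry would preserve that coverage in ATT&CK-coverage views, and the old file name's `collection_persistence_` prefix suggests both were intended. T1098.002 "Exchange Email Delegate Permissions" is the closest child of T1098 available, but the rule name (outside the hunk) describes an ActiveSync device addition rather than a delegate-permission grant, so it is worth confirming the sub-technique is the intended fit rather than mapping T1098 alone.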
@@ -88,6 +88,17 @@ registry where
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+
+ [[rule.threat.technique.subtechnique]]
+ id = "T1547.001"
+ name = "Registry Run Keys / Startup Folder"
+ reference = "https://attack.mitre.org/techniques/T1547/001/"
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
index 32a9100a0..1a972a765 100644
--- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
+++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -63,6 +63,11 @@ id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1053.005"
+ name = "Scheduled Task"
+ reference = "https://attack.mitre.org/techniques/T1053/005/"
+
 [rule.threat.tactic]
 id = "TA0003"
diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
index 9cca24913..ebf7c2fb8 100644
--- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
+++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/09"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic", "Skoetting"]
@@ -41,14 +41,9 @@ iam where event.action == "added-member-to-group" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1136"
-reference = "https://attack.mitre.org/techniques/T1136/"
-name = "Create Account"
-[[rule.threat.technique.subtechnique]]
-id = "T1136.001"
-reference = "https://attack.mitre.org/techniques/T1136/001/"
-name = "Local Account"
-
+id = "T1098"
+reference = "https://attack.mitre.org/techniques/T1098/"
+name = "Account Manipulation"
 [rule.threat.tactic]
diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml
index 23de1578a..fda3e2312 100644
--- a/rules/windows/persistence_user_account_creation.toml
+++ b/rules/windows/persistence_user_account_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -36,6 +36,11 @@ id = "T1136"
 reference = "https://attack.mitre.org/techniques/T1136/"
 name = "Create Account"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1136.001"
+ name = "Local Account"
+ reference = "https://attack.mitre.org/techniques/T1136/001/"
+
 [rule.threat.tactic]
 id = "TA0003"
diff --git a/rules/windows/persistence_user_account_creation_event_logs.toml b/rules/windows/persistence_user_account_creation_event_logs.toml
index e5314d677..e6969573c 100644
--- a/rules/windows/persistence_user_account_creation_event_logs.toml
+++ b/rules/windows/persistence_user_account_creation_event_logs.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "development"
-updated_date = "2021/03/03"
+updated_date = "2021/09/23"
 [rule]
 author = ["Skoetting"]
@@ -39,6 +39,11 @@ id = "T1136"
 name = "Create Account"
 reference = "https://attack.mitre.org/techniques/T1136/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1136.001"
+ name = "Local Account"
+ reference = "https://attack.mitre.org/techniques/T1136/001/"
+
 [rule.threat.tactic]
 id = "TA0003"
diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
index ae5f2ea20..49efdc32a 100644
--- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
+++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -43,6 +43,11 @@ id = "T1053"
 reference = "https://attack.mitre.org/techniques/T1053/"
 name = "Scheduled Task/Job"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1053.005"
+ name = "Scheduled Task"
+ reference = "https://attack.mitre.org/techniques/T1053/005/"
+
 [rule.threat.tactic]
 id = "TA0003"
diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
index cb1777e6c..1926dc7e4 100644
--- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
+++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/09/23"
 [rule]
 author = ["Elastic"]
@@ -37,6 +37,11 @@ id = "T1546"
 name = "Event Triggered Execution"
 reference = "https://attack.mitre.org/techniques/T1546/"
+ [[rule.threat.technique.subtechnique]]
+ id = "T1546.003"
+ name = "Windows Management Instrumentation Event Subscription"
+ reference = "https://attack.mitre.org/techniques/T1546/003/"
+
 [rule.threat.tactic]
 id = "TA0003"