diff --git a/rules/azure/initial_access_azure_active_directory_high_risk_signin.toml b/rules/azure/initial_access_azure_active_directory_high_risk_signin.toml
index e30928ef5..07898d580 100644
--- a/rules/azure/initial_access_azure_active_directory_high_risk_signin.toml
+++ b/rules/azure/initial_access_azure_active_directory_high_risk_signin.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/04" maturity = "production" -updated_date = "2021/01/04" +updated_date = "2021/02/11" [rule] author = ["Elastic", "Willem D'Haese"]
@@ -26,6 +26,7 @@ risk_score = 73 rule_id = "37994bca-0611-4500-ab67-5588afe73b77" severity = "high" tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"] +timestamp_override = "event.ingested" type = "query" query = '''
diff --git a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
index ad3df15cb..f1c2408ad 100644
--- a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
+++ b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/21" maturity = "production" -updated_date = "2020/01/28" +updated_date = "2021/02/11" [rule] author = ["Elastic"]
@@ -27,6 +27,7 @@ risk_score = 47 rule_id = "027ff9ea-85e7-42e3-99d2-bbb7069e02eb" severity = "medium" tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Credential Access"] +timestamp_override = "event.ingested" type = "eql" query = '''
diff --git a/rules/cross-platform/discovery_security_software_grep.toml b/rules/cross-platform/discovery_security_software_grep.toml
index 6d68f43d1..7018a7450 100644
--- a/rules/cross-platform/discovery_security_software_grep.toml
+++ b/rules/cross-platform/discovery_security_software_grep.toml
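Review bot: The `+timestamp_override = "event.ingested"` line in the `@@ -26,6 +26,7 @@` hunk assumes the events this rule reads carry `event.ingested`, and nothing in the diff records that assumption; the same line is added to every other rule here, including the four Auditd rules that read only `auditbeat-*` (initial_access_login_failures, _location, _sessions, _time), which are the ones most likely to lack the field unless an ingest pipeline sets it. Whether a missing override field makes a rule fall back to `@timestamp` or simply match nothing depends on the stack version in use, so please state the minimum supported version and the expected fallback in the commit description. This point applies to all `timestamp_override` hunks in the diff and is not repeated per file.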
@@ -1,13 +1,13 @@ [metadata] creation_date = "2020/12/20" maturity = "production" -updated_date = "2020/12/20" +updated_date = "2021/02/11" [rule] author = ["Elastic"] description = """ -Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as -Antivirus or Host Firewall details. +Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus +or Host Firewall details. """ from = "now-9m" index = ["logs-endpoint.events.*", "auditbeat-*"]
@@ -18,6 +18,7 @@ risk_score = 47 rule_id = "870aecc0-cea4-4110-af3f-e02e9b373655" severity = "medium" tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Discovery"] +timestamp_override = "event.ingested" type = "query" query = '''
@@ -68,3 +69,4 @@ reference = "https://attack.mitre.org/techniques/T1518/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +
diff --git a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
index 50100eaae..a976c90d9 100644
--- a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
+++ b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
@@ -1,14 +1,11 @@ [metadata] creation_date = "2021/01/12" maturity = "production" -updated_date = "2021/01/12" +updated_date = "2021/02/11" [rule] author = ["Elastic"] -description = """ -Identifies the execution of and EggShell Backdoor. EggShell is a known post exploitation tool for macOS and -Linux. -""" +description = "Identifies the execution of and EggShell Backdoor. EggShell is a known post exploitation tool for macOS and Linux." from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery"
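Review bot: The rewritten `+description` line in the `@@ -1,14 +1,11 @@` hunk of execution_pentest_eggshell_remote_admin_tool.toml carries over the typo "of and EggShell Backdoor" from the removed lines; since the line is being replaced anyway, make it `description = "Identifies the execution of an EggShell Backdoor. EggShell is a known post exploitation tool for macOS and Linux."`. The reflowed grep-rule description earlier in the same stretch reads correctly and needs no change.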
@@ -19,8 +16,10 @@ risk_score = 73 rule_id = "41824afb-d68c-4d0e-bfee-474dac1fa56e" severity = "high" tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution"] +timestamp_override = "event.ingested" type = "query" query = ''' event.category:process and event.type:(start or process_started) and process.name:espl and process.args:eyJkZWJ1ZyI6* ''' +
diff --git a/rules/cross-platform/execution_python_script_in_cmdline.toml b/rules/cross-platform/execution_python_script_in_cmdline.toml
index ee83f32d0..47a901e43 100644
--- a/rules/cross-platform/execution_python_script_in_cmdline.toml
+++ b/rules/cross-platform/execution_python_script_in_cmdline.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/13" maturity = "development" -updated_date = "2021/01/13" +updated_date = "2021/02/11" [rule] author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 47 rule_id = "ee9f08dc-cf80-4124-94ae-08c405f059ae" severity = "medium" tags = ["Elastic", "Host", "Linux", "macOS", "Windows", "Threat Detection", "Execution"] +timestamp_override = "event.ingested" type = "eql" query = '''
diff --git a/rules/cross-platform/execution_revershell_via_shell_cmd.toml b/rules/cross-platform/execution_revershell_via_shell_cmd.toml
index 71160cc8b..48b8e2496 100644
--- a/rules/cross-platform/execution_revershell_via_shell_cmd.toml
+++ b/rules/cross-platform/execution_revershell_via_shell_cmd.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/01/07" maturity = "production" -updated_date = "2020/01/07" +updated_date = "2021/02/11" [rule] author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73 rule_id = "a1a0375f-22c2-48c0-81a4-7c2d11cc6856" severity = "high" tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution"] +timestamp_override = "event.ingested" type = "eql" query = '''
@@ -41,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +
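Review bot: In the `@@ -1,7 +1,7 @@` hunk of execution_revershell_via_shell_cmd.toml the `creation_date = "2020/01/07"` context line looks a year off: the rule is `type = "eql"`, its new `updated_date` is 2021/02/11, and the other cross-platform rules in this diff were created in December 2020 or January 2021, so 2021/01/07 seems the intended value. The same 2020/01/xx creation dates appear in six macOS rules later in the diff (credential_access_access_to_browser_credentials_procargs, credential_access_keychain_pwd_retrieval_security_cmd, credential_access_systemkey_dumping, defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess, defense_evasion_tcc_bypass_mounted_apfs_access, defense_evasion_unload_endpointsecurity_kext). If these are typos, correcting `creation_date` alongside the `updated_date` bump would keep the metadata consistent; if they are genuine, disregard this.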
diff --git a/rules/cross-platform/execution_suspicious_jar_child_process.toml b/rules/cross-platform/execution_suspicious_jar_child_process.toml
index 4379df642..4dc89b606 100644
--- a/rules/cross-platform/execution_suspicious_jar_child_process.toml
+++ b/rules/cross-platform/execution_suspicious_jar_child_process.toml
@@ -18,6 +18,7 @@ risk_score = 47 rule_id = "8acb7614-1d92-4359-bfcf-478b6d9de150" severity = "medium" tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution"] +timestamp_override = "event.ingested" type = "eql" query = '''
diff --git a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
index e91cb04d2..239e46e6a 100644
--- a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
+++ b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/21" maturity = "production" -updated_date = "2020/12/21" +updated_date = "2021/02/11" [rule] author = ["Elastic"]
@@ -9,7 +9,9 @@ description = """ Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges. """ -false_positives = ["Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes."] +false_positives = [ + "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes.", +] from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery"
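Review bot: execution_suspicious_jar_child_process.toml receives `+timestamp_override = "event.ingested"` in its only hunk (`@@ -18,6 +18,7 @@`) but, unlike every other rule in this diff, has no `[metadata]` hunk bumping `updated_date`; the same is true of defense_evasion_install_root_certificate.toml further down. Unless the metadata of these two files was touched in a separate commit, add an `updated_date = "2021/02/11"` change for each so the metadata reflects the behavior change the override introduces.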
@@ -25,6 +27,7 @@ risk_score = 47 rule_id = "93f47b6f-5728-4004-ba00-625083b3dcb0" severity = "medium" tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Credential Access", "Persistence"] +timestamp_override = "event.ingested" type = "query" query = '''
@@ -46,6 +49,7 @@ event.category:file and event.type:change and ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]]
@@ -53,6 +57,7 @@ id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [rule.threat.tactic] id = "TA0003" name = "Persistence"
@@ -69,3 +74,4 @@ reference = "https://attack.mitre.org/techniques/T1556/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +
diff --git a/rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml b/rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml
index f6a75a146..55cd06719 100644
--- a/rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml
+++ b/rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/15" maturity = "production" -updated_date = "2021/01/15" +updated_date = "2021/02/11" [rule] author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 21 rule_id = "b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8" severity = "low" tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Persistence"] +timestamp_override = "event.ingested" type = "query" query = '''
@@ -53,3 +54,4 @@ reference = "https://attack.mitre.org/techniques/T1053/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +
diff --git a/rules/cross-platform/persistence_shell_profile_modification.toml b/rules/cross-platform/persistence_shell_profile_modification.toml
index 9057a5262..f53706cd8 100644
--- a/rules/cross-platform/persistence_shell_profile_modification.toml
+++ b/rules/cross-platform/persistence_shell_profile_modification.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/19" maturity = "production" -updated_date = "2021/01/19" +updated_date = "2021/02/11" [rule] author = ["Elastic"]
@@ -22,6 +22,7 @@ risk_score = 47 rule_id = "e6c1a552-7776-44ad-ae0f-8746cc07773c" severity = "medium" tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Execution", "Persistence"] +timestamp_override = "event.ingested" type = "query" query = '''
@@ -69,3 +70,4 @@ reference = "https://attack.mitre.org/techniques/T1546/004/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +
diff --git a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
index 4cb321fe7..3c80c6ad1 100644
--- a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
+++ b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
@@ -1,13 +1,13 @@ [metadata] creation_date = "2020/12/22" maturity = "production" -updated_date = "2020/12/22" +updated_date = "2021/02/11" [rule] author = ["Elastic"] description = """ -The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. -Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s). +The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key +authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s). """ from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"]
@@ -18,6 +18,7 @@ risk_score = 47 rule_id = "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f" severity = "medium" tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Persistence"] +timestamp_override = "event.ingested" type = "query" query = '''
@@ -54,3 +55,4 @@ reference = "https://attack.mitre.org/techniques/T1098/004/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +
diff --git a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
index 5864c2f66..7c66c2448 100644
--- a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
+++ b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/26" maturity = "production" -updated_date = "2021/01/26" +updated_date = "2021/02/11" [rule] author = ["Elastic"]
@@ -18,6 +18,7 @@ risk_score = 73 rule_id = "76152ca1-71d0-4003-9e37-0983e12832da" severity = "high" tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Privilege Escalation"] +timestamp_override = "event.ingested" type = "query" query = '''
@@ -37,6 +38,7 @@ name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation"
diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml
index 8b99572ca..84de80a36 100644
--- a/rules/linux/credential_access_collection_sensitive_files.toml
+++ b/rules/linux/credential_access_collection_sensitive_files.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/22" maturity = "production" -updated_date = "2020/12/22" +updated_date = "2021/02/11" [rule] author = ["Elastic"]
@@ -21,6 +21,7 @@ risk_score = 47 rule_id = "6b84d470-9036-4cc0-a27c-6d90bbfe81ab" severity = "medium" tags = ["Elastic", "Host", "Linux", "Threat Detection", "Collection", "Credential Access"] +timestamp_override = "event.ingested" type = "query" query = '''
@@ -93,3 +94,4 @@ reference = "https://attack.mitre.org/techniques/T1560/001/" id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +
diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml
index 1366cb654..2cc053e8b 100644
--- a/rules/linux/credential_access_ssh_backdoor_log.toml
+++ b/rules/linux/credential_access_ssh_backdoor_log.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/21" maturity = "production" -updated_date = "2020/12/21" +updated_date = "2021/02/11" [rule] author = ["Elastic"]
@@ -24,6 +24,7 @@ risk_score = 73 rule_id = "f28e2be4-6eca-4349-bdd9-381573730c22" severity = "high" tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Credential Access"] +timestamp_override = "event.ingested" type = "eql" query = '''
@@ -83,3 +84,4 @@ reference = "https://attack.mitre.org/techniques/T1554/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +
diff --git a/rules/linux/initial_access_login_failures.toml b/rules/linux/initial_access_login_failures.toml
index d2667e1f4..f093c08b4 100644
--- a/rules/linux/initial_access_login_failures.toml
+++ b/rules/linux/initial_access_login_failures.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/07/08" maturity = "production" -updated_date = "2020/07/08" +updated_date = "2021/02/11" [rule] author = ["Elastic"]
@@ -10,11 +10,14 @@ index = ["auditbeat-*"] language = "kuery" license = "Elastic License" name = "Auditd Max Failed Login Attempts" -references = ["https://github.com/linux-pam/linux-pam/blob/0adbaeb273da1d45213134aa271e95987103281c/modules/pam_faillock/pam_faillock.c#L574"] +references = [ + "https://github.com/linux-pam/linux-pam/blob/0adbaeb273da1d45213134aa271e95987103281c/modules/pam_faillock/pam_faillock.c#L574", +] risk_score = 47 rule_id = "fb9937ce-7e21-46bf-831d-1ad96eac674d" severity = "medium" tags = ["Elastic", "Host", "Linux", "Threat Detection", "Initial Access"] +timestamp_override = "event.ingested" type = "query" query = '''
@@ -46,3 +49,4 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +
diff --git a/rules/linux/initial_access_login_location.toml b/rules/linux/initial_access_login_location.toml
index 618844cec..c19fc1b03 100644
--- a/rules/linux/initial_access_login_location.toml
+++ b/rules/linux/initial_access_login_location.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/07/08" maturity = "production" -updated_date = "2020/07/08" +updated_date = "2021/02/11" [rule] author = ["Elastic"]
@@ -10,11 +10,14 @@ index = ["auditbeat-*"] language = "kuery" license = "Elastic License" name = "Auditd Login from Forbidden Location" -references = ["https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_access/pam_access.c#L412"] +references = [ + "https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_access/pam_access.c#L412", +] risk_score = 73 rule_id = "cab4f01c-793f-4a54-a03e-e5d85b96d7af" severity = "high" tags = ["Elastic", "Host", "Linux", "Threat Detection", "Initial Access"] +timestamp_override = "event.ingested" type = "query" query = '''
@@ -46,3 +49,4 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +
diff --git a/rules/linux/initial_access_login_sessions.toml b/rules/linux/initial_access_login_sessions.toml
index c9df231e0..21b868c4b 100644
--- a/rules/linux/initial_access_login_sessions.toml
+++ b/rules/linux/initial_access_login_sessions.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/07/08" maturity = "production" -updated_date = "2020/07/08" +updated_date = "2021/02/11" [rule] author = ["Elastic"]
@@ -10,11 +10,14 @@ index = ["auditbeat-*"] language = "kuery" license = "Elastic License" name = "Auditd Max Login Sessions" -references = ["https://github.com/linux-pam/linux-pam/blob/70c32cc6fca51338f92afa58eb75b1107a5c2430/modules/pam_limits/pam_limits.c#L1007"] +references = [ + "https://github.com/linux-pam/linux-pam/blob/70c32cc6fca51338f92afa58eb75b1107a5c2430/modules/pam_limits/pam_limits.c#L1007", +] risk_score = 47 rule_id = "20dc4620-3b68-4269-8124-ca5091e00ea8" severity = "medium" tags = ["Elastic", "Host", "Linux", "Threat Detection", "Initial Access"] +timestamp_override = "event.ingested" type = "query" query = '''
@@ -46,3 +49,4 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +
diff --git a/rules/linux/initial_access_login_time.toml b/rules/linux/initial_access_login_time.toml
index 9439ee50a..143a01bd6 100644
--- a/rules/linux/initial_access_login_time.toml
+++ b/rules/linux/initial_access_login_time.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/07/08" maturity = "production" -updated_date = "2020/07/08" +updated_date = "2021/02/11" [rule] author = ["Elastic"]
@@ -10,11 +10,14 @@ index = ["auditbeat-*"] language = "kuery" license = "Elastic License" name = "Auditd Login Attempt at Forbidden Time" -references = ["https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_time/pam_time.c#L666"] +references = [ + "https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_time/pam_time.c#L666", +] risk_score = 47 rule_id = "90e28af7-1d96-4582-bf11-9a1eff21d0e5" severity = "medium" tags = ["Elastic", "Host", "Linux", "Threat Detection", "Initial Access"] +timestamp_override = "event.ingested" type = "query" query = '''
@@ -46,3 +49,4 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +
diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
index dbb704766..15f10dd84 100644
--- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
+++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/21" maturity = "production" -updated_date = "2020/12/21" +updated_date = "2021/02/11" [rule] author = ["Elastic"]
@@ -9,7 +9,9 @@ description = """ Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration. """ -false_positives = ["Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes."] +false_positives = [ + "Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes.", +] from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery"
@@ -20,6 +22,7 @@ risk_score = 47 rule_id = "0415f22a-2336-45fa-ba07-618a5942e22c" severity = "medium" tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access", "Persistence"] +timestamp_override = "event.ingested" type = "query" query = '''
@@ -54,3 +57,4 @@ reference = "https://attack.mitre.org/techniques/T1556/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +
diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml
index 8018c4e2f..bfd990d73 100644
--- a/rules/linux/persistence_kde_autostart_modification.toml
+++ b/rules/linux/persistence_kde_autostart_modification.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/06" maturity = "production" -updated_date = "2021/01/06" +updated_date = "2021/02/11" [rule] author = ["Elastic"]
@@ -23,6 +23,7 @@ risk_score = 47 rule_id = "e3e904b3-0a8e-4e68-86a8-977a163e21d3" severity = "medium" tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence"] +timestamp_override = "event.ingested" type = "eql" query = '''
@@ -54,3 +55,4 @@ reference = "https://attack.mitre.org/techniques/T1547/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +
diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
index b4a2e1dd4..f3676097a 100644
--- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
+++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/27" maturity = "production" -updated_date = "2021/01/27" +updated_date = "2021/02/11" [rule] author = ["Elastic"]
@@ -21,6 +21,7 @@ risk_score = 47 rule_id = "717f82c2-7741-4f9b-85b8-d06aeb853f4f" severity = "medium" tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation", "Persistence"] +timestamp_override = "event.ingested" type = "query" query = '''
diff --git a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
index 361f6205c..9e98af23e 100644
--- a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
+++ b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/01/04" maturity = "production" -updated_date = "2020/02/11" +updated_date = "2021/02/11" [rule] author = ["Elastic"]
@@ -19,6 +19,7 @@ risk_score = 73 rule_id = "20457e4f-d1de-4b92-ae69-142e27a4342a" severity = "high" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"] +timestamp_override = "event.ingested" type = "eql" query = '''
@@ -58,3 +59,4 @@ reference = "https://attack.mitre.org/techniques/T1555/003/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +
diff --git a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
index 2f371afed..82a5e907e 100644
--- a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
+++ b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/25" maturity = "production" -updated_date = "2021/01/25" +updated_date = "2021/02/11" [rule] author = ["Elastic"]
@@ -23,6 +23,7 @@ risk_score = 73 rule_id = "02ea4563-ec10-4974-b7de-12e65aa4f9b3" severity = "high" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"] +timestamp_override = "event.ingested" type = "query" query = '''
diff --git a/rules/macos/credential_access_dumping_keychain_security.toml b/rules/macos/credential_access_dumping_keychain_security.toml
index afa22878d..51fc2ac58 100644
--- a/rules/macos/credential_access_dumping_keychain_security.toml
+++ b/rules/macos/credential_access_dumping_keychain_security.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/04" maturity = "production" -updated_date = "2021/01/04" +updated_date = "2021/02/11" [rule] author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73 rule_id = "565d6ca5-75ba-4c82-9b13-add25353471c" severity = "high" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"] +timestamp_override = "event.ingested" type = "eql" query = '''
diff --git a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
index 251a72162..901b9f3c7 100644
--- a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
+++ b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/01/06" maturity = "production" -updated_date = "2020/01/06" +updated_date = "2021/02/11" [rule] author = ["Elastic"]
@@ -26,6 +26,7 @@ risk_score = 73 rule_id = "9092cd6c-650f-4fa3-8a8a-28256c7489c9" severity = "high" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"] +timestamp_override = "event.ingested" type = "query" query = '''
diff --git a/rules/macos/credential_access_mitm_localhost_webproxy.toml b/rules/macos/credential_access_mitm_localhost_webproxy.toml
index 68db37c73..b23906bbc 100644
--- a/rules/macos/credential_access_mitm_localhost_webproxy.toml
+++ b/rules/macos/credential_access_mitm_localhost_webproxy.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/05" maturity = "production" -updated_date = "2021/01/05" +updated_date = "2021/02/11" [rule] author = ["Elastic"]
@@ -23,6 +23,7 @@ risk_score = 47 rule_id = "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f" severity = "medium" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"] +timestamp_override = "event.ingested" type = "query" query = '''
@@ -43,3 +44,4 @@ reference = "https://attack.mitre.org/techniques/T1539/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +
diff --git a/rules/macos/credential_access_systemkey_dumping.toml b/rules/macos/credential_access_systemkey_dumping.toml
index 4ea3683e4..d8166c7dd 100644
--- a/rules/macos/credential_access_systemkey_dumping.toml
+++ b/rules/macos/credential_access_systemkey_dumping.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/01/07" maturity = "production" -updated_date = "2020/02/11" +updated_date = "2021/02/11" [rule] author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 73 rule_id = "d75991f2-b989-419d-b797-ac1e54ec2d61" severity = "high" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"] +timestamp_override = "event.ingested" type = "query" query = '''
diff --git a/rules/macos/defense_evasion_apple_softupdates_modification.toml b/rules/macos/defense_evasion_apple_softupdates_modification.toml
index aa3088289..b2a715b77 100644
--- a/rules/macos/defense_evasion_apple_softupdates_modification.toml
+++ b/rules/macos/defense_evasion_apple_softupdates_modification.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/15" maturity = "production" -updated_date = "2021/01/15" +updated_date = "2021/02/11" [rule] author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 47 rule_id = "f683dcdf-a018-4801-b066-193d4ae6c8e5" severity = "medium" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"] +timestamp_override = "event.ingested" type = "query" query = '''
@@ -41,6 +42,7 @@ name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion"
diff --git a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
index ee817715f..4a6b8bded 100644
--- a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
+++ b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/11" maturity = "production" -updated_date = "2021/01/11" +updated_date = "2021/02/16" [rule] author = ["Elastic"]
@@ -9,6 +9,7 @@ description = """ Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that's designed to ensure that only trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code. """ +from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License"
@@ -21,6 +22,7 @@ risk_score = 47 rule_id = "4da13d6e-904f-4636-81d8-6ab14b4e6ae9" severity = "medium" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"] +timestamp_override = "event.ingested" type = "query" query = '''
@@ -41,3 +43,4 @@ reference = "https://attack.mitre.org/techniques/T1553/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +
diff --git a/rules/macos/defense_evasion_install_root_certificate.toml b/rules/macos/defense_evasion_install_root_certificate.toml
index 9e6fe609d..d125e9cc8 100644
--- a/rules/macos/defense_evasion_install_root_certificate.toml
+++ b/rules/macos/defense_evasion_install_root_certificate.toml
@@ -22,6 +22,7 @@ risk_score = 47 rule_id = "bc1eeacf-2972-434f-b782-3a532b100d67" severity = "medium" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"] +timestamp_override = "event.ingested" type = "query" query = '''
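Review bot: The gatekeeper `@@ -1,7 +1,7 @@` hunk sets `updated_date = "2021/02/16"` while every other `updated_date` bump in this diff uses `"2021/02/11"`. If the later date marks the extra `+from = "now-9m"` addition in the following hunk, a line in the commit description saying so would avoid the question; otherwise it is probably a typo and should read `updated_date = "2021/02/11"`.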
diff --git a/rules/macos/defense_evasion_modify_environment_launchctl.toml b/rules/macos/defense_evasion_modify_environment_launchctl.toml
index 3b8622727..f2b64d941 100644
--- a/rules/macos/defense_evasion_modify_environment_launchctl.toml
+++ b/rules/macos/defense_evasion_modify_environment_launchctl.toml
@@ -1,13 +1,13 @@ [metadata] creation_date = "2021/01/14" maturity = "production" -updated_date = "2021/01/14" +updated_date = "2021/02/11" [rule] author = ["Elastic"] description = """ -Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own -malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain +Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their +own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions. """ from = "now-9m"
@@ -22,6 +22,7 @@ risk_score = 47 rule_id = "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1" severity = "medium" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"] +timestamp_override = "event.ingested" type = "query" query = '''
@@ -48,3 +49,4 @@ reference = "https://attack.mitre.org/techniques/T1574/007/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +
diff --git a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
index 66444a32e..bfcfba7ba 100644
--- a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
+++ b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/23" maturity = "production" -updated_date = "2020/12/23" +updated_date = "2021/02/11" [rule] author = ["Elastic"]
@@ -24,6 +24,7 @@ risk_score = 47 rule_id = "eea82229-b002-470e-a9e1-00be38b14d32" severity = "medium" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"] +timestamp_override = "event.ingested" type = "eql" query = '''
@@ -49,3 +50,4 @@ reference = "https://attack.mitre.org/techniques/T1562/001/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +
diff --git a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
index 531f8e6af..e104f972a 100644
--- a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
+++ b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/01/11" maturity = "production" -updated_date = "2020/01/11" +updated_date = "2021/02/11" [rule] author = ["Elastic"]
@@ -22,6 +22,7 @@ risk_score = 73 rule_id = "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d" severity = "high" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Privilege Escalation", "Defense Evasion"] +timestamp_override = "event.ingested" type = "eql" query = '''
diff --git a/rules/macos/defense_evasion_safari_config_change.toml b/rules/macos/defense_evasion_safari_config_change.toml
index 3cffe15a4..b5022cef6 100644
--- a/rules/macos/defense_evasion_safari_config_change.toml
+++ b/rules/macos/defense_evasion_safari_config_change.toml
@@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/14" maturity = "production" -updated_date = "2021/01/14" +updated_date = "2021/02/11" [rule] author = ["Elastic"]
@@ -20,6 +20,7 @@ risk_score = 47 rule_id = "6482255d-f468-45ea-a5b3-d3a7de1331ae" severity = "medium" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"] +timestamp_override = "event.ingested" type = "query" query = '''
@@ -49,6 +50,7 @@ name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml index 4a89ae649..23fa1cf2d 100644 --- a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml +++ b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/11" maturity = "production" -updated_date = "2021/01/11" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -24,6 +24,7 @@ risk_score = 73 rule_id = "d22a85c6-d2ad-4cc4-bf7b-54787473669a" severity = "high" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"] +timestamp_override = "event.ingested" type = "query" query = ''' diff --git a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml index 357a6cc3d..a06ef6bae 100644 --- a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml +++ b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/01/04" maturity = "production" -updated_date = "2020/01/04" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -20,6 +20,7 @@ risk_score = 73 rule_id = "b00bcd89-000c-4425-b94c-716ef67762f6" severity = "high" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"] +timestamp_override = "event.ingested" type = "query" query = ''' @@ -40,3 +41,4 @@ reference = "https://attack.mitre.org/techniques/T1006/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + 
diff --git a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml index e36d1d443..ff25023b0 100644 --- a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml +++ b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml @@ -1,13 +1,11 @@ [metadata] creation_date = "2020/01/05" maturity = "production" -updated_date = "2020/01/05" +updated_date = "2021/02/11" [rule] author = ["Elastic"] -description = """ -Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command. -""" +description = "Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command." from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" @@ -17,6 +15,7 @@ risk_score = 73 rule_id = "70fa1af4-27fd-4f26-bd03-50b6af6b9e24" severity = "high" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"] +timestamp_override = "event.ingested" type = "query" query = ''' @@ -37,7 +36,9 @@ name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml index f2b9bf89c..e25336cd8 100644 --- a/rules/macos/discovery_users_domain_built_in_commands.toml +++ b/rules/macos/discovery_users_domain_built_in_commands.toml 
@@ -1,13 +1,11 @@ [metadata] creation_date = "2021/01/12" maturity = "production" -updated_date = "2021/01/12" +updated_date = "2021/02/11" [rule] author = ["Elastic"] -description = """ -Identifies the execution of macOS built-in commands related to account or group enumeration. -""" +description = "Identifies the execution of macOS built-in commands related to account or group enumeration." from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" @@ -17,6 +15,7 @@ risk_score = 21 rule_id = "6e9b351e-a531-4bdc-b73e-7034d6eed7ff" severity = "low" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Discovery"] +timestamp_override = "event.ingested" type = "eql" query = ''' @@ -27,7 +26,6 @@ process where event.type in ("start", "process_started") and (process.name : "dscl" and process.args : ("read", "-read", "list", "-list", "ls", "search", "-search") and process.args : ("/Active Directory/*", "/Users*", "/Groups*")) - ''' @@ -48,3 +46,4 @@ reference = "https://attack.mitre.org/techniques/T1087/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml index f297aa6af..5d2d74362 100644 --- a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml +++ b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/01/07" maturity = "production" -updated_date = "2020/01/07" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -23,6 +23,7 @@ risk_score = 47 rule_id = "35330ba2-c859-4c98-8b7f-c19159ea0e58" severity = "medium" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion", "Execution"] +timestamp_override = "event.ingested" type = "query" query = ''' 
@@ -54,3 +55,4 @@ reference = "https://attack.mitre.org/techniques/T1548/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml index 829850241..5dd6f2ff0 100644 --- a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml +++ b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/23" maturity = "production" -updated_date = "2020/12/23" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -23,6 +23,7 @@ risk_score = 73 rule_id = "080bc66a-5d56-4d1f-8071-817671716db9" severity = "high" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Initial Access", "Execution"] +timestamp_override = "event.ingested" type = "eql" query = ''' @@ -70,3 +71,4 @@ reference = "https://attack.mitre.org/techniques/T1189/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml index 69d364790..5fe8f6d41 100644 --- a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml +++ b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/04" maturity = "production" -updated_date = "2021/01/04" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -20,6 +20,7 @@ risk_score = 47 rule_id = "66da12b1-ac83-40eb-814c-07ed1d82b7b9" severity = "medium" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution"] +timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -62,7 +63,9 @@ name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml index 68341786b..fc395a6f9 100644 --- a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml +++ b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml @@ -1,13 +1,13 @@ [metadata] creation_date = "2020/01/12" maturity = "production" -updated_date = "2020/01/12" +updated_date = "2021/02/11" [rule] author = ["Elastic"] description = """ -Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos -tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting. +Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or +attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting. """ from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] @@ -19,6 +19,7 @@ risk_score = 73 rule_id = "16904215-2c95-4ac8-bf5c-12354e047192" severity = "high" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access", "Lateral Movement"] +timestamp_override = "event.ingested" type = "query" query = ''' @@ -26,6 +27,7 @@ event.category:process and event.type:start and process.args:("-action" and ("-kerberoast" or askhash or asktgs or asktgt or s4u or ("-ticket" and ptt) or (dump and (tickets or keytab)))) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
@@ -37,6 +39,8 @@ id = "T1550.003" name = "Pass the Ticket" reference = "https://attack.mitre.org/techniques/T1550/003/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" @@ -53,3 +57,4 @@ reference = "https://attack.mitre.org/techniques/T1558/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/macos/lateral_movement_mounting_smb_share.toml b/rules/macos/lateral_movement_mounting_smb_share.toml index e4b44a862..16e12c4b2 100644 --- a/rules/macos/lateral_movement_mounting_smb_share.toml +++ b/rules/macos/lateral_movement_mounting_smb_share.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/25" maturity = "production" -updated_date = "2021/01/25" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -19,6 +19,7 @@ risk_score = 21 rule_id = "661545b4-1a90-4f45-85ce-2ebd7c6a15d0" severity = "low" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Lateral Movement"] +timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml index 11798c042..c04b40b90 100644 --- a/rules/macos/lateral_movement_vpn_connection_attempt.toml +++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/01/25" maturity = "production" -updated_date = "2020/01/25" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -20,6 +20,7 @@ risk_score = 21 rule_id = "15dacaa0-5b90-466b-acab-63435a59701a" severity = "low" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Lateral Movement"] +timestamp_override = "event.ingested" type = "eql" query = ''' @@ -44,3 +45,4 @@ reference = "https://attack.mitre.org/techniques/T1021/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + 
diff --git a/rules/macos/persistence_account_creation_hide_at_logon.toml b/rules/macos/persistence_account_creation_hide_at_logon.toml index 08b1970e8..868bbd575 100644 --- a/rules/macos/persistence_account_creation_hide_at_logon.toml +++ b/rules/macos/persistence_account_creation_hide_at_logon.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/01/05" maturity = "production" -updated_date = "2020/01/05" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -19,6 +19,7 @@ risk_score = 47 rule_id = "41b638a1-8ab6-4f8e-86d9-466317ef2db5" severity = "medium" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"] +timestamp_override = "event.ingested" type = "query" query = ''' diff --git a/rules/macos/persistence_creation_hidden_login_item_osascript.toml b/rules/macos/persistence_creation_hidden_login_item_osascript.toml index cb51ed34b..bd2f77cdb 100644 --- a/rules/macos/persistence_creation_hidden_login_item_osascript.toml +++ b/rules/macos/persistence_creation_hidden_login_item_osascript.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/01/05" maturity = "production" -updated_date = "2020/01/05" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -18,6 +18,7 @@ risk_score = 47 rule_id = "f24bcae1-8980-4b30-b5dd-f851b055c9e7" severity = "medium" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence", "Execution"] +timestamp_override = "event.ingested" type = "eql" query = ''' @@ -60,3 +61,4 @@ reference = "https://attack.mitre.org/techniques/T1059/002/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml index 46fba43f9..c4e5f27bd 100644 --- a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml +++ b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml 
@@ -1,14 +1,14 @@ [metadata] creation_date = "2021/01/13" maturity = "production" -updated_date = "2021/01/13" +updated_date = "2021/02/11" [rule] author = ["Elastic"] description = """ Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively -supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to -persist and/or collect clear text credentials as they traverse the registered plugins during user logon. +supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature +to persist and/or collect clear text credentials as they traverse the registered plugins during user logon. """ from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] @@ -23,6 +23,7 @@ risk_score = 47 rule_id = "e6c98d38-633d-4b3e-9387-42112cd5ac10" severity = "medium" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence", "Credential Access"] +timestamp_override = "event.ingested" type = "query" query = ''' @@ -49,3 +50,4 @@ reference = "https://attack.mitre.org/techniques/T1547/002/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml index 4010ec6a5..af7609ea5 100644 --- a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml +++ b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/01/07" maturity = "production" -updated_date = "2020/01/07" +updated_date = "2021/02/11" [rule] author = ["Elastic"] 
@@ -23,6 +23,7 @@ risk_score = 47 rule_id = "083fa162-e790-4d85-9aeb-4fea04188adb" severity = "medium" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence", "Defense Evasion"] +timestamp_override = "event.ingested" type = "query" query = ''' @@ -43,6 +44,7 @@ name = "Launch Agent" reference = "https://attack.mitre.org/techniques/T1543/001/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -58,7 +60,10 @@ id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/macos/persistence_directory_services_plugins_modification.toml b/rules/macos/persistence_directory_services_plugins_modification.toml index 55dfe8dc2..375dcbc31 100644 --- a/rules/macos/persistence_directory_services_plugins_modification.toml +++ b/rules/macos/persistence_directory_services_plugins_modification.toml @@ -20,6 +20,7 @@ risk_score = 47 rule_id = "89fa6cb7-6b53-4de2-b604-648488841ab8" severity = "medium" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"] +timestamp_override = "event.ingested" type = "query" query = ''' diff --git a/rules/macos/persistence_docker_shortcuts_plist_modification.toml b/rules/macos/persistence_docker_shortcuts_plist_modification.toml index 892557b97..2b44e9b29 100644 --- a/rules/macos/persistence_docker_shortcuts_plist_modification.toml +++ b/rules/macos/persistence_docker_shortcuts_plist_modification.toml 
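Review bot: The `persistence_directory_services_plugins_modification.toml` hunk changes rule behaviour by adding `timestamp_override`, but unlike every other rule file in this diff there is no accompanying `[metadata]` hunk bumping `updated_date` to `"2021/02/11"`; unless that file already carries that date, it should be bumped so the rule's revision history reflects the change. The same gap shows for `privilege_escalation_root_crontab_filemod.toml` and for each of the `rules/network/*` files that gain `from = "now-9m"` later in this diff.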
@@ -1,13 +1,13 @@ [metadata] creation_date = "2020/12/18" maturity = "production" -updated_date = "2020/12/18" +updated_date = "2021/02/11" [rule] author = ["Elastic"] description = """ -An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a -malicious application instead of the intended one when invoked. +An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious +application instead of the intended one when invoked. """ from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] @@ -15,12 +15,16 @@ language = "kuery" license = "Elastic License" name = "Persistence via Docker Shortcut Modification" references = [ - "https://github.com/specterops/presentations/raw/master/Leo Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf", + """ + https://github.com/specterops/presentations/raw/master/Leo + Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf + """, ] risk_score = 47 rule_id = "c81cefcb-82b9-4408-a533-3c3df549e62d" severity = "medium" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"] +timestamp_override = "event.ingested" type = "query" query = ''' @@ -30,7 +34,6 @@ event.category : file and event.action : modification and ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -43,3 +46,4 @@ reference = "https://attack.mitre.org/techniques/T1543/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/macos/persistence_emond_rules_file_creation.toml b/rules/macos/persistence_emond_rules_file_creation.toml index 216ef5c03..414c4f700 100644 --- a/rules/macos/persistence_emond_rules_file_creation.toml +++ b/rules/macos/persistence_emond_rules_file_creation.toml 
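Review bot: The `references` entry is now a multi-line basic string, and TOML keeps the embedded newline and the leading indentation of every line inside such a string (only the newline directly after the opening `"""` is trimmed), so the stored value becomes `    https://…/Leo\n    Pitt/Hey_…pdf\n    ` rather than a URL and the reference link will not resolve wherever it is rendered. A line-ending backslash would not help either, because it trims all surrounding whitespace and would fuse `Leo` and `Pitt`. Keep the original single-line string, `"https://github.com/specterops/presentations/raw/master/Leo Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf",`, and exempt URL-valued fields from the line-wrap that produced this hunk; the description rewrap in this file's first hunk is harmless because that field is free text.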
@@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/11" maturity = "production" -updated_date = "2021/01/11" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -19,6 +19,7 @@ risk_score = 47 rule_id = "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90" severity = "medium" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"] +timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/macos/persistence_emond_rules_process_execution.toml b/rules/macos/persistence_emond_rules_process_execution.toml index bb0da753c..bc883ce9a 100644 --- a/rules/macos/persistence_emond_rules_process_execution.toml +++ b/rules/macos/persistence_emond_rules_process_execution.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/11" maturity = "production" -updated_date = "2021/01/11" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -20,6 +20,7 @@ risk_score = 47 rule_id = "3e3d15c6-1509-479a-b125-21718372157e" severity = "medium" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution", "Persistence"] +timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/macos/persistence_enable_root_account.toml b/rules/macos/persistence_enable_root_account.toml index 8e8c24475..62052f91c 100644 --- a/rules/macos/persistence_enable_root_account.toml +++ b/rules/macos/persistence_enable_root_account.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/01/04" maturity = "production" -updated_date = "2020/01/04" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -19,6 +19,7 @@ risk_score = 47 rule_id = "cc2fd2d0-ba3a-4939-b87f-2901764ed036" severity = "medium" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"] +timestamp_override = "event.ingested" type = "query" query = ''' diff --git a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml index 1ee247a7c..b3fa8a5fd 100644 
--- a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml +++ b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/01/05" maturity = "production" -updated_date = "2020/01/05" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -21,6 +21,7 @@ risk_score = 47 rule_id = "092b068f-84ac-485d-8a55-7dd9e006715f" severity = "medium" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence", "Defense Evasion"] +timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/macos/persistence_loginwindow_plist_modification.toml b/rules/macos/persistence_loginwindow_plist_modification.toml index 477c43a57..86d01d908 100644 --- a/rules/macos/persistence_loginwindow_plist_modification.toml +++ b/rules/macos/persistence_loginwindow_plist_modification.toml @@ -1,12 +1,13 @@ [metadata] creation_date = "2021/01/21" maturity = "production" -updated_date = "2021/01/21" +updated_date = "2021/02/11" [rule] author = ["Elastic"] description = """ -Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence. +Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to +run a program during system boot or user login for persistence. """ from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] @@ -19,6 +20,7 @@ risk_score = 47 rule_id = "ac412404-57a5-476f-858f-4e8fbb4f48d8" severity = "medium" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"] +timestamp_override = "event.ingested" type = "query" query = ''' @@ -45,3 +47,4 @@ reference = "https://attack.mitre.org/techniques/T1547/011/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + 
diff --git a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml index e30154fec..28b58049d 100644 --- a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml +++ b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml @@ -1,13 +1,13 @@ [metadata] creation_date = "2020/12/23" maturity = "production" -updated_date = "2020/02/11" +updated_date = "2021/02/11" [rule] author = ["Elastic"] description = """ -Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time -the Sublime application is started. +Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the +Sublime application is started. """ from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] @@ -19,6 +19,7 @@ risk_score = 21 rule_id = "88817a33-60d3-411f-ba79-7c905d865b2a" severity = "low" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"] +timestamp_override = "event.ingested" type = "eql" query = ''' @@ -36,7 +37,6 @@ file where event.type in ("change", "creation") and file.extension : "py" and "/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper", "/Applications/Sublime Text.app/Contents/MacOS/plugin_host" ) - ''' @@ -52,3 +52,4 @@ reference = "https://attack.mitre.org/techniques/T1554/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml index a87e75515..21909f3f1 100644 --- a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml +++ b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml 
@@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/21" maturity = "production" -updated_date = "2021/01/21" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -23,6 +23,7 @@ risk_score = 21 rule_id = "48ec9452-e1fd-4513-a376-10a1a26d2c83" severity = "low" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"] +timestamp_override = "event.ingested" type = "query" query = ''' diff --git a/rules/macos/persistence_suspicious_calendar_modification.toml b/rules/macos/persistence_suspicious_calendar_modification.toml index 768e20a77..83ef049fd 100644 --- a/rules/macos/persistence_suspicious_calendar_modification.toml +++ b/rules/macos/persistence_suspicious_calendar_modification.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/19" maturity = "production" -updated_date = "2021/01/19" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -24,6 +24,7 @@ risk_score = 47 rule_id = "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51" severity = "medium" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"] +timestamp_override = "event.ingested" type = "query" query = ''' @@ -54,3 +55,4 @@ reference = "https://attack.mitre.org/techniques/T1546/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/macos/persistence_via_atom_init_file_modification.toml b/rules/macos/persistence_via_atom_init_file_modification.toml index b984c34c4..00cf2ad52 100644 --- a/rules/macos/persistence_via_atom_init_file_modification.toml +++ b/rules/macos/persistence_via_atom_init_file_modification.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/21" maturity = "production" -updated_date = "2021/01/21" +updated_date = "2021/02/11" [rule] author = ["Elastic"] 
@@ -22,9 +22,11 @@ risk_score = 21 rule_id = "b4449455-f986-4b5a-82ed-e36b129331f7" severity = "low" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"] +timestamp_override = "event.ingested" type = "query" query = ''' event.category:"file" and not event.type:"deletion" and file.path:/Users/*/.atom/init.coffee and not process.name:(Atom or xpcproxy) and not user.name:root ''' + diff --git a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml index cc6659e35..cc745a614 100644 --- a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml +++ b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/27" maturity = "production" -updated_date = "2020/12/27" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -19,6 +19,7 @@ risk_score = 47 rule_id = "827f8d8f-4117-4ae4-b551-f56d54b9da6b" severity = "medium" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution", "Privilege Escalation"] +timestamp_override = "event.ingested" type = "eql" query = ''' @@ -51,3 +52,4 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml index 09c78d64c..a810cde3c 100644 --- a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml +++ b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/07" maturity = "production" -updated_date = "2021/01/25" +updated_date = "2021/02/11" [rule] author = ["Elastic"] 
@@ -23,6 +23,7 @@ risk_score = 47 rule_id = "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1" severity = "medium" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution", "Privilege Escalation"] +timestamp_override = "event.ingested" type = "query" query = ''' diff --git a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml index e65eb3c9f..929abb69a 100644 --- a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml +++ b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/19" maturity = "production" -updated_date = "2021/01/19" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -23,6 +23,7 @@ risk_score = 73 rule_id = "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7" severity = "high" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Privilege Escalation"] +timestamp_override = "event.ingested" type = "query" query = ''' @@ -52,3 +53,4 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/macos/privilege_escalation_local_user_added_to_admin.toml b/rules/macos/privilege_escalation_local_user_added_to_admin.toml index f05951ebc..182674e8c 100644 --- a/rules/macos/privilege_escalation_local_user_added_to_admin.toml +++ b/rules/macos/privilege_escalation_local_user_added_to_admin.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/01/05" maturity = "production" -updated_date = "2020/01/05" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -19,6 +19,7 @@ risk_score = 47 rule_id = "565c2b44-7a21-4818-955f-8d4737967d2e" severity = "medium" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Privilege Escalation"] +timestamp_override = "event.ingested" type = "query" query = ''' 
@@ -44,3 +45,4 @@ reference = "https://attack.mitre.org/techniques/T1078/003/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/macos/privilege_escalation_root_crontab_filemod.toml b/rules/macos/privilege_escalation_root_crontab_filemod.toml index 4cfa1dde0..87399c5f8 100644 --- a/rules/macos/privilege_escalation_root_crontab_filemod.toml +++ b/rules/macos/privilege_escalation_root_crontab_filemod.toml @@ -22,6 +22,7 @@ risk_score = 73 rule_id = "0ff84c42-873d-41a2-a4ed-08d74d352d01" severity = "high" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Privilege Escalation"] +timestamp_override = "event.ingested" type = "query" query = ''' diff --git a/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml b/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml index 01031aafa..a8f599fd9 100644 --- a/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml +++ b/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml @@ -21,6 +21,7 @@ false_positives = [ server that has no known associated FTP workflow or business requirement is often suspicious. """, ] +from = "now-9m" index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml b/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml index 51ad5dd05..57d5d36f1 100644 --- a/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml +++ b/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml 
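Review bot: `from = "now-9m"` widens the FTP rule's lookback, but that window is computed against whichever field the rule's timestamp setting names, and no `timestamp_override` appears in this hunk (the `[rule]` lines where it would sit are outside it); if the network rules lack it, the wider window only catches events whose `@timestamp` is late, not events delayed in the `filebeat-*`/`packetbeat-*` pipeline, which is what the host rules in this diff pair the lookback with via `timestamp_override = "event.ingested"`. Confirm either that these rules already set it or that the omission is deliberate. The same applies to every other `rules/network/*` hunk in this diff.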
@@ -20,6 +20,7 @@ false_positives = [ and usually only appears in local traffic using private IPs, which does not match this rule's conditions. """, ] +from = "now-9m" index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml index 9a4b82577..72bf51ec5 100644 --- a/rules/network/command_and_control_nat_traversal_port_activity.toml +++ b/rules/network/command_and_control_nat_traversal_port_activity.toml @@ -19,6 +19,7 @@ false_positives = [ port in the range by coincidence. This is uncommon but such servers can be excluded. """, ] +from = "now-9m" index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml index 809addd84..be3cf6d4d 100644 --- a/rules/network/command_and_control_port_26_activity.toml +++ b/rules/network/command_and_control_port_26_activity.toml @@ -16,6 +16,7 @@ false_positives = [ expected behavior. """, ] +from = "now-9m" index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/network/command_and_control_port_8000_activity_to_the_internet.toml b/rules/network/command_and_control_port_8000_activity_to_the_internet.toml index 5c2feb1c9..1511eb394 100644 --- a/rules/network/command_and_control_port_8000_activity_to_the_internet.toml +++ b/rules/network/command_and_control_port_8000_activity_to_the_internet.toml @@ -19,6 +19,7 @@ false_positives = [ this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet. """, ] +from = "now-9m" index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" 
diff --git a/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml b/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml index c0132a80b..397691fac 100644 --- a/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml +++ b/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml @@ -18,6 +18,7 @@ false_positives = [ be excluded. """, ] +from = "now-9m" index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml b/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml index 77b5dbe62..868514420 100644 --- a/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml +++ b/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml @@ -22,6 +22,7 @@ false_positives = [ port in the range by coincidence. In this case, such servers can be excluded if desired. """, ] +from = "now-9m" index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml index a019bbb56..8be8972b6 100644 --- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml +++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml @@ -21,6 +21,7 @@ false_positives = [ not unexpected. """, ] +from = "now-9m" index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/network/command_and_control_smtp_to_the_internet.toml b/rules/network/command_and_control_smtp_to_the_internet.toml index a965bd378..a9cccfa03 100644 
--- a/rules/network/command_and_control_smtp_to_the_internet.toml +++ b/rules/network/command_and_control_smtp_to_the_internet.toml @@ -17,6 +17,7 @@ false_positives = [ case, such devices or networks can be excluded from this rule if this is expected behavior. """, ] +from = "now-9m" index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml b/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml index e5c1877af..519e60f9a 100644 --- a/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml +++ b/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml @@ -18,6 +18,7 @@ false_positives = [ database instances are accessed directly across the Internet. """, ] +from = "now-9m" index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml b/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml index 837bd94cf..00b44fd59 100644 --- a/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml +++ b/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml @@ -21,6 +21,7 @@ false_positives = [ not unexpected. """, ] +from = "now-9m" index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml b/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml index a8764cae2..d46b6d4f5 100644 --- a/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml +++ b/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml 
@@ -20,6 +20,7 @@ false_positives = [ unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious. """, ] +from = "now-9m" index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/network/command_and_control_telnet_port_activity.toml b/rules/network/command_and_control_telnet_port_activity.toml index 4c7c4ec73..0dd4b0bc8 100644 --- a/rules/network/command_and_control_telnet_port_activity.toml +++ b/rules/network/command_and_control_telnet_port_activity.toml @@ -20,6 +20,7 @@ false_positives = [ server that has no known associated Telnet work-flow or business requirement is often suspicious. """, ] +from = "now-9m" index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/network/command_and_control_tor_activity_to_the_internet.toml b/rules/network/command_and_control_tor_activity_to_the_internet.toml index af716f030..f6e481d8e 100644 --- a/rules/network/command_and_control_tor_activity_to_the_internet.toml +++ b/rules/network/command_and_control_tor_activity_to_the_internet.toml @@ -18,6 +18,7 @@ false_positives = [ this case, such servers can be excluded if desired. """, ] +from = "now-9m" index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml index 7a5de5d23..6864a1c8f 100644 --- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml +++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml 
@@ -19,6 +19,7 @@ false_positives = [ that is unfamiliar to server or network owners can be unexpected and suspicious. """, ] +from = "now-9m" index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml index aa83ab10c..9d353f595 100644 --- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml +++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml @@ -19,6 +19,7 @@ false_positives = [ that is unfamiliar to server or network owners can be unexpected and suspicious. """, ] +from = "now-9m" index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml b/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml index 560d49396..380ff23b6 100644 --- a/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml +++ b/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml @@ -20,6 +20,7 @@ false_positives = [ unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious. """, ] +from = "now-9m" index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml index f10e861cb..97e78c5ac 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml +++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml 
@@ -11,6 +11,7 @@ system administrators to remotely control a system for maintenance or to use sha directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. """ +from = "now-9m" index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml index 7dab0942f..48095a8cc 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml +++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml @@ -11,6 +11,7 @@ system administrators to remotely control a system for maintenance or to use sha directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector. """ +from = "now-9m" index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml index 958aa350a..c3bb513fd 100644 --- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml +++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml @@ -11,6 +11,7 @@ the Internet. SMB is commonly used within networks to share files, printers, and systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector or for data exfiltration. """ +from = "now-9m" index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" 
diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml index 90292fcc4..b10370eed 100644 --- a/rules/windows/collection_email_powershell_exchange_mailbox.toml +++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml @@ -10,6 +10,7 @@ Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information. """ false_positives = ["Legitimate exchange system administration activity."] +from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" diff --git a/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml index 14e2ece1c..bdf129a62 100644 --- a/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml +++ b/rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml @@ -10,6 +10,7 @@ Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a n Adversaries may target user email to collect sensitive information. """ false_positives = ["Legitimate exchange system administration activity."] +from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml index 2b0e61660..cfd60d2e0 100644 --- a/rules/windows/collection_winrar_encryption.toml +++ b/rules/windows/collection_winrar_encryption.toml 
@@ -9,6 +9,7 @@ description = """ Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration. """ +from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" diff --git a/rules/windows/command_and_control_certutil_network_connection.toml b/rules/windows/command_and_control_certutil_network_connection.toml index 656a334db..089f2adf1 100644 --- a/rules/windows/command_and_control_certutil_network_connection.toml +++ b/rules/windows/command_and_control_certutil_network_connection.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/03/19" maturity = "production" -updated_date = "2020/01/28" +updated_date = "2021/01/28" [rule] author = ["Elastic"] diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml index 03cebc83e..97979c244 100644 --- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml +++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/11" maturity = "production" -updated_date = "2020/01/28" +updated_date = "2021/01/28" [rule] author = ["Elastic"] diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml index 41e326b31..8bdbcc217 100644 --- a/rules/windows/command_and_control_remote_file_copy_powershell.toml +++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/30" maturity = "production" -updated_date = "2020/01/28" +updated_date = "2021/01/28" [rule] author = ["Elastic"] 
@@ -34,12 +34,11 @@ id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -52,6 +51,7 @@ name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml index 5d14d0e60..daa927cda 100644 --- a/rules/windows/credential_access_mod_wdigest_security_provider.toml +++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/19" maturity = "production" -updated_date = "2020/01/28" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -24,6 +24,7 @@ risk_score = 73 rule_id = "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5" severity = "high" tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"] +timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml index 388c98a1c..07add6f58 100644 --- a/rules/windows/credential_access_saved_creds_vaultcmd.toml +++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/19" maturity = "production" -updated_date = "2020/01/28" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -23,6 +23,7 @@ risk_score = 47 rule_id = "be8afaed-4bcd-4e0a-b5f9-5562003dde81" severity = "medium" tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"] +timestamp_override = "event.ingested" type = "eql" query = ''' 
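Review bot: credential_access_mod_wdigest_security_provider.toml and credential_access_saved_creds_vaultcmd.toml are `type = "eql"` rules, and `timestamp_override` was introduced for the query rule type; whether the EQL executor honours it in the Kibana release these rules target should be confirmed before relying on it, otherwise the new line is a no-op and the rule keeps scheduling against `@timestamp`. Recording the minimum Kibana version the override assumes in the commit message or rule docs would spare the next reader the same check.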
diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml index a8cbb375c..a4e8b1e16 100644 --- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/12" maturity = "production" -updated_date = "2020/01/28" +updated_date = "2021/02/11" [rule] author = ["Elastic", "Anabella Cristaldi"] @@ -18,6 +18,7 @@ risk_score = 21 rule_id = "45ac4800-840f-414c-b221-53dd36a5aaf7" severity = "low" tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"] +timestamp_override = "event.ingested" type = "query" query = ''' diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml index ec43ec64a..e2caba391 100644 --- a/rules/windows/defense_evasion_create_mod_root_certificate.toml +++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/02/01" maturity = "production" -updated_date = "2021/02/01" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -24,6 +24,7 @@ risk_score = 21 rule_id = "203ab79b-239b-4aa5-8e54-fc50623ee8e4" severity = "low" tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"] +timestamp_override = "event.ingested" type = "eql" query = ''' @@ -55,3 +56,4 @@ reference = "https://attack.mitre.org/techniques/T1553/004/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml index 6c4969f1d..6c64d84f2 100644 --- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml 
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/23" maturity = "production" -updated_date = "2021/02/08" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -20,6 +20,7 @@ risk_score = 21 rule_id = "2ffa1f1e-b6db-47fa-994b-1512743847eb" severity = "low" tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"] +timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml b/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml index bc1c0e160..627b8d36a 100644 --- a/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml +++ b/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml @@ -7,6 +7,7 @@ updated_date = "2021/02/16" author = ["Elastic"] description = "Identifies possibly suspicious activity using trusted Windows developer activity." false_positives = ["These programs may be used by Windows developers but use by non-engineers is unusual."] +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml index 84aec1be2..743f0f86f 100644 --- a/rules/windows/defense_evasion_file_creation_mult_extension.toml +++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/19" maturity = "production" -updated_date = "2020/01/28" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -19,6 +19,7 @@ risk_score = 47 rule_id = "8b2b3a62-a598-4293-bc14-3d5fa22bb98f" severity = "medium" tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"] +timestamp_override = "event.ingested" type = "eql" query = ''' 
diff --git a/rules/windows/defense_evasion_installutil_beacon.toml b/rules/windows/defense_evasion_installutil_beacon.toml index c4123749e..f6054c95f 100644 --- a/rules/windows/defense_evasion_installutil_beacon.toml +++ b/rules/windows/defense_evasion_installutil_beacon.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/02" maturity = "production" -updated_date = "2020/01/28" +updated_date = "2021/01/28" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml index 586c67f7f..d3ad8e5f0 100644 --- a/rules/windows/defense_evasion_masquerading_werfault.toml +++ b/rules/windows/defense_evasion_masquerading_werfault.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/08/24" maturity = "production" -updated_date = "2020/01/28" +updated_date = "2021/01/28" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml index 3432bf084..e3998e6d1 100644 --- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml +++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/01/28" +updated_date = "2021/01/28" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml index 868607270..017ef04c4 100644 --- a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml +++ b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/02" maturity = "development" -updated_date = "2020/01/28" +updated_date = "2021/01/28" [rule] author = ["Elastic"] 
diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml index 4ec6b268e..7bcb73239 100644 --- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml +++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/01/28" +updated_date = "2021/01/28" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml index faa3b2740..67bfc9df4 100644 --- a/rules/windows/defense_evasion_mshta_beacon.toml +++ b/rules/windows/defense_evasion_mshta_beacon.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/02" maturity = "production" -updated_date = "2020/01/28" +updated_date = "2021/01/28" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_mshta_making_network_connections.toml b/rules/windows/defense_evasion_mshta_making_network_connections.toml index 6081de486..f11bc5049 100644 --- a/rules/windows/defense_evasion_mshta_making_network_connections.toml +++ b/rules/windows/defense_evasion_mshta_making_network_connections.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "development" -updated_date = "2020/01/28" +updated_date = "2021/01/28" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_msxsl_beacon.toml b/rules/windows/defense_evasion_msxsl_beacon.toml index 6f11678d8..733ddfd17 100644 --- a/rules/windows/defense_evasion_msxsl_beacon.toml +++ b/rules/windows/defense_evasion_msxsl_beacon.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/02" maturity = "development" -updated_date = "2020/01/28" +updated_date = "2021/01/28" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_msxsl_network.toml b/rules/windows/defense_evasion_msxsl_network.toml index 1360c7ed1..610332803 100644 
--- a/rules/windows/defense_evasion_msxsl_network.toml +++ b/rules/windows/defense_evasion_msxsl_network.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/03/18" maturity = "production" -updated_date = "2020/01/28" +updated_date = "2021/01/28" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml index 1be23e6f7..7f10d9b03 100644 --- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml +++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/02" maturity = "production" -updated_date = "2020/01/28" +updated_date = "2021/01/28" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_potential_processherpaderping.toml b/rules/windows/defense_evasion_potential_processherpaderping.toml index 6dc366f16..3d53839ab 100644 --- a/rules/windows/defense_evasion_potential_processherpaderping.toml +++ b/rules/windows/defense_evasion_potential_processherpaderping.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/10/27" maturity = "production" -updated_date = "2020/01/28" +updated_date = "2021/01/28" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_reg_beacon.toml b/rules/windows/defense_evasion_reg_beacon.toml index ed5e0d065..c690524fd 100644 --- a/rules/windows/defense_evasion_reg_beacon.toml +++ b/rules/windows/defense_evasion_reg_beacon.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/02" maturity = "development" -updated_date = "2020/01/28" +updated_date = "2021/01/28" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml index 5fc458d38..44931dfb3 100644 --- a/rules/windows/defense_evasion_rundll32_no_arguments.toml +++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml 
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/02" maturity = "production" -updated_date = "2020/01/28" +updated_date = "2021/01/28" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_sip_provider_mod.toml b/rules/windows/defense_evasion_sip_provider_mod.toml index 86011885d..39d09e298 100644 --- a/rules/windows/defense_evasion_sip_provider_mod.toml +++ b/rules/windows/defense_evasion_sip_provider_mod.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/20" maturity = "production" -updated_date = "2020/01/28" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -20,6 +20,7 @@ risk_score = 47 rule_id = "f2c7b914-eda3-40c2-96ac-d23ef91776ca" severity = "medium" tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"] +timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_stop_process_service_threshold.toml b/rules/windows/defense_evasion_stop_process_service_threshold.toml index 7659ac891..95c2a25e4 100644 --- a/rules/windows/defense_evasion_stop_process_service_threshold.toml +++ b/rules/windows/defense_evasion_stop_process_service_threshold.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/03" maturity = "production" -updated_date = "2020/01/28" +updated_date = "2021/01/28" [rule] author = ["Elastic"] @@ -38,12 +38,12 @@ name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.threshold] field = "host.id" value = 10 diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml index bab116c9f..71e8db4d5 100644 --- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml +++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml 
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/02" maturity = "production" -updated_date = "2020/01/28" +updated_date = "2021/01/28" [rule] author = ["Elastic"] @@ -47,3 +47,4 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml index 556d2b18c..3c9f36c79 100644 --- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml +++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/21" maturity = "production" -updated_date = "2021/01/21" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -18,6 +18,7 @@ risk_score = 47 rule_id = "71bccb61-e19b-452f-b104-79a60e546a95" severity = "medium" tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"] +timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml index 069de2eed..dadb97c65 100644 --- a/rules/windows/defense_evasion_unusual_dir_ads.toml +++ b/rules/windows/defense_evasion_unusual_dir_ads.toml @@ -9,6 +9,7 @@ description = """ Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware. """ +from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml index 27e9cd596..5510f1ed4 100644 --- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml +++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml 
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/01/28" +updated_date = "2021/01/28" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml index 32e0879b4..5c4aa21e2 100644 --- a/rules/windows/defense_evasion_unusual_process_network_connection.toml +++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2020/01/28" +updated_date = "2021/01/28" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml index b1c597e32..0e849b06d 100644 --- a/rules/windows/defense_evasion_via_filter_manager.toml +++ b/rules/windows/defense_evasion_via_filter_manager.toml @@ -9,6 +9,7 @@ description = """ The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml index ef9160b66..96a3e6300 100644 --- a/rules/windows/discovery_admin_recon.toml +++ b/rules/windows/discovery_admin_recon.toml @@ -9,6 +9,7 @@ description = """ Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools. """ +from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" diff --git a/rules/windows/discovery_file_dir_discovery.toml b/rules/windows/discovery_file_dir_discovery.toml index 5b5a0fbea..13db60d5a 100644 --- a/rules/windows/discovery_file_dir_discovery.toml 
+++ b/rules/windows/discovery_file_dir_discovery.toml @@ -16,6 +16,7 @@ false_positives = [ noise and exclude any known FP's from the rule. """, ] +from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" @@ -53,3 +54,4 @@ reference = "https://attack.mitre.org/techniques/T1083/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/windows/discovery_net_view.toml b/rules/windows/discovery_net_view.toml index 11af912a9..2a2620c62 100644 --- a/rules/windows/discovery_net_view.toml +++ b/rules/windows/discovery_net_view.toml @@ -6,6 +6,7 @@ updated_date = "2021/02/16" [rule] author = ["Elastic"] description = "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool." +from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml index 136be8ba9..9e190c891 100644 --- a/rules/windows/discovery_peripheral_device.toml +++ b/rules/windows/discovery_peripheral_device.toml @@ -9,6 +9,7 @@ description = """ Identifies use of the Windows file system utility (fsutil.exe ) to gather information about attached peripheral devices and components connected to a computer system. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" diff --git a/rules/windows/discovery_process_discovery_via_tasklist_command.toml b/rules/windows/discovery_process_discovery_via_tasklist_command.toml index b92201c6c..394835d76 100644 --- a/rules/windows/discovery_process_discovery_via_tasklist_command.toml +++ b/rules/windows/discovery_process_discovery_via_tasklist_command.toml 
@@ -13,6 +13,7 @@ false_positives = [ tasklist to get information about running processes. """, ] +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/discovery_query_registry_via_reg.toml b/rules/windows/discovery_query_registry_via_reg.toml index e4f6f540c..7b7589dab 100644 --- a/rules/windows/discovery_query_registry_via_reg.toml +++ b/rules/windows/discovery_query_registry_via_reg.toml @@ -9,6 +9,7 @@ description = """ Enumeration or discovery of the Windows registry using reg.exe. This information can be used to perform follow-on activities. """ +from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" diff --git a/rules/windows/discovery_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_remote_system_discovery_commands_windows.toml index 01a5f3954..d95e8508b 100644 --- a/rules/windows/discovery_remote_system_discovery_commands_windows.toml +++ b/rules/windows/discovery_remote_system_discovery_commands_windows.toml @@ -6,6 +6,7 @@ updated_date = "2021/02/16" [rule] author = ["Elastic"] description = "Discovery of remote system information using built-in commands, which may be used to mover laterally." +from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml index 3a27b7961..3ebb86e21 100644 --- a/rules/windows/discovery_whoami_command_activity.toml +++ b/rules/windows/discovery_whoami_command_activity.toml @@ -15,6 +15,7 @@ false_positives = [ frameworks. Usage by non-engineers and ordinary users is unusual. """, ] +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" 
diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml
index 025de6c12..003b6bd8e 100644
--- a/rules/windows/execution_com_object_xwizard.toml
+++ b/rules/windows/execution_com_object_xwizard.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/20"
 maturity = "production"
-updated_date = "2021/01/20"
+updated_date = "2021/02/11"
 
 [rule]
 author = ["Elastic"]
@@ -23,6 +23,7 @@ risk_score = 47
 rule_id = "1a6075b0-7479-450e-8fe7-b8b8438ac570"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
index 4635dc443..13ca18065 100644
--- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
+++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/01/28"
+updated_date = "2021/01/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_downloaded_shortcut_files.toml b/rules/windows/execution_downloaded_shortcut_files.toml
index 345c155e4..cd7dff492 100644
--- a/rules/windows/execution_downloaded_shortcut_files.toml
+++ b/rules/windows/execution_downloaded_shortcut_files.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 maturity = "development"
 query_schema_validation = false
-updated_date = "2020/01/28"
+updated_date = "2021/01/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml
index 30652c94a..ea00370ec 100644
--- a/rules/windows/execution_downloaded_url_file.toml
+++ b/rules/windows/execution_downloaded_url_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 maturity = "development"
 query_schema_validation = false
-updated_date = "2020/01/28"
+updated_date = "2021/01/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml
index 1ad6808da..4b2863676 100644
--- a/rules/windows/execution_enumeration_via_wmiprvse.toml
+++ b/rules/windows/execution_enumeration_via_wmiprvse.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2020/01/28"
+updated_date = "2021/02/11"
 
 [rule]
 author = ["Elastic"]
@@ -18,6 +18,7 @@ risk_score = 21
 rule_id = "770e0c4d-b998-41e5-a62e-c7901fd7f470"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
index 37b5ff7aa..d566fab5f 100644
--- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/01/28"
+updated_date = "2021/01/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml
index c09174161..56a6591f4 100644
--- a/rules/windows/execution_ms_office_written_file.toml
+++ b/rules/windows/execution_ms_office_written_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2020/01/28"
+updated_date = "2021/01/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml
index 816cd25db..e298228db 100644
--- a/rules/windows/execution_pdf_written_file.toml
+++ b/rules/windows/execution_pdf_written_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2020/01/28"
+updated_date = "2021/01/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml
index e856870df..21397ef87 100644
--- a/rules/windows/execution_psexec_lateral_movement_command.toml
+++ b/rules/windows/execution_psexec_lateral_movement_command.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/01/28"
+updated_date = "2021/01/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index 2eba386be..3e764952a 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/01/28"
+updated_date = "2021/01/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml
index 208162588..880452c02 100644
--- a/rules/windows/execution_scheduled_task_powershell_source.toml
+++ b/rules/windows/execution_scheduled_task_powershell_source.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/15"
 maturity = "production"
-updated_date = "2020/01/28"
+updated_date = "2021/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -43,3 +43,4 @@ reference = "https://attack.mitre.org/techniques/T1053/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml index 8e6b02631..2adf32ac8 100644 --- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml +++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml @@ -10,6 +10,7 @@ Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processe adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from MS Office products. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" @@ -44,3 +45,4 @@ reference = "https://attack.mitre.org/techniques/T1047/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml index d121547e4..05e9e6338 100644 --- a/rules/windows/execution_via_compiled_html_file.toml +++ b/rules/windows/execution_via_compiled_html_file.toml @@ -17,6 +17,7 @@ false_positives = [ to conceal malicious code. """, ] +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml index c610fd30e..bedb9d1ea 100644 --- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml +++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml 
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/27" maturity = "production" -updated_date = "2020/01/28" +updated_date = "2021/01/28" [rule] author = ["Elastic"] @@ -68,3 +68,4 @@ reference = "https://attack.mitre.org/techniques/T1566/001/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/windows/initial_access_unusual_dns_service_children.toml b/rules/windows/initial_access_unusual_dns_service_children.toml index 2e7e3330c..807167f1f 100644 --- a/rules/windows/initial_access_unusual_dns_service_children.toml +++ b/rules/windows/initial_access_unusual_dns_service_children.toml @@ -16,6 +16,7 @@ false_positives = [ to spawn. """, ] +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/initial_access_unusual_dns_service_file_writes.toml b/rules/windows/initial_access_unusual_dns_service_file_writes.toml index 9a317bf33..539d98ecc 100644 --- a/rules/windows/initial_access_unusual_dns_service_file_writes.toml +++ b/rules/windows/initial_access_unusual_dns_service_file_writes.toml @@ -9,6 +9,7 @@ description = """ Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml index 39308c844..e0c8962c2 100644 --- a/rules/windows/lateral_movement_cmd_service.toml +++ b/rules/windows/lateral_movement_cmd_service.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/02" maturity = "production" -updated_date = "2020/01/28" +updated_date = "2021/01/28" [rule] author = ["Elastic"] 
@@ -76,3 +76,4 @@ reference = "https://attack.mitre.org/techniques/T1569/002/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml
index 5eac56b19..a9f338187 100644
--- a/rules/windows/lateral_movement_dcom_hta.toml
+++ b/rules/windows/lateral_movement_dcom_hta.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2020/01/28"
+updated_date = "2021/01/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml
index bb0b641e2..5292f3af9 100644
--- a/rules/windows/lateral_movement_dcom_mmc20.toml
+++ b/rules/windows/lateral_movement_dcom_mmc20.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2020/01/28"
+updated_date = "2021/01/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
index 75eaa527a..c57204513 100644
--- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
+++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2020/01/28"
+updated_date = "2021/01/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
index 3f0d413ff..78e50ca81 100644
--- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
+++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2020/01/28"
+updated_date = "2021/01/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
index 23cfaf3be..628282b72 100644
--- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
+++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/10"
 maturity = "production"
-updated_date = "2020/01/28"
+updated_date = "2021/01/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
index 468b820aa..8a277253f 100644
--- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
+++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2020/01/28"
+updated_date = "2021/01/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
index 78e58a4a6..036ba7b01 100644
--- a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
+++ b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2020/01/28"
+updated_date = "2021/01/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml
index 2329a1f09..5e03c626f 100644
--- a/rules/windows/lateral_movement_incoming_wmi.toml
+++ b/rules/windows/lateral_movement_incoming_wmi.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/15"
 maturity = "production"
-updated_date = "2020/01/28"
+updated_date = "2021/01/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_rdp_sharprdp_target.toml b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
index 27c319f0e..1d1952dcb 100644
--- a/rules/windows/lateral_movement_rdp_sharprdp_target.toml
+++ b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/11"
 maturity = "production"
-updated_date = "2020/01/28"
+updated_date = "2021/01/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml
index e83f1a590..05a31c30d 100644
--- a/rules/windows/lateral_movement_remote_services.toml
+++ b/rules/windows/lateral_movement_remote_services.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/16"
 maturity = "production"
-updated_date = "2020/01/28"
+updated_date = "2021/01/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml
index 8047fa05c..f6aa1d9b9 100644
--- a/rules/windows/lateral_movement_scheduled_task_target.toml
+++ b/rules/windows/lateral_movement_scheduled_task_target.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
-updated_date = "2020/01/28"
+updated_date = "2021/01/28"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml
index 1f154763c..193b3c6c7 100644
--- a/rules/windows/persistence_app_compat_shim.toml
+++ b/rules/windows/persistence_app_compat_shim.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2020/01/28"
+updated_date = "2021/01/28"
 
 [rule]
 author = ["Elastic"]
@@ -46,3 +46,4 @@ reference = "https://attack.mitre.org/techniques/T1546/011/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml index 68e37ddfa..2b8b07a92 100644 --- a/rules/windows/persistence_appcertdlls_registry.toml +++ b/rules/windows/persistence_appcertdlls_registry.toml @@ -9,6 +9,7 @@ description = """ Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml index d9b827f93..1a84aadf8 100644 --- a/rules/windows/persistence_appinitdlls_registry.toml +++ b/rules/windows/persistence_appinitdlls_registry.toml @@ -9,6 +9,7 @@ description = """ Attackers may maintain persistence by creating registry keys using AppInit DLLs. AppInit DLLs are loaded by every process using the common library, user32.dll. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml index 7aa8dd579..a8201cd6b 100644 --- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml +++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/18" maturity = "production" -updated_date = "2021/02/04" +updated_date = "2021/02/11" [rule] author = ["Elastic"] 
@@ -23,6 +23,7 @@ risk_score = 73 rule_id = "2edc8076-291e-41e9-81e4-e3fcbc97ae5e" severity = "high" tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Persistence"] +timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml index 119d7e27c..d0bd9b3bb 100644 --- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml +++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml @@ -9,6 +9,7 @@ description = """ The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml index 922b0ed48..a5e7a6d43 100644 --- a/rules/windows/persistence_local_scheduled_task_scripting.toml +++ b/rules/windows/persistence_local_scheduled_task_scripting.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/29" maturity = "production" -updated_date = "2020/01/28" +updated_date = "2021/01/28" [rule] author = ["Elastic"] @@ -41,3 +41,4 @@ reference = "https://attack.mitre.org/techniques/T1053/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml index b3d30e2c8..d58852601 100644 --- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml +++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml 
@@ -10,6 +10,7 @@ Windows contains accessibility features that may be launched with a key combinat adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml index a2d7c8ac7..a6940a2ea 100644 --- a/rules/windows/persistence_registry_uncommon.toml +++ b/rules/windows/persistence_registry_uncommon.toml @@ -9,6 +9,7 @@ description = """ Detects changes to registry persistence keys that are uncommonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml index f05481acb..8419907d7 100644 --- a/rules/windows/persistence_run_key_and_startup_broad.toml +++ b/rules/windows/persistence_run_key_and_startup_broad.toml @@ -9,6 +9,7 @@ description = """ Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" diff --git a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml index 35ccdf84c..807d5e4c4 100644 --- a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml +++ b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml 
@@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/19" maturity = "production" -updated_date = "2020/01/28" +updated_date = "2021/02/16" [rule] author = ["Elastic"] @@ -9,6 +9,7 @@ description = """ Identifies execution of suspicious persistent programs (scripts, rundll32, etc.) by looking at process lineage and command line usage. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml index e8206cb9f..16666e812 100644 --- a/rules/windows/persistence_services_registry.toml +++ b/rules/windows/persistence_services_registry.toml @@ -10,6 +10,7 @@ Identifies processes modifying the services registry key directly, instead of th could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml index eb0870274..7f7fb59cd 100644 --- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml +++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml @@ -9,6 +9,7 @@ description = """ Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" 
diff --git a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml index 54a0a655a..b05ae0896 100644 --- a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml +++ b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/29" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2021/02/16" [rule] author = ["Elastic"] @@ -9,6 +9,7 @@ description = """ Identifies files written or modified in the startup folder by unsigned processes. Adversaries may abuse this technique to maintain persistence in an environment. """ +from = "now-9m" index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License" @@ -49,6 +50,7 @@ name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml index 3cb8528f7..4c7abad8f 100644 --- a/rules/windows/persistence_startup_folder_scripts.toml +++ b/rules/windows/persistence_startup_folder_scripts.toml @@ -6,6 +6,7 @@ updated_date = "2021/02/16" [rule] author = ["Elastic"] description = "Identifies script engines creating files in the startup folder, or the creation of script files in the startup folder." +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml index ce30a56e9..6274f54f8 100644 --- a/rules/windows/persistence_suspicious_com_hijack_registry.toml +++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml 
@@ -9,6 +9,7 @@ description = """ Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml index d2ad4f83b..d43fccce2 100644 --- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml +++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml @@ -11,6 +11,7 @@ adversarial activity where a scheduled task is configured via Windows Component be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" @@ -46,3 +47,4 @@ reference = "https://attack.mitre.org/techniques/T1053/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml index d289f528a..6e6e216f7 100644 --- a/rules/windows/persistence_suspicious_service_created_registry.toml +++ b/rules/windows/persistence_suspicious_service_created_registry.toml @@ -9,6 +9,7 @@ description = """ Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" 
diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml
index fc42eccc7..7663bfecd 100644
--- a/rules/windows/persistence_time_provider_mod.toml
+++ b/rules/windows/persistence_time_provider_mod.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2020/01/28"
+updated_date = "2021/02/11"
 
 [rule]
 author = ["Elastic"]
@@ -22,6 +22,7 @@ risk_score = 47
 rule_id = "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
+timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
index 12011b76b..14ca9546c 100644
--- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
+++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/09"
 maturity = "production"
-updated_date = "2021/02/10"
+updated_date = "2021/02/11"
 
 [rule]
 author = ["Elastic", "Skoetting"]
@@ -22,6 +22,7 @@ risk_score = 21
 rule_id = "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
+timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
diff --git a/rules/windows/persistence_user_account_creation_event_logs.toml b/rules/windows/persistence_user_account_creation_event_logs.toml
index 5af7a5d30..2869b4b4c 100644
--- a/rules/windows/persistence_user_account_creation_event_logs.toml
+++ b/rules/windows/persistence_user_account_creation_event_logs.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "development"
-updated_date = "2021/01/04"
+updated_date = "2021/02/11"
 
 [rule]
 author = ["Skoetting"]
@@ -24,6 +24,7 @@ risk_score = 21 rule_id = "38e17753-f581-4644-84da-0d60a8318694" severity = "low" tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"] +timestamp_override = "event.ingested" type = "query" query = ''' @@ -43,3 +44,4 @@ reference = "https://attack.mitre.org/techniques/T1136/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml index ca6733327..0a12cf275 100644 --- a/rules/windows/persistence_via_application_shimming.toml +++ b/rules/windows/persistence_via_application_shimming.toml @@ -10,6 +10,7 @@ The Application Shim was created to allow for backward compatibility of software changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License" diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml index 460d59685..950c1b785 100644 --- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml +++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml @@ -9,6 +9,7 @@ description = """ Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" 
diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml index 9e39562fd..43ab196a4 100644 --- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml +++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml @@ -10,6 +10,7 @@ An adversary can use Windows Management Instrumentation (WMI) to install event f bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. """ +from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License" diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml index 502b3dce6..6a14965bd 100644 --- a/rules/windows/privilege_escalation_disable_uac_registry.toml +++ b/rules/windows/privilege_escalation_disable_uac_registry.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/20" maturity = "production" -updated_date = "2021/01/20" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -25,6 +25,7 @@ risk_score = 47 rule_id = "d31f183a-e5b1-451b-8534-ba62bca0b404" severity = "medium" tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"] +timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/windows/privilege_escalation_lsa_auth_package.toml b/rules/windows/privilege_escalation_lsa_auth_package.toml index b59d5f26b..630cd9d0c 100644 --- a/rules/windows/privilege_escalation_lsa_auth_package.toml +++ b/rules/windows/privilege_escalation_lsa_auth_package.toml 
@@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/21" maturity = "production" -updated_date = "2021/01/21" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -19,6 +19,7 @@ risk_score = 47 rule_id = "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb" severity = "medium" tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"] +timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml index 97cdbbf83..703d1d3f4 100644 --- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml +++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml @@ -9,6 +9,7 @@ description = """ Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml index e19593f36..22b59b812 100644 --- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml +++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/01/07" maturity = "production" -updated_date = "2020/01/07" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -27,6 +27,7 @@ risk_score = 73 rule_id = "bfeaf89b-a2a7-48a3-817f-e41829dc61ee" severity = "high" tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Privilege Escalation"] +timestamp_override = "event.ingested" type = "eql" query = ''' 
@@ -86,3 +87,4 @@ reference = "https://attack.mitre.org/techniques/T1574/001/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml index 28a2a15c1..2da7cc36c 100644 --- a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml +++ b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/21" maturity = "production" -updated_date = "2021/01/21" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -20,6 +20,7 @@ risk_score = 47 rule_id = "8f3e91c7-d791-4704-80a1-42c160d7aa27" severity = "medium" tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"] +timestamp_override = "event.ingested" type = "eql" query = ''' @@ -49,8 +50,6 @@ reference = "https://attack.mitre.org/techniques/T1547/010/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml index 38c4a3577..49883e9f3 100644 --- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml +++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml @@ -9,6 +9,7 @@ description = """ Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges. """ +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License" diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index b4d5d02fb..9049fef8e 100644 
--- a/tests/test_all_rules.py
+++ b/tests/test_all_rules.py
@@ -11,6 +11,7 @@ import unittest
 from collections import defaultdict
 from pathlib import Path
 
+import eql
 import jsonschema
 import kql
 import toml
@@ -394,3 +395,65 @@ class TestRuleMetadata(unittest.TestCase):
 error_msg = f'{error_prefix} it is unnecessary to define the current latest ecs version if only ' \
 f'one version is specified: {latest_ecs}'
 self.assertNotIn(latest_ecs, ecs_versions, error_msg)
+
+ def test_updated_date_newer_than_creation(self):
+ """Test that the updated_date is newer than the creation date."""
+ rules = rule_loader.load_rules()
+ invalid = []
+
+ for rule in rules.values():
+ created = tuple(rule.metadata['creation_date'].split('/'))
+ updated = tuple(rule.metadata['updated_date'].split('/'))
+ if updated < created:
+ invalid.append(rule)
+
+ if invalid:
+ rules_str = '\n '.join(f'{r.id} - {r.name}' for r in invalid)
+ err_msg = f'The following rules have an updated_date older than the creation_date\n {rules_str}'
+ self.fail(err_msg)
+
+
+class TestTuleTiming(unittest.TestCase):
+ """Test rule timing and timestamps."""
+
+ def test_event_override(self):
+ """Test that rules have defined an timestamp_override if needed."""
+ rules = rule_loader.load_rules()
+ missing = []
+
+ for rule in rules.values():
+ required = False
+
+ if 'endgame-*' in rule.contents.get('index', []):
+ continue
+
+ if rule.type == 'query':
+ required = True
+ elif rule.type == 'eql' and eql.utils.get_query_type(rule.parsed_query) != 'sequence':
+ required = True
+
+ if required and not rule.contents.get('timestamp_override', '') == 'event.ingested':
+ missing.append(rule)
+
+ if missing:
+ rules_str = '\n '.join(f'{r.id} - {r.name}' for r in missing)
+ err_msg = f'The following rules should have the `timestamp_override` set to `event.ingested`\n {rules_str}'
+ self.fail(err_msg)
+
+ def test_required_lookback(self):
+ """Ensure endpoint rules have the proper lookback time."""
+ rule_types = ('query', 'eql', 'threshold')
+ long_indexes = {'logs-endpoint.events.*'}
+ rules = rule_loader.load_rules()
+ missing = []
+
+ for rule in rules.values():
+ contents = rule.contents
+
+ if rule.type in rule_types and
set(contents.get('index', [])) & long_indexes and not contents.get('from'):
+ missing.append(rule)
+
+ if missing:
+ rules_str = '\n '.join(f'{r.id} - {r.name}' for r in missing)
+ err_msg = f'The following rules should have a longer `from` defined, due to indexes used\n {rules_str}'
+ self.fail(err_msg)
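Review bot: `test_required_lookback` only checks that `from` is present (`not contents.get('from')`), so a rule with `from = "now-1m"` passes even though the failure message promises a "longer `from`"; parsing the relative value and comparing it against a minimum constant defined in the test would make the check enforce what it claims. `TestTuleTiming` looks like a typo for `TestRuleTiming` — unittest still discovers it through the `Test` prefix, but the name should be corrected, as should "defined an timestamp_override" in the docstring. In `test_event_override`, `not rule.contents.get('timestamp_override', '') == 'event.ingested'` reads more simply as `rule.contents.get('timestamp_override') != 'event.ingested'`, and the `continue` for `endgame-*` skips the whole rule even when it also reads other indexes without saying why; presumably endgame data has no usable `event.ingested`, which deserves a comment on that line. `test_updated_date_newer_than_creation` compares tuples of strings, which is only correct while both dates stay zero-padded `YYYY/MM/DD`; `datetime.strptime(value, '%Y/%m/%d')` would compare correctly and also reject malformed dates.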