diff --git a/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml b/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
index 65af92765..9f479d7df 100644
--- a/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
+++ b/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/05/16"
 maturity = "production"
-updated_date = "2022/07/26"
+updated_date = "2022/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
 "https://twitter.com/GossiTheDog/status/1522964028284411907",
 "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
 ]
-risk_score = 43
+risk_score = 47
 rule_id = "eb6a3790-d52d-11ec-8ce9-f661ea17fbce"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Command and Control"]
diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml
index 0fe48f280..e6d835227 100644
--- a/rules/linux/execution_abnormal_process_id_file_created.toml
+++ b/rules/linux/execution_abnormal_process_id_file_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/05/11"
 maturity = "production"
-updated_date = "2022/05/12"
+updated_date = "2022/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
 "https://twitter.com/GossiTheDog/status/1522964028284411907",
 "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
 ]
-risk_score = 43
+risk_score = 47
 rule_id = "cac91072-d165-11ec-a764-f661ea17fbce"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor"]
diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml
index df5e2bcb5..42efdaa34 100644
--- a/rules/linux/persistence_chkconfig_service_add.toml
+++ b/rules/linux/persistence_chkconfig_service_add.toml
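Review bot: risk_score is changed here to 47 while severity stays "medium", and every other risk_score hunk in this commit lands on the same three tier values (21 with "low", 47 with "medium", 73 with "high"); nothing in the rule file ties the two fields together, so the pairing can drift again on the next edit. If the repository already validates risk_score against severity when rules are loaded, this is fine as is; if it does not, a schema-level check is the durable place for it, since a per-file comment in the TOML would not stop a mismatched value from shipping. The [rule] table continues outside the hunk.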
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/07/22"
 maturity = "production"
-updated_date = "2022/07/22"
+updated_date = "2022/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ name = "Chkconfig Service Add"
 references = [
 "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"
 ]
-risk_score = 74
+risk_score = 47
 rule_id = "b910f25a-2d44-47f2-a873-aabdc0d355e6"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Lightning Framework"]
diff --git a/rules/linux/persistence_dynamic_linker_backup.toml b/rules/linux/persistence_dynamic_linker_backup.toml
index 6a05ed28a..fef7f9af4 100644
--- a/rules/linux/persistence_dynamic_linker_backup.toml
+++ b/rules/linux/persistence_dynamic_linker_backup.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/07/12"
 maturity = "production"
-updated_date = "2022/07/12"
+updated_date = "2022/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ name = "Dynamic Linker Copy"
 references = [
 "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/"
 ]
-risk_score = 85
+risk_score = 73
 rule_id = "df6f62d9-caab-4b88-affa-044f4395a1e0"
 severity = "high"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Orbit"]
diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml
index 142560477..0dfeb99ed 100644
--- a/rules/linux/persistence_etc_file_creation.toml
+++ b/rules/linux/persistence_etc_file_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/07/22"
 maturity = "production"
-updated_date = "2022/07/22"
+updated_date = "2022/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ references = [
 "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/",
 "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"
 ]
-risk_score = 80
+risk_score = 47
 rule_id = "1c84dd64-7e6c-4bad-ac73-a5014ee37042"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Orbit", "Lightning Framework"]
diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml
index b98afeabb..ba99631fb 100644
--- a/rules/linux/persistence_insmod_kernel_module_load.toml
+++ b/rules/linux/persistence_insmod_kernel_module_load.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/07/11"
 maturity = "production"
-updated_date = "2022/07/11"
+updated_date = "2022/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ name = "Kernel module load via insmod"
 references = [
 "https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/"
 ]
-risk_score = 85
+risk_score = 47
 rule_id = "2339f03c-f53f-40fa-834b-40c5983fc41f"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Rootkit"]
diff --git a/rules/macos/execution_installer_package_spawned_network_event.toml b/rules/macos/execution_installer_package_spawned_network_event.toml
index a7915099d..7bf3ccc4a 100644
--- a/rules/macos/execution_installer_package_spawned_network_event.toml
+++ b/rules/macos/execution_installer_package_spawned_network_event.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/02/23"
 maturity = "production"
-updated_date = "2022/07/27"
+updated_date = "2022/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = [
 "https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520",
 "https://github.com/D00MFist/Mystikal"
 ]
-risk_score = 74
+risk_score = 47
 rule_id = "99239e7d-b0d4-46e3-8609-acafcf99f68c"
 severity = "medium"
 tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution", "Command and Control"]
diff --git a/rules/windows/defense_evasion_installutil_beacon.toml b/rules/windows/defense_evasion_installutil_beacon.toml
index c646b0097..828cfdc91 100644
--- a/rules/windows/defense_evasion_installutil_beacon.toml
+++ b/rules/windows/defense_evasion_installutil_beacon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2022/07/20"
+updated_date = "2022/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "InstallUtil Process Making Network Connections"
-risk_score = 21
+risk_score = 47
 rule_id = "a13167f1-eec2-4015-9631-1fee60406dcf"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
diff --git a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
index 68e1d2892..c10dcf45a 100644
--- a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
+++ b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2021/09/23"
+updated_date = "2022/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "MsBuild Network Connection Sequence"
-risk_score = 21
+risk_score = 47
 rule_id = "9dc6ed5d-62a9-4feb-a903-fafa1d33b8e9"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml
index 8587c10a8..fc2a853d3 100644
--- a/rules/windows/defense_evasion_mshta_beacon.toml
+++ b/rules/windows/defense_evasion_mshta_beacon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2022/07/20"
+updated_date = "2022/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Mshta Making Network Connections"
-risk_score = 21
+risk_score = 47
 rule_id = "c2d90150-0133-451c-a783-533e736c12d7"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
diff --git a/rules/windows/defense_evasion_msxsl_beacon.toml b/rules/windows/defense_evasion_msxsl_beacon.toml
index ab5fffc44..f6109ebb4 100644
--- a/rules/windows/defense_evasion_msxsl_beacon.toml
+++ b/rules/windows/defense_evasion_msxsl_beacon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2021/10/13"
+updated_date = "2022/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "MsXsl Making Network Connections"
-risk_score = 21
+risk_score = 47
 rule_id = "870d1753-1078-403e-92d4-735f142edcca"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
index 68410361c..f85daba07 100644
--- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
+++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Network Activity from a Windows System Binary"
-risk_score = 21
+risk_score = 47
 rule_id = "1fe3b299-fbb5-4657-a937-1d746f2c711a"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml
index b4e0b60b3..24ea0ce45 100644
--- a/rules/windows/defense_evasion_rundll32_no_arguments.toml
+++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2022/07/20"
+updated_date = "2022/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ interval = "30m"
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Child Processes of RunDLL32"
-risk_score = 21
+risk_score = 73
 rule_id = "f036953a-4615-4707-a1ca-dc53bf69dcd5"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
diff --git a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
index 12097aa2f..11d4b4be0 100644
--- a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
+++ b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/24"
 maturity = "production"
-updated_date = "2022/08/01"
+updated_date = "2022/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Process Creation CallTrace"
-risk_score = 43
+risk_score = 47
 rule_id = "3ed032b2-45d8-4406-bc79-7ad1eabb2c72"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml
index cb2491910..b66064a65 100644
--- a/rules/windows/defense_evasion_suspicious_wmi_script.toml
+++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2022/08/02"
+updated_date = "2022/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious WMIC XSL Script Execution"
-risk_score = 21
+risk_score = 47
 rule_id = "7f370d54-c0eb-4270-ac5a-9a6020585dc6"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
index dee075c87..1cb97983a 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/05/31"
 maturity = "production"
-updated_date = "2022/07/05"
+updated_date = "2022/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
 "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
 ]
-risk_score = 23
+risk_score = 21
 rule_id = "84da2554-e12a-11ec-b896-f661ea17fbcd"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"]
diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml
index b4c7732c7..fef327af8 100644
--- a/rules/windows/discovery_privileged_localgroup_membership.toml
+++ b/rules/windows/discovery_privileged_localgroup_membership.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/15"
 maturity = "production"
-updated_date = "2022/08/02"
+updated_date = "2022/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -83,7 +83,7 @@ Microsoft introduced the [event used](https://docs.microsoft.com/en-us/windows/s
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
-risk_score = 43
+risk_score = 47
 rule_id = "291a0de9-937a-4189-94c0-3e847c8b13e4"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"]
diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml
index 3a3bb43af..ae04debda 100644
--- a/rules/windows/execution_downloaded_url_file.toml
+++ b/rules/windows/execution_downloaded_url_file.toml
@@ -2,7 +2,7 @@ creation_date = "2020/09/02"
 maturity = "development"
 query_schema_validation = false
-updated_date = "2021/03/03"
+updated_date = "2022/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Downloaded URL Files"
-risk_score = 21
+risk_score = 47
 rule_id = "cd82e3d6-1346-4afd-8f22-38388bbf34cb"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml
index 7d32d89a2..12a8bab11 100644
--- a/rules/windows/execution_ms_office_written_file.toml
+++ b/rules/windows/execution_ms_office_written_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2022/05/23"
+updated_date = "2022/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -74,7 +74,7 @@ persistence mechanisms, and malware components.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
-risk_score = 21
+risk_score = 73
 rule_id = "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
index 9bbe1bb44..27cb52548 100644
--- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
+++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/02"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
-risk_score = 21
+risk_score = 47
 rule_id = "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml
index eb0b12294..b2a649d7d 100644
--- a/rules/windows/persistence_app_compat_shim.toml
+++ b/rules/windows/persistence_app_compat_shim.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Installation of Custom Shim Databases"
-risk_score = 21
+risk_score = 47
 rule_id = "c5ce48a6-7f57-4ee8-9313-3d0024caee10"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
index 003d6b265..359ee3b40 100644
--- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml
+++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2022/02/14"
+updated_date = "2022/08/17"
 min_stack_comments = "EQL regex syntax introduced in 7.12"
 min_stack_version = "7.12.0"
@@ -19,7 +19,7 @@ name = "Image File Execution Options Injection"
 references = [
 "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
 ]
-risk_score = 41
+risk_score = 47
 rule_id = "6839c821-011d-43bd-bd5b-acff00257226"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
diff --git a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
index e74648b6c..80e81892e 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/29"
 maturity = "production"
-updated_date = "2022/05/09"
+updated_date = "2022/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -72,7 +72,7 @@ malware components.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
-risk_score = 41
+risk_score = 47
 rule_id = "2fba96c0-ade5-4bce-b92f-a5df2509da3f"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]